19 Understanding Security in Account Reconciliation

Account Reconciliation implements several layers of security. At the highest level, infrastructure security components, which are implemented and managed by Oracle, create a highly secure environment for Account Reconciliation. Security is ensured with password-protected single sign-on and role-based access to data and artifacts.

Here are the different levels of security:

Table 19-1 Elements of Security

| Name | Who Performs and Description | Link |
| --- | --- | --- |
| Create users and assign them access to Account Reconciliation | The Identity Domain Administrator creates the users and assigns them access to the application. | See Creating Users in the Getting Started with Oracle Enterprise Performance Management Cloud for Administrators guide. |
| Assign users predefined role access to the application. | The Identity Domain Administrator assigns users role access to the application: Service Administrators, Power Users, Users, Viewers. | See Understanding Predefined Roles and Account Reconciliation in the Getting Started with Oracle Enterprise Performance Management Cloud for Administrators guide. |
| Grant additional privileges to users in addition to their predefined roles by using Application Roles. | The Service Administrator has the flexibility to grant additional privileges to different users or groups in addition to their predefined roles by using Application Roles. This can be done under Access Control using Assign Roles. | See Account Reconciliation Application Roles and Predefined Role Mapping for Account Reconciliation in Administering Access Control for Oracle Enterprise Performance Management Cloud. |
| Create and manage groups | Administrators can define groups and populate with users using Manage Groups under Access Control. | For creation and management of groups, see Managing Groups in Administering Access Control for Oracle Enterprise Performance Management Cloud. |
| Create and manage teams | Administrators can define teams and populate with users with various roles. Users may have user or viewer roles. The user role includes Preparer, Reviewer, or Viewer roles. A team must be assigned that role to perform that role. | For creation and management of teams, see Using Teams in this chapter. |
| Power User Security | Administrators can use Power User Security under Access Control to view and change who has been assigned Power User security. | For Power User Security, see Power User Security. |
| User Reporting Using Manage Users under Access Control | Administrators can use Manage Users under Access Control to see various information about users on the system. | For Manage Users, see User Reporting Using Manage Users Dialog. |
| Assign security on artifacts such as Profiles, Organizations, and Reports from within Account Reconciliation | • Profiles - Administrators can grant access to profiles during profile creation using an Access tab. • Organizations - Administrators can grant access to artifacts based on users or teams being in an organization. • Reports - Administrators can grant access to standard reports using an Access tab in the Edit Reports dialog. Custom report security is determined by the report author at the time the report is created. | For Profiles security, see Specifying Profile Access in the Setting Up and Configuring Account Reconciliation guide. For Organization security, see Defining Organizations in the Setting Up and Configuring Account Reconciliation guide. For Reports security, see Understanding Reports Security in Administering Account Reconciliation. |

Access Control Options

In Account Reconciliation, you can use Access Control under Tools for the following security related options:

  • Assign roles to users in addition to their predefined roles by using Assign Application Roles
  • Create and manage groups of users
  • Create and manage teams of users
  • View and control who has Power User security
  • Gather information on who is using Account Reconciliation (User Login report) and see what roles they have been assigned (Role Assignment report).

Assigning Application Roles to Grant Additional Privileges Above a Predefined Role

The Service Administrator has the flexibility to grant additional privileges to different users or groups in addition to their predefined roles by using Application Roles. This can be done under Access Control using Assign Application Roles. For more information, see Account Reconciliation Application Roles and Predefined Role Mapping for Account Reconciliation in Administering Access Control for Oracle Enterprise Performance Management Cloud.

Creating and Managing Groups

A Service Administrator can create and manage groups of users. For detailed information on creating and managing groups, see Managing Groups in Administering Access Control for Oracle Enterprise Performance Management Cloud.

User Reporting Using Manage Users Dialog

Under Access Control, you can use Manage Users to access information about users on the system. The following fields can be used as columns or filters on the Users List.

You can determine which columns you want to display, as well as filter the list, and then export to csv or Excel format.

To see detailed information about a user, double-click the Name. The User Details are displayed.

  • Name - full name of the user. Column and filter selected by default.
  • User Login - user id. Column and filter selected by default.
  • Status - user status (Available or Unavailable). Column and filter selected by default.
  • Teams - list of teams the user belongs to. Column selected by default.
  • Email - email address for the user.
  • Role - highest external role the user is assigned to.
  • Workflow Roles - roles the user is assigned to in profiles (Preparer, Reviewer 2, Viewer, etc.).
  • Preparer - (Yes/No) indicates whether the user is a Preparer in any Account Reconciliation Profile. This includes backup assignments and indirect assignments using Teams.
  • Reviewer - (Yes/No) indicates whether the user is a Reviewer in any Account Reconciliation Profile. This includes backup assignments and indirect assignments using Teams.
  • Organizations - list of organizations that the user is assigned to.
  • Power User Filter - list of users who have power user security filter applied.
  • Last Login - date and time of last user login.
An example is shown:
Manage Users dialog

Power User Security

Under Access Control, you can use Power User Security to see all the users who have Power User Security and also users assigned the Manage Profiles and Reconciliations application role. Security filters are built using profile segments.

Power Users and users who have been assigned the Manage Profiles and Reconciliations application role can only see reconciliations included in their security filter. These users can act on profiles and reconciliations within their security scope. A user who is also assigned as a Preparer or Reviewer can also act as a workflow user, but only for those reconciliations to which they are directly assigned.

Note:

If a user has been granted the Manage Profiles and Reconciliations application role, then that user's ID will appear in the Power User Security list but they must be given a security filter in order to access the Profiles List or Reconciliations List so they only see the appropriate profiles and reconciliations.

Oracle highly recommends that, if you assign a user the Manage Profiles and Reconciliations privilege, you make sure that the security scope is set appropriately for that user.

You can also click on the user name to change the power user security for a particular user.
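One way to check the recommendation above offline, as an added example (not Oracle's code): cross-reference a Role Assignment Report CSV export with a Manage Users CSV export and list users who hold the Power User role or the Manage Profiles and Reconciliations application role but have no Power User filter recorded. The column headers (`User Login`, `Role`, `Status`, `Power User Filter`), the filter value, and all sample rows are assumptions constructed for illustration; adjust them to match your own exports.

```python
import csv
import io

# Roles the page describes as limited by a Power User security filter.
SCOPED_ROLES = {"Power User", "Manage Profiles and Reconciliations"}

# Constructed sample exports. Column headers are assumptions, not a documented schema.
ROLE_ASSIGNMENT_CSV = """User Login,Role
jdoe,Power User
asmith,User
asmith,Manage Profiles and Reconciliations
bchan,Service Administrator
mlee,Power User
tkim,Power User
"""

MANAGE_USERS_CSV = """Name,User Login,Status,Power User Filter
John Doe,jdoe,Available,Company = 100
Ann Smith,asmith,Available,
Bo Chan,bchan,Available,
Mia Lee,mlee,Unavailable,
"""

def scoped_role_holders(role_csv):
    """Map user login -> filter-restricted roles (the report has one row per assignment)."""
    holders = {}
    for row in csv.DictReader(io.StringIO(role_csv)):
        role = row["Role"].strip()
        if role in SCOPED_ROLES:
            holders.setdefault(row["User Login"].strip().lower(), set()).add(role)
    return holders

def users_missing_filter(role_csv, users_csv):
    """Return (login, roles, status) for role holders whose security scope needs review."""
    holders = scoped_role_holders(role_csv)
    seen, findings = set(), []
    for row in csv.DictReader(io.StringIO(users_csv)):
        login = row["User Login"].strip().lower()
        seen.add(login)
        if login in holders and not (row.get("Power User Filter") or "").strip():
            findings.append((login, sorted(holders[login]), row["Status"].strip()))
    # Role holders absent from the user export cannot be verified, so report them too.
    for login in sorted(set(holders) - seen):
        findings.append((login, sorted(holders[login]), "not in Manage Users export"))
    return findings

if __name__ == "__main__":
    for finding in users_missing_filter(ROLE_ASSIGNMENT_CSV, MANAGE_USERS_CSV):
        print(finding)
```

Because the Role Assignment Report export contains only the currently displayed rows, run the check against an unfiltered export.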

Creating and Managing Teams

Teams can be defined and populated with users with various roles. A team with the User role will allow that team to be assigned as a preparer, reviewer, commentator, or viewer.

When a reconciliation is created, the team membership is saved with the reconciliation. This helps keep the history accurate and reflect who was working on the reconciliation. For more information on teams, see Using Teams.

Additional User Reporting Options

Besides using the Manage Users dialog to see information about users on your system, you can also generate two reports directly from Access Control:

  • Role Assignment Report
  • User Login Report

Role Assignment Report - Administrators use the Role Assignment Report to review the access, assigned through predefined roles and application-level roles, of all users. The report lists the predefined roles (for example, Power User)

The Role Assignment Report also identifies the number of users who are authorized to access the environment based on their predefined roles. It does not list the application roles that are subsumed into predefined roles or the component roles of application roles assigned to the user. If you need a report showing such details, you may generate the classic version of the report using the provisionReport EPM Automate command.

You can export the Role Assignment Report as a CSV file, which can then be opened using a program such as Microsoft Excel or saved to your computer. The Role Assignment Report in CSV format uses one row for each role assignment.

To open the Role Assignment Report:

  1. From Tools, click Access Control, then Role Assignment Report.
  2. Optional: Filter the report to display the following:
    • Role assignments of a specific user. Select Users from the drop down list and then enter a partial search string.
    • Users assigned to a specific role. Select Roles from the drop down list and then enter a partial role name.

      Note:

      Users may be assigned to many roles. In such cases, the report lists all the roles of the user even if you filter it for a specific role.
  3. Optional: Click Export to CSV to export the report into a CSV file. Note that only the information from the currently displayed report is exported to CSV.

    An example of a Role Assignment report is shown:
    Role Assignment Report

User Login Report - The User Login Report, by default, contains information on the users who signed into the environment over the last 24 hours. It lists the IP address of the computer from which the user logged in and the date and time (UTC) at which the user accessed the environment.

Administrators can regenerate this report for a custom date range or for the last 30 days, last 90 days, and last 120 days. They can also filter the report to view only the information of specific users by using a partial string of the users' first name, last name or userid as the search string.

Note:

Oracle Enterprise Performance Management Cloud maintains user login audit history for the last 120 days only.

To regenerate the User Login Report:

  1. From Tools, click Access Control, then User Login Report. A report that lists all users who signed into the environment over the last day is displayed.
  2. Select a period (Last 1 Day, Last 30 Days, Last 90 Days, or Last 120 Days) for which you want to generate the report. To specify a custom date range, select Date Range and then select a start date and end date.
  3. Optional: Select the users to include in the report.
  4. Optional: Click Export to CSV to export the displayed report as a CSV file.
  5. Click Cancel to close the report.

An example of a User Login report is shown:
User Login Report
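Because login audit history is kept for the last 120 days only, periodic CSV exports have to be merged into your own archive if you need a longer record. The following added example (not Oracle's code) merges a new User Login Report export into an archive, skips rows already archived from overlapping export windows, and flags logins from an IP address not previously seen for that user. The column headers, timestamp layout, and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout; the report times are UTC

# Constructed sample data using documentation-reserved IP ranges.
ARCHIVE_CSV = """User Login,IP Address,Access Time (UTC)
jdoe,192.0.2.10,2024-01-05 08:01:12
asmith,198.51.100.7,2024-01-05 09:15:40
"""
NEW_EXPORT_CSV = """User Login,IP Address,Access Time (UTC)
asmith,198.51.100.7,2024-01-05 09:15:40
jdoe,192.0.2.10,2024-03-01 08:03:55
jdoe,203.0.113.99,2024-03-02 02:47:09
"""

def parse(text):
    """Parse an export into (login, ip, aware UTC datetime) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(r["Access Time (UTC)"].strip(), TS_FORMAT)
        rows.append((r["User Login"].strip().lower(), r["IP Address"].strip(),
                     when.replace(tzinfo=timezone.utc)))
    return rows

def merge_and_flag(archive_text, export_text):
    """Return (merged records, logins from an IP new to an already known user)."""
    archive = parse(archive_text)
    known = set(archive)
    seen_ips = {}
    for user, ip, _ in archive:
        seen_ips.setdefault(user, set()).add(ip)
    merged, alerts = list(archive), []
    for rec in sorted(parse(export_text), key=lambda r: r[2]):
        if rec in known:
            continue  # already archived from an overlapping export window
        known.add(rec)
        merged.append(rec)
        user, ip, _ = rec
        # A user with no history has no baseline, so their first login is not flagged.
        if user in seen_ips and ip not in seen_ips[user]:
            alerts.append(rec)
        seen_ips.setdefault(user, set()).add(ip)
    return merged, alerts

if __name__ == "__main__":
    print(merge_and_flag(ARCHIVE_CSV, NEW_EXPORT_CSV)[1])
```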