Data Security Differences in GL Features Based on Balance Cubes

In certain cases, differences in data security can appear depending on whether the Oracle General Ledger feature being used is directly or indirectly based on the balances cube.

For example, this can occur when a user is assigned multiple data access sets for the same balances cube with different security specifications for ledger or primary balancing segment value access, or when segment value security rule assignments are involved.

General Ledger features based directly on the balances cube are:

  • Inquire on Detail Balances

  • Account Monitor

  • Account Inspector

  • Financial Reporting

  • Smart View

  • Allocations

All other General Ledger features are indirectly based on the balances cube.

When using features indirectly related to the balances cube, you select a specific data access set and you work only with that one data access set at a time. The defined ledger and primary balancing segment value access for the selected data access set are enforced.

When using features directly related to the balances cube, the cumulative effects of your combined data access sets for that balances cube are enforced. From your combined data access sets for that cube, balances cube security constructs the access filter for the ledger dimension and the access filter for the primary balancing segment values dimension separately, independently of the other dimensions. This means the specific combination of ledger and primary balancing segment value access as defined in each distinct data access set isn't enforced as such. Instead, you have access simultaneously to all the ledgers and all the primary balancing segment values granted to you through your combined data access sets.

Note: Balances cube security grants access to all values of the balancing segment value set for a data access set defined as either of the following:
  • Full ledger

  • All Values: Specific Balancing Segment Values Access Type

With segment value security rules assigned to you through your various roles, the security rules are in effect simultaneously whether working directly or indirectly with the balances cube.

Segment value security rules are specified for a particular value set. Therefore, as you're working on anything that references the secured value set, all segment value security rules for that value set that are assigned to you through any of your roles are in effect at the same time, regardless of the specific role the rule was assigned to. In other words, segment value security rules are cumulative: your access is the union of all the segment value security rules assigned to you through your roles. If you have one role assigned to your user that only grants access to cost center 200, and another role that grants access to cost centers 300 through 500, then you have access to cost centers 200 and 300 through 500.

When using features indirectly based on the balances cube, such as journal entry pages, the primary balancing segment values you can access are based on the intersection of:

  • Primary balancing segment values granted to you through your current selected data access set.

  • All of your assigned segment value security rules pertaining to the primary balancing segment value set across all of your assigned segment value security roles.

So, if a balancing segment value is granted through only one of the two, either the selected data access set or a segment value security role, that balancing segment value isn't available to you.

In contrast, for features directly based on the balances cube, your access is based on the cumulative union of:

  • Primary balancing segment values granted to you through all your assigned data access sets related to the balances cube that you're working with.

  • Any segment value security rule grants to that primary balancing segment value set across all of your segment value security role assignments.

Example

This setup illustrates how security works differently for features directly and indirectly related to the balances cube with respect to data access sets and segment value security. It's chosen for clarity and comprehensiveness and might not reflect a real-life configuration.

In this example, your job role is assigned two different data access sets for the Vision Corporation ledger. The Vision Corporation 01 data access set is assigned primary balancing segment value 01, and the Vision Corporation 02 data access set is assigned primary balancing segment value 02. You are also assigned segment value security roles SVS 01 and SVS 03.

The following table lists the job role, data access set, and primary balancing segment value assignments for this example.

| Job Role | Data Access Set | Primary Balancing Segment Value |
|---|---|---|
| General Accounting Manager | Vision Corporation 01 | 01 |
| General Accounting Manager | Vision Corporation 02 | 02 |

The following table lists the primary balancing segment values that are assigned to you through the segment value security roles.

| Segment Value Security Role | Primary Balancing Segment Value |
|---|---|
| SVS 01 | 01 |
| SVS 03 | 03 |

Select Vision Corporation 01 Data Access Set

For features indirectly based on the balances cube, you can access primary balancing segment value 01. This segment value represents the intersection of the Vision Corporation 01 data access set and the SVS 01 and SVS 03 segment value security roles.

Neither your selected data access set nor your segment value security roles provide access to Company 02. Your selected data access set, Vision Corporation 01, and your cumulative segment value security roles, SVS 01 and SVS 03, intersect only on primary balancing segment value 01, and not on 03.

For features directly based on the balances cube, you can access primary balancing segment values 01, 02, and 03. These segment values represent the union of your assigned data access sets and segment value security roles. With the balances cube, all data access sets assigned to you that are related to the balances cube you're working with apply simultaneously, regardless of the data access set you selected to work with in the application.

Select Vision Corporation 02 Data Access Set

For features indirectly based on the balances cube, you can't access any primary balancing segment value because none of the values from the Vision Corporation 02 data access set and SVS 01 and SVS 03 segment value security roles intersect.

For features directly based on the balances cube, you can access primary balancing segment values 01, 02, and 03. These values represent the union of your assigned data access sets and segment value security roles.
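
The rules above can be modeled as set operations to check what a given combination of assignments actually exposes. This is an added example, not Oracle code: it reproduces the Vision Corporation case and extends it to a constructed two-ledger case to show the ledger and balancing segment filters being built independently. It assumes segment value security is enabled on the primary balancing segment value set and that all data access sets belong to the same balances cube; `review_gap`, "Ledger A", "Ledger B", "DAS A", "DAS B" and "SVS 01-02" are hypothetical names.

```python
# Added example: models the access rules as this page states them.
from dataclasses import dataclass

@dataclass(frozen=True)
class DataAccessSet:
    name: str
    ledger: str
    bsvs: frozenset  # primary balancing segment values granted by this set

def svs_union(svs_roles):
    """Segment value security rules are cumulative across all assigned roles."""
    return frozenset().union(*svs_roles.values())

def indirect_access(selected, svs_roles):
    """Indirect features: the selected set's values INTERSECT the SVS grants."""
    return {(selected.ledger, v) for v in selected.bsvs & svs_union(svs_roles)}

def direct_access(all_sets, svs_roles):
    """Direct features: the ledger filter and the balancing segment filter are
    each built on their own, as a union over every assigned data access set."""
    ledgers = {s.ledger for s in all_sets}
    values = frozenset().union(*(s.bsvs for s in all_sets)) | svs_union(svs_roles)
    return {(ledger, v) for ledger in ledgers for v in values}

def review_gap(all_sets, svs_roles):
    """Pairs reachable through cube-based features that no single data access
    set selection allows; the list an access reviewer needs to look at."""
    by_selection = set().union(*(indirect_access(s, svs_roles) for s in all_sets))
    return sorted(direct_access(all_sets, svs_roles) - by_selection)

# Assignments from the page's example.
SETS = [
    DataAccessSet("Vision Corporation 01", "Vision Corporation", frozenset({"01"})),
    DataAccessSet("Vision Corporation 02", "Vision Corporation", frozenset({"02"})),
]
SVS = {"SVS 01": {"01"}, "SVS 03": {"03"}}

# Constructed case: two ledgers sharing one balances cube (names hypothetical).
TWO_LEDGERS = [
    DataAccessSet("DAS A", "Ledger A", frozenset({"01"})),
    DataAccessSet("DAS B", "Ledger B", frozenset({"02"})),
]
TWO_LEDGERS_SVS = {"SVS 01-02": {"01", "02"}}

if __name__ == "__main__":
    for das in SETS:
        print(das.name, "indirect:", sorted(indirect_access(das, SVS)))
    print("direct:", sorted(direct_access(SETS, SVS)))
    print("gap:", review_gap(SETS, SVS))
    print("two-ledger gap:", review_gap(TWO_LEDGERS, TWO_LEDGERS_SVS))
```

In the two-ledger case each data access set pairs one ledger with one value, yet the cube-based features expose the cross combinations as well, which is the effect to look for when reviewing users who hold several data access sets on one cube.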