Manage Segment Value Security Rules Spreadsheet

You can control user access to chart of account segment values by defining segment value security rules. These rules restrict data entry, online inquiry, and reporting. You can define segment value security rules in the application or through desktop-integrated spreadsheets.

This topic describes the Manage Segment Value Security Rules spreadsheet, which you can use to create, edit, and delete the segment value security rules for a value set. Once you use this spreadsheet, you must continue to use it to manage the rules for that value set.

When to Use the Spreadsheet

You can only use the spreadsheet if you're enabling security on a value set for the very first time and haven't created any segment value security rules for it yet.

Caution: The rules that you define using this spreadsheet are stored differently than the rules you define using the application pages or the Create Segment Value Security Rules spreadsheet. To maintain rule integrity, use compatible methods to add new rules or edit existing rules to a secured value set as described in the following table.

This table shows how the method you use to create the original rules for a value set determines which methods you can use to manage the rules for that value set going forward.

Methods for Managing Segment Value Security Rules

| Method Used to Create Original Rules | Which methods can be used to create additional rules? | Which methods can be used to edit or delete the rules? |
|---|---|---|
| Manage Segment Value Security Rules spreadsheet | Manage Segment Value Security Rules spreadsheet | Manage Segment Value Security Rules spreadsheet |
| Edit Data Security page | Edit Data Security page; Create Segment Value Security Rules spreadsheet | Edit Data Security page |
| Create Segment Value Security Rules spreadsheet | Edit Data Security page; Create Segment Value Security Rules spreadsheet | Edit Data Security page |

How You Open the Spreadsheet

  1. In the Setup and Maintenance work area, use the Manage Chart of Accounts Configurations task.

    • Offering: Financials

    • Functional Area: Financial Structures

    • Task: Manage Chart of Accounts Configurations

  2. On the Manage Chart of Accounts Configurations page, select the chart of accounts.

  3. In the Segments section, select the value set.

  4. In the Value Set tab, select the Enable security check box.

    Note: Since you're enabling security at the value set level, all charts of accounts that use that value set are affected.
  5. Enter a data security resource name.

  6. Save your changes.

  7. Click Manage Data Security.

What to Do After You Enable Security on a Value Set

You must deploy the accounting flexfield and publish the account hierarchies tied to the secured value set. These steps are independent of working with the spreadsheet. You can deploy the flexfield from the Manage Chart of Accounts Configurations page. Just click Deploy All Charts of Accounts.

To publish the account hierarchies, use the Publish Account Hierarchies task.

  • Offering: Financials

  • Functional Area: Financial Structures

  • Task: Publish Account Hierarchies

Note: If you disable security on a value set, you must also deploy the accounting flexfield and publish the account hierarchies.

What's in the Spreadsheet

The spreadsheet has rows for defining segment value security policies and assigning them to segment value security roles. A policy can have one or more conditions, which consist of operators, values, and in some cases, tree codes and tree versions. Some spreadsheet columns represent policy level attributes, and some represent condition level attributes.

Here's a summary of the columns on the spreadsheet.

| Column | Is It Required? | Can You Update It? | Is It an Attribute of the Policy or Condition? |
|---|---|---|---|
| Policy Name | Yes | No | Policy |
| Policy Description | No | Yes | Policy |
| Segment Value Security Role Name | Yes | No | Policy |
| Operator | Yes | Yes | Condition |
| From Value | Yes, for all operators other than All Values | Yes | Condition |
| To Value | Yes, for the Between operator | Yes | Condition |
| Tree Code | Yes, for hierarchical operators | Yes | Condition |
| Tree Version | Yes, for hierarchical operators | Yes | Condition |
| Policy Start Date | Yes | No | Policy |
| Policy End Date | No | Yes | Policy |
| Mark for Deletion | No | Yes | Condition |

Here's more information about the policy columns to help you prepare the spreadsheet.

| Column | What It Represents | How to Use It |
|---|---|---|
| Policy Name | The name for a group of related condition rows. | When a policy has multiple conditions, you must use the same policy name across all related condition rows. |
| Policy Description | A brief summary of the scope and purpose for the policy. | When a policy has multiple conditions, you must use the same policy description across all related condition rows. |
| Segment Value Security Role Name | The existing role that the policy is being assigned to. | When a policy has multiple conditions, you must use the same segment value security role across all related condition rows. Note: To complete the segment value security rule definition, the role must be assigned to the users the policy applies to. |
| Policy Start Date | The effective start date of the policy. | You can specify a date in the future. When a policy has multiple conditions, you must use the same start date across all related condition rows. |
| Policy End Date | The effective end date of the policy. | If you don't specify an end date, the policy is in effect indefinitely. When a policy has multiple conditions, you must use the same end date across all related condition rows. Note: For audit purposes, you can't delete a policy. Use the end date attribute to indicate when the policy is no longer applicable. |

Here's more information about the condition columns to help you prepare the spreadsheet.

| Column | What It Represents | How To Use It |
|---|---|---|
| Operator | The method used to evaluate the values in the condition. | When a policy has multiple conditions, you can use different operators across all related condition rows. |
| From Value | The value the operator evaluates in determining what account values to provide access to. | You must enter a value for all operators, except for the All Values operator. When a policy has multiple conditions, you can use different values across all related condition rows. The account value must exist unless you're using the Between operator. For that operator, the value represents the starting value in the range. |
| To Value | The value the Between operator evaluates in determining what account values to provide access to. | You must enter a value when you're using the Between operator and the value represents the ending value in the range. The value doesn't have to be an existing account. |
| Tree Code | The tree code for the parent account specified in the From Value column. Used only with hierarchical operators. | You must select a tree code when you use hierarchy operators Is a descendant of and Is a last descendant of. When a policy has multiple hierarchical conditions, you can use different tree codes across all related condition rows. |
| Tree Version | The tree version for the parent account specified in the From Value column. Used only with hierarchical operators. | You must select a tree version when you use hierarchy operators Is a descendant of and Is a last descendant of. When a policy has multiple hierarchical conditions, you can use different tree versions across all related condition rows. |
| Mark for Deletion | The indicator for whether to remove an individual condition from the policy. | If a policy has only one condition and you mark it for deletion, the policy is automatically end-dated. It no longer appears in the spreadsheet the next time you download the rules from the application. |

Operators are key attributes of a condition. They specify how the rule evaluates condition values in determining what account values the role can access. When a policy has multiple conditions, an account value just has to meet any one of the conditions for the rule to apply.

Here's the list of available operators. Use this information to help you prepare the spreadsheet.

| Operator | What It Does |
|---|---|
| All values | Provides access to all account values in the value set. |
| Between | Provides access to the account values included in the range of values specified in the From and To Value columns. When the range of values includes a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. The rule doesn't provide access to any of its descendants, unless they're part of the specified range. |
| Contains | Provides access to account values that contain the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless those descendants also happen to match the condition. |
| Ends with | Provides access to account values that end with the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless those descendants also happen to match the condition. |
| Equal to | Provides access to a specific account value. When the specified value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. The rule doesn't provide access to any of its descendants. |
| Is descendant of | Provides access to the specified parent account value and all of its descendants. Descendants include middle level parent accounts and nonparent accounts throughout all of that parent's hierarchical branches, from the root to the leaf nodes. |
| Is last descendant of | Provides access to the specified parent account value and to the account values at the leaf nodes of that parent. |
| Not equal to | Provides access to all non-parent account values, except for the specified account. |
| Starts with | Provides access to account values that start with the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless the descendants also happen to match the condition. |

Caution: Here are some important points about the Not equal to operator.
  • Use this operator carefully and sparingly.

  • Don't use it in multiple condition rows for the same policy or in different policies for the same secured value set. The different conditions could end up canceling each other out, resulting in unintended access being granted to account values you want to secure. For example, let's say you have a policy with two condition rows. You define the first condition as Not Equal To account value 100 and the second condition as Not Equal To account value 200. The list of values for the segment is going to show both 100 and 200. That's because an account value can meet any one of the conditions for the rule to apply. The value of 100 meets the Not Equal To 200 condition and the value of 200 meets the Not Equal To 100 condition.

Note: Best practice to improve rule efficiency is to use the tree operators (Is descendant of, Is last descendant of) where possible and limit the number of conditions in a rule.
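
The following Python sketch is an added illustration, not Oracle code or part of the original topic. It models the operator table above with conditions combined by OR, and flags value sets that carry more than one Not equal to condition. The account values, the single unversioned tree, the lexical Between comparison, and the value_set and policy row keys are assumptions made for the example.

```python
# Constructed sample hierarchy (parent -> children); not real account data.
TREE = {"1000": ["1100", "1200"], "1100": ["1110", "1120"]}
VALUES = ["100", "200", "300", "1000", "1100", "1110", "1120", "1200"]

def descendants(parent):
    out = []
    for child in TREE.get(parent, []):
        out.append(child)
        out.extend(descendants(child))
    return out

def matches(cond, value):
    """True if one condition grants access to `value`, per the operator table."""
    op, frm, to = cond["op"], cond.get("from"), cond.get("to")
    if op == "All values":
        return True
    if op == "Between":            # assumption: lexical string comparison
        return frm <= value <= to
    if op == "Contains":
        return frm in value
    if op == "Starts with":
        return value.startswith(frm)
    if op == "Ends with":
        return value.endswith(frm)
    if op == "Equal to":           # a parent matches as itself only
        return value == frm
    if op == "Not equal to":       # non-parent values except the one named
        return value not in TREE and value != frm
    if op == "Is descendant of":
        return value == frm or value in descendants(frm)
    if op == "Is last descendant of":
        return value == frm or (value in descendants(frm) and value not in TREE)
    raise ValueError(f"unknown operator: {op}")

def accessible(conditions, values=VALUES):
    """A value is granted if it meets ANY condition (conditions are ORed)."""
    return [v for v in values if any(matches(c, v) for c in conditions)]

def not_equal_conflicts(rows):
    """Value sets with more than one 'Not equal to' row, across all policies."""
    seen = {}
    for r in rows:
        if r["op"] == "Not equal to":
            seen.setdefault(r["value_set"], []).append((r["policy"], r["from"]))
    return {vs: hits for vs, hits in seen.items() if len(hits) > 1}
```

Calling accessible() with the two Not equal to conditions from the caution returns both 100 and 200, which is the unintended grant the caution describes; not_equal_conflicts() is a review check you can run over exported rule rows before upload.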

How You Review or Edit Existing Rules

When you have to review or edit rules, it's important to always work with the most current version of the rules recorded in the application. The way to do this is to always download the rules from the application.

  1. Open the spreadsheet and connect to the application.

  2. Click Search in the Manage Segment Value Security ribbon.

  3. Search by policy name or assigned segment value security role, or both.

  4. Review the rules or make changes and then upload them to the application.

    Note: You can also create rules in the same spreadsheet that you're reviewing or editing.