Segment Value Security
Set up segment value security rules on value sets to control access to parent or detail segment values for chart of accounts segments, also called flexfield segments. Segment value security rules restrict data entry, online inquiry, and reporting.
Secured Value Sets
When you enable security on a value set, access to all values for that value set is denied. To control access to value set values, you enable security on the value set, create conditions, and then assign the conditions to roles. The roles should be created solely for the purpose of segment value security. The roles are then assigned to users.
If a value set is secured, every usage of that value set in a chart of accounts structure instance is secured. The same security applies if that value set is:
-
Used for two or more segments in the same chart of accounts, such as the primary balancing and intercompany segments
-
Shared across different segments of different charts of accounts
If you want to secure only the primary balancing segment and not the intercompany segment, then these two segments must use different value sets.
Secured Segment Values
Segment value security applies mainly when data is created or updated, and when account combinations are queried. When you have access to secured account values, you can view and use those secured values across all modules of the applications where there are references to accounting flexfields including:
-
Transaction entry pages
-
Balances and transactions inquiry pages
-
Setup pages
-
Reports
On setup pages, you can still view referenced account combinations with secured account values, even if you haven't been granted access to those secured values. However, if you try to update such references, you can't use those secured values. On reports, you can view balances for secured account values only if you have access to those secured values.
Segment Value Security Implementation
You can implement segment value security using the Security Console and these pages: Manage Value Sets, Manage Chart of Accounts Structures, Publish Account Hierarchies.
The following figure shows the steps for defining and implementing security rules for segment values using the Security Console, Manage Value Sets, Manage Chart of Accounts Structures, and Publish Account Hierarchies pages.
![This figure shows the steps to define and implement segment value security.](images/gl_seg_val_sec_rul_nhdd_01_20057137.png)
To define segment value security roles:
-
Create segment value security roles.
-
Enable security on the value set.
Note: You can enable security only on value sets with a type of Independent. -
Create conditions for the rule.
-
Create policies to associate the conditions with the role.
-
Deploy the accounting flexfield.
-
Publish the account hierarchies.
-
Assign the role to users.
Whenever you assign segment value security roles to a user, the rules from the user's assigned roles can be applied together. All of the segment value security roles assigned to a user pertaining to a given value set are simultaneously applied when the user works with that value set. For example, one rule provides access to cost center 110 and another rule provides access to all cost centers. A user with both of these segment value security rules has access to all cost centers when working in a context where that value set matters.
Segment Value Security Conditions
When you create a condition, you specify an operator. This table describes the operators you can use.
Operator |
What It Does |
---|---|
All values |
Provides access to all account values in the value set. Note: This operator is only applicable to the Manage Segment
Value Security Rules spreadsheet. If you're creating rules using the Manage Segment Value Security Rules task,
you can use the Row Set attribute
on the Rule tab of the Create Policy dialog box to provide access
to all values.
|
Between |
Provides access to the account values included in the range of values specified in the From and To Value columns. When the range of values includes a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. The rule doesn't provide access to any of its descendants, unless they're part of the specified range. |
Contains |
Provides access to account values that contain the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless those descendants also happen to match the condition. |
Ends with |
Provides access to account values that end with the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless those descendants also happen to match the condition. |
Equal to |
Provides access to a specific account value. When the specified value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. The rule doesn't provide access to any of its descendants. |
Is descendant of |
Provides access to the specified parent account value and all of its descendants. Descendants include middle level parent accounts and nonparent accounts throughout all of that parent's hierarchical branches, from the root to the leaf nodes. |
Is last descendant of |
Provides access to the specified parent account value and to the account values at the leaf nodes of that parent. |
Not equal to |
Provides access to all non-parent account values, except for the specified account. Caution: Here are some important points about this operator.
|
Starts with |
Provides access to account values that start with the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless the descendants also happen to match the condition. |