Segment Value Security

Set up segment value security rules on value sets to control access to parent or detail segment values for chart of accounts segments, also called flexfield segments. Segment value security rules restrict data entry, online inquiry, and reporting.

Secured Value Sets

When you enable security on a value set, access to all values for that value set is denied. To control access to value set values, you enable security on the value set, create conditions, and then assign the conditions to roles. The roles should be created solely for the purpose of segment value security. The roles are then assigned to users.

Note: To ensure segment value security applies properly throughout Oracle General Ledger, make sure that every user who's working with that secured value set is assigned at least one of those roles.

If a value set is secured, every usage of that value set in a chart of accounts structure instance is secured. The same security applies if that value set is:

  • Used for two or more segments in the same chart of accounts, such as the primary balancing and intercompany segments

  • Shared across different segments of different charts of accounts

If you want to secure only the primary balancing segment and not the intercompany segment, then these two segments must use different value sets.

Secured Segment Values

Segment value security applies mainly when data is created or updated, and when account combinations are queried. When you have access to secured account values, you can view and use those secured values across all modules of the applications where there are references to accounting flexfields including:

  • Transaction entry pages

  • Balances and transactions inquiry pages

  • Setup pages

  • Reports

On setup pages, you can still view referenced account combinations with secured account values, even if you haven't been granted access to those secured values. However, if you try to update such references, you can't use those secured values. On reports, you can view balances for secured account values only if you have access to those secured values.

Note: You can enforce segment value security for inquiries and reporting based on any hierarchy, even hierarchies that aren't published to the reporting cube.

Segment Value Security Implementation

You can implement segment value security using the Security Console and these pages: Manage Value Sets, Manage Chart of Accounts Structures, Publish Account Hierarchies.

Note: If you're enabling security on a value set for the very first time and haven't created any segment value security rules for it yet, you can also use the Manage Segment Value Security Rules spreadsheet to create, edit, and delete your rules. Use the Manage Chart of Accounts Configurations task and Edit Chart of Accounts Configuration page to open the spreadsheet. Once you use this spreadsheet, you must continue to use it to manage the rules for that value set.

The following figure shows the steps for defining and implementing security rules for segment values using the Security Console, Manage Value Sets, Manage Chart of Accounts Structures, and Publish Account Hierarchies pages.

[Figure: steps to define and implement segment value security]

To define segment value security roles:

  1. Create segment value security roles.

  2. Enable security on the value set.

    Note: You can enable security only on value sets with a type of Independent.

  3. Create conditions for the rule.

  4. Create policies to associate the conditions with the role.

  5. Deploy the accounting flexfield.

  6. Publish the account hierarchies.

  7. Assign the role to users.

Whenever you assign segment value security roles to a user, the rules from the user's assigned roles can be applied together. All of the segment value security roles assigned to a user pertaining to a given value set are simultaneously applied when the user works with that value set. For example, one rule provides access to cost center 110 and another rule provides access to all cost centers. A user with both of these segment value security rules has access to all cost centers when working in a context where that value set matters.

Note: To ensure segment value security applies properly throughout General Ledger, make sure that every user who's working with that secured value set is assigned at least one of those roles.

Segment Value Security Conditions

When you create a condition, you specify an operator. This table describes the operators you can use.

Operator

What It Does

All values

Provides access to all account values in the value set.

Note: This operator is only applicable to the Manage Segment Value Security Rules spreadsheet. If you're creating rules using the Manage Segment Value Security Rules task, you can use the Row Set attribute on the Rule tab of the Create Policy dialog box to provide access to all values.

Between

Provides access to the account values included in the range of values specified in the From and To Value columns. When the range of values includes a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. The rule doesn't provide access to any of its descendants, unless they're part of the specified range.

Contains

Provides access to account values that contain the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless those descendants also happen to match the condition.

Ends with

Provides access to account values that end with the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless those descendants also happen to match the condition.

Equal to

Provides access to a specific account value. When the specified value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. The rule doesn't provide access to any of its descendants.

Is descendant of

Provides access to the specified parent account value and all of its descendants. Descendants include middle level parent accounts and nonparent accounts throughout all of that parent's hierarchical branches, from the root to the leaf nodes.

Is last descendant of

Provides access to the specified parent account value and to the account values at the leaf nodes of that parent.

Not equal to

Provides access to all non-parent account values, except for the specified account.

Caution: Here are some important points about this operator.
  • Use this operator carefully and sparingly.

  • Don't use it in multiple condition rows for the same policy or in different policies for the same secured value set. The different conditions could end up canceling each other out, resulting in unintended access being granted to account values you want to secure. For example, let's say you have a policy with two condition rows. You define the first condition as Not Equal To account value 100 and the second condition as Not Equal To account value 200. The list of values for the segment is going to show both 100 and 200. That's because an account value can meet any one of the conditions for the rule to apply. The value of 100 meets the Not Equal To 200 condition and the value of 200 meets the Not Equal To 100 condition.

Starts with

Provides access to account values that start with the specified value. When the matching value is a parent account, access applies to that parent value only, in all trees and tree versions that include that parent. It doesn't provide access to any of its descendants unless the descendants also happen to match the condition.

Note: Best practice to improve rule efficiency is to use the tree operators (Is descendant of, Is last descendant of) where possible and limit the number of conditions in a rule.

Note: For the Is descendant of and Is last descendant of operators, the security rule applies across all tree versions of the specified hierarchy, as well as all hierarchies associated with the same value set of the specified hierarchy.
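
The way conditions combine, both across a user's assigned roles and in the Not equal to caution, can be checked with a small model of the operator table before rules are deployed. This is an added example, not Oracle code: the hierarchy, the account values, and the function names are constructed for illustration, and Between is assumed to compare values as plain strings.

```python
# Constructed cost-center hierarchy (parent -> children); not Oracle data.
TREE = {"ALL": ["1XX", "2XX"], "1XX": ["100", "110"], "2XX": ["200", "210"]}
VALUES = sorted(set(TREE) | {c for kids in TREE.values() for c in kids})

def descendants(parent):
    """Every value below parent, at any depth."""
    found = []
    for child in TREE.get(parent, []):
        found.append(child)
        found.extend(descendants(child))
    return found

def matches(value, op, a=None, b=None):
    """Evaluate one condition row against one value, per the operator table."""
    is_parent = value in TREE
    if op == "All values":
        return True
    if op == "Between":          # assumption: plain string comparison
        return a <= value <= b
    if op == "Contains":
        return a in value
    if op == "Starts with":
        return value.startswith(a)
    if op == "Ends with":
        return value.endswith(a)
    if op == "Equal to":         # a parent match never extends to its children
        return value == a
    if op == "Not equal to":     # non-parent values only, minus the named one
        return not is_parent and value != a
    if op == "Is descendant of":
        return value == a or value in descendants(a)
    if op == "Is last descendant of":
        return value == a or (value in descendants(a) and not is_parent)
    raise ValueError(f"unknown operator: {op}")

def accessible(conditions):
    """Values visible to a user: a value needs to satisfy only ONE condition
    across all rules from all of the user's segment value security roles."""
    return [v for v in VALUES if any(matches(v, *c) for c in conditions)]

if __name__ == "__main__":
    # The page's cost-center example: one specific value plus all values.
    print(accessible([("Equal to", "110"), ("All values",)]))
    # One Not equal to row hides 100 as intended ...
    print(accessible([("Not equal to", "100")]))
    # ... but two rows cancel out: 100 and 200 are both back in the list.
    print(accessible([("Not equal to", "100"), ("Not equal to", "200")]))
    # Equal to on a parent grants the parent only; the tree operator descends.
    print(accessible([("Equal to", "1XX")]), accessible([("Is descendant of", "1XX")]))
```

Running the same check against an export of a real value set and its planned conditions shows which secured values a combination of roles would expose before the roles are assigned to users.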