Assets-Specific Considerations for Segment Value Security
Asset books control data security and are the fundamental data security object in Oracle Assets.
It serves as the primary control for an Assets user with access to work with the records of a particular asset book, based on the user's access assignment. This includes the ability to work with and perform actions in an asset book like adding assets, editing asset source lines, entering unplanned depreciation, transferring assets, running Assets reports, and performing inquiry on asset records and transactions.
Chart of accounts segment value security is another layer of data security above asset books that controls a user's ability to work with the chart of accounts-based accounting information of records in a given asset book.
Segment value security restricts access to account segment values in transactions with the Accounting flexfield component in transactions like asset additions and asset transfers. It doesn't restrict transaction entry for an asset within the asset book that doesn't involve the chart of accounts element.
Users who don't have access to segment values used in the accounting for an asset record can still search for that asset record in all the transaction entry and asset inquiry pages in the asset books they have access to. Only when they're working on the chart of accounts-based accounting aspect of an asset record will segment value security access controls be applied. You can only work with account values in a secured chart of accounts value set you've been granted access to through your rule assignments.
Segment Value Security by Business Function for Oracle Assets
The Segment Value Security by Business Function feature lets you enable security enforcement for all business functions or for one or more specific business functions.
For example, you can enable segment value security enforcement for the Oracle Assets business function alone.
When you enable security enforcement for Assets, all Assets users automatically have access to all segment values until you specifically restrict access for one or more users to limited segment values.
You only need to maintain segment value security rules and rule assignments for users who must have access to limited account values by using the Segment Value Security by Business Function spreadsheet.
For example, you can define the following types of segment value access rule assignments for Assets users who require access to certain secured account values:
| Access Type | Business Function | Security Context | Security Context Value |
|---|---|---|---|
| Global access | All business functions | All security contexts | All security context values |
| Access for Assets business function only | Assets | Asset book | All security context values |
| Access for specific asset book | Assets | Asset book | Name of asset book |
Assign the access type according to the type if access each user needs:
- Global access: Assign to users with responsibilities in multiple business functions such as Assets, Oracle Payables, and Oracle General Ledger, and who require access to the same specified segment account values for all their assigned asset books, business units, and ledgers.
- Access for Assets business function only: Assign to users with only Assets responsibility who require access to the same specified segment account values for all their assigned asset books.
- Access for specific asset book: Assign to users with only Assets responsibility who require access to the specified segment account values for a specific asset book.
Generally, you should create dedicated segment value security roles for data security policies to grant access to secured segment account values to Assets users. Never directly create segment value data security policies with job roles such as Asset Accountant or Asset Accounting Manager, because these roles are likely to be shared among all Assets users, and these users are likely to have different chart of accounts segment value security profiles. The dedicated segment value security roles with their secured segment values can be assigned and even shared with the corresponding users based on their particular segment value access requirements.
Secured segment account values can be granted with these access levels:
- Read and Write: Provides access to create, update, view accounting for, inquire on, and report on Assets transactions that reference the account values granted.
- Read Only: Provides access to view accounting for, inquire on, and report on Assets transactions that reference the account values granted.
Segment Value Security Enforcement in Assets Transactions
Segment value security is generally enforced in Oracle Assets in transactions that directly include the chart of accounts element.
It has no impact on transactions in which actions don't directly involve the chart of accounts, such as cost adjustments, category changes, source line transfers, and suspend or resume depreciation transactions. When searching in pages such as the Adjust Assets and Asset Inquiry pages, it retrieves all asset records without regard to the account values referenced in the distribution lines associated with each asset, and only considers the asset book's element of data security control.
Segment value security is enforced in Assets as follows:
- Users with read and write access to certain account values can take these actions on
asset records that reference those account values:
- Add an asset
- Prepare source lines
- Record unplanned depreciation
- Transfer an asset
- Make unit adjustments
- Create a lease
- Change the financial terms of a lease
- Users with read-only access to certain account values can take these actions on
asset records that reference those account values:
- View distributions and accounting lines
- Run reports
- Segment value security isn't enforced:
- In Assets setup pages, such as Manage Assets Books, Manage Asset Categories, and Manage Distribution Sets, even though these pages involve the chart of accounts element.
- For submitted processes such as Post Mass Additions and Create Accounting.
Example of Segment Value Security by Business Function
The following setup example illustrates how enforcement by segment value security by business function works in Oracle Assets.
You must assign the rules to users for them to have access to the secured account values. If no rules are assigned to a user, the user has access to all the account values.
In this example, user SANJAY has no rule assignments; SANJAY has access to all secured rule account values for the asset books SANJAY has access to.
User KUMAR has access to two asset books: FIN CONSULTING CORP and HR CONSULTING CORP. This table shows the access setup for KUMAR.
| User | Role | Business Function | Asset Book | Security Context Value | Access Level |
|---|---|---|---|---|---|
| KUMAR | FA_SVSBF_CUSTOM_ROLE | Assets | HR CONSULTING CORP | 3111, 3888 | Read and Write |
| KUMAR | FA_SVSBF_CUSTOM_ROLE | Assets | FIN CONSULTING CORP | 3121, 3999 | Read and Write |
| KUMAR | FA_SVSBF_CUSTOM_ROLE | Assets | HR CONSULTING CORP | 3121, 3999 | Read Only |
| KUMAR | FA_SVSBF_CUSTOM_ROLE | Assets | FIN CONSULTING CORP | 3111, 3888 | Read Only |
Asset additions:
For the write action of asset additions, in the book HR CONSULTING CORP, KUMAR has read and write access to company 3111 and 3888. Therefore, KUMAR can add assets using these account values for that asset book. KUMAR also has read only access to the companies 3121 and 3999. Even though KUMAR has read access to these values, KUMAR can use only 3111 and 3888 to perform asset additions in this book.
In the asset book FIN CONSULTING CORP, KUMAR has read and write access to the companies 3121 and 3999. Therefore, KUMAR can add assets using these account values.
Edit source lines:
In the asset book FIN CONSULTING CORP, KUMAR has read and write access to the companies 3121 and 3999. KUMAR can edit the Depreciation Expense Account using the accounts KUMAR has read and write access to.
In the book FIN CONSULTING CORP, KUMAR has read-only access to company 3888. KUMAR can't edit this depreciation expense account and can only view it.
Transaction Account Builder in Assets:
In Assets, segment value security isn't enforced in the Transaction Account Builder, which is used to drive the depreciation expense account for mass addition lines. This process defaults accounts based on the rules configured by the organization and isn't subject to the limitations of a user's secured account grants.
Asset transfers:
In the book FIN CONSULTING CORP, KUMAR has read and write access to company 3999. Therefore, KUMAR can transfer the asset that references that account in the FIN CONSULTING CORP asset book.
In the book FIN CONSULTING CORP, KUMAR has no access to company 4111 and has read and write access only to the values for company 3121 and 3999. Therefore, KUMAR can't transfer an asset that references values in company 4111.
Example of Accounting in Oracle Assets
In the asset book FIN CONSULTING CORP, among the accounts user KUMAR is granted, KUMAR has read and write access to company 3999 and read-only access to company 3111.
Therefore, when viewing accounting lines for asset records, KUMAR can view all lines that reference accounts KUMAR has read and write and read-only access to.
In the asset book FIN CONSULTING CORP, any user other than KUMAR, who's assigned rules that don't include 3111 and 3999, can't view these accounting transactions.
Example of Reports in Oracle Assets
In the book FIN CONSULTING CORP, KUMAR has read and write access to companies 3121 and 3999, and read-only access to companies 3111 and 3888.
Therefore, KUMAR can report on asset records that reference these four account values for that asset book. KUMAR can't run reports for any values other than those that KUMAR has read and read and write access to.