Data Access Sets
For General Ledger, data access sets provide users with access to one or more ledges and serve as a core and required data security mechanism.
Data access sets are a fundamental data security control object that always apply in General Ledger and are unique to the General Ledger module. They include the following attributes:
- Access Set Type
- Access Level
Here are the access set types.
- Full Ledger: This type provides access to an entire ledger. It can include one or
more ledgers as well as ledger sets. When a ledger set is added to a Full Ledger
data access set, access to all the ledgers in the ledger set are granted in full.
Whenever a new ledger or ledger set is created, the application automatically creates an implicit data access set for it. This is a nonupdatable data access set. An explicit data access set can also be created for one or more ledgers, or ledger sets, or both. Explicit data access sets are updatable.
- Primary Balancing Segment Value: This type provides access to one or more primary
balancing segment values of a ledger or ledger set.
You can specify a single or parent value. If you specify a parent value, the data access set provides access to all the single values that roll up to that parent value. The parent value is evaluated based on the current version of the hierarchy associated with the primary balancing segment in the chart of accounts definition.
Here are the access levels.
- Read Only: Even if a user carries the functional privilege to use certain write-level functions, such as the ability to create a journal, the user will be prevented from taking any action that will update General Ledger transactions and balances for a given ledger or primary balancing segment value, depending on the definition of the read-only data access set.
- Read and Write
Using Primary Balancing Segment Value-Based Data Access Sets with a Secured Primary Balancing Segment
For segment value security by business function, data access sets serve as the security context basis for the General Ledger module.
For the Subledger Accounting module, to the extent that there’s a touchpoint with the General Ledger module, the data access set also plays an indirect role in establishing a user’s data security and it’s used to establish a user’s ledger and ledger set access scope.
If you enable segment value security by business function for the value set of a chart of accounts primary balancing segment and also use the data access set type of Primary Balancing Segment Value, the two data security control elements, including their access levels, will apply to those primary balancing segments in General Ledger.
Instead, limit the implementation of data security control of primary balancing segment values to one of these two methods:
- Data access sets with an access set type of Primary Balancing Segment Value
- Segment value security by business function enabled on the primary balancing segment of the chart of accounts.
Here are some guidelines on which of the two methods to use.
- If security on the primary balancing segment of the chart of accounts will always only be required in the General Ledger module, then use Primary Balancing Segment Value-based data access sets alone to specifically control primary balancing segment values access in General Ledger. Data access sets and Primary Balancing Segment Value-based data access sets are unique in usage for data security control in the General Ledger module.
- If security on the primary balancing segment of the chart of accounts is also required in other product modules besides General Ledger, then enable segment value security by business function on the primary balancing segment of the chart of accounts. This is the only option that applies to all product modules. Avoid using Primary Balancing Segment Value-based data access sets for General Ledger in this case and only use the Full Ledger access type of data access sets.
How Data Security Works When Using Primary Balancing Segment Value-Based Data Access Sets with a Secured Primary Balancing Segment
If you don’t follow the recommended best practice described in the Using Primary Balancing Segment Value-Based Data Access Sets with a Secured Primary Balancing Segment topic, and instead use both Primary Balancing Segment Value-Based data access sets along with a secured primary balancing segment, here’s a summary of how data security works followed by examples.
For features directly based on the General Ledger balances cube, a user’s access to primary balancing segment values will be based on the cumulative union of the two data security control methods.
For features indirectly based on the General Ledger balances cube, a user’s access to primary balancing segment values will be based on the intersection of the two data security control methods.
Example of Primary Balancing Segment Value Access for Features Directly Based on Balances Cubes
Most balances cube-based features in General Ledger pertain to reporting or inquiry functions. That is, they're read-only type functions. For read-only features, the rules assigned to a user on both a read-only and read and write basis will apply.
The following General Ledger features are directly based on General Ledger balances cube.
- Account Groups and Account Monitor
- Account Inspector
- Allocations
- Close Monitor Summary Income Statement
- Correct Budget Import Errors
- Create Budgets in Spreadsheet
- Financial Reporting
- Inquire and Analyze Balances
- Inquire and Analyze Average Balances
- Inquire on Detail Balances
- Oracle Transactional Business Intelligence (OTBI): General Ledger Balances Real Time and Average Daily Balances Real Time Subject Areas
- Revenue, Expenses and Allocations Infolets
- Smart View
From this list, only Allocations, Create Budgets in Spreadsheet and Correct Budget Import Errors are features that are of a read and write nature. Segment value security enforcement won't be applied for them. These features have an element of import and are considered more like back-end processes.
For features that are based directly on balances cubes, a user can access the cumulative primary balances segment values that are granted through both methods.
The application evaluates each method separately. It determines which ledgers a user has access to based on the data access set, as well as the primary balancing segment values granted in the case of Primary Balancing Segment Value-based data access sets. It then separately determines which primary balancing segment values a user has access to for the secured primary balancing segment based on that user’s applicable segment value security by business function grants.
The result is that a user gets access to the cumulative primary balancing segment values from the data access sets and segment value security by business function grants across all ledgers and ledger sets included in those data access sets.
Here’s an example.
This table shows the access set assignments for the Vision Corporation Global data access set. This access set has a type of Primary Balancing Segment Value.
| Ledger or Ledger Set | Type | Specific Value | Segment Value | Privilege |
|---|---|---|---|---|
| Vision Corporation Global | Ledger | Single Value | 3111 | Read and Write |
| Vision Corporation Global | Ledger | Single Value | 3121 | Read Only |
This table shows the key attribute values on the Rules worksheet for the secured value set of the Company primary balancing segment.
| Policy Name | Role Name | Operator | From Value |
|---|---|---|---|
| CCLARK EQ 3111 | CCLARK Role | Equal to | 3111 |
| CCLARK EQ 4888 | CCLARK Role | Equal to | 4888 |
This table shows the key attribute values on the related Rule Assignments worksheet.
| User Name | Policy Name | Role Name | Business Function | Security Context | Security Context Value | Access Level |
|---|---|---|---|---|---|---|
| CCLARK | CCLARK EQ 3111 | CCLARK Role | General Ledger | Data access set | Vision Corporation Global | Read and write |
| CCLARK | CCLARK EQ 4888 | CCLARK Role | General Ledger | Data access set | All security context values | Read and write |
Example of Primary Balancing Segment Value Access for Features Not Based on Balances Cubes
All General Ledger features that aren't specifically mentioned in the Example of Primary Balancing Segment Value Access for Features Directly Based on Balances Cubes topic are associated with relational database tables.
Using the data access set and rules setup from the previous example, when the user CCLARK selects the Vision Corporation Global data access set in a General Ledger feature that's not based on the balances cube, the only primary balancing segment value that CCLARK can work with is 3111. That's because value 3111 is the only primary balancing segment value that’s granted in both the Primary Balancing Segment Value-based data access set and in the segment value security by business function assignment.
When reviewing and editing a journal entry using that same data access set, the user CCLARK will see only the journal lines with account combinations that refer to Company 3111.
Read-Only Data Access Sets with Segment Value Security
When working with read-only data access sets at the ledger level, the entire ledger is read-only for a user.
Having read and write access to account values to any secured segments of its chart of accounts would be irrelevant. The access level to those accounts in that ledger will effectively still be read only because the user’s access to that whole ledger, per the data access set, is read only.