Enforcement of Segment Value Security by Business Function
These examples illustrate key points about how segment value security by business function enforcement works when using the following types of General Ledger features that involve the chart of accounts:
- Journal entry
- Submission of the predefined Oracle Analytics Publisher Trial Balance Report using the Scheduled Processes page
- Balances cube-based online inquiry using Account Monitor
- Balances cube-based inquiry using Smart View
For all examples, the General Ledger business function has been enabled for security enforcement and the Company, Cost Center, and Natural Account segments of the chart of accounts have been secured. These examples will focus on the segment value security rules for the Natural Account segment.
Here are some more characteristics of the chart of accounts.
- The first segment is the Company segment, the second is the Line of Business segment, the third is the Account segment, the fourth is the Cost Center segment, and the fifth is the Product segment.
- Asset type account values start with 1, Liability type account values start with 2, Owner’s Equity type accounts start with 3, Revenue type accounts start with 4, and Expense type accounts start with 5.
There are 3 users: CCLARK, LLOPEZ, and PPATEL. Both CCLARK and PPATEL not only manage the financial accounting for their region, but they’re also responsible for calculating the global bad debt reserve. They require full read and write access to all accounts when working with the financial data specific to their assigned region but should have read and write access to just certain accounts for the worldwide financial data related to calculating the global bad debt reserve. For example, PPATEL’s configuration mirrors such access requirements with the two data access set assignments.
The following tables provide details on the ledger sets, account access, security profiles, rules, and rule assignments for the examples that follow.
This table lists the ledger sets and their corresponding ledgers.
Ledger Set | Ledgers |
---|---|
Vision Corporation North America | Vision Corporation Canada, Vision Corporation USA |
Vision Corporation Global | Vision Corporation Canada, Vision Corporation USA, Vision Corporation Japan |
This table describes the Natural Account segment values for the secured chart of accounts that will be used in the rule assignments.
Account or Account Range | Account Description | Parent |
---|---|---|
12010 - 12999 | Bad debt reserve accounts | No |
REV | Revenue accounts | Yes |
EXP | Expense accounts | Yes |
88888 | Net Equity All Balance Sheet Accounts | Yes |
This table describes the security profile for each user.
User Name | Functional Role | Assigned Data Access Sets | Allowed Accounts | Access Level |
---|---|---|---|---|
CCLARK | General Ledger Manager | Vision Corporation Global | All | Read and write |
LLOPEZ | Financial Analyst Ledger | Vision Corporation USA | All nonrevenue | Read only |
PPATEL | General Ledger Analyst | Vision Corporation North America, Vision Corporation Global | All for Vision Corporation North America data access set, Bad debt and revenue for Vision Corporation Global data access set | Read and write |
The following tables describe the rules and user rule assignments for the secured chart of accounts, Account segment, and Account Vision Corporation value set that were defined to provide access to the users according to their security profile.
This table lists the attribute values that were entered on the Rules worksheet, except for the Policy Description.
Row | Policy Name | Role Name | Operator | From Value | To Value | Tree Code | Tree Version |
---|---|---|---|---|---|---|---|
1 | PPATEL Bad Debt and Revenue Accounts | PPATEL Role | Between | 12010 | 12999 | This field is blank. | This field is blank. |
2 | PPATEL Bad Debt and Revenue Accounts | PPATEL Role | Is descendant of | REV | This field is blank. | Account Vision Corporation | Account Vision Corporation Current |
3 | LLOPEZ Nonrevenue Accounts | LLOPEZ Role | Is descendant of | 88888 | This field is blank. | Account Vision Corporation | Account Vision Corporation Current |
4 | LLOPEZ Nonrevenue Accounts | LLOPEZ Role | Is descendant of | EXP | This field is blank. | Account Vision Corporation | Account Vision Corporation Current |
This table lists the attribute values that were entered on the Rule Assignments worksheet.
User Name | Policy Name | Role Name | Business Function | Security Context | Security Context Value | Access Level |
---|---|---|---|---|---|---|
PPATEL | PPATEL Bad Debt and Revenue Accounts | PPATEL Role | General Ledger | Data access set | Vision Corporation Global | Read and write |
LLOPEZ | LLOPEZ Nonrevenue Accounts | LLOPEZ Role | General Ledger | Data access set | Vision Corporation USA | Read only |
Journal Entry
This example is based on the setup outlined in the Enforcement of Segment Value Security by Business Function topic.
It shows how segment value security by business function is enforced for users CCLARK, LLOPEZ, and PPATEL when they’re using a transaction entry feature like General Ledger journal entry on the Create or Edit Journal pages.
Let’s start with CCLARK. Here’s a summary of CCLARK’s security profile.
- Assigned Data Access Set: Vision Corporation Global
- Allowed Accounts: All
- Access Level: Read and write
This profile highlights the default grant: all users have read and write access to all account values of a secured value set unless they’re given a specific rule assignment that limits their access to certain account values. CCLARK, LLOPEZ, and PPATEL have no rule assignments for the secured Company and Cost Center segments, so they have access to all Company and Cost Center values on a read and write basis. This makes it efficient to maintain rules and rule assignments because you only need to maintain such configurations for users whose access must be limited to certain secured accounts.
CCLARK is on the Edit Journal page, reviewing an unposted journal for the Vision Corporation USA ledger. This table shows the journal line numbers, accounts, and entered amounts that CCLARK can view.
Line | Account | Entered (USD) Debit | Entered (USD) Credit |
---|---|---|---|
1 | 3111-00-11010-000-0000 | 1,000.00 | 0.00 |
2 | 3111-00-12010-000-0000 | 1,000.00 | 0.00 |
3 | 3111-00-21010-000-0000 | 0.00 | 1,000.00 |
4 | 3111-00-31001-000-0000 | 0.00 | 1,000.00 |
5 | 3111-00-40110-000-0000 | 0.00 | 1,000.00 |
6 | 3111-00-52110-000-0000 | 1,000.00 | 0.00 |
NA | Total | 3,000.00 | 3,000.00 |
CCLARK can view every journal line, each of which references a different account segment value. With read and write access to all these accounts, CCLARK can also edit the existing lines, add new lines to the journal entry, and create a new journal entry for any account.
Let’s now review how this same journal entry would appear to the user LLOPEZ. Here’s a summary of LLOPEZ’s security profile.
- Assigned Data Access Set: Vision Corporation USA
- Allowed Accounts: All nonrevenue
- Access Level: Read only
This table shows the journal line numbers, accounts, and amounts for the unposted journal that LLOPEZ can view.
Line | Account | Entered (USD) Debit | Entered (USD) Credit |
---|---|---|---|
1 | 3111-00-11010-000-0000 | 1,000.00 | 0.00 |
2 | 3111-00-12010-000-0000 | 1,000.00 | 0.00 |
3 | 3111-00-21010-000-0000 | 0.00 | 1,000.00 |
4 | 3111-00-31001-000-0000 | 0.00 | 1,000.00 |
6 | 3111-00-52110-000-0000 | 1,000.00 | 0.00 |
NA | Total | 3,000.00 | 3,000.00 |
Journal line 5 won’t display because it’s for a revenue account. In addition, LLOPEZ has read-only access to the nonrevenue accounts and can only view the journal information. LLOPEZ can’t edit the existing lines, add new lines, or create journals. LLOPEZ also can’t select any full account combination because of the read-only access to nonrevenue accounts of the secured Natural Account segment.
Finally, let’s review how this same journal entry appears to PPATEL. Here’s a summary of PPATEL’s security profile.
- Assigned Data Access Set: Vision Corporation North America, Vision Corporation Global
- Allowed Accounts: All for Vision Corporation North America data access set, Bad debt and revenue for Vision Corporation Global data access set
- Access Level: Read and write
PPATEL has access to the Vision Corporation USA ledger through both data access sets and has different access profiles for each data access set.
Here are some key points.
- A user’s access to a secured chart of accounts segment value set can be differentiated, if required, for each business function and security context the user works with. This allows great flexibility in fine-tuning a user’s access to secured account values in as specific a manner as required by configuring the rule assignments accordingly.
- The users PPATEL and CCLARK share the same Vision Corporation Global data access set. However, while CCLARK has access to all accounts with that data access set, PPATEL’s access is restricted to bad debt and revenue accounts for that same data access set. This highlights the concept that user rule assignments are specific to a given user and the specified data access set in the rule’s security context value attribute, in the case of General Ledger.
A user rule assignment has a set of qualifiers as to when or how the referenced policy will apply, relevant to the specified user. The same notion applies with user rule assignments for the other types of security contexts, such as business units, asset books, and intercompany organization, and their relevant security context values, for their applicable business functions of Payables, Receivables, Asset Books, and Intercompany.
While using the Vision Corporation North America data access set, PPATEL can see every line of the unposted journal entry. Moreover, PPATEL can edit any of the journal lines.
This table shows the journal line numbers, accounts, and entered amounts that user PPATEL can view and edit.
Line | Account | Entered (USD) Debit | Entered (USD) Credit |
---|---|---|---|
1 | 3111-00-11010-000-0000 | 1,000.00 | 0.00 |
2 | 3111-00-12010-000-0000 | 1,000.00 | 0.00 |
3 | 3111-00-21010-000-0000 | 0.00 | 1,000.00 |
4 | 3111-00-31001-000-0000 | 0.00 | 1,000.00 |
5 | 3111-00-40110-000-0000 | 0.00 | 1,000.00 |
6 | 3111-00-52110-000-0000 | 1,000.00 | 0.00 |
NA | Total | 3,000.00 | 3,000.00 |
While using the Vision Corporation Global data access set, PPATEL’s access is limited to the bad debt and revenue accounts. This table shows the journal line numbers, accounts, and entered amounts that user PPATEL can view and edit.
Line | Account | Entered (USD) Debit | Entered (USD) Credit |
---|---|---|---|
2 | 3111-00-12010-000-0000 | 1,000.00 | 0.00 |
3 | 3111-00-40110-000-0000 | 0.00 | 1,000.00 |
NA | Total | 3,000.00 | 3,000.00 |
PPATEL can view and edit these journal lines and create journals with the bad debt and revenue accounts.
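The following Python sketch is an added illustration, not Oracle code: it models the Rules and Rule Assignments worksheets above and evaluates them against the example journal, including the default grant when a user has no rule assignment for the selected data access set. The account tree is constructed for the example (the page names the parents REV, EXP, and 88888 from the segment values table but doesn't list their children), and only the Natural Account segment is evaluated because no user has rule assignments for the other secured segments.

```python
from dataclasses import dataclass

# Constructed hierarchy (assumption): the page names the parents REV, EXP and
# 88888 but does not list their child values.
TREE = {"REV": ["40110"], "EXP": ["52110"],
        "88888": ["11010", "12010", "21010", "31001"]}

@dataclass(frozen=True)
class Rule:                      # one row of the Rules worksheet
    policy: str
    operator: str                # "Between" or "Is descendant of"
    from_value: str
    to_value: str = ""

@dataclass(frozen=True)
class Assignment:                # one row of the Rule Assignments worksheet
    user: str
    policy: str
    business_function: str
    context_value: str           # the data access set
    access_level: str

RULES = [
    Rule("PPATEL Bad Debt and Revenue Accounts", "Between", "12010", "12999"),
    Rule("PPATEL Bad Debt and Revenue Accounts", "Is descendant of", "REV"),
    Rule("LLOPEZ Nonrevenue Accounts", "Is descendant of", "88888"),
    Rule("LLOPEZ Nonrevenue Accounts", "Is descendant of", "EXP"),
]
ASSIGNMENTS = [
    Assignment("PPATEL", "PPATEL Bad Debt and Revenue Accounts",
               "General Ledger", "Vision Corporation Global", "Read and write"),
    Assignment("LLOPEZ", "LLOPEZ Nonrevenue Accounts",
               "General Ledger", "Vision Corporation USA", "Read only"),
]
# The unposted journal from the example: (line number, account combination).
JOURNAL = [(1, "3111-00-11010-000-0000"), (2, "3111-00-12010-000-0000"),
           (3, "3111-00-21010-000-0000"), (4, "3111-00-31001-000-0000"),
           (5, "3111-00-40110-000-0000"), (6, "3111-00-52110-000-0000")]

def descendants(parent):
    """All values below a parent in the (constructed) account tree."""
    found, stack = set(), [parent]
    while stack:
        for child in TREE.get(stack.pop(), []):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found

def rule_matches(rule, account):
    if rule.operator == "Between":
        # Fixed-width values, so string comparison orders them correctly.
        return rule.from_value <= account <= rule.to_value
    if rule.operator == "Is descendant of":
        return account in descendants(rule.from_value)
    raise ValueError(f"unsupported operator: {rule.operator}")

def access(user, data_access_set, account, function="General Ledger"):
    """Return the access level for one natural account, or None if denied."""
    mine = [a for a in ASSIGNMENTS if (a.user, a.business_function,
            a.context_value) == (user, function, data_access_set)]
    if not mine:
        return "Read and write"  # default grant: no assignment in this context
    for a in mine:               # first matching assignment wins (assumption)
        if any(r.policy == a.policy and rule_matches(r, account) for r in RULES):
            return a.access_level
    return None

def visible_lines(user, data_access_set):
    """Journal line numbers whose third (Account) segment the user may see."""
    return [n for n, combo in JOURNAL
            if access(user, data_access_set, combo.split("-")[2])]
```

Calling `visible_lines` for each user and data access set pairing returns the line numbers a reviewer can compare against an intended access matrix before the rules are loaded.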
Standard Reports
This example is based on the setup outlined in the Enforcement of Segment Value Security by Business Function topic.
It shows how segment value security by business function is enforced for users CCLARK, LLOPEZ, and PPATEL when they’re submitting the Trial Balance Report for General Ledger on the Scheduled Processes page.
When users submit the report, they must select one of their assigned data access sets. This selection sets the scope for which ledger the report is to be submitted. For segment value security by business function with a secured chart of accounts, the data access set is also the basis for determining if there are applicable user rule assignments that would limit the accounts whose balances should be included in the generated report for that user.
The report will be submitted for the same Vision Corporation USA ledger and will focus on the secured Natural Account segment. The users LLOPEZ and PPATEL have user rule assignments that limit access to some natural account values.
Let’s start with CCLARK and the summary of CCLARK’s security profile.
- Assigned Data Access Set: Vision Corporation Global
- Allowed Accounts: All
- Access Level: Read and write
When CCLARK submits the report for the Vision Corporation USA ledger using the assigned Vision Corporation Global data access set, the report output displays balances for all the natural account values. Having read and write access to secured account values provides CCLARK with the ability to inquire and report on transactions and balances, as well as create transactions and update balances for these accounts.
This table shows the accounts, descriptions, and balances on the Trial Balance report for the Vision Corporation USA ledger that CCLARK can view.
Account | Description | Beginning Balance (USD) | Debits (USD) | Credits (USD) | Ending Balance (USD) |
---|---|---|---|---|---|
11010 | Cash | 0.00 | 90,000.00 | 0.00 | 90,000.00 |
12010 | Bad Debt Reserve | 0.00 | 10,000.00 | 0.00 | 10,000.00 |
21010 | Accounts Payable | 0.00 | 0.00 | 20,000.00 | -20,000.00 |
31001 | Common Stock | 0.00 | 0.00 | 50,000.00 | -50,000.00 |
40110 | White Wine Revenue | 0.00 | 0.00 | 60,000.00 | -60,000.00 |
52110 | Cost of Goods Sold – White Wines | 0.00 | 30,000.00 | 0.00 | 30,000.00 |
Total | NA | 0.00 | 130,000.00 | 130,000.00 | 0.00 |
Next, let’s look at the report for the user LLOPEZ. Here’s a summary of LLOPEZ’s security profile.
- Assigned Data Access Set: Vision Corporation USA
- Allowed Accounts: All nonrevenue
- Access Level: Read only
Having read-only access to the secured account values provides the ability to inquire and report on their transactions and balances. The report doesn’t include the Revenue account because LLOPEZ’s grants to the secured Natural Account segment for the chart of accounts don’t include revenue accounts.
This table shows the accounts, descriptions, and balances on the Trial Balance report for the Vision Corporation USA ledger that LLOPEZ can view.
Account | Description | Beginning Balance (USD) | Debits (USD) | Credits (USD) | Ending Balance (USD) |
---|---|---|---|---|---|
11010 | Cash | 0.00 | 90,000.00 | 0.00 | 90,000.00 |
12010 | Bad Debt Reserve | 0.00 | 10,000.00 | 0.00 | 10,000.00 |
21010 | Accounts Payable | 0.00 | 0.00 | 20,000.00 | -20,000.00 |
31001 | Common Stock | 0.00 | 0.00 | 50,000.00 | -50,000.00 |
52110 | Cost of Goods Sold – White Wines | 0.00 | 30,000.00 | 0.00 | 30,000.00 |
Total | NA | 0.00 | 130,000.00 | 70,000.00 | 60,000.00 |
Lastly, let’s look at the output for the user PPATEL. Here’s a summary of PPATEL’s security profile.
- Assigned Data Access Set: Vision Corporation North America, Vision Corporation Global
- Allowed Accounts: All for Vision Corporation North America data access set, Bad debt and revenue for Vision Corporation Global data access set
- Access Level: Read and write
When PPATEL runs the report using the Vision Corporation North America data access set, where PPATEL has read and write access to all accounts, the report output displays all the accounts that have balances for the Vision Corporation USA ledger.
This table shows the accounts, descriptions, and balances on the Trial Balance report for the Vision Corporation USA ledger that PPATEL can view when submitting the report for the Vision Corporation North America data access set.
Account | Description | Beginning Balance (USD) | Debits (USD) | Credits (USD) | Ending Balance (USD) |
---|---|---|---|---|---|
11010 | Cash | 0.00 | 90,000.00 | 0.00 | 90,000.00 |
12010 | Bad Debt Reserve | 0.00 | 10,000.00 | 0.00 | 10,000.00 |
21010 | Accounts Payable | 0.00 | 0.00 | 20,000.00 | -20,000.00 |
31001 | Common Stock | 0.00 | 0.00 | 50,000.00 | -50,000.00 |
40110 | White Wine Revenue | 0.00 | 0.00 | 60,000.00 | -60,000.00 |
52110 | Cost of Goods Sold – White Wines | 0.00 | 30,000.00 | 0.00 | 30,000.00 |
Total | NA | 0.00 | 130,000.00 | 130,000.00 | 0.00 |
When PPATEL runs the report using the Vision Corporation Global data access set, where PPATEL has read and write access to the bad debt and revenue accounts, only the balances for those two accounts appear in the report output.
This table shows the accounts, descriptions, and balances on the Trial Balance report for the Vision Corporation USA ledger that PPATEL can view when submitting the report for the Vision Corporation Global data access set.
Account | Description | Beginning Balance (USD) | Debits (USD) | Credits (USD) | Ending Balance (USD) |
---|---|---|---|---|---|
12010 | Bad Debt Reserve | 0.00 | 10,000.00 | 0.00 | 10,000.00 |
40110 | White Wine Revenue | 0.00 | 0.00 | 60,000.00 | -60,000.00 |
Total | NA | 0.00 | 10,000.00 | 60,000.00 | -50,000.00 |
This example with the user PPATEL illustrates how segment value security rule assignments for a user can be configured in a manner that precisely grants access to secured accounts for a specific data security context value, such as a data access set in the General Ledger module.
Account Monitor Inquiries
This example is based on the setup outlined in the Enforcement of Segment Value Security by Business Function topic and focuses on the user PPATEL.
The Account Monitor is an online inquiry tool for reviewing a ledger’s account balances.
Users can view summarized account balances rolled up by parent account values and can save their inquiries in the form of account groups. The inquiry results are projected in the Account Monitor. Balances are based on the General Ledger balances cube where balances aggregation is maintained according to the hierarchies for the different data dimensions, including dimensions based on the chart of accounts segments.
Here’s a summary of PPATEL’s security profile.
- Assigned Data Access Sets: Vision Corporation North America, Vision Corporation Global
- Allowed Accounts: All for Vision Corporation North America, Bad debt and revenue for Vision Corporation Global
- Access Level: Read and write
The account group in this example inquires on a set of account balances for the Vision Corporation USA ledger, with individual natural account values in each row.
When the user PPATEL views the account balances in the Account Monitor using the Vision Corporation North America data access set, all account balances are displayed. This is because PPATEL has read and write access to all Natural Account segment values for the secured chart of accounts.
This table shows the account segment values that the user PPATEL can view in the Account Monitor. The Company, Line of Business, Cost Center, and Product columns are excluded from the table because PPATEL has access to all those segment values.
Name | Ledger | Account |
---|---|---|
Bad Debt Reserve | Vision Corporation USA | 12010 |
Accounts Payable | Vision Corporation USA | 21010 |
Common Stock | Vision Corporation USA | 31000 |
Revenue | Vision Corporation USA | 40110 |
Expense | Vision Corporation USA | 52110 |
When the user PPATEL views the account balances in the Account Monitor using the Vision Corporation Global data access set, only balances from the bad debt and revenue accounts display. This is because PPATEL has read and write access to only the bad debt and revenue Natural Account segment values for the secured chart of accounts.
This table shows the account segment values that the user PPATEL can view in the Account Monitor. The Company, Line of Business, Cost Center, and Product columns are excluded from the table because PPATEL has access to all those segment values.
Name | Ledger | Account |
---|---|---|
Bad Debt Reserve | Vision Corporation USA | 12010 |
Revenue | Vision Corporation USA | 40110 |
Smart View Inquiries
This example is based on the setup outlined in the Enforcement of Segment Value Security by Business Function topic and focuses on the user PPATEL.
It shows how segment value security by business function is enforced in an inquiry tool that’s launched outside of the main General Ledger application. Security enforcement is applied just like in the main application, except there are some considerations when the data access set for the user changes.
Smart View is a spreadsheet-based tool for inquiring on General Ledger account balances data that are stored in the General Ledger balances cube. The General Ledger balances cube is where balances aggregation is maintained according to the hierarchies for the different data dimensions, including dimensions based on the chart of accounts segments.
Here’s a summary of PPATEL’s security profile.
- Assigned Data Access Sets: Vision Corporation North America, Vision Corporation Global
- Allowed Accounts: All for Vision Corporation North America, Bad debt and revenue for Vision Corporation Global
- Access Level: Read and write
When the user PPATEL views the account balances in Smart View using the Vision Corporation North America data access set, all account balances are displayed. This is because PPATEL has read and write access to all the secured Natural Account segment values for the secured chart of accounts.
This table shows the accounts and balances that the user PPATEL can view in the Smart View inquiry for the Vision Corporation USA ledger when using the Vision Corporation North America data access set. The point of view for the inquiry includes all values for the Company, Line of Business, Cost Center, and Product segments.
Account | Vision Corporation USA |
---|---|
11010 – Cash | 90000 |
12010 – Bad Debt Reserve | 10000 |
21010 – Account Payable | -20000 |
31000 – Common Stock | -50000 |
40110 – Revenue | -60000 |
52110 – Expense | 30000 |
When the user PPATEL views the account balances in Smart View using the Vision Corporation Global data access set, only balances from the bad debt and revenue accounts display. This is because PPATEL has read and write access to only the bad debt and revenue Natural Account segment values for the secured chart of accounts.
This table shows the accounts and balances that the user PPATEL can view in the Smart View inquiry for the Vision Corporation USA ledger when using the Vision Corporation Global data access set. The point of view for the inquiry includes all values for the Company, Line of Business, Cost Center, and Product segments.
Account | Vision Corporation USA |
---|---|
11010 – Cash | #No Access |
12010 – Bad Debt Reserve | 10000 |
21010 – Account Payable | #No Access |
31000 – Common Stock | #No Access |
40110 – Revenue | -60000 |
52110 – Expense | #No Access |
When users work with reporting tools for the General Ledger balances cube such as Smart View and Financial Reporting, which are outside of the main application, there’s no explicit data access set selection. Users must change the data access set within the main application by using the data access set selector or by changing the data access set in General Ledger preferences.
After changing the data access set, users can click Refresh in the Point of View section of the Smart View spreadsheet to register the data access set selection change. For Financial Reporting, users can rerun the report. Taking these steps ensures that the correct segment value security grants are applied to the reports with these reporting tools based on the current data access set selection.