Reporting on General Ledger Balances Cubes Reports with Account Hierarchies
General Ledger balances cubes are differentiated by unique combinations of a chart of accounts and an accounting calendar.
Balances cubes maintain summarized account balances for all trees and tree versions, and for all chart of account dimensions that are published to those balances cubes. The detail account balances for those published trees and tree versions are summarized according to defined account hierarchy rollups.
Trees and tree versions are defined in the application to represent date effective versions of account hierarchies. They’re organized for different purposes, for example, for statutory versus management reporting, with each tree version being assigned an effective date range.
However, this date effectivity isn’t an actual attribute in balances cubes. Instead, it’s an implied characteristic. Users need to know the significance of each tree and tree version that they select and which effective date of the organization’s rollup those tree versions represent. This helps facilitate performing year-over-year comparisons of financials results.
For example, this user-determined control allows organizations to report on fiscal year 23 versus fiscal year 22 financial results using the same tree version rollup for parent account values on both sets of numbers so that there's a consistent comparison between them.
A user can have a choice of reporting on both years' results using last year's tree version rollup for parent account values, or both using the current year's tree version rollup. They can even report on fiscal year 22 results using the fiscal year 22 rollup with the fiscal year 23 results using the fiscal year 23 rollup, if that's what’s required.
Segment Value Security Rules Based on Account Hierarchies
You can refer to account hierarchies in segment value security by business function policies as an efficient way of granting access to secured account values.
Use the hierarchical operators Is descendant of and Is last descendant of, along with a specified tree, to allow references to parent account values in a security rule condition. This means that a grant provides access to that parent value and all its descendants (with the Is Descendant of operator) or to that parent and its’ detail values descendants (with the Is last descendant of operator), according to the account hierarchy that’s defined for the applicable tree code and tree version.
While a distinct tree code is associated with each segment in a chart of accounts, as specified through the Default Hierarchy value in the chart of accounts structure setup, a security rule can refer to any tree (hierarchy) that’s defined for the secured value set.
The tree version that you specify in a rule is just for the purposes of determining which parent values you can select from to then attach to the security rule condition. At runtime, the application applies date effectivity to identify the version of the tree referenced in the rule whose effective dates intersect with the current system date. Based on this tree version, the application derives the list of accessible descendant account values for the referenced parent value of that tree that are granted by that hierarchical security rule assignment.
For inquiring and reporting in balances cubes, these security grants apply across all versions of the specified hierarchy, as well as all hierarchies associated with the same value set of the specified hierarchy that are published to the GL balances cube. Even though a security rule has a specific tree and tree version for a parent value, the derived set of account values granted by that rule will equally apply to all other published tree and tree versions for where that same parent value is cited and as indicated in GL balances cube-based inquiries and reports.
This example highlights that the grant for segment value security rules based on hierarchies will apply the current effective tree version when deriving the list of accessible values. This contrasts with references to tree and tree versions in balances cube inquiries and reports, where a user controls exactly which tree and tree version they want to use for a rollup.
This table shows the hierarchies, hierarchy versions, parent value, and parent value descendants for this example.
Hierarchy | Hierarchy Version | Parent Value | Parents and Detail Value Descendants |
---|---|---|---|
Management | 2023 | 100 |
|
Management | 2024 | 100 |
|
Geographical | 2023 | 100 |
|
Let’s say a rule is defined with these attributes.
- Operator: Is descendant of
- From Value: 100
- Tree Code: Management
- Tree Version: 2023
Here’s how the application determines the secured values granted.
- The application derives the hierarchy (tree) version that’s in effect based on the current system date, which is January 1, 2024. In this example, that’s version 2024.
- The application then applies the rule condition to get the list of secured values. In this example, the secured values granted are 100, 200, 101, 201, 202, 300, 301, and 302 (parent value 100 and all its descendants in tree version 2024.)
- This list of values will be accessible across all versions of the Management
hierarchy and across all hierarchies associated with the value set for the segment.
This means the list of values will be accessible if choosing to report against any
version of the Management or Geographical hierarchies.Note: Value 203 in Management hierarchy version 2023 and values 400, 401, and 402 in Geographical hierarchy version 2023 won't be accessible.
For the purpose of data entry, this date-effective list of accessible descendant segment values is available to the user for that given point of time.
For the purpose of inquiry and reporting with the balances cube, the same list of accessible descendant segment values is available to the user for all published trees and tree versions for the secured value set of the chart of accounts segment or dimension. Based on the tree and tree version the user selects, the balances data for the accessible descendant segment values of the referenced parent account will be displayed accordingly. A user can also be granted access to a specific parent value. In that case, the summarized balance shown for that parent value will be consistent with the rollup for the selected tree and tree version for reporting purposes, regardless of whether the user has been granted access to all the descendants involved with that particular rollup.
The advantage of the application dynamically applying date effectivity to security rules is that the rule would be self-maintaining. This methodology works well when it comes to creating transactions or financial data, which in most cases is a real-time exercise.
For comparative reporting, such as with year-over-year financial reporting, previous tree versions might be used as the basis of the rollup to compute summarized balances. This might result in some discrepancy in the access to the descendant accounts for that parent based on the previous tree version’s rollup as referenced in the inquiry or report. A potential solution would be to use a different hierarchy in the security rule that encompasses all the account values the user will need to inquire or report on, across the different trees and tree versions.
Considerations When Using Parent Account References in Hierarchical Rules for Balances Cubes
Ensure users get the appropriate secured values grants to view the financial data that they need.
A good practice is to define hierarchical rules that sync to parent values according to the tree as referenced in balances cube inquiries and reports such as Account Monitor, Smart View, and Financial Reporting.
Access to the descendant accounts of a specific parent value should be in sync with the descendant accounts that roll up to the summary account balance of that parent value based on another tree. Otherwise, the parent value will show the appropriate summary balance for the other tree, but the detail breakdown shown on the report of its descendants’ balances might not sum up consistently because of lack of access to those descendant values.
This concern applies even when the tree referenced in inquiries and report definitions is the very same one used in the security rule with parent value references. This is because there can be a difference in the dynamic date-effective version rollup that's applied when determining the grants for the rule assignment. Moreover, it's even possible to use a different tree in inquiries and report definitions than the one used in the rule, which can result in even more pronounced disparities.