Payables-Specific Considerations for Segment Value Security

Optimizing segment value security by business function limits a user's access to certain accounts for each secured value set while creating, updating, and reviewing financial data.

The security context of the business function enforces the segment value security. “Payables” is the applicable business function for the Payables module. Payables users have the following access levels for the segment values of a secured chart of accounts based on the Payables business function:

  • Read/write: This access level allows a user to manage invoice lines or distributions and inquire and review the invoice distributions with account values to which the user has read/write access.
  • Read-Only: This access level allows a user to only view and inquire invoice distributions referencing those account values to which they have access. The user can’t create transactions using these account values.

Important:
  • This feature operates on the principle of first providing access to all the secured segment values to all users by default.
  • Security policies are defined, and the resulting rules are assigned to a user, only when that user's access should be limited to specific segment values.
    • The user rule assignments are defined for a combination of business function, data access context, and access level. For Payables, the business function to use is “Payables” and the data access context is “Business Unit.”
    • If there are no matching rule assignments for a user for a given usage scenario, the user gets access to all account values for the secured chart of accounts value set.

Setting Up

There are no extra Payables-related setups to undertake to enable Segment Value Security by Business Function for Payables. However, to enforce segment value security in the Payables module, the “Payables” business function must be enabled for enforcement.

Enforcing Segment Value Security by Business Function in Payables

In Payables, the business unit serves as the data security-striping mechanism that controls users' data access, and it's also the security context basis for segment value security.

Whenever a Payables user accesses any of the Payables pages, the account combination values the user can access are decided by the intersection of data security access for the Payables module and the security context of the segment value security for the Payables business function. For example, if a user wants to create a Payables invoice for the Vision America business unit, then they should have the following access rights:

  • Access to Vision America business unit in the Payables module
  • Access to at least one account value in Vision America Payables business function in segment value security

Segment value security by business function can be enforced in the Payables module differently based on the task pages you're working with.

Examples of Enforcing Segment Value Security While Creating or Processing Payables Invoices

Segment value security validation takes place on the Create Invoice and Process Invoice pages even if the user just types in the account values instead of selecting them from the accounting key flexfield dialog box.

Here are a few example scenarios of how Payables-specific segment value security is enforced.

Access to Account Segment Values

Users can enter an account combination on an invoice only if they have read/write access to each segment’s account for the said account combination. Consider that User 1 has the following access:

  • Read/write access to account values 5310 and 5320 in the Vision America business unit.
  • Read-only access to 7310 in the Vision America business unit.
  • Read/write access to account value 7320 in the Vision Canada business unit.

User 1 can create an invoice for the Vision America business unit with all account combinations that have account segment values of 5310 and 5320, but not account combinations with 7310 or any other account value. Similarly, User 1 can create an invoice for the Vision Canada business unit with all account combinations that have account segment values of 7320 only, and not with any other account value.

Segment value security by business function is also enforced when the user creates invoices through the ADFDI spreadsheet, and through the import process. It's also enforced while entering the account combination details during the workflow process.

Note: Segment value security by business function isn’t enforced when invoices are created from internal sources, such as the following:
  • Advance schedule billing notice
  • Evaluated Receipt Settlement (ERS)
  • Advanced Global Intercompany (AGIS)
  • Sales Compensation
  • Assets
  • Projects
  • One-Time Payments (OTP)
  • Property Manager
  • Patient refunds
  • Projects intercompany invoices
  • Projects interproject invoices
  • Student Management
  • Receivables
  • Expenses (includes cash advances and expense reports)
  • Return to supplier
  • Supplier Chain Financial Flow Orchestration
  • Fiscal Document Capture

Access to Accounts used in Distributions

Users can't cancel an invoice, invoice line, or invoice distribution if the entity has at least one distribution with an account combination to which they don’t have read/write access. This means that the user can cancel an invoice or its lower entity only if they have complete access to all the accounts used in its distributions.

Consider that User 2 has read/write access to account values 5310 and 5320 but read-only access to 7310. There are two invoices with the following account details.

  • Invoice 1: Has two distributions, one with an account combination of 5310 and the other with 5320.
  • Invoice 2: Has two distributions, one with an account combination of 5310 and the other with 7310.

The user can cancel Invoice 1 because they have read/write access to both account segment values 5310 and 5320. However, the user can't cancel Invoice 2 because they don't have read/write access to 7310.

Access to Account Combinations

When a user tries to validate an invoice with an account combination for which they don’t have read/write access, the invoice is placed on hold, and distributions must be generated for the account combination. This means that the user can’t trigger automatic distribution generation if they don’t have read/write access to the account combination.

Consider that User 3 has read/write access to account values 5310 and 5320 and read-only access to 7310. There are two invoices with the following account details.

  • Invoice 1 has two invoice lines, one with an account combination of 5310 and the other with 5320.
  • Invoice 2 has two invoice lines, one with an account combination of 5310 and the other with 7310.

The user can validate Invoice 1 because they have read/write access to both account segment values 5310 and 5320. However, they can't validate Invoice 2 because they have read/write access to only 5310 but not 7310.

Access to Accounts used in Prepayment Distributions

A user can’t apply or unapply prepayments if the prepayment invoice distributions include an account value to which they don’t have read/write access.

Consider that User 4 has read/write access to account values 6110 and 6120 and read-only access to 8110. There are two prepayment invoices with the following account details.

  • Invoice 1 has two prepayment distributions, one with an account combination of 6110 and the other with 6120.
  • Invoice 2 has two prepayment distributions, one with an account combination of 6110 and the other with 8110.

The user can apply prepayment to Invoice 1 because they have read/write access to both account segment values 6110 and 6120. However, they can't apply or unapply the prepayment to Invoice 2 because they don't have read/write access to 8110.

Examples of Enforcing Segment Value Security While Viewing Payables Invoice Lines

Segment value security isn’t enforced when viewing invoice lines. Any user can view the invoice lines irrespective of their segment value security access.

However, segment value security is still enforced in the following scenarios.

Read Access to Invoice Distributions

When users navigate to the Distributions page of an invoice, they can see only the invoice distributions referencing the account values to which they have either read/write or read-only access. Other distributions aren't displayed. However, if the users don’t have any Payables-specific segment value security rule assignments, they can see all the distribution lines.

Consider that the user has read/write access to account value 5310, read-only access to 7310, and no access to 8310. The user navigates to the Distributions page for the following invoices.

  • Invoice 1 has three invoice distributions: one with an account combination of 5310, the second with an account value of 7310, and the third with 8310. When the user navigates to the Distributions page, they can see only the distribution lines with account values of 5310 and 7310. The user can’t see the distribution line with the account value of 8310 because they don’t have read access to this value.
  • Invoice 2 has three invoice distributions: one with an account combination of 5310, and the second and third with account combinations that have the account value of 7310. When the user navigates to the Distributions page, they can see all three distributions because the user has read access to both 5310 and 7310.

Read Access to Accounting Combinations

When a user reviews the Transaction Accounting page, they can see only the accounting lines that have an account combination to which they have either read/write or read-only access. Other accounting lines aren't displayed. If the user doesn’t have any specific rule assignments, then they can see all the distributions.

Consider that the user has read/write access to account value 5310, read-only access to 7310, and no access to 8310. The user navigates to the View Accounting page for the following invoices.

  • Invoice 1 has three invoice distributions: one with an account combination of 5310, the second with an account value of 7310, and the third with 8310. When the user navigates to the View Accounting page, they can see only the accounting lines with the account values of 5310 and 7310. However, the user can't see the accounting line with the account value of 8310 because they don’t have read access to this value.
  • Invoice 2 has three invoice distributions: one with an account combination of 5310, and the second and third each with an account combination that has the account value of 7310. When the user navigates to the View Accounting page, they can see all accounting lines because the user has read access to both 5310 and 7310.

Read Access to Account Values

When a user drills down to invoice distributions, say from Payments or from GL journal entries, they can see only the invoice distributions referencing account values to which they have either read/write or read-only access. Other distributions aren't displayed. If the user doesn’t have any Payables-specific segment value security rule assignments, then they can see all the distributions.
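
The write-side and read-side rules above, together with the default described under "Important", can be checked against a small Python model. This is an added illustration, not Oracle code or an Oracle API: the data structures, function names, and the users user5 and user6 are assumptions, rule assignments are simplified to one map per user and business unit, and each account combination is reduced to its secured account value.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2

RO, RW = Access.READ_ONLY, Access.READ_WRITE

# Constructed data: business units each user can access in the Payables module.
BU_ACCESS = {
    "user1": {"Vision America", "Vision Canada"},
    "user5": {"Vision America"},
    "user6": {"Vision America"},   # has no rule assignments below
}

# Constructed rule assignments for the "Payables" business function,
# keyed by (user, business unit) -> {account value: access level}.
RULES = {
    ("user1", "Vision America"): {"5310": RW, "5320": RW, "7310": RO},
    ("user1", "Vision Canada"): {"7320": RW},
    ("user5", "Vision America"): {"5310": RW, "7310": RO},
}

def access_level(user, bu, value):
    """Effective access to one account value in a business unit context."""
    if bu not in BU_ACCESS.get(user, set()):
        return Access.NONE          # no data access to the business unit
    rules = RULES.get((user, bu))
    if rules is None:
        return RW                   # no matching assignment: all values allowed
    return rules.get(value, Access.NONE)

def can_transact(user, bu, values):
    """Enter, cancel, validate, apply prepayment: read/write on every value."""
    return all(access_level(user, bu, v) == RW for v in values)

def visible(user, bu, values):
    """Distributions page: only values with read-only or read/write access."""
    return [v for v in values if access_level(user, bu, v) >= RO]

def unrestricted_contexts():
    """Audit: (user, business unit) pairs that fall back to full access."""
    return sorted((u, bu) for u, bus in BU_ACCESS.items()
                  for bu in bus if (u, bu) not in RULES)
```

`unrestricted_contexts()` is the review an administrator would run after enabling enforcement: every pair it returns has business unit access but no rule assignment, so that user keeps access to all secured account values in that context.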