2 Oracle Cloud Security

Overview of Implementing Financials Security

Oracle Financials Cloud provides common job roles such as Accounts Payable Manager and General Accounting Manager. You can use these roles, modify them, or create job roles as needed. Since you can assign multiple roles to a user, don't define a role that includes all the accesses needed for every user.

To review the predefined job roles in Oracle Financials Cloud, see the Oracle Financials Cloud Security Reference guides in the Oracle Help Center (http://docs.oracle.com).

To find more information on securing your applications, see the Oracle ERP Cloud Securing ERP guide in the Oracle Help Center (http://docs.oracle.com).

Overview of General Ledger Security

General ledger functions and data are secured through job roles, data access sets, and segment value security rules.

Functional Security

Functional security, which is what you can do, is managed using job roles. The following job roles are predefined for Oracle Fusion General Ledger:

  • General Accounting Manager

  • General Accountant

  • Financial Analyst

Each job role includes direct privilege grants, as well as duty role assignments, to provide access to application functions that correspond to their responsibilities. For example, the General Accounting Manager role grants comprehensive access to all General Ledger functions to the general accounting manager, controller, and chief financial officer in your organization.

Data Security

Data security, which controls what action can be taken against which data, is managed using:

  • Data access sets

  • Segment value security rules

Data access sets can be defined to grant access to a ledger, ledger set, or specific primary balancing segment values associated with a ledger. You decide whether each data access set provides read-only access or read and write access to the ledger, ledger set, or specific primary balancing segment values, which typically represent your legal entities that belong to that ledger. Primary balancing segment values without a specific legal entity association can also be directly assigned to the ledger.

Segment value security rules control access to data that's tagged with the value set values associated with any segment in your chart of accounts.

Security Assignment

Use the Security Console to assign users roles (job roles, as well as roles created for segment value security rules or others). Use the Manage Data Access Set Data Access for Users task to assign users data access sets as the security context paired with their General Ledger job role assignments.

For more information about security assignments and managing data access for users, see the Oracle ERP Cloud Securing ERP guide.

Payables Security

In Oracle Fusion Payables you secure access to invoices and payments by business unit. You can access invoices and payments for viewing or processing only in the business units to which you have permission. The permission must be explicitly granted to each user.

You assign users to the appropriate security context, such as a business unit, for job roles using the Manage Data Access for Users page.

Payables is integrated with the document repository for processing scanned invoices. Edit access to the document repository is granted to the following predefined roles:

  • Accounts Payable Manager

  • Accounts Payable Specialist

  • Accounts Payable Supervisor

  • Accounts Payable Invoice Supervisor

The following predefined roles have view-only access to the document repository:

  • Financial Application Administrator

  • Cost Accountant

  • Project Accountant

Other Financials Security Considerations

Common functionality that isn't job specific, such as creating expense reports and purchase requisitions, is granted to abstract roles like Employee, Line Manager, and Purchase Requester.

Oracle Financials Cloud includes the following roles that are designed for initial implementation and the ongoing management of setup and reference data:

  • Application Implementation Manager: Used to manage implementation projects and assign implementation tasks.

  • Application Implementation Consultant: Used to access all setup tasks.

Note: For the ongoing management of setup and reference data, the predefined Financial Application Administrator role provides access to all financial setup tasks.

Segregation of Duties Considerations

Segregation of duties (SOD) separates activities such as approving, recording, processing, and reconciling results so you can more easily prevent or detect unintentional errors and willful fraud.

Oracle Financials Cloud includes roles that have been defined with a knowledge of a set of SOD policies that are included in the Oracle Cloud Access Controls Governor product. The job roles are based on those commonly defined in business and the duty definitions are defined using the Oracle Cloud SOD policies.

For example, the privilege Create Payments is incompatible with the privilege Approve Invoice. The predefined Accounts Payable Manager role has the privileges Force Approve Invoices and Create Payments. When you weigh the cost of duty segregation against the reduction of risk, you may decide that the Accounts Payable Manager role shouldn't be allowed to force approve invoices, and remove that privilege from the role.

To learn more about the policies and roles, see the Oracle Financials Cloud Security Reference guides in the Oracle Help Center (http://docs.oracle.com).

Data Security Considerations

  • Use segment value security rules to restrict access to transactions, journal entries, and balances based on certain values in the chart of accounts, such as specific companies and cost center values, to individual roles.

  • Use data access set security for Oracle Fusion General Ledger users to control read or write access to entire ledgers or portions of the ledger represented as primary balancing segment values, such as specific legal entities or companies.

For more information on securing your applications, see the Oracle ERP Cloud Securing ERP guide in the Oracle Help Center (http://docs.oracle.com).

Data Security

Data Access Sets secure access to ledgers, ledger sets, and portions of ledgers using primary balancing segment values. If you have primary balancing segment values assigned to a legal entity, then you can use this feature to secure access to specific legal entities.

You can combine ledger and ledger set assignments in single data access sets if the ledgers share a common chart of accounts and calendar. If you have primary balancing segment values assigned to a legal entity within the ledger, then you can use data access sets to secure access to specific legal entities. You can also secure access to primary balancing segments assigned directly to the ledger.

When a ledger or ledger set is created, a data access set for that ledger or ledger set is automatically created, giving full read and write access to those ledgers. You can also manually create data access sets to give read and write access, or read-only access to entire ledgers or portions of the ledger represented as primary balancing segment values.

The following figure shows that a data access set consists of an access set type and an access level. The access set type can be set to full ledger or primary balancing segment value. The access level can be read only or read and write.

This figure shows the components of a data access set: an access set type and an access level.

The Full Ledger access set type provides access to the entire ledger or ledger set. This could be for read-only access or both read and write access to the entire ledger.

The Primary Balancing Segment Value access set type provides access to one or more primary balancing segment values for that ledger. This access set type security can be specified by parent or detail primary balancing segment values. The parent value must be selected from the tree that's associated with the primary balancing segment of your chart of accounts. The specified parent value and all its descendants, including middle level parents and detail values, are secured. You can specify read only, read and write access, or a combination of both, for different primary balancing segment values for different ledgers and ledger sets.

For more information about security assignments and managing data access for users, see the Oracle ERP Cloud Securing ERP guide.

Examples of Data Access Set Security

This example shows a data access set that secures access by using primary balancing segment values that correspond to legal entities.

Scenario

The following figure shows a data access set for the US Financial Services Ledger. The access set type is Primary Balancing Segment Value, with each primary balancing segment value representing different legal entities. Read-only access has been assigned to primary balancing segment value 131, which represents the Insurance legal entity. Read and write access has been assigned to primary balancing segment values 101 and 102, which represent the Banks and Capital legal entities.

For this data access set, the user can:

  • View the journals, balances, and reports for primary balancing segment value 131 for the Insurance legal entity.

  • Create journals and update balances, as well as view journals, balances and reports for primary balancing segment value 101 and 102 for legal entities Banks and Capital.

This figure shows an example of a data access set with two levels of access.

Note: In financial reporting, the list of ledgers isn't secured by data access sets when viewing a report in Preview mode. Users can view the names of ledgers they don't have privileges to view. However, the data from a secured ledger doesn't appear on the report.

For more information about security assignments and managing data access for users, see the Oracle ERP Cloud Securing ERP guide.

Set up segment value security rules on value sets to control access to parent or detail segment values for chart of accounts segments, also called flexfield segments. Segment value security rules restrict data entry, online inquiry, and reporting.

Secured Value Sets

When you enable security on a value set, access to all values for that value set is denied. To control access to value set values, you enable security on the value set, create conditions, and then assign the conditions to roles. The roles should be created solely for the purpose of segment value security. The roles are then assigned to users.

If a value set is secured, every usage of that value set in a chart of accounts structure instance is secured. For example, the same security applies if that value set is:

  • Used for two or more segments in the same chart of accounts, such as the primary balancing and intercompany segments

  • Shared across different segments of different charts of accounts

Secured Segment Values

Segment value security applies mainly when data is created or updated, and when account combinations are queried. When you have access to secured account values, you can view and use those secured values across all modules of the applications where there are references to accounting flexfields including:

  • Transaction entry pages

  • Balances and transactions inquiry pages

  • Setup pages

  • Reports

On setup pages, you can still view referenced account combinations with secured account values, even if you haven't been granted access to those secured values. However, if you try to update such references, you can't use those secured values. On reports, you can view balances for secured account values only if you have access to those secured values.

Note: You can enforce segment value security for inquiries and reporting based on any hierarchy, even hierarchies that aren't published to the reporting cube.

Segment Value Security Implementation

You implement segment value security using the Security Console and these pages: Manage Value Sets, Manage Chart of Accounts Structures, Publish Account Hierarchies.

The following figure shows the steps for defining and implementing security rules for segment values.

This figure shows the steps to define and implement segment value security.

To define segment value security roles:

  1. Create segment value security roles.

  2. Enable security on the value set.

    Note: You can enable security only on value sets with a type of Independent.

  3. Create conditions for the rule.

  4. Create policies to associate the conditions with the role.

  5. Deploy the accounting flexfield.

  6. Publish the account hierarchies.

  7. Assign the role to users.

Whenever you assign segment value security roles to a user, the rules from the user's assigned roles can be applied together. All of the segment value security roles assigned to a user pertaining to a given value set are simultaneously applied when the user works with that value set. For example, one rule provides access to cost center 110 and another rule provides access to all cost centers. A user with both of these segment value security rules has access to all cost centers when working in a context where that value set matters.

Segment Value Security Conditions

When you create a condition, you specify an operator. The following table describes the operators that you can use.

Operator Usage

Equal to

  • Provides access to a specific detail or child value.

  • Don't use to provide access to a parent value.

Not equal to

  • Provides access to all detail and child values, except the one that you specify.

  • Don't use to provide access to a parent value.

Between

  • Provides access to detail and parent values within the specified range. For parent values, this access applies only to the parent value itself, and doesn't automatically include that parent's descendants unless those account values are also part of the specified range.

Is descendant of

  • Provides access to the parent value itself and all of its descendants including middle level parents and detail values.

Is last descendant of

  • Provides access to the last descendants, for example the detail values, of a parent value.

Tip: For the operators Is descendant of and Is last descendant of:

  • Specify an account hierarchy (tree) and a tree version to use these operators.

  • Understand that the security rule applies across all the tree versions of the specified hierarchy, as well as all hierarchies associated with the same value set of the specified hierarchy.
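
The following Python is an added illustration, not Oracle code or an Oracle API. It models the operator semantics from the table above, the Match All/Any setting of a condition (described later under Defining the Conditions), and the rule that all of a user's segment value security roles for one value set are applied together as a union. The cost-center tree, the value set values, and the role-to-condition mapping are constructed for the example; the 400 role uses Is descendant of so that, per the table, the parent and its middle-level parents are included.

```python
"""Toy model of General Ledger segment value security (an added example, not
Oracle code). The hierarchy, value set, roles and policies are constructed
to mirror the cost-center scenario used in this chapter."""
from dataclasses import dataclass

# Constructed tree version for the cost-center value set: parent -> children.
# 400 is a top-level parent, 410 and 420 are middle-level parents, the rest
# are detail (leaf) values. Codes are all three characters wide, so plain
# string comparison gives the right ordering for Between.
TREE = {
    "400": ["410", "420"],
    "410": ["411", "412"],
    "420": ["421"],
}
PARENT_VALUES = set(TREE)
DETAIL_VALUES = {"110", "115", "120", "130", "310", "411", "412", "421"}
ALL_VALUES = DETAIL_VALUES | PARENT_VALUES


def descendants(node):
    """All values below node, including middle-level parents."""
    found = []
    for child in TREE.get(node, []):
        found.append(child)
        found.extend(descendants(child))
    return found


def evaluate_row(operator, args):
    """Values selected by one condition row, following the operator table."""
    if operator == "Equal to":
        # Grants only the value named; a parent's descendants are NOT
        # included, which is why the table says not to use it for parents.
        return {args[0]}
    if operator == "Not equal to":
        # All detail values except the one named (parents are not granted).
        return DETAIL_VALUES - {args[0]}
    if operator == "Between":
        # Every value whose code is in the range, parents included, but a
        # parent's descendants are granted only if their own codes are in range.
        low, high = args
        return {v for v in ALL_VALUES if low <= v <= high}
    if operator == "Is descendant of":
        # The parent itself plus everything beneath it.
        return {args[0]} | set(descendants(args[0]))
    if operator == "Is last descendant of":
        # Only the leaf (detail) values beneath the parent.
        return {v for v in descendants(args[0]) if v not in PARENT_VALUES}
    raise ValueError(f"unknown operator: {operator}")


@dataclass
class Condition:
    name: str
    rows: list             # (operator, args) tuples, one per condition row
    match: str = "All"     # "All": every row must hold; "Any": any row may hold

    def values(self):
        sets = [evaluate_row(op, args) for op, args in self.rows]
        if self.match == "All":
            return set.intersection(*sets)   # rows are ANDed
        return set.union(*sets)              # rows are ORed


# Policies for the four constructed SVS roles. None stands for a policy whose
# Row Set is All Values, which needs no condition.
POLICIES = {
    "CC_110_120_SVS_ROLE": Condition("CC 110 - 120", [("Between", ("110", "120"))]),
    "CC_310_SVS_ROLE": Condition("CC 310", [("Equal to", ("310",))]),
    "CC_400_SVS_ROLE": Condition("CC 400", [("Is descendant of", ("400",))]),
    "CC_ALL_SVS_ROLE": None,
}


def accessible_values(user_roles):
    """Union of the grants of every SVS role the user holds for this value
    set: all of a user's roles for one value set are applied together."""
    granted = set()
    for role in user_roles:
        cond = POLICIES[role]
        granted |= ALL_VALUES if cond is None else cond.values()
    return granted


def can_use(user_roles, value):
    """True if the user may enter or query account combinations with value."""
    return value in accessible_values(user_roles)


if __name__ == "__main__":
    print(sorted(accessible_values(["CC_110_120_SVS_ROLE", "CC_310_SVS_ROLE"])))
    # Two VALUE rows with Match All select nothing: one code can't equal both.
    print(Condition("bad", [("Equal to", ("110",)), ("Equal to", ("310",))]).values())
```

Running the script shows the union of two roles and the empty result of two value-based rows combined with Match All, the case the conditions procedure warns about.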

You can set up segment value security rules on value sets to control access to parent or detail segment values for chart of accounts segments. Segment value security rules restrict data entry, online inquiry, and reporting.

The following example describes why and how you might want to use segment value security.

Securing Values for the Cost Center and Account Segments

For this scenario, only certain users should have access to the Accounting cost center and the US Revenue account. To create a complete data security policy that restricts segment value access to those users:

  1. Plan for the number of roles that represent the unique segment value security profiles for your users. For this scenario, you can create two roles, one for the cost center segment and one for the account segment.

  2. Use the Security Console to create the roles. Append the text SVS-role to the role names so it's clear the roles are solely for segment value security. For this scenario, you create roles Accounting Cost Center-SVS Role and US Revenue Account-SVS Role.

  3. Use the Manage Segment Value Security Rules task to enable security on the cost center and account value sets associated with the chart of accounts.

  4. Create a condition for each value set. For example, the condition for the Accounting cost center is that the cost center is equal to Accounting.

  5. Create a policy to associate the conditions to the roles. For example, create a policy to assign the condition for the Accounting cost center to the role Accounting Cost Center-SVS Role.

  6. Use the Security Console to assign the appropriate role to the appropriate user. For example, assign the role Accounting Cost Center-SVS Role to the users who should have access to the Accounting cost center.

This example demonstrates how to enable security on a chart of accounts to control access to specific segment values.

The following table summarizes the key decisions for this scenario.

Decisions to Consider In This Example

Which segment in the chart of accounts must be restricted?

Cost center

Which cost center values have to be granted to different users?

  • Child values 110 to 120

  • Child value 310

  • Parent value 400 and all its children

  • All cost centers

What's the name of the value set for the segment with the Cost Center label?

Cost Center Main

What's the name of the user who can access cost centers 110 to 120?

Casey Brown

What's the name of the tree for the accounting flexfield?

All Corporate Cost Centers

What version of the tree hierarchy does the condition apply to?

V5

Summary of the Tasks and Prerequisites

This example includes details of the following tasks you perform when defining and implementing segment value security.

  1. Define roles for segment value security rules.

  2. Enable segment value security for the value set.

  3. Define the conditions.

  4. Define the policies.

  5. Deploy the accounting flexfield.

  6. Publish the account hierarchies.

  7. Assign segment value security roles to users.

Perform the following prerequisites before enabling security on a chart of accounts:

  • To work with the Security Console, you need the IT Security Manager role assigned to your user setup.

  • To work with value sets and profile options, you need the Financial Application Administrator role.

  • Set the Enable Data Security Policies and User Membership Edit profile to Yes.

Defining Roles for Segment Value Security Rules

To create a complete data security policy, create the roles first so that they're available for assignment to the segment value security rules.

  1. In the Tools work area, open the Security Console.

  2. Perform the following steps four times to create four roles.

  3. Click Create Role.

  4. On the Create Role page, complete the fields as shown in this table, and then click Next, Next, Next, Next, Next, Save and Close.

  5. Click OK and complete the fields, as shown in this table.

    Role 1
      • Role Name: Cost Center 110-120 SVS Role
      • Role Code: CC_110_120_SVS_ROLE
      • Role Category: Default
      • Description: Access to cost centers 110 to 120.

    Role 2
      • Role Name: Cost Center 310 SVS Role
      • Role Code: CC_310_SVS_ROLE
      • Role Category: Default
      • Description: Access to cost center 310.

    Role 3
      • Role Name: Cost Center 400 SVS Role
      • Role Code: CC_400_SVS_ROLE
      • Role Category: Default
      • Description: Access to parent cost center 400 and all its children.

    Role 4
      • Role Name: Cost Center All SVS Role
      • Role Code: CC_ALL_SVS_ROLE
      • Role Category: Default
      • Description: Access to all cost centers.

    The following figure shows the Create Role page for the first role, which is Cost Center 110-120 SVS Role. The role code, role category, and description fields are complete.

    This figure shows the Create Role page.

Enabling Segment Value Security for the Value Set

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Financials

    • Functional Area: Financial Reporting Structures

    • Task: Manage Segment Value Security Rules

  2. In the Value Set Code field, enter Cost Center Main and click Search.

  3. In the Search Results section, click Edit to open the Edit Value Set page.

  4. Select the Security enabled option.

  5. In the Data Security Resource Name field, enter Secure_Main_Cost_Center_Values.

  6. Click Save.

    The following figure shows the Edit Value Set page for the Cost Center Main value set. Security is enabled and a data security resource name has been entered.

    This figure shows the Edit Value Set page.

Defining the Conditions

Use conditions to specify the segment values that require security.

Segment value security rules that provide access to all segment values, and segment value security rules that provide access to single nonparent segment values, don't need a condition. Instead, you can define the policy to cover all values, and you can define a policy to cover a single nonparent segment value provided that you know the internal ID for that segment value. If you don't know the internal ID, you can create a condition for that single segment value.

In this scenario, the internal ID for segment value 310 isn't known, so the following steps create all of the conditions, except for the access to all cost centers, which the policy definition can cover.

  1. Click Edit Data Security to open the Edit Data Security page.

  2. On the Condition tab, click Create to open the Create Database Resource Condition window.

  3. Enter CC 110 - 120 in the Name field.

  4. Enter Cost Centers 110 to 120 in the Display Name field.

  5. Accept the default value of All for the Match field.

    Matching to All means that all of the condition rows apply simultaneously and all of them must be met in identifying the values.

    Matching to Any means that any of the condition rows could apply. For example, if you create multiple condition rows, each of which on its own is an alternative scenario for identifying the values that apply, you would select Match to Any.

    Because this example only has one condition row, the Match selection doesn't matter. If, however, you define multiple condition rows for segment value security, you would have to select Match to Any, because a single account value can't satisfy multiple account value-based conditions.

  6. Click Add in the Conditions section.

  7. Select VALUE for the Column Name field.

  8. Select Between for the Operator field.

    Note: You can select one of the following operators: Equal to, Not equal to, Between, Is descendant of, Is last descendant of.

  9. Enter 110 in the first Value field and 120 in the second Value field.

    The following figure shows the Create Database Resource Condition page for the condition named CC 110 - 120. The display name is Cost Centers 110 to 120, and one condition is defined. The condition has a column name of VALUE, an operator of Between, and the specified values are 110 and 120.

    This figure shows the Create Database Resource Condition page.

  10. Click Save.

  11. To create the next database resource condition for segment value 310, click Create on the Condition tab.

  12. Enter CC 310 in the Name field.

  13. Enter Cost Center 310 in the Display Name field.

  14. Click Add in the Conditions section.

  15. Select VALUE for the Column Name field.

  16. Select Equal to for the Operator field.

  17. In the Value field, enter 310.

    The following figure shows the definition of the second condition: the Create Database Resource Condition page for the condition named CC 310. The display name is Cost Center 310, and one condition is defined. The condition has a column name of VALUE, an operator of Equal to, and the specified value is 310.

    This figure shows the Create Database Resource Condition page.

  18. Click Save.

  19. To create the next database resource condition for parent value 400, click Create on the Condition tab.

  20. Enter CC 400 in the Name field.

  21. Enter Parent Cost Center 400 in the Display Name field.

  22. In the Condition section, click Add.

  23. Select VALUE for the Column Name field.

  24. Select the Tree Operators option.

  25. For the Operator field, select Is a last descendant of, which restricts access to the parent cost center 400 and all of its children, including intermediary parents.

    Note: For the Tree Operators field, you can only select Is a last descendant of or Is a descendant of.

  26. In the Value column, click the Select Tree Node icon to open the Select Tree Node window.

    The following figure shows the Select Tree Node window. Values are required for the Tree Structure, Tree, and Active Tree Version fields. The window also includes these Tree Node options: Specify primary keys, Select from hierarchy.

    This figure shows the Select Tree Node window.

  27. In the Tree Structure field, select Accounting Flexfield Hierarchy. This signifies that you are choosing among trees that are used as accounting flexfield, or charts of accounts, hierarchies.

  28. In the Tree field, select All Corporate Cost Centers.

  29. In the Active Tree Version field, select V5.

  30. In the Tree Node field, select the Select from hierarchy button. The Tree Node section opens.

  31. In the Tree Node section, expand the nodes and select 400.

    The following figure shows the Select Tree Node window after completing the fields in steps 27 through 31.

    This figure shows the Select Tree Node window.

  32. Click OK.

    The following figure shows the resulting Create Database Resource Condition page for the condition named CC 400. The display name is Parent Cost Center 400 and one condition is defined. The condition has a column name of VALUE, an enabled Tree Operators option, an operator called Is a last descendant of, and a value of 400.

    This figure shows the Create Database Resource Condition page.

  33. Click Save.

Defining the Policies

Create policies to assign conditions to segment value security roles.

  1. On the Edit Data Security page, click the Policy tab.

  2. Click Create to open the Create Policy window.

  3. On the General Information tab, enter Policy for 110-120 in the Name field.

  4. Accept the default value of General Ledger in the Module field.

  5. Enter 9/1/16 in the Start Date field.

    The following figure shows the General Information tab on the Create Policy page for the policy named Policy for 110-120. The start date for the policy is 9/1/16.

    This figure shows the General Information tab on the Create Policy page.

  6. Select the Role tab and click Add to open the Select and Add window.

  7. Enter 110 in the Role Name field.

  8. Select hcm in the Application field.

    Roles with the Default category are created in the hcm application.

  9. Click Search.

    The following figure shows the Select and Add Roles window with the search results. The role retrieved by the search results is named Cost Center 110-120 SVS Role.

    This figure shows the Select and Add Roles window.

  10. Select Cost Center 110-120 SVS Role and click OK.

    The following figure shows the Role tab on the Create Policy page with the role that was populated by the search results.

    This figure shows the Role tab on the Create Policy page.

  11. Select the Rule tab.

  12. Accept the default setting of Multiple Values in the Row Set field.

    Note: The Row Set field determines the range of value set values affected by the policy.

    • If Multiple Values is selected, a condition must be specified.

    • If All Values is selected, then the policy grants access to all values in the value set and no condition is needed.

    • If Single Value is selected, then the internal Value ID for the segment value must be specified and no condition is needed.

  13. Click Search on the Condition field.

  14. Select Cost Centers 110 to 120 for the Condition field and click OK.

    The following figure shows the Rule tab on the Create Policy page. The selected row set is Multiple Values and the condition is Cost Centers 110 to 120.

    This figure shows the Rule tab on the Create Policy page.

  15. Click Save and Close.

  16. Click OK to confirm.

  17. Repeat steps 2 through 13 to create the rest of the policies, using the values in the following table.

    Policy 2
      • General Information tab, Name: Policy for 310
      • General Information tab, Start Date: 9/1/16
      • Role tab, Role Name: Cost Center 310 SVS Role
      • Rule tab, Row Set: Multiple Values
      • Rule tab, Condition: Cost Center 310

    Policy 3
      • General Information tab, Name: Policy for 400
      • General Information tab, Start Date: 9/1/16
      • Role tab, Role Name: Cost Center 400 SVS Role
      • Rule tab, Row Set: Multiple Values
      • Rule tab, Condition: Parent Cost Center 400

    Policy 4
      • General Information tab, Name: Policy for all cost centers
      • General Information tab, Start Date: 9/1/16
      • Role tab, Role Name: Cost Center All SVS Role
      • Rule tab, Row Set: All Values
      • Rule tab, Condition: Not Applicable

  18. Click Done.

Deploying the Accounting Flexfield

You must deploy the accounting flexfield for the segment value security changes to take effect.

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Financials

    • Functional Area: Financial Reporting Structures

    • Task: Manage Chart of Accounts Structures

  2. In the Module field, select General Ledger and click Search.

  3. Select the row for the Accounting Flexfield and click Deploy Flexfield.

    The following figure shows the Manage Chart of Accounts Structure page after searching for General Ledger modules. The search results display a row with a key flexfield named Accounting Flexfield.

    This figure shows the Manage Chart of Accounts Structures page.

  4. Click OK.

Publishing the Account Hierarchies

  1. In the Setup and Maintenance work area, go to the following:

    • Offering: Financials

    • Functional Area: Financial Reporting Structures

    • Task: Publish Account Hierarchies

  2. In the Hierarchy field, select All Corporate Cost Centers.

  3. In the Hierarchy Version field, select V5.

  4. Click Search.

  5. In the Search Results section, expand the hierarchy row.

  6. Select the row for the hierarchy version V5.

  7. Click Publish.

  8. Click OK.

Assigning Segment Value Security Roles to Users

  1. In the Tools work area, open the Security Console.

  2. Enter Cost Center 110-120 SVS Role in the Search field and click Search.

  3. In the Search Results section, select the down arrow icon and select Edit Role.

    The following figure shows the Roles page and the available menu options, including Edit Role, for the role named Cost Center 110-120 SVS Role.

    This figure shows the Roles page and the Edit Role menu option for the selected role.

  4. Click Next four times to navigate to the Edit Role: Users page.

  5. Click Add User.

  6. Enter Casey in the Search field and click Search.

  7. Click Add User to Role to add Casey Brown to the role.

  8. Click OK to confirm.

    The following figure shows the Edit Role page for the Cost Center 110-120 SVS Role with the user Casey Brown selected.

    This figure shows the Users section on the Edit Role page.

  9. Repeat steps 2 through 8 to add the other roles to different users as needed.