Key Steps for Configuring Chart of Accounts Segment Value Security
Here are the main steps for setting up chart of accounts segment value security.
- Select business functions that enforce segment value security.
- Enable security for a value set.
- Deploy the accounting flexfield and publish account hierarchies.
- Prepare the Manage Segment Value Security Rules spreadsheet.
Before you start, you’ll need a role that’s based on either the Application Implementation Consultant (ORA_ASM_APPLICATION_IMPLEMENTATION_CONSULTANT_JOB) or the Financial Application Administrator (ORA_FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB) job role, and on the IT Security Administrator (ORA_FND_IT_SECURITY_MANAGER_JOB) job role. Together, these roles give you access to the range of functions required to set up all the elements involved in configuring segment value security by business function for users in the application.
The Manage Advanced Chart of Accounts Segment Value Security (FUN_MANAGE_ADVANCED_CHART_OF_ACCOUNTS_SEGMENT_VALUE_SECURITY_PRIV) privilege controls access to the Manage Segment Value Security Rules spreadsheet. You'll need a custom role that's assigned this privilege.
Select Business Functions That Enforce Segment Value Security
The business functions that you select affect all secured value sets in all charts of accounts that the value sets are used in.
- In the Setup and Maintenance work area, go to the Manage Chart of Accounts Configurations task:
- Offering: Financials
- Functional Area: Financial Reporting Structures
- Task: Manage Chart of Accounts Configurations
- Click Manage Segment Value Security by Business Function.
Note: If the button doesn’t appear, your instance doesn’t qualify for segment value security by business function. Only instances with no secured value sets at the time they're evaluated will be qualified to use this model of chart of accounts segment value security. For an instance where there's at least one existing value set enabled for security, including one that's assigned to your chart of accounts segment or other application key flexfields, it will continue to behave in the same manner as it had all along in previous releases, enforcing segment value security without the business function distinction. Any future value set enabled for security in such an instance will also apply enforcement in this same manner. For more information, see the Segment Value Security without Business Function Implementation Guide (Doc ID 3054824.1) on My Oracle Support.
Caution: The evaluation and designation for a Cloud Applications environment of the enforcement method of segment value security by business function or without business function is applied distinctly on each instance, based on their distinct instance name plus instance type. Two instances with the same letter name but of different types (that is, instance WXYZ Prod versus instance WXYZ Test) are considered individually, and the segment value security enforcement method will be set for each instance based on the presence or absence of value sets enabled for security, independent of the other like-named instance.
- On the Manage Segment Value Security by Business Function dialog box, review this text, which appears after the title.
You're enabling segment value security for your chart of accounts for the very first time. Select the business functions where segment value security must be enforced. Your selections will apply to all charts of accounts whose segments are enabled for security. Click Cancel to make your selection later.
- Select the business functions where security must be enforced.
Note: A business function can be disabled from security enforcement afterward.
You can select from among the following business functions:
- General Ledger
- Payables
- Receivables
- Intercompany
- Assets
Selecting one or more of these business functions automatically enables security enforcement for Oracle Subledger Accounting because it’s an integration module between Oracle General Ledger and the other listed subledger business functions.
Note: You don’t have to make all your business function selections at once. You can select additional business functions later by clicking Manage Segment Value Security by Business Function.
Enable Security for a Value Set
After selecting the business functions, the next step is to enable security for a chart of accounts value set for the Accounting Flexfield (GL#) key flexfield.
- In the Setup and Maintenance work area, go to the Manage Chart of Accounts Configurations task:
- Offering: Financials
- Functional Area: Financial Reporting Structures
- Task: Manage Chart of Accounts Configurations
Caution: You must use this task and the Manage Chart of Accounts Configurations page to enable security for a value set. Don’t use the Manage Value Set, Edit Value Set, or Edit Value Set Data Security pages because the required initialization for the value set won’t be successful and the security configuration for the value set won’t be correct.
- Click the name of the chart of accounts that you want to secure.
- In the Segments section, select the segment row with the value set that you want to secure.
Value set security applies at the value set level, not to individual segments of a chart of accounts that reference that value set. If a value set is used in multiple charts of accounts, then all chart of accounts segments that are assigned that value set will be enabled for security.
Chart of accounts security is enabled for one value set at a time, and its security rules and rule assignments are framed individually for each distinct secured value set for which they’re defined.
For a chart of accounts that has multiple segments with secured value sets, each value set's security configurations are considered individually and they’re not cross-secured with one another. To determine whether an account combination that a user is working with passes the access check for each of the account combination's segment values, the grants for the individual secured segments are each evaluated independently and then applied additively across each of the secured segments.
Caution: For a secured Accounting Flexfield (GL#) value set that's shared with other key flexfields, such as the Budgeting Flexfield (XCC), the Cost Allocation Flexfield (COST), the Asset Key Flexfield (KEY#), the Location Flexfield (LOC#), and others, security will not be enforced for that secured value set with these other types of key flexfields. Value sets in other types of key flexfields that aren't shared with the Accounting Flexfield (GL#) key flexfield and that are enabled for security will still enforce segment value security in the mode without the business function distinction. As such, there can be differences in segment value security enforcement across the segments of such key flexfields.
- On the Value Set tab in the Value Set section, select Enable security.
Note: If you’re enabling security on a value set for the first time and you haven’t performed the previous setup step of selecting the business functions that enforce segment value security, the Manage Segment Value Security by Business Function dialog box will open. See the Select Business Functions That Enforce Segment Value Security topic for more information.
It's possible to deselect the Enable security checkbox and stop enforcement of segment value security for a value set. If you deselect the checkbox, you must redeploy the GL# Accounting Key Flexfield to process such a metadata change to the chart of accounts for this to take effect. Successful redeployment is similarly required when enabling or disabling security for a value set referenced in any other type of key flexfield, such as the Budgeting Flexfield (XCC).
- Click Save.
The application will automatically create the data security resource for the secured value set. The security object name uses the format DS followed by an underscore (_) and then the value set name, without spaces. For example, if the value set name is Vision Company, then the data resource security name would be DS_VisionCompany.
In addition, the application generates an All Values policy for this data security resource to the Authenticated User (ORA_FND_AUTHENTICATED_USER_ABSTRACT) role, which is automatically assigned to all users who successfully sign in to the application. The policy name follows this format: <Secured Value Set Name> – All Segment Values, for example, Vision Company – All Segment Values. This policy is the key mechanism enabling the segment value security by business function behavior where all users are first provided access to all account values of a secured value set by default. This default policy will be suppressed in usage scenarios where a user has a matching distinct policy assignment that restricts access to certain account values.
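The evaluation described above (per-segment checks, the default All Values policy, and its suppression by a restricting assignment) can be sketched as a simplified model; this is an added example, not Oracle's implementation or schema. It assumes that "additively" means every secured segment must pass, that an assignment may be scoped to one business function, and that a user's matching rules are unioned; all names other than Vision Company and the business functions are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SUBLEDGER_ACCOUNTING = "Subledger Accounting"

@dataclass(frozen=True)
class RuleAssignment:
    """A restricting rule for one user on one secured value set (modelled shape)."""
    user: str
    value_set: str
    allowed_values: frozenset
    business_function: Optional[str] = None  # assumption: None = every function

def enforced_functions(selected):
    """Selecting any business function also enforces Subledger Accounting."""
    selected = set(selected)
    return selected | {SUBLEDGER_ACCOUNTING} if selected else selected

def segment_allowed(user, value_set, value, function, assignments):
    """Evaluate one secured segment independently of the others."""
    matching = [a for a in assignments
                if a.user == user and a.value_set == value_set
                and a.business_function in (None, function)]
    if not matching:
        return True  # default "<value set> - All Segment Values" policy applies
    # A matching distinct assignment suppresses the default policy.
    return any(value in a.allowed_values for a in matching)

def combination_allowed(user, combination, function, selected, secured, assignments):
    """combination maps value set name -> segment value."""
    if function not in enforced_functions(selected):
        return True  # security is not enforced for this business function
    return all(segment_allowed(user, vs, val, function, assignments)
               for vs, val in combination.items() if vs in secured)

# Constructed sample data
SELECTED = {"General Ledger", "Payables"}
SECURED = {"Vision Company", "Vision Cost Center"}
ASSIGNMENTS = [
    RuleAssignment("ap_clerk", "Vision Company", frozenset({"01"}), "Payables"),
    RuleAssignment("ap_clerk", "Vision Cost Center", frozenset({"100", "110"})),
]
COMBO = {"Vision Company": "02", "Vision Cost Center": "100", "Vision Account": "5100"}

if __name__ == "__main__":
    for fn in ("Payables", "General Ledger", "Receivables"):
        print("ap_clerk", fn,
              combination_allowed("ap_clerk", COMBO, fn, SELECTED, SECURED, ASSIGNMENTS))
    print("new_hire Payables",
          combination_allowed("new_hire", COMBO, "Payables", SELECTED, SECURED, ASSIGNMENTS))
```

In this model a user with no rule assignment (new_hire) passes every check, which is why enabling security on a value set restricts nobody until rules are assigned.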
Deploy the Accounting Flexfield and Publish Account Hierarchies
When enabling or disabling security for a chart of accounts value set, you must successfully deploy the accounting flexfield for the change to take effect.
In the Setup and Maintenance work area, use the Manage Chart of Accounts Configurations task in the Financial Reporting Structures functional area and click Deploy All Charts of Accounts.
To update the General Ledger balances cube so that the current security enforcement settings are applied, you must publish the account hierarchies for the secured value sets. In the Setup and Maintenance work area, use the Publish Account Hierarchies task in the Financial Reporting Structures functional area.
Open the Manage Segment Value Security Rules Spreadsheet
If there are users who should have access to only limited accounts of a secured value set, either at all times or in certain usage scenarios, then you must configure rules and user rule assignments for that secured value set.
This is necessary to suppress the All Values access that was granted by default to every user, which is a feature of segment value security rules by business function.
You must use the Manage Segment Value Security spreadsheet exclusively to maintain your rules and rule assignments for segment value security by business function. Don’t use either of the following:
- Edit Data Security page in the application.
- Rapid Implementation Create Segment Value Security Rules spreadsheet, which is opened using the Create Segment Value Security Rules in Spreadsheet task.
The Manage Segment Value Security Rules spreadsheet captures additional rule and rule assignment attributes that aren’t maintained in the Edit Data Security page or in the Rapid Implementation Create Segment Value Security Rules spreadsheet, including attributes that support enforcing segment value security by business function.
Commingling the usage of the Manage Segment Value Security Rules spreadsheet with the Edit Data Security page or the Rapid Implementation spreadsheet to maintain your segment value security setups will result in serious data inconsistencies that will cause the incorrect enforcement of segment value security.
After you’ve saved your changes to enable security for a value set, you can open the Manage Segment Value Security Rules spreadsheet to set up your security rules.
- In the Setup and Maintenance work area, go to the Manage Chart of Accounts Configurations task:
- Offering: Financials
- Functional Area: Financial Reporting Structures
- Task: Manage Chart of Accounts Configurations
- On the Manage Chart of Accounts Configurations page, select the chart of accounts.
- In the Segments section, select the secured value set.
- In the Value Set tab, click Manage Data Security. The spreadsheet will open within the context of the secured value set.