Manage Attachment Security for Payables

You can configure data security policies to assign privileges to access the attachments on a secured invoice.

You can also define the security of invoice attachments so that different users have access to the same Business Units and invoices but can only access certain categories of attachments on those invoices. For example, an invoice might carry several categories of attached objects (such as contracts, internal emails, or correspondence directly with the supplier), and several kinds of users (buyers, supplier account representatives, payables specialists, or payables approvers) might have access to that invoice. All of them can view the invoice itself, but their access to the attached objects might need to be restricted by attachment category.

Payables has no secured attachment categories by default: until you set up the policies and enable security as described here, all roles can view all attachment categories.

A security policy defined for an attachment category is enforced on all business objects associated with the category, if those business objects are enabled for attachment security.

To provide attachment security for Payables, perform the following tasks:

  • Define data security policies, which apply to attachment categories.
  • Enable attachment data security for selected business objects.

Defining Data Security Policies

A data security policy is defined by a set of allowable actions on a database resource (such as an attachment category) for a job role.

When a role is provisioned to a user, the user gets the data access that the attachment data security policy defines: under the policy's condition, the role can perform the granted operations (such as read, update, or delete) on the set of attachment categories that the condition selects.

Complete these steps to successfully create a data security policy which grants a specific role access to certain attachment categories.

  1. Sign in as IT security manager.
  2. From the Setup and Maintenance work area, go to the Manage Data Security Policies task.
    • Offering: Financials
    • Functional Area: Users and Security, or Application Extensions
    • Task: Manage Data Security Policies
  3. The Manage Data Security Policies task automatically launches the Security Console. You can also open the Security Console directly from the Navigator.
  4. In the Security Console, go to Administration > General, and then click Manage Database Resources.
    Note: A database resource defines an instance of a data object. A data object is a table, view, or flexfield.
  5. On the Manage Database Resources and Policies page, search for the Display Name equal to Application Attachment Category. The category appears in the search results, with an Object Name of FND_DOCUMENT_CATEGORIES. The data security policies defined for the selected database resource appear in the Policies Details region.
  6. In the Search Results for the selected database resource, select Edit from the Actions menu.
  7. On the Condition tab of the Edit Data Security page, select Create from the Actions menu.
  8. In the Create Database Resource Condition dialog box, name the condition and specify the attachment categories in scope for the data security policy. This table has an example of values for a database resource condition.
    Field           Value
    Name            APInternalDocumentCategories
    Display Name    APInternalDocumentCategories
    Description     AP Document categories granted for internal access
    Condition Type  SQL predicate (you can also specify the condition as a filter on a table or view)
    SQL Predicate   category_name IN ('FROM_SUPPLIER', 'TO_BUYER', 'TO_APPROVER', 'TO_PAYABLES', 'AP_SUPPORTING_DOC', 'AP_SUPPLIER_EMAIL')

    The SQL predicate is a row filter evaluated against the table or view named by the database resource (in this example, FND_DOCUMENT_CATEGORIES), so it must be a valid WHERE-clause fragment for that table. Each category name in the predicate must exactly match the name of the attachment category, including case; a name that doesn't match selects no row and therefore grants no access to that category.

  9. On the Policy tab of the Edit Data Security page, select Create from the Actions menu.
  10. On the General Information tab of the Create Policy dialog box, specify the name, start date, and module. By default, the Module field is the module associated with the database resource for which you're creating the policy (such as Application Attachments).
    • Name: Grant on Application Attachments
    • Start Date: sysdate
    • Module: Application Attachments
  11. On the Role tab of the Create Policy dialog box, select fscm in the Application list, then search for and select the role names to be assigned the new policy.
  12. On the Rule tab of the Create Policy dialog box, select Multiple Values in the Row Set field, then, in the Condition field, search for and select the condition that you created.
  13. On the Action tab of the Create Policy dialog box, move actions from the Available Actions list to the Selected Actions list to specify the actions on the secured data that you want to grant to the selected roles. Grant only the actions the roles need (for example, read without update or delete). When you're done, click Save and Close.
  14. On the Edit Data Security page, click Submit to update the database resource FND_DOCUMENT_CATEGORIES.
  15. On the Manage Database Resources and Policies page, click Done.

Enabling Attachment Data Security for Business Objects

You can enable and disable attachment security at the level of business objects. When you enable attachment security for a specific business object, it’s enforced on every attachment category assigned to the business object.

By default, Payables-related attachment entities don't have security enabled, which means that no data security policies are enforced for Payables-related business objects until you enable it.

To enable your data security policies on attachment categories:

  1. Sign in with the Implementation Consultant credentials.
  2. In the Setup and Maintenance work area, search for the task Manage Attachment Entities.
  3. On the Manage Attachment Entities page, search for each attachment entity that you want to secure.
  4. Enter one of the following Payables-related attachment entity names in the Entity Name field and click Search. The ready-to-use attachment categories appear in the Attachment Categories region for the selected attachment entity.
    Business Object             Attachment Association Level   Attachment Entity Name
    Payables Invoice            Header                         AP_INVOICES_ALL
    Payables Invoice Interface  Header                         AP_INVOICES_INTERFACE
    Payables Payment            Header                         AP_CHECKS_ALL
  5. For each selected attachment entity in the search results, click Enable Security.
  6. After enabling security on all the desired attachment entities, click Save and Close.
  7. On the Setup page, search for and open the Run User and Roles Synchronization Process task from the Initial Users functional area.
  8. Submit the scheduled process to complete enabling security on attachments.

FAQs for Managing Attachment Security for Payables

These FAQs answer some common concerns regarding attachment security.

Does Payables support the use and security of custom attachment categories?

Payables doesn't support creating custom attachment categories or assigning them to Payables-related attachment entities. Only the predefined attachment categories that are already assigned to a Payables-related attachment entity can be secured through data security policies and selected from the Invoices page. Don't assign an additional attachment category to a Payables attachment entity that isn't assigned ready to use. If you do, the category won't appear in the category drop-down list on the Invoices page, but a data security policy that references it can still change what's visible for other business objects that share the category and that the user has been granted access to, so it might undermine your intended attachment security.

Why do I see attachment categories that aren't related to my custom data security policy?

You might have granted only specific data security policies to the custom role you created, but the role can also inherit policies from the duty roles it includes. Those inherited policies also determine which attachment categories are visible to the role, potentially granting unintended extra access.

You should always run the User and Role Access Audit Report with the Data Security Policies parameter set to Yes for any custom job role you create, to understand all attachment-related data security policies that are provisioned to that role. For example, the AP Specialist job role inherits the Supplier Profile Inquiry duty role, which has security policies that grant access to several attachment categories that overlap between business objects. This could grant the AP Specialist unintended access to an attachment category when creating or viewing invoices.
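The two checks described on this page, that each category name in a condition's SQL predicate matches an assigned category exactly (step 8 above) and that inherited duty-role policies can widen a custom role's attachment access (this FAQ), can be reasoned through before you run the audit report. The following is an added example, not Oracle code and not a substitute for the User and Role Access Audit Report: it parses predicates in the `category_name IN (...)` shape from the page, models role inheritance, and reports which categories a role reaches only through inheritance. The category list for AP_INVOICES_ALL, the policy and role names, and the `AP_INTERNAL_EMAIL` category are constructed for the example; the predicate on the custom role is the one from step 8.

```python
"""Model attachment data security policies and compute a role's effective categories.

Added example: all category, role and policy names below are CONSTRUCTED to mirror
the page's description (a custom AP Specialist role inheriting the Supplier Profile
Inquiry duty role). Replace them with the values from your own environment.
"""
import re

# Ready-to-use categories assigned to an attachment entity (CONSTRUCTED; read the
# real list from the Attachment Categories region on Manage Attachment Entities).
ENTITY_CATEGORIES = {
    "AP_INVOICES_ALL": {
        "FROM_SUPPLIER", "TO_BUYER", "TO_APPROVER", "TO_PAYABLES",
        "AP_SUPPORTING_DOC", "AP_SUPPLIER_EMAIL", "AP_INTERNAL_EMAIL",
    },
}

# Data security policies per role: role -> [(policy name, SQL predicate)]. CONSTRUCTED.
POLICIES = {
    "Custom AP Specialist": [
        ("Grant on Application Attachments",
         "category_name IN ('FROM_SUPPLIER', 'TO_BUYER', 'TO_APPROVER', "
         "'TO_PAYABLES', 'AP_SUPPORTING_DOC', 'AP_SUPPLIER_EMAIL')"),
    ],
    "Supplier Profile Inquiry": [
        ("Supplier Attachment Grant",
         "category_name IN ('FROM_SUPPLIER', 'AP_INTERNAL_EMAIL')"),
    ],
}

# Role inheritance: role -> roles it inherits from. CONSTRUCTED.
INHERITS = {"Custom AP Specialist": ["Supplier Profile Inquiry"]}

_IN_LIST = re.compile(r"category_name\s+IN\s*\((.*?)\)", re.IGNORECASE | re.DOTALL)


def categories_in_predicate(predicate):
    """Return the literal category names in a `category_name IN ('A', 'B')` predicate."""
    match = _IN_LIST.search(predicate)
    if not match:
        raise ValueError("unsupported predicate shape: %r" % predicate)
    return {v.strip().strip("'") for v in match.group(1).split(",") if v.strip()}


def unmatched_categories(predicate, entity):
    """Names in the predicate that don't exactly match a category assigned to the entity.

    The comparison is case-sensitive on purpose: the predicate is evaluated against the
    stored category_name, so 'from_supplier' selects nothing and grants nothing.
    """
    return categories_in_predicate(predicate) - ENTITY_CATEGORIES[entity]


def inherited_roles(role):
    """All roles reachable from `role` through inheritance, including the role itself."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(INHERITS.get(current, ()))
    return seen


def effective_categories(role):
    """Map each category the role can reach to the set of 'role:policy' grants that give it.

    This is the union over the role's own policies and every inherited role's policies,
    which is why a narrow custom policy can still end up wider than intended.
    """
    grants = {}
    for r in inherited_roles(role):
        for policy_name, predicate in POLICIES.get(r, ()):
            for category in categories_in_predicate(predicate):
                grants.setdefault(category, set()).add("%s:%s" % (r, policy_name))
    return grants


def unintended_categories(role):
    """Categories the role reaches only through inherited policies, never through its own."""
    direct = set()
    for _, predicate in POLICIES.get(role, ()):
        direct |= categories_in_predicate(predicate)
    return {c for c in effective_categories(role) if c not in direct}


if __name__ == "__main__":
    role = "Custom AP Specialist"
    for category, sources in sorted(effective_categories(role).items()):
        print("%-20s granted by %s" % (category, ", ".join(sorted(sources))))
    print("reached only via inheritance:", sorted(unintended_categories(role)))
```

In the constructed data the custom role's own policy never mentions AP_INTERNAL_EMAIL, yet the role reaches it through the inherited Supplier Profile Inquiry policy, which is exactly the overlap the audit report is meant to surface. A policy whose predicate contains a misspelled or differently cased name shows up in `unmatched_categories` rather than silently granting nothing.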

How can I update the attachment category of existing invoice attachments?

To update the attachment category of an existing invoice attachment, navigate to the attachment and change the category from the drop-down list. You can also use the REST API to retrieve the existing attachment, create a new attachment record with the corrected category, and then delete the original attachment record that has the incorrect category.