The Chief Financial Officer decides on accounting data access and restrictions for finance staff. For instance, a Shared Services accountant for EMEA accesses data for companies based in EMEA only. Ideally, the user experience should be seamless and controlled. This blog focuses on how to best secure data access in General Ledger. 

General Ledger secures functions and data through job roles, data access sets, and segment value security rules.

Each job role gives users direct privilege grants, as well as duty role assignments, with access to application functions that correspond to their responsibilities. 

For example, the General Accounting Manager role grants comprehensive access to all General Ledger functions to the general accounting manager, controller, and chief financial officer in your organization.
 

Control Access to Ledger and Ledger Sets with Data Access Sets (DAS)
 

  • Data Access Sets secure access to ledgers, ledger sets, and portions of ledgers using primary balancing segment values.
  • General Ledger (GL) automatically creates a DAS with full “read and write” access for each Ledger and Ledger Set (with the same name).
  • The CFO determines the data access levels and assigns a super user to grant such security. The super user creates additional DAS manually. 
  • A DAS grants access to a Ledger or a Ledger Set, or optionally, primary balancing segment values (BSVs). 
    • You can assign BSVs to legal entities. That way, you can give more granular access to selected BSVs within a ledger. 
    • You can optionally add “read-only” or “read and write” access to the above accounting data.  
  • When navigating through GL UIs, your finance user is connected to only one DAS at any point in time. Even when multiple Data Access Sets are assigned to your finance user, only one data access set can be selected at a time in the GL UIs.
  • FBDIs, Scheduled Jobs and Journals ADFdi inherit a user’s data access sets and control:
    • the parameters that your user can specify when launching the FBDI, job or Journals ADFdi
    • the output, which displays only accessible values to match the assigned DAS
  • DAS access privileges control data access for Essbase and Oracle Transactional Business Intelligence (OTBI).
    • With Essbase your finance user can, for all assigned Data Access Sets, inquire on detailed balances via:
      • Account Monitor
      • Account Inspector
      • Financial Reporting Web Studio
      • Smart View
      • and Allocations
    • With OTBI your finance user can, for all Data Access Sets assigned, create online reports on GL journals and balances. 

Warning: Data Access Sets do not apply to subledger transaction security; business unit security applies to those instead.

Connect Role with DAS via Security Assignment

Use the Security Console to assign users roles. Use the Manage Data Access Set Data Access for Users task to assign users data access sets. Pair the security context with their General Ledger job role assignments.

Control Access to Chart of Account (COA) values with Segment Value Security (SVS)

  • SVS policies restrict access to segment values for data entry, inquiry, and reporting.
  • Starting with 24D, SVS by Business Function lets you define rules for read-only access, such as for inquiry and reporting, and separate rules for read and write access for data entry.
  • Super users define access control to detail- and parent segment values of the COA with SVS. 
  • SVS, once activated for a value set, prevents access to all values unless you are positively granted access via a job role.
  • You assign SVS rules to roles that are, in turn, assigned to your users.
  • SVS aggregates access privileges across roles.

Be Aware of Aggregation of Security Access across Roles

Except for DAS, security access to Oracle Cloud ERP is aggregated at the level of the system user.

  • A system user accumulates access to GL data from all roles assigned to that person. 
    • If a system user was granted read and write access to a ledger, BSV, or segment value, then that access stands. This applies no matter what other function and data security roles are assigned.

Warning: Let’s say a user is granted read and write access to segment values, by virtue of multiple roles assigned. This user will be able to read and update these values in General Ledger UIs and features.
For example:

  • A French General Accountant role grants access to cost centers 100-300. 
  • A Spanish General Accountant role grants access to cost centers 400-500. 
  • A user assigned both roles will have access to cost centers 100-300 and 400-500. 
  • Though note, the user will not have access to the values 301 to 399.
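
The aggregation described above can be checked before roles are assigned. The following is an added example, not Oracle code or an Oracle API: a simplified Python model in which the role names come from the example above, while the `EMEA Reporting Viewer` role, the users and the `excess_write` check are assumptions made for illustration.

```python
from dataclasses import dataclass

READ, WRITE = "read", "read_write"

@dataclass(frozen=True)
class Grant:
    role: str
    low: int       # inclusive range of cost center values
    high: int
    access: str    # READ or WRITE

# Constructed sample data: the two roles from the example above plus a
# hypothetical read-only reporting role.
GRANTS = [
    Grant("French General Accountant", 100, 300, WRITE),
    Grant("Spanish General Accountant", 400, 500, WRITE),
    Grant("EMEA Reporting Viewer", 100, 500, READ),
]
USER_ROLES = {
    "alice": {"French General Accountant", "Spanish General Accountant"},
    "bob": {"French General Accountant", "EMEA Reporting Viewer"},
    "carol": set(),  # no role grants access to the secured value set
}

def effective_access(user, value):
    """Aggregate grants across all of a user's roles; deny by default."""
    roles = USER_ROLES.get(user, set())
    levels = {g.access for g in GRANTS
              if g.role in roles and g.low <= value <= g.high}
    if WRITE in levels:      # a read and write grant from any role stands
        return WRITE
    return READ if READ in levels else None

def excess_write(user, intended_low, intended_high):
    """Ranges the user can update that fall outside the intended scope."""
    roles = USER_ROLES.get(user, set())
    excess = []
    for g in sorted(GRANTS, key=lambda g: g.low):
        if g.role not in roles or g.access != WRITE:
            continue
        if g.low < intended_low:
            excess.append((g.low, min(g.high, intended_low - 1)))
        if g.high > intended_high:
            excess.append((max(g.low, intended_high + 1), g.high))
    return excess

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, [effective_access(user, v) for v in (150, 350, 450)],
              excess_write(user, 100, 300))
```

Running the check with an intended update scope of 100-300 flags the user holding both accountant roles, because the second role adds update access to 400-500.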

Cross Validation Rules, Related Value Sets and Combination Sets features validate and ensure accuracy of account combinations. See ERP-ACE blog: Cross Validation Combination Sets and Other Account Combination Validation Features.  However, this blog focuses on data access security.

Best Implementation Practices

Our best implementation practices:

  • Minimize the number of Data Access Sets (DAS). 
  • Use Ledger Sets to grant access to multiple ledgers that share the same COA and Calendar. 

 For DAS ensure that you:

  • Assign the automatically created DAS with full “read and write” access to users where no restriction is required. 
  • Create additional DAS only when necessary to meet specific data access accounting requirements.
  • Minimize the number of DAS by using Ledger Sets to grant access to multiple ledgers.
  • Use parent BSVs, where applicable, in a DAS. That way, new child values are automatically available to the users of the DAS.

 For SVS ensure that you:

  • Define common job roles with no business functions to represent security policies with conditions.  For each common job role, define a security policy with conditions to access specific segment values. Assign the security policy to the appropriate common job role.
  • Assign the common job roles, in addition to specific job roles, to each user.  This approach separates security policies from job roles. It provides maximum flexibility when you assign job roles to users. 
  • Avoid aligning a security policy with a job role. That would result in a custom job role for each security policy. A common job role without any function can be easily defined.
  • Use an account hierarchy where a parent value represents the list of accessible detail values.  When requirements change, maintain the account hierarchy as opposed to maintaining the security policies.
  • Use spreadsheet upload to create security policies. For example, create a security profile for the cost center value set with a condition for the value ‘310 – West Coast’.

 To explore DAS and SVS use case examples, please refer to the Implementing Enterprise Structures and General Ledger user guide.

Summary

Use Data Access Sets to restrict data access for your finance staff who access General Ledger data. Take a holistic view of Segment Value Security rules, as they impact all Oracle Cloud SaaS applications where your chart of accounts is in use. Be aware of the impact of aggregation of security access across roles.