Advanced Security

Overview

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 1 of 20

315817557.doc
Rev 1

Advanced Security
System References
Distribution
Job Title*

Ownership
The Job Title [list@YourCompany.com?Subject=EDUxxxxx] is responsible for ensuring that this
document is necessary and that it reflects actual practice.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 2 of 20

315817557.doc
Rev 1

Advanced Security

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 3 of 20

315817557.doc
Rev 1

Objectives

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 4 of 20

315817557.doc
Rev 1

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

Data Access Sets are a security feature that enables you to grant and secure access to ledgers,
or portions of the ledger, by its balancing segment values or management segment values.
If a balancing segment value is assigned to a ledger, then you can secure access to specific
balancing segment values.
Furthermore, if you have balancing segment values assigned to a legal entity, then you can
secure access to specific legal entities.
Data Access Set Types:
Full Ledger Access means you have access to the entire ledger.
- For example, this could mean read-only access to the entire ledger or both read and
write access.
Specific BSVs means you can only access one or more balancing segment values for that
ledger.
- You can specify read-only, read and write access, or a combination of the two for
different balancing segment values.
Notes:
Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 5 of 20

315817557.doc
Rev 1

 Segment Value (Flexfield) Security Rules provide similar functionality. A key feature of
Segment Value Security is general data access restriction within a responsibility.
Data Access Sets provide more advanced configurations within a responsibility, because
you can now have tailored access rules to multiple ledgers within the same responsibility.
- For example, you can block access to one segment for one ledger and allow access for
the same segment in another ledger in the same responsibility for balancing and
management segments.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 6 of 20

315817557.doc
Rev 1

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

BSV security adds an important aspect to multi-ledger processing. This aspect of Data Access
Sets enables us to maintain more granular control for multi-ledger processing at the
responsibility level.
For example, while reviewing ledger sets, you can perform the following GL processes across
multiple ledgers simultaneously:
Opening and closing periods
Creating period-closing journals, mass allocations, and recurring journals
Translating balances
Viewing journals and balances using account inquiry
Financial Reporting, including both standard reports and FSG reports.
With BSV Data Access Security, you can prevent or limit access to certain processes. For
example, you can generate recurring journals for a subset of BSVs for multiple ledgers in a
ledger set. For cross-ledger operations, a responsibility with limited access to one BSV in a set
of ledgers can still run FSG reports, but can only query data from the segments for which the
responsibility has access.
Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 7 of 20

315817557.doc
Rev 1

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

If you have read and write access to the entire ledger, then you can enter and post journals to
all BSVs for the ledger.
If you have read and write access to only some BSVs for the ledger, then you will only be able
to enter and post journals for those BSVs.
When viewing a journal, you only need read access to any of the BSVs contained in the journal
lines. For journal lines which you do not have BSV access to those lines will not appear in the
journal entry, but the credits and debits will still balance.
When modifying a journal batch, you must have write access to all ledgers or BSVs that are
used in that batch.
You are allowed to change, reverse, tax, delete, and post a journal if you have write access to
all of the ledger/BSV combinations in the batch.
You can only update, approve, delete, or post a batch if you have write access to all of the
ledger/BSV combinations in the batch.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 8 of 20

315817557.doc
Rev 1

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

A key point to keep in mind as we view the next few examples is that access is granted at the
responsibility-level.
Here is an example of a Data Access Set having full ledger access to a ledger. The ledger called
US Corporate has three balancing segment values assigned to it that represent each of the three
different legal entities for this ledger, US East, US West, and US South.
Here we have specified read-only access on this ledger, so you will only be able to view
existing journals, view balances, and view reports for all balancing segment values.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 9 of 20

315817557.doc
Rev 1

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

This example shows a Data Access Set that secures access by BSVs. The same ledger called
US Corporate is assigned to this Data Access Set. You can specify read-only access to BSV 01
that represents the US East Legal Entity, and you can specify read and write access to the other
two balancing segment values for legal entities, US West and US South.
Thus, for US East (BSV 01), you will only be able to view journals, view balances and view
reports. You will not be able to enter journals or update balances for BSV 01.
On the other hand, for BSVs 02 and 03, in which you have full read and write access, you can
enter and post journals, view and update balances, and view and run reports for those balancing
segment values.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 10 of 20

315817557.doc
Rev 1

Data Access Security for Legal Entities and Ledgers

Data Access Security for Legal Entities and Ledgers

By assigning more than one ledger to a Data Access Set, you can access multiple ledgers from
a single responsibility.
Here, we have assigned two ledgers to the Data Access Set, the EMEA ledger and the APAC
ledger. By assigning read and write privileges to both ledgers, you will be able to view, enter
and post journals, view and update balances, and view and run reports for both ledgers.
You can also secure each ledger by assigning read-only or read and write access to different
ledgers assigned to the same Data Access Set.
The emphasis here is that we can specify both broader access to multiple ledgers and more
granular access by restricting access to specific BSVs.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 11 of 20

315817557.doc
Rev 1

Setup and Process

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 12 of 20

315817557.doc
Rev 1

Data Access Security for Legal Entities and Ledgers Setup and
Process

Data Access Security for Legal Entities and Ledgers

Setup and Process
The setup for the security aspect of Data Access Sets is the same as we saw earlier.
You manually define a Data Access Set and tailor it to your needs, or use the system-generated
Data Access Sets.
Again, if you have more than GL responsibility assigned to a particular user, each
responsibility for the particular user has access to the superset of all combined Data Access
Sets assigned to the users responsibilities.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 13 of 20

315817557.doc
Rev 1

Data Access Security for Legal Entities and Ledgers Setup Define Data Access Set

Data Access Security for Legal Entities and Ledgers

Setup - Define Data Access Set
(N) Setup : Financials : Data Access Sets
Notice the Access Set Type field. There are three options:
Full Ledger
Balancing Segment Value
Management Segment Value
Each Data Access Set must be of one of these access set types. Depending on the Access Set
Type, you can assign more specific access restrictions, such as to specific business segment or
management segment values.
To specify BSV levels of data access granularity, the Access Set Type must be set accordingly
and the corresponding BSVs specified in the Specific column under Access Details > Values.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 14 of 20

315817557.doc
Rev 1

Management Reporting and Security

Management Reporting and Security

In Release 12, a new type of segment qualifier has been added, a management segment
qualifier. You can assign this to a segment in which you want to perform management reporting
and analysis. For example, you can include a Cost Center, a Line of Business, or a Product
Line because they tend to have managers assigned to them.
If you choose a management segment, you can use data access sets to limit access to specific
management segment values.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 15 of 20

315817557.doc
Rev 1

Management Reporting and Security

Management Reporting and Security

Above is an example of how the management segment may be used. This is the cost center
organizational hierarchy. Director A has cost center OU97, Director B has OS69 and Director C
has OX53.
Assume Director A and his counterparts are very competitive with each other and theyre
always competing on who has the lowest expenses and who gets the higher budgets, etc.
By assigning the cost center segment as the management segment, we can secure read and
write access to certain management segment values based on cost center manager.
For example, Director A may have read and write access to only his cost center enabling
him to modify budget amounts or expense items and view his results in management
reports.
Director A would not have access to Director B or Director Cs cost center or to Vice
President's cost center (which most likely is a parent value of all of his direct reports).

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 16 of 20

315817557.doc
Rev 1

Management Reporting and Security

Management Reporting and Security

On the other hand, the Vice President would have full read and write access to his cost center
0683 which is the parent of his direct reports Child cost center:
Director A OU97
Director B OS69
Director C OX53
The VP has full access to all of his direct reports data. Having access to the parent account will
allow access to child data.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 17 of 20

315817557.doc
Rev 1

Management Reporting and Security

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 18 of 20

315817557.doc
Rev 1

Management Reporting and Security Setup

Management Reporting and Security Setup

Select a segment of your chart of accounts to designate as your management segment.
Define a data access set secured by management segment values within a ledger or across
ledgers in a ledger set.
Assign the data access set to a responsibility, and the security will take effect for that
responsibility.
This is available in all applications that use data access sets.
Note: The management segment can be any segment except the balancing segment, natural
account segment or intercompany segment.

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 19 of 20

315817557.doc
Rev 1

Summary

Copyright Oracle, 2007. All rights reserved.

Advanced Security
Effective mm/dd/yy

Page 20 of 20

315817557.doc
Rev 1