
Flexfield Value Set Security

Oracle E-Business Suite Flexfields Guide


Release 12.2.x

Prepared By: Ashraf Momtaz


Date: 03-11-2015

Introduction

Separation of Duties (SoD) is one of the key concepts of internal controls, and it is a
requirement for many regulations including Sarbanes-Oxley (SOX) Act, the Health Insurance
Portability and Accountability Act (HIPAA), and the European Union Data Protection Directive.
Its primary intent is to put barriers in place to prevent fraud or theft by an individual acting
alone. Implementing Separation of Duties requires an initial evaluation of the privileges
required for the various roles involved in administering applications. These roles should be
chosen to minimize the possibility that users could modify data across application functions
where the users should not normally have access. For flexfields and report parameters in
Oracle E-Business Suite, values in independent and dependent value sets can ultimately
affect functionality such as the rollup of accounting data, job grades used at a company, and
so on. Controlling access to the creation or modification of value set values can thus be an
important piece of implementing Separation of Duties in an organization.

Value Set Security

Flexfield value set security allows system administrators to restrict users from viewing,
adding or updating values in specific value sets. Value set security enables role-based
separation of duties for key flexfields, descriptive flexfields, and report parameters. For
example, you can set up value set security such that certain users can view or insert values
for any value set used by the Accounting Flexfield but no other value sets, while other users
can view and update values for value sets used for any flexfields in the Oracle Human Capital
Management applications. You can also segregate access by Operating Unit as well as by role
or responsibility.

Value set security uses a combination of data security and role-based access control in
Oracle User Management. Flexfield value set security provides a level of security that is
different from the previously-existing function security and flexfield value security features in
Oracle E-Business Suite:

- Function security controls whether a user has access to a specific page or form, as
  well as what operations the user can do in that screen.
- Flexfield value security controls what values a user can enter into a flexfield
  segment or report parameter (by responsibility) during routine data entry in many
  transaction screens across Oracle E-Business Suite.
- Flexfield value set security (this feature, new in Release 12.2) controls who can
  view, insert, or update values for a particular value set (by flexfield, report, or value set) in
  the Segment Values form (FNDFFMSV). Flexfield value set security affects independent and
  dependent value sets for flexfields and report parameters, including Independent,
  Translatable Independent, Dependent, and Translatable Dependent value set types. Flexfield
  value set security also affects parent values for Table Validated value sets where the "Allow
  Parent Values" flag is checked for the value set.

The effect of flexfield value set security is that a user of the Segment Values form will only
be able to view those value sets for which the user has been granted access. Further, the
user will be able to insert or update/disable values in that value set if the user has been
granted privileges to do so.

Note that where a value set is being used by multiple flexfield segments or report
parameters, any changes made to a value set affect all segments or parameters that use the
same value set, even if access is not explicitly granted for the flexfield that shares the value
set.

Note: Flexfield value set security is not currently supported by the Account Hierarchy
Manager in Oracle General Ledger, though the Account Hierarchy Manager only provides
access to value sets that are used for the Accounting Flexfield. Flexfield value set security is
also not currently supported by the Setup Workbench in the Oracle Product Information
Management product. For both of these products, you should maintain tight control over who
has access to these pages on their menus.

Initial State of the Feature upon Upgrade

When you initially install or upgrade to Release 12.2.2, no users are allowed to view, insert
or update any value set values. You must explicitly set up access for specific users by
enabling appropriate grants and roles for those users.

We recommend using flexfield value set security as part of a comprehensive Separation of
Duties strategy. However, if you choose not to implement flexfield value set security upon
upgrading to or installing Release 12.2, you have two simple options to give users access to
all value sets for backwards compatibility:

1. Assign the seeded unlimited-access role ("Flexfield and Report Values: All privileges")
directly to users, responsibilities, or other roles. With this option, users who have function
security access to the Segment Values form and have this role either directly or indirectly can
see, insert, and update values for any value set.
2. Create an "all-value-sets, all-privileges, all-users" grant (complete backwards
compatibility, described later). With this option, any users who have function security access
to the Segment Values form can view, insert, and update values for any value set. This
option is very easy to set up, but it is not recommended because it defeats the purpose of
the Separation of Duties feature.

If you decide later that you want to implement flexfield value set security as part of your
Separation of Duties controls, you can delete such grants (revoke privileges) or end-date the
role assignments or the grants.

Important: For Release 12.2.2, Patch 17305947:R12.FND.C or later must be applied before
you use this feature. To determine if this patch has been applied, see "Flexfield Value Set
Security Reference Information". This patch is not necessary for later versions of Oracle
E-Business Suite after 12.2.2.

Setting Up Flexfield Value Set Security

Setting up value set security mostly consists of creating grants using the Functional
Administrator responsibility.

Grants

The grant has three basic parts that we assign when we create the grant:

1. Grantee and security context (who gets privileges and the context where privileges
are available)
2. Data security object (Flexfield Value Set Security Object), object instance set, and
parameter values if needed (what data is affected by the grant)
3. Permission set (what privileges are allowed on the object)

The grant is where you associate a grantee (a single user or a group of users who have a
specific role or responsibility) with the object instance set and parameter values that identify
the correct value sets for the grantee. You set which specific flexfields, value set names, and
so on can be accessed as part of the grant. These are the specific parameter values that
correspond to parameters in the object instance set predicate (WHERE clauses). The grant is
tied to the data security object. The grant is also where you associate the appropriate
seeded permission set with the grantee. See the Seed Data Reference Information section
for lists of the available object instance sets and permission sets.

New Value Sets

No users are allowed to view, insert or update any value set values unless access is explicitly
granted. You must explicitly set up access for specific users by enabling appropriate grants
and roles for those users. That restriction includes values for value sets created by the same
user. For example, if a user creates a new value set definition using the Value Set window
and immediately goes to create values for that new value set, the user will not be able to
find or enter values for that new set unless:

1. The user has a grant for that specific value set name.

OR

2. The user has an "all-value-sets" role or grant.

OR

3. The value set is attached to a flexfield or report segment, and the user has a grant or
role that gives access to that segment or report parameter.

Access Path in Segment Values Form

In the Find window for the Segment Values form, you have various ways to find and access a
particular value set for defining values, as shown in the following figure: by value set name,
by key flexfield, by descriptive flexfield, or by report parameter (parameters for concurrent
programs set up to use Standard Request Submission).

In the Find screen of the Segment Values form, the lists of values (LOV) pop-ups will show
you only those value set names, flexfields, structures, and so on for which you have been
granted access. If you have not been granted access to a particular value set, it will not show
up in the LOV. It will appear as if that value set does not exist. If you have no grants to any
value sets (either by name or through flexfields or report parameters), you will not see any
LOV entries, and you may see a message that List of Values contains no entries. You may
also see this message if you do not have access to any value sets specified by criteria you
have already entered in prior fields in the Find window.

Shared Value Sets

Access to shared value sets can be granted through different pathways to the value set
name:

- By value set name
- By key flexfield segment
- By descriptive flexfield segment
- By report parameter

If you have a grant to access a particular value set, you must access that value set through
the path for which it was granted, such as through a particular key flexfield segment, even if it
is shared by other segments. For example, if you have a grant to the "Company" segment of
the Accounting Flexfield, "Vision Operations" structure, you cannot access that value set
through the "Parameter A" report parameter for the "Special" report in the Oracle General
Ledger application, even if they both use the same value set. However, you can always access
the value set by its name. Also, if you have a grant that gives access to the value set by its
name, then you can access it by either value set name or through whatever segment or report
parameter it is attached to.

Multiple Grants to the Same Value Set

If a user has multiple grants to the same value set (through different pathways), and those
grants provide different privileges, the resulting privileges are the union of the privileges of the
grants, as shown in the following picture.
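
The access-path rule from Shared Value Sets and the union rule above, as a small Python model added here for illustration; it is not Oracle code and does not query E-Business Suite. The value set name COMPANY_VS, the path tuples and the privilege labels are constructed, and the model assumes that once a value set is reachable through the path used, the privileges are the union over all of the user's grants to it.

```python
from dataclasses import dataclass

# Privilege labels for this model only; not Oracle permission-set names.
VIEW, INSERT, UPDATE = "view", "insert", "update"

# Constructed sample: the value set behind each segment or report parameter.
KFF_COMPANY = ("kff", "Accounting Flexfield", "Vision Operations", "Company")
RPT_PARAM_A = ("report", "General Ledger", "Special", "Parameter A")
ATTACHMENTS = {KFF_COMPANY: "COMPANY_VS", RPT_PARAM_A: "COMPANY_VS"}

@dataclass(frozen=True)
class Grant:
    path: tuple            # ("name", value_set), a segment/parameter path, or ("all",)
    privileges: frozenset

def value_set_for(path):
    """Resolve a Find-window access path to the value set it points at."""
    return path[1] if path[0] == "name" else ATTACHMENTS.get(path)

def targets(grant, value_set):
    """True if the grant gives privileges on this value set by any pathway."""
    return grant.path == ("all",) or value_set_for(grant.path) == value_set

def reachable(grant, path, value_set):
    """True if this grant lets the user open the value set through `path`."""
    if not targets(grant, value_set):
        return False
    if grant.path[0] in ("all", "name"):   # name or all-value-sets grant: any path
        return True
    # Segment or parameter grant: only its own path, or the value set name.
    return path == grant.path or path[0] == "name"

def effective_privileges(grants, path):
    """Privileges the user holds on the value set when opening it via `path`."""
    value_set = value_set_for(path)
    if value_set is None or not any(reachable(g, path, value_set) for g in grants):
        return frozenset()                 # value set appears not to exist
    # Assumption: once reachable, privileges are the union over all grants to it.
    return frozenset().union(*(g.privileges for g in grants if targets(g, value_set)))

if __name__ == "__main__":
    kff_only = [Grant(KFF_COMPANY, frozenset({VIEW, INSERT}))]
    both = kff_only + [Grant(RPT_PARAM_A, frozenset({VIEW, UPDATE}))]
    print(sorted(effective_privileges(kff_only, RPT_PARAM_A)))
    print(sorted(effective_privileges(both, KFF_COMPANY)))
```

A reviewer can use the same structure to reason about which roles end up with update rights on a shared value set before creating a new grant.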

Roles

We recommend that you create roles and create grants to those roles rather than directly to
individual users. While you can create grants directly to individual users or responsibilities,
creating roles first and assigning them to users or other roles provides a more powerful and
flexible way to control access. You can assign roles to other roles, responsibilities, or individual
users as appropriate for your needs.

Example

Example of Setting Up a Responsibility with Access to All Value Sets

In this example, we want to give a specific responsibility (General Ledger Superuser)
access to insert and modify values for all value sets used for the Accounting Flexfield key
flexfield. The object All Rows that selects a single key flexfield structure is Key flexfield
structure. Because we want the responsibility to be able to view/insert/update/disable
values, we will use the Flexfield Value Set Security Insert/Update Set permission set.

1- Log in as the Sysadmin user

2- Create the Role

First we create a role using the User Management responsibility. We navigate to the
Roles and Role Inheritance page and search for General Ledger Super User.

3- Create the Grant

Once we click Create Grant, we can define our grant. Because we started from our role,
the Grantee Type and Grantee fields are already set to our role. If you want this grant to
apply within a particular responsibility (for example, to restrict the user to defining
Company values from within only a particular responsibility) or operating unit, you can
specify a responsibility or operating unit, but we leave them blank for our example. We
specify Flexfield Value Set Security Object in the Object field and select Next.

4- Enter the required fields as shown, then press Next

5- Select the Object Data Context, which determines which value sets you will be able to
insert and update:
1- All Rows: you will be able to insert and update all value sets
2- Instance: you will be able to insert and update a specific value set
3- Instance Set: you will be able to insert and update a group of value sets, with a maximum
of 10 value sets

6- Define the object parameters and select the Flexfield Value Set Security Insert/Update
Set permission set

7- Review and press Finish

8- You will be notified with a confirmation message; press OK to complete

9- You will find the new grant assigned to our role General Ledger Super User

10- You will then get a warning that you have to run the Workflow Background Engine from
the System Administrator responsibility

Now log in with your user to check your work: you will be able to insert and update
value set values.
