This blog sets out some of the security functions and features of Oracle Fusion.
To keep things simple, it’s based around a UK/GBP based organisation to avoid multiple currency complications.
I’m going to look at the security and setup options that are available within Oracle Fusion, and how that impacts on ease of use for end users and system maintenance from a support perspective.
Standard Oracle terminology and abbreviations are used throughout. An element of familiarity with Oracle is assumed, so some Oracle specific terms are not explained in detail.
Functionality & Features
Roles provide access to functions and data: access to Fusion offerings (GL, AP, PO, etc.) & the functionality within the offerings (enter invoices, make payment, enter journals etc.) and data (invoices, account balances, etc.). Roles are then assigned to users. Roles apply to both GL and subledgers (AP, AR, FA, etc.).
The two sorts of security associated with the role are:
- Job Roles provide functional security, which gives users access to pages in application user interfaces and to the actions that can be performed there. This is used to set up what a user can do (enter invoices and/or approve invoices, enter journals and/or approve journals, etc.) and to enforce segregation of duties.
- Data Roles provide data security, which allows users to see data in those pages. This is used to secure data so that: user A accesses just balancing segment 001; user B accesses balancing segment 002; and user C accesses both 001 and 002.
The functional and data aspects are assigned independently.
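The independence of the two checks can be shown with a simplified model. This is an added example, not Oracle code or an Oracle API: the role names, function names and segregation-of-duties rule are constructed, and users A, B and C follow the balancing segment assignments described above.

```python
# Constructed catalogue: job roles grant functions, data roles grant
# primary balancing segment values (BSVs). All names are hypothetical.
JOB_ROLES = {
    "AP_INVOICE_ENTRY": {"enter_invoice"},
    "AP_INVOICE_APPROVER": {"approve_invoice"},
    "GL_JOURNAL_ENTRY": {"enter_journal"},
}
DATA_ROLES = {
    "BSV_001": {"001"},
    "BSV_002": {"002"},
}
# Function pairs that one person should not hold together.
SOD_RULES = [("enter_invoice", "approve_invoice")]

# Users A, B and C from the text; their job roles are constructed.
ASSIGNMENTS = {
    "A": {"job": {"AP_INVOICE_ENTRY"}, "data": {"BSV_001"}},
    "B": {"job": {"AP_INVOICE_APPROVER"}, "data": {"BSV_002"}},
    "C": {"job": {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVER"},
          "data": {"BSV_001", "BSV_002"}},
}


def granted(user, kind, catalogue):
    """Union of everything the user's roles of one kind grant."""
    return set().union(*(catalogue[r] for r in ASSIGNMENTS[user][kind]))


def can_access(user, function, bsv):
    """Allow only when BOTH functional and data security grant access."""
    return (function in granted(user, "job", JOB_ROLES)
            and bsv in granted(user, "data", DATA_ROLES))


def sod_conflicts(user):
    """Return the segregation-of-duties rules the user's job roles violate."""
    held = granted(user, "job", JOB_ROLES)
    return [pair for pair in SOD_RULES if set(pair) <= held]


if __name__ == "__main__":
    for name in ASSIGNMENTS:
        print(name,
              sorted(granted(name, "job", JOB_ROLES)),
              sorted(granted(name, "data", DATA_ROLES)),
              sod_conflicts(name))
```

User C passes every access check but is the only one flagged by `sod_conflicts`, which is the kind of assignment a periodic role review should surface.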
Data Access Set Security
Data Access Sets secure access to ledgers, ledger sets, and portions of ledgers using primary balancing segment values. If you have primary balancing segment values assigned to a legal entity, then you can use this feature to secure access to specific legal entities. Data access just applies to GL.
Use data access set security for Oracle Fusion General Ledger users to control access to entire ledgers or portions of the ledger represented as primary balancing segment values, such as specific legal entities or companies.
Segment Value Security
Set up segment value security rules on value sets to control access to parent or detail segment values for Chart of Accounts segments. The rules apply to both the general ledger and business units.
Segment value security rules restrict data entry, online inquiry, and reporting.
Use segment value security rules to restrict access to transactions, journal entries, and balances based on certain values in the Chart of Accounts (such as specific companies and cost centre values) to individual roles.
A ledger set is a group of ledgers. Ledger sets must share the same Chart of Accounts and calendar. Ledger sets are used to simplify the management of multiple ledgers. For example: periods can be opened and closed for all the ledgers within a ledger set.
The purpose of a ledger set is to provide access to multiple ledgers at one time from a GL responsibility and provide the ability to run other concurrent programs and reports across an entire ledger set.
A Business Unit is a unit of an enterprise that performs one or many business functions. This unit can process transactions on behalf of many legal entities. Business Units just apply to subledgers.
Business units are assigned to one primary ledger. For example, if a unit is processing payables invoices, then it must post those invoices to a single ledger.
Business units provide a security mechanism for transactions.
A business function represents a business process, or an activity that can be performed by people working within a Business Unit, and describes how a Business Unit is used: billing and revenue management, expense management, inventory management, etc.
A Business Unit can perform many business functions in Oracle Fusion Applications. Prior to Oracle Fusion Applications, operating units in Oracle E-Business Suite were assumed to perform all business functions, while in PeopleSoft, each Business Unit had one specific business function. Oracle Fusion Applications blends these two models and allows defining Business Units with one or many business functions. In Oracle Fusion, a Business Unit can be used in processing any transaction, in reporting and in data security.
Chart of Accounts Structures and Instances
The Chart of Accounts Structures define the structure (segment names, lengths etc.) of the Chart of Accounts flexfield.
The Chart of Accounts Instances inherit the elements of the Chart of Accounts Structure and are used in the day-to-day operation. Importantly, however, different Instances can use different value sets for the same segment.
Primary and Secondary Ledgers
A secondary ledger can differ from its primary ledger by using a different accounting method, Chart of Accounts, accounting calendar, currency, or processing options. All or some of the journal entries processed in the primary ledger are transferred to the secondary ledger, based on configuration options.
Bank Account Data Encryption
You can encrypt your supplier and customer bank account numbers. Bank account encryption doesn’t affect internal bank account numbers.
Supplier, customer, and employee bank account numbers entered in Oracle applications are automatically encrypted. Encryption is based on the bank account encryption setting you specify on the Manage System Security Options page.
There are a few other concepts that should be mentioned:
- Enterprise: this is the highest level classification and corresponds to the parent/group level.
- Legal Entity: this is a party with rights and obligations. It is likely that each Trust is a legal entity. Legal Entities can have one or more balancing segments assigned.
- Intercompany accounting allows Oracle to partially automate some of the accounting for transactions between entities within the group. It may make sense to have an intercompany segment within the Chart of Accounts to facilitate this.
- Cross validation allows control of which values within a value set may be used with other values in other value sets.
Interactions between functionality
There are some areas where functionality may interact:
- Difference in Data Security for GL Features Directly and Indirectly Based on the Balances Cube: It usually makes sense to align Data Access Sets and Segment Value Security.
- The Data Access Set and Ledger Set may “intersect”. If, for example, you wish to have a ledger set that provides open/close functionality across 6 ledgers but allows data entry ONLY in a 7th ledger, you would create a ledger set with the 6 ledgers, then create a data access set listing the ledger set and the additional 7th ledger, and assign that data access set to the GL responsibility. In this case, when the user attempts to open all the periods for the ledgers, it will only open them in 6 of the ledgers. The 7th ledger would not be included.