The end of the ‘all or nothing’ approach around Value Sets
Author: Reina van Ewijk | Category: Oracle
R12.2 brings the security we’ve all been waiting for, plus a smile on the face of the internal auditors. It ensures that the Super Users only have access to the value sets they are responsible for.
One of the features available in Oracle eBusiness Suite (eBS) Release 12.2 is Value Set Security. This is one of the new features with real added value.
Value Sets are used extensively in Oracle eBS: in Key Flexfields, Descriptive Flexfields and as Report Parameters. The maintenance of these sets can be a cumbersome task for your Functional Support Department.
This is why organizations usually delegate this maintenance to Super Users of the various business areas. This way, the Finance Super User can maintain Cost Centres and the Item Masters can maintain the sets that are relevant for them. The downside is that (before R12.2) a user simply either had access to the Value Set Values Form or not. In theory, they could ‘mess up’ any value set, including the ones they are not responsible for.
How does it work?
It will take some work from Functional Support to make this happen in R12.2. A mandatory Post-Upgrade step is to grant flexfield value set access to specific users. I would recommend giving your Functional Support Team full access to all the Value Sets. This Full Access Grant should be assigned to a responsibility that only Functional Support has in common. As an alternative you can assign this to persons. I believe assigning Grants and Roles to Responsibilities rather than Users is more efficient and transparent.
First things first: Super Power to Functional Support
The seeded role Flexfield Value Set Security: All Privileges contains a Grant that has full access (insert/update) to all Value Sets.
Via role User Management, you can assign this to a specific responsibility.
Navigation Path: User Management > Roles & Role Inheritance.
Select the responsibility you want to give ‘superpowers’. Click on View in Hierarchy, next on Add Node and search and add role: Flexfield Value Set Security: All Privileges.
After you have run the Workflow Background Process, all users that have the System Administrator responsibility can maintain all Value Sets.
Next step: delegate your maintenance
Let’s make the well-known Pat Stock, General Ledger Super User for Vision Operations (USA), responsible for the maintenance of the Department, Account and Sub-Account Value Sets linked to the Chart of Accounts of Vision Operations (USA).
First, determine the exact name of the value sets. For this business case, the Key Flexfield Segments Form will provide us with this information.
Navigate to User Management > Roles & Role Inheritance and click on CREATE ROLE. Fill in the required fields (Category, Role Code, Display Name, Description, Application and Active From) and click on SAVE, then on SECURITY WIZARD.
The Security Wizard will assist you in creating the Grant with the relevant access rights. Select the Flexfield Value Sets: Security Administration Setup.
Click on CREATE GRANT and fill in the required fields. The Value Set Privilege Options are: Insert, Insert/Update, Update, View Only.
You can authorize value sets by a number of methods, for example: Value Set Name, Key Flexfield Structure, Key Flexfield Segment, Descriptive Flexfield Name, Descriptive Flexfield Context, Concurrent Program Name.
For our business case we will use Value Set Name.
Click on APPLY to create the Grant, then on APPLY to update the Role.
The last step is to add this Role either to a User (PSTOCK) or to a specific Responsibility that is only assigned to the Super Users (General Ledger Super User).
Once the Workflow Background Process has completed, Pat Stock can only maintain her three Value Sets.
In comparison, the system administrator who received the Super Power Role: Flexfield Value Set Security: All Privileges will have access to all available value sets.
Things to consider
- When a Role with Grant is added as a Node to a specific Responsibility, the User will inherit the access and can maintain their granted value sets via any assigned responsibility which includes the Value Set Maintenance Form.
- Your Grant Information only allows a maximum of 10 parameters. In case you need to create a Role that gives access to 15 Value Sets, either create 2 Grants and assign these to your Role or use another Authorize Value Set by method.
- In case you need to add another parameter (Value Set) to an existing grant, use the Security Wizard to update your Grant. This will allow you to select and add the Value Set Name, rather than the Value Set ID.
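To review the result of the grants described above, the following audit query is an added example and not part of the original article or of Oracle's documentation. It lists every active data security grant on value sets with its grantee, permission set and up to ten parameters. It assumes that the value set security object is registered in FND_OBJECTS against the table FND_FLEX_VALUE_SETS, and that grants authorised by Value Set Name store the value set ID in PARAMETER1 to PARAMETER10; check both on your own instance.

```sql
-- Added audit example: who may maintain which value sets?
-- Assumption: the security object is registered against FND_FLEX_VALUE_SETS.
WITH vs_grants AS (
  SELECT g.grant_guid, g.grantee_type, g.grantee_key, g.instance_type,
         m.menu_name, s.instance_set_name,
         g.parameter1, g.parameter2, g.parameter3, g.parameter4, g.parameter5,
         g.parameter6, g.parameter7, g.parameter8, g.parameter9, g.parameter10
  FROM   fnd_grants g
  JOIN   fnd_objects o ON o.object_id = g.object_id
  JOIN   fnd_menus   m ON m.menu_id   = g.menu_id
  LEFT JOIN fnd_object_instance_sets s
         ON s.instance_set_id = g.instance_set_id
  WHERE  o.database_object_name = 'FND_FLEX_VALUE_SETS'
  AND    g.start_date <= SYSDATE                          -- active grants only
  AND    (g.end_date IS NULL OR g.end_date >= SYSDATE)
),
params AS (
  -- One row per filled parameter slot (a grant has at most ten).
  SELECT grant_guid, slot, val
  FROM   vs_grants
  UNPIVOT (val FOR slot IN (parameter1 AS 1, parameter2 AS 2, parameter3 AS 3,
                            parameter4 AS 4, parameter5 AS 5, parameter6 AS 6,
                            parameter7 AS 7, parameter8 AS 8, parameter9 AS 9,
                            parameter10 AS 10))
)
SELECT v.grantee_type,
       v.grantee_key,                 -- role, responsibility or user key
       v.menu_name  AS permission_set,
       v.instance_type,               -- grants without parameters still appear
       v.instance_set_name,
       p.slot       AS parameter_slot,
       p.val        AS parameter_value,
       fvs.flex_value_set_name        -- resolved only when the value is an ID
FROM   vs_grants v
LEFT JOIN params p
       ON p.grant_guid = v.grant_guid
LEFT JOIN fnd_flex_value_sets fvs
       ON TO_CHAR(fvs.flex_value_set_id) = p.val   -- assumption: ID stored
ORDER  BY v.grantee_key, v.menu_name, p.slot;
```

Rows with no parameter values are the broad grants, such as the one behind Flexfield Value Set Security: All Privileges, and are the ones to compare against the list of people who are supposed to hold that access.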
NOTE:2011055.1 - Flexfield Value Set Security in R12.2
Oracle® E-Business Suite, Flexfields Guide Release 12.2
Chapter 6 Flexfield Value Set Security