Overview
The Access Security documents allow you to define criteria for document and accounting line security based on accounting line attributes.
Modules that rely on organization-based module security—Accounts Receivable and Capital Assets modules—are not affected by Access Security. Organization-based security always controls user access in these modules.
To turn on Access Security:
- Work with your technical staff to turn on the Access Security property.
- Set parameter ENABLE_ACCESS_SECURITY = Y.
- Assign permissions:
  - Initiate Document AccessSecuritySimpleMaintenanceDocument
  - Look Up Records KFS-SEC
  - Inquire Into Records KFS-SEC
  - Edit Document AccessSecuritySimpleMaintenanceDocument PreRoute
Parameters
Following are the parameters that need to be reviewed and updated when Access Security is turned on.
- ACCESS_SECURITY_DOCUMENT_TYPES: Documents to which Access Security can be applied. The document type cannot be a parent document.
- ALWAYS_ALLOW_ACCOUNT_MGR_LINE_ACCESS_IND: Allows account managers to view or edit accounting lines for their accounts regardless of access permissions.
- ALWAYS_ALLOW_FISCAL_OFFICER_LINE_ACCESS_IND: Allows fiscal officers to view or edit accounting lines for their accounts regardless of access permissions.
- INITIATOR_IND: When set to Y the document initiator (or the document initiator of the related requisition if this is a PURAP doc) can view the document and notes/attachments regardless of Access Security permissions.
- ALWAYS_ALLOW_PRINCIPAL_INVESTIGATOR_LINE_ACCESS_IND: Allows principal investigators to view or edit accounting lines for their accounts regardless of access permissions.
- ALWAYS_ALLOW_SUPERVISOR_LINE_ACCESS_IND: Allows account supervisors to always view or edit accounting lines for their accounts regardless of access permissions.
- ENABLE_ACCESS_SECURITY: Enables access security checks in the system.
Security Definition
The Security Definition document is used to define security attribute restrictions and the types of documents to which they apply. Once activated, a definition may be assigned to a model or principal.
This tab is used to identify a set of restrictions by name and specifies the types of restrictions included.
- Definition Id: System generated ID.
- Definition Name: Descriptive name for this definition.
- Definition Description: A more detailed description of this set of rules.
- Attribute Id: The attribute on which the restriction is to be based. Existing values may be edited using the Security Attribute lookup and maintenance document. New values require code. Following are the available attributes:
  - Account: The account number entered into the accounting line is compared to the user’s access security value in the applicable security model. Note that Chart is not considered in the evaluation of this form of security access.
  - Chart: The chart specified on the accounting line is compared to the user’s access security value in the applicable security model.
  - Chart-Descend Hierarchy: The user’s access security is compared to the chart codes that report up to the chart code that has the security access restrictions.
  - Object Consolidation: The access security restriction is derived from the object consolidation code associated with the object level code of the object code entered into the accounting line.
  - Object Level: The access security restriction is derived from the object level code associated with the object code entered into the accounting line.
  - Organization: The organization specified on the accounting line is compared to the user’s access security value in the applicable security model.
  - Organization-Descend Hierarchy: The user’s access security is compared to the organization codes that report up to the organization code that has the security access restrictions.
  - Principal Investigator: The access security restriction is derived from the project directors and their associated accounts with an award. Currently, the application requires users to enter the accounts as the security value. The project directors who are permitted to access the accounts are derived from the awards.
  - Project Code: The project code specified on the accounting line is compared to the user’s access security value in the applicable security model.
  - Sub Account: The sub-account specified on the accounting line is compared to the user’s access security value in the applicable security model.
- Restrict View Accounting Line: Indicates whether viewing of accounting lines is restricted. When this box is checked, affected users may open the document containing a restricted accounting line but may not view the line itself. If this restriction is selected and the Restrict Use/Edit Accounting Line option is not selected, affected initiators are allowed to enter an account or object code that they are restricted from viewing. When entering an account or object code in this situation, a user will not receive an error after clicking the add button, but any subsequent lookup by this user will not display the account or object code that is restricted. Instead the user will receive an error message.
- Restrict Use/Edit Accounting Line: Indicates whether editing of and using accounting lines is restricted. When this box is checked and Restrict View Accounting Line is not checked, affected users may view the restricted line but may not use or edit it in any way. Affected users who try to use the account will receive an error message.
- Restrict View Document: Indicates whether viewing of documents containing the accounting line is restricted. When this box is checked, affected users may not view any document containing the accounting line.
- Restrict Edit Document: Indicates whether editing of documents containing the accounting line is restricted. When this box is checked, affected users may not edit any document containing the accounting line.
- Restrict View Notes And Attachment: Indicates whether viewing of notes and attachments referencing this accounting line is restricted. When this box is checked, affected users may not view notes and attachments referencing the accounting line.
- Restrict Lookup: Indicates whether lookup of the accounts or object codes is restricted. When this box is checked, affected users may not look up the accounts or object codes.
- Restrict GL Inquiry: Indicates whether inquiries related to this account are restricted. When this box is checked, affected users cannot use any of the General Ledger balance inquiry screens. Affected users who try to view a restricted account receive an error message.
- Restrict Labor Inquiry: Indicates whether inquiries related to this Labor Ledger account are restricted. When this box is checked, affected users cannot use any of the Labor Ledger balance inquiry screens to view the restricted accounts. Affected users who try to view a restricted account receive an error message.
Document Types
This tab allows the user to define the document type(s) to which security is to be applied for this security definition.
Once the Security Definition is created, it is used to create Security Models. Security Models are where the members are assigned.
Security Model
The Security Model document is used to create a model, or collection of definitions, and assign them to individual users (principals), groups, or roles.
This tab allows the user to identify and describe the security model.
Model Definitions
This tab allows the user to associate one or more security definitions with the model.
- Definition Name: A definition used in this model. Use the lookup icon to select an appropriate definition.
- Constraint Code: Indicates whether access/use is allowed or denied. Click the appropriate button.
- Operator: Specifies the range operator for attribute values for which access or use is allowed or denied. Select the appropriate operator from the list.
- Attribute Value: Identifies the specific attribute value (e.g., a specific account code) to which the definition applies.
- Override Deny: Check the box to allow access that is otherwise denied.
For example, if the benefit object code should be restricted for all users except for members of the Managers and Operations group, you would set up one definition with two models—one to deny access to all users, and another to allow access to members of the Managers and Operations group. In the model for those in the specified group, you would check the Override Deny box.
Model Members
This tab allows the user to associate the model with one or more users or sets of users.
- Member Type Code: The type of member (principal, group, or role) assigned to this model.
- Member Identifier: The principal, group or role ID for the specific user or set of users associated with this model.
- Member Name: Completed based on the Member Identifier.
- Active From Date: The first date on which this model applies to the member.
- Active To Date: The last date on which this model applies to the member. Leave blank if there is currently no end to this member's activation. Set to today's date to inactivate.
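The deny-plus-Override-Deny example from the Model Definitions tab, combined with the Active From/To dates above, as a simplified model (an added example, not KFS code). Assumptions: only an equality operator is modelled, a line is restricted when a deny rule matches unless an allow rule flagged Override Deny also matches, Active To Date is inclusive, and the member IDs and the value BENF are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # one row of the Model Definitions tab
    attribute: str               # attribute the definition is based on
    constraint: str              # Constraint Code: "ALLOW" or "DENY"
    value: str                   # Attribute Value (equality only, an assumption)
    override_deny: bool = False  # Override Deny checkbox

@dataclass(frozen=True)
class Member:                    # one row of the Model Members tab
    member_id: str               # principal, group or role ID
    active_from: date
    active_to: Optional[date] = None   # blank means no end date

    def active(self, today):
        return self.active_from <= today and (
            self.active_to is None or today <= self.active_to)

@dataclass(frozen=True)
class Model:
    name: str
    rules: tuple
    members: tuple

def line_restricted(models, identities, attribute, value, today):
    """True when a deny rule matches and no Override Deny allow rule rescues it."""
    rules = [r for m in models
             if any(mb.member_id in identities and mb.active(today)
                    for mb in m.members)
             for r in m.rules
             if r.attribute == attribute and r.value == value]
    denied = any(r.constraint == "DENY" for r in rules)
    rescued = any(r.constraint == "ALLOW" and r.override_deny for r in rules)
    return denied and not rescued

# Constructed sample data: one definition used by two models.
DENY_ALL = Model("Deny benefits", (Rule("Object Level", "DENY", "BENF"),),
                 (Member("role:all-users", date(2024, 1, 1)),))
ALLOW_MGR = Model("Allow benefits",
                  (Rule("Object Level", "ALLOW", "BENF", True),),
                  (Member("group:managers-operations",
                          date(2024, 1, 1), date(2024, 6, 30)),))
MODELS = [DENY_ALL, ALLOW_MGR]
```

Under these assumptions, once the allowing model's Active To Date passes, the member falls back to the deny model, so end dates on Override Deny models are worth reviewing together with the deny rules they offset.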
Security Principal
The Security Principal document is used to assign one or more models to a specific principal and define any security exception rules that apply to this principal.
Principal Models
This tab allows the user to associate one or more security models with the principal.
Principal Definitions
This tab allows the user to assign one or more security definitions to the principal. Using this tab, the user may assign an exception to a rule that would otherwise apply to the principal.
- Definition Name: A security definition to be applied to this principal. Use the lookup icon to select an appropriate definition.
- Constraint Code: Indicates whether access/use is allowed or denied.
- Operator: Specifies the range operator for attribute values for which access or use is allowed or denied.
- Attribute Value: Identifies the specific attribute value (e.g., a specific account number) to which the operator applies.
- Override Deny: Check the box to allow access that is otherwise denied.
Access Security Simulation
The Access Security Simulation screen allows users to simulate security based on accounting line attributes. This option also displays a list of allowed values for the selected attribute and user.