You can use GL account security to define which roles/users can access particular GL accounts. You should not use GL account security unless you want to restrict users to specific GL accounts. You can use the GL Security Code field for a GL account even if you are not using GL account security.
When configuring GL account security, if no roles/users are assigned to the GL account security access privilege, it is considered inactive and all users have access to all GL accounts regardless of value in the GL Security Code field. If a role/user is assigned (activating the access privilege), all unassigned users are unable to access any GL account to which they are not assigned. Therefore, it is very important to plan your security restrictions and permissions before assigning security.
When configuring GL Account Security, you need to:
- Create the GL Account Security Codes
- Assign the GL Account Security Codes to GL Accounts
- Determine the GL Account Security Code Behavior
- Configure the Access Privilege(s)
Create the GL Account Security Codes
First you need to define the GL security codes you are assigning to the GL accounts. Most organizations use one level of security, such as department. To configure the GL security codes:
- Click the GL Account Security Codes link from the Main Menu. The GL Account Security Codes screen opens.
- Select GL security code 1. Show the Code column to easily identify security code 1.
- Right-click and select Edit. The Edit GL Account Security Type screen opens.
- Update the Description field to your desired name for the GL security code, such as Department.
- Select the GL Account Security Codes tab.
- Click the Add button. The Add GL Account Security Code screen opens.
- Enter the necessary information:
- Description - Name of the security code. Using the Department example, Audio Visual or Catering.
- Code - Unique alphanumeric value.
- Status - Only active security codes are available for selection.
- Click OK. You return to the Edit GL Account Security Type screen.
- Repeat steps 6-8 for all security codes.
- Click OK.
- If necessary, repeat steps 2-10 for security code types 2 and 3.
Assign the GL Account Security Codes to GL Accounts
Now you can assign the security codes to the appropriate GL accounts.
- Click the GL Accounts link from the Main Menu. The GL Accounts screen opens.
- Select the accounts to assign to a GL account security code. Use Shift+Click or Ctrl+Click to select multiple accounts.
- Right-click and select Edit Multiple. The Edit Multiple GL Accounts screen opens.
- Check the GL account security code check box for the GL account security code you want to assign to the selected accounts. The name of the field is the description you entered in step 4 in the above section.
- Select the security code to assign to the selected accounts from the drop-down.
- Click OK.
If you are not using the GL account security codes for security purposes, you do not need to proceed with the remaining steps.
Determine the GL Account Security Code Behavior
After you have set up your GL account security codes and assigned them to the GL accounts, you need to configure the desired behavior for the security codes with the access privileges.
- Click the General Ledger Configuration link from the Main Menu. The General Ledger Configuration screen opens.
- Select the General tab.
- Expand the Advanced section.
- Select the desired behavior from the GL Security Code Restriction Mode drop-down:
- No value selected or All - A role/user must have access to all security codes enabled and attached to a GL account to view the account in inquiries and use the GL account in source transactions.
- ANY - Grants access if the role/user has access to any one of the security codes on the GL account. When selecting Any, a user has access to any account that has a security code to which he/she is granted access. If a user is not assigned to one of the GL Accounts by GL Security access privileges (see below section), the user is not restricted from other accounts that have security codes to which the user has access. When this is to Any and the user is assigned to All Details of the access privileges, this grants the user access to all GL accounts, regardless of the other GL Security privilege settings.
- Click OK.
Configure the Access Privilege(s)
To configure the GL account security code access privileges:
- Click the Access Privileges link from the Main Menu. The Access Privileges screen opens.
- Locate the Allow Access to GL Accounts By GL Security access privilege. There are three different access privileges: Allow Access to GL Accounts By GL Security (applies to security code #1), Allow Access to GL Accounts By GL Security #2 (applies to security code #2) and Allow Access to GL Accounts By GL Security #3 (applies to security code #3). You need to configure each of these with the access you desire.
- Select the access privilege.
- Right-click and select Edit. The Edit Access Privilege screen opens.
- Select the Access Privilege Details tab.
- Click the Manage button. The Assign Access Privileges screen opens.
- Select the role(s) and/or user(s) to assign to the access privilege in the Available section of the screen. Use Ctrl+Click or Shift+Click to select multiple roles and/or users.
- Click the single right arrow button to move the selected role(s) and/or user(s) to the Selected section of the screen.
- Click OK. You return to the Edit Access Privilege screen.
- Select the Access Privilege Details tab.
- Select the role/user to assign to a particular security code.
- Right-click and select Assign Details. The Assign Details screen opens.
- Select the code(s) which the role/user can access from the Available section. If the role/user needs access to all codes, select the Access to All Details (*ALL) option. Use Ctrl+Click or Shift+Click to select multiple security codes.
- Click the single right arrow button to move the selected code(s) to the Selected section of the screen.
- Click OK. You return to the Edit Access Privilege screen.
- Repeat steps 10-15 to assign the appropriate codes to each role/user.
- Once complete, click OK on the Edit Access Privilege screen.
- Repeat steps 2 - 17 for security code #2 and security code #3 if applicable.
GL Account Security Code Example
The most common scenario is using only GL Security Code #1 to prevent certain users from seeing GL Accounts assigned to a particular GL account security code. For example, if you only want some users to see the GL accounts related to payroll.
- Create the a Payroll GL account security code using the steps in Create the GL Security Account Codes.
- Create a General or All Users GL account security code using the steps in Create the GL Security Account Codes.
- Assign the Payroll GL account security code to the appropriate payroll GL accounts using the steps in Assign the GL Account Security Codes to GL Accounts.
- Assign the General or All Users GL account security code to all other GL accounts using the steps in Assign the GL Account Security Codes to GL Accounts.
- Configure the GL account security code behavior for Any using the steps in Determine the GL Account Security Code Behavior.
- Configure the access privileges (see below) using the steps in Configure the Access Privilege(s).
- Assign all users who should have full access to the privilege with a value of All Details. All Details is the default setting for a roles/user assigned to the privilege.
- Assign users who should have access to only the General or All Users GL account security code but not the Payroll accounts to the access privilege. Then use the Assign Details action to give them access only to the All Users GL account security code.
- If a user needs to have access to only GL accounts assigned to the Payroll GL account security code, then assign the user to the access privilege. Then use the Assign Details action to give the user access to only the Payroll Gl account security code.
Comments
6 comments
It is also worth mentioning that you should review the setting of Org Parm GL160:
This parameter is used to indicate when the behavior of the GL Security Code access privileges.
By default, a user must have access to all security codes enabled and attached to an account in order to view this account in inquiries and use the account in source transactions (e.g. purchasing). Leave the parameter blank if this is the desired behavior.
If the organization wishes to grant access to an account to a user that has access to ANY security code on the account, enter ANY in the alphanumeric value. When this value is entered, a user will have access to any account that has a security code to which they have been granted access. If a user is not assigned to one of the GL Security privileges, the user will NOT be restricted from other accounts that have security codes to which they do have access.
**NOTE: When this parameter is set to ANY and a user is assigned to all details of any of the security privileges, this will grant the user access to ALL general ledger accounts, regardless of the other GL Security privilege settings.
-1 upvotes
In the 'Allow Access to GL Accounts by GL Security' there is an option to select a 'View' checkbox. Can you please explain what restrictions are in place when a user/role only has View access turned on?
Thanks.
0 upvotes
Can you please advise what the phrase "Additional control allows users to be given view only access." means? I cannot find any information on the implications of setting someone's access to View only. What I was hoping for was that they can 'View' the GL Code in order to select for POs but they cannot approve POs to the account (unless there is another way to do that?)
0 upvotes
Hi Sean,
Apologies for never responding - I just saw these questions as I was doing some content review. I will get you these answers ASAP.
Thanks,
Maggie
0 upvotes
Hi Sean,
Using View Only will prevent a user from modifying budget values for the GL account but will allow them to view it. It doesn't have any impact in other areas of the system.
Thanks,
Maggie
0 upvotes
Thanks Maggie - not sure how this could be useful. Could I suggest that it also controls the approval of POs? (Eg, view/access the GL but not be able to 'transact' against it)
It is very common for people to be able to do the data entry of POs on behalf of others. In these cases we need to give them full GL access to many codes. Typically these same people can approve POs on a sub-set of GL accounts (therefore they have level 9 PO approval access). If we could allow them to code POs to the GLs but not have approval access to those GLs, then we can give them the task of entering the PO while delegating the approval to the true GL code owner.
Effectively they can use the GL but not post to it.
0 upvotes
Please sign in to leave a comment.