Financials – General

    Data Access by Legal Entity instead of Business Unit (Answered)
    Topic posted November 7, 2019 by Matt Nease, tagged Financials, Receivables, Security, Setup / Administration
    Summary:
    How to assign data access to users by Legal Entity using custom Database Resource
    Content:

    A client has a requirement for billing managers to manage receivables activities by Legal Entity. Currently we have set up custom job roles that use Data Security Policies driven by Business Unit. However, there are multiple LEs per BU, and the customer wants to restrict by LE, not BU.

    I know under 'Security Console > Administration > General > Manage Database Resources' you can create a custom Database Resource, which is clear. However, FUN_USER_ROLE_DATA_ASGNMNTS does not have a Legal Entity column, so you seemingly cannot assign Legal Entities to users via 'Manage Data Access for Users', so I don't know what to do with the custom Database Resource. Is there another way to assign potentially multiple Legal Entities to a user other than 'Manage Data Access for Users' (or derive it somehow), that I could then use as a Condition SQL Predicate in a custom Database Resource? A billing clerk could handle 2 or more LEs, so I don't think it can be derived from their HR record.

    Best Comment

    Julien Dubouis

    Hi,
    AR is not optimized to work in a one BU/multiple LE setup context. You can't segregate data based on an LE in subledgers; you have to use the grants on business units in the data security policies. The only way to make sure some users only see some LEs and not all is to have distinct ledgers for each LE. Even a one BU per LE would not work, as it is only a default link; nothing prevents you from changing the default LE and creating an invoice for another LE. The multiple LE per ledger approach can only be used in the case of a shared service center where every user could potentially work on every LE.
     

    Comment

     

    • Helle Hennings

      Hi Matt,

      In My Oracle Support there's a white paper which may help you address some of the business needs, refer to:

      Implement Enhanced Data Segregation for ERP (limit LOV of employees by Legal Employer)  – refer to MOS Doc note: 2324377.1
       
      Regards,
       
      Helle
    • Matt Nease

      Helle, thanks for the suggestion.

      This use case is a bit different, as it's not based on the Legal Employer assigned to an employee. We are assigning BU data access to employees, but then want them to only create AR invoices for certain (not all) LEs that align with that BU. I think if this is possible, it would have to be via a custom Database Resource defined in the Security Console. However, documentation on how to do this is pretty light and the various ways I've attempted haven't worked so far.

    • Madhu Chalamalasetty

      Hi Matt,

      Have you tried any of the following Database Resources?

      HR_LEGAL_ENTITIES

      VRM_LEGAL_ENTITIES_V

      Even if you figure this out, how will you be able to grant access in the Data access set, as the access is only by BU? I don't see any Legal Entity.

      Maybe once you have defined the custom database resource, you may be able to define something in the "Data Security Policies" section of the role.

      You may want to raise an SR to get the final confirmation.

       

      Thanks,

      Madhu.

      • Matt Nease

        Madhu, we ended up scrapping this, one reason being you can't assign LE data access via a security context. Also the client wanted to segregate the creation versus the completion of an AR transaction, which I don't think is possible (i.e. one privilege for this).  
