9.2 Finance Security Guide
Purpose: Overview of security settings for Local Security Administrators, including security roles assigned to User Profiles and additional security setup for Finance staff to properly manage financial transactions in the FSCM pillar.
Audience: Finance Local Security Administrators
Role Required: ZZ Local Security Admin
Finance Security Guide
- What is Security
- What does ZC/ZD/ZZ mean
- User ID Creation/Basic User ID and Role Administration
- Finance Security Roles and related secondary security setup
- Other Areas of Responsibility
- IT Audits
- Working with Security Administrators on Campus
- Requesting Security Changes
WHAT IS SECURITY?
- Security controls access to pages/data
- Each User has a single User Profile
- Profiles are attached to one to many roles
- Roles have zero to many permission lists
- Permission list contain page access required to perform business processes
- Security roles should be business process based
- Roles should contain the access needed to perform the business process
- Sometimes they are bundled with several business processes that should be performed by the same type of individual
- Roles Should not be built based on Job Titles
- Security is a way of protecting PII (Personally Identifiable Information) data
- Users should have the least amount of security possible to do their jobs
- Security should be audited regularly Offboarding
- Job Changes
- Segregation of Duties
WHAT DOES ZC/ZZ/ZD MEAN?
- Latest Role Re-Design implemented Roles and Permission Lists that begin with ZC/ZZ/ZD.
- ZC roles contain Correct History Access and should be limited to higher level users that understand downstream impacts.
- ZZ roles grant update access to pages and processes without correct history.
- ZD roles are read only/inquiry roles that do not allow any updates.
USER ID CREATION
New User Ids are Created in HCM upon hire via the CIB_USRPFL process.
The User ID is created with a base set of roles from the User ID template, then syncs to the Finance pillar using the Integration Broker:
- CTC_UN_HCM
- EOPP_USER
- NA Payroll WH Form User
- PAPP_USER
- ZZ_EMPLOYEE
- ZZ PeopleSoft User
- The CTC_%_DISTR role is dynamically added based on Institution. This role gives access to the college tile in Portal. (i.e. CLK for Clark, OP for Olympic, etc)
User ID Administration - General Tab
Nav: PeopleTools> Security > User Profiles > Distributed User Profiles
- Always ensure the account is unlocked for new and current accounts
- Ensure the EMAIL ID is correct
- The Process profile should be set for users to CTC_PT_PRCSPRFL_STAFF
- Select your institutions row/primary permission lists on the user profile.
- Ensure the symbolic ID is set to SYSAMD1
User ID Administration - ID Tab
The ID Type should be Employee and the EMPLID in the Attribute Value box.
*The values should now default in upon creation.
User ID Administration - User Roles Tab
Add the Appropriate Security Roles; If they are a core user provide additional role access as appropriate.
For terminated users, update the users access first in HCM, so that base roles will sync.
Then ensure that for terminated users the following role set is left:
- EOPP_USER
- PAPP_USER
- NA Payroll WH Form User
- ZZ FORMER EMPLOYEE
- The CTC_%_DISTR role. This role will have to be manually added back based on Institution. This role gives access to the college tile in Portal. (i.e. CLK for Clark, OP for Olympic, etc) However it should sync from HCM as it should manually be added back there.
Please see the QRG’s FSCM Security: User Preference Definition in Finance and FSCM 9.2 All 'ZZ' Security Roles for more information.
Workflow Approval Roles in Finance
Transactions that are submitted for approval are routed to users who have been assigned the workflow approval roles. Approval roles, usually starting with “ZZ_AW” require that the Route Control be selected. If the route control is not selected when the role is assigned, then the user will not be included in workflow routing for their Business Unit.
In addition to the “ZZ_AW” approval roles, the following roles require a route control:
- ZZ_AW_BI_INV (AR Billing Approval)
- ZZ CC Budget Approval
- ZZ GL Journal Approval
- ZZ GL Jrnl Accountnt Approval
For example, the ZZ GL Journal Approval role is configured as part of that AWE’s User List ZZ_UL_AWE_APPROVAL that does require a route control for workflow:
Approval Roles that do not require a route control
The ZZ Requisition, Purchasing and Voucher Approval roles are not included in the AWE Process Setup User Lists for workflow routing; instead they provide menu path navigation and approval features.
- ZZ Requisition Approval
- ZZ Purchasing Approval
- ZZ Voucher Approval
- ZZ Treasury Approvals
- ZZ Expenses Approval
Expenses Approval does have an AWE (approval workflow engine), however the User List uses an Application Class, rather than a role that requires route control settings. The T&E workflow is managed using Approver Assignment tables and HR Supervisor data.
If a route control is assigned to a role that is not included in the AWE Process Setup/User Lists, then it is not necessary to remove it. The added route control will not affect workflow routing.
If a route control is not assigned to a role that is used for AWE routing, then the approval request will not route to the user as expected. An error step will occur and the approval request will either route to the AWE administrator or route to the next step (depending on how the AWE Process Setup is configured to handle errors).
The route control assigned for AWE related roles should be reviewed if the user is transferring from another ctcLink college. AWE related roles should be removed at the prior college (also removing the route control), then added at the current college with the updated route control.
User ID Administration - Workflow Tab
Ensure the routing Preferences boxes are selected for Worklist and Email User.
Alternate User ID settings have been replaced by the Delegation functionality.
If the ZZ Delegation role is assigned to college users, the employee can use the Employee Self Service>Delegation tile to reassign approval workflow tasks before going on leave.
Security Administration is more than assigning roles and maintaining the UserID. There are other areas in the application that Security Administrators may be responsible for depending on how your institution is organized.
Nav: Commitment Control, Define Budget Security, Assign Rule to User ID (ZZ CC Local Config role)
Nav: Commitment Control, Define Budget Security, Request Build (ZZ CC Budget Processing or ZZ CC Local Config)
There are four available rules:
- BUDG_DT_R Allows Users to override the budget date on transactions that error due to the budget date on a transaction
- BYPASS_R Allows a User to bypass budget checking entirely. (This function is reserved for occasions such as when a user needs to correct a suspense journal that was generated from within a source application like Purchasing and whose accounting entries have already been budget-checked.)
- NOTIFY Enables users to be notified by workflow when budget exceptions occur or when a specified percentage of the budget has been used.
- OVERRIDE_R Allows users to override budget checking exceptions for a new transaction or pass a transaction that has failed budget checking.
Please see the QRG 9.2 Budget Security for Commitment Control for more information.
The payment security functionality limits the list of prompt values for secured fields to only those that meet the defined security-rule criteria. The prompt values are determined based on the rule definitions that are assigned to a given user or role. For SBCTC it is the valid bank codes and bank accounts for each institution.
Nav: Financial Gateway > Security > Security User Assignment
Role needed: ZZ Treasury Local Config
PeopleSoft Grants supports user security, which enables you to limit access to specific PeopleSoft Grants proposals based on the user and department. This is based off a Tree (for SBCTC its ALL Depts currently).
Nav: Setup Financials Supply Chain> Security > Grants Security > Grants Operator Security
Role needed: ZZ Local Security Admin
Please see the QRG FSCM 9.2 Grants Security for a list of ZZ roles and the related additional security setup.
This setup must be completed prior to configuring the User Preferences>Procurement> Req Authorization and/or PO Authorizations.
Nav: Setup Financials Supply Chain, Product Related, Procurement Options, Purchasing, Requester Setup
Nav: Setup Financials Supply Chain, Product Related, Procurement Options, Purchasing, Buyer Setup.
Role needed: ZZ Local Security Admin and/or ZZ Purchasing Local Config
Requester Setup
- The Ship To/Location SetID should be the local college business unit i.e. WA220; PO Origin SetID will always be WACTC;
- Origin should be ONL
- Requisition Status: Open will save the requisition and not submit to workflow without an extra step; Pending Approval/Approved will submit the Requisition into workflow upon save if workflow is used;
- The Ship To and Location can be set here if they have defaults that they use all the time; Sometimes if they request for more than one dept, its best to leave that blank here.
Buyer Setup
- The Department/Ship To/Location SetID should be the local college business unit (ex: WA220); the PO Origin SetID will always be WACTC.
- Origin should be ONL
- Default PO Status: Open will save the purchase order and not submit to workflow without an extra step; Pending Approval/Approved will submit the purchase order into workflow upon save.
- The Department/Ship To and Location can be set here if they have defaults that they use all the time; Sometimes if they purchase for more than one dept, its best to leave that blank here.
Maintaining Department Approvers for Purchasing Workflow
Add the manager’s Employee ID in the Manager ID field.
Nav: Setup Financials Supply Chain, Common Definitions, Design Chartfield, Define Values, Chartfield Values, choose the Department link.
Role needed: ZZ GL Local Configuration
Please see the following QRG’s for more information:
Procurement Card Security
Nav: Purchasing>Procurement Cards>Security>Assign Access Rights to PCard
With increased role security, you can control the level of information that is accessed by users, manage the assignments of different procurement cards, as well as setup proxies and default accounting distributions.
- CC_ADMINISTRATOR
- CC_APPROVER
- CC_RECONCILER
- CC_REVIEWER
- CC_USER_PO
- CC_USER_REQ
Procurement Card Proxies
Nav: Purchasing, Procurement Cards, Security, Assign Proxies
Role needed: ZZ Purchasing Local Config role
The Assign Proxies screen can be used to assign the employee as a proxy (depending on their assigned CC role) to multiple cards at once.
The Requester Default box will only appear if the proxy user has also been setup as a requester using the requester setup page. And the Buyer Default will only appear if the proxy has been setup as a buyer on the buyer default page.
If the Requester or Buyer Default is checked, it will set the pcard as the default payment method for the user when new requisitions or purchase orders are created. It will also update the pcard as the default payment method in the user’s Requester or Buyer Setup screen.
Authorize Expense Users - Employee
There is a process that populates this, but for a critical hire that needs access prior to the batch run, it can be manually update. This allows an employee to enter expense transactions on behalf of themselves or other employees. This could be handled by the Expenses Administrator on your campus.
Nav: Travel And Expenses, Manage Expenses Security, Authorize Expense Users
Role needed: ZZ Expenses User Admin
Expenses - Profile
This is where default chartfield are configured for expense transactions, and also it is where the Supervisor ID defaults in for approvals. This could be handled by the Expenses Administrator on your campus.
Nav: Travel And Expenses, Manage Employee Information, Update Profile
Role needed: ZZ Expenses User Admin
Expenses – Approver Assignment
This is where approvers for Expenses are defined by approval level. This is probably handled by the Expenses Administrator on your campus.
Nav: Setup Financials Supply Chain, Product Related, Expenses, Management, Approval Setup, Approver Assignments
Role needed: ZZ Expenses Local Config
Input the GL Business Unit and Approver Profile:
The Approver Assignment table is used to assign approval authority by department.
Please see the QRG 9.2 Recommendations for On and Off Boarding Employees for Expenses for more information.
User Preferences - Overall Preferences Tab
Setting up the User Preferences is most always the Security Administrator’s Responsibility and is included in the Local Security Admin role.
Nav: Setup Financials Supply Chain, Common Definition, User Preferences, Define User Preferences.
The Business Unit should be set to the college Business Unit and the SetID will always be WACTC
User Preferences – Process Groups
There are several different Finance process groups. These enable various actions available on transactions under the Action menu.
An example is the VOUCHER process group; This enables a user to run processes directly on the voucher entry pages, such as budget checking, doc tolerance, etc. without having to wait on batch processing.
The example below provides the user access to mass cancel AP payments and run Payment Post.
This example shows the process groups needed for unmatching AP vouchers.
User Preferences: Asset Management
Date Default Values
- Accounting Date - Supply a default date on which the transaction is distributed to the general ledger. The accounting date is validated against the open periods that are established in the Asset Management in the FIN_OPEN_PERIOD table to determine in which period the system posts.
The difference between the transaction date and the accounting date determines whether any prior period depreciation must be calculated. For example, suppose that a computer was acquired and placed in service on March 15, 2006 but was not entered in Asset Management until August 1, 2006. All general ledger periods prior to August are closed. In this case, Asset Management automatically calculates depreciation starting in March and posts it to the general ledger in August.
- Transaction Date: Supply a default date for asset transactions or leave this field blank to use the system date.
Auto-Run Transaction Loader
- Asset Management Integration: Select to add transactions from Maintenance Management to the transaction loader process (AMIF1000).
- Impairment/Revaluation Process: Select to always run impairment and revaluation processing when running the transaction loader process.
- Asset Retirement Obligations: Select this option to enable automatic always run Asset Retirement Obligation transaction processing when you click the Generate ARC button from either the ARO Measurement page or from the ARO Measurement in Mass Process Parameters page when running the transaction loader process (AMIF1000).
Edit Options for Interface Transactions
- Edit Review AP/PO Information: Select the options for this user for editing the Review AP/PO Information component. The available options are:
- All: Select this option to allow user to make edits to the following entries; Load Status, Asset ID, Dates Only fields and Operation Asset Details fields.
- Dates Only: Select this option to allow user to make edits to Load Status, Accounting Date and Transaction Date.
- Operational Asset Details: This is the default option. Select this option to allow user edits to asset operational fields only.
- None: Select this option to allow edits to only the Load Status.
- Edit Review Transactions Info: Select the options for this user for editing the Review Transactions component. The available options are:
- All: Select this option to allow user to make edits to the following entries; Load Status, Auto Approval Status, Dates Only fields, Operation Asset Details fields and most fields in the Distribution and Cost Information section.
- Dates Only: Select this option to allow user to make edits to Load Status, Auto Approval Status, Acquisition Date, In-Service Date, Accounting Date and Transaction Date.
- Operational Asset Details: Select this option to allow user edits to asset operational fields only.
- None: This is the default option. Select this option to allow edits to only the Load Status and the Auto Approval Status.
- Edit Unitization Information:
- Select All to allow user edits to all fields except for Interface ID and Interface Line Number.
- Select Operational Asset Details to allow user edits to asset operational fields only. Users granted this edit option cannot edit transaction amounts or distribution details.
- Select None to restrict user edits to all fields.
- Edit Consolidation Information: Use this field to manage user editing privileges of the asset consolidation details on the Consolidate -TO Asset page.
- Select All to allow user edits to all fields except for Interface ID and Interface Line Number.
- Select Operational Asset Details to allow user edits to asset operational fields only. Users granted this edit option cannot edit transaction amounts or distribution details.
- Select None to restrict user edits to all fields.
To Default Distribution Only: Select this option to consolidate interface lines with different chartfield to a single chartfield distribution. If you do not select this option, interface lines with different chartfield will be consolidated into a single asset ID with multiple chartfield distributions.
Property Pagelets
Business Unit - Select the business unit. This user will then have access to property assets from within the selected business unit.
Space Unit of Measure - Select the default unit of measure to access when a user is working with space allocations. The available options are:
- Acres
- Feet
- Hectares
- Meters
Property Class - Select the property class to be commonly used by default for this user ID when he or she is working with property assets. The available options are:
- Area
- Building
- Floor
- Site
- Space
Asset Tracking Options
Business Unit - Select a default business unit to use with the Scan Asset, Scan by Location, and Find Asset pages: The business unit you select here will appear in the search criteria for the Scan Asset and Find Asset pages.
For the Scan by Location page, the business unit you select here controls the scan location prompt values.
User Preferences – General Ledger
- For the Source leave it blank so it doesn’t limit the types of journals you can work on.
- Always check the Use Next Journal ID
- Until the issue with sub-journals is resolved, users will need the Change Journals from Journal Generator checked.
- If users need to post journals select that box.
- The Ledger/Ledger Group and Commitment control ledger groups are just defaulting so if you only enter journals for a specific ledger you can populate it here and it defaults to the transaction. If you enter for multiple, leave it blank.
General Ledger - Journal Entry Options
- Change Date on Correction Journals: Select to change the journal date in the corrections journal (which is on the Journal Suspense Correction page).
- Use Next Journal ID: Select to limit this user ID to the NEXT journal ID that is automatically entered by the system during online journal entry. If this option is selected, the Journal ID field becomes unavailable to this user ID, and the user cannot manually enter a journal ID.
- Change Journals from Journal Generator: Select to allow a specific user to update the ChartFieldand amounts on the Journal Entry page for a journal that was created by the Journal Generator process.
- Enter Adjustment Type Journal: Select to allow a specific user to enter a Book Code adjustment type journal.
- Note: This option is used for the Book Code feature, not the Adjusting Entry feature.
- Save Journal Incomplete Status: When you select this option for a specific user and the user adds a new journal, the selected option appears on the Journal Header page of various journal entry options. This option enables the user to save journal entry transactions with an incomplete status and prevents them from being edited or posted until they are complete.
- Allow GL Entry Event Bypass: Select to enable the user to bypass selecting entry events in PeopleSoft General Ledger journal entry, even if they are required on the Installation Options -Entry Event page.
- Allow Copy Journal with Control Accounts: Select to allow journals that contain Control Accounts to be copied. This applies to online or batch journal copy.
- Allow Delete Journal with Control Accounts: Select to allow journals that contain Control Accounts to be deleted. This applies to online or batch journal delete.
- Allow UnpostJournal with Control Accounts: Select to allow journals that contain Control Accounts to be unposted.
- Enter Date Code Adjustments: Select to enable a user to enter date code adjustments for journal entries. The Date Code is displayed on journal lines only for users with the Enter Date Code Adjustments check box selected.
- Enabled Online Journal Post: Select this check box to indicate that the user can select the Post Journal option from the Process field on the Journal Entry -Lines Page.
- Update Amortization Journal ChartFieldValues: Select to enable a user to update ChartFieldvalues on the Amortization Journal Stage Journal Page and the Journal Entry page for the actual amortization journals created.
General Ledger Online Journal Edit Defaults
- Re-Edit Previously Edited: Select to reedit journals marked as valid. When this option is deselected, valid journals are not edited again when you run Journal Edit from the Journal Entry page by clicking the Edit button.
- Mark Journal(s) to Post: Select to mark valid journals with a process request status of Post. If this option is not selected, it prevents batch journals from being marked to post.
- To approve journal entries using PeopleSoft Workflow, you should deselect this option.
- RecalcCurrency Exchange Rates: Select to reprocess foreign currency conversion at the journal line level.
General Ledger - Journal Post Defaults
- Skip Open Item Reconciliation: Select to bypass open items for a specific user ID during the online journal post process, allowing the user to reconcile the open items at a later time by using the Open Item Maintenance page.
- Skip Summary Ledger Update: Select to bypass summary ledger updates for a specific user ID during the online journal post process.
- Skip Essbase Incremental Load: Select to bypass the Essbase Incremental Load for a specific user ID during the online journal post process.
General Ledger Budget Post Options
- Skip Entry Event Processing: Select to enable a specific user to post the budget that is associated with a journal entry or allocation without generating entry events through the Entry Event Processor. This may occur when an error occurs in a transaction; however, the entry event processing is correct.
- Parent Budget Generation: Select to enable a specific user to generate parent budget impacts when posting child budget journals. This option determines how the Generate Parent Budget(s) option on the Commitment Control -Budget Journals -Enter Budget Journals -Budget Header page acts.
- Available options are:
- Always Generate: Select this option to always generate parent budget impacts. When this option is selected, the Generate Parent Budget(s) option on the Budget Header page is also selected and the field is unavailable and cannot be changed.
- Never Generate: Select this option to not generate parent budget impacts. When you select this option, the Generate Parent Budget(s) option on the Budget Header page is deselected and the field is unavailable and cannot be changed.
- User Specified: Select this option to choose whether to generate parent budget impacts for each budget journal. When you select this option, the Generate Parent Budget(s) option on the Budget Header page is available for you to choose.
Please see the QRG 9.2 Setting General Ledger User Preferences for more information.
User Preferences – Paycycle
Server File Destination specifies the destination of bank files.
Email ID is linked to the pay cycle criteria for an ACH pay cycle and is used to send out notifications. It can be set to a group email such as [email protected] or an individual email, however only ONE user in the system can be tied to this user preference.
User Preferences>Paycycle example:
Payment Selection Criteria at: Accounts Payable > Payments > Pay Cycle Processing
User Preferences – Receivables Data Entry 1
Default Business Units: Used to define the default group unit, deposit unit, and address that is associated with a user.
- Group Unit and Deposit Unit : Enter values that become the user's default values for business units. Although the user can override these default values, you can minimize data entry by entering the user's most frequently used business unit. The system uses the group unit and deposit unit as the default business unit for online pending groups, deposits, and worksheets.
- Use the address fields to store addresses for follow-up letters. The address information that you enter on this page is not validated against any table.
User Preferences – Receivables Data Entry 2
Payment Worksheet - Used to specify write-off tolerances and discount tolerances.
- Discount Tolerance Percent and Discount Tolerance: Enter the percent and amount to use to calculate the discount tolerance. These tolerances enable the user to enter an unearned discount amount that is less than or equal to the value that you enter. Enter the additional percentage that the user can add to the payment terms.
For example, if an item is 700.00 and the discount terms are 2 percent for 10/Net30, the normal discount would be 14.00. If you enter 10 in the percent field, the user can take up to an additional 10 percent of the discount amount, which is 1.40. The total discount would be 15.40. However, the total discount can never be more than the value in the amount field.
- Write-Off Percent Under, Underpayment Write-Off, Write-Off Percent Over and Overpayment Write-Off: Enter the percent and amount that define the maximum write-off for underpayments and overpayments. These values apply only to write-offs (such as Entry Types WAU and WAO). These values do not apply to adjustments or deductions associated with overpayments or underpayments (these are not write-offs). The user can enter a write-off amount as long as the amount does not exceed the specified write-off percentage of the payment.
- Item Write-Off: Enter the highest amount that this user can write off when the user writes off an amount for an individual item on a payment worksheet.
Maintenance Worksheet
- Max Write-Off (maximum write-off): Enter the maximum amount that the user can write off for either an individual item or for the remaining balance for a normal group or match group. The user can write off an amount below the maximum amount as long as it does not exceed the percentage of the original amount for the item. For example, if you enter an amount of 25.00, the user can write off amounts up to 25.00. However, if you enter a maximum write-off percentage of 10 percent, and the total original amount of an item is 240.00, the user cannot write off more than 24.00. For no limit, enter all 9s.
- Max Refund (maximum refund): Enter the maximum refund amount that a user can create.
- Write-off Days: Enter the minimum age of an item before a user can write it off on the maintenance worksheet. For no limit, enter 0.
- Max WO Percent (maximum write-off percent): Enter the maximum percentage of an item that this user can write off. For no limit, enter 100.
- Override Write off Tolerance: Select to enable the user to write off items or amounts that do not meet the write-off tolerances that are defined for the business unit, customer, or entry reason as long as the write-off meets the user's write-off tolerances. If the user's write-off action exceeds the tolerances in the business unit, customer, or entry reason levels, the system issues only a warning.
User Preferences – Procurement
- For the Location/Origin/Dept/Ship To location: these are defaults that will default to transactions. You can leave them blank if you purchase for more than one dept/location.
- Requester: Enter the name of the person whom this user will be authorized to enter requisitions. So if this user enters requisitions, put their user id here; Requester Setup has to be completed first.
- Buyer: Enter the name of the buyer for whom this user will be authorized to enter POs. Buyer setup has to be completed first.
User Preferences – Contract Process
Contract Process: Used to define contract process preferences by specifying the default contract status and authorized actions for a user.
- Contract Status: Select the status at which you want this user to open contracts. When the user creates a contract, the status appears by default based on the value you select.
- Approve Contracts: Select to provide the user the authority to approve procurement contracts.
- Enter Contracts/New Version: Select to provide the user the authority to create contracts and new contract versions.
- Hold Contracts: Select to provide the user the authority to place procurement contracts on hold.
- Close Contracts: Select to provide the user the authority to close procurement contracts.
- Cancel Contract: Select to provide the user the authority to cancel procurement contracts.
- Allow PO Contract Releases (allow purchase order contract releases): Select to provide the user the authority to release purchase order contracts.
- Allow AP Contract Releases (allow accounts payable contract releases): Select to provide the user the authority to release accounts payable contracts.
Default Display
- Process Option: Select a contract process option that you want to set up as default for the user. Contract process options enable you to determine a specific contract process for use throughout the contract's life cycle. You can use other process options, but the value you choose here defaults on the Contract Entry page (for the selected user).
- Values include:
- AP (Recurring Voucher)
- BRO (Release to Single PO Only)
- DST (Distributor)
- GN (General Contract)
- GRPM (Group Multi Supplier)
- GRPS (Group Single Supplier)
- MFG (Manufacturer)
- PADV (Prepaid Voucher with Advance PO)
- PO (Purchase Order)
- PPAY (Prepaid Voucher)
- RPOV (Recurring PO Voucher)
- SPP (Special Purpose)
- Contract Style: Select a contract style that you want to set up as the default style for this user. You can use other contract styles, but the value you choose here defaults on the Contract Entry page.
- Header Information
- Contract Control
- Voucher Options
- Amount Summary
- Order Options
- Item Lines
- Category Lines
- PO Information:
Select a group box option that you want to apply for this user. The value you select controls how the group box initially appears on the Contract page. Valid values for the group boxes are:
- Collapsed: Select to collapse (hide) the group box when the user initially accesses the Contract page.
- Open: Select to expand (open) the group box when he user initially accesses the Contract page.
User Preferences – Payables Online Vouchering
Default Values
- Origin: Such as ONL: Select the voucher origin for this user. The system tags all vouchers that are entered by this user with this origin, and uses the processing settings for this origin when it processes the voucher.
Operator Voucher Attributes:
- Pay Unmatched Vouchers and Pay Unmatch Amt (pay unmatched amount): Select Pay Unmatched Vouchers to give users the authority to pay vouchers that have not been matched up to the maximum amount that is specified in the Pay Unmatch Amt field. Authorized users must select the Pay Unmatched Voucher check box on the Voucher Attributes page in the Voucher component (VCHR_EXPRESS) for the system to select the voucher during the Pay Cycle Application Engine process (AP_APY2015).
Note: If you select the Pay Unmatched Voucher option, vouchers with the following match statuses (MATCH_STATUS_VCHR) are available for payment: T (ready), E (exception), D (dispute), O (overridden), and C (credit note). If you do not select the Pay Unmatched Voucher option, only vouchers with the match status of M (matched) or N (no match) are available for payment.
- Copy Matched and Closed PO (copy matched and closed purchase orders): Select to enable the user to copy matched and closed PO’s.
Note: If this option is selected for your user preferences and you create a voucher that references a PO that has a matched line (because an earlier voucher also referenced the PO) and an unmatched line, then when you copy the PO to the voucher, the matched PO line copies with both the amount and the quantity at zero.
- Override Accounting Date Edit: Select to enable the user to override the accounting date edit option on the Procurement Control-General Controls page.
- Security for Voucher Styles: Click to access the Voucher Styles page, where you can define the user authority for each of the voucher styles by selecting the appropriate check boxes.
Online Voucher Processing
- Do Not Check Voucher Amount and Check Voucher Amount: Select one of these options to determine whether the system performs an edit during online voucher entry against the voucher gross amount. Voucher build will also perform an edit against the voucher gross amount based on the selected option.
- Entry Limit: If you selected Check Voucher Amount, specify the voucher entry limit amount for this user. When you specify the entry limit, you must also specify its currency and a rate type.
- Prepay Limit: If this user has the authority to prepay vouchers, you can specify a maximum amount for each prepayment that the user can enter. You must also specify a currency and a rate type for the prepayment.
- Currency: Specify a currency for the entry limit or prepay limit amount.
- Rate Type: Specify a rate type for conversion to the transaction currency that is entered on the voucher.
- Enter Vouchers Only in Groups: Select to enable the user to enter only vouchers that are attached to a control group ID as defined on the Control Group Information page.
- Post Vouchers: Select to enable the user to post approved vouchers.
- Manually Schedule Payments: Select to enable the user to schedule payments manually, overriding the system's automatic payment scheduling. If you do not select this option, the user is unable to modify any of the scheduled payment information on the Voucher -Payments page.
- Authority to Override Match: Select to enable the user to override the match status of a voucher. If the voucher requires matching, the user has the authority to change the voucher match status to Not Applicable.
In addition, if the Matching Application Engine process (AP_MATCH) has been run but the process encountered match exceptions or errors, the user can override the match exceptions. When the exceptions are overridden, the user can rerun the Matching process; the Matching process updates the voucher match status to Matched.
- Record Payment: Select to enable the user to manually record payments for a voucher. When this option is deselected, the user is unable to specify Record as a payment action on the Payments page of the Voucher component.
- Override Withhold Calculation: Select to enable the user to override the timing of the withholding calculation on the Withholding page of the Voucher component. Withholding calculation can be at payment time or voucher posting time based on the withholding entity setting.
- Req. Valid Chart Field Combo's (require valid ChartField combinations): Select this check box for the system to automatically validate ChartField combinations on Quick Invoice vouchers. If the ChartField combination is invalid, the system prevents the user from saving the voucher.
- Require Balanced Invoice: Select this check box for the system to automatically perform balancing algorithms on Quick Invoice vouchers. If the vouchers are out of balance, the system prevents the user from saving the voucher.
User Preferences – Receiver/RTV Setup
Unit
- Override Non-Qualified Receipts for close: Select to enable the user to force close Non-Qualified receipts.
- Change Non-PO Receipt Price (change non-purchase order receipt price): Select to enable the user to change the receipt price for an item on a non-purchase order receipt.
- Interface Receipt: Select to automate the passing of inventory and asset information through the Receiver Interface Push process (PO_RECVPUSH).
- Run Close Short: Select to call the Close Short Process (PO_CLSSHORT) automatically during the Receiver Interface Push processing (PO_RECVPUSH).
- Subcontract Streamline: Select this check box if you want the Subcontract Streamline check box to appear selected by default for a subcontracted purchase order receipt for this user. The user will be able to override this field setting for a subcontracted purchase order receipt. The system determines whether to perform subcontract streamlining (purchase order receipt and production completion for the production ID in a single step) from the receipt. Streamline processing for subcontract RTVs enables you to process RTVs if completions have been performed on the associated receipt. The system includes negative production completion and production scrap for operations being returned against the subcontract. If this check box is deselected, the Subcontract Streamline check box will appear deselected for a subcontracted purchase order receipt for this user. The user will not be able to change this field setting for the subcontracted purchase order receipt. That is, this assumes subcontract streamlining is not enabled for this user.
- Blind Receiving Only: Select to prevent the receiver from seeing the order quantity or the remaining quantity from the purchase order. The receiver needs to count the items before entering the quantity received. When you select this check box, the No Order Qty, Ordered Qty, and PO Remaining Qty check boxes are deselected.
- No Order Qty (no order quantity): Select to prevent the receiver from seeing the purchase order quantity. The receiver must specify the actual quantity that is received by doing a live count of the items.
- Ordered Qty (ordered quantity): Select to use the purchase order quantity as the default quantity received.
- PO Remaining Qty (purchase order remaining quantity): Select to use the remaining quantity (original order quantity minus previously received quantities) on the purchase order as the default quantity received.
- Receiving Business Unit: Select the user's default receiving business unit. This business unit can be overridden during the receiving process so that you can receive goods into any valid Purchasing business unit.
- Days +/-Today: Enter the number of days plus or minus the current system date to be used as default search criteria on receiving pages when you are selecting purchase order schedules against which to receive.
- RTV Dispatch Option (return to vendor dispatch option): Select the dispatch method as this user's preference for the return to vendor functionality. This functionality provides a default value for dispatching the RTV to the Supplier.
- RTV dispatch option values include:
- Default to Business Unit: Select to use the dispatch option that is defined at the business-unit level. You define the business unit RTV dispatch option value using the Business Unit Options tab on the Purchasing Definition page. When processing RTV options, the system initially checks the user preference and then the business unit when you select the Default to Business Unit option.
- Manual: Select to indicate that the Dispatch processing for the RTV must be performed manually.
- Often collaboration must take place between procurement personnel and another group before an RTV line can be dispatched. For example, you might have to verify the disposition of goods with warehouse personnel before dispatching the RTV.
- RTV Inventory Ship Option (return to vendor inventory ship option): Select the return to vendor ship option that you want to use as this user's default value for the Inventory Process field on the RTV line. This option will only be used by the RTV function when the disposition on the RTV line has a value of Ship. The system determines the ship option default value by first checking the user preference ship option value. If the user preference value is Manual, Express, or Fulfillment then the system uses the value as the default value. If the user preference value is Default to Business Unit, the system uses the ship option value defined at the business-unit level.
- RTV Inventory ship option values are:
- Default to Business Unit: Select to use the inventory ship option that is defined at the business-unit level.
- Express: Select to use the RTV express option to process Purchasing and Inventory data collection transactions at the same time. This means that the user can perform Inventory issue (automatic issue) action from within the Purchasing RTV component. If the RTV line disposition is Ship, the system creates a material stock request with a status of Shipped to update inventory.
- Fulfillment: Select to set the user's preference to perform Inventory fulfillment processing for RTV transactions. This enables the user to create an Inventory material stock request transaction and to process it through Inventory fulfillment processing. The Fulfillment value is only valid for RTV processing when RTV line disposition is Ship.
- Manual: Select to indicate that the RTV ship transaction must be completed manually. This option requires that the inventory Express Issue function be used to ship the items to the supplier. When you use the Manual Inventory Ship option, the system does not perform RTV express functions. The user must use the Inventory Express Issue component to issue inventory returns that are being shipped to the vendor.
- RTV Inventory Destroy Option (return to vendor inventory destroy option): Select the return to vendor destroy option that you want to use as this user's default value for the Inventory Process field on the RTV line. This option is only used by the RTV function when the disposition on the RTV line has a value of Destroy. The system determines the destroy option default value first by checking the user preference destroy option. If the user preference value is Manual or Express then the system uses that default value. If the user preference value is Default to Business Unit, the system uses destroy option defined at the business-unit level.
- RTV Inventory destroy option values are:
- Default to Business Unit: Select to use the inventory destroy option setting at the business-unit level.
- Express: Select to use the RTV express option to process Purchasing and Inventory data collection transactions at the same time. This means that the user can perform Inventory adjustment (automatic adjustment) actions from within the Purchasing RTV component.
- Manual: Select to indicate that the RTV destroy transaction must be completed manually. This option requires that the Inventory Adjustment function be used to update inventory for the items being returned to the vendor.
User Preferences – Requisition Authorizations
Allowed Requisition Actions
- Can Work Approved Reqs (can work approved requisitions): Select to enable a user to change a requisition that has already been approved.
- Full Auth for All Requesters (full authority for all requesters): Select to give the user authority to add, update, cancel, delete, and close requisitions for all requesters. If you select this option, you don't need to configure the rest of this page.
- Override Preferred Vendor: Select to enable a user to change the default vendor on a requisition line. If this authority is not selected, the user is unable to manually suggest a vendor.
- Override RFQ Required Rule Flag: Select to enable a user to override the RFQ Required Rule option that was previously specified for a requisition in the requisition component.
- View/Override VAT Details (view or override value-added tax details): Select to view and override VAT details within the requisition component.
- Override Non-Qualified Requisitions for Close: Select to enable a user to close requisitions that are nonqualified for close.
- Can Send Approval Reminder: Select to enable a user to send reminders to pending approvers of requisitions.
Requesters User Authorization
- Requesters User Auth For (requesters user authority for): Requesters for whom this user can work requisitions. Select the requester that you want to designate as the user's default requester by selecting the check box to the left of the requester's name.
- Add, Update, Cancel, Delete, Close, and Reopen: Select to enable the user to add, update, cancel, delete, close, and reopen requisitions for this requester.
User Preferences – Purchase Order Authorizations
Allowed Purchase Order Actions
- Can Work Approved POs (can work approved purchase orders): Select to enable a user to change a purchase order that has already been approved or dispatched.
- Can Dispatch Un-Approved POs: Select to enable a user to dispatch purchase orders with a status of pending approval.
- Full Authority for All Buyers: Select to give the user authority to add, update, cancel, delete, and close purchase orders for all buyers. If you select this option, you don't need to configure the rest of the page.
- Override Non-Qualified POs for Close: Select to enable a user to close purchase orders that are nonqualified for close.
- Rebate ID Security Control: Select the vendor rebate agreement security control option for purchase orders. Options are:
- Hidden: Vendor rebate agreement fields are hidden from this user when he or she is maintaining purchase orders.
- Update: Vendor rebate agreement fields can be updated by this user when he or she is maintaining purchase orders.
- View Only: Vendor rebate agreement fields are only able to be viewed by this user when he or she is maintaining purchase orders.
- Can Send Approval Reminder: Select to enable a user to send reminders to pending approvers of purchase orders.
Buyers User Authorization
- Buyers User Authorized For: Select the buyers for whom this user can enter purchase orders.
- Add, Update, Cancel, Delete, Close, and Reopen Select to enable the user to add, update, cancel, delete, close, and reopen requisitions for this buyer.
User Preferences – Supplier Processing Authority
Supplier Processing Authority: For users needing to Enter Suppliers, select the Authority to Enter and the Bottom Supplier Audit is automatically Checked.
These two are the only valid options for the institutions as the Authority to Approve or Inactivate is for SBCTC use only.
User Preferences – Doc Tolerance Authorizations
Document Tolerance Exceptions Override Authority
- Override Purchase Order to Requisition Exceptions: Enables you to override document tolerance exceptions that are generated when an encumbrance exceeds the pre-encumbrance during document tolerance checking.
- Override Voucher to Purchase Order Exceptions: Enables you to override document tolerance exceptions that are generated when an expenditure exceeds the encumbrance during document tolerance checking.
Copying User Preference Definition Settings from One User to Another
Here's a tool that allows us to use the Launchpad tool to copy User Preference Definition settings from one user to another. The CTC custom Launchpad tool had been updated. The Copy User Preferences Setup Security component has changed, and the Launch Security Matrix and Launch Permission ListRole Builder components have been removed:
9.2 FSCM Security - Using Launchpad to Copy User Preference Definition Settings
IT AUDITS
Why are Audits Important?
- Decreases Risk Associated with IT
- Enhances Internal Control Environment
- Improves Internal Operations
- Identifies Potential Vulnerabilities
- Areas we will focus on today
- New User Access
- Current User Access
- Terminated User Access
- Segregation of Duties
- Tools
NEW USER ACCESS
- Document procedures and follow them.
- Always document the request, gain approvals, and save.
- Be able to show that what was requested was granted.
- Never accept phone calls as a form of authorization.
- Store for auditors.
- Ensure access is appropriate and limited to only what they need.
CURRENT USER ACCESS
- Periodically review current user’s access, at least twice a year.
- This is really recertification of user access.
- If job duties change, so should their access in the application.
- Document the changes, gain authorization.
- Ensure no segregation of duties issues are in place.
TERMINATED USER ACCESS
This should be handled on demand as users terminate but at least weekly.
Review Terminated users and confirm with HR that they are in fact terminated.
Coordinate with Security Administrator in HCM if Different to update roles to match the offboarding recommendations. QRG: 9.2 Offboarding - Security Procedure
SEGREGATION OF DUTIES
Segregation of duties is the concept of having more than one person required to complete a task. It is an administrative control to prevent fraud, theft misuse of information, or other security compromises.
For example, the person responsible for adding a vendor, should not be able to approve the vendor. You don’t want someone entering a vendor, and vouchering against that vendor, and running a paycycle for example.
Typically, whoever enters the transaction should not be the one approving it.
When onboarding a new hire, it is critical to consider any segregation of duties issues while assigning roles.
It is also critical to review Segregation of duties issues twice a year for audit purposes as well.
QFS_SEC_SEGREGATION_OF_DUTIES query is available to use:
TOOLS
Security Queries
QFS_SEC_ROLE_NAVIGATION_ACCESS: Displays user friendly menu navigation by Role and Page Access
QFS_SEC_OPR_DEF_TBL_FS_OPRCLS: Displays the OPRCLASS by the Business Unit for Users in OPR_DEF_TBL_FS
QFS_SEC_USER_EMAIL_RTE_CNTRL: Displays the user’s roles and associated route controls
BI publisher report: BFS_SEC_OPDF
Reporting Tools > BI Publisher > Query Report Scheduler
This report can be used by colleges to capture the finance operator defaults & other module-based security assigned to a user in the business unit. It can also be used for recertifying user access.
It includes User Preferences data and user data sources from the OPR_DEF_TBL, AM, AP, AR, BI, CA, FS, GL, OM, OB, OBT, OLE, PM, RTM, and VND tables. Data is also included for assignments to Process Groups, Pay cycles, Department Manager, P-Card Proxies, Buyer, Requestor, Treasury Payments, Vendors, Commitment Control rules, and Grants. The report also displays the prompted employee’s job information, HR status, operator profile settings, job code description, and all roles assigned to the user in the finance pillar.
User Preference Report
Nav: Setup Financials Supply Chain, Common Definitions, User Preferences, User Preferences Report
Role needed: ZZ Local Security Admin
Security Report (Commitment Control)
Nav: Commitment Control, Define Budget Security, Security Report
Role needed: ZZ CC Local Config or ZZ CC Budget Reports
WORKING WITH SECURITY ADMINS
- Provide as Much information as possible
- Navigation to Access Needed
- Functional description of Business Process
- Screen Shots of Errors
- Employee ID of users with Issues
- If it is a random issue, try to provide timings if available
- Remember least access needed to do a job is critical; do not give more security than needed, it is an audit issue
REQUESTING CHANGES TO SECURITY
There are times where roles may have too much access/not enough access, or are mislabeled, etc. SBCTC has a process for New Role Requests or Role Modification Requests:
Submit a service desk ticket to the Security Team by pillar.
SBCTC will review the request and log it in our change tracking system, then will gain functional approval and CMB approval before it goes through development and testing cycles.
0 Comments
Add your comment