Security groups
This configuration also controls the security group values to which users can attach their documents and transactions. Security groups are unique and apply to a finance enterprise group.
Each type of security group and business group security is managed in the menu.
Security group types
These security group types can be configured to secure users to the associated data types:
- Security group types based on global ledger groups: These security groups are linked to existing groups that are managed in global ledger. These security groups filter lists in applicable modules based on the configured members of the associated global ledger group. For example, the accounting entity security group filters journal transactions in global ledger based on the accounting entities defined as members of the global ledger accounting entity group.
  - Accounting Entity Security Groups: Secure actors of this group to information specified by an accounting entity group that is defined in the finance enterprise group. Accounting entity groups define the accounting entities to which the actors are secured.
  - Company Security Groups: Secure actors of this group to information specified by a global ledger company group. Global ledger company groups define the global ledger companies to which the actors are secured.
  - Cash Code Security Groups: Secure actors of this group to information specified by a cash code group defined in the global ledger. Cash code groups define the cash codes to which the actors are secured.
  - Vendor Class Security Groups: Secure actors of this group to information specified by a vendor class group defined in the global ledger. Vendor class groups define the vendor class to which the actors are secured.
- Security groups based on dimension hierarchy: These security groups define levels of a hierarchical structure to which actors have access. Access is hierarchical and granted at the summary level; you cannot select a posting level. Granting access to a summary level of the hierarchy gives access to all child levels down to the posting level. These security groups ensure actors cannot create records with values representing objects to which they do not have access. For example, if an actor attempts to create a record and the form includes a project field, the project field does not display projects to which the actor does not have access. Additionally, if the actor attempts to manually specify the name of a project to which they do not have access, an error is displayed and the record cannot be saved. In some cases, these security groups also filter lists.
  - Accounting Unit Security Groups: Secure actors of this group to information related to one or more accounting units.
  - Finance Dimension Security Groups: Secure actors of this group to information related to one or more summary dimensions.
  - Project Security Groups: Secure actors of this group to information related to one or more projects.
  - Chart Account Security Groups: Secure actors of this group to information related to one or more summary chart accounts.
- Business group security: Security groups are not created for business groups. Vendor business groups and customer business groups are managed in global ledger, and then actors are added to a single vendor or customer business group in . Vendor and customer lists are filtered according to the business groups to which the actors are secured.
  - Vendor Business Group Security: Secure actors to one existing vendor business group in global ledger. In the Payables module, vendors are filtered by Vendor Group.
  - Customer Business Group Security: Secure actors to one existing customer business group in global ledger. In the Receivables module, customers are filtered by Customer Group.
Modules affected out of the box
Security rules are defined for all major business classes for all modules. In addition, for business classes that have global ledger company, accounting entity, finance dimension, accounting unit, chart account, project, cash code, or business group as a field, security rules are defined for these modules:
- Global Ledger
- Payables
- Asset Management
- Receivables
- Cash
Within the affected modules, security rules define how data is secured for users who are added to security groups.
- When creating records, selection lists for a field include only data elements to which the user has access. For example, if the creation form includes a field for a finance dimension, the list only displays summary dimensions to which the user has access.
- When a record is saved, an error is displayed if a value has been specified that the user cannot access. For example, if the user types the name of a project to which they do not have access, an error is displayed when they try to save the record.
- If a direct inquiry is made, for example, a display of global ledger totals, only records with accessible values are displayed. If a record includes a value to which the user does not have access, an accounting unit, for example, that record is not displayed.
  Note: If a record includes a field that is not required and is applicable to a security group, that record is displayed if the field is blank. For example, if a user does not have access to finance dimension 1, global ledger totals still displays records where that finance dimension is blank.
This table shows the modules with business classes that are secured by delivered security rules out of the box for each security group type. This table also shows a sample of the type of data secured by the security group within the module. If an actor has access to a module by role definition, you may also want to add them to security groups to further secure data in that module.
Security group type | Affected modules out of the box | Sample data secured |
---|---|---|
Accounting Entity Security Groups | Global Ledger | Journal transactions filtered by accounting entity. |
Accounting Unit Security Groups | Various | Forms to create records with accounting unit values secured. Applicable fields in these forms do not display restricted values and the user cannot save the record if they manually specify a restricted value. |
Finance Dimension Security Groups | Various | Forms to create records with values for the applicable finance dimension secured. Applicable fields in these forms do not display restricted values and the user cannot save the record if they manually specify a restricted value. |
Project Security Groups | Project Management | Forms to create records with project values secured. Applicable fields in these forms do not display restricted values and the user cannot save the record if they manually specify a restricted value. |
Chart Account Security Groups | Various | Forms to create records with chart of account values secured. Applicable fields in these forms do not display restricted values and the user cannot save the record if they manually specify a restricted value. |
Company Security Groups | Global Ledger, Payables, Receivables, Project Management, Asset Management, Purchasing, Billing, Supply Chain Management | Lists and forms for which company is a primary key are filtered by company. For example, invoices and purchase orders. |
Cash Code Security Groups | Cash Management | Cash codes filtered by cash code group. |
Vendor Business Group Security | Payables | Vendors filtered by Vendor Group. |
Vendor Class Security Groups | Payables | Vendors filtered by Vendor Class Group. |
Customer Business Group Security | Receivables | Customers filtered by Customer Group. |
For information about out-of-the-box security rules that secure application data based on configured security classes, see Delivered security rules.
Actor context definition in security groups and business group security
After security groups are created, you must link users to existing security groups and business groups using actor context records. Even if a security group exists for a data element, an actor can access all data until an actor context record has been created for them in the associated security group type. For example, if you create a security group for projects, a user can access all projects until they have been linked to a project security group with an actor context record. After an actor context record is created for an actor in a security group type, they can access only the data specified by the security group to which they belong. An actor can be secured into only one security group for each security group type. Determine the security group types that are applicable to each actor based on the modules to which they have access.
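The rules described above (summary-level grants covering child levels, blank optional fields, and unrestricted access until an actor context record exists) can be modeled in a short script. This is an added example, not product code or a product API; the hierarchy, group names, actors, and function names are all constructed for illustration.

```python
# Added illustration: a simplified model of the access rules described on this
# page. All names and sample data are constructed; this is not product code.

# Constructed dimension hierarchy: child -> parent (summary above posting levels).
PARENT = {
    "PROJ-100": "CAPITAL", "PROJ-200": "CAPITAL",
    "PROJ-300": "OPERATIONS", "CAPITAL": "ALL", "OPERATIONS": "ALL",
}

# Constructed security groups: group name -> summary levels granted.
PROJECT_GROUPS = {"CapitalProjects": {"CAPITAL"}}

# Constructed actor context records: actor -> {security group type: group}.
# One group per type per actor, as the page states.
ACTOR_CONTEXT = {"alice": {"project": "CapitalProjects"}, "bob": {}}

def can_access(actor, value, group_type="project", groups=PROJECT_GROUPS):
    """True if the actor may use `value` for the given security group type."""
    group = ACTOR_CONTEXT.get(actor, {}).get(group_type)
    if group is None:
        return True   # no actor context record: actor is not restricted
    if value is None:
        return True   # blank optional field: record is still displayed
    granted = groups[group]
    node = value
    while node is not None:   # walk up: a summary grant covers all children
        if node in granted:
            return True
        node = PARENT.get(node)
    return False

def visible_records(actor, records):
    """Filter a direct inquiry down to records with accessible values."""
    return [r for r in records if can_access(actor, r["project"])]

def save_record(actor, record):
    """Reject a save that names a value the actor cannot access."""
    if not can_access(actor, record["project"]):
        raise PermissionError(f"{actor} cannot use project {record['project']}")
    return record

def unrestricted_actors(group_type, actors_with_module_access):
    """Audit helper: actors who still see all data for this group type."""
    return sorted(a for a in actors_with_module_access
                  if group_type not in ACTOR_CONTEXT.get(a, {}))
```

The `unrestricted_actors` helper reflects the review an administrator would run after creating a security group: any actor with module access but no actor context record for that group type is still unrestricted.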