Accounting Dimensions Security

This document explains how security on accounting dimensions works in 'Accounting Identity. Open' (CRS630) and how to enable it by defining authorization in 'Accounting Dim. Define Authorization' (CRS638).

Overview

When a user class is set up in (CRS638), it determines the basic options and related options that the users have access to in (CRS630). Authorization is controlled for updating, deleting, creating, and copying, as well as using any of the related options on transactions per dimension, user class, and division. No authorization can be defined for related option 5=‘Display’, as this is always allowed. When using the copy option, authorization is checked against the combination of division and dimension that the transaction is copied to. This means that a user can copy from any division/dimension without authorization but must be authorized in the division/dimension that it is copied to.

The user classes are defined in 'User Class. Open' (MNS415) and a user can be included in one or more user classes in 'Users per User Class. Connect' (MNS416). If connected to more than one user class, the user is granted authorization for all those user classes.

For example, a user is connected to both user class A and B. Both user classes are defined in (CRS638):
  • The user is authorized to create in user class A
  • The user is authorized to create in user class B.

In this example, the user can create and change in the division and dimension where the user classes are defined.

Note: You can specify a ‘valid from date’ and ‘valid to date’ for users in (MNS416). These are blank by default, but if the from date and to date are specified, users only have the authorization defined for the user class within the specified dates.

Status

A user class can be in either status 10=‘Preliminary’ or status 20=‘Active’. Status 20=‘Active’ verifies access authorization for an accounting dimension in (CRS630), so that only users included in user classes connected to the accounting dimension have permission to maintain it. We strongly recommend that you use status 10=‘Preliminary’ whilst defining rules for authorization.

Note: A user class defined for a central (blank) division activates access authorization in all local divisions as well as in the central (blank) division for the specific dimension.

Authorization

Different authorization can be defined for a user class for different accounting dimensions. This means that users connected to the user class can have different authorizations for different accounting dimensions.

Different authorization can be defined for a user class for different divisions. This means that users connected to one user class could have authorization to maintain accounting identities defined for division ‘AAA’ only, whereas users connected to a different user class could have authorization to maintain accounting identities for division ‘BBB’ only. If setup exists for a user class in (CRS638) both for division ‘blank’, and for division ‘AAA’, users connected to that user class have authorization to maintain accounting identities both when logged on as a central user in division ‘blank’, and when logged on to division ‘AAA’. When logged on to division ‘AAA’, the user has the combined authorization as defined both for ‘blank division’ and division ‘AAA’.

Example

  • User classes ‘FINANCE-001’, ‘FINANCE-002’, ‘SALES-AAA’, and ‘SALES-BBB’ have been defined in (MNS415). The users working in the Finance department have all been connected to user class ‘FINANCE-002’ in (MNS416). The person who is mainly responsible for the chart of accounts has also been connected to user class ‘FINANCE-001’. The users working in the Sales department have been connected to either user class ‘SALES-AAA’ or user class ‘SALES-BBB’ in (MNS416), depending on the division that they are working in (AAA or BBB).
  • Users in the Finance department should have authorization to maintain accounting identities in (CRS630), for all accounting dimensions 1-7, and for all divisions. There is, however, only one user who is authorized to use option 4=‘Delete’ in (CRS630), for accounting dimension 1, used for accounts.
  • Users in the Sales department should only have authorization to maintain accounting identities in (CRS630) for accounting dimension 3, used for following up on ‘Product groups’. The product groups are defined per division in (CRS630), and the users in the Sales department are only allowed to maintain product groups for their own division.
  • Users not working in the Finance or Sales departments should not have authorization to do any maintenance of accounting identities in (CRS630) but should still be allowed to use option 5=‘Display’ in (CRS630). That authorization is granted to all users, regardless of whether or not they are connected to a user class defined in (CRS638).

This table shows the setup required in (CRS638) to accomplish the authorization control in (CRS630):

Division  Dimension  User class   Authorization
(blank)   1          FINANCE-001  Option 4
(blank)   1          FINANCE-002  Options 1, 2, 3, 11, 12, 13, 14
(blank)   2          FINANCE-002  Options 1, 2, 3, 4, 11, 12, 13, 14
(blank)   3          FINANCE-002  Options 1, 2, 3, 4, 11, 12, 13, 14
(blank)   4          FINANCE-002  Options 1, 2, 3, 4, 11, 12, 13, 14
(blank)   5          FINANCE-002  Options 1, 2, 3, 4, 11, 12, 13, 14
(blank)   6          FINANCE-002  Options 1, 2, 3, 4, 11, 12, 13, 14
(blank)   7          FINANCE-002  Options 1, 2, 3, 4, 11, 12, 13, 14
AAA       3          SALES-AAA    Options 1, 2, 3, 4, 11
BBB       3          SALES-BBB    Options 1, 2, 3, 4, 11
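
The rules described above (union across user classes, blank-division rules applying in every division, validity dates, display always allowed, copy checked against the target) can be modelled as a small evaluator over the example table. This is an added illustration, not M3 code: the user names, the function names, the use of 3 as the copy option, and the treatment of a dimension with no active rule as unrestricted are assumptions.

```python
from datetime import date

DISPLAY, COPY = 5, 3  # 5='Display' per the page; 3 as the copy option is an assumption
FIN = {1, 2, 3, 11, 12, 13, 14}
SALES = {1, 2, 3, 4, 11}

# (division, dimension, user class) -> (status, options); "" is the central (blank) division.
RULES = {("", 1, "FINANCE-001"): (20, {4}),
         ("", 1, "FINANCE-002"): (20, FIN),
         ("AAA", 3, "SALES-AAA"): (20, SALES),
         ("BBB", 3, "SALES-BBB"): (20, SALES)}
RULES.update({("", dim, "FINANCE-002"): (20, FIN | {4}) for dim in range(2, 8)})

# Constructed users: user -> [(user class, valid from, valid to)]; None is a blank date.
MEMBERS = {
    "chief_acct": [("FINANCE-001", None, None), ("FINANCE-002", None, None)],
    "fin_clerk": [("FINANCE-002", None, None)],
    "sales_a": [("SALES-AAA", date(2024, 1, 1), date(2024, 12, 31))],
    "warehouse": [],
}

def classes_on(user, day):
    """User classes whose validity window covers the given day."""
    return {uc for uc, start, end in MEMBERS.get(user, [])
            if (start is None or start <= day) and (end is None or day <= end)}

def is_authorized(user, option, division, dimension, day, rules=RULES):
    if option == DISPLAY:
        return True  # display is always allowed, no rule needed
    # Rules for the blank division also apply in every local division.
    active = {key: opts for key, (status, opts) in rules.items()
              if key[1] == dimension and key[0] in ("", division) and status == 20}
    if not active:
        return True  # assumption: no active rule means the check is not switched on
    mine = classes_on(user, day)
    granted = set().union(*(opts for (_, _, uc), opts in active.items() if uc in mine))
    return option in granted

def can_copy(user, src, dst, day):
    """src and dst are (division, dimension); only the target is checked."""
    return is_authorized(user, COPY, dst[0], dst[1], day)
```

Running a matrix of users, divisions and options through such a model before switching a user class from 10 to 20 shows who would lose or gain access, including the side effect that a blank-division rule closes the dimension in every local division.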

Follow these steps

  1. Create a user class in 'User Class. Open' (MNS415).
  2. Connect users to the user class in 'Users per User Class. Connect' (MNS416).
  3. Create a user class in 'Accounting Dim. Define Authorization' (CRS638) where the user class name corresponds to the user class created in (MNS415). Specify the division and dimension for the user class.
  4. Select the basic and related options that users connected to the user class will be authorized for.
  5. The status of the user class defaults to 10='Preliminary'. Functionality takes effect once the status is changed to 20='Active'.