Skip to content

Security Handling in IFS Finance

Company Security in IFS Finance is handled by two different levels of security:

  • Company Security
  • Row Level Security

The main purpose of the Company Security is to make sure that the end user only has access to company data according to the settings for the user, i.e. a user should only be able to access information in authorized companies.

The Row Level Security is an advanced code string specific access filter on ledger transactions.

Use this page when you want to know how to implement company related security.

Concepts

Company Security

Company Security is an access filer that ensure that an user that is not an user within a given financial company will not be able to:

  1. Access any data that shows financial balances and transactions, such as invoices, vouchers, fixed assets transactions, payments etc.
  2. Add, Remove or Modify any basic data. An exception is the company information in the Enterprise module, since a company in this module is not considered as a financial company.

Row Level Security

The Row Level Security for IFS Finance is an advanced access filter, based on the code string, that is applied on the accounting balances and transactions in General Ledger and Internal Ledger. The Row Level Security adds the possible to, on code string level, control what balance and transaction rows an end user is allowed to see.

Company Security Interfaces

This section explains what interfaces to use when implementing the basic company security within the application code (views and PL/SQL-packages).

Company Security in Views

When implementing the basic company security for a view with company data that needs to have company security, the following statement should be added in the WHERE clause

WHERE EXISTS (SELECT 1   
              FROM USER_FINANCE_AUTH_PUB C  
              WHERE C.COMPANY = <VIEW_SOURCE_ALIAS>.COMPANY)  

One example:

CREATE OR REPLACE VIEW SOME_VIEW AS   
   SELECT *   
   FROM SOME_TABLE S  
   WHERE EXISTS ( SELECT 1   
                  FROM COMPANY_FINANCE_AUTH_PUB C  
                  WHERE C.COMPANY = S.COMPANY)  


The WHERE clause will ensure that a user accessing the view SOME_VIEW, will only be allowed to access data in financial companies in which the user is an authorized user.

Earlier implementation of company security utilized the following view that should be considered as deprecated:

View Name
COMPANY_FINANCE_AUTH_PUB
COMPANY_FINANCE_AUTH
COMPANY_FINANCE_AUTH1

Company Security in Business Logic

When company access needs to be checked and validated in the business logic then one of the following methods should be used:

  • User_Finance_API.Exist
  • User_Finance_API.Exist_Current_User

If the user does not have access to the company an error will be raised

PROCEDURE Exist (  
   company_ IN VARCHAR2,  
   userid_  IN VARCHAR2 );

The Exist method has the following parameters:

Parameter Description
company The company for which access should be checked
userid The identity of the user for which the access should be checked

Example of usage:

User_Finance_API.Exist('10', Fnd_Session_API.Get_Fnd_User);

In this example Fnd_Session_API.Get_Fnd_User is used to get the identity of the user that is currently running the code.

PROCEDURE Exist_Current_User (  
   company_ IN VARCHAR2);

The Exist_Current_User method is a simplified version of the Exist method and it checks if the current user id authorized to the company. It has the following parameters:

Parameter Description
company The company for which access should be checked

Example of usage:

User_Finance_API.Exist_Current_User('10');

When company access needs to be checked in the business logic, without raising an error if the current user does not have access to the company, one of the following methods should be used:

  • User_Finance_API.Is_User_Authorized
  • User_Finance_API.Is_Allowed
FUNCTION Is_Authorized (  
   company_ IN VARCHAR2) RETURN BOOLEAN;

The Is_Authorized method has the following parameters:

Parameter Description
company The company for which access should be checked

Example of usage:

IF (User_Finance_API.Is_Authorized('10')) THEN  
   <code when user have access to the company>;  
ELSE  
   <code when user does not have access to the company>;  
END IF;
FUNCTION Is_Allowed (  
   company_ IN VARCHAR2) RETURN VARCHAR2;

The Is_Allowed method does the same thing but instead returns a Varchar2 with the values (TRUE/FALSE). It has the following parameters:

Parameter Description
company The company for which access should be checked

Example of usage:

IF (User_Finance_API.Is_Allowed('10') = 'TRUE') THEN  
   <code when user have access to the company>;  
ELSE  
   <code when user does not have access to the company>;  
END IF;

Row Level Security Interfaces

For some of the components within IFS Finance, row level security is applied.

The row level security filter should be applied on views displaying balances and transactions within General Ledger and Internal Ledger.

Row Level Security in General Ledger Views

The following WHERE clause should be applied to a view in General Ledger in order to apply Row Level Security:

'TRUE' = (SELECT Authorize_Comb_Finance_API.Is_Allowed(<alias>.company, <alias>.posting_combination_id) FROM dual)

<alias> is the alias of the data source containing the transactions to be filtered. The data source must have columns that contain company and posting_combination_id.

Row Level Security in Business Logic in General Ledger

There are two methods that could be used to check if the current user is allowed to see a code string within the company. Both methods will return a string value, either TRUE or FALSE

FUNCTION Is_Allowed (  
   company_                IN VARCHAR2,  
   posting_combination_id_ IN NUMBER ) RETURN VARCHAR2;
Parameter Description
company The company for which access should be checked
posting_combination_id Unique id representing a code string
FUNCTION Is_Allowed_Codestring (  
   company_                IN VARCHAR2,  
   code_a_                 IN VARCHAR2,  
   code_b_                 IN VARCHAR2,  
   code_c_                 IN VARCHAR2,  
   code_d_                 IN VARCHAR2,  
   code_e_                 IN VARCHAR2,  
   code_f_                 IN VARCHAR2,  
   code_g_                 IN VARCHAR2,  
   code_h_                 IN VARCHAR2,  
   code_i_                 IN VARCHAR2,  
   code_j_                 IN VARCHAR2) RETURN VARCHAR2;
Parameter Description
company The company for which access should be checked
code_a Value of code part A (account)
code_b Value of code part B
code_c Value of code part C
code_d Value of code part D
code_e Value of code part E
code_f Value of code part F
code_g Value of code part G
code_h Value of code part H
code_i Value of code part I
code_j Value of code part J

Row Level Security in Internal Ledger Views

The following WHERE clause should be applied to a view in Internal Ledger in order to apply Row Level Security:

TRUE' = (SELECT Int_Led_Auth_Comb_Finance_API.Is_Allowed(<alias>.company, <alias>.ledger_id, <alias>.posting_combination_id) FROM dual)

<alias> is the alias of the data source containing the transactions to be filtered. The data source must have columns that contain company, ledger_id and posting_combination_id.

Row Level Security in Business Logic in Internal Ledger

There is one method that could be used to check if the current user is allowed to see a code string within a given company and ledger. The method will return a string value, either TRUE or FALSE

FUNCTION Is_Allowed (  
   company_                IN VARCHAR2,  
   ledger_id_              IN VARCHAR2,  
   posting_combination_id_ IN NUMBER ) RETURN VARCHAR2;
Parameter Description
company The company for which access should be checked
ledger_id The identity of the internal ledger that should be checked
posting_combination_id Unique id representing a code string