About General Ledger Security
G/L Security is a feature of General Ledger that lets you limit the accounts that individual users can view or work with to minimize the risk of unauthorized activity.
With G/L Security, you can:
- Assign account access rights to individual users to control which accounts they can view and work with.
- Block off entire account segments or only the most sensitive accounts (for example, Payroll, Sales, Retained Earnings, Common Stock and Preferred Stock).
Default Account Access
You select the option to use G/L Security and set a default level of access to accounts using the Account tab of the G/L Options screen.
You can set the default account access as follows:
- All
Accounts. Allows all Sage 300 ERP users unrestricted
access to General Ledger accounts unless you set up restrictions in the
G/L Account Permissions screen.
Note: You do not require permission for all accounts to perform periodic maintenance functions, such as deleting inactive accounts. However, occasionally, you may find that you cannot edit or delete a structure code, segment, or source code because it is used by an account that you cannot see. In this case, a user with access to all accounts must modify the accounts that use the code or segment you are trying to delete.
-
No Accounts. Prevents all Sage 300 ERP users except user ADMIN from seeing accounts and account data in General Ledger and subledger applications unless you grant individual access rights to accounts in the G/L Account Permissions window.
If you choose No Accounts, other Sage 300 ERP users cannot enter Accounts Receivable invoices or post transactions unless you assign them permissions.
Granting Permissions to Specific Users
When you turn on G/L Security, the next time you sign into the company database, an Account Permissions icon appears in the G/L Accounts folder that lets you assign access rights to accounts.
You assign access depending on your security needs. For example, you can set up identical access rights for all Sage 300 ERP users within a department, division, or business unit that restrict access to accounts outside that group. For maximum security, you can block your entire chart of accounts to all Sage 300 ERP users except the ADMIN user.
You can test the effects of the G/L security options you select by logging on to Sage 300 ERP as a user other than ADMIN and checking which accounts are visible in the General Ledger Chart of Accounts window.
If you selected No Accounts, you will not see any account numbers in the Finder or in the Chart of Accounts screen.
G/L Security and Rollup Accounts
If you are using G/L Security and want to create rollup accounts, you must have access rights to view all member accounts of the rollup account in order to view the rolled up balances in the higher level account.
If a roll up account is accessible under the user’s security rights, all of its member accounts are also assumed to be accessible.
How Access Restrictions Affect Sage 300 ERP Users
Account access restrictions affect Sage 300 ERP user activities in the following ways:
- Account lookup and inquiry.
Users cannot look up restricted account numbers in Finders or perform account
inquiries in General Ledger.
If users enter restricted account numbers into fields, they will see an error message stating that the specified account does not exist in the General Ledger.
- Adding new accounts. Users cannot add new accounts that fall within a restricted segment range.
- Posting and other batch-related activities.
Posting is limited to batches that do not contain restricted accounts.
Users cannot view a batch that contains transactions with restricted account
numbers. The batch will not appear in batch list windows.
Even if the user has Journal Posting rights, they cannot post batches if G/L Security has been set to No Accounts.
- Invoice entry. Users cannot enter invoices for restricted accounts in Purchase Orders or Accounts Receivable.
- Importing and exporting account data. Users cannot import and export data for restricted accounts.
- Report generation. Restricted account ranges do not appear in financial reports created using Financial Reporter.
Security for Accounts that Use Blank Segments
If you use a mix of account structures in your chart of accounts, you need to consider how the program handles accounts that do not contain all the segments you use in your system.
If an account number does not include a particular segment, say division, the program considers this segment blank. Unless you specifically restrict blank values for the division segment, the segment will be allowed.
For the sample company, SAMLTD, account 1000 contains only the account segment. If you do not restrict blank division and region segments and the account segment 1000 is allowed, account 1000 will be visible.
To allow accounts that include division 100 - but restrict those that do not contain the division segment - you would set account permissions as follows:
-
If the default access set on the G/L Options screen is All Accounts:
Allow Segment From To No Division ZZZ Yes Division 100 100 All division segments with a blank value are restricted.
-
If the default access is No Accounts:
Allow Segment From To Yes Account ZZZZ Yes Region ZZ Yes Division 100 100 No Division Note: The order of permissions for the division segment is important.