About account and subaccount security

The most common scenarios of managing the security of accounts and subaccounts are the following:

• Managing the visibility by branch:
  When your organisation consists of multiple branches (and you have created multiple branches in Visma.net ERP), you can configure the system so that it narrows the lists of accounts and subaccounts by branch on data entry forms.
  You can configure and use the restriction groups that include branches only if the Multi-branch support functionality is enabled in the Enable/disable functionalities (CS100000) window.
• Managing the visibility by user:
  If your organisation has sensitive general ledger accounts and subaccounts, you can provide the visibility of these objects to only a limited set of users.
  For performance reasons, visibility restrictions by user for subaccounts do not affect analytical (ARM) and window-based reports or general inquiries.
  This means that users who can view the reports and general inquiries that include subaccounts will see the full list of subaccounts.
• Managing the visibility of subaccounts by account:
  If you have subaccounts that users must use with only particular general ledger accounts, you can set up lists of available subaccounts for each general ledger account.
  
• Adding the needed objects to one restriction group to control visibility by multiple factors:
  For example: If you need to limit the users who use sensitive accounts, and only particular subaccounts must be used with these sensitive accounts, you can configure restriction groups to address this task.
  

If the By segment: all avail. segment values lookup mode is selected in the Segment keys (CS202000) window for the SUBACCOUNT segmented key (that is, if the users of your Visma.net ERP instance enter subaccounts by segments in windows), you manage the security of subaccount segments instead of entire subaccounts.
In this case, you need to add to a restriction group all subaccount segments that window a subaccount whose visibility should be restricted.

Cash accounts are one type of sensitive accounts that you may need to secure in the system.
The ways of managing the security of cash accounts differ from the ways of managing the security of general ledger accounts.
For more information, see:About the security of cash accounts.

If your organisation has users who have access to multiple branches, you can use restriction groups to narrow the lists of accounts and subaccounts on data entry forms by branch. With restriction groups set up in this way, users will make fewer mistakes when selecting accounts and subaccounts on data entry forms.

For example: Suppose that your organisation has two branches, the Headquarters office (HQ in the system) and the Regional sales office (RS).
The accounting department processes documents for both branches.
To configure the visibility restrictions of accounts and subaccounts by branch, you need to do the following:

1. You configure user roles for each branch (for example, Branch HQ and Branch RS) and assign both roles to the user accounts of the accountants.
   With the roles assigned, the accountants will see information for both branches in Visma.net ERP.
   For details, see: About security of organisation branches.
2. To configure the visibility of accounts within branches, you do the following in the General ledger accounts by branch access (GL103040) window:
   1. You create two restriction groups of type A (with direct restriction): the HQ Accounts group for the Headquarters office and the RS Accounts group for the Regional sales office.
   2. In the HQ Accounts group, you include the Headquarters branch (HQ) and the accounts that should be visible within the HQ branch.
   3. In the RS Accounts group, you include the Regional sales branch (RS) and the accounts specific to the RS branch.
3. To configure the visibility of subaccounts within branches, you do the following in the Subaccounts by branch access (GL103060) window:
   1. You create two restriction groups of type A (with direct restriction): the HQ subaccounts group for the Headquarters office and the RS subaccounts group for the Regional sales office.
   2. In the HQ subaccounts group, you include the HQ branch and the subaccounts that should be visible within this branch.
   3. In the RS subaccounts group, you include the RS branch and the subaccounts specific to this branch.

After you have configured restriction groups for accounts and branches, or subaccounts and branches, the system will narrow the lists of accounts or the list of subaccounts in data entry windows after a user selects a branch.
For example: Suppose that an accountant is adding an invoice in the Purchase invoices (AP301000) window and selects the HQ branch in the Branch column of the Document details tab.
In the Account column of the same tab, the accountant will see only accounts added to the HQ accounts restriction group.

Within branches, your organisation may have sensitive or confidential accounts and subaccounts which must be invisible for majority of users.
You can control the visibility of these accounts and subaccounts for users (that is, which users can view the accounts and subaccounts) by using restriction groups.

For example: Suppose that only a chief accountant of your organisation can work with the tax payable account.
To make this account visible to the chief accountant only, you need to do the following in the General ledger account access (GL104000) (GL104000) window:

1. You create a restriction group (for example, Access to VAT payable account) with direct restriction.
2. You add to the group the user account of the chief accountant.
3. You add to the group the tax account.

As another example, suppose that the subaccount for the financial department can be used only by accountants (and not by other users).
To make this subaccount visible to only accountants, you need to do the following in the General ledger account access (GL104000) window:

1. You create a restriction group (for example, Access to financial subaccount) with direct restriction.
2. You add to the group the user accounts of the accountants.
3. You add to the group the subaccount for the financial department.

You can specify which subaccounts can be used with only a particular account in windows in Visma.net ERP; thus, the specified subaccounts will appear for selection only if that account is selected. This limitation will help users to avoid errors when they select accounts and subaccounts in windows.

If you are using restriction groups to control the accounts and subaccounts that can be used together, you must create at least two groups and include all subaccounts in either of the groups.

For example, suppose that you need to restrict visibility of subaccounts for only one account.
To solve this task, you create two restriction groups.

In the first group with direct restriction, you include a general ledger account and the list of subaccounts that should be related to this account.
In the second group with inverse restriction, you include the same account and subaccounts that should not be displayed after users select this account.
As a result, when users select the account in a window, they will see only one of the subaccounts included in the first group.

For example: Suppose that the ELE-000 subaccount, which is used for electronics and computers, should be visible only after a user has selected the 12100 warehouse account, and the NSS-000 subaccount should be related to the 12200 warehouse account.
To restrict the visibility of the subaccounts by account, you should create the following restriction groups in the General ledger account access (GL104000) window:

1. Stock item subaccounts: In this group, you need to include the 12100 warehouse account and the ELE-000 subaccount.
2. Non-stock item subaccounts: To this group, you should add the 12200 warehouse account and the NSS-000 subaccount.

By using restriction groups, you can combine the functionality of the following scenarios:

• Managing the visibility of accounts to users
• Managing the visibility of subaccounts by account

To implement this functionality, you need to add users, accounts, and subaccounts (or subaccount segments) to the same group.
In this case, the visibility will be restricted as follows:

• Only users included in the restriction group will see the accounts and subaccounts added to the group.
• If a user included in the group selects an account in the group when processing a document, he or she will be able to select a subaccount from the list of only subaccounts added to the group.

For example: Suppose that the ELE-000 (electronics and computers) and FUR-000 (furniture) subaccounts should be visible only if a user has selected the 12100 warehouse account, and that only the warehouse workers User Y and User Z should work with these accounts and subaccounts. To restrict the visibility of the ELE-000 and FUR-000 subaccount by the 12100 account and to make the account and the subaccounts visible to only User Y and User Z, you should do the following in the General ledger account access (GL104000) window:

1. You create a restriction group (for example, Restriction of warehouse accounts).
2. You add to the group the 12100 warehouse account.
3. You add to the group the ELE-000 and FUR-000 subaccounts.
4. You add to the group User Y and User Z.

In the following table, you can find the list of windows that you can use to manage restriction groups with accounts, subaccounts, and subaccount segments, and tasks that you can resolve by using each window.

For information about how to add or remove objects from a restriction group, see: About operations with restriction groups.