Visma Net
About account and subaccount security
In Visma Net, you can control which users will use particular general ledger accounts and subaccounts.
To configure the security of general ledger accounts and subaccounts, you can use a
combination of user roles and restriction groups.
By using user roles, you can
configure the access of users to branches and to all branch-specific accounts
and subaccounts.
With restriction groups, you can set up the visibility of particular accounts and subaccounts within branches and for certain users, and you can limit the use of subaccounts with particular accounts.
Most common scenarios with accounts and subaccounts
In this topic, you will read about using restriction groups and branch-specific
roles to configure and manage the security of accounts and subaccounts.
The sections below describe in detail the most common scenarios of managing the security of accounts and subaccounts. These are:
- Managing the visibility by branch
- Managing the visibility by user
- Managing the visibility of subaccounts by account
- Adding the needed objects to one restriction group to control visibility by multiple factors
Managing the visibility by branch
When your organisation consists of multiple branches (and you have created multiple branches in Visma Net), you can configure the system so that it narrows the lists of accounts and subaccounts by branch on data entry forms.
You can configure and use the restriction groups that include branches only if the Multi-branch support functionality is enabled in the Enable/disable functionalities (CS100000) window.
SCENARIO
Suppose that your organisation has two branches, the Headquarters office (HQ in the system) and the Regional sales office (RS). The accounting department processes documents for both branches.
The following table explains how to configure the visibility restrictions of accounts and subaccounts by branch.
| STEP | ACTION |
|---|---|
| 1 | Configure user roles for each branch (for example, Branch HQ and Branch RS). |
| 2 |
Assign both roles to the user accounts of the accountants. Result: The accountants will see information
for both branches in Visma Net. |
| 3 |
In the General ledger accounts by branch access (GL103040) window:
|
| 4 |
In the Subaccounts by branch access (GL103060) window:
|
| 5 | Result: The system will narrow the lists of accounts or the list of subaccounts in data entry windows after a user selects a branch. |
Resulting visibility
Suppose that an accountant is adding an invoice in the Purchase invoices (AP301000) window and selects the
HQ branch in the Branch column of the
Document details tab.
The accountant will
only see accounts added to the HQ accounts restriction group.
Managing the visibility by user
If your organisation has sensitive general ledger accounts and subaccounts, you can provide the visibility of these objects to only a limited set of users.
For performance reasons, visibility restrictions by user for subaccounts do not affect analytical (ARM) and window-based reports or general inquiries. This means that users who can view the reports and general inquiries that include subaccounts will see the full list of subaccounts.
SCENARIO 1
Suppose that only a chief accountant of your organisation can work
with the tax payable account.
The following table explains how to make this account visible only to the chief
accountant.
| STEP | ACTION |
|---|---|
| 1 | Go to the General ledger account access (GL104000) window. |
| 2 |
Create a restriction group (for example, Access to VAT payable account) with direct restriction. |
| 3 | Add the user account of the chief accountant to the group. |
| 4 | Add the tax account to the group. |
SCENARIO 2
Suppose that the subaccount for the financial department can
be used only by accountants (and not by other users).
The following table explains how to make this subaccount
visible only to accountants.
| STEP | ACTION |
|---|---|
| 1 | Go to the General ledger account access (GL104000) window. |
| 2 | Create a restriction group (for example, Access to financial subaccount) with direct restriction. |
| 3 | Add the user accounts of the accountants to the group. |
| 4 | Add the subaccount for the financial department to the group. |
Managing the visibility of subaccounts by account
You can specify which subaccounts can be used with only a particular account in windows in Visma Net. This means that only the specified subaccounts will appear for selection if that account is selected. This limitation will help users to avoid errors when they select accounts and subaccounts in windows.
If you are using restriction groups to control the accounts and subaccounts that can be used together, you must create at least two groups and include all subaccounts in either of the groups.
SCENARIO
Suppose that you need to restrict visibility of subaccounts for only one account.
The following table explains how to solve this task.
| STEP | ACTION |
|---|---|
| 1 | Create two restriction groups. |
| 2 | In the first group with direct restriction, include a general ledger account and the list of subaccounts that should be related to this account. |
| 3 | In the second group with inverse restriction, include the same account and subaccounts that should not be displayed after users select this account. |
| 4 | Result: When users select the account in a window, they will see only one of the subaccounts included in the first group. |
PRACTICAL EXAMPLE
Suppose that the ELE-000 subaccount, which is used for electronics and computers, should be visible only after a user has selected the 12100 warehouse account, and the NSS-000 subaccount should be related to the 12200 warehouse account.
The following table explains how to restrict the visibility of the subaccounts by account in this particular case.
| STEP | ACTION |
|---|---|
| 1 | Go to the General ledger account access (GL104000) window. |
| 2 | Create the restriction group Stock item subaccounts and include the 12100 warehouse account and the ELE-000 subaccount. |
| 3 | Create the restriction group Non-stock item subaccounts and include the 12200 warehouse account and the NSS-000 subaccount. |
Visibility of accounts, subaccounts, and users
If you need to limit the users who use sensitive accounts, and only particular subaccounts must be used with these sensitive accounts, you can configure restriction groups to address this task.
To implement this functionality, you need to add users, accounts, and subaccounts
(or subaccount segments) to the same group.
SCENARIO
Suppose that the ELE-000 (electronics and computers) and FUR-000 (furniture) subaccounts should be visible only if a user has selected the 12100 warehouse account, and that only the warehouse workers User Y and User Z should work with these accounts and subaccounts.
The following table explains how to restrict the visibility in this case.
| STEP | ACTION |
|---|---|
| 1 |
Go to the General ledger account access (GL104000) window. |
| 2 |
Create a restriction group, for example Restriction of warehouse accounts. |
| 3 |
Add the 12100 warehouse account to the group. |
| 4 |
Add the ELE-000 and FUR-000 subaccounts to the group. |
| 5 |
Add User Y and User Z to the group. |
| 6 | Result: User Y and User Z will only be able to select subaccounts ELE-000 and FUR-000 in combination with warehouse account 12100 when processing a document. |
Subaccount segment values
If the By segment: all avail. segment values lookup mode is selected in the Segment keys (CS202000) window for the SUBACCOUNT segmented key (that is, if the users of your Visma Net instance enter subaccounts by segments in windows), you manage the security of subaccount segments instead of entire subaccounts.
In this case, you need to add all subaccount segments, that form a subaccount whose visibility should be restricted, to a restriction group.
Cash account security
Cash accounts are one type of sensitive accounts that you may need to secure in the system.
The ways of managing the security of cash accounts differ from the ways of managing the security of general ledger accounts. For more information, see:About the security of cash accounts.
Windows for account and subaccount security
In the following table, you can find the list of windows that you can use to manage restriction groups with accounts, subaccounts, and subaccount segments, and tasks that you can resolve by using each window.
| Task | Window |
|---|---|
| To initially configure the visibility of accounts and subaccounts (or subaccount segments) to users. | General ledger account access (GL104000) |
| To initially configure the visibility of accounts by branches. | General ledger accounts by branch access (GL103040) |
| To initially configure the visibility of subaccounts (or subaccount segments) by branches. | Subaccounts by branch access (GL103060) |
| To change the visibility of an account in multiple restriction groups. | Restriction groups by general ledger account (GL104020) |
| To change the visibility of a subaccount in multiple restriction groups. | Restriction groups by subaccount (GL104030) |
| To change the visibility of a subaccount segment in multiple restriction groups. | Restriction groups by sub segment (GL104040) |
| To change the visibility of system objects by a user in multiple restriction groups. | Restriction groups by user (SM201035) |
| To change the visibility of system objects by a branch in multiple restriction groups. | Restriction groups by branch (GL103020) |
For information about how to add or remove objects from a restriction group, see: About operations with restriction groups.
