1. OBJECTIVE AND SCOPE

1.1 Objective of this Procedure

The purpose of this document is to describe the process for managing user access in the BFC tool and for executing the Internal Controls related to user management.

 


1.2 Scope

This procedure applies to the BFC Administration team.

 


2. REFERENCE DOCUMENTS


3. DEFINITIONS

BFC - Business Financial Consolidation (Solvay's Group Consolidation Tool).

BFC-Admin - BFC Administration Team (Team in charge of the administration of BFC).

GAR - Group Accounting Reporting Team.

HR - Human Resources.

GUDSIS - The Human Resources tool that has the information about all employees of Solvay Group.

IS Adagio - The team responsible for updating the Active Directory (AD) Group list.



4. SUMMARY


4.1 Principle and Context

User access must be created and kept aligned with the user's role, so that the user can either enter the necessary information in the packages or validate the information that has been entered, according to the user's responsibility.

There are internal controls related to the user management process to ensure that the database is up to date; that is, to ensure that users have rights according to their role, that users who have left the Group have their BFC account disabled, and that inactive users have their account temporarily deactivated.

 


4.2 Responsibility

The BFC-Admin team is responsible for managing user access in BFC, which includes:

  • Create or update an access.
  • Request approval from the Consolidation Manager when the user needs sensitive rights.
  • Request to add the user to the Active Directory.
  • Validate the HR information.
  • Execute the Internal Controls.

The SLA (Service Level Agreement) for requests to create or update a user in BFC is:

  • Closing Period: 1 hour.
  • Outside Closing Period: 1 day.


4.3 Overview

Requests to create a new user or to update the profile of a user are made through the BFC-Admin mailbox.

The updates can be:

  • To change the rights (Functional Profile or Data Access Group).
  • To reactivate a user.
  • To deactivate a user.

The information necessary to create a user in BFC is:

  • First name and Last Name.
  • The Solvay network user.
  • The e-mail address of the user.
  • The rights that the user needs (Region; Companies; enter or just view data, etc.), or a reference user whose rights can be copied.

 


The following flowchart describes the process to create a user in BFC.

 


The management of the users in BFC is done in the Security module within the Administration domain.

This module is used to manage:

  • Users.
  • Owner groups.
  • Functional profiles.
  • Data access groups.


4.3.1 Overview - Owner Group

The Owner Group is an attribute used to group users by Region, Site, Team, etc.

The following table describes the definitions of the main Owner Groups, according to the responsibility of the users.

(Columns: Position, Access type, BFC Owner Group)

1. SBS - RTR

  • Front Office
    • Country Accounting Manager (CAM) - Access type: Limited access by Countries of entities under SBS responsibility - BFC Owner Group: RTR-FO-<country>
    • General Ledger Manager (GL) - Access type: Limited access by Region (EMEA - APAC - LAM - NAM) of entities under SBS responsibility
    • Process Expert (PE) - Access type: Access to all entities of the Group
  • Service Center (SC)
    • Country teams - Access type: Limited access by Region (EMEA - APAC - LAM - NAM) of entities under SBS responsibility - BFC Owner Group: RTR-BO-BANGK, RTR-BO-LISBO, RTR-BO-CURIT
    • Transversal teams - Access type: Access to all entities of the Group under SBS responsibility

2. Accountant

  • Local
    • Accountant (Non SBS entities) - Access type: Limited access by Entities under their responsibility - BFC Owner Group: LOC-ACC

3. Controllers

  • Business
    • Controllers - Business - Access type: Limited access by Business - BFC Owner Group: CONTR-BU-<business>
  • Site/Entity
    • Controllers - Entity - Access type: Limited access by Entities (or Group of entities) - BFC Owner Group: CONTR-ENT

4. Auditors

  • Internal
    • Internal auditor - Access type: Access (display only) to all entities of the Group - BFC Owner Group: AUDIT-INT
  • External
    • External auditors - Access type: Access (display only) to all entities of the Group and Journal Entries (only consolidation) - BFC Owner Group: DELOITTE

5. Consolidators

  • Consolidators
    • Consolidators - Access type: Access to all entities of the Group and Journal Entries - BFC Owner Group: GAR-CONSO

4.3.2 Overview - Functional Profile

The Functional Profile defines the actions that users can perform in each BFC module, such as: entering data in the packages or consultation-only access; reopening packages; running the consolidation; etc.

The main Functional Profiles in BFC are:

  • ADMINISTRATEUR - BFC tool administrators.
  • ADM-LEGER - BFC tool administrators (light).
  • CONSOLIDEUR - GAR Consolidation team.
  • CONSO-SAISIE - For those responsible for regional coordination (APAC, NAM, LAM).
  • AUDIT - For internal or external auditors to consult the entire tool (data, scope, customization).
  • SAISIE-RESTIT - People responsible for entering data in the packages (CAM or SC).
  • RESTIT-PACK - For people that need to consult and extract reports.
  • RESTITUTION - People that need to consult and edit reports (Controllers mainly).

 

Some of these Functional Profiles can be considered sensitive, because they allow critical actions to be performed in BFC, such as:

  • Change and Consult Dimension Builder (All definitions of the BFC, such as Reporting Units; Business structure; etc.).
  • Change and Consult Rules.
  • Change the Reports.
  • Manage and Consult Top Entries (Data entered at the Consolidated Level).
  • Create; update; lock and unlock Consolidations.
  • Unlock packages (Reopen packages Published in Standard mode).
  • Unprotect packages (Reopen packages published by Special Permission).
  • Publish by Special Permission (Publish packages with errors).

The creation of a sensitive user must be formally approved by the Consolidation Manager.

 


4.3.3 Overview - Data Access Group

The Data Access Group defines the categories the user is allowed to access, the level of data that can be reached in each category, and how it can be accessed.

The definitions are based on:

  • Categories
    • ACTUAL0 - Category with Shareholding data
    • ACTUAL1 - Category with Provision data
    • ACTUAL1-TAX - Category with Tax data
    • ACTUAL2 - Category with Financial Statements data
    • ACTUAL3 - Category with Annual report disclosures data
    • PREV - Category with Business data - Budget
    • RSB - Category with Business data - Restructuring
  • Level of Access to each Category
    • Data entry access - Allows access to the data in the Packages
    • Data analysis access - Allows access to the data in Reports
    • Consolidation access - Allows access to consolidated data
    • Central manual journal entry - Allows access to the consolidated adjustments
  • Definitions of view (most used)
    • Reporting Unit - The companies the user will have access to
    • Activity1 - The Markets the user will have access to
    • Activity2 - The CGUs the user will have access to

Note that the Reporting Units are mainly defined as a filter when the user needs to see multiple companies.



4.3.4 Overview - Authentication 

The Authentication defines whether or not the user connects with the Network credentials (User and Password). There are two types of Authentication:

  • External - Linked to Single Sign On (Network User and Password).
  • Internal - Not linked to Single Sign On (Different user and temporary Password).

By default a user should be created with External Authentication, except when:

  • The user needs a second profile - A user can only have one access with SSO.
  • The user is outside the Solvay Network.
  • The request is made in the closing period - Because the BFC-Admin team has only one hour to create the access in this period; after this period, once the user has been added to the AD group, the authentication should be updated to External.

Users with Internal authentication have to manage their password directly in BFC. They need to change it every two months and ask the BFC-Admin team to refresh the password in case of issue.


5. VALIDATE THE USER STATUS IN THE GUDSIS TOOL

All active users in BFC must also be active in the GUDSIS tool; therefore, before a new user is created in BFC, the status of the user must be checked in GUDSIS.

 


To access the GUDSIS, use the following link:

http://py2sapr3.solvay.com:8155/sap/bc/gui/sap/its/zzh_GUDSIS

 

Then choose the option Personal Member view detail.


To search for someone in GUDSIS, enter the name (Last Name and/or First Name) of the person.


First, check if the user is active.

The "End Date" must be 31.12.9999.


Then, collect the information necessary to create the user in BFC:

  • SAP user ID (it will be the same for BFC)
  • Email address
  • Employee's function

 

If the user is not active in GUDSIS, the access cannot be created in BFC.


6. REQUEST TO ADD THE USER IN THE ACTIVE DIRECTORY GROUP

Once it has been confirmed that the user is active in the Group, a request must be made to add the user to the Active Directory Group.

To request to add the user to this directory, follow these two steps:

  • Create a ticket in the portal Solution Manager (Solman)
  • Send an e-mail to $IS-Adagio-Wintel <IS-Adagio-Wintel@solvay.com> 


In the Solvay One portal, open Solia Services.


In My Solia Services, click on Solution Manager.

 


Click on the Change Request Mgmt menu and choose the option Requests for Change.


In the Request for Change window click on the button New.


The following fields must be completed as indicated.

  • Title: Request to add user to AD BFC User Group
  • GBU/Function: S01 SBS
  • Impact: Medium
  • Urgency: Medium
  • End User Priority: P3: Medium
  • Nature: Recurrent
  • Zone Are of Requestor: EMEA
  • Project: ZGEN
  • Category 1: IS GAHS
  • Category 2: Wintel
  • Compliancy Risk: Low
  • GxP Impact Risk: Low
  • Application Interdependency Risk: Low
  • Business Risk: Low


In the field Text, enter the following information to describe the request.

"Hello,
Please update AD Group EUA\DC_GG_BFC_Users for the following user:
Login: eua\XXXXXXXX (SAP user collected in the GUDSIS)
Name: FirstName LASTNAME
email: FirstName.LASTNAME@solvay.com

Thank you in advance for your assistance.

Best regards,"


Then Save the request to submit it to the Adagio team.


After the request has been submitted in the Solution Manager tool, it must also be sent by e-mail.

Send the same information that was entered in the field Text to $IS-Adagio-Wintel <IS-Adagio-Wintel@solvay.com> and keep $BFC-Admin <BFC-Admin@solvay.com> in copy.


7. CREATE THE USER IN THE BFC


The creation of a new user can be done in the option New User, or through Save as from another user.

 

Note that to create a user through Save as, the authentication mode of the reference user must be Internal. If the authentication is External, change it to Internal, but do not select the option Save; select Save as instead.

 


In the tab General enter:

  • The Code - BFC ID (The SAP user available in the GUDSIS).
  • The Short description - LAST NAME and First name.
  • The Long description - LAST NAME and First name.

 


In the tab User enter:

  • The Owner Group.
  • The Functional Profile.
  • The Data Access Group.
  • The E-mail address.

 

In this example the user is a member of the Transversal team of the Service Center from Bangkok.

 


In the tab Authentication select if the user's authentication is Internal or External.

 

Note that for Internal authentication a temporary password must be defined; to do so, select the option "Change password...".

The rule to define a password is to enter "solvay" + the year.

Example: solvay17 (for 2017).

 


In the tab Translation enter the full name of the user in both French and English, in the Short and Long descriptions.

Then Save it. 

 

 

 

 


8. MANAGEMENT OF OTHER OBJECTS IN THE SECURITY MODULE

8.1 Management of Other Objects in the Security Module - Owner Group

The creation of a new Owner Group may be necessary when there is a new organisational team in the Group.

For example, when the Group acquired the Cytec Group, accesses with common rights had to be created for the newcomers from the Cytec Group; to identify them easily, the Owner Group named "CYTEC" was created.

 


The management of the Owner Groups is done in the Security module within the Administration domain.

The creation of a new owner group can be done through the option "New Owner Group".

 


In the tab General enter the:

  • Code.
  • Short description.
  • Long description.

In this example, the Code and the Descriptions were set to "CYTEC".

 


In the tab Translation enter the Short and Long descriptions in both French and English.

 


8.2 Management of Other Objects in the Security Module - Functional Profile

It might be necessary to create or update a Functional Profile when there is a new need for a group of users.

The creation of a Functional Profile must be formally approved by the Consolidation Manager.



The management of the Functional Profiles is done in the Security module within the Administration domain.

A new Functional Profile can be created from scratch with the option "New Functional Profile", or through "Save as" from an existing one.

To update an existing Functional Profile, open it and make the necessary changes.

 


In the tab General enter the:

  • Code.
  • Short description.
  • Long description.

 


In the tab Access Rights select the actions that the users will be able to perform in each of the following domains:

  • Analysis - Schedules, dashboards and reports (organization and execution).
  • Operation - Management of reporting sessions.
  • Administration - Management of Tasks, Security, Log & Monitoring.
  • Setup - Customization of the BFC: Category Scenario, Set of rules, Documents.
  • General Options - Miscellaneous.

 

In this example, the request was to create a new Functional Profile for the BOIC Team, using the Functional Profile SAISIE-RESTIT as reference. The new profile should enable the users to "Consult the structure" in the domain Setup.

 


In the tab Translation enter the Short and Long descriptions in both French and English.

 

 

 


8.3 Management of Other Objects in the Security Module - Data Access Group

A new Data Access Group should be created when there is a specific need for a group of users and no existing group meets that need.


The management of the Data Access Group is done in the Security module within the Administration domain.

A new Data Access Group can be created from scratch with the option "New Data Access Group", or through "Save as" from an existing one.

 


In the tab General enter the:

  • Code.
  • Short description.
  • Long description.


In the tab Definition, define the categories the user is allowed to access, the level of data that can be reached in each category, and how it can be accessed (in the Packages or in the Reports).

In the column "Accessible" flag the categories to be accessed, and then specify the Data Definition at the level of information that should be reached.

In this example, the Data Access Group "SOLVAY-SA" allows access to the categories:

  • ACTUAL0
  • ACTUAL1
  • ACTUAL1-TAX
  • ACTUAL2
  • ACTUAL3

And the level of information that can be reached is the Package Data, according to the definitions in the columns Data Entry Access (Packages) and Data Analysis Access (Reports).


In this Data Access Group, the following Definitions were created:

  • SOLVAY-SA-W - SOLVAY SA Write Access
  • SOLVAY-SA-R - SOLVAY SA Read Access

The difference between the two definitions is that SOLVAY-SA-W has restrictions on Activity1 and Activity2.

Both definitions have the same criteria for Reporting Unit: a filter named SOLVAY-SA.

 


The filter on the Reporting Unit restricts access to the companies 00001 and 00231.

If it is necessary to create or update a Filter of Reporting Units, see the topic 9.1 Other Actions - Management of a Filter of Reporting Units.


9. OTHER ACTIONS

9.1 Other Actions - Management of a Filter of Reporting Units 

A filter of Reporting Units defines the companies that a user can access.

When there is a new team in charge of a group of companies, or any other specific need, it may be necessary to create a new filter.

A filter of Reporting Units should also be updated when a new company is acquired by the Group, or when the consolidation method changes and a given team needs to fill in its packages.


The management of a Filter of Reporting Units is done in the module Dimension Builder within the Setup domain.

Change the Functional Mode to the option "Filters".


A new Filter can be created from scratch with the option "New Filter", or through "Save as" from an existing one.

 


In the tab General enter the:

  • Code.
  • Short description.
  • Long description.


In the tab Definition enter the criteria of the filter:

In this example the filter is quite simple: it only allows the companies 00001 and 00231 to be viewed.


A filter with more criteria can be created by using the following definitions.

  • The Operators:
    • Insert operator AND
    • Insert operator OR

 

  • Other Dimensions:

 

  • Types of Matching

 

As an example, the filter created for the North American Entities was defined as:

  • Geographical area AMSU (Latin America) or Country MX (Mexico)
  • And the entities different from U0% (the % means that any characters after U0 are disregarded, so it filters everything that starts with U0)
  • And the entities different from GEST%
  • And the entities of type S (Legal Entity)

Clicking on the icon Test Filter shows the companies that are covered by the Filter.

In this filter 53 companies matched the criteria defined.

 


In the tab Translation enter the Short and Long descriptions in both French and English.

 


9.2 Other Actions - Add a user to the Distribution List

When the request is to create a user for a CAM or a Controller, the user must be added to the Distribution Lists under the BFC-Admin team's responsibility, which are:

  • $ DL-FI Accounting: This list is for the Accountants of the Group.
  • $ DL-FI Controlling: This list is for the Controllers of the Group.

The details should be seen in the following procedure:


9.3 Other Actions - Update the Contacts in the List of Companies

When the request is to create a user for a CAM, the List of Companies should be updated for the companies that the new CAM will be in charge of.

The details should be seen in the following procedure:

 


10. INTERNAL CONTROLS

10.1 Internal Controls - Create a new user

When a new user is created in BFC the request must be archived as evidence.

* The creation of a sensitive user must be formally approved by the Consolidation Manager.



Reply to the initial request with a screenshot of the newly created user.


The email should be archived in PDF format in the following folder:

\\nohvfs01\dcfi-ccontrol\CONTROLE INTERNE GAR\BFC-ADMIN\01. GESTION SECURITE BFC\02. IT FC SEC\IT FC SEC-07\Demandes d'accès BFC


The File name should be:

 20YY-MM-DD - new access FirstName LastName


10.2 Internal Controls - Deactivate Users

Several Internal Controls are defined for the Security module. One of them is the internal control SEC-11: Reconciliation done on a regular basis between HR and BFC.

This control defines that users should be deactivated in two cases:

  • Inactivity - when the user does not connect for more than six months.
  • Left the Group - when it is identified that the user left the Group.

To execute this control it is necessary to extract the users from BFC and a report from GUDSIS, to confirm whether the users are active in the Group.


10.2.1 Internal Controls - Deactivate Users - Extract the Users from the BFC


To identify users who did not connect in the last six months, go to the Security module and group the users by the column "Active".


Select all active users and in the "File" menu choose the option "Print" and the "Selected Items".


Open the option Browse to select the options to save the file:

  • Location to save the file
  • The File name: BFC-SEC-11-Solvay-BFC_Users_20YY.MM.DD
  • Save as type: Delimited String (*.csv)

 

Select Save, and in the next screen OK.


Open the file just saved in Excel. Note that the information will be shown as text, so it may be necessary to convert it.

For this:

  • Select the column "A" 
  • In the tab "Data" choose the option "Text to Columns"
  • Select the option "Delimited"
  • Mark the option "Semicolon"
  • Then click on "Finish"

 


Once the information is organized in columns, delete the first two rows, which are empty.

 

 


10.2.2 Internal Controls - Deactivate Users - Extract the GUDSIS Report


To extract the report of users from GUDSIS, access the following link:

http://py2sapr3.solvay.com:8155/sap/bc/gui/sap/its/zzh_GUDSIS

 

Then select the option Queries.


This downloads a feature that makes it possible to run the report in SAP (PP2 - HR Production).

When the downloaded feature is opened, it automatically opens SAP, where the option "DOWNLOAD GUDSIS DATA" should be selected in the menu OTHERS; then click on the button "Execute Query".


This opens the transaction "Program to download User's Data from GUDSIS".

In the field "Personnel Number" open the Multiple Selection option.

In the tab "Select Ranges" enter the range: 00000001 to 99999999.

Then save the selection by clicking on the corresponding button.

Afterwards, the initial screen of the transaction is shown again and the transaction can be run by clicking on the corresponding button.


The columns necessary to execute the control are:

  • Last name
  • First name 
  • SAP user
  • User Status

So change the layout by clicking on the button "Change Layout".

The Column Set lists all the columns available.

The Displayed Columns lists the columns selected to be displayed.

After selecting the columns, save the change by clicking on the corresponding button.


After the layout has been changed, the information can be extracted.

Click on the button "Export" and choose the option Spreadsheet.

 


It will open a sequence of screens:

1 - Informs that filters, sorting and subtotals are not taken into account when the report is extracted. Just confirm it.

2 - Select the option "Table" to export the report as normal spreadsheet, the other option extracts the report as a pivot table.

3 - Has only one option, so just confirm.

 

 

This opens a temporary spreadsheet; its content can be pasted into a new tab of the spreadsheet that contains the users extracted from BFC.

 

 


10.2.3 Internal Controls - Deactivate Users - Users that left the Group


To identify the users who left the Group, the User Status from the GUDSIS report must be looked up for each user in the report extracted from BFC.

The lookup key can be either the SAP User or the Full Name, because some users have two profiles in BFC, in which case the BFC Code of the second profile differs from the SAP User.

For this reason, a column can be added that combines the Last Name and First Name of the user, in the same way as they are created in BFC.


Once the users who left the Group have been identified, they must be deactivated in BFC.

In the user's profile in the tab "User", remove the flag from the field "Active" and update the following fields:

  • Owner Group: PARTI
  • Functional Profile: DESACTIVE
  • Data Group: RIEN


With these definitions the profile cannot perform any action and has access to nothing in the system.


In the Comment tab, enter the old definitions of the user and the deactivation date.

The information must be entered in both French and English.


10.2.4 Internal Controls - Deactivate Users - Inactive Users


Select the column "Last Connection Date" and sort it.

Look for the users whose date in this column is more than six months old; these users must be deactivated in BFC.

 

Note that some users are used for test purposes and should not be deactivated. Also take care not to deactivate any user who has just been reactivated close to the date of execution of this control and has not connected yet.


In the user's profile in the tab "User", remove the flag from the field "Active" and change the current "Owner Group" to "NET".


In the Comment tab, enter the Deactivation Date and the Old Owner Group.

This information should be entered in both French and English.
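
One way to script the SEC-11 comparison described in 10.2.3 and 10.2.4, given as an added example that is not part of the original procedure or of BFC or GUDSIS. It matches each active BFC user to GUDSIS by SAP user and then by full name, and lists leavers and users inactive for more than six months. The column names, the date format, the status value "Active" and the `skip` and `reactivated` parameters are assumptions, and the sample data is constructed.

```python
import calendar
import csv
import io
from datetime import date, datetime

# Constructed sample exports. Column names, date format and the "Active"
# status value are assumptions, not the real BFC or GUDSIS layouts.
BFC_EXPORT = """;;;
;;;
Code;Long description;Active;Last Connection Date
JDOE01;DOE John;Yes;14.06.2017
JDOE01B;DOE John;Yes;02.01.2017
ASMITH;SMITH Anna;Yes;20.11.2016
BLEE;LEE Bo;Yes;01.07.2017
CNEW;NEW Carl;Yes;10.07.2017
TEST01;TEST User;Yes;05.01.2016
"""
GUDSIS_EXPORT = """Last name;First name;SAP user;User Status
DOE;John;JDOE01;Active
SMITH;Anna;ASMITH;Active
LEE;Bo;BLEE;Withdrawn
"""

# Field values the procedure sets when a profile is deactivated.
LEFT_GROUP = {"Owner Group": "PARTI", "Functional Profile": "DESACTIVE",
              "Data Group": "RIEN"}
INACTIVE = {"Owner Group": "NET"}


def read_rows(text):
    """Parse a semicolon-delimited export, skipping the empty leading rows."""
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=";") if any(r)]
    header = [h.strip() for h in rows[0]]
    return [dict(zip(header, (c.strip() for c in r))) for r in rows[1:]]


def months_before(day, months):
    """Calendar date `months` months before `day`, clamped to month end."""
    year, month0 = divmod(day.year * 12 + day.month - 1 - months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(day.day, last_day))


def reconcile(bfc_text, gudsis_text, run_date, skip=(), reactivated=()):
    """Return {BFC code: (reason, fields to set)} for accounts needing action."""
    by_sap, by_name = {}, {}
    for row in read_rows(gudsis_text):
        by_sap[row["SAP user"].upper()] = row["User Status"]
        full = f'{row["Last name"]} {row["First name"]}'.upper()
        by_name[full] = row["User Status"]

    cutoff = months_before(run_date, 6)
    actions = {}
    for user in read_rows(bfc_text):
        code = user["Code"].upper()
        if user["Active"] != "Yes" or code in skip:  # skip: test accounts
            continue
        # SAP user first; the full name covers second profiles whose code differs.
        status = by_sap.get(code) or by_name.get(user["Long description"].upper())
        if status is None:
            actions[code] = ("REVIEW: not found in GUDSIS", {})
        elif status != "Active":
            actions[code] = ("LEFT THE GROUP", LEFT_GROUP)
        elif code not in reactivated:
            last = user["Last Connection Date"]
            if last and datetime.strptime(last, "%d.%m.%Y").date() < cutoff:
                actions[code] = ("INACTIVE", INACTIVE)
    return actions


if __name__ == "__main__":
    for item in reconcile(BFC_EXPORT, GUDSIS_EXPORT, date(2017, 8, 1),
                          skip={"TEST01"}, reactivated={"ASMITH"}).items():
        print(item)
```

A full-name match can collide when two employees share a name, so a result obtained only through the name fallback should be confirmed before the account is changed.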

 

 

 

 

 

 

Completing this procedure ensures that users are created and updated in accordance with their role and needs, and that the database of users in BFC is accurate, so that only users who are active in HR and who actually access BFC have their profile enabled.

Through this process it is also possible to ensure that the other objects of the Security module are well maintained.

END OF THE PROCEDURE.