1. OBJECTIVE AND SCOPE

1.1 Objective of this Procedure

The purpose of this document is to describe the process for managing user accesses in the Security module of the BFC tool, and for executing the Internal Controls related to user management.


1.2 Scope

This procedure applies to the BFC Administration team.



2. REFERENCE DOCUMENTS


3. DEFINITIONS

BFC - Business Financial Consolidation (Solvay's Group Consolidation Tool)

BFC-Admin - BFC Administration Team in charge of the administration of BFC

GAR - Group Accounting Reporting Team (Consolidation team)

HR - Human Resources

GUDSIS - Solvay Human Resources tool hosting information and master data of Solvay's employees

IS Adagio - Team responsible for updating the Active Directory (AD) Group list.

SLA - Service Level Agreement.

CAM - Company Accounting Manager.



4. SUMMARY

4.1 Principle and Context

It is necessary to create user accesses in BFC and keep them aligned with each user's position, responsibilities and needs: either to enter the necessary information in the BFC reporting packages or to retrieve, analyse and validate the consolidated results.

Internal controls related to the user management process have been defined to guarantee secure management of accesses:

  • BFC users are granted access rights aligned with their responsibilities and needs in the BFC reporting cycles,
  • Any new access requested in BFC is duly approved,
  • Accesses of users who left the group are disabled,
  • Inactive users have their BFC account temporarily deactivated.



4.2 Responsibility

The BFC-Admin team is responsible for managing the user accesses in BFC, which includes:

  • Create or update BFC accesses,
  • Request approval from the Consolidation Manager each time sensitive rights have to be granted to a user,
  • Request from IT the updates to the BFC Active Directory list (list set up to allow SSO (Single Sign-On) usage in BFC),
  • Check the active status of users in the HR tool (GUDSIS),
  • Guarantee compliance of user management with the BFC Internal Controls (execute controls and store evidence),
  • Support both Internal and External audit campaigns related to Internal Controls.


The SLA (Service Level Agreement) for requests to create or update a user in BFC is:

  • During Closing Periods: 1 hour
  • Outside Closing Periods: 1 day


4.3 Process Overview and Key Principles

Requests to create a new user or to update the profile of an existing user are submitted by the end user to the BFC-Admin ($SBS FinanceSL Fin Acc SU BFC Admin) mailbox.

The updates can be:

  • Change the existing rights (Functional Profile or Data Access Group)
  • Reactivate a deactivated user
  • Deactivate a user

The compulsory information necessary to create a user in BFC is:

  • First name and Last Name
  • Solvay's network ID
  • Email address
  • Functional rights needed (scope of companies, editing or view rights...); or reference to the rights of an existing user fitting the needs of the requestor



The following flowchart describes the process to create a user in BFC.




The management of users in BFC is performed directly in the BFC_Production database / Security module within the Administration domain.

The Security module covers:

  • Users
  • Owner groups
  • Functional profiles
  • Data access groups


4.3.1 Overview - Access Definitions

Each access in BFC is a combination of:

  • Owner Group: used to allocate users in defined organizations/teams
  • Functional Profile: Type of actions the user will be able to perform in BFC: "editing" versus "read only" rights
  • Access Group: Scope of data on which access is granted: segregation can be made by reporting category, by scope of legal companies and/or by scope of Businesses



4.3.2 Overview - Functional Profile

The Functional Profile defines the actions that users can perform in each BFC module: data entry in reporting packages, access for consultation, posting of journal entries, reopening of packages, running consolidations...

The main Functional Profiles in BFC are:

  • ADMINISTRATEUR - BFC tool Administrators - note that Administrators have FULL rights in ALL modules
  • ADM-LEGER - BFC tool administrators (light)
  • ADM-REGION - BFC Regional Support Members
  • CONSOLIDEUR - Consolidation rights
  • CONSO-SAISIE - For those responsible for regional coordination (APAC, NAM, LAM)
  • AUDIT - For internal or external auditors to consult the entire tool (data, scope, customization)
  • SAISIE-RESTIT - People responsible for entering data in the packages (CAM or SC)
  • RTR-BO-COR - Same rights as SAISIE-RESTIT plus rights to reopen packages
  • RESTIT-PACK - For people that need to consult and extract reports
  • RESTITUTION - People that need to consult and edit reports (Controllers mainly)
  • ROBOTS - To allow each robot user to perform multiple robot actions: Import SAP file / BFC monitoring / Package re-openings


Some of these Functional Profiles can be considered sensitive, because they allow critical actions to be performed in BFC, such as:

  • Change and Consult Dimension Builder (all definitions of the BFC, such as Reporting Units, Business structure, etc.).
  • Change and Consult Rules.
  • Change the Reports.
  • Manage and Consult Top Entries (Data entered at the Consolidated Level).
  • Create, update, lock and unlock Consolidations.
  • Unlock packages (Reopen packages Published in Standard mode).
  • Unprotect packages (Reopen packages published by Special Permission).
  • Publish by Special Permission (Publish packages with errors).

The creation of a sensitive user must be formally approved by the Consolidation Manager.



4.3.3 Overview - Data Access Group

The Data Access Group defines the categories that the user will be allowed to access, the level of the data that can be reached in each category, and how it can be accessed.

The definitions are based on:

  • Categories
    • ACTUAL0 - Category with Shareholding data
    • ACTUAL1-TAX - Category with Tax data
    • ACTUAL1 (no longer used since 2020)
    • ACTUAL2 - Category with Financial Statements data
    • ACTUAL3 - Category with Annual report disclosures data
    • PREV - Category with Business data - Budget
    • RSB - Category with Business data - Restructuring
  • Level of Access to each Category
    • Data entry access - Allows access to the data in the Packages
    • Data analysis access - Allows access to the data in Reports
    • Consolidation access - Allows access to consolidated data
    • Central manual journal entry - Allows access to the consolidated adjustments
  • Definitions of view (most used)
    • Reporting Unit - The companies the user will have access to
    • Activity1 - The Markets the user will have access to
    • Activity2 - The CGUs the user will have access to

Note that the Reporting Units are mainly defined as a filter when the user needs to see multiple companies.



4.3.4 Overview - Authentication 

The Authentication defines whether or not the user connects with the network credentials (user and password). There are two types of Authentication:

  • External - Linked to Single Sign On (Network User and Password).
  • Internal - Not linked to Single Sign On (Different user and temporary Password).

By default a user should be created with External Authentication, except when:

  • The user needs a second profile - A user can only have one access with SSO.
  • The user is outside the Solvay Network.
  • The request is made during the closing period - Because the BFC-Admin team has only one hour to create the access in this period; after this period, once the user has been added to the AD group, the authentication should be updated to External.

Users with Internal authentication have to manage their password directly in BFC. They need to change it every two months and ask the BFC Admin team to refresh the password in case of an issue.



5. VALIDATE THE USER STATUS IN THE GUDSIS TOOL

All active users in BFC must also be active in the GUDSIS tool; therefore, before creating a new user in BFC, the status of the user must be checked in GUDSIS.



To access the GUDSIS, use the following link:

http://py2sapr3.solvay.com:8155/sap/bc/gui/sap/its/zzh_GUDSIS


Then choose the option Personal Member view detail.



To search for someone in GUDSIS, enter the name (Last Name and/or First Name) of the person.



First, check if the user is active.

The "End Date" must be 31.12.9999.



Then, collect the information necessary to create the user in BFC:

  • SAP user ID (it will be the same for BFC)
  • Email address
  • Employee's function




If the user is not active in GUDSIS, the access cannot be created in BFC.
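The same End Date rule can be applied in bulk when executing the control that accesses of users who left the group are disabled. The sketch below is an added example, not part of the original procedure: the record layouts, field names (`code`, `enabled`, `sap_id`, `end_date`) and user IDs are hypothetical, and the sample data is constructed.

```python
from datetime import date

OPEN_END_DATE = date(9999, 12, 31)  # GUDSIS "End Date" 31.12.9999 means still active

def parse_end_date(text):
    """Parse a DD.MM.YYYY end date; return None if blank or malformed."""
    try:
        day, month, year = (int(part) for part in text.strip().split("."))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None

def review_accounts(bfc_users, gudsis_records):
    """Return (user code, finding) for each enabled BFC account failing the check."""
    hr = {rec["sap_id"].upper(): rec for rec in gudsis_records}
    findings = []
    for user in bfc_users:
        if not user["enabled"]:
            continue  # already deactivated in BFC
        record = hr.get(user["code"].upper())  # BFC code is the SAP user ID
        if record is None:
            findings.append((user["code"], "no GUDSIS record"))
            continue
        end = parse_end_date(record["end_date"])
        if end is None:
            findings.append((user["code"], "unreadable End Date"))
        elif end != OPEN_END_DATE:
            findings.append((user["code"], f"End Date {end:%d.%m.%Y}"))
    return findings

# Constructed sample exports (hypothetical layout and IDs).
BFC_USERS = [
    {"code": "ab10001", "enabled": True},
    {"code": "AB10002", "enabled": True},
    {"code": "AB10003", "enabled": False},
    {"code": "AB10004", "enabled": True},
    {"code": "AB10005", "enabled": True},
]
GUDSIS_RECORDS = [
    {"sap_id": "AB10001", "end_date": "31.12.9999"},
    {"sap_id": "AB10002", "end_date": "30.06.2023"},
    {"sap_id": "AB10003", "end_date": "31.01.2022"},
    {"sap_id": "AB10005", "end_date": ""},
]

if __name__ == "__main__":
    for code, finding in review_accounts(BFC_USERS, GUDSIS_RECORDS):
        print(f"{code}: {finding}")
```

Accounts reported with "no GUDSIS record" need manual review, since users outside the Solvay network and robot users may legitimately be absent from the HR tool.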



6. REQUEST TO ADD THE USER IN THE ACTIVE DIRECTORY GROUP

After ensuring that the user is active in the Group, a request must be made to include the user in the Active Directory Group.

To request the addition of the user to this directory, follow these two steps:

  • Create a ticket in the portal Solution Manager (Solman)
  • Send an e-mail to $IS-Adagio-Wintel <IS-Adagio-Wintel@solvay.com>


In the Solvay One portal, open Solia Services.



In My Solia Services, click on Solution Manager.




Click on the Change Request Mgmt menu and choose the option Requests for Change.



In the Request for Change window click on the button New.



The following fields must be completed as indicated.

  • Title: Request to add user to AD BFC User Group
  • Change Manager: Chee Keong CHOY
  • GBU/Function: SBS
  • Partner: Internal Change (Solvay ONLY)
  • Zone Area of Requestor: EMEA
  • Change Cycle/Phase: ZGEN - NON SAP Servers
  • Landscape/ Branch: SAP_EHP1_FOR_SAP_NETWEAVE00001
  • Category 1: IS GAHS
  • Category 2: Wintel
  • Category 3: Financial Consolidation
  • Category 2: AD Account Management
  • Impact: Medium
  • Urgency: Medium
  • End User Priority: 3: Medium
  • Risk Category: Low
  • GxP Impact Risk: Low
  • Application Interdependency Risk: Low
  • Business Risk: Low



In the field Text, enter the following information to describe the request.

"Hello,
Please update AD Group EUA\DC_GG_BFC_Users for the following user:
Login: eua\XXXXXXXX (SAP user collected in the GUDSIS)
Name: FirstName LASTNAME
email: FirstName.LASTNAME@solvay.com

Thank you in advance for your assistance.

Best regards,"



Then Save the request to submit it to the Adagio Team.



After submitting the request in the Solution Manager tool, the request also has to be sent by e-mail.

Send the same information entered in the field Text to describe the request to $IS-Adagio-Wintel <IS-Adagio-Wintel@solvay.com> and keep $BFC-Admin <BFC-Admin@solvay.com> in copy.



7. CREATE THE USER IN THE BFC


In the Security module go to the option New User.



In the tab General enter:

  • The Code - BFC ID (The SAP user available in the GUDSIS).
  • The Short description - LAST NAME and First name.
  • The Long description - LAST NAME and First name.



In the tab User enter:

  • The Owner Group.
  • The Functional Profile.
  • The Data Access Group.
  • The E-mail address.


In this example the user is a member of Finance Operations from Bangkok Service Center.



In the tab Authentication, select whether the user's authentication is Internal or External.


Note that for Internal authentication a temporary password has to be defined; to do so, select the option "Change password..."

The rule to define a password is to enter "solvay" + the year.

Example: solvay19 (for 2019).



In the tab Translation enter the full name of the user (LAST NAME First Name), in French and English, Short and Long descriptions.

Then Save it. 






8. MANAGEMENT OF OTHER OBJECTS IN THE SECURITY MODULE

8.1 Management of Other Objects in the Security Module - Owner Group

The creation of a new Owner Group may be necessary when there is a new organisational team in the Group.

For example, when the Group acquired the Cytec Group, it was necessary to create accesses with common rights for the newcomers from the Cytec Group; to identify them easily, the Owner Group named "CYTEC" was created.



The management of the Owner Groups is done in the Security module within the Administration domain.

The creation of a new owner group can be done through the option "New Owner Group".



In the tab General enter the:

  • Code.
  • Short description.
  • Long description.

In this example, the Code and the Descriptions were defined as "CYTEC".



In the tab Translation, enter the Short and Long descriptions in both French and English.



8.2 Management of Other Objects in the Security Module - Functional Profile

It might be necessary to create or update a Functional Profile when there is a new need for a group of users.

The creation of a Functional Profile must be formally approved by the Consolidation Manager.



The management of the Functional Profiles is done in the Security module within the Administration domain.

A new Functional Profile can be created from scratch with the option "New Functional Profile", or through "Save as" from another one.

To update an existing Functional Profile, open it and make the necessary changes.



In the tab General enter the:

  • Code.
  • Short description.
  • Long description.



In the tab Access Rights, select the actions that the users will be able to perform in each of the following domains:

  • Analysis - Schedules, dashboards and reports (organization and execution).
  • Operation - Management of reporting sessions.
  • Administration - Management of Tasks, Security, Log & Monitoring.
  • Setup - Customization of the BFC: Category Scenario, Set of rules, Documents.
  • General Options - Miscellaneous.


In this example, the request was to create a new Functional Profile for the BOIC Team, with reference to the Functional Profile SAISIE-RESTIT. The new profile should enable the users to "Consult the structure" in the domain Setup.



In the tab Translation, enter the Short and Long descriptions in both French and English.






8.3 Management of Other Objects in the Security Module - Data Access Group

A new Data Access Group should be created when there is a specific need for a group of users and no existing group meets that need.



The management of the Data Access Groups is done in the Security module within the Administration domain.

A new Data Access Group can be created from scratch with the option "New Data Access Group", or through "Save as" from another one.




In the tab General enter the:

  • Code.
  • Short description.
  • Long description.



In the tab Definition, define the categories that the user will be allowed to access, the level of the data that can be reached in each category, and how it can be accessed (in the Packages or in the Reports).

In the column "Accessible", flag the categories to be accessed, and then enter the Data Definition at the level of information that should be reached.

In this example, the Data Access Group "SOLVAY-SA" allows access to the categories:

  • ACTUAL0
  • ACTUAL1 (no longer used since 2020)
  • ACTUAL1-TAX
  • ACTUAL2
  • ACTUAL3

The level of information that can be reached is the Package Data, according to the definitions in the columns Data Entry Access (Packages) and Data Analysis Access (Reports).



In this Data Access Group, the following Definitions were created:

  • SOLVAY-SA-W - SOLVAY SA Write Access
  • SOLVAY-SA-R - SOLVAY SA Read Access

What differentiates the two definitions is that SOLVAY-SA-W has restrictions on Activity1 and Activity2.

Both definitions have the same criteria for Reporting Unit: a filter named SOLVAY-SA.




The filter on the Reporting Unit restricts the access to the companies 00001 and 00231.

If it is necessary to create or update a Filter of Reporting Units, see the topic 9.1 Other Actions - Management of a Filter of Reporting Units.



9. OTHER ACTIONS

9.1 Other Actions - Management of a Filter of Reporting Units 

A filter of Reporting Units defines the companies that a user can access.

When there is a new team in charge of a group of companies, or any other specific need, it may be necessary to create a new filter.

A filter of Reporting Units should also be updated when a new company has been acquired by the Group, or when the consolidation method changes and a given team needs to fill in its packages.


The management of a Filter of Reporting Units is done in the module Dimension Builder within the Setup domain.

Change the Functional Mode to the option "Filters".



A new Filter can be created from scratch with the option "New Filter", or through "Save as" from another one.




In the tab General enter the:

  • Code.
  • Short description.
  • Long description.



In the tab Definition, enter the criteria of the filter.

In this example the filter is quite simple: it just allows the view of the companies 00001 and 00231.



A filter with more criteria can be created by using the following definitions.

  • The Operators:
    • Insert operator AND
    • Insert operator OR


  • Other Dimensions:


  • Types of Matching


As an example, the filter created for the North American Entities was defined as:

  • Geographical area AMSU (Latin America) or Country MX (Mexico)
  • And the entities different from U0% (the % means that any characters after the U0 are disregarded, so it filters out everything that starts with U0)
  • And the entities different from GEST%
  • And the entities of type S (Legal Entity)

Clicking on the icon Test Filter shows the companies that are considered in the Filter.

In this filter, 53 companies matched the criteria defined.
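The sketch below evaluates the criteria listed above and shows why the grouping of the OR operator matters for the resulting access scope. It is an added example, not part of the original procedure and not BFC's own filter engine: the field names (`code`, `area`, `country`, `type`), the tuple notation and the reporting units are hypothetical and constructed, and `%` is generalized to match any run of characters.

```python
import re

def like(value, pattern):
    """'%' stands for any run of characters, so 'U0%' means 'starts with U0'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value) is not None

def matches(unit, node):
    """Evaluate a nested (operator, ...) filter expression against one unit."""
    op = node[0]
    if op == "AND":
        return all(matches(unit, child) for child in node[1:])
    if op == "OR":
        return any(matches(unit, child) for child in node[1:])
    field, operand = node[1], node[2]
    if op == "EQ":
        return unit[field] == operand
    if op == "NOT_LIKE":
        return not like(unit[field], operand)
    raise ValueError(f"unknown operator {op!r}")

def preview(units, node):
    """Counterpart of Test Filter: list the codes the filter lets through."""
    return [unit["code"] for unit in units if matches(unit, node)]

REST = (("NOT_LIKE", "code", "U0%"), ("NOT_LIKE", "code", "GEST%"),
        ("EQ", "type", "S"))
# Criteria as listed: (area AMSU OR country MX) AND each further condition.
AS_DEFINED = ("AND", ("OR", ("EQ", "area", "AMSU"), ("EQ", "country", "MX")),
              *REST)
# Same criteria with the OR left ungrouped: the conditions only bind to MX.
MISGROUPED = ("OR", ("EQ", "area", "AMSU"),
              ("AND", ("EQ", "country", "MX"), *REST))

# Constructed units; only AMSU, MX, U0%, GEST% and S come from the procedure.
UNITS = [
    {"code": "00410", "area": "AMSU", "country": "BR", "type": "S"},
    {"code": "00733", "area": "NAM", "country": "MX", "type": "S"},
    {"code": "U0123", "area": "AMSU", "country": "BR", "type": "S"},
    {"code": "GEST01", "area": "NAM", "country": "MX", "type": "S"},
    {"code": "00520", "area": "AMSU", "country": "AR", "type": "B"},
    {"code": "00001", "area": "EMEA", "country": "BE", "type": "S"},
]

if __name__ == "__main__":
    print("as defined:", preview(UNITS, AS_DEFINED))
    print("misgrouped:", preview(UNITS, MISGROUPED))
```

With the OR ungrouped, every AMSU unit passes regardless of code or type, which is the kind of over-broad scope the Test Filter count helps reveal before the filter is attached to a Data Access Group.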



In the tab Translation, enter the Short and Long descriptions in both French and English.




9.2 Other Actions - Update the Contacts in the List of Companies

When the request is to create a user for a CAM, the List of Companies should be updated for the companies that the new CAM will be in charge of.

The details should be seen in the following procedure:



10. INTERNAL CONTROLS

The internal controls linked to BFC user access management are documented in the following chapters:

SEC-07 (APP.01) Access Requests

SEC-04 (APP.10) Access Rights

SEC-03 (APP.01) Functional Profiles

SEC-11 (APP.02) Users Deactivation


END OF THE PROCEDURE.