Reconciliations Global Admin, OneStreamAdmin and Local Admin Permissions

There is a difference in permissions granted to the Reconciliations Global Admin, OneStream Administrator and a Local Admin both from a configuration and end user standpoint.

Reconciliations Global Admin and OneStream Admin Permissions

Within Account Reconciliations Settings and Reconciliation Administration pages, any user in the Security Role [Manage Recon Setup] user group can change anything. This includes changing any Reconciliation Definition, Reconciliation Inventory, Account Groups, AutoRec, BalCheck, Mass Update, Tracking Levels and running Discover and Process Reconciliations from a Review-level Workflow Profile. This includes creating Access Groups and assigning the Local Admin flag to one or more members who can then continue managing related Reconciliation Inventory items and Account Groups.

On the Reconciliations page, these users can step in to prepare, approve, comment or view any reconciliation. These same rights apply to any OneStream System Administrator (anyone in the Administrators Security Group).

The Reconciliations Global Admin applies Access Groups to any Account Groups and newly discovered Reconciliation Inventory Items. By doing so, if the Access Group has at least one member that is marked as a Local Admin, they are making these items visible and editable by these Local Admins. If the Reconciliations Global Admin wishes the Local Admin to assign Reconciliation Inventory Items to Account Groups, they must first assign an Access Group to each Account Group and Reconciliation Inventory Item in order for these to be visible to the Local Admin. However, a Local Admin is able to create their own Account Groups if they assign a valid Access Group to it that is an Access Group that they manage.

Local Admin Permissions

An Account Reconciliations user becomes a Local Admin when the Reconciliations Global Admin assigns them to an Access Group with the Local Admin flag designation and then assigns that Access Group to Reconciliation Inventory Items or Account Groups.

The Local Admin has certain abilities that are shared with a Reconciliations Global Admin, but which are limited in these areas:

Account Groups

  • Can create, view and edit only those Account Groups which an Access Group is assigned which they manage as Local Admin.

  • Cannot delete, export or import Account Groups or use the Account Group Template.

Administration

  • Can navigate to the Reconciliation Administration page.

  • Cannot see the Account Reconciliations Settings icon, which prevents them from making any changes to Reconciliation Definitions, Tracking Levels or seeing the Settings page to make changes, such as Global Options, Control Lists or Certifications. They cannot run Discover.

Reconciliation Inventory Items

  • Can view, edit and delete Reconciliation Inventory Items where the Access Group property is set to one that they manage. Can assign Reconciliation Inventory Items to Account Groups and other Access Groups that they manage.

  • Cannot change the properties of any Reconciliation Inventory Item that they do not manage either manually or through the Reconciliation Inventory page or Mass Updates. Cannot assign a Reconciliation Inventory Item or Account Group to an Access Group they do not manage or to (Unassigned). Cannot assign a Reconciliation Inventory Item to an Account Group they do not manage or assign to (No Group) once already assigned to an Account Group.

Reconciliation Inventory Mass Update

  • Can perform Mass Updates to Reconciliation Inventory Items they manage.

  • Cannot assign a Reconciliation Inventory Item to an Access Group they do not manage or to (Unassigned). Cannot assign a Reconciliation Inventory Item to an Account Group they do not manage or assign to (No Group) once already assigned to an Account Group.

Access Groups

  • Can create, modify and delete the members of the Access Groups that they manage.

  • Cannot create, delete, export, import or perform Mass Updates on Access Groups. Cannot change the Local Admin property on any Access Group user or create new Access Group members of the type Local Admin. They cannot delete their own record.

Preparer and Approver Workflow page

  • Can perform activities in the Preparer and Approver Workflow page as any end user would, restricted to their assigned Access Group Role.

  • Cannot click the Process Reconciliations button on Review-level Workflow Profiles, which is reserved for the Reconciliations Global Admin.

Analysis and Reporting page

  • Can review any report with the same filters applied to any end user, yet the Reconciliation Access Groups Report will be filtered to only the Access Groups they manage.