
Security Administrator User Guide
PeopleSoft 9.2
GeorgiaFIRST
GeorgiaFIRST Financials
University System of Georgia
TABLE OF CONTENTS

INTRODUCTION: PEOPLESOFT SECURITY BASICS
  SECURITY DESIGN STRATEGY (OPTIONAL)
  DYNAMIC ROLES
  PERMISSION LISTS
  WORKFLOW ROLES
CHAPTER 1: SECURITY ADMINISTRATION
CHAPTER 2: MANAGING USER SECURITY
  USER PROFILES
  GENERAL TAB
  PERMISSION LISTS
  USER ROLES TAB
  WORKFLOW TAB
  SELF-REGISTRATION
  DETERMINING ACCESS
  Activity 1
  INSTITUTION-SPECIFIC JOB AIDS AND FORMS
  Activity 2
CHAPTER 3: MANAGING USER PREFERENCES
  GENERAL PREFERENCE
  OLE INFORMATION AND PROCESS GROUP
  ASSET MANAGEMENT USER PREFERENCES
  GENERAL LEDGER USER PREFERENCES
  JOURNAL ENTRY OPTIONS
  ONLINE JOURNAL EDIT DEFAULTS
  JOURNAL POST DEFAULTS
  BUDGET POST OPTIONS
  PAYCYCLE USER PREFERENCES
  PROCUREMENT
  PAYABLES ONLINE VOUCHERING
  RECEIVER SETUP
  PURCHASE ORDER AUTHORIZATIONS
  BUYERS USER AUTHORIZATION (OPTIONAL)
  SUPPLIER PROCESSING AUTHORITY
  DOCUMENT TOLERANCE AUTHORIZATIONS
  REQUISITION (REQ) AUTHORIZATIONS
  Activity 3
CHAPTER 4: WORKFLOW MANAGEMENT
  WORKFLOW ADMINISTRATION
  APPROVAL ROLES VS. ROUTING ROLES
CHAPTER 5: MANAGING MODULE SPECIFIC SECURITY
  ACCOUNTS PAYABLE
  Activity 4
  ACCOUNTS RECEIVABLE
  BENEFIT RECONCILIATION MODULE
  BOR PAYROLL MODULE
  BUDGET PREPARATION (BUDGET PREP)
  COMMITMENT CONTROL
  Activity 5
  EXPENSES
  Activity 6
  GENERAL LEDGER
  PURCHASING
  BUYER ROLES
  BUYER SETUP
  Activity 7
CHAPTER 6: EPROCUREMENT (EPRO)
  TYPES OF ROLES INVOLVED
  REQUESTER SECURITY ROLES
  REQUESTER SETUP
  HOW DO APPROVALS WORK?
  APPROVAL STAGES
  APPROVAL TIME LIMITS
  EPRO ADMINISTRATORS
  EPRO APPROVER SETUP
  SPECIAL ITEM APPROVER SECURITY ROLES
  DEPARTMENT MANAGER ID
  ADDITIONAL DEPARTMENT MANAGERS
  PROJECT MANAGER ID
  Activity 8
CHAPTER 7: MANAGING QUERY SECURITY
  NAVIGATION TO QUERY MANAGER COMPONENTS
  USING QUERY VIEWER
CHAPTER 8: IT AUDIT
  NEW HIRES
  TERMINATED USERS
  TERMINATED USER QUERY
  Activity 9
  CURRENT USERS
  DOCUMENTATION AND APPROVALS
  MONITORING
  SEGREGATION OF DUTIES QUERY
  Activity 10
  Activity 11
  Activity 12
  INSTITUTION AUDIT CHECKLIST
FREQUENTLY ASKED QUESTIONS

User’s Guide for Security Administrators 2017 Board of Regents of the University System of Georgia. All Rights Reserved. v 1.0
Introduction: PeopleSoft Security Basics

Security Design Strategy (Optional)

Before we focus on security, we will begin with an overview of the PeopleSoft Financials security design philosophy. The three components of this system are Users, Roles, and Permission Lists.

User Profiles, i.e., the user, refers to any employee set up to use the system. Each user is assigned one or more roles. These roles determine which business processes a particular user is allowed to perform. The business processes are contained in Permission Lists (see chart above).

Roles are “granular,” which means that each role is based upon a specific business process. Therefore, access needed to complete a business process is mapped into corresponding role/roles. For example, if you assign a user the Voucher Entry role, that user automatically has access to the page to Add Vouchers.

Some business processes require only one role to complete. More complex business processes, such as running a pay cycle under Accounts Payable, may require multiple roles to complete. Our granular approach promotes flexibility across institutions and reduces the risk of segregation of duties issues. ITS designs and creates the roles and permission lists and allows institutions to administer the delivered roles to their individual users through a distributed user profile. We will cover this more in the security administration area of this document.

Dynamic Roles

To make role assignment faster and more efficient, the GeorgiaFIRST model utilizes the dynamic roles functionality within PeopleSoft. Dynamic roles allow administrators to assign roles based on preset permissions. Roles can be assigned dynamically using several different methods. One method is by creating a query that says, "If a user has access to role X, then automatically give them role XX as well." In addition, if a user has access to page X, then role X can also be assigned. The benefit of creating a dynamic role is that, when role X is removed, role XX is also removed. Queries, PeopleCode, or Directories can be used to assign dynamic roles.

Currently, ITS has only one Dynamic Role: the BOR EX APPROVAL role. Any user who is on the Expenses Approver Assignments page automatically gets this role. As a result, they also receive permission to approve expense transactions. Upon termination, the user should be removed from the Expenses Approver Assignments page. The Dynamic Role will automatically be removed from their user profile.

Permission Lists

Permission Lists, building blocks of end-user security authorizations, control what a user can and cannot access. A user inherits permissions through the role or roles the security administrator assigns to them. In the chart above, notice that permission lists are assigned to roles, which are then assigned to user profiles. A role may contain numerous permissions and a user profile may have numerous roles assigned to it. Because permission lists are applied to users through roles, a user inherits all the permissions assigned to each role to which the user belongs. The user's access is determined by the combination of all of the roles assigned.

A Permission List may contain any number of the following permissions: sign-on times, page permissions, component interface permissions, web libraries, and so on. Although a permission list may contain one or more permissions, the smaller the number of permissions within a particular permission list, the more flexible and scalable that permission list is.

Please note: Data permissions are assigned directly to the User Profile either through a Primary Permissions list or Row Security Permissions list (this will vary in HR or Finance). Navigator Homepage and Process Profile permission lists are also assigned directly to the user profile.

All permission lists start with the module, i.e., GL for General Ledger, and are then followed by the name of the permission list. For example, GL PAY INTERFACE is a General Ledger permission list. Tools version 8.4 allows a naming length of 30 characters for a permission list.

There are two tables that contain information on permission lists:
• PSCLASSDEFN - Permissions Lists Definition
• PSAUTHITEM - Authorized Menu Item

Workflow Roles

When enabled, some delivered business processes provide for the routing of work through an automated process called workflow. For example, when an Accounts Payable clerk enters a voucher, and an Accounts Payable manager needs to approve it, the system will automatically route the transaction to the manager using workflow.

Each business process needs to be configured to include a rule set to route the work to the appropriate users. In some cases, this is a role assigned to the user profile. Roles used in this manner will be designed and created to allow for the routing of work and provide only this function. They will be different from other roles in that they are shell roles, with no page access.
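The inheritance chain described in this introduction (user profile, then roles, then permission lists), including the dynamic role and a workflow shell role, worked through as an added example that is not part of the original guide or ITS code. It runs against an in-memory SQLite database; PSAUTHITEM is named in the guide, while PSROLEUSER, PSROLECLASS, the reduced column sets, the user JDOE, the permission list and menu names, and the role EXAMPLE WF ROUTING are assumptions or constructed sample data.

```python
import sqlite3
# Table names follow PeopleTools; columns are reduced to what the joins need.
# Every row is constructed sample data, not taken from a real system.
SCHEMA = """
CREATE TABLE PSROLEUSER  (ROLEUSER TEXT, ROLENAME TEXT, DYNAMIC_SW TEXT);
CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
CREATE TABLE PSAUTHITEM  (CLASSID TEXT, MENUNAME TEXT, BARITEMNAME TEXT);
INSERT INTO PSROLEUSER VALUES
  ('JDOE', 'BOR AP VOUCHER ENTRY', 'N'),
  ('JDOE', 'BOR EX APPROVAL',      'Y'),  -- the guide's one dynamic role
  ('JDOE', 'EXAMPLE WF ROUTING',   'N');  -- hypothetical workflow shell role
INSERT INTO PSROLECLASS VALUES
  ('BOR AP VOUCHER ENTRY', 'AP EXAMPLE VOUCHER'),
  ('BOR EX APPROVAL',      'EX EXAMPLE APPROVE'),
  ('EXAMPLE WF ROUTING',   'WF EXAMPLE SHELL');
INSERT INTO PSAUTHITEM VALUES
  ('AP EXAMPLE VOUCHER', 'EXAMPLE_AP_MENU', 'VOUCHER_ADD'),
  ('EX EXAMPLE APPROVE', 'EXAMPLE_EX_MENU', 'EXPENSE_APPROVE');
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def effective_access(conn, user):
    """Union of the menu items granted through every role the user holds."""
    return conn.execute("""SELECT DISTINCT a.MENUNAME, a.BARITEMNAME, ru.ROLENAME
        FROM PSROLEUSER ru JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
        JOIN PSAUTHITEM a ON a.CLASSID = rc.CLASSID
        WHERE ru.ROLEUSER = ? ORDER BY 1, 2, 3""", (user,)).fetchall()

def shell_roles(conn, user):
    """Roles whose permission lists authorize no menu item (routing only)."""
    rows = conn.execute("""SELECT ru.ROLENAME FROM PSROLEUSER ru
        JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
        LEFT JOIN PSAUTHITEM a ON a.CLASSID = rc.CLASSID WHERE ru.ROLEUSER = ?
        GROUP BY ru.ROLENAME HAVING COUNT(a.CLASSID) = 0""", (user,))
    return [r[0] for r in rows]

def drop_dynamic_roles(conn, user):
    """Model the dynamic rule no longer matching: its membership rows go away."""
    conn.execute("DELETE FROM PSROLEUSER WHERE ROLEUSER = ? AND DYNAMIC_SW = 'Y'", (user,))

if __name__ == "__main__":
    db = build_db()
    print(effective_access(db, "JDOE"), shell_roles(db, "JDOE"))
    drop_dynamic_roles(db, "JDOE")
    print(effective_access(db, "JDOE"))
```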
Chapter 1: Security Administration

System security involves protecting financial data against modification, loss, theft, and unauthorized disclosure. To ensure the safety of data, GeorgiaFIRST has a security framework with several key areas of control, such as data access, password management, user account management, authorization management, and audit logs.

Security administration is distributed to each institution, and it is that institution’s responsibility to administer, update, and maintain it. This is done through role grant and distributed user profiles. Since ITS creates the roles and permissions, each institutional security administrator must have a security role that allows access to the delivered roles. This role is BOR LOCAL SEC ADMIN and contains all the delivered roles that are not institution specific. In addition, for institution-specific roles such as BOR EP ADMINXX, BOR PO ADMINXX, etc., the administrator also needs BOR LOCAL SEC ADMINXX (XX is the first two digits of the institution ID).

The core job functions of the security administrator at the campus level include but are not limited to:
• User Profile Management
  o Core Security Roles Management
  o EMPLID Management
  o Email Address Management
  o Password Reset
  o Account Lock Out/Reset
  o Commitment Control Security
  o User Preferences
  o Approval Setup
• Security Monitoring (will be covered more in the IT Audit section below)
  o New Users
  o Terminated Users
  o Position Changes
Chapter 2: Managing User Security

User Profiles define individual PeopleSoft users. You begin the security process by defining User Profiles and then linking each User to roles. Normally, a User Profile is linked to at least one role in order for it to be a valid profile; however, it is possible to have a User Profile with no Roles if, for example, a user who is not allowed access to the PeopleSoft application needs to receive workflow-generated emails. As we explained in the Introduction, the majority of permissions (values) that make up a user profile are inherited from the linked roles.

User Profiles

The first thing you must do to set up a User Profile is create a User ID by entering appropriate values, such as user password, work email (.edu) address, employee ID, and so on. To set up a User Profile, follow the navigation: PeopleTools > Security > User Profiles > Distributed User Profiles.

There are three ways to manually create a new User Profile. First, you can click on the “Add a New Value” tab and add a User ID. The User ID should be unique and not contain white space or any of the following special characters: ; : & , \ / " [ ] ( ). PeopleTools version 8.5 allows a naming length of up to 30 characters. (Some institutions prefer that the User ID not be tied to the user’s name. Check your institution to see if they have a preferred style for User IDs.) Click the Add button.

The second way to create a new Profile is to use the Copy User Profile feature to duplicate a similar profile. The benefit of using this method is that, if you have a core user with 50 roles and hire another user who needs the same 50 roles to replace them, you either have to manually add the 50 roles or do the Copy User Profile, which copies the roles. To copy a User Profile, follow the navigation: PeopleTools > Security > User Profiles > Copy User Profile. The name of your new profile will need to be different from the one you are about to copy.

Please note: The third way to create a User Profile is to have the user self-register. This method is explained on page 24.
General Tab

Now that you have created a new User ID, you can enter the user’s values into fields located under the “General” tab.

1. Start by entering the Symbolic ID. Click the down arrow and select the system default (SYSADM1). (Users who will only be authenticating through a Directory will not need a Symbolic ID for access into the system.)
2. Enter a password and then confirm it by entering it again in the Confirm Password field. This password should conform to existing password constraints set in the system. See chart below.

When a password is entered, the system will automatically make the password longer and return dots. Then save the profile.
The only other fields that may be required on the “General” tab are the Process Profile and Primary fields in the Permission Lists portion of the page.

Permission Lists

The Process Profile Permission can control which processes a user is allowed to run. In the GeorgiaFIRST model, processes are not grouped into different process permissions. If a user has security to a page, he or she can run the process because all processes have been consolidated into one permission. To add a process, type PT PRCSPRFL into the Process Profile.

The Primary permission list is what controls which institution’s data the user can access, update, and inquire on. For example, if a university’s Business Unit is XXXXX, the user’s primary permission list is BOR BU XXXXX. This list enforces row level security and allows users to see data only from their institution. To give permission for a Primary level:

1. Click on the Search symbol beside the Primary key field.
2. Click the number that corresponds to your organization.
3. Click Add.

If the local security administrator creates the profile manually, the process profile defaults from the local security administrator’s profile.

The next tab on the User Profile is the ID tab. This tab is used to set the ID type for the user. For end users who are employees, this will be set to Employee.

After setting the ID type to Employee, the Attribute field will be activated. You will be required to complete the Attribute Value field before you can save the Profile. This field will be the employee ID (EMPLID) for the user. For quick look up and validation, type in the first several digits of the employee ID and click the Search button. The description field should match the name of the user and will auto populate from the EMPLID.

User Roles Tab

Use the User Roles tab to attach the roles you need to complete the user profile definition.

The business processes you are trying to complete determine what roles you need. For example, if the business process is “Enter a PO Voucher”, then you look up the role associated with that process, such as BOR AP VOUCHER ENTRY. Because not all roles are intuitive, you may need to consult Job Aids on the GeorgiaFIRST website (http://www.usg.edu/gafirst-fin/documentation/job aids/category/security).

Workflow Tab

1. The Workflow tab is where you define routing preferences or workflow attributes. For Routing Preferences, select Worklist User if the user is an approver or may receive a system notification in their worklist. This is selected by default, and I suggest leaving it checked for active employees.
2. The Email User checkbox allows end users to receive system notifications via work email (.edu). These notifications will be sent to the email address on the user’s General Tab. This box is selected by default, and I suggest leaving it checked for active employees.
3. The Workflow Attributes section allows a user to have an alternate approver defined. If a user defined as an approver is going to be out of the office for a predefined time, you can redirect approvals to a specified User ID for a date range. The Reassign Work To section allows the security administrator to reassign ALL transactions in this individual’s worklist to a new approver. To redirect approvals, search for the new approver and click on the User ID. Then click SAVE.
Please Note: This will reassign EVERYTHING. If this person is an ePro Approver and a General Ledger Approver, it will send all R