Title: BGSU/PeopleSoft
CSS SECURITY
BG_at_100 Open Forum
November 2009
BGSU/PeopleSoft
Agenda
- What is CSS Security and why is it important?
- What are Roles and Permissions?
- What are the steps for getting access to CSS?
- What training do I need to complete?
- Once I fill out the security form what happens to it?
- What needs to happen when an employee with CSS access leaves the department or university?
- What is Query Security?
- Report Distribution Security
- Additional Security Policies
- Security FAQs
CSS Security
What is CSS Security and why is it important?
- Security is critical in shared data applications, specifically with regard to confidentiality and user access control
- Typically there is a need to restrict viewing and modification of the data to ensure that sensitive information such as salaries, home addresses, or Social Security Numbers is not visible to everyone who has access
- Your job requirements are the key to your CSS security access
Assigning Security is a 3-Step Process
- Creating Permission Lists
- Defining Roles
- Setting up User Profiles
These 3 steps ensure that the information (data) a user can access is authorized and appropriate based on assigned job duties
What are Permissions and Roles?
Permission Lists
- Permission lists are the building blocks of user security authorization
- A permission list grants a degree of access to a particular combination of elements that allow access to pages, tools, and personalization
Role-Based Security
- A Role, at a high level, is a job description
- Roles effectively define the appropriate access level for every CSS user
- In addition, we can enforce segregation of duties through Roles
Menu Pagelets
Roles and Permission Lists
- Below is an example of how role-based and permission list security affects CSS access
- Database Administrator Role
Page Access
- Before you can do anything with a page, you have to get to it first
- If you have access to a page, your role determines if you have read-only access, but not update capabilities
- Example
- Menu Path → Campus Community → Student Services Center → (using same student BGSU ID)
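The three layers described above (permission lists, roles, user profiles), together with the read-only versus update distinction and the segregation-of-duties check, can be modeled as follows. This is an added example, not BGSU's or PeopleSoft's own code; every permission-list, role, page and user name is constructed, and letting the most permissive grant win when a user holds several is an assumption of this model.

```python
# Constructed model of the three layers; every permission-list, role,
# page and user name below is hypothetical.

# Step 1: permission lists grant a degree of access to pages.
# Value True = display-only (read-only); False = update allowed.
PERMISSION_LISTS = {
    "PL_SSC_VIEW": {"STUDENT_SERVICES_CENTER": True},
    "PL_SSC_UPDATE": {"STUDENT_SERVICES_CENTER": False},
    "PL_FA_AWARD": {"FIN_AID_AWARD": False},
    "PL_BURSAR_POST": {"BURSAR_PAYMENT": False},
}
# Step 2: roles (job descriptions) bundle permission lists.
ROLES = {
    "SR_VIEW_ONLY": ["PL_SSC_VIEW"],
    "SR_RECORDS_CLERK": ["PL_SSC_VIEW", "PL_SSC_UPDATE"],
    "FA_COUNSELOR": ["PL_FA_AWARD"],
    "BURSAR_CASHIER": ["PL_BURSAR_POST"],
}
# Step 3: user profiles are assigned roles, never pages directly.
USER_PROFILES = {
    "advisor1": ["SR_VIEW_ONLY"],
    "clerk1": ["SR_RECORDS_CLERK"],
    "temp1": ["FA_COUNSELOR", "BURSAR_CASHIER"],
}
# Role pairs one person must not hold together (segregation of duties).
SOD_CONFLICTS = [frozenset({"FA_COUNSELOR", "BURSAR_CASHIER"})]

def effective_access(user):
    """Map each reachable page to 'read-only' or 'update'."""
    access = {}
    for role in USER_PROFILES.get(user, []):
        for plist in ROLES[role]:
            for page, display_only in PERMISSION_LISTS[plist].items():
                if not display_only:
                    access[page] = "update"  # assumption: most permissive grant wins
                else:
                    access.setdefault(page, "read-only")
    return access

def sod_violations(user):
    """Return the conflicting role pairs held by one user profile."""
    held = set(USER_PROFILES.get(user, []))
    return [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held]

if __name__ == "__main__":
    for user in USER_PROFILES:
        print(user, effective_access(user), sod_violations(user))
```

Because access is derived only from named roles, a reviewer can answer "what can this user reach, and why" from the role list alone, which is the audit property the FAQ section relies on.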
Page Access Examples
- These examples demonstrate how the difference in access levels works
Row-Level Security
What are the Steps for Getting CSS Access?
What Training do I Need to Complete?
CSS Training
- The first step in this process is to complete the necessary training courses
- Menu Path → BGSU.edu/bgat100
CSS Online Training
- You will navigate to the BG_at_100 Project Home Page
- Click the appropriate link under CSS Training Web Page
- On this page we click the Checklist for this Training Track link
The Security Form
Once I complete the security form what happens to it?
Security Form Steps
- Print the security access form and complete all required sections
- Have your reporting manager review and sign the form
- Send the security access form to TSC
- TSC scans the form into OnBASE
- You receive an email detailing your access request so you can verify it
- Functional lead reviews and either approves or denies access
- You receive another email when the form has been sent to the Security Administrator
- Once the Security Administrator provides access, you receive another email with your assigned security access so you know what access you have
Removing Security Access
Security Access Removed
- What happens when an employee with CSS access leaves the department or BGSU?
Query Security
- Query Security is a 3-step process
- Granting access to the query tool
- Determining which tables (records) a user can query against and assigning access groups
- Setting up the user's query profile
Query Viewer and Query Manager
- Menu Path → http://www.bgsu.edu/bgat100 → Query Viewer/Manager Training
Query Training Classes
- There are two prerequisite query classes that must be completed first
- Menu Path → http://www.bgsu.edu/bgat100 → Query Viewer/Manager Training → Click the link for Query Viewer or Query Manager
Report Distribution Security
My Reports Security
Report Security
- Why is Report Security important?
Additional Security Policies
Security Policy
Information Technology Policy
- Information Technology Policy is located at http://www.bgsu.edu/offices/cio/page52522.html
- The Information Technology Policy is to be reviewed and agreed to by all users prior to receiving a BGSU account
- This policy provides documentation for user responsibility regarding data
- All users must only access or attempt to access information technology resources that they are authorized to use and then only in a manner and to the extent authorized
- Users are required to protect the confidentiality, integrity, and availability of information technology
- Users are to keep this policy and responsibility in mind when accessing data, and also when forwarding or sharing data extracted from the CSS system
Security FAQs
Frequently Asked Questions
- Advisor Roles: what is available via Faculty Center and who can see items via Faculty Center vs. who needs to take the courses and request the Advisor role in order to be able to see advising information?
  - If you are an employee you will see the faculty center, but the Advisor tab will not work for you. You will see all classes that you are teaching, and information about the classes like class roster, grade roster, and early alert. If you are not teaching any classes you will see the faculty center, but there will be no information in it.
  - The advisor role must be requested; nobody gets it automatically. In April we gave it to all the current faculty, but made the decision that it would have to be requested by everyone going forward. This will enable access to the Advisor tab and allow you to see all your advisees.
  - Please note the DARS link is now called Student Degree Audit. This link is on the portal, not in the Faculty Center.
- If I just complete the 4 prerequisite courses, what security access can I request?
  - Any role that does not require further training. Each module (Financial Aid, Admissions, etc.) usually has a view only role that can be requested without further training.
- What emails, from TSC, will I receive when I submit a CSS Security Access Request form?
  - When the TSC receives your request form and puts it into the system you will receive an email. This is just letting you know they have received your request.
  - When the functional leads have approved your request you will get another email. This lets you know that you have been approved, but now security has to do the physical work of setting up your access.
  - When your access is set up and you can log on you will receive a final email.
  - You may, at any time, receive an email letting you know your request was denied. You will always be given a reason for the denial. You will need to complete a new request form and submit again. You cannot make corrections on the old form and re-submit.
- I tried to send an email requesting the same access as my co-worker that worked with the old system, why can't you do that with CSS?
  - There is a structured approach to getting access that makes sure we can prove that every individual with access to CSS has the appropriate level of access. The basic parts are:
  - Supervisor approval: no matter who you are, someone must sign your request form as your supervisor. This first begins to establish your need for access and the appropriateness of the access you are requesting. It can also alert your supervisor that perhaps others in your area may also need this access in case you are absent.
  - Complete necessary training: everyone who wants access to the system needs to have some training. You may be familiar with CSS from a previous job, but we feel it is necessary for you to become familiar with how we use it here at BGSU. And if you have never used CSS then you will need a basic understanding of the whole system. This is important because what you do in the system can impact many other people throughout the whole system. Making changes in Financial Aid can impact Student Records, Bursar, etc. and you need to be aware of this.
  - You must ask for specific pre-defined roles. CSS uses a completely different security method than any of our old systems. It is important to understand the difference.
  - The old systems used a user-based approach. This means that access was assigned to each individual user, and changes to a person's access were made directly to that person's account. This is inefficient and requires lots of manpower, especially if changes need to be made to large groups of people.
  - Functional Lead approval: because CSS is a single integrated system, the functional leads must all review and approve all access requests. This is done to ensure that the appropriate level of access is assigned. Because what you do in one area can affect all other areas, all the functional leads need to be sure they understand what access you are being given.
  - Final Approval by Security and user setup: The ITS security team has the final approval. Please don't misunderstand this: if the functional leads approve your access, the security team will probably not deny it. They are looking for just a few specific things. The role must exist and there must be proper segregation of duties. The functional leads will check for this too, but security is just doing a final check in case something may have been missed.
  - This brings us to an answer to the question (finally)! If you say you want the same access as someone else, it gives the distinct impression that you do not know what access you are asking for, and the approvers do not know what access they are allowing you to have. If you list the roles you need then there is no question about what you are asking for, or what is being approved.
  - Another reason for not allowing this is that it is not a specific enough request. Does that mean wipe out all your current access and give you only what someone else has, or does it mean keep whatever access you may have and only add whatever else the other person has? The biggest problem with this is that there's no way to audit this. If you are given the same access as someone else, what do we do if that person's access changes? If an audit is done it will show that your access is no longer the same. The best way to avoid this situation is to ask for the specific roles you need.
  - And finally, if you copy someone else's request form and expect the same access you may be surprised to see that you don't get it. Please remember that the person could have submitted many request forms and has access beyond what was on the form you copied.
- Outline what happens when a CSS Security Access Request form is denied and give examples of reasons why a CSS Security Access Request form may be denied
  - You will be sent an email stating why the form was denied. A copy of your request form will be attached. You will need to fill out a new request form and submit the form. You cannot make corrections on the old form and re-submit.
  - For example, your form may be denied because the functional leads could not find proof that you completed training. Even if you can provide that proof, you must still submit a new form. The functional leads can't go back and approve a form once it has been denied. This is done because we must be able to provide a complete audit trail for every request form.
  - Asking for a role that does not exist: you don't need to have the role name spelled exactly right, but if it's not obvious it will probably get denied.
  - No Supervisor signature: every request form must be signed by your supervisor, no matter who you are. You can't sign as both the person making the request and the supervisor.
  - Supervisor Signature may not be valid: we are not trying to determine if the signature has been forged, but there are no University policies (outside the Office of the President) that allow the use of stamps or someone to sign on your behalf. Using stamps or signing someone else's name with your initials next to it will cause the form to be denied.
  - Asking for access just like person X: you must specifically list the roles you want.
  - Checking all boxes on the form: there are many roles because they each perform a different function. No single person will ever need all the roles.
  - Asking for all access that a person is qualified for: you must specifically list the roles you want.
  - Asking for the same access you had in the old system: there is no direct correlation to the old system.
  - Asking for access to a specific page or process: a page or process likely exists in multiple roles and we need to know which role you need.
- I would like specifics about Query training (both online and hands-on): explain the difference between Viewer and Manager, and what training is needed/required prior to requesting security access; how to request access.
  - Query Viewer will allow you to run predefined queries, but not edit them or create your own queries. There are two online training classes that you must pass before requesting access:
    - Fundamentals of Database Structure
    - Query Viewer
  - There is a class called Query Runner; this is an optional classroom based training class and is not required for any Query role.
  - Query Manager will allow you to run queries, as well as edit them and create your own queries. You must complete the two online query classes listed above, and then sign up for a two day hands on Query Manager training class. You must complete the two prerequisite classes before signing up for the Query Manager class.
  - Details for requesting Query Access roles are provided in all Query classes.
- Many times users request access to all courses (or take all courses available to them on MyBGSU) rather than just completing 1 specific course needed for their level of access. Just to specify that taking training and requesting access doesn't mean that level of access will be granted.
  - Completing a training class does not grant you access to anything. It is one part of the process of gaining access to the system. You must submit a request form asking for access.
  - If you need help filling out a security request form please contact one of the functional leads.
- The security forms are very confusing to me; how do I know how to fill them out?
  - If you need help filling out a security request form please contact one of the functional leads.
- How does access to the Student Center and Faculty Center happen?
  - Access to the Student Center is automatically given to all students and employees. If you have never applied to or taken classes at BGSU then you will not see anything in the Student Center.
  - Access to the Faculty Center is denied to all students, but automatically given to all employees. This includes student employees, so in that case students will have access to it. But it will only show information for the classes you are teaching, so if you are not an instructor it will remain blank for you. Remember, this access does not include the Advisor tab and you will not be able to look at any student information unless you are teaching a class.
- Who should I contact if I forget my password or lock my CSS account?
  - The TSC can unlock your account.
  - Your CSS password is the same as your Network (Windows) password: the same password you use to log on to your computer every day. The TSC can help you change that password if you forget it, but it will change your password everywhere.
- Who should I contact if I have questions about security?
  - If you are having a problem logging on or getting into the system, contact the TSC.
  - If you have questions regarding what kind of access you should request, please contact the appropriate functional lead.
Questions
For Inquiring Minds
For Project Information: bgsu.edu/bgat100
We Want Your Feedback
- Complete the evaluation form and place on table near exit door
Thank You!
- The BG_at_100 Project Team