SIS Security with Directory Services - PowerPoint PPT Presentation

Slides: 45
Provided by: syste4
1
SIS Security with Directory Services
  • LaVonn M. Creighton
  • VCCS Information Security Officer
  • March 7, 2001

2
CONTENTS
  • SIS Security with Directory Services
  • SIS On-Line Security
  • SIS Sign-on
  • SIS Operator Classes
  • SIS Model Operator Ids
  • Securing Student Administration
  • Securing Student Financials
  • Directory Services
  • Directory
  • Directory Manager
  • CAAM
  • SA HTML Access (SIS web)
  • How It All Works: An Example

3
SIS On-Line Security
  • Security that controls the data customers are
    able to access while in SIS. The secured details
    include:
  • Table/columns access via menus/panels/actions.
  • Row level access via Security records used as
    either search records or F4 prompt tables.
  • Field level access via PeopleCode or custom
    panels.

FOR MORE INFO...
Refer to the VCCS web document SIS Online
Security Guidelines
4
SIS Sign-on
  • SIS Operator Ids
  • Maximum of 8 characters in length (must start
    with alpha character).
  • Must be unique.
  • All operator ids are linked to a class to
    obtain similar attributes. Can be linked to more
    than one class.

5
Cont. SIS Sign-on
  • SIS Passwords
  • Maximum of 8 characters in length
  • Password will be customer's pin number for SIS
    only (online web). The same pin number will be
    used for the IVR system. This is a future
    enhancement by the Utility.

6
SIS Operator Classes
  • Operator classes are used to organize customers
    into groups with common access rights.
  • Operator Classes consist of:
  • Business process map
  • Background disconnect interval
  • Time-out minutes
  • Signon times
  • Menu items
  • Process security groups

FOR MORE INFO...
Refer to the VCCS web document Instructions -
Creating SIS Security Classes.
7
Business Process Map
  • A graphical representation of all the activities
    that make up the business process. Arrows show
    the relationships between the activities,
    indicating any dependencies in the sequence of
    activities.
  • Currently all VCCS classes are defined using the
    business process map for a function area or the
    Student Administration business process map.

8
Background Disconnect Interval
  • The amount of time before a disconnect gets
    issued for any instance of SIS that becomes an
    icon or moves to the background. It is used to
    free up resources that would otherwise be used to
    keep a database connection active for every open
    instance of PeopleTools.
  • Currently all VCCS classes are defined with a
    background disconnect interval to never
    disconnect.

9
Time-out Minutes
  • The number of minutes of inactivity allowed at a
    desktop before the system automatically signs you
    off of the SIS online system. Inactivity means
    no mouse clicks, keystrokes, import, file print
    or SQL activity.
  • Currently all VCCS classes are defined with
    time-out minutes to never time-out.

10
Signon Times
  • Signon days and times a customer is authorized to
    signon to the SIS online system.
  • Currently all VCCS classes are defined with the
    signon times being 24 hours a day for Sunday
    through Saturday.

11
Menu Items
  • Menu items represent panel groups
  • Authorize access to the parent panel by granting
    access to the application or PeopleTool program
    in which that panel resides.
  • Select the desired menu items and desired actions
    (add, update/display, update/display all,
    correction, display only).

12
Process Security Groups
  • Groups of process definitions (one or more)
    created using Process Scheduler; this gives
    access to particular batch processes (jobs) or
    reports.
  • Currently all VCCS classes are defined using all
    process groups that come defined with SIS.

13
Multiple Classes
  • When an operator id has multiple classes, one
    must be designated as the primary class. When an
    operator id is linked to multiple classes,
    permissions are inherited as follows:
  • Menu Items: All classes. If any class specifies
    full access to an item, the operator has
    full access, even if other classes define it
    as display only.
  • Signon Times: All classes. The earliest start
    time and the latest end time are used for
    overlapping times.

14
Cont. Multiple Classes
  • Process Groups: All classes, but each process will
    use the primary class's process profile
    parameters.
  • Business Process Map: Primary Class
  • Background Disconnect: Primary Class
  • Time-Out Minutes: Primary Class
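
The inheritance rules on the two "Multiple Classes" slides, worked through as an added Python example (not part of the original presentation or of PeopleSoft). The class ADMISS01, the menu item and process group names, the two-level access model and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

LEVELS = {"display only": 0, "full": 1}  # assumed two-level model of menu access

@dataclass
class OperatorClass:
    name: str
    menu_items: dict      # menu item -> "display only" | "full"
    signon: dict          # day -> [(start_hour, end_hour), ...]
    process_groups: set   # process profile parameters are not modelled here
    bp_map: str           # business process map
    bg_disconnect: int    # minutes; 0 = never disconnect
    timeout: int          # minutes; 0 = never time out

def merge_windows(windows):
    """Collapse overlapping (or touching) windows to earliest start / latest end."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def effective_access(primary, others=()):
    menu, signon, groups = {}, {}, set()
    for cls in (primary, *others):
        for item, level in cls.menu_items.items():
            # Most permissive level across all linked classes wins.
            if LEVELS[level] > LEVELS.get(menu.get(item), -1):
                menu[item] = level
        for day, wins in cls.signon.items():
            signon.setdefault(day, []).extend(wins)
        groups |= cls.process_groups
    return {
        "menu_items": menu,
        "signon": {d: merge_windows(w) for d, w in signon.items()},
        "process_groups": groups,
        # The remaining three attributes come from the primary class only.
        "bp_map": primary.bp_map,
        "bg_disconnect": primary.bg_disconnect,
        "timeout": primary.timeout,
    }

# Constructed sample data; only the class name STUREC01 appears in the slides.
STUREC01 = OperatorClass("STUREC01", {"STUDENT_RECORDS": "full", "ADMISSIONS": "display only"},
                         {"Mon": [(8, 17)]}, {"SR_REPORTS"}, "STUDENT_RECORDS_MAP", 0, 30)
ADMISS01 = OperatorClass("ADMISS01", {"ADMISSIONS": "full"},
                         {"Mon": [(7, 12), (16, 19)], "Sat": [(9, 12)]}, {"AD_REPORTS"}, "ADMISSIONS_MAP", 0, 0)

if __name__ == "__main__":
    print(effective_access(STUREC01, [ADMISS01]))
```

With STUREC01 as primary, linking ADMISS01 raises ADMISSIONS from display only to full and widens Monday sign-on to 7 through 19, while the time-out stays at the primary's 30 minutes; swapping which class is primary changes only the last three attributes.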

15
Initial Setup of Classes
  • Initially, SIS will be set up with some classes
    defined based on job functions determined by the
    SIS modules or created by the various SIS
    Workgroups:
  • Admissions
  • Student Records
  • Financial Aid
  • Student Financials
  • Campus Community
  • Advisement

FOR MORE INFO...
Refer to the VCCS web document Creating SIS
Security Classes
16
Cont.
  • Colleges can share the classes created in SIS.
    For example, a student records person at JTCC may
    look at the same panels with the same authority
    (add, update/display, etc) as a student records
    person at NRCC.

17
Form Creating SIS Security Classes

Class Description
FOR MORE INFO...
Refer to the VCCS Creating SIS Security Classes
Form Creating SIS Security Classes.
18
Cont.
  • College Actions
  • College should review list of VCCS standard
    classes to see if a new class is necessary.
  • If a new class is needed, complete the form
    giving a description of the class and submit to
    VCCS Information Security Officer
  • Once class approved, VCCS Information Security
    Officer will create the class, give you the name
    of the class and let you have access to the class
    to test.
  • Once class has your approval, it will be added to
    the list of VCCS standard classes.

19
Number of Classes
  • The number of classes defined in SIS should be
    minimized because increasing the number of
    classes will negatively impact performance and
    increase the complexity and time required to
    administer customer level security.

20
SIS Model Operator Ids
  • Model (generic) operator ids are created for the
    different types of VCCS customers.
  • Examples can be JTSTUREC (student records for
    JTCC), NRADMISS (admissions for NRCC), etc.

FOR MORE INFO...
Refer to the VCCS web document Instructions
Creating SIS Operator Level Security.
21
Cont.
  • The model operator ids created will be unique for
    each college. The model operator ids will
    reflect the security desired for the Student
    Administration or Student Financials portion of
    the SIS system. For example, the Academic
    Institution Security or Academic Program Security
    would be different for JTCC and NRCC. Some model
    operator ids could be JTSTUREC, NRSTUREC, etc.
  • The model operator ids will be linked to an
    operator class.

22
Form Creating SIS Model Operator Ids

Model Operator Id Name
Class Name
FOR MORE INFO...
Refer to the VCCS web document Creating SIS
Model Operator Ids.
23
Cont.
  • College Actions
  • College Set-up must be complete in order to
    obtain the required values for security.
  • Complete the model operator id form and submit it
    to the VCCS Information Security Officer.
  • Supply the model operator id name on the form -
    maximum of 8 characters and should start with 2
    letter college code and be descriptive (if
    possible).
  • Class name should come from the VCCS standard
    classes (could be new class previously created by
    class form).

24
Securing Student Administration
  • Securing the Student Administration System
    involves the following:
  • Securing the academic structure
  • Securing the academic organization
  • Securing admissions
  • Securing student records
  • Securing 3C groups
  • Securing service indicators
  • Values come from the model operator id

25
Enrollment Security
  • Enrollment access ids are used to define
    enrollment functions and select allowable
    enrollment overrides. The Enrollment access ids
    are attached to model operator ids.
  • The enrollment overrides will be available on the
    Enrollment Request panel for operator ids.

26
Cont. Enrollment Security
  • Currently there are two enrollment access ids
    available for VCCS use:
  • FULL: access to enroll, enroll with permission,
    drop, drop with permission, grade basis change,
    unit change, wait list change, grade add, grade
    change and repeat coding at any time. Ability to
    do all overrides.
  • RSTR: access to enroll and drop any time.
    Cannot do any overrides.

27
Securing Student Financials
  • Securing Student Financials involves the
    following:
  • Setting unit security
  • Setting item type security
  • Setting SetId security
  • Setting up company security
  • Setting credit card security
  • Setting origin security
  • Security assigned by class.
  • Values come from the model operator id

28
Directory Services
SIS
29
Cont.
  • Applications involved in Directory Services for
    SIS Security:
  • Directory
  • Directory Manager (DM)
  • Customer Account Administrative Manager (CAAM)

30
Directory
  • An Oracle database with the following base
    information:
  • Name: LaVonn Creighton
  • Type: Staff
  • Authority to access SIS
  • Userid
  • Password
  • Pin Number
  • Employee Id: 420145
  • SISCopyId (Model Operator Id created from
    form): JTSTUREC

31
Directory Manager
  • Directory is loaded from SIS (PeopleSoft).
  • Directory Manager is a Developer/2000 client
    application used to update records in the
    Directory on an individual basis. A logon id and
    password are needed to enter the application.

32
Cont.
Customer Data
33
Cont.
SIS Model Operator ID
Application Data
34
CAAM
  • Customer uses the CAAM to create their own
    customer id and password.
  • Customer id and password will be used for all
    future VCCS applications, the first application
    being SIS.
  • Customer also creates their pin number through
    the CAAM. Pin number will become the customer's
    SIS password. Pin number is also needed to use
    the IVR system (future enhancement).

35
Create Pin Number for Account
36
Add Customer Id/Password
37
SA-HTML (WEB)
  • Customers using the SIS web create their own
    operator ids/passwords (pin number) through the
    CAAM.
  • All students will be given a default SISCopyid of
    STUDENT that has security access to perform the
    student roles from the web.

38
How It All Works: An Example
  • SIS model operator id of JTSTUREC has been
    previously created in SIS (from the completed
    model operator id form).
  • JTSTUREC has SIS security for the JTCC
    institution, JTCC careers, JTCC programs, JTCC
    academic organizations, etc.
  • STUREC01 class previously created in SIS with
    access to all the student records menu items,
    process security groups, etc.
  • JTSTUREC model operator id is linked to the
    STUREC01 class.

39
Cont.
  • Customer LaVonn uses the CAAM to create a
    customer id of LAVONN, password of TEST and pin
    number of 1234.
  • Customer id LAVONN will get internal SIS
    security (institution, careers, programs,
    academic organization, etc.) from model operator
    id JTSTUREC. JTSTUREC value comes from the
    Directory.
  • Customer id LAVONN will get all attributes from
    the STUREC01 class (business process map,
    background disconnect interval, time-out minutes,
    signon times, menu items, process security
    groups).

40
Cont.
  • Any other customers at JTCC that are student
    records personnel can use the same JTSTUREC model
    operator id. This makes security administration
    easier, because all security attributes will be
    copied from JTSTUREC to all student records
    personnel at JTCC.

41
Directory Updated
  • Directory now shows customer has the following
    information:
  • Name: LaVonn Creighton
  • Type: Staff
  • Authority to access SIS
  • Userid: LAVONN
  • Password: TEST (masked in DM)
  • Employee Id: 420145
  • Pin Number: 1234 (masked in DM)
  • SISCopyId (Model Operator Id created from
    form): JTSTUREC

42
Message Broker
  • Once information is entered in the CAAM and
    verified successful, the customer id, password
    and pin number are passed to the Directory. If
    the customer has SIS access, the userid and pin
    number (as the password) are then passed into
    SIS. The passing of information from one
    application to another is done with the message
    broker from ActiveSoftware.

43
Successful
  • Customer LaVonn can now go to PeopleSoft and
    logon with the customer id of LAVONN and a
    password (pin number) of 1234. The CAAM can
    also be used to change the password and/or pin
    number.

44
  • QUESTIONS?