Federal Policy Information:

Federal HR policies for higher education primarily concern compliance with regulations like adherence to non-discrimination laws for federally funded institutions. 

• Non-Discrimination Laws: Institutions receiving federal funds must comply with laws such as Section 503 and VEVRAA, requiring adherence to non-discrimination and equal employment opportunity (EEO) reporting. Provides an overview of non-discrimination laws associated with onboarding, such as job assignments, promotions, pay and benefits.

State & Local Policy Information:

• WAC 131-16-080: Washington State Legislative Policy on General standards of qualifications for community and technical college personnel.
• WAC 131-16-091:  Additional expectations to establish candidates for appointment meet or exceed standards in their areas of specialization out lined.
• WAC 131-16-092: Maintaining and improving certification competencies for professional-technical administrators and instructors
• WAC 131-16-093: Types of professional-technical education certificates. (upon hire)
• WAC 131-16-094: Certification process for professional-technical instructors.
• Faculty Collective Bargaining Agreements available for review on our SBCTC website.
  • Each college provides their latest collective bargaining agreement to SBCTC to be posted to the website.
  • Per OFM, in accordance with RCW 43.88.583(3) colleges that have provided their collective bargaining agreements can find those on the OFM site as well.
• Classified Community College Coalitions Collective Bargaining Agreements available on the OFM website:
  • WFSE Community Colleges
  • WPEA Community Colleges

Security IT Assets - OCIO Policy 141.10 [Link to Policy Document]

Effective Date: November 13, 2017

The state has a fiduciary responsibility to protect the IT systems, applications and data entrusted to it by its citizens. Therefore, it is necessary to take appropriate measures to ensure the security of these public IT assets.

Key Policy Call-Outs:

Responsibly protecting public IT assets is made possible through an enterprise approach to
security in state government that:

1. Recognizes an interdependent relationship among agencies, such that strengthening security for one strengthens all and conversely, weakening one weakens all.
2. Assumes mutual distrust until proven friendly, including relationships within government, with trading partners, and with anonymous users in a least-privilege approach to access control.
3. Supports industry standards where applicable.

See Also:
Policy No. 143 - IT Security Incident Communications
Appendix C: IT Security Non-Compliance/Deviation Form
Media Handling and Data Disposal Best Practices

• Manager Notifies HR of Hiring Selection: Opportunity for Alignment
  • Some colleges use Manager Self-Service for the hiring notification, other colleges do not allow Managers to make the request through MSS, but instead require the manager to notify HR outside of ctcLink (via phone, email etc.).
  • New Position: Position is approved and created using Position Management:
    • QRG: Manager Initiated - 9.2  MSS - Position Management - Fluid
    • QRG: HR Administrator Initiated - 9.2 Position Management - Fluid (New, Clone, & Updates)
  • Hire Into Exist Position: Position is updated to reflect new hire:
    • QRG: Manager Initiated - No QRG
    • QRG: HR Administrator - 9.2 Position Management - Fluid (New, Clone, & Updates)

• HR Enters Person Record and Enters Job Record (Employment Instance) & Set Primary Job Flag:
  • Regular Employee:
    • QRG: Add a Person (Search/Match Information)
    • QRG: 9.2 Hire a New Employee
    • QRG: 9.2 Use DRS Calendars (Assign employee to a specific DRS calendar)
  • Volunteer Employee (College Pays L&I Benefit):
    • QRG: Add a New Employee and Job Instance with Volunteer
  • Person of Interest:
    • Instructional Staff (Not Paid Through HCM)
      • QRG:Add an External Instructor/Person of Interest (POI) in HCM
    • Volunteers (College Does Not Pay L&I Benefit)
      • QRG:Hire a Person of Interest (POI)
  • HR either notifies Supervisor of EMPLID to provide to the new employee to help them activate their account or HR works directly with employee.
    • QRG: Okta - Activating Your ctcLink Account
    • QRG: Okta - Multi-Factor Authentication

After the initial job data record is established other departments can commence their onboarding procedures, such as the IT Helpdesk and Local Security Administrators.

When and employee is hired into the Washington State Community and Technical College system they may or may not have an existing security User Profile. 

• If the employee has never worked at a college in our system, then the ctcLink system will automatically generate a User Profile with a standard set of security roles applied to all employees.
• If the employee was formerly a student, they will have a User Profile in the Campus Solution (CS) pillar and Portal (ctcLink Gateway) only. Once a job data record is added, a scheduled process will automatically create a User Profile in the HCM and FSCM pillars.
• If they currently or previously work at another college in our ctcLink system, they will already have an existing User Profile in Portal (ctcLink Gateway) and all three pillars (HCM, FSCM and CS).
  • If the employee worked for and separated from a college before that college converted they will NOT have an existing User Profile and from a security stand-point will be treated as if the employee had never worked at a college in our system.
  • If the employee previously worked for another college in our system and separated fully they will have an existing User Profile with a ZZ Former Employee role, which will be removed automatically once an active job record exists again. In those situations, the ZZ Peoplesoft User and ZZ_EMPLOYEE roles will need to be manually added the by LSA.

Once the initial User Profile exists, additional updates are made to that profile setup data and page access. Some of this work can be done using automation of security role loading, but all User Profiles will require some level of manual maintenance to ensure access setup is complete:

• QRG: Assigning Roles to Users and General Tab Information
• QRG: 9.2 Security - Using Launchpad to Copy User Roles

Many employees only require base access to the system to enable their standard employee access for things like:

• Accessing Employee Self-Service for Submitting Leave Requests, Time Reporting, Maintaining Personal Information, Viewing Payroll Advices and W2s in HCM and Expense Reporting in Finance.
• Accessing Faculty Center or Advising Center (dynamically applied).

For ALL employees, once a User Profile exists, some additional adjustments are necessary for that profile to function for ctcLink system access:

• Start in the HCM Pillar Distributed User Profile, all relevant data will synchronize to the other pillars.
• Ensure User Profile is not locked (can occur if separated from another college).
• Set Primary and Row Level permission lists in HCM and FSCM to allow access to the primary college's data.
• Ensure the Email Address is updated to college issued email account.
• Verify Description (employee name) meets employee's expectation for Preferred Name.
• Verify Portal Institution (tile access) and Pillar Link Roles are assigned to Pillars where employee requires access.
• Verify base employee roles exist [ZZ Peoplesoft User, ZZ_EMPLOYEE, ] for "Former Employees."

However, employees who work in an administrative capacity, using ctcLink pages to perform their job duties, will require additional security roles to access those pages and likely some form of secondary security setup in either FSCM or CS. 

For those that require additional security role access, including access to menu or extra tile based navigations:

• Start in the HCM Pillar Distributed User Profile, all relevant data will synchronize to the other pillars.
• Set Process Profile [CTC_PT_PRCSPRFL_STAFF] for the process scheduler, for users who will schedule processes to run.
• Each pillar will need unique access setup performed to fully establish the employee's access. 

Opportunity for Alignment When a new employee is hired, they typically won’t know what access they need. Their supervisor, who understands the job duties, is best positioned to determine the required page access. Each college has its own process for enabling supervisors to request role access. Regardless of the method, the supervisor must identify the access needs and inform the Local Security Administrator. Ideally, the employee should complete relevant training courses before access is granted, though practices vary by college.

Supervisor Decision Based Role Assignments (by pillar):

• Supervisor Determines Job Based Role Assignments (All Pillars).
• Supervisor Determines If Employee Falls within a Standard (Templatized) Responsibility Set (e.g. Budget Manager) and Communicates this to LSA the applicable Role Grouping Template to apply using the Copy function.
  • QRG:  9.2 Security - Using Launchpad to Copy User Roles
• Supervisor Determines Appropriate Approval Responsibilities for HR/FIN Workflows (If Manager) in HCM and Finance.
• Supervisor or LSA Confer with Secondary Approvers (If Applicable) for Secure Area Role Access
  • Secure areas of Financial Aid page access
  • Secure areas of Student Financial page access
  • Secure areas of Human Resources page access
  • Secure areas of Financial data or access
  • Query Highly Sensitive Data access (viewing SSN, Date of Birth, Banking etc.)
  • Masking level in CS, unmasking PII capabilities in Finance.
• Determine if the new employee has Local Security Administrator responsibilities.
  • If so, contact SBCTC Support to request LSA access to be role applied. Not a role on the college role grant list.

Does this show evidence that they are currently or were previously employed at another college?    

• Determine if User has 'Active' job at another institution: Opportunity for Alignment
  • QRG: 9.2 Employee HR Status System-wide
  • If 'Active' at other college, LSA assess role assignments for SOD conflicts at YOUR college. Contact support if unique User Profile is required for YOUR college.
    • Evaluate the Employee job data in HCM and determine if YOUR college is the Primary College to assign the college Business Unit Primary & Row Security.
  • If they are no longer active at the other college, were they properly Off-Boarded?
    • If NOT properly Off-Boarded - Contact Other College to Ask for Proper Off-Boarding.   

How colleges are working with each other to confirm proper offboarding at the prior college and discern the individual access needs at each college and where they overlap or cause conflicts is currently a local decision. The task force will likely want to address this as a more globally defined recommended "Best Practice" to ensure consistency.

• [Primary College] Assign Primary Permission List and Row Level Permission List to unlock data access for your college.
  • If the employee is in a position of Time Administrator, Apply Row Level Security Permissions [CTC_nnn_TL_SUPERUSER].
  • Is Employee a Time & Labor Administrator for Another College?
    • Employees Can ONLY be TL Super User at ONE College in a User Profile - Contact Customer Support
• If the employee works in the HCM Pillar, Add HCM Base Admin Staff Access Roles:
  • ZZ Navigation Bar Access [HR/Payroll Staff, Managers Needing Query Access]
• If the college uses Talent Acquisition Management (TAM), all supervisors will have the hiring manager role applied dynamically.
  • ZZ Hiring Manager [dynamically applied at TAM active colleges]
• If the college uses Talent Acquisition Management (TAM), any employee who might be engaged in an interview panel will need the Interested Party role.
  • ZZ Interested Party[TAM active colleges] Opportunity for Alignment
    • Seattle District has this role applied dynamically to all employees. Other colleges have opted to apply this role manually.
• Apply Supervisor Approved Roles, including Approval Workflow Related Roles as appropriate.
• HR Director Determines Approval Responsibilities in HR Related Workflows:
  • These are processes where someone from the HR office must be involved in an approval process. Determining who in the HR office holds that responsibility is determined by the person in a leadership role in the HR office.
  • Determine if User is an Approver of Position Profile
  • Determine if User will be a 'Delegate' for Managerial Approvals (manually assigned ZZ HCM Manager role)
  • Determine if User is a FWL Contract Approver (if college participates)

• Supervisor Determines If Employee Falls within a Standard (Templatized) Responsibility Set (e.g. Registrar, Cashier) and Communicates this to LSA the applicable Role Grouping Template to apply using the Copy function.
  • QRG:  9.2 Security - Using Launchpad to Copy User Roles
  • QRG: CS 9.2 Default Roles and Masking Options for All Admin Campus Solutions Users
  • Former/Current Students with Existing User Profile: - Add Campus Solutions Base Admin Staff Access Roles (if missing):
    • ZZ SACR User Defaults
    • ZZ Navigation Bar Access
    • Verify base employee roles exist [ZZ Peoplesoft User] for employees who had a User Profile as a student prior to employment.
• Apply Requested SACR Security - LSA Coordinates with Supervisor on Appropriate SACR Security Settings
  • QRG: CS 9.2 SACR Security: Basic Requirements for Staff
  • QRG: CS 9.2 SACR Security:  3Cs Group Security
  • QRG: CS 9.2 SACR Security - Academic Program Security
  • QRG: Admissions Action Security
  • QRG: CS 9.2 - SACR Security: Enrollment Security
    • Verify with Supervisor if user has any Global Impacting SACR Security Settings from another institution.
  • QRG: CS 9.2 - SACR Security - Graduation Status Security
  • QRG: CS 9.2 - SACR Security: Milestone Security
  • QRG: CS 9.2 SACR Security - Service Indicator Security
  • QRG: CS 9.2 SACR Security: Student Groups
  • QRG: CS 9.2 SACR Security: Program Action Security
  • QRG: CS 9.2 - SACR Security: Test ID Security
    • Verify with Supervisor if user has any Global Impacting SACR Security Settings from another institution.
  • QRG: 9.2 CS Security - Using Launchpad to Copy SACR Settings
• Assign Primary + Row Level Security Permissions for Masking Rights, as defined by supervisor approval.
• Confirm that the user role assignments do not create a Segregation of Duties (SoD) conflict:
  • QRG: 9.2 Segregation of Duties Query - Campus Solutions
• Verify Permission List to grant access to Process Scheduler (CTC_PT_PRCS_PRFL_STAFF). This Permissions List will synchronize from HCM; however, this may be missing for those who had a student profile prior to employment.

In the HR Onboarding Process, under Faculty Setup, an instructor must be added to the Instructor/Advisor Table. Once that task is completed, the system dynamically assigns 
ZZ Faculty or ZZ Advisor roles, depending on how they were added to that table. If the employee already works as an instructor at another college in our system, they may already have an entry on this table and therefore may already have these security roles applied.    

• QRG: Verify Instructor on Instructor/Advisor Table
• QRG: 9.2 Add an Instructor to the Instructor/Advisor Table

After confirming that the instructor/advisor has the basic Instructor/Advisor table entry, each college determines if they require any additional page access to optimize their engagement with students:

• QRG: CS 9.2 - Advisors - Dynamic Role Access, Masking and Optional Role Recommendations

• [Primary College] Assign Primary Permission List and Row Level Permission List to unlock data access for your college.
• Assign Permission List to grant access to Process Scheduler (CTC_PT_PRCS_PRFL_STAFF).
• If campus email address is created AFTER the User Profile is built AND your college is the Primary job, verify the Email Address updated in HCM has synchronized to Finance for approval workflows.
• LSA applies supervisor determined roles and if Employee falls within a Standard (Templatized) Responsibility Set (e.g. Fiscal Analyst) LSA can load the applicable Role Grouping Template to apply using the Copy function.
  • QRG:  9.2 Finance Security Guide
  • QRG:  9.2 Security - Using Launchpad to Copy User Roles
• Confirm that the user role assignments do not create a Segregation of Duties (SoD) conflict:
  • QRG: 9.2 Segregation of Duties Query - Campus Solutions
• Apply Route Control profile for Business Unit.
  • QRG: 9.2 FSCM Security -Workflow Approval Roles in Finance
  • If active at another college, add your college's BU to the list of existing values for Route Control.
• Assign User Preference Definition decisions made by employee's supervisor and Finance Pillar Secondary Security Lead.
  • QRG: Manually Assign FS User Preferences
  • QRG: 9.2 FSCM Security - Using Launchpad to Copy User Preference Definition Settings
  • QRG: 9.2 FSCM Security - Process Groups 
• Determine if the employee requires some level of Budget Security for Commitment Control:
  • QRG: Budget Security 

If the job transition is due to the employee be hired for a second job as an instructor:

• Add Instructor to Instructor/Advisor Table for your Institution (may already exist if user works at another college, but must exist at your college or cannot be paid)
• System Dynamically Assigns ZZ Faculty or ZZ Advisor role (if does not already exist)    

• Old and New Supervisors Agree to Any Possible Lingering Job Duties (slow transition)
• New Supervisor Determines Job Based Role Assignments (All Pillars) that pertain to specific job
• Determine the key queries needed to be executed for the new position, assess the roles needed by running the Query Qxx_DS_QUERY_RECORD_USER_RPT to identify by User Profile Query Roles Required to Run each Query.
• CS: Supervisor Determines Appropriate SACR Security Settings 

• Determine if User is a Time and Labor Administrator [Can ONLY be TL Super User at ONE College in a User Profile]
• Determine if User is an Approver of Position Profile
• Determine if User will be a 'Delegate' for Managerial Approvals (manually assigned ZZ HCM Manager)
• Determine if User is a FWL Contract Approver (if college participates)

• Assess if the user has a User Preference Setup for another BU. If so, determine which college is the Primary BU.
• Establish Employee as Requestor/Buyer (if applicable)
• Establish PCard Security (if applicable)
• Define Approval Authority Values for Employee (Requisition, PO, Voucher)
• Review User Preference Decisions Made by Supervisor
• Expense Traveler Profile - If user has a profile for another college, determine which college is Primary.
• Commitment Control/Budget Security 

• FIN: Supervisor in Collaboration with Finance Office/Business Analyst Determines Appropriate User Preference Definition Settings
• FIN: Review Approval Authority Associated with the Position (Req, PO, Voucher)
• FIN: Review Req and PO Entry Needs (may be done by Finance or Admin Staff)
• FIN: Supervisor Determines Additional Secondary Security Needs (PCard, Requester, PO, Travel, Voucher, Commitment Control, Treasury, Grants)
• Yes    HCM/FIN: Supervisor Determines Appropriate Approval Responsibilities for HR/FIN Workflows (If Manager)
• HCM: HR Director Determines Approval Responsibilities in HR Releated Workflows
• "Route for Secondary Approvals (If Applicable) for Secure Area Role Access (e.g. FA, SF, HR, FIN, Query Highly Sensitive Data)"    

• Determine if User has 'Active' job at another institution. If NOT, were they properly Off-Boarded?
• If NOT properly Off-Boarded - Contact Other College to Ask for Proper Off-Boarding.
• If 'Active' at other college, assess role assignments for SOD conflicts at YOUR college. Contact support if unique User Profile is required.