There are two instances of the Solution Validation Environment, SVL and SVX. Both are in active use for security and business process testing purposes:

• SVL is currently in use by Deployment Group 2 colleges. In the future, Deployment Groups 4 and 6 will use SVL.
• SVX is for use Deployment Group 3 colleges. In the future, Deployment Group 5 will use SVX.

DG2 [Not yet in use for DG4 or DG6]:

SVL LINK:  https://pt-svl.peoplesoft-nonprod-aws.ctclink.sbctc.edu/ptsvl/signon.html

SVL DATA: The data in SVL is based on the snapshot taken during the Go-Live conversion weekend, Oct. 25 - 28, 2019.

Current Usage and Limitations:  DG2 colleges may use SVL to adjust security role assignments for individual staff who existed in the ctcLink system at conversion (Oct. 28, 2020).

The CS Pillar was updated to Image 15 to align with the Production environment; however, no data refreshes are scheduled for SVL until Deployment Group 4 Cycle #2 conversion is executed in April/May 2020.

If a refresh is desired by DG2 colleges this request can be entertained until such time as this environment is reverted to DG4 usage.  All DG2 college must agree on the refresh request for it to take place to avoid disrupting a college's activities in this environment.

DG3 [Not yet in use for DG5]:

SVX LINK:  https://pt-svx.peoplesoft-nonprod-aws.ctclink.sbctc.edu/ptsvx/signon.html

SVX DATA:  The data in SVX is based on a Nov. 8, 2019 snapshot taken during the Cycle #4 conversion activities. The Course Data was updated with a Dec. 10, 2019 snapshot from PS Production.

Current Usage and Limitations:  At this time, DG3 Colleges are to use SVX to apply security role assignments intended for production deployment for staff who had a job record in Legacy as of Nov. 8, 2019. The EMPLID numbers assigned to these employees are their permanent EMPLIDs.

No refreshes are scheduled for SVX until after Deployment Group 3B Go-Live is executed in early May 2020.
NOTE: The colleges deployed in DG3A have access to the CAG environment for their continued Solution Validation use.  This ensures that colleges in DG3B will retain their access to manage local security activities until their group's Go Live in May.  The DG3A colleges using CAG can soon access this environment using the same LDAP password as used in SVX.  DG3B college users do not exist in CAG as they were not part of that conversion.

DG3 colleges may also use SVX to work through college business processes using PeopleSoft, such as:

• Re-execute User Acceptance Tests in the SVX environment with a broader group of employees to gain a clearer understanding of how PeopleSoft will behave.
• Perform specific, repeatable tasks so individuals or departments can practice and develop a level of comfort in the system.
• Work through complex tasks for which the college has yet to define their local business process.
• Create local desktop procedures to ensure staff have post-Go-Live materials specific to their college.

College security team resources managing role assignment will require the  ZZ Local Security Admin role assigned for each pillar where role management will occur.  

Campus Solutions (CS)

The local security administrator role has navigation access to the following pages in the CS Pillar.  Not all pages are currently in use. Thes are noted in red and labele "not used." Where Quick Reference Guide (QRG) materials exist, they are linked.  Additional guides are being developed and links will be activated when complete.

• Launchpad > Launchpad
• PeopleTools > Security > Common Queries
• PeopleTools > Security > User Profiles > Distributed User Profiles
• Set Up SACR > Security > Secure Student Administration > CTC Custom > Document Security
• Set Up SACR > Security > Secure Student Administration > Process > Mass User Security Replacement
• Set Up SACR > Security > Secure Student Administration > Setup > User Security Replacement
• Set Up SACR > Security > Secure Student Administration > User ID:
  • 3C Group Security, Academic Institution Security, Academic Item Registry Admin, Academic Org Security, Academic Plan Security, Academic Program Security, Admissions Action Security, Advisement Report Security, Application Center Security, Enrollment Security, Graduation Status Security, Institution/Campus Security, Institution/Career Security, Milestones Security, Population Update Security, Program Action Security, Recruiting Center Security,  Service Indicator Security, Student Group Security, Test ID Security, Transcript Report Security,  Transcript, Type Security, APT Action Security (not used), CTM Transaction Security (not used), SEVIS Pgm Sponsor Security (future use - not currently used at colleges), SEVIS School Code Security (future use - not currently used at colleges).
• Set Up SACR > Security > Secure Student Financials > Process > Set Security
• Set Up SACR > Security > Secure Student Financials > User ID >
  • Business Unit, Credit Card and Bank Account, Institution Set, Item Type, Origin IDs, SetID, Student Institution Set
• Set Up SACR > User Defaults

Colleges organizing around this work will need to make the decision whether to centralize all pillars role management under a single resource, a group of resources or will separate out to a primary resource per pillar.  

For SACR Security, an additional set of roles exist that allows colleges to grant specific users the ability to 'View' the SACR Security Setup for users [ZD Setup SACR - WA Sec] or Add/Update SACR Security Setup [ZZ Setup SACR - WA] without having to grant them full access to local security administration tools with the ZZ Local Security Admin role.  

Colleges will need to determine locally how to organize around this work.

Financials/Supply Chain Management (FSCM)

This role has navigation access to in the FSCM Pillar:

• Launchpad > Launchpad
  • Using Launchpad to Produce a Security Matrix
  • Applying Roles Through Launchpad
• PeopleTools > Security > Common Queries
• PeopleTools > Security > User Profiles > Distributed User Profiles
• PeopleTools > Security > User Profiles > User Profiles
• Portal Objects > Navigation Collections > Accounts Payable Center > Definitions > Business Unit/Ledgers > User Preferences - Payables
• Portal Objects > Navigation Collections > Contracts Center > User Preferences
• Portal Objects > Navigation Collections > IT Asset Definitions Center > Resource Settings > Define User Preferences
• Portal Objects > Navigation Collections > Lease Administration Center > My Information > My Preferences
• Set Up Financials/Supply Chain > Common Definitions > User Preferences > Define User Preferences
• Set Up Financials/Supply Chain > Common Definitions > User Preferences > User Preferences Report
• Set Up Financials/Supply Chain > Product Related > Procurement Options > Purchasing > Buyer Setup
• Set Up Financials/Supply Chain > Product Related > Procurement Options > Purchasing > Requester Setup
• Set Up Financials/Supply Chain > Security > Grants Security

Human Capital Management (HCM)

The local security administrator role has navigation access to in the HCM Pillar:

• Launchpad > Launchpad
• PeopleTools > Security > Common Queries
• PeopleTools > Security > Permissions & Roles > Roles
• PeopleTools > Security > User Profiles > Copy User Profiles
• PeopleTools > Security > User Profiles > Distributed User Profiles

How Does Query Security Work?

To run a query, the role ZD_DS_QUERY_VIEWER is required in addition to the appropriate ZD_DS_QRY% query record role(s).

Navigation: NavBar > Navigator > Reporting Tools

The ZD_DS_QUERY_VIEWER role grants access to the following pages:

• Reporting Tools > Query > Query Viewer
  • Reporting Tools > Query > Schedule Query
  • Reporting Tools > BI Publisher > Query Report Viewer
  • Reporting Tools > BI Publisher > Query Report Scheduler
  • Reporting Tools > BI Publisher > BIP Report Search
  • Reporting Tools > Pivot Grid > Pivot Grid Viewer
  • Reporting Tools > PS/nVision > Define Report Request

Query Records and Access Groups

Queries are secured by Record. Query Trees are used to connect the query Records to security Roles via Access Groups.

For a user to run a query, in addition to the user having the ZD_DS_QUERY_VIEWER role, the records contained in that query must be associated to an Access Group on the query tree and the user must have the role associated to the Access Group. If the user does not have a role assigned to the associated Access Group, they will not see the query; in some cases, users may get an error message that they don’t have the access group to a specific record when a BI Report is attempted. Each Access Group is a logical grouping of data. The ctcLink system is grouped by module, for example FA, SR, AD, etc.

• Records can be in more than one Access Group
• Each Access Group is associated to a Role the begins with ZD_DS_QRY
• There are Access Groups/Roles that provide an additional layer security for highly sensitive data (Category 4 data) by module

Highly sensitive data includes:

• Bank Account Number
• SSN/National ID (contains SSN)
• Driver’s License Number
• Visa Work Permit Number
• Net Pay
• Garnishments
• Accommodations (Disability Status)
• Passwords
• Credit Card Number

• The Local Security Administrators (Rolename:  ZZ Local Security Admin) assign query access roles to users.
• In the Campus Solutions pillar, a user’s SACR Security assignments will limit rows returned in query results for the SACR secure areas.

Resources for Local Security team and College Data Owners

• \\nas-oly-1\common.it\Data_Services\ctcLink Reporting\Query Security\Role_QryRole_Dependencies.docx

Business Role and Query Role Dependencies

Certain Business Roles grant access to pages/components within PeopleSoft that are dependent upon Query access to data in the system.  In order for role to be effective it must be paired with a companion Query role to ensure the pages properly return the desired result.  Below are the business role and query role dependencies that exist in each pillar.

CAMPUS SOLUTIONS

Business Role:  ZZ FA CTC Reports

Query Dependency Role(s): ZD_DS_QRY_FA_SSN_HIGHSENS, ZD_DS_QRY_FINANCIAL_AID

Business Role:  ZZ SF Charges and Payments

Query Dependency Role(s): ZD_DS_QRY_SF_BANK_HIGHSENS, ZD_DS_QRY_STUDENT_FINANCE

Business Role:  ZZ SR NSC Reporting

Query Dependency Role(s): ZD_DS_QRY_SR_SSN_HIGHSENS, ZD_DS_QRY_STUDENT_RECORDS

HUMAN CAPITAL MANAGEMENT

Business Role:  ZD Benefits Reporting

1. Payroll for North America > CTC Custom > CTC Reports > Employee Tracking  Benefits
2. Payroll for North America > CTC Custom > CTC Reports > TIAA-CREF Over 6 Pct

Query Dependency Role(s): ZD_DS_QRY_BENEFITS

Business Role:  ZD TL Admin View Time

Payroll for North America > CTC Custom > CTC Reports > Hourly Earnings  Barg

Query Dependency Role(s): ZD_DS_QRY_TIMELABOR

Business Role:  ZZ Payroll Payment Processing

Query Dependency Role(s):

• ZD_DS_QRY_PAYROLL
• ZD_DS_QRY_PAY_BANK_HIGH_SENS
• ZD_DS_QRY_PAY_GARN_HIGH_SENS
• ZD_DS_QRY_PAY_NETPAY_HIGH_SENS
• ZD_DS_QRY_PAY_SSN_HIGH_SENS
• ZD_DS_QRY_PAY_VISA_HIGH_SENS

Business Role:  ZZ Recruiter

Query Dependency Role(s): ZD_DS_QRY_TALENT_MGNT

Depending on approval to Highly Sensitive data, these query roles may also need to be assigned:

• ZD_DS_QRY_TAL_MGMT_SSN_HI_SENS
• ZD_DS_QRY_TAL_MGMT_VISA_HISENS
• ZD_DS_QRY_TAL_MGT_ACCOM_HISENS

Business Role:  ZZ SS Payroll

Query Dependency Role(s):  ZD_DS_QRY_HRCORE

Depending on approval to Highly Sensitive data, these query roles may also need to be assigned:

• ZD_DS_QRY_HRCORE_DR_LI_HI_SENS
• ZD_DS_QRY_HRCORE_SSN_HI_SENS
• ZD_DS_QRY_HRCORE_BANK_HI_SENS
• ZD_DS_QRY_HRCORE_CRCRD_HI_SENS
• ZD_DS_QRY_HRCORE_ACCOM_HI_SENS
• ZD_DS_QRY_HRCORE_VISA_HI_SENS

FINANCE

Business Role:  ZZ Accounts Payable Reports

Query Dependency Role(s): ZD_DS_QRY_ACCTPAY, ZD_DS_QRY_BANKING_HIGHSENS

Troubleshooting Query Access Issues

Rolename required to see the Troubleshooting queries:  ZD_DS_QRY_SECURITY_TABLES

Troubleshooting Queries - Set 1:  

• QFS_DS_QUERY_RECORD_RPT
• QHC_DS_QUERY_RECORD_RPT
• QCS_DS_QUERY_RECORD_RPT

The first step is to review the records in the query and ensure they are assigned to a DS Query Tree Role.

1. Run the query QFS_DS_QUERY_RECORD_RPT to return the records in the query and verify they are in a ZD_DS_QRY% role.  The query prompts for the Query Name.

Columns Displayed:
Query Name: Title or Name of the Query.
Record: Records used in Query.
High Sensitive Indicator: Indicates the record contains a High Sensitive field and will need a High Sensitive role.
ZD DS QRY Role 1 = Y 0 = N:  Flag to indicate the Record is in a Data Services query tree role

• If there is a record with a 0 in this column, refer ticket to Data Services.  The record needs to be added to the appropriate tree and access group.
• If all records are 1 in this column then all records are assigned to a DS Query Tree role and we can move on to Step 2, verifying the specific user’s access to these records.

Troubleshooting Queries - Set 2:  

• QFS_DS_QUERY_RECORD_USER_RPT
• QHC_DS_QUERY_RECORD_USER_RPT
• QCS_DS_QUERY_RECORD_USER_RPT

2. Run the query QFS_DS_QUERY_RECORD_USER_RPT to return the roles associated with the records in the query and the User record access.  Query prompts for Query Name and User ID.

Columns Displayed:

Query Name:
Record:  records used in query
High Sensitive Indicator:  Indicates the record contains a High Sensitive field and will need a High Sensitive role.
Roleuser Record Access:  Indicates if the User has access to the record through a ZD_DS_QRY% role.
Role Name  Role that gives access to the record used in the query.

If the User has access to the record through a listed Role Name, then the Roleuser Record Access column will have the UserID populated.  If the Roleuser is blank, the User does not have access to that record and the roles that will grant access to the record are listed in the last column labeled Role Name. Normal approval processes at your College should be followed before assigning any new roles to a User.

Other helpful query and security related queries and are located in the SECURITY query folder:

FINANCE

• QFS_DS_QUERY_ROLE_USER_RPT - Query Viewer Role Users
• QFS_DS_QUERY_TREE_RECORD_RPT - Query Tree Groups and Records
• QFS_DS_QUERY_TREE_REC_USER_RPT - Query Tree Groups Records User
• QFS_DS_QUERY_TREE_USER_RPT - Query Tree Groups User
• QFS_SEC_USER_ROLES_BY_UNIT - Job Company Unit Prompt w Role
• QFS_SEC_ROLE_NAVIGATION_ACCESS - Role Navigation and Access Lvl

HUMAN CAPITAL MANAGEMENT

• QHC_DS_QUERY_ROLE_USER_RPT - Query Viewer Role Users
• QHC_DS_QUERY_TREE_RECORD_RPT - Query Tree Groups and Records
• QHC_DS_QUERY_TREE_REC_USER_RPT - Query Tree Groups Records User
• QHC_DS_QUERY_TREE_USER_RPT - Query Tree Groups User
• QHC_SEC_USER_ROLES_BY_UNIT - Job Company Unit Prompt w Role
• QHC_SEC_ROLE_NAVIGATION_ACCESS - Role Navigation and Access Lvl

CAMPUS SOLUTIONS

• QCS_DS_QUERY_ROLE_USER_RPT - Query Viewer Role Users
• QCS_DS_QUERY_TREE_RECORD_RPT - Query Tree Groups and Records
• QCS_DS_QUERY_TREE_REC_USER_RPT - Query Tree Groups Records User
• QCS_DS_QUERY_TREE_USER_RPT - Query Tree Groups User
• QCS_SEC_USER_ROLES_BY_UNIT - Job Company Unit Prompt w Role
• QCS_SEC_ROLE_NAVIGATION_ACCESS - Role Navigation and Access Lvl

Resources for Query Developers

https://www.sbctc.edu/colleges-staff/data-services/ctclink-peoplesoft-reporting.aspx

WHAT ROLE DO I NEED TO GET ACCESS TO THIS PAGE?

While all the pillars (CS, HCM and FSCM) use the same Security > User Profile component to manage security, the specific roles that exist within each pillar differ to support the tasks relevant to that pillar.  

To assist colleges in understanding which roles have access to a specific navigational path, a set of queries was developed to provide real-time specifics about roles in the system.

• CS Pillar: QCS_SEC_ROLE_NAVIGATION_ACCESS
• HCM Pillar: QHC_SEC_ROLE_NAVIGATION_ACCESS
• FSCM Pillar: QFS_SEC_ROLE_NAVIGATION_ACCESS

In order to run these Queries the user must have the following two roles in the User Profile for EACH pillar they want to run the Query in:

• ZD_DS_QRY_SECURITY_TABLES
• ZD_DS_QUERY_VIEWER
• ZZ Navigation Bar Access (Required in CS & HCM)

These queries have two run-time prompts:

• Navigation like (%Admit%)
  Enter a portion of a navigational path BETWEEN the percentage (%) symbols. In query, the percentage symbol (%) operates as a wild card, allowing one to search for a portion of a navigational path regardless of what is before or after the entered string.

The string entered must be in mixed case. For example, to search for any pages related to Admissions, do not enter %admissions% or the system will return no matching rows.  Instead enter %Admissions% to return all possible navigational paths containing the word Admissions:

_{Ciber Solutions > Online Admissions > Admissions Configuration > Reference Relationship Config
Campus Community > Student Services 2 - Hidden > Admissions Summary
Set Up SACR > Product Related > Recruiting and Admissions > Alternate Evaluations > Early Fin Aid Categories}

Or, enter a full navigational path, such as a path found in a Quick Reference Guide (QRG). For example, %Records and Enrollment > Enroll Students > Quick Enroll a Student%. When entering a full navigational path do not include the NavBar > Navigator> portion, and ensure that any 'greater than' symbol (>) used in the navigation has a space before and after.

• Role Name like % (optional)
  Enter Z% to run the query and return only the new 'Z' roles created with the security redesign, otherwise many deprecated 'CTC' roles which are no longer used (and are targeted for removal) will be returned in the results.

HOW CAN I SEE ALL THE ROLES ASSIGNED TO STAFF AT MY COLLEGE?

While the roles assigned to users in the SVX environment are the ones that will end up being deployed to Production at Go Live, you may want to dump down what roles were assigned to testers in the UAX or UAT environments for each pillar (CS, HCM and FSCM) and compare them to what has been assigned to users in the SVX environment.   

To assist colleges in seeing what users have been assigned, a set of queries were developed to provide real-time specifics about roles in the system.

• CS Pillar: QCS_SEC_USER_ROLES_BY_UNIT (Enter the Institution Code - e.g. WA130)
• HCM Pillar: QHC_SEC_USER_ROLES_BY_UNIT (Enter the Company Code - e.g. 130)
• FSCM Pillar: QHC_SEC_USER_ROLES_BY_UNIT (Enter the Finance Business Unit Code - e.g. WA130)

In order to run these Queries the user must have the following roles in the User Profile for EACH pillar (top 2 roles) they want to run the Query in, some pillars will require additional roles (see notations):

• ZD_DS_QRY_SECURITY_TABLES
• ZD_DS_QUERY_VIEWER
• ZZ Navigation Bar Access (Required in CS & HCM)
• ZD_DS_QRY_HRCORE (Required in HCM)

The following security related trainings are scheduled to be delivered for DG3 Colleges in preparation for finalizing security in the SVX environment.

Distributed User Profile Security

This training is being offered twice and will cover the following topics:

Provide Local Security Administrators guidance on managing the following security tasks using Distribute User Profiles, including -

• Assigning Primary and Row Level Security
• Assigning Process Profiles
• Portal Tile Access
• Role Assignments
• Running Queries to Find the appropriate roles or understand available navigation within a role.
• Running Queries to export user role assignments for each pillar for your institution.

Click to View the Meeting Recording - Tuesday 2/11/2020 -  1:00 PM - 2:30 PM

Click to View the Meeting Recording - Friday 2/14/2020 - 8:30 AM - 10:00 AM

Security for the Finance Pillar

This training is being offered twice and will cover the following topics:

• Business functions in the Finance Pillar and associated roles.
• Defining User Preferences in FSCM and associated roles.
• Applying Route Control Profiles, purpose and associated roles.

Click to View Meeting Recording - Wednesday 2/12/2020 9:00 AM- 10:30 AM

Click to View Meeting Recording - Friday 2/14/2020 2:30 PM-4:00 PM

Security for Financial Aid

This training is being offered twice and will cover the following topics:

• Business functions in the Campus Solutions Pillar for Financial Aid staff and associated roles.
• Setting up SACR Security and associated roles.
• FAM Dual Processing roles for FA Staff.

Click to View Meeting Recording - Thursday 2/13/2020 - 10:00 AM - 11:30 AM

Security for Student Financials in the CS Pillar

This training is being offered twice and will cover the following topics:

• Business functions in the Campus Solutions Pillar for Student Financials staff and associated roles.
• Setting up SACR Security and associated roles.
• FAM Dual Processing roles for SF Staff.

Click to View Meeting Recording - Friday 2/14/2020 - 1:00 PM - 2:30 PM

Security for HCM Pillar

This training is being offered once and will cover the following topics:

• Business functions in the HCM Pillar for HR/Payroll staff and associated roles.
• HCM Manager role application.
• Special Primary Permissions Lists for Time Administrators.
• UPDATED SLIDE DECK - NOW INCLUDES SCREEN SHOTS FOR HOMEPAGES AND QUERY ROLES

Click to View Meeting Recording - Wednesday 2/12/2020 - 3:30 PM - 4:30 PM

Security for CS Core

This training is being offered once and will cover the following topics:

• Business functions in the Campus Solutions Pillar (curriculum management, advising, enrollment, admissions, etc.) and associated roles.
• Setting up SACR Security and associated roles.

Click to View Meeting Recording - Friday 2/14/2020 10:00 AM - 12:00 PM