Local Security Management Sessions - DG5

Purpose: This guide has been developed to provide a single location for all security matrix mapping related activities. As presentation decks are published they will be posted.  As meeting recordings are processing by WebEx and made available the recording links will become active.  

Schedule, Meeting Notes and Recordings for Recent and Upcoming Security Support Sessions

Want a question covered in an upcoming meeting?  Contact Bill Ramirez to get it on our agenda for an upcoming Support session: BRamirez@sbctc.edu

4/15/21: Answering Questions from Kick-Off and Helping Folks Get Started on the Workbooks
4/22/21: Help on Identifying UAT Testers in the Security Workbook
4/29/21: Support on Identifying UAT Testers - Special Focus on Approvers
5/6/21: Follow-Up on Self-Paced Security Training Module 1
  • Pre-Requisite: Make sure you have gone through Module 1 and passed the module test prior to attending.
  • Come prepared to login to SVX.
  • Meeting Recording
  • Meeting Notes
5/13/21: Security Support on Faculty/Advisors + Review CS Roles + Basic SACR Security
Running The Query to Display All Navigations and Roles

Not sure which role has access to the page your user needs?  There is a Query in the CS pillar that can be run anytime to look up which roles grant access to that page.  This query can be run by entering the navigational path displayed in our Quick Reference Guides (QRGs) to find out which role allows the user to get to that page.  For your convenience we have downloaded the results of that query run "Wide Open" meaning, leaving the navigation blank and running it for all 'Z' roles that have access to all pages in the CS Pillar.   Keep in mind, not all roles can be granted by a Local Security Administrator.  Those that are available for colleges to grant are designated with the ZZ Local Security Admin role after them.  When reviewing the attached workbook, filter the results to only those that can be granted by a college.

Query Name: QCS_SEC_ROLE_NAVIGATION_ACCESS

query parameters page
5/20/21:  Security Support on SF/FA Roles + SF/FA Relevant SACR Security
5/27/21: Security Support on Finance and User Preference Definition & Grants Security
6/3/21:  Follow-Up on Self-Paced Security Training Module 2 & 3, Local Security Management Discussion
  • Pre-Requisite: Make sure you have gone through Module 2 & 3 and passed the module tests prior to attending.
  • Come prepared to login to SVX.
  • College Agenda Items: [See foldable for content]
  • Share Your Expertise!  45 minute discussion
    • Colleges who checked "Yes" in their Tools and Practices/Policies Chart for one or more of these items will chat briefly about their experiences and plans:
      • Row 1 - Ticketing System
      • Row 5 - Template to Communicate Access Requests
      • Row 12 - Require Secondary Approval
  • Meeting Recording
  • Meeting Notes
College Agenda Items:
  • Submitted by Bellevue College on May 13, 2021. 15 minute discussion
    • What are other colleges using to verify the identity of users to delete their hint question answers?  What is recommended that we lookup using ctcLink to verify identities (note: not all students provide SSNs)?  Note: we plan on our Help Desk employees to have the rights to delete the password hint answers.
      • Response from SBCTC
        • College decision - there is no SBCTC policy or guideline
        • One district uses Birthdate, Mailing Address, SSN, email address..."Sometimes we had to be creative..."
        • NavBar > Navigator > Campus Community > Student Services Ctr (Student)
        • Role:  ZD CC Personal Info Student
        • ctcLink Security Listserv info page:  Mailman eLists
        • ctcLink Security Listserv subscription page: ctcLink-Security
    • How often are roles updated in the UAT environment via the Google Workbook?   If we need to make changes during UAT testing, can make live updates?
      • Response from SBCTC - We load what you have in Security Workbook (google sheet) as of the end of business on 6/22.  You can make adjustments yourself during UAT, but please make sure those are reflected IN YOUR WORKBOOK by 8/31 or you will lose them when we load again in September in preparation for Go Live.
    • We would like to create our own checklists for assigning permissions based on areas of responsibility.  Have other colleges done this that you know of?  Is there a template to get started?
      • Response from SBCTC
        • SBCTC College Relations/Triage Manager asked to reach out to colleges for info
        • ctcLink Security Listserv info page:  Mailman eLists
        • ctcLink Security Listserv subscription page: ctcLink-Security
    • “User Profile creation process is run periodically in Production to establish an initial User Profile when an active job record is established in the system.” How often is “periodically”?  Note: we often get  questions on such timings from our end users.
      • Response from SBCTC:
        • CS:  M-F Hourly 7 am - 7 pm
        • HCM: 8 am, 11 am, 2 pm, 5 pm
        • FIN: 7 am, 10 am, 1 pm, 4 pm
        • We created jobsets for all security related process in the pillars. So the times above include user profile, dynamic role and SJT processes as needed.
Additional Documentation

The files below were kindly provided by Everett Community College and are still in draft form.

6/10/21: Security Support on SACR Security in CS, Local Security Management Discussion Follow-Up
College Agenda Items:
  • Submitted by Bellevue College on June 8, 2021. 15 minute discussion
    • Which UAT tests can faculty and students do?
      • Response from SBCTC - pending
  • Submitted by Whatcom College on June 9, 2021.  30 minute discussion
    • Regarding the ZZ HR Employee Maintenance and ZC HR Employee Maintenance Roles:  Do you need both a ZC role and a ZZ role?   I’m guessing ZC doesn’t trump ZZ roles, like ZZ trumps ZD roles.  I  remember the role was way too broad for an HCM Director.  The ZZ role also notes many Correct History capabilities, though is also a ZC role as well.  Job data access really should be separated out, plus there is just a lot of access under this one role.
      • Response from SBCTC - pending
    • Regarding the ZZ HR Employee Maintenance Role:  Are there any HCM security tickets already opened for this role?
      • Response from SBCTC - pending
    • Regarding the ZZ SS Payroll and ZZ MSS Fluid Position Management Roles:  these Roles are required for UAT but no documentation on ctcLink Reference Center for what pages they provide access to.  ZZ SS Payroll can be assigned/removed by Local Security Administrator, while ZZ MSS Fluid Position Management cannot.
      • Response from SBCTC - pending
6/17/21: Security Support on Human Capital Management
  • Pre-Requisite: Watch the recording of the DG4 Session on HCM Roles
    • NOTE: Slide Deck for HCM in DG4 Session Materials was updated to reflect a role correction for the ZZ Payroll Inquiry role to correctly read as ZD Payroll Inquiry.
  • Meeting Recording
  • Meeting Notes

The HCM Team has provided some guidance on the roles to be assigned for employees involved in handling business functions related to paying part-time faculty and full-time faculty working moonlight hours, as managed within the Faculty Workload (FWL) custom module.  See the attachment below:

College Agenda Items:
  1. From 6/10/2021 webex:  For query QHC_SEC_ROLE_NAVIGATION_ACCESS, what do the values in column Page Access Description mean?  See roles ZD HR Position Management VW, ZZ HR Position Management and ZC HR Position Management.
    • SBCTC Response:  Please see the excellent explanation in this Toolbox.com article and in the PeopleTools 8.57 manual, page 51, paragraph "Actions".  Bottom line?  Values 8 and greater grant Correct History ability.
  2. From Whatcom 6/10/2021:  Why isn't ZZ Hiring Manager role not dynamically assigned to all managers; it looks like this role has to be enabled/assigned in order for managers to access hiring info.  If colleges use TAM, then all managers are assigned ZZ HCM Manager and ZZ Hiring Manager.  If not using TAM managers just get ZZ HCM Manager?
    • SBCTC Response:  Correct.  If the college will use TAM then ZZ Hiring Manager will be given to all managers.  If the college is not using TAM then managers will not get ZZ Hiring Manager.
  3. From Skagit 6/15/2021:  HR currently has limited access to SMS to look-up student employees to determine if they already have a SID in the system before they create an employment record.  If they do, HR needs to ensure the student record has the same SSN as the employee record so that two SIDs are not created for the one person.  Additionally, HR also verifies whether the student is currently enrolled in credits.  That enrollment determines whether the student employee is considered a student for federal tax withholding or not.  Will the duplicate SID issue be resolved by the new PS workflows, specifically, will they be able to hire a student and not create a duplicate person record by just following the normal search match process?   How will they continue to determine student status?  Will they need permissions to CS? 
    • SBCTC Response:  Yes, normal search match process should be enough to find a student  EMPLID in HCM and then use that EMPLID to complete the hiring process.   SSN is one of the criteria by which you can use search match.  For determining student status, if CS data is needed/desired, that will require the employee responsible for tracking that to have enough view only and query access (roles) in the CS pillar to determine student status. 
  4. From Skagit 6/15/2021:  How will access to Skagit (and Everett) data be granted to Bellevue shared Payroll staff?  They will need access to Payroll, Time and Labor and Absence Management, Benefits and HR Core, and the DRS Processing.
    • SBCTC Response:  The Bellevue payroll team will be assigned the appropriate row level permission list (Or data security) to view the payroll data for Skagit and Everett employees).
  5. From Bellevue 6/17/2021:  What is the link to the Post Go-Live Resources documentation in the Reference Center?
6/24/21: Review Outstanding Issues w/Security Workbook Entries Prior to Load into the SVX
College Agenda Items:
  1. From 6/17/2021 webex:  Is the ZZ Hiring Manager Role dynamically assigned?
    • SBCTC Response:  yes.
  2. From Whatcom 6/16/2021:
    • UPD Tabs: GL, Procurement Vouchers, Procurement Contract, Purchase Order - If we have only have one person assigned for a UAT test or UPD,  If we put a No in columns G thru AE, then we would have to have someone else who would have a Yes, correct?   
      • SBCTC Response:  The UPD-GL tab has the values that must be input into the user lines to make the pages work properly.  You will see the values set in the Sample lines and you will note in the headings it will state Always 'Y' or Always 'N' to provide you with what the values must be for this person to perform the duties related to the role assigned. The UPD-Procurement Vouchers have two sample row value sets, one for someone who only does voucher entry/processing and one for someone who also does quick invoice entry.  Use the provided sample values in order for those staff to perform the duties related to the assigned roles. Use those sample to populate the fields.
    • UPD – Supplier Process Was blank – with only the ZZ Supplier Entry role.  This wasn’t a required role for any UAT’s. Though we have 4 people who can update the supplier tables. This role was on the Local Security Grant Role list, but I thought SBCTC had to grant this access? I did assign the ZZ Supplier Entry role to our 4 staff, but not sure that was correct.
      • SBCTC Response:  There are no UAT tests that require this role.  By adding this access to your workbook, it will be loaded into the SVX environment and be available at Go Live.  This role should be assigned to your intended staff by 8/30/2021 before we perform the All Employees workbook load.  The role itself is able to be granted by the Local Security Administrator; however this role is one that falls into the category of "Pre-Production Access" and DG5 College SMEs are granted access into current ctcLink Production to submit updates to Supplier data in PeopleSoft Production today.  It is the "Pre-Production Access" that must be done by State Board, because a User Profile (e.g. 210_JSMITH) must be built in ctcLink Production and the role assigned to it, with User Preference Definition established in order for DG5 college users to access this functionality prior to Go Live.
    • UPD – Paycycle  Can SBCTC provide this data – this is our bank ACH info correct?
      • SBCTC Response:  This will be added manually by State Board during our security load process.  These are the folder locations where the system will go to look for ACH data files.
  3. From Bellevue 6/22/2021:
    • Can you clarify if the current temporary EMPLID will be automatically  populated by SBCTC in the UPD and SACR tabs for the 6/28 upload ? 
      • SBCTC Response:  Yes. They are driven based on the roles that you would select under Roles tab.
    • Additionally, we are seeing that EMPLID is being requested in more than 1  column in UPD tabs. i.e.,  UPD -Procurement Contract tab columns M and  N.
      • SBCTC Response:  Please leave EmplID blank until notified otherwise.
    • On another note, is the 6/25/21 Cycle 4 conversion still on schedule or did that get changed due to the change in the 6/28 date for upload ?
      • SBCTC Response:  Cycle 4 is On Schedule
    • Up until this morning, Bellevue College was able to utilize the User Report tab in the Google Workbook.  It is no longer functioning when I enter in someone’s Legacy ID.  I tried several Legacy ID’s with the same error results.. “No Data Available”.  Utilizing that tab was extremely useful for a variety of confirmations on our end.  Can you advise if this can be re-enabled for our use?
      • SBCTC Response:  Fixed
  4. From Everett 6/23/2021:
    • Is there information available about the newly developed accommodations roles? If so, will they be added to the workbooks?  If these new accommodations roles are not available, where is the information that defines which CS roles should be used?  Does HCM staff need access to roles in CS to see student workers' accommodation data? 
      • SBCTC Response:  Employee Accommodation data lives in the HCM pillar only and does not flow to the Campus Solutions pillar, this includes student workers. Accommodation data in the CS pillar is maintained by CS staff and is related to student learning needs, not employment related accommodates. There were 3 new roles added in HCM to support restricting access to Accommodation Data in HCM.  Those are:
        • ZD HR Accom Disability - This role grants view only access
        • ZZ HR Accom Disability - This role grants add/update access
        • ZC HR Accom Disability - This role grants correct history access

In CS there are also Accommodation Data specific roles and those are:

  • ZD CC Accommodations Dis - This role grants view only access
  • ZZ CC Accommodations Dis- This role grants add/update access
  • ZD_DS_QRY_CC_ACCOMMOD_HIGHSENS - Query record access
  • The workbook is not auto-populating the "UPD Proc Grp- AR Processing" tab with names of people who have the appropriate roles (there should be at least four people).  Can someone please take a look at it?
    • SBCTC Response:  Fixed
  • When we add someone to one of the '3Cs' Role on the CS tab, it adds them to where it wants on the 'SACR - 3C Group' tab causing the data on that row to be mis-alligned with the proper person.
    • SBCTC Response:  Fixed
DEADLINE 6/22/21  Extended! to 6/28/21: Finish Assigning Security Roles in Workbook for UAT Testers - Notify Security Team Workbook Readiness for Download.

Notify Jarman Singh (jsingh@sbctc.edu), Bill Ramirez (bramirez@sbctc.edu) and Tara Keen (tkeen@sbctc.edu) via email that the workbook is ready to download.  If not notified, will be downloaded at midnight.

7/1/21: Follow-Up on Query Security Self-Paced Training in Module 6
  • Pre-Requisite: Make sure you have gone through Module 6 of the PeopleSoft Security Administration Canvas course and passed the module test prior to attending.
  • Meeting Recording
  • Meeting Notes

 

  • FSCM User Preference Definition discussion - Tara <15 minutes>
  • PeopleSoft Security Administration Module 6 discussion - Bill <15 minutes>
  • PeopleSoft Security Administration Mod 6 Exercises discussion - Bill <15 minutes>
  • Some Query Resources in the Reference Center - Bill <15 minutes>
College Agenda Items:
  1. From Whatcom 6/16/2021:
    • UPD Tabs: GL, Procurement Vouchers, Procurement Contract, Purchase Order - If we have only have one person assigned for a UAT test or UPD,  If we put a No in columns G thru AE, then we would have to have someone else who would have a Yes, correct?   
      • SBCTC Response:  see 6/24/2021 College Agenda Items
    • UPD – Supplier Process Was blank – with only the ZZ Supplier Entry role.  This wasn’t a required role for any UAT’s. Though we have 4 people who can update the supplier tables. This role was on the Local Security Grant Role list, but I thought SBCTC had to grant this access? I did assign the ZZ Supplier Entry role to our 4 staff, but not sure that was correct.
      • SBCTC Response:  see 6/24/2021 College Agenda Items
    • UPD – Paycycle  Can SBCTC provide this data – this is our bank ACH info correct?
      • SBCTC Response:  see 6/24/2021 College Agenda Items
  2. From Everett 6/23/2021:
    • Is there information available about the newly developed accommodations roles? If so, will they be added to the workbooks?  If these new accommodations roles are not available, where is the information that defines which CS roles should be used?  Does HCM staff need access to roles in CS to see student workers' accommodation data? 
      • SBCTC Response:  see 6/24/2021 College Agenda Items
7/8/21: Refinement of Local Security Support Plan
  • DG4 Local Security Admins Discuss 'What We Wish We Knew' when they developed their local security support plans.  Special guests:
    • Jennifer Horrace, Centralia College (DG4)
    • Victor Portolese, Edmonds College (DG4)
    • Discussion topics:
      • How does your ctcLink security day compare with your old Legacy security day?
      • How is ctcLink security morale among your students, faculty, staff and administration?  How is it within your security team?
      • What do you wish you had known three months before DG4 GoLive?  What would you have emphasized more?  Emphasized less?
      • Other thoughts and guidance?
  • DG5 Colleges - "Open Lab"
    • Show and Tell on Your Local Plan Information Gaps
    • Discuss Challenges in Your Flow Diagrams or RACI
    • Share Solutions - What Parts of Your Plan Are You Most Proud Of?
  • Next week's Security SafeRoom session
  • OKTA Login Process
  • Meeting Recording
  • Meeting Notes
College Agenda Items:
  1. From Everett 7/1/2021:
    • these FSCM tab roles are not in the Workbook:
      • ZZ Payables Bank Setup
      • ZZ Treasury Integration
      • ZZ AW CommodityIT
      • ZZ Buyer
      • CTC Bank
      • ZZ Payables Bank Recon
      • ZZ PC Local Configuration
      • ZZ AR Banking
      • ZZ Awards Maintenance
      • ZZ Proposal Maintenance
      • ZZ AFRS Processing
        • SBCTC Response:  pending
    • What is the ZZ role processing role for ZD Purchasing Inquiry?
      • SBCTC Response:  pending
    • We are being told users creating a requisition will need the following roles: 
      • ZD  Purchasing Inquiry and ZZ Requisition Entry - this is a contradiction to what you shared this morning about ZD roles overwriting permissions.
        • SBCTC Response:  pending
  2. From Skagit 7/7/2021:
    • Regarding onboarding scenarios from the local security management planning guide:
      • Q1:  can you explain what the difference in setup when onboarding in the 4 different scenarios, after HCM has done their stuff and it comes to security lead.
        • New hires that have never worked at a ctcLink college previously.
          • SBCTC Response:  pending
        • Hiring an employee who has an existing job at one of our ctcLink colleges and already has an existing user profile.
          • SBCTC Response:  pending
        • Hiring an employee who used to work at a FirstLink college, but whose User Profile was never properly off-boarded and contains deprecated ‘CTC’  roles, rather than the necessary ‘Z’ roles.
          • SBCTC Response:  pending
        • Hiring a student who already has an existing user profile as an employee.
          • SBCTC Response:  pending
      • Q2: is there a batch process to assign roles, UDP, SACR to multiple people at once during peak periods of mass onboarding?
        • SBCTC Response:  pending
    • Regarding Position Transitions scenario: Unexpected departures of employees with pending approvals in a workflow.
      • Q3: Is there a defined process to assign workflow approvals to another party? Is that something security needs to deal with?
        • SBCTC Response:  pending
    • Regarding Offboarding scenarios:
      • Q4: Are there examples of the processes we need to do for these offboarding scenarios? (Do we just remove all roles?)
        • SBCTC Response:  pending
      • Q5: Is there a role/upd/sacr "reset" to remove all perms?
        • Off-boarding an employee who does not have a job at another institution.
          • SBCTC Response:  pending
        • Off-boarding an employee who has a job at another institution.
          • SBCTC Response:  pending
        • Off-boarding an employee who has a student relationship with your or other institution(s).
          • SBCTC Response:  pending
7/15/21: Open Q&A Session on Security Workbook All Employees and Local Security Support Plan  
  • OKTA login to SVX
  • Open Q&A on 'All Employees' in the Security Workbook
  • Open Q&A on Local Security Support Plan
  • Meeting Notes
College Agenda Items:
  1. From Big Bend 7/1/2021:
    1. How are security Role changes announced in Production?
      • SBCTC Application Services Response: The Functional Analyst on the Production side will send a notification to their Pillar Specific listserv and Security staff follow up with one to our ctcLink Security listserv: ctclink-security@lists.ctc.edu
  2. From Everett 7/8/2021:
    1. Are Distributed User Profiles tables that underlie the General, ID, User Roles, Workflow and Audit tabs exposed to college homegrown apps via Datalink?
      • SBCTC Data Services Response:  We can replicate any table that is in ctcLink.... we do replicate the system tables as well, such as those related to security.  Of course, all of the tables are filtered  by specific institution....assuming that the tables they are requesting are already being replicated as previous DG’s would have had the same need, and if they are not, we just need a request that includes a specific table name.
  3. From Bellevue 7/12, 7/13/2021:
    1. LSA Request:  Would you please add <employee 1> as an LSA in the SVX and UAT environments?
      • SBCTC Response:  pending
    2. <employee 2> is still not appearing in any UPD sheets.   EMPLID nnnnn0671   This issue was revealed in our 1-1 meeting a couple weeks ago and not sure if you have had an opportunity to take a deeper look into the cause.
      • SBCTC Response:  pending
    3. <employee 3> has recently been assigned a permanent EMPID nnnnn9671  per the SID to EMPLID Cross-Walk sheet.  However, his name is not auto populating in multiple SACR sheets.  Should this be manually added or will that cause other issues?
      • SBCTC Response:  pending
    4. <employee 4> EMPLID nnnnn0402.  Her  name was manually populated by us in multiple SACR sheets as instructed  by Eli during our 1-1 mtg. However, we noticed the formula in the cell for her is still  missing.  Will that pose any issues with UAT or future uploads by SBCTC?
      • SBCTC Response:  pending
    5. The User Report sheet is not functioning.
      • SBCTC Response:  pending
    6. A few of us host other colleges on our campuses. How have EMPLIDs and student access been handled by others post go-live?
      • SBCTC Response:  pending
DEADLINE 7/16/21: Submit Initial Local Security Support Plans

Notify Bill Ramirez (bramirez@sbctc.edu) and Tara Keen (tkeen@sbctc.edu) via email to submit plans and all additional materials.

OKTA SPECIAL SUPPORT SESSIONS

Environment Links to enable Local Security Administrators to resolve security issues in advance of user access:

Solution Validation Environment:

LSA and User Access Available for colleges who would like to get users comfortable with OKTA registration process in advance of the start of UAT.  
(Users will need to set their password in UAX as well, but can get the experience in SVX in advance if so desired.)

SVX  : OKtapreview.ctclink.us/
Login Username Format: 123456789@svx.local [where '123456789' is the user's Cycle #4 EMPLID]

User Acceptance Test Environment:

Early LSA ONLY Access to the User Acceptance Test environment for correcting any security issues in advance of the 7/28/2021 Kick-Off of UAT.
(Users will likely be registering their OKTA account for the first time in UAX, but those who will also need to access SVX will need to set their password in that environment as well.)

UAX  : OKtapreview.ctclink.us/
Login Username Format: 123456789@uax.local [where '123456789' is the user's Cycle #4 EMPLID]

7/22/21: Open Q&A Session on SVX Security for UAT
7/29/21: Open Q&A Session on Security Workbook UAT and All Employees
  • Open Q&A on UAT testers in the Security Workbook <30 minutes>
  • Open Q&A on 'All Employees' in the Security Workbook <60 minutes>
  • Meeting Recording
  • Meeting Notes
College Agenda Items
  1. From Everett 7/8/2021:
    1. Are Distributed User Profiles tables that underlie the General, ID, User Roles, Workflow and Audit tabs exposed to college homegrown apps via Datalink?
      • SBCTC Data Services Response:  We can replicate any table that is in ctcLink.... we do replicate the system tables as well, such as those related to security.  Of course, all of the tables are filtered  by specific institution....assuming that the tables they are requesting are already being replicated as previous DG’s would have had the same need, and if they are not, we just need a request that includes a specific table name.  See SBCTC dataLink page for more info.
  2. From Bellevue 7/12, 7/13, 7/28/2021:
    1. LSA Request:  Would you please add <employee 1> as an LSA in the SVX and UAT environments?
      1. SBCTC Response:  This employee is now added to the environments.
    2. <employee 2> is still not appearing in any UPD sheets.   EMPLID nnnnn0671   This issue was revealed in our 1-1 meeting a couple weeks ago and not sure if you have had an opportunity to take a deeper look into the cause.
      1. SBCTC Response:  pending
    3. <employee 3> has recently been assigned a permanent EMPID nnnnn9671  per the SID to EMPLID Cross-Walk sheet.  However, his name is not auto populating in multiple SACR sheets.  Should this be manually added or will that cause other issues?
      1. SBCTC Response:  pending
    4. <employee 4> EMPLID nnnnn0402.  Her  name was manually populated by us in multiple SACR sheets as instructed  by Eli during our 1-1 mtg. However, we noticed the formula in the cell for her is still  missing.  Will that pose any issues with UAT or future uploads by SBCTC?
      1. SBCTC Response:  pending
    5. The User Report sheet is not functioning.
      1. SBCTC Response:  pending
    6. A few of us host other colleges on our campuses. How have EMPLIDs and student access been handled by others post go-live?
      1. SBCTC Response:  to be addressed at PM meeting week of 8/2/21.
    7. Moving  forward with UAT testing and beyond, could we ask for a 1-1 for additional training on manually adding UPD and SACR settings?  We  have reviewed the exercises, Canvas modules and ctc Reference guide but still not clear on how to manually add them or look up to see if the  settings are in the environment for someone.
      1. SBCTC Response:  postponed per Bellevue request
  3. From Whatcom 7/16, 7/20/2021:
    1. What is the deadline for us updating security roles for our staff to  have roles in place by 7/28.  I know we can continue to fix/update in  the UAT environment.  Also,  I know we are tracking Security Workbook changes in our change log, but  what is the official process for requesting our changes to be pulled  into the UAT environment?  Also, for changes to the UPD tabs and SACR, do you want those changes tracked in our change log tab as well?
      1. SBCTC Response:  pending
    2. Can you remind me which records you look at in the QCS_DS_QUERY_RECORD_USER_RPT query to determine which role they are missing?
      1. SBCTC Response:  pending
    3. What is the process for adding new employees (post 6/25?) to ctcLink SVX/UAT.   
      1. SBCTC Response:  pending
    4. How will our Change Log Security additions/updates be added/moved into  SVX/UAT.   I thought SBCTC had to do this but other DG5 pms heard that our sec admins will have to do that.
      1. If  the colleges have to input all the security updates into SVX/UAT,  can our Sec Admin folks get early access to SVX/UAT so they can update security roles?
        1. SBCTC Response:  pending
8/5/21: Register for One-on-One Review of Security Workbook

We have a deadline coming up at the end of August for DG5 colleges to get their security workbooks completed and ready for the all employees load.  Let's review the workbooks with the colleges individually and address any issues we can together before they submit.  We've placed 8 holds on the calendar for the week of August 23, 1 hour per college. 

Let's discuss this now and decide which college gets which of these timeslots:

  • Monday, August 23 from 2:00 - 3:00 PDT - Everett
  • Monday, August 23 from 4:00 - 5:00 PDT - Green River
  • Tuesday, August 24 from 3:00 - 4:00 PDT - Big Bend
  • Tuesday, August 24 from 4:00 - 5:00 PDT - Grays Harbor
  • Wednesday, August 25 from 9:00 - 10:00 PDT - Whatcom
  • Wednesday, August 25 from 11:00 - 12:00 PDT - Bellevue
  • Thursday, August 26 from 1:30 - 2:30 PDT Skagit
  • Thursday, August 26 from 3:00 - 4:00 PDT Bellingham
College Agenda Items
  1. From Bellevue 8/2/2021:
    1. In an attempt to try and copy large number of SACR settings to multiple people, I’m looking at the Launchpad tool to save me from having to enter it hundreds of times for a group of people.  Not just for SACR, looking to find a way to “batch copy” Roles or SACR or UPD to people.  Can you clarify what this Launchpad cautionary sentence means: "The application will first delete the information in the user(s) you are copying the options selected first, and then copy in the new information."
      1. SBCTC Response:  We are not recommending the use of LaunchPad at this time.  User Profiles are global and attempting to drop and replace a complete role set could have detrimental impacts on a User Profile for a user with other role associations, such as student or employment relationships with other colleges.  Our secondary effort after all colleges are deployed will be to adopt a more effective mass security management tool and improve dynamic role assignment processes.
    2. Can we review these items in the Reference Center's Project Kickoff Information chapter as possible bulk-copy tools:
      1. Roles/Users
      2. FIN Security
      3. CS Security
        1. SBCTC Response:  Since bulk copy is not a recommended security practice we did not address this in today's session.
8/12/21: Review of Security Workbook
  • How the All Employees Security workbook load will work
  • Open Q&A on 'All Employees' in the Security Workbook
  • Review of new Job Aid for Workfirst, Workforce and Worker Retraining
  • Review of Manager Roles in FSCM and HCM
    • In HCM - ZZ HCM Manager and ZZ Hiring Manager roles are assigned dynamically, ZZ MSS Position Mgmt role must be manually assigned.
    • In HCM - NOT ALL MANAGERS - Depending on College Decisions: Position Management Budget Approval may be required for some VPs/Mgrs with division budget approval.
    • In FSCM:
      • ZZ Expenses Approval [Does not require Route Control]
      • ZZ Requisition Approval [Requires Route Control AND UPD Approval Checkbox] - depends on workflow decision (may be all supervisor)
      • ZZ Purchasing Approval [Requires Route Control AND UPD Approval Checkbox] - with Purchasing Approval Auth (not all supervisors)
      • ZZ Delegation [All approvers need the ability to delegate approval authority in their absence]
  • General Employee Access - Default Roles and What That Means
  • Discuss Recent Changes in Security Views - Tara <15 minutes>
  • Meeting Recording
College Agenda Items
  1. From Green River 8/11/2021:
    1. Do all employees need to be on the HCM tab?
      1. SBCTC Response: No, only those that need extra roles and supervisors who will need the ZZ MSS Position Management role added to them.
    2. If so, do we need to apply “ZZ Employee”?
      1. We thought this was dynamically applied to everyone, and that no action is needed on our part, but we are second guessing ourselves.
        1. SBCTC Response: No, this is now done dynamically on load.
      2. Do we also need to assign the Nav Bar to everyone?
        1. SBCTC Response: Add Nav Bar on the HCM tab so those who are given the extra roles can access the menu.
    3. What do Supervisors need to have assigned in HCM?
      1. SBCTC Response: ZZ HCM Manager and ZZ Hiring Manager (TAM) are dynamically applied. ZZ MSS Position Management is not yet, so needs to be assigned to managers.
    4. One item that we are also having trouble resolving is what to do with  employees that only need to perform basic Employee Self-Service  Transactions (enter time, manage leave, etc). For instance, a landscaper  or housekeeper only needs to report their time each week. Do these  employees need to be included in any of the pillar tabs? Our impression  was that these employees receive all the security roles they need via  dynamic “automagic”. Please advise us if this is not the case.
      1. SBCTC Response: Yes, that is the case. We’ll cover that topic during tomorrow's (8/12/2021) Security Support Session webex.
  2. From Whatcom 8/12/2021:
    1. Whatcom: Hey, 1st time login for UAX -  I have seen folks do this by entering their  perm EMPID, then clicking activate UAX link and had success.  The  ctcLink Reference center screen shots says don't enter EmpID.  SBCTC : B’se we have to re-enter the same info on next screen.  Whatcom:  Okay, but it doesn’t hurt anything if input your EmplID on the first log in screen does it?  SBCTC : No harm in entering twice. We were just trying to make end user’s life easy.
    2. Whatcom: What  happens on 8/30 if SBCTC added a role in UAX, but we forgot to add that role to the user in the Security Workbook?  Will the UAX role  assignment stay or be removed? SBCTC : It will be AS-IS. We are not going to reload workbook security in UAX.  Whatcom: Sorry, to be more clear -  for 8/30, you are uploading from Workbook pillar tabs to SVX.  So if we have added roles in SVX, but weren’t updated in our Workbook tabs, what happens when uploaded to SVX?  SBCTC : In SVX, Roles will be wiped out and reloaded with what is in workbook as of 8/30 download.  Whatcom: Thanks  again.  So based on below, is there any reason for our Security Admins to be adding/removing security roles in the SVX environment? We currently are keeping CAG, UAX, and the Workbook in sync – then were going to update all in SVX, but sounds like we don’t need to do that.  SVX will be wiped and uploaded from the workbook on 8/30.  So is there any reason for us to be in SVX currently??  SBCTC: Sorry for the confusion.  Jarman just confirmed we are not removing the existing roles in SVX  instead we will just reload from workbook which will just append any missing ones.
8/19/21: Review of Security Workbook
  • Open Q&A on 'All Employees' in the Security Workbook
  • Review of larger employee group access needs: Instruction Division Admins, Full/Part Time Faculty, Student Workers
  • Meeting Recording
College Agenda Items
  1. From Bellevue 8/12/2021:Is there a set of roles we can assign in ctcLink to allow people the equivalent access they currently have with FMSQuery (MS Access files)?
    1. SBCTC Data Services Response: The ctcLink budget reports (expenditures to allocation) that are listed in the Report Catalog are what was in FMS Query.  The Report Catalog has a listing of global reports and queries that have been created by the SBCTC Data Services ctcLink Reporting Team to support the colleges with reports on various topics for each pillar.  Please refer to the section on Budget Reports. Here is a link to the Report Catalog.  https://www.sbctc.edu/resources/documents/colleges-staff/data-services/peoplesoft-ctclink/report-catalog.pdf  The following roles will give access to all of the Finance pillar Budget  Reports listed in the “Budget Report” section of the report catalog.
      1. ZD_DS_QRY_COMCNTRL
      2. ZD_DS_QRY_GEN_LEDGER
      3. ZD_DS_QRY_BILLING
      4. ZD_DS_QRY_EXPENSES
      5. ZD_DS_QRY_PURCHASING
    2.  The following roles will give access to the HCM pillar Budget Report query listed in the “Budget Report” section of the report catalog.
      1. ZD_DS_QRY_PAYROLL
      2. ZD_DS_QRY_PAY_GARN_HIGH_SENS
      3. ZD_DS_QRY_HRCORE
8/26/21: Review of Security Workbook and Download/Environment Update Timelines
  • Open Q&A on 'All Employees' in the Security Workbook
  • Review of smaller employee group access needs:
    • Library Staff
    • Advising/Credential Evaluation
    • Department of Corrections Staff.  
    • Continuing Education
    • Disability Resource Center (DRC) Employees
    • Running Start
    • Volunteers - Receive standard nominal access like all other employees with an active job record.  They have an Employee Classification designating them as volunteers, which ensures the L&I payment required for volunteers is triggered.
  • Meeting Recording
DEADLINE 8/30/21 5pm: Finish Assigning Security Roles in Workbook for All Employees - Notify Security Team Workbook Readiness for Download.

Notify Jarman Singh (jsingh@sbctc.edu), Bill Ramirez (bramirez@sbctc.edu) and Tara Keen (tkeen@sbctc.edu) via email that the workbook is ready to download.  If not notified, will be downloaded at midnight.

9/2/21: Review of Security Workbook and Download/Environment Update Status
DEADLINE 9/15/21: Submit Final Local Security Support Plans

Notify Bill Ramirez (bramirez@sbctc.edu) and Tara Keen (tkeen@sbctc.edu) via email to submit plans and all additional materials.

9/16/21: DG5A Security Safe Room
  • DG5B and DG5C are excused
9/23/21: Review of Cycle 5 Data Conversion and Local Security Plans
College Agenda Items
  1. From Bellevue on 9/13/2021:
    1. Bellevue has the role ZD_DS_QRY_FIN_DATA_SERVICES in the Google Workbook and it is currently assigned to approximately 335 people in FSCM Roles for Staff tab.  I joined a WebEx today because I am not able to assign in SVX.  It was confirmed by Anna Rankin that it is not a college grantable role.  Can there be a comment in the Workbook stating that it is an SBCTC assigned role OR can it just be removed from Workbook to avoid confusion for LSA’s.  I could enter an OTM ticket but thought there may be other colleges that have this in their WB and may be confused also.
      1. SBCTC Response:  Not a valid role, used only by Data Services.  Should be marked invalid in the Security Workbook.
  2. From several colleges on 9/9/2021:
    1. Did previous deployment groups distribute/publicize EmplIDs to staff and students at GoLive?  If so, how?
      1. Edmonds response:  For employees, we created a tool for them to log in to using their local network credentials and then entering PII to return their SID and ctcLinkID numbers. We just modified the legacy ID lookup tool, so our  employees were already familiar.  For our students, we created a similar tool that asks them to enter their SID and PIN, and it simply returns their ctcLinkID. I wouldn't want to attempt "go live" without these two tools. 
EmplID Lookup image

2.  Centralia response: pending

  1. From Everett on 9/22/2021:
    1. I just wanted to confirm the date we need to have the SVX environment ready for go-live?
      1. SBCTC Response: End of Business on the Thursday before your Go Live.  We begin extracting your security from SVX early Friday morning.
    2. What data will be populating the CAG environment for the Oct 14th dry run? 
      1. SBCTC Response: It is the data from your All Employees deadline from your Security Workbook that was loaded into SVX before it was turned back over to colleges on 9/10/21.
9/30/21: Open Lab
10/7/21: How to Check in SVX Role Assignments and SACR Security

Queries to Run in SVX to Download Security Information in the CS Pillar:

  • QCS_SEC_USER_ROLES_BY_UNIT
    • Enter your Institution Code to dump down all users in the CS Pillar with an active job (as of the SVX Source Data State on 6/25 or new hires into SVX).
    • All EMPLIDs in SVX, their job/department information as of Cycle #4 conversion and what security roles are assigned to those users.
  • QCS_SEC_SACR_BASE_SECURITY_DTL - Basic SACR, Program, Plan and SF (BU, Inst, SetID)
  • QCS_SEC_SACR_3C_SCRTY - SACR 3C Security
  • QCS_SEC_SACR_ADM_RECR_SCRTY - Admissions/Recruiting SACR Security
  • QCS_SEC_SACR_ENROLLMENT_SCRTY - Enrollment Security (for ZZ Roles Only)
  • QCS_SEC_SACR_MILESTONE_COMPARE - Milestone SACR Security
  • QCS_SEC_SACR_PROG_ACTN_SCRTY - Program Action Security
  • QCS_SEC_SACR_SRVC_IND_SCRTY - Service Indicator Security
  • QCS_SEC_SACR_STDNT_GRP_SCRTY - Student Group Security
  • QCS_SEC_SACR_TEST_SCRTY - Test ID SACR Security
10/14/21: Open Lab
  • Meeting Recording: pending
College Agenda Items
  1. From Bellingham Technical College on 10/11/21:
    1. Is  it possible to run a query or view a screen that shows all the users  from my institution who are currently logged into ctcLink? 
      1. SBCTC Response: pending
    2. Is it possible to disconnect a user who is currently logged into ctcLink 
      1. SBCTC Response: pending
    3. How can I disable a user account to temporarily prevent them from logging  in to ctcLink?  I don’t want to remove all their roles as we may enable them again later on
      1. SBCTC Response: pending
10/21/21: Open Lab
Security Focus slide
  • Meeting Recording: pending
10/28/21: Open Lab
  • Meeting Recording: pending
College Agenda Items
  1. From several colleges on 10/21/21: What is the difference between https://gateway.ctclink.us and https://myaccount.ctclink.us?
    1. SBCTC Response:   https://gateway.ctclink.us is the direct access into Peoplesoft as it was before Okta. Now the login process has Okta in front represented by the “Connecting to ctcLink” banner highlighted in yellow. So when a user logs in, using  https://gateway.ctclink.us, they go directly to ctcLink. https://myaccount.ctclink.us  you can access your account profile and any published apps the user has access to.   This is where users can change their password, security questions, notification email address, check recent sign-in activity, and use any app chicklet to access their applications.  At this time, just ctcLink.   As  far as ctcLink access, a user can go either way to access ctcLink no difference, just a few extra clicks to get to ctcLink when you use https://myaccount.ctclink.us.  As far as being published, we publish both https://gateway.ctclink.us for ctcLink access and https://myaccount.ctclink.us for the password, security questions, notification email address, and where to check recent sign-in activity from my understanding.  I am not sure what each school does. Someone else would be better equipped to answer that one. Okta references  Reference Center http://ctclinkreferencecenter.ctclink.us/m/88854/c/362905 
      1. Peoplesoft direct login- https://gateway.ctclink.us
PeopleSoft Direct Login
ctcLink Gateway page

2. Okta Account management and App chiclets - https://myaccount.ctclink.us

Okta account login image
chicklet page
11/04/2021: DG5C Final Prep and Where to Focus Day 1 Post Go Live
  • Meeting Recording
  • Discussion on On Boarding employees missed in conversion and Off Boarding employees whose job data converted as 'Active' but the employee is not an active employee now that your college is on ctcLink.

0 Comments

Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.