Local Security Management Sessions - DG6

Purpose: This guide has been developed to provide a single location for all security matrix mapping related activities. As presentation decks are published they will be posted.  As meeting recordings are processed by WebEx and made available the recording links will become active.  

Security Matrix Mapping Kick-Off 7/8/21

MEETING DATE/TIME: 7/8/21 - 1:30pm-4pm

Meeting Recording: WebEx Recording of 7/8 Kick-Off

AGENDA:

  • College Security Team
  • Security Management Plan
  • Security Matrix Mapping Workbook [Google Sheets]
  • UAT & Security Matrix Mapping Workbook
  • Security Training Approach
  • Schedule Review for Security Activities

TARGET AUDIENCE:

College PMs, IT Teams (responsible for Security Role Assignment and Ticket Triage), College SME Pillar Leads (responsible for role assignment decisions and additional security decisions, e.g. who gets access to assign/remove Service Indicators) and Test Lead(s) (responsible for determining who will test what in UAT).

Deck from DG6 Security Kick-Off:

Schedule, Meeting Notes and Recordings for Planned Security Support Sessions

Want a question covered in an upcoming meeting?  Contact Bill Ramirez, Kelly Barton and Alexa Mercado-Curtis to get it on our agenda for an upcoming Support session: [email protected], [email protected] and [email protected]

Starting 11/22 - Alexa and Kelly will be your new hostesses with the mostesses on our Security Support Sessions! Tara will still lead the sessions.

Early Meetings
7/12/21: Answering Questions from Kick-Off and Helping Folks Get Started on the Workbooks
7/19/21: Help on Identifying UAT Testers in the Security Workbook
College Agenda Items
  1. From Lake Washington 7/14/2021:
    1. When will the webex recording for the Security Matrix Mapping Kick-Off 7/8/21 be posted to the Reference Center?
      • SBCTC Response:  Please see 7/26 meeting content for more information.
    2. Initially DG6 colleges were given a deadline date of 07/28 to turn in our current local security support plan. Is it already planned to (and if not can we) discuss what the expectations are for this and exactly what needs to get turned in on or before this date?
      • SBCTC Response:  Please see 7/26 meeting content for more information.
  2. From Columbia Basin 7/14/2021:
    1. I know this was covered, but we are confused on it. How will employees who come and go be updated in the all employees tab over the next 9 months? There was mention of people coming from next validation cycle, but I’m not clear how that feeds into the workbook. Do we track that manually on Missing People tab or does project add it?
      • SBCTC Response: Please see 7/26 meeting content for more information.
    2. For the pillar areas, there was a recommendation to have backups. I’m not sure if the pillar folks are backups for the “All pillar” folks or if we need to have 3 people in the pillar (BAs for us) and then additional backup in each pillar for them. The IT director in me struggles with having more than the primary, highly trained 5 people able to do permission changes…if we were to go 8, that seems overkill.
      • SBCTC Response:  Please see 7/26 meeting content for more information.
    3. On the flip side of #2, how many people within the pillar should be active in training and following along as consultants within the pillar (not doing security work directly like BAs and All pillar folks)? I know the knowledge will be helpful for them, but with the project work I’m not sure how many more I can/should recruit into these roles for the next 10 months.
      • SBCTC Response:  Please see 7/26 meeting content for more information.
7/26/21: Support on Identifying UAT Testers - Special Focus on Approvers
College Agenda Items
  1. From Lake Washington 7/14/2021:
    1. When will the webex recording for the Security Matrix Mapping Kick-Off 7/8/21 be posted to the Reference Center?
      • SBCTC Response:  posted 7/19/2021
    2. Initially DG6 colleges were given a deadline date of 07/28 to turn in our current local security support plan. Is it already planned to (and if not can we) discuss what the expectations are for this and exactly what needs to get turned in on or before this date?
      • SBCTC Response:  SBCTC is looking for the colleges to provide their Legacy Policy/Procedures in the Security Support Plan. This is not to be turned in, but notify Tara and Bill Ramirez via email when it is completed. Tara will then look on the LSMP Tools and Practices tab of the workbook.
  2. From Columbia Basin 7/14/2021:
    1. I know this was covered, but we are confused on it. How will employees who come and go be updated in the all employees tab over the next 9 months? There was mention of people coming from next validation cycle, but I’m not clear how that feeds into the workbook. Do we track that manually on Missing People tab or does project add it?
      • SBCTC Response:  At the start of the next cycle the prior cycle All Employees tab of the security workbook is retired and any responses from the colleges are pulled forward into the new cycle All Employees tab. This repeats for Cycles 3 and 4. Any employees with an #N/A are new in the new cycle.
    2. For the pillar areas, there was a recommendation to have backups. I’m not sure if the pillar folks are backups for the “All pillar” folks or if we need to have 3 people in the pillar (BAs for us) and then additional backup in each pillar for them. The IT director in me struggles with having more than the primary, highly trained 5 people able to do permission changes…if we were to go 8, that seems overkill.
      • SBCTC Response:  The intent with the backups is colleges have a primary person for each pillar area as well as at least one alternate who can support if the primary is absent for any reason. Multiple alternates are ok.
    3. On the flip side of #2, how many people within the pillar should be active in training and following along as consultants within the pillar (not doing security work directly like BAs and All pillar folks)? I know the knowledge will be helpful for them, but with the project work I’m not sure how many more I can/should recruit into these roles for the next 10 months.
      • SBCTC Response:  Colleges should have at least one or two people following along in HCM, but for CS and FIN more will be required due to the nuances of the business processes in those pillars. In CS and FIN they may want to focus more on a module level (e.g. SF in CS or Purchasing in FIN).
8/2/21: Follow-Up on Self-Paced Security Training Module 1
  • Pre-Requisite: Make sure you have gone through Module 1 and passed the module test prior to attending.
  • Come prepared to log in to SVL.
  • Review Progress on Workbooks [College Security Team Tabs should be complete before today]
  • Meeting Recording: The meeting record was requested to be trimmed, however the trimmed content exceeds the file size limit of this QRG.
College Agenda Items
  1. From Lake Washington 7/29/2021:
    1. Do you know anything about the Security Request Change Form from another deployed college?
      • SBCTC Response:  SB is unfamiliar with this specific form.
  2. From Bates 7/29/2021:
    1. Did I hear at our last DG6 ctcLink  Security meeting that the deadline for submitting our workbooks was moved from the end of October to the end of December?
      • SBCTC Response:  UAT Tester Load Date is 10/22/21.  The All Employees Load Date is tentatively schedule for late December, but we are evaluating that date based on the Cycle #5 Conversion timelines.
8/9/21: Security Support on Faculty/Advisors + Review CS Roles + Basic SACR Security
  • Pre-Requisite: Watch the recording of the DG4 Session on CS Core Roles
  • Pre-Requisite: Make sure you have gone through Module 4 and passed the module test prior to attending.
  • Review Progress on Workbooks: All Employees [Cycle #2] and CS Roles for Staff Tabs
  • Meeting Recording
  • Meeting Notes <coming soon>
Running The Query to Display All Navigations and Roles

Not sure which role has access to the page your user needs?  There is a Query in the CS pillar that can be run anytime to look up which roles grant access to that page.  This query can be run by entering the navigational path displayed in our Quick Reference Guides (QRGs) to find out which role allows the user to get to that page.  For your convenience we have downloaded the results of that query run "Wide Open" meaning, leaving the navigation blank and running it for all 'Z' roles that have access to all pages in the CS Pillar.   Keep in mind, not all roles can be granted by a Local Security Administrator.  Those that are available for colleges to grant are designated with the ZZ Local Security Admin role after them.  When reviewing the attached workbook, filter the results to only those that can be granted by a college.

Query Name: [CS] QCS_SEC_ROLE_NAVIGATION_ACCESS

Query Name: [FIN] QFS_SEC_ROLE_NAVIGATION_ACCESS

Query Name: [HCM] QHC_SEC_ROLE_NAVIGATION_ACCESS

8/16/21:  Security Support on SF/FA Roles + SF/FA Relevant SACR Security
  • Pre-Requisite: Watch the recording of the DG4 Session on SF Roles
  • Pre-Requisite: Watch the recording of the DG4 Session on FA Roles
  • Pre-Requisite: Review the SF and FA Job Aids
  • Review Progress on Workbooks: All Employees [Cycle #2] and CS Roles for Staff Tabs
  • Discuss Recent Changes in Security Views - Tara <15 minutes>
  • Meeting Recording
College Agenda Items
  1. From South Puget Sound 8/11/2021:
    1. I know we have a security Job Aid Document for SF pillar, do we also  have one for CS, FIN, HCM pillars? If yes, can you please guide us.
      1. SBCTC Response: Here is a link to all available Security Job Aids:  CS Security Job Aids
8/23/21: Security Support on Finance and User Preference Definition & Grants Security
  • Pre-Requisite: Watch the recording of the DG4 Session on Finance Roles
  • Pre-Requisite: Make sure you have gone through Module 5 and passed the module test prior to attending.
  • Review Progress on Workbooks: All Employees [Cycle #2] and FSCM Roles for Staff Tabs
  • Meeting Recording

Sample Deck from DG5 Session for Insights into Topics:

College Agenda Items
  1. From South Puget Sound on 8/16/2021:  
    1. Is there a list of queries by pillar?
      1. SBCTC Response:  Here is a link to SBCTC Data Services ctcLink PeopleSoft Reporting, including departmental contact information. Here is a link to Most Used and Favorite Queries.
    2. Please cover what can change (access to queries and screens, et al) in Security on a PUM release and when a function change can impact a user that is actually unrelated to security.  Is security reset every time there is a change?
      1. SBCTC Response: There are times when a PUM release introduces new pages/components.  In those cases the Security team will need to determine whether this access is added to existing roles or grant via a newly created role.  Other times a PUM release could change the requirement for how additional security is maintained, meaning that before a User Preference Definition setting did not require a value, but due to a change in the PUM release a new required value must now exist to continue the use of a specific page. These are not always disclosed by Oracle upon release and are often discovered during testing.  Security role assignment in Production does not change with a PUM release, but the underlying permission lists can change should Oracle introduce a change to a component associated with an existing role.
  2. From Bates on 8/16/2021:
    1. I built out the Instructions sheet of our Security workbook to have both the content but also more tracking, supporting information & deadlines. I haven’t changed the sheet tab name and I didn’t see where there were any references. To me it looked like a readme.txt file  from the old days. Now that I’m about finished, would you check to see if any of my additions impacted calculations. I only modified the first sheet in the security workbook.
      1. SBCTC Response: The instructions tab just provides in writing the information given in the initial session for our security support meeting series.  There is no impact if colleges choose to leverage this page for their own note taking or tracking of progress.
  3. From Columbia Basin on 8/16/2021, 8/18/2021:
    1. I am working to figure out what steps are needed for sprint 1 test, and on the ctcLink reference center page for HH 001.09 (http://ctclinkreferencecenter.ctclink.us/m/102447/l/1364664-hh-001-9-enter-and-process-absence-takes) that about 1/3 of the way down it lists 5 steps in the test process. But  then if you scroll about 2/3 of the way down, when it describes the  security matrix mapping info, it lists 8 tests, and so does the google  shared security doc.  Which listing of tasks is correct? (1.9.3 is the same as 1.9.6, 1.9.4 is the same as 1.8.4 from  the previous step, and 1.9.5 is the same as 1.9.8.)
      1. SBCTC Response: The order of execution for some UAT tests can be confusing.  Depending on the decision box, a tester may follow only a portion of the test steps, not all.  We provide in the UAT Sprint 1 and Sprint 2 tabs, all steps and the security needed to perform each step.  Part of the work in security as it relates to UAT is to review the materials in advance and determine who should be performing which tests and if any are not relevant, those can be marked as n/a.
8/30/21:  Follow-Up on Self-Paced Security Training Module 2 & 3, Local Security Management Discussion
  • Pre-Requisite: Make sure you have gone through Module 2 & 3 and passed the module tests prior to attending.
  • Come prepared to login to SVL.
  • Share Your Expertise!  45 minute discussion  POSTPONED UNTIL 9/8/2021
    • Colleges who checked "Yes" in their Tools and Practices/Policies Chart for one or more of these items will chat briefly about their experiences and plans:
      • Row 1 - Ticketing System
      • Row 5 - Template to Communicate Access Requests
      • Row 12 - Require Secondary Approval
  • Meeting Recording
College Agenda Items
  1. From Bates on 8/16/2021:
    1. I built out the Instructions sheet of our Security workbook to have both the content but also more tracking, supporting information & deadlines. I haven’t changed the sheet tab name and I didn’t see where there were any references. To me it looked like a readme.txt file  from the old days. Now that I’m about finished, would you check to see if any of my additions impacted calculations. I only modified the first sheet in the security workbook.
      1. SBCTC Response: The instructions tab just provides in writing the information given in the initial session for our security support meeting series.  There is no impact if colleges choose to leverage this page for their own note taking or tracking of progress.
  2. From Renton on 8/20/2021:
    1. Are faculty supposed to do any testing for UAT? There are 3 tasks in the Security workbook for UAT testing that seem to be for them, but not sure if we should include them or not. CH.001.4.5 - Instructor Accepts/Rejects Contract on Faculty Center, CC.003.5.3 Enter Student Alert in Faculty Center (Fluid), CC.004.2.2  Assign Grades in Faculty Center Grade Roster
      1. SBCTC Response: Faculty can engage in UAT Testing to confirm that a FWL Contract appears in their Faculty Center and can also use the UAT environment to verify that they see enrolled students in the Class Roster and can view grading information in Sprint 2, End of Term testing.  Each college makes a choice about how they involve faculty in their testing process.  There is a step in the End of Term where colleges may engage faculty in grade entry, or may opt to make themselves as faculty, assign themselves to a class with grading access and then perform the grade entry.
  3. From Lake Washington on 8/23, 8/26/2021:
    1. I could not find the roles below in my DG6 Security Matrix Workbook in any of the tabs while I was working on assigning roles to my SF staff. These are all roles listed in the Student Financials job aide.
      1. ZZ_CC_QRY_RPT_TBL - This role recently underwent a name change to remove the underscores.  This was done to remove the impression that this role was related to query record access.  The role in fact is associated with a custom page built to support access to data used during FAM Dual Processing.
      2. ZD_DS_QRY_STUDENT_FINANCIALS - This role exists at the far right end of the CS Roles for Staff tab.
      3. ZD GL Inquiry - Role name corrected to ZD General Ledger Inquiry and exists in the FSCM roles for staff tab.
      4. ZD AR Inquiry - Role exists in the FSCM pillar.
      5. ZD SF Corporate Accounts - Role does not exist in ZD form. Will need to research why it is not in PRD.
      6. ZD SF Customer Accounts - Role exists in CS pillar and workbook.
      7. ZD SF Processing Inquiry - Role exists in CS pillar, missing from workbook, but will be added.
      8. ZZ SF Group Processing - Role exists in CS pillar and workbook.
        1. SBCTC Response: See notes in line above.
    2. If I am masking SSN, but granting query access like ZD_DS_QRY_FA_SSN_HIGHSENS and other highly sensitive data roles then what would a person be able to see from these queries if they can’t see the SSN? Would the queries still return useful information when run?
      1. SBCTC Response: Masking applies to page behavior and search results.  Query record access to highly sensitive data is controlled by the Query roles.  The two do not interact.
    3. On  the Workforce Development Security Aid the role ZZ SS Advisor is no  listed as a recommended Processing & Correct History role. If our Workforce Development staff do advise a caseload of students in addition to their Workforce specific duties would it be appropriate to give them this access as well?
      1. SBCTC Response:  Yes, and you would do so by having the instructor listed on the Instructor/Advisor table, which would trigger the dynamic role assignment. Marking that role in the Security Workbook would mean that you want that entry added upon load.
    4. We were recently presented with the option to do an optional instructor/Advisor table file to have Faculty Workload Project Team mass upload in the back end instead of us doing the work. How does this step affect us indicating in the Security matrix that we want to give people the ZZ SS Advisor and ZZ SS Faculty roles?
      1. SBCTC Response:  You still need to move FAC and PTF to the CS pillar for masking definition or additional roles.
    5. Why would I give someone this role over this one for class search capabilities: ZD CM Course Catalog vs. ZZ CS Search Class Cat Faculty
      1. SBCTC Response:  The role for faculty grants access to an expanded period of terms.
  4. From Walla Walla on 8/23/2021:
    1. Can you please explain more about this role, and typically who would have it on campus?  CH.001.4.3-Approve/Deny Instructor Contract: CTC_FWL_WAnnn_ALL_APPROVER Super Approver (typically only 1 or 2 staff would have this)
      1. SBCTC Response: This role is applied when a college is using the custom approval process for FWL.  Typically this would be assigned to the HR staff person responsible for ‘unsticking’ contracts that are awaiting approval and have been sitting with someone too long in an unapproved status, possibly due to being out or unable to access the system.
College Questions Previously Posed:
  • What are other colleges using to verify the identity of users to delete their hint question answers?  What is recommended that we lookup using ctcLink to verify identities (note: not all students provide SSNs)?  Note: we plan on our Help Desk employees to have the rights to delete the password hint answers.
    • Response from SBCTC
      • College decision - there is no SBCTC policy or guideline
      • One district uses Birthdate, Mailing Address, SSN, email address..."Sometimes we had to be creative..."
      • NavBar > Navigator > Campus Community > Student Services Ctr (Student)
      • Role:  ZD CC Personal Info Student
      • ctcLink Security Listserv info page:  Mailman eLists
      • ctcLink Security Listserv subscription page: ctcLink-Security
  • How often are roles updated in the UAT environment via the Google Workbook?   If we need to make changes during UAT testing, can make live updates?
    • Response from SBCTC - We load what you have in Security Workbook (google sheet) as of the end of business on the deadline date for UAT security workbook load.  You can make adjustments yourself during UAT, but please make sure those are reflected IN YOUR WORKBOOK by the second 'All Employee' deadline for security workbook load or you will lose them when we load again in September in preparation for Go Live.
  • We would like to create our own checklists for assigning permissions based on areas of responsibility.  Have other colleges done this that you know of?  Is there a template to get started?
    • Response from SBCTC
      • SBCTC College Relations/Triage Manager asked to reach out to colleges for info
      • ctcLink Security Listserv info page:  Mailman eLists
      • ctcLink Security Listserv subscription page: ctcLink-Security
  • “User Profile creation process is run periodically in Production to establish an initial User Profile when an active job record is established in the system.” How often is “periodically”?  Note: we often get  questions on such timings from our end users.
    • Response from SBCTC:
      • CS:  M-F Hourly 7 am - 7 pm
      • HCM: 8 am, 11 am, 2 pm, 5 pm
      • FIN: 7 am, 10 am, 1 pm, 4 pm
      • We created jobsets for all security related process in the pillars. So the times above include user profile, dynamic role and SJT processes as needed.
Additional Documentation - Sample Files Shared in Draft Form for Local Security Support

The files below were kindly provided by Everett Community College and are still in draft form.

9/8/21: Security Support on SACR Security in CS, Local Security Management Discussion Follow-Up
  • Share Your Expertise!  45 minute discussion
    • Colleges who checked "Yes" in their LSMP: Tools & Practices Security Workbook tab for one or more of these items will chat briefly about their experiences and plans:
      • Row 3 - Ticketing System
        • Clover Park - replacing existing ticketing system soon
      • Row 7 - Template to Communicate Access Requests
        • Clover Park
        • Columbia Basin - eForms approval mechanism
      • Row 14 - Require Secondary Approval
        • Clover Park
  • Meeting Recording
9/13/21: Security Support on Finance and User Preference Definition & Grants Security
  • Pre-Requisite: Watch the recording of the DG4 Session on Finance Roles
  • Pre-Requisite: Make sure you have gone through Module 5 and passed the module test prior to attending.
  • Review Progress on Workbooks: All Employees [Cycle #3] and FSCM Roles for Staff Tabs
  • Meeting Recording

Sample Deck from DG5 Session for Insights into Topics:

College Agenda Items
  1. From Renton on 9/8/2021:
    1. When will the Cycle 3 information be added to the workbooks, and what  would be the best way to sort through any changes as a result?
      1. SBCTC Response: deferred to 9/20/21 session
9/20/21: Security Support on Human Capital Management
College Agenda Items
  1. From Renton on 9/8/2021:
    1. When will the Cycle 3 information be added to the workbooks, and what would be the best way to sort through any changes as a result?
      1. SBCTC Response: You should start to see the Cycle #3 data in your workbooks today, if not the week before.
  2. From Shoreline on 9/13/2021:
    1. What is the function of the "Alternate Character Enabled" checkbox on the FSCM UPD Overall Preferences page?
      1. SBCTC Response:  Per PeopleBooks - "Select to activate alternate description buttons or links, which appear to the right of fields on many of the application pages. Click a button or link to enter or display alternate characters on the auxiliary page that appears."  Essentially, this is for implementations of PeopleSoft where the local language requires special characters.  In FSCM, this primarily applies when PS is implemented with Japanese as the local language.
  3. From Renton on 9/13/2021:
    1. I wanted to ask a question regarding the roles for staff as assigned from the UAT tab in the security workbook. There are roles in which it provides an option via an ‘or’ statement. For example CF.012.4 Manage Collections suggests assigning the roles ‘ZZ SF Processing Inquiry’ or ‘ZZ SF Collections’. In situations like this how  should we be choosing which role is better to complete the task? Would it be better to assign 1 of those roles or would you suggest assigning both of the roles so that the user has full access to the tasks they are assigned? We appreciate any insight you can provide us.
      1.  SBCTC Response:  Use the queries QCS_SEC_ROLE_NAVIGATION_ACCESS (CS), QFS_SEC_ROLE_NAVIGATION_ACCESS (FSCM) and QHC_SEC_ROLE_NAVIGATION_ACCESS (HCM) to run a query extract to open in Excel to see all possible menu navigation paths and which role grants access to a particular path.  Run each of these queries with the parameters as:
        1. Navigation like: % (using the percent symbol as wildcard)
        2. Role Name like %: Z% (to select all roles that being with Z)
      2. Filter the output to the two roles listed as an option on the workbook.  Based on the access being granted by each role, determine which role is the more appropriate role to be granted to the user at Go Live. This is the role to be chosen for that user to test with, as we want users to test with their production role set.
  4. From Clover Park on 9/17/2021:
    1. I was wondering if you could help understand the importance of the AS of Date field in the overall preferences page.  Training references the combo edit process. Is it referring to when the  combo code was created when the emplid was created in HCM. Seems like a  specific date to call but would like to understand it more. If you could  point me a direction it would be really helpful. As of Date: Displays the default as of date for the Combo Edit process.
      1. SBCTC Response:  researching...
  5. From Lake Washington on 9/17/2021:
    1. ZC AA Advisement Reports, ZC AA Local Configuration not in Security Workbook
      1. SBCTC Response: These roles were removed recently from production and therefore the workbook.  Use ZC AA ADVISEMENT REQUIRE in place of ZC AA Advisement Reports and ZC AA Local Configuration (a role that had invalid access associated by the vendor as was removed).
    2. ZC AA Advisement Exceptions in workbook but not in CS Pillar Security powerpoint list of ZC roles or in reference center
      1. SBCTC Response: This is a new role, recently added that was not in the prior power points.
    3. I asked this question a few weeks ago and was told this answer (also listed in the reference center as the answer): ZD_DS_QRY_STUDENT_FINANCIALS - This role exists at the far right end of the CS Roles for Staff tab.  I cannot find this in my workbook. Please let me know if I am just missing it. I see this role ZD_DS_QRY_STUDENT_FINANCE but not the other one.
      1. SBCTC Response: The second role name is correct.  
    4. ZZ SF Running Start security role- Information for what pages this role has access too is not included in the reference center. Can you please  provide more info about pages this role is able to see? This UAT step is really confusing our group: http://ctclinkreferencecenter.ctclink.us/m/102448/l/1364733-cf-003-2-add-student-running-start It  seems like our Running Start staff should be inputting most the information required however the Security Role required is ZC SF  Processing Advanced and just does not seem to be a role we should be providing a Running Start advisor. 
      1. SBCTC Response: pending
    5. Where is the best place for me to look at a list of all the queries that exist per pillar and what kind of information they should be able to access?
      1. SBCTC Response: MetaLink inventory available in the Data Services section of the agency website, www.sbctc.edu
    6.  I cannot find this role in the security workbook either: ZZ PT Report Manager.
      1. SBCTC Response: This role was recently removed from production access.
    7. Also, do we have an update on whether this role will be available in the workbook: ZD SF Processing Inquiry?
      1. SBCTC Response: researching...
9/27/21 - Revision Security  on Finance and User Preference Definition & Grants Security
  • Meeting Recording
  • Meeting Topics:
    • User Preference Definition for GL
    • Difference Between Options and Defaults in UPD
    • Advice on Using LaunchPad to copy UPD values from user to user
    • All Employee's Cycle #3 Data has been loaded.
    • UAT Sprint 1 tab - Finish assigning primary and backup testers by 10/1.
College Agenda Items
  1. From Lake Washington on 9/20/21:
    1. For TAM colleges, is the ZZ Careers WAnnn role automagically assigned?
      1. SBCTC Response: yes
10/4/21 - Open Q & A on Security Workbooks
College Agenda Items
  1. From Lake Washington on 9/27/21:
    1. I had a question for you about security related to student groups. I  know for staff to be able to update a specific student group, they must have ZZ access to that specific group. Do they also need to have inquiry (view) access to see any other student groups that a student might be assigned to? For example, my TRiO program will have the ability to activate/inactivate their specific students, but they would also like to be able to view some of the other groups their students might be in. I believe this information can also be accessed through the Advisor Center  but again, I am unsure if advisors can only see student groups for which they have been given view access. 
      1. SBCTC Response: pending
  2. From Clover Park on 9/27/21:
    1. I have a question on Pcards and security roles. The training for Pcards  makes it seem like you only need access to create a Req/PO, if the Pcard is attached to the user. I want to ensure we are setting the right  permissions. Are there other roles we need to have?
      1. SBCTC Response: pending
  3. From Walla Walla on 9/28/21 and 10/1/21:
    1. If we adopted TAM, would all employees need to be given at least the ZZ Interested Party role in HCM given that anyone can serve on a search  committee?  
      1. SBCTC Response: pending
    2. Is there a resource for assigning query roles for supervisors? I’m inclined to provide them with non-sensitive data queries, but would appreciate some guidance.
      1. SBCTC Response: pending
  4. From South Puget Sound on 9/28/21 and 9/1/21:
    1. Can you please guide us to any documentation related to Delegation?  I see this - http://ctclinkreferencecenter.ctclink.us/searches?utf8=%E2%9C%93&text=delegation&commit=Search We wanted to know if there is any better overview of who all should have this role, documentation and how do we assign in each pillar?
      1. SBCTC Response:  Delegation is a separate role in the Finance Pillar, but comes as part of Employee Self Service and Manager Self Service in HCM. Below are a few links about Delegation:
        1. Finance Pillar - Expenses Travel Authorizations
          1. 9.2 FIN - Accept Delegated Authority
          2. 9.2 FIN - Create Delegation Request
          3. 9.2 FIN - Reject Delegated Authority
          4. 9.2 FIN - Review of Delegation Request
          5. 9.2 FIN - Revoke Delegation
        2. Finance Pillar - Expenses Cash Advances
          1. 9.2 FIN - Accept Delegated Authority
          2. 9.2 FIN - Create Delegation Request
          3. 9.2 FIN - Reject Delegated Authority
          4. 9.2 FIN - Review of Delegation Request
          5. 9.2 FIN - Revoke Delegation
        3. Finance Pillar - Expenses - Expense Reports
          1. 9.2 FIN - Accept Delegated Authority
          2. 9.2 FIN - Create Delegation Request
          3. 9.2 FIN - Reject Delegated Authority
          4. 9.2 FIN - Review of Delegation Request
          5. 9.2 FIN - Revoke Delegation
        4. Finance Pillar - Employee Self Service - Expenses
          1. 9.2 Delegate Entry Authority
        5. Human Capital Mgmt Pillar - Employee Self Service
          1. 9.2 Creating and Accepting Absence Mgmt and T&L Delegation (Using Fluid Tile)
    2. If a user has a role ZZ Requisition entry assigned, then the user populates in UPD Requisitions tab of google docs. So, are there are any default values for user preferences that we can add? Are we simply copying what is provided in the SAMPLES but choose between the two if it mentions Y,N. Please see examples below:
      1. For Requisitions in the Override Preferred Supplier column – does it always  have to be N? And for Requestor User Auth Add we can select either Y or N? Please confirm so we can follow the same or other tabs in google doc.  See SPSCC Screenshot 1 below.
        1. SBCTC Response: We have improved the examples in your workbook, but essentially yes, if it states 'Y' in the sample, use the 'Y' if it states 'N' in the sample, use the 'N' and if it states Y or N, then choose one of the two options.
      2. Same thing for Asset Management. Will AM Integration always be N and Edit Review AP/PO Information as ALL? See SPSCC Screenshot 2 below.
        1. SBCTC Response: Where applicable we have marked items as 'Always N' otherwise, we will list the 'Y or N' option.
    3. Where do we enter Primary, Row Security for user profiles in Google Doc?  Do they have default values when uploaded initially even though we don’t provide? See SPSCC Screenshot 3 below.
      1. SBCTC Response: these are assigned for you upon load.  They are not entered into the workbook.  The HCM Roles for Staff tab does have a column to identify those users who need the TL Superuser row level permission.
    4. For the UPD tabs which auto-populate, if we remove someone from the <Pillar> Roles for Staff tabs, do they automatically get removed from the UPD tabs?  How does the Match column work and what do we need to do manually to make sure  the data in the UPD tabs is accurate when we need to remove someone?
      1. SBCTC Response: Yes, they will be removed from the additional security tabs.  Once you have entered values for the user, enter the SID to 'anchor' those values to the right of the Match column to the user's SID.  This way if the users on the left shift due to role additions or removal you can shift the rows accordingly based on the SID entered in the Confirm SID field.  This was covered in the recording from our meeting on 10/13 around the 15 minute mark.
    5. For UAT, we know in the CS Pilar, we will be entering test/fake students for the enrollment tests and will continue using those test students downstream for tests in FA and SF areas. For the HCM pillar, we will be entering test/fake  employees when doing the Hiring tests (we will not be using TAM).  However, for payroll tests, will we be using existing SPSCC employees that are already in the test environment or will we continue to use the test employees we created during the Hiring tests?
      1. SBCTC Response: We recommend using both.  Your Full time, salaried employees are automatically included in your payroll testing.  
    6. Could you please also advise on how and where do we enter route control value on google doc as well?
      1. SBCTC Response: We load that for you for the relevant roles.  You just need to remember to do it for any approval role you manually enter.
    7. So, if a user has ZZ TL Process Time, then the user needs CTC_240_Tl_SUPERUSER as the Row level security right per below SPSCC Screenshots 4 and 5 below.. What would be the default value after the initial load? Because, I see CTC_PT_ALLDISTRICT_ROWSEC as the value for your username, let’s say if we give you ZZ TL Process Time and I am trying to understand how can CTC_240_TL_SUPERUSER overwrite the default value. How many values can actually be in Primary/Row Level security.
      1. SBCTC Response: The users who you check in the TL Superuser column on the HCM Roles for Staff tab will get the TL Superuser row level security assigned to them.
    8. I’m feeling really behind in get the Google workbook updated. My Security Team is using a separate spreadsheet to collect data from supervisors and process owners on what roles individuals need to do their jobs.  I’m trying to update the Google workbook with their data, and I have a few questions for you about the security workbook:
      1. Where should we be at this point in terms of completing various tabs in the  workbook?  We were focused on assigning UAT and getting those folks  ready to add to the Google sheet, but you mentioned in the 8/23 meeting that you expected to see all employees’ Extra Roles columns completed by the end of last week. I feel like each session adds more things to do and their  piling up to the point where I cannot figure out where to start or how well we are progressing.
        1. SBCTC Response: We expected folks to have identified who needed to be moved to the pillar Roles for Staff tabs by that date.  You have two deadlines, have your tester security ready by 11/1 and have the rest of your employees ready by 12/30.
      2. Is the SVL being used to create the roles in Production or will the Google  sheet be used in the final conversion at Go Live.  There’s some confusion in on our group about how that will work because we are supposed to be keeping the Google sheet updated throughout UAT but also updating roles in the SVL? It seems redundant. 
        1. The slide deck from our security kickoff states “1/2/22 to the week of Go  Live – Review and Refine Security in SVL (College Teams). How does this  apply to DG6c when our Go Live is in May? 
          1. SBCTC Response: We are reviewing granting a role load extension or possible second 'All Employees' load for Groups B and C.
SPSCC Screenshot 1
SPSCC Screenshot 2
SPSCC Screenshot 3
SPSCC Screenshot 4
SPSCC Screenshot 5
10/13/21: Open Q & A on Security Workbooks

Notice:  A request was made to extend the security workbook load deadline for UAT Testers from the 10/22/2021 date.  We have reviewed the flexibility we have in the schedule and made some minor adjustments to our approach and can accommodate a shift to Monday, 11/1/2021 @5pm and still make our conversion timelines.

College Agenda Items
  1. From Lake Washington on 10/6/21 and 10/12/21:
    1. Would  you need ZD TL Admin View Config, ZD TL Admin View Enrollment, ZD TL  Admin View Time, or ZD TL View Local Config if you have ZZ TL Maintain  Local Config or ZZ TL Process Time roles? 
      1. SBCTC Response: pending
    2. Who would need these roles? ZC Absence Mngmt Central Confi or ZC HR Central Configuration? 
      1. SBCTC Response: pending
    3. ZD_DS_QRY_HCM_DATA_SERVICES Who Needs This? 
      1. SBCTC Response: pending
    4. What does the role ZZ Talent Administrator/ZZ Payroll Support do? 
      1. SBCTC Response: pending
    5. I was  trying to run the query below in SVL to try to figure out the questions myself, and I have all of the roles necessary but I still could not get it to work: QCS_SEC_ROLE_NAVIGATION_ACCESS 
      1. SBCTC Response: pending
    6. In  addition, on the SACR Tabs I have folks who are not populating over from  the previous tabs and are leaving blank spots. I have not edited anything in columns A-H on any of the tabs. Second, If I just want people to view not enter in information in SACR-TEST ID tab should I list the tests I want them to view. This is most folks on my list. Is there another role I can give them so that they can see test scores?
      1. SBCTC Response: pending
    7. The LWTech Security workbook HCM pillar HCM Combo Code column still does not work properly. It just says loading when I try to enter in anything in that row. In addition I still do not see a ZZ Local Security Admin role in the HCM or the FSCM tabs.
      1. SBCTC Response: Fixed in the workbooks now.
    8. What does the ZZ Grants Processing role do in the FSCM pillar?
      1. SBCTC Response: The ZZ Grants Processing role will allow them to create a proposal and submit the proposal.  Most of the colleges already have the grant awarded to them before they ever enter it into ctcLink.  Colleges will need to enter a grant in as a proposal so that they can create a budget.
  2. From South Puget Sound on 10/31/21:
    1. Could you please clarify:  If a person has Requisition Processing for one area but also has  Requisition Approver for another, they only show on the UPD –  Requisitions tab once.  How do you distinguish between one and the other. Do we add user preferences for both roles on the same line? 
      1. SBCTC Response: As far as the requisition question – both are on the same tab. The approval is controlled by the approval workflow definition. For example: If they are the department approver then it is guided by the department number in the chart string of the accounting for the  requisition. All approvers could be requesters as well as approvers. Most likely not all requesters are approvers.
    2. Also,  I cannot find the ZZ Treasury Integration role on the FSCM Roles for Staff, but it is listed on the powerpoint slide deck we have been using as a reference guide. Has it been removed or renamed?
      1. SBCTC Response: That role was removed and the power point will be updated.
    3. ZZ Proposal Maintenance also seems to be missing.
      1. SBCTC Response: This role was changed to ZZ Proposal Processing and has been updated in your workbooks and materials.
Treasury Cash Management slide
10/18/21: Follow-Up on Query Security Self-Paced Training in Module 6
  • Pre-Requisite: Make sure you have gone through the PeopleSoft Security Administration Canvas course, Module 6, and passed the module test prior to attending.
  • Some Query Resources in the Reference Center
  • PeopleSoft Security Administration Mod 6 Exercises discussion
  • Meeting Recording
College Agenda Items
  1. From Columbia Basin on 10/15/21:
    1. There are four security roles that I’ve been trying to assign in the matrix but cannot find in any of the Roles for Staff tabs. They are listed as required in the UAT worksheets. 
      1. ZD_DS_QRY_QUERY_VIEWER
        1. Role name corrected to ZD_DS_QUERY_VIEWER in the Security Workbooks and Online UAT Materials.
      2. ZZ Proposal Maintenance
        1. Role name corrected to ZZ Proposal Processing in the Security Workbooks and Online UAT Materials.
      3. ZZ_DS_QRY_STUDENT_FINANCIALS
        1. Role name corrected to ZD_DS_QRY_STUDENT_FINANCE in the Security Workbooks and Online UAT Materials.
      4. ZZ_DS_QUERY_VIEWER
        1.  Role name corrected to ZD_DS_QUERY_VIEWER in the Security Workbooks and Online UAT Materials.
      5. It  looks like there aren’t any ZZ Queries at all in any of the pillars, and  I’m not sure what’s up with ZZ Proposal Maintenance. There is only one Proposal role (ZZ Proposal Processing).
        1. SBCTC Response: Role names for Queries were typos and should always begin 'ZD' and ZZ Proposal Maintenance did undergo a name change in Production to ZZ Proposal Processing.  Updates in lines above.
    2. Working on the Local Security Management Plan and want to be explicit where possible (and of course know this for when we’re in production). Please correct the untruths in the following paragraph:
      1. On setting up an employee (student) initially, each needs to have a minimum set of rôles that all employees (students) get. Some/many/all of these are security rôles the system attaches as part of initialization of the record. Local LSA is responsible to manually (though uniform for that college) some/no rôles.  Discussions around what’s auto-magic and what’s not come up in our meetings but my notes are certain to be incomplete (and perhaps my added errors).  Please point me to reference page(s) where I can fill in the blanks in the following lists. 
      2. EMPLOYEE AUTO-MAGICALLY
        1. <list ‘o rôles > 
      3. EMPLOYEE UNIVERSAL MINIMUM BUT LSA AT COLLEGE TASK
        1. <list ‘o rôles > 
      4. STUDENT AUTO-MAGICALLY
        1. <list ‘o rôles > 
      5. STUDENT UNIVERSAL MINIMUM BUT LSA AT COLLEGE TASK
        1. <list ‘o rôles > 
          1. SBCTC Response: pending
    3. We’re going to instantiate a process to strip the off-boarded-but-not-working-at-another-college employee down to the minimum viable/needed nub (“down to the foundations”). When I know this, I will include a link to (what I presume will evolve over time) the ctclinkreferencenter page(s). I’m asking for the differentiation on the auto-magically/LSA universal set for the purpose of building documentation so that future LSAs will have pattern recognition. I presume this also will evolve over time, but would like to produce a baseline cheat sheet. 
      1. SBCTC Response: pending        
  2. From Bellevue 8/12/2021:  Is there a set of roles we can assign in ctcLink to allow people the equivalent access they currently have with FMSQuery (MS Access files)?
    1. SBCTC Data Services Response: The ctcLink budget reports (expenditures to allocation) that are listed in the Report Catalog are what was in FMS Query.  The Report Catalog has a listing of global reports and queries that have been created by the SBCTC Data Services ctcLink Reporting Team to support the colleges with reports on various topics for each pillar.  Please refer to the section on Budget  Reports. Here is a link to the Report Catalog.  https://www.sbctc.edu/resources/documents/colleges-staff/data-services/peoplesoft-ctclink/report-catalog.pdf   The following roles will give access to all of the Finance pillar Budget Reports listed in the “Budget Report” section of the report catalog.
      1. ZD_DS_QRY_COMCNTRL
      2. ZD_DS_QRY_GEN_LEDGER
      3. ZD_DS_QRY_BILLING
      4. ZD_DS_QRY_EXPENSES
      5. ZD_DS_QRY_PURCHASING
    2.  The following roles will give access to the HCM pillar Budget Report query listed in the “Budget Report” section of the report catalog.
      1. ZD_DS_QRY_PAYROLL
      2. ZD_DS_QRY_PAY_GARN_HIGH_SENS
      3. ZD_DS_QRY_HRCORE
  3. From Shoreline on 10/18/2021:  In today’s security sessions you mentioned that we could do some practice query training. Could you provide some direction as to what training you  were referencing and how we can access this? Are these canvas trainings?
    1. SBCTC Response: Yes,  the Data Services team has a page on our agency site that provides this information (link below) and I’ve highlighted the two areas you are  seeking: https://www.sbctc.edu/colleges-staff/data-services/ctclink-peoplesoft-reporting.aspx
ctcLink PeopleSoft Reporting screenshot
10/27/21 : Review Outstanding Issues w/Security Workbook Entries Prior to Load into the SVL
College Agenda Items
  1. From Lake Washington on 10/18, 10/19, 10/20, 10/21 and 10/25/2021:
    1. Have you all considered having a contact information list for every Local Security Admins at each of the CTC schools? This came up in our Data Governance committee in our Local Security Management discussions about related to onboarding and offboarding employees who have worked at or are currently working at other colleges in the SBCTC system.
      1.  SBCTC Response: pending
    2. Also I was wondering if someone could go over what to do on the SACR Pop  Update tab for Pop Select Security. The instructions on the reference center are not enough information for me to figure out what to do here.
      1. SBCTC Response: pending
    3. Could someone explain what this FSCM query is for? I could not find it in the Common Tables for Reporting Excel Doc:  ZD_DS_QRY_STF_PROCESS | ZD_DS_QRY_STF_PROCESS_HIGH_SEN
      1. SBCTC Response: pending
    4. Also we are working on the SACR tabs in our workbook, the match column in the SACR-Service Ind tab is not turning green for us when we try to confirm an “SID” to lock it. Also do you also have an eta of when the folks that aren’t carrying over and showing as blanks in the workbook will be present?
      1. SBCTC Response: pending
    5. Why aren’t the individuals assigned to the ZC AD App Entry role in the CS Pillar needing additional SACR Admissions Action Security?
      1. SBCTC Response: pending
    6. One more question, In the FSCM pillar the Query Viewer role is given  automagically to staff? And can you confirm that giving budget managers access to run queries in FSCM by giving them the query ZD_DS_QRY_COMCNTRL role gives them access to reconcile their budgets.
      1. SBCTC Response: pending
    7. I am having another issue with the LWTech Security Workbook. One of our staff is not funneling over from the CS Roles for staff tab to the SACR tabs at all: Alexandra Wallace.
      1. SBCTC Response: pending
    8. Maybe you have already done this, but if you could also forward over the fact that we have multiple SACR tabs which the match feature is not working when we confirm the SID that would be great!
      1. SBCTC Response: pending
    9. I found 4 staff members who have the ZZ CC 3Cs User role or the ZZ CC 3Cs  Mass Change role, but are not funneling over to the SACR 3C Group tab. They are Lino Martins. April Ake, and Asma Abdulrahman. Also, the UPD AR Processing tab is not funneling folks who have the roles required for additional UPD at all.
      1. SBCTC Response: pending
    10. I also have the one other employee who is not funneling over at all to other tabs: Alexandra Wallace. Are all my previous questions listed on the College Agenda Items page?
      1. SBCTC Response: pending
  2. From South Puget Sound on 10/26/2021:
    1. If  a user has been assigned to ZZ Req Entry, ZZ Req Processing and ZZ Req  Approval but UPD is assigned just for Entry, will this work, and if so  how? Is user’s access restricted to Entry but they can see the pages for Processing and Approval?
      1. SBCTC Response: pending
    2. Same question for PO Processing… ZZ PO Entry, ZZ PO Processing ZZ PO Approval?
      1. SBCTC Response: pending
    3. UAT question for “Search for an existing purchase order” – the Security  Workbook states they would need ZZ Purchase Order Processing role, but this is Admin role, how can we give this to a user who is not an Admin?
      1. SBCTC Response: pending
    4. We have a user who needs to be able to see PO and Req but we don’t want to  give them Processing (per UAT sheet),  What can’t we give ZD roles instead? There is ZD Purchasing Inquiry and there is no ZD Requisition Inquiry.
      1. SBCTC Response: pending
    5. Can we get more explanation about UPD - Paycycle, ZZ Payment Creation? Do we  need to fill in the Server File Destination column or does the Sample give us our current Server info? Can we get more details about if we need to setup a server to receive files and how is that folder used?
      1. SBCTC Response: pending
    6. In Security Workbook,  UPD Grant security tab:  What tree name should we use? Will it be 240_GM_SECURITY for SPSCC?
      1. SBCTC Response: pending
    7. If User X and User Y both have ZZ Req Approval, ZZ Req entry, ZZ Req  Processing, internally we know they can’t approve their own. Does the system automatically restrict users not to approve their own? How is it configured?
      1. SBCTC Response: pending
    8. In the Security Workbook, UPD-Requestions tab, how / can we add two Id's  under Requesters user auth field?  If a user is entering req entry for themselves and on behalf of another X user. We know we can do this in SVL and eventually in Production, just not sure how to show this in the workbook.
      1. SBCTC Response: pending
  3. From Columbia Basin on 10/22 and 10/26/2021:
    1. Ericka Garcia from Budget Services will be handling the Finance-only role in HCM called ZZ HR Combo Code. In the google sheet, it is highlighted in yellow as marked as “Granted to Finance Users Only”. I have added Ericka to my ‘HCM Roles for Staff” on the google sheet, but when I try to select her for the ZZ HR Combo Code security,  it just continually says LOADING… without ever giving me the option to  select that security role. Can you ask Tara for help? Am I doing something wrong since it is a restricted role?
      1. SBCTC Response: fixed 10/26/2021 11:39am TKeen
    2. SACR  – Stu Financials: Are we understanding correctly that we copy down exactly what is in rows 4, 5, and 6 based on whether they are a cashier,  FA, or SF? (With the exception of using our own college code?)
      1. SBCTC Response: pending
    3. SACR  – Program: Cell C6 has incorrect coding but I don’t want to mess with it since these are auto-populated. All other tabs have a blank above the list of names but this row does not. It doesn’t show as a match due to the coding in C6.
      1. SBCTC Response: pending
    4. SACR – Program Action: What do we mark if we ONLY want them to have access to manage student attributes but not program or plan?
      1. SBCTC Response: pending
    5. SACR – Plan: what is the alternative to ALL?
      1. SBCTC Response: pending
    6. SACR  – Application Center: What does the Wnnn code stand for? Is that supposed to be our college code? Why enter it here; is there an alternative to WA190?
      1. SBCTC Response: pending
    7. SACR – 3C Group Security: There is no key to tell us what I, U, and D stand for. Is this Inquire, Update, and Delete?
      1. SBCTC Response: pending
    8. SACR – Service Indicators: We are missing codes from our college. Should this tab list our CBC service indicators?
      1. SBCTC Response: pending
    9. SACR – Stu Group: The groups listed are not ours. Should this tab list our CBC student groups?
      1. SBCTC Response: pending
    10. SACR  – CTM Transaction: Same question as Renton. Could you please explain the impact of selecting “All” vs “Admissions Application”?
      1. SBCTC Response: pending
  4. From Renton on 10/26/2021:
    1. In the Security Workbook there is a new SACR tab – CTM Transaction for people with the ZZ AD App Entry role in CS. The options on this tab are All access or  ADMISSIONS_APPLICATION I wanted to know if you could speak more on how these options would impact our testers.
      1. SBCTC Response: pending
11/1/2021 Open Q&A Session Initial Local Security Management Plans Awaiting Submission
  • DG5A Local Security Admins Discuss 'What We Wish We Knew' when they developed their local security management plans.  Special guests:
    • Benjamin St. Germain, Skagit Valley College ctcLink Project Manager
    • Donald Denney, Skagit Valley College Local Security Administrator
    • Discussion topics:
      • How does your ctcLink security day compare with your old Legacy security day?
      • How is ctcLink security morale among your students, faculty, staff and administration?  How is it within your security team?
      • What do you wish you had known three months before DG4 GoLive?  What would you have emphasized more?  Emphasized less?
      • Other thoughts and guidance?
  • DG6 Colleges - "Open Lab"
  • Show and Tell on Your Local Plan Information Gaps
  • Discuss Challenges in Your Flow Diagrams or RACI
  • Share Solutions - What Parts of Your Plan Are You Most Proud Of?
  • Meeting Recording
  • Meeting Notes <coming soon>
DEADLINE 11/5/21 - Local Security Management Plans and Finish Assigning Security Roles in Workbook for UAT Testers - Notify Security Team Workbook Readiness for Download

Notice: A request was made to extend the security workbook load deadline for UAT Testers from the 10/22/2021 date.  We have reviewed the flexibility we have in the schedule and made some minor adjustments to our approach and can accommodate a shift to Friday, 11/5/2021 @5pm and still make our conversion timelines.

Notify Jarman Singh ([email protected]), Bill Ramirez ([email protected]) and Tara Keen ([email protected]) via email that the workbook is ready to download.  If not notified, will be downloaded at midnight.

11/10/2021 Review Security Workbook Load for UAT Testers
College Agenda Items
  1. From South Puget Sound on 11/4, 11/8 and 11/9/2021:
    1. We do see ZZ Treasury Integration role in ctcreference guide and also in  PowerPoint but it is missing in security workbook google doc. Please assist.
      1. SBCTC Response: SBCTC Response: ZZ Treasury Integration role was removed as a college-accessible role in production. It needs to be updated in the reference center materials. It will get cleaned up across various resources that show it as a college-facing role.
    2. Can you please verify that all of our Service Indicators have been updated in our Security Workbook for SPSCC?   I am attaching a copy of our submitted homework that seems to show some are missing (see email "SPSSS Service Indicators" of 11/8/2021).
      1. SBCTC Response: We will reach out to make sure we get your service indicators corrected. We don’t have to load them right away -- there’s a lot of work that needs to be done so we have time.
    3. Where / when will you post the Security Support Plan examples you provided at our last meeting.
      1. SBCTC Response: We will post security plan examples in the meeting where that was the chief topic.
    4. Now that you have our workbook data, what’s the timeline for what happens next?
      1. SBCTC Response: SBCTC Response: For us, the timeline will be that everything from security workbooks gets loaded in the SVL environment around 11/18 or 19. Conversion execution commences 11/17, but they need to go through the bio demo conversation as well as job data conversion before pulling SVL security access out of the system. Once we load security and extract data out of SVL, we will release SVL for a little bit. Wouldn’t recommend doing anything in that environment until it’s refreshed in the first week of December but it will allow you to explore the environment for what we did load and see if anything about what was loaded won’t work for you. You can track changes in SVL but recognize that it won’t impact what happens in UAT. We’ll still need to apply changes in UAT. Essentially, we’re going to load to SVL and extract from SVL to load into conversion process and release to SVL but will be refreshing it once the conversion is complete 12/6-8, in time for you to get in 12/9 to take a look at SVL and UAT environments. Stay tuned.
    5. If  we need to make changes to the UAT assignments, can we enter the changes in the Workbooks and then track them so we can add to UAT environment on 12/9?
      1. SBCTC Response: Please do so and utilize the change log method. Use headers provided or create ones that work for you. May want to enter who owns it, approves it, responsible for entering in UAT, etc. UAT changes do not automatically get made in SVL.
    6. When can we expect to see our Workbook data in the SVL so we can begin updating changes? For example, if deleting roles between now and UAT, we can track the changes in the workbook, but when do we have access to the SVL make the changes there?
      1. SBCTC Response: Role additions can be added to security workbook. Next time we do all employees load, we’ll pick them up and load into SVL for you.
    7. When does the SVL get uploaded to UAT? For example, if deleting roles between now and UAT, we can track the changes in the workbook, but will need to update UAT on 12/9?
      1. SBCTC Response: Role removals are removed by you in SVL. Roles are additive and not taken away. 
    8. I believe you covered this before but we cannot find it in our records.  Can you give us a query that will tell us all of the Security Roles that have been assigned to a user including any SACR or UPD settings assigned.  Can this query be run for an individual user as well as for the entire college?  Also is there a specific list of queries that would be particularly useful for Security Administrators?
      1. SBCTC Response: We have a query that can tell roles assigned that would need to be run in each pillar. There are queries that allow you to see SACR data specific to the SACR table you are entering in. For UPD, there aren’t queries but there’s a built-in report in the FIN pillar and we can go over those later.
      2. Yes, there is a list of queries for SAs. See recording 50:10.
DEADLINE [EXTENSION APPROVED] - 11/18/21: Submit Initial Local Security Support Plans

Notify Bill Ramirez ([email protected]) and Tara Keen ([email protected]) via email to submit plans and all additional materials.

11/29/2021 Review Initial Local Security Management Plans Submitted
  • Review All Submitted Plans - Insights on Submitted Local Security Management Plans
  • Discuss Flow Diagrams and RACIs
  • Top 5 Questions Your Plans Should Answer
  • Local Material Inventory - Where will staff get their answers for how to get access (added/removed/fixed) based on your college's triage protocols?
  • Meeting Recording <will be inserted after meeting>
Recent Meetings
12/6/21 OKTA, UAT and Getting Ready for EMPLID Based Environment Access
  • Logging into Non-Prod PeopleSoft Environments Using Okta
  • Managing Okta Resets
  • Triage for First Time Account Activation
  • Verifying Loaded Security in UAT and SVL
  • Meeting Recording
College Agenda Items
  1. From South Puget Sound on 11/18 & 12/1:
    1. What security roles can be assigned specifically for help desk support? What roles give them View/Edit access to General tab of the User profile in security?
      1. SBCTC Response: It depends on what you want to give your help desk folks. If you’re not having them do security, you can give them view-only access. We typically see help desk support folks given access to OKTA account reset to assist with login issues. We must add that for you; add those individuals to your security workbook team tab and state ‘OKTA reset only.’
    2. What security roles gives access to the QXX_SEC_USER_ROLES_BY_UNIT reports, which can be assigned to users other than LSA. What additional roles are needed to give access to the tables related to these queries?
      1. SBCTC Response: ZD_DS_QUERYVIEWER & ZD_DS_QRY_SECURTIYTABLES. We will add these roles for anyone you have on your security team so you have them available in your environment.
    3. I recently found a security role I need to assign to my Instructional Administrative Assistants but I cannot find it in our Google doc. The role is: ZD CM INSTR SCHED. Has this role been discontinued or changed? Please advise.
      1. SBCTC Response: A response will be provided here as it becomes available.
  2. From Shoreline 12/3:
    1. Do you have any information about the best way to triage incoming Tech Support Services requests for UAT? Are there any lessons learned or helpful tips for the best way you have seen other deployment groups manage those requests during UAT?
      1. SBCTC Response: Typically, we see folks submitting them as issues in UAT. If they look to be security, one of the a-team can kick it your way to the security staff. We can also address questions in the room. We’ll create OTM tickets to document requests and assign them to you so you can incorporate them into your workbook and apply fixes in SVL if they’re removal-related.
    2. I had heard in a meeting that once an OTM ticket is placed that is security based, SBCTC will update those security settings on their end but this will still need to be documented by our team and adjusted in the workbook to reflect the changes for go-live. Is this correct?
      1. SBCTC Response: We try to encourage LSAs to self-support security in UAT. If LSAs aren’t available, our test coordinators will resolve on the fly and assign OTM tickets to you so you can reflect changes in your security workbook or trigger the conversation about access.
    3. Would you be willing to meet with our team (or just me if they are not available) next week to walk through a “typical” access request we might see during UAT so I can alleviate some of the stresses around the steps for our security folks and they feel more prepared for the UAT process?
      1. SBCTC Response: Yes, reach out to Kelly ([email protected]) and Alexa ([email protected]) who will find time on Tara’s calendar.
    4. As part of our UAT process, we plan to run the full onboarding process end to end with an employee who does not currently have an EMPLID in HP (they are a temp) in order to get them in the PS environment and able to participate in UAT. This would require us to add their full security settings within ctcLink as they were not part of the original submitted workbook. Is there any issues with this or anything we should know from your perspective going into this task?
      1. SBCTC Response: Great, yes, do it. You’re going to do lots of this as more folks are being added. We can go through the on-baording process in one of our drop-in sessions and record that section and make it available.
1/5/2022: [Rescheduled from 1/3/2022]
College Agenda Items
  1. From Walla Walla on 12/21:
    1. Student email: Where is the “campus” email populating from during conversion (our guess is the supplemental file if we chose to submit it)? If we don’t configure it pre-conversion, is there ability to do a post conversion batch upload for student CAMPUS email address ([email protected])? Do students have the security to change CAMPUS email address in self serve? When students receive any automated messaging, is CAMPUS email the default email address that messaging routes to or is that default completely up to the student?
      1. SBCTC Response: Student e-mails convert as 'home' rather than 'student' under e-mail address type. Tara needs to do research on batch upload for campus e-mail address. Further response pending.
    2. Staff email: We assume this is populating from PPMS for conversion. Do employees have the security to change the Campus email in self serve? (Our tests indicate they may). Can we disallow their ability to change their CAMPUS email address in self-serve?
      1. SBCTC Response: Yes, populated from PPMS unless you give HCM team the optional e-mail file. Employees do have the ability to select their campus e-mail and update their bio data. The ability to make changes is a global setting so all or nothing. Person data is global.
  2. From South Puget Sound on 12/21: (Tara, see e-mail for full context)
    1. Given this recent discovery of missing information in our Security workbook, I am growing increasingly concerned that we may be missing additional security / SACR role assignments due to these workbook omissions. Additionally, the delay in getting these updates in the workbook is creating problems for our LSAs who are trying tracking the changes they have to make in the UAT environment so that testers can complete that work. We cannot easily track each column of a SACR security tab if those columns are wrong or missing from the tab.
      1. SBCTC Response: Tara resolved/responded directly.
  3. From Shoreline on 12/28: (Tara, see e-mail for full context)
    1. We are having some issues onboarding a new employee through ctcLink.
      1. SBCTC Response: Tara resolved/responded directly.
  4. From Lake Washington Tech on 1/4:
    1. These SACR tabs in the google security workbook do not funnel in from the main CS tab for the security roles listed below. I noticed this in UAT and applied these staff the following SACR security manually. Is it possible to get this adjusted in the workbook before the load on Friday so that these staff are set with security roles for go-live?
      SACR TABS
      Admissions Action tab  ZC AD App Entry, ZC AD App Mass Change
      Plan tab- ZC AD App Entry
      Application Center  ZC AD App Entry
      Population Update  ZC AD App Entry
      1. SBCTC Response: Tara resolved/responded directly. Reiterated at 30:00 mark of 1/10/2022 Webex recording.
1/6/2022 - DG6A Special Session
1/10/2022
1/13/2022 - DG6A Extra Session
  • Webex Recording [will be posted after session]
College Agenda Items

1. From Lake Washington Tech on 1/5/2022:

  1. In the User Preferences  Process Group Definition for Vouchers UPD tab, the source transaction and process group are switched in cells W3 & W4 and X3 & X4. Some of our folks did not have either source transaction, while some only had MTCHEXCPTN even though they were marked in the workbook for both (MTCHEXCPTN & MTCHOVRD). One of our SMEs was missed entirely for all source transactions in the workbook. If I can adjust what I enter in any way so that this converts correctly for go-live, please let me know.
    1. SBCTC Response:
1/20/2022 - DG6A Extra Session
1/31/2022 - Delegation and HCM Manager Roles, Plus Open Q&A
  • WebEx Recording
  • Meeting Topics:  
    • What the College SME 'Go Live' Validation MOCK Experience will be like.
      • Colleges can expect to receive a list of HCM User Profiles for active employees at their college to review users with bad or missing emails.
      • Colleges can expect to receive a list of employee's who have a job at another ctcLink College to determine which is the employee's primary job.
      • College PMs can expect to receive the password for the ALL ACCESS account for their college.
      • Users will log in using their EMPLID and a default format password.
    • Deadlines for All Employee Security Workbook download for DG6B (2/4) and DG6C (3/1).
    • Confirmation of certain security roles:
      • Roles with 'Data Services' in the role name are not for college use, as they are intended for the Data Services analysts at the State Board.
      • LSAs needing access to security queries need only the Query Viewer role and ZD_DDS_QRY_SECURITY_TABLES role.
      • ZD SF Returns role is missing from the Security workbook.  Agreed to add it to all workbooks.
2/7/2022
  • WebEx Recording [pending]
2/14/2022
  • WebEx Recording
  • Meeting Topics:  
    • Update as of 2/11: More new queries and a CS BI Publisher report now in Production
      • The BI publisher report is called BCS_SEC_SACR. It is a combined report for the QCS_SEC_SACR%COMPARE query data in a Connected Query for a single user, Runs to Excel. Must be run from Reporting Tools > BI Publisher >Query Report Scheduler. It also includes Student Financials SACR.
        • To run:
          1. Reporting Tools > BI Publisher > Query Report Scheduler
          2. Create a new run control (I suggest the name of the report): BCS_SEC_SACR
            *This only has to be once and then the parameters only updated
          3. Data Source Type = Connected Query
          4. Report Name = BCS_SEC_SACR
      • There are new queries: A new Compare query for SACR Student Financials security: QCS_SEC_SACR_SF_COMPARE
      • There is also an assumption in this reporting that a user with Business Unit security will have Institution Security. This query will identify any employees that do not have Institution Security but do have a Business Unit SF security assigned: QCS_SEC_SACR_SF_BU_NO_INST
      • Please continue to reference the reporting catalog as our amazing data services team continues to provide more tools for us! https://www.sbctc.edu/resources/documents/colleges-staff/data-services/peoplesoft-ctclink/report-catalog.pdf
College Agenda Items
  1. From South Puget Sound on 2/14/2022
    1. I was adding some SACR security to an employee on Friday and I saw that there appeared top be new SACR tabs in the UAT and also in SVL, that I have never seen before and are not included in our security Workbook. The new options I saw are: Graduation Status Security, Academic Item Registry Admin, CTM Transaction Security, APT Action Security, Notification Consumer Security. “CTM Transaction Security” is in our workbook, but there are additional options in the UAT and SVL environments that are not in the workbook. I also cannot find any information on these options on the website. Are there directions for these new options? Will they be added to our workbook, or will I need to update these specific SACR options in the SVL environment?
2/23/2022
3/30/2022
  • Webex Recording not available

Recent Security Training Materials on FSCM

Important Queries for Checking Role Assignments in CAG

Qxx_SEC_USER_ROLES_BY_UNIT (QCS in CS, QHC in HCM, QFS in FSCM)

- Allows LSAs to dump down all roles assigned to staff with active jobs at your college.

Qxx_DS_QUERY_RECORD_USER_RPT  (QCS in CS, QHC in HCM, QFS in FSCM)

- Allows LSAs to compare a Query to a User to see what roles might be missing.

Qxx_SEC_ROLE_NAVIGATION_ACCESS - (QCS in CS, QHC in HCM, QFS in FSCM)

- List of menu navigation paths and the security roles that grant access to a page.  Also gives insight into what ELSE that role grants access to.  Might be helpful to download all navigation  and "Z" roles and distribute to your approvers.

SIDE NOTE: If sending a complete dump of all navigation and roles, it is recommended to remove all roles that LSAs at a college cannot grant before distributing to role approvers so they do not get confused.

QCS_SEC_SACR_BASE_SECURITY_DTL

- Allows LSAs to view SACR Security Baisc + Program, Plan, Transcript Type, Student Financials

4/11/2022
  • Topics for Today:
    • Key Queries Added to Local Security Management Overview
    • Reviewing User Profiles for Permission Lists and Emails
    • Companion Role Cross-Check - Using the Qxx_SEC_USER_ROLES_BY_UNIT  query to ensure companion roles are in place
      • Query name differs by pillar: (QCS in CS, QHC in HCM, QFS in FSCM)
      • Query designed to allow LSAs to dump down all roles assigned to staff with active jobs at their college.
      • Companion Role Checks:
        • All users with an AWE/Approval role should also be able to delegate (ZZ Delegation).
        • All users with a role granting page access that requires Query access.
        • CAMPUS SOLUTIONS
        • Business Role:  ZZ FA CTC Reports
        • Query Dependency Role(s): ZD_DS_QRY_FA_SSN_HIGHSENS, ZD_DS_QRY_FINANCIAL_AID
        • Business Role:  ZZ SF Charges and Payments
        • Query Dependency Role(s): ZD_DS_QRY_SF_BANK_HIGHSENS, ZD_DS_QRY_STUDENT_FINANCE
        • Business Role:  ZZ SR NSC Reporting
        • Query Dependency Role(s): ZD_DS_QRY_SR_SSN_HIGHSENS, ZD_DS_QRY_STUDENT_RECORDS
        • HUMAN CAPITAL MANAGEMENT
        • Business Role:  ZD Benefits Reporting
        • Payroll for North America > CTC Custom > CTC Reports > Employee Tracking  Benefits
        • Payroll for North America > CTC Custom > CTC Reports > TIAA-CREF Over 6 Pct
        • Query Dependency Role(s): ZD_DS_QRY_BENEFITS
        • Business Role:  ZD TL Admin View Time
        • Payroll for North America > CTC Custom > CTC Reports > Hourly Earnings  Barg
        • Query Dependency Role(s): ZD_DS_QRY_TIMELABOR
        • Business Role:  ZZ Payroll Payment Processing
        • Query Dependency Role(s):
        • ZD_DS_QRY_PAYROLL
        • ZD_DS_QRY_PAY_BANK_HIGH_SENS
        • ZD_DS_QRY_PAY_GARN_HIGH_SENS
        • ZD_DS_QRY_PAY_NETPAY_HIGH_SENS
        • ZD_DS_QRY_PAY_SSN_HIGH_SENS
        • ZD_DS_QRY_PAY_VISA_HIGH_SENS
        • Business Role:  ZZ Recruiter
        • Query Dependency Role(s): ZD_DS_QRY_TALENT_MGNT
        • Depending on approval to Highly Sensitive data, these query roles may also need to be assigned:
        • ZD_DS_QRY_TAL_MGMT_SSN_HI_SENS
        • ZD_DS_QRY_TAL_MGMT_VISA_HISENS
        • ZD_DS_QRY_TAL_MGT_ACCOM_HISENS
        • Business Role:  ZZ SS Payroll
        • Query Dependency Role(s):  ZD_DS_QRY_HRCORE
        • Depending on approval to Highly Sensitive data, these query roles may also need to be assigned:
        • ZD_DS_QRY_HRCORE_DR_LI_HI_SENS
        • ZD_DS_QRY_HRCORE_SSN_HI_SENS
        • ZD_DS_QRY_HRCORE_BANK_HI_SENS
        • ZD_DS_QRY_HRCORE_CRCRD_HI_SENS
        • ZD_DS_QRY_HRCORE_ACCOM_HI_SENS
        • ZD_DS_QRY_HRCORE_VISA_HI_SENS
        • FINANCE
        • Business Role:  ZZ Accounts Payable Reports
        • Query Dependency Role(s): ZD_DS_QRY_ACCTPAY, ZD_DS_QRY_BANKING_HIGHSENS
        • All users granted Query module access, also have ZD_DS_QUERY_VIEWER role.
        • All users granted a Highly Sensitive Data role, also have the associated Query module role.
  • Webex Recording

College Agenda Items

  1. From Yakima Valley 3/31/2022
    1. We have staff that support faculty. Is there a way that we can give the support staff view-only access to what the faculty they support see? For example, their classes, student rosters, and the students they advise? This is a request we are receiving from faculty. More details: We have a group of “super users” that will be assisting faculty. These super users are not faculty members; they are support staff (classified and exempt professional staff) that will be tasked with assisting with faculty workshop training as well as providing guidance to faculty when they need assistance. They are part of our faculty training network. So, for Security Access, we want these individuals to have view access to the Faculty Center and the Advisor Center so they can assist the faculty members that they support. For example, we want Kelley DiBenedetto (Secretary Senior for Arts & Sciences) to be able to assist BIOL faculty... how to find their class roster, how to find their advisees, etc. So, can we provide non-faculty with the faculty center and the advising center in Security?
      1. SBCTC Response: Please refer to the 37:32 mark on the recording for a visual display.
4/18/2022
4/27/2022 - Alternate Meeting
DG6A DEADLINE 1/7/2022 Notify Team of All Employees Workbook Download Readiness

Notify Jarman Singh ([email protected]), Kelly Barton ([email protected]), Alexa Mercado-Curtis ([email protected]) and Tara Keen ([email protected]) via email that the workbook is ready to download.  If not notified, will be downloaded at 4am-5am Monday 1/10/22.

*DG6 Groups B & C Deadline changed to 2/4/2022.

DG6B DEADLINE 2/4/2022 Notify Team of All Employees Workbook Download Readiness

Notify Jarman Singh ([email protected]), Kelly Barton ([email protected]), Alexa Mercado-Curtis ([email protected]) and Tara Keen ([email protected]) via email that the workbook is ready to download.  If not notified, will be downloaded at 4am-5am Monday 2/7/22.

*DG6 Groups B & C Deadline changed to 2/4/2022.

DG6C DEADLINE 3/1/2022 Notify Team of All Employees Workbook Download Readiness

Notify Jarman Singh ([email protected]), Kelly Barton ([email protected]), Alexa Mercado-Curtis ([email protected]) and Tara Keen ([email protected]) via email that the workbook is ready to download.  If not notified, will be downloaded at 4am-5am Monday 1/10/22.

*DG6 Groups B & C Deadline changed to 2/4/2022.

DEADLINE 2/7/2022: Submit Final Local Security Support Plans

Notify Bill Ramirez ([email protected]) and Tara Keen ([email protected]) via email to submit plans and all additional materials.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.