Local Security Management Overview

Purpose: This guide provides an overview of basic security concepts, with links to all available reference materials, to help a new Local Security Administrator learn how to manage security for their college.

Audience: Local Security Administrators (LSAs)

Basic Concepts in PeopleSoft Security

PeopleSoft Security is made up of many nested layers: a User Profile contains Roles, which in turn contain access rights defined in Permission Lists. The visual below shows how those nested layers

Once a User Profile exists, other 'additional' security layers are added in Campus Solutions (CS), Human Capital Manager (HCM) and Finance (FIN or FSCM), depending on the access the individual user needs:

In HCM - There is a unique Row Level permission list for Time Administrators.

In CS - There is SACR Security, which allows specific access to certain codes or functionality in CS.

In FIN (FSCM) - There are User Preference Definitions, which control default values, limit functions and define the Business Unit a user has access to, and Route Control Profiles, which denote, for each approval role, the Business Unit that the role is limited to approving for.

How User Profiles Are Created

Every person in the ctcLink System should only have one security profile, regardless of whether they are a student, employee or both, no matter how many colleges they are affiliated with.  One User Profile.  

STUDENTS

If they first start off as a student, they will get that User Profile created with a standard set of student roles from the Campus Solutions (CS) User Profile template CTC_STUDENT_TEMPLATE, which will assign the following security roles to a student user ONLY IF they are not already an employee:

  • ZZ PeopleSoft User - Basic access to general PeopleSoft functions granted to all ctcLink users, except former employees with no other access needs.
  • ZZ SS Student - Grants access via a link in Portal (Gateway) to Student Self Service.
  • IP_ADMISSIONS_USER - Online Admissions User.
  • EOPP_USER - Common Portal User that grants Portal Access.
  • PAPP_USER - Enterprise Portal User that grants Portal Access.

Student User Profiles only live in the CS Pillar and Portal (Gateway). Student bio/demo data also lives only in the CS pillar and does not synchronize to the HCM pillar unless action is taken to make that student an employee.

EMPLOYEES

If they first start off as an employee, they will get the User Profile created with a standard set of employee roles, from the HCM User Profile template: CTC_PS_USER_TEMPLATE, which will assign the following security roles to a user:

  • ZZ PeopleSoft User - Basic access to general PeopleSoft functions granted to all ctcLink users, except former employees with no other access needs.
  • CTC_UN_HCM - Triggers the HCM link in Portal. The UN stands for Unified Navigation in HCM.
  • EOPP_USER - Common Portal User that grants Portal Access.
  • PAPP_USER - Enterprise Portal User that grants Portal Access.
  • NA Payroll WH Form User - A delivered PeopleSoft HCM role that enables access to update-capable PDF tax forms.
  • ZZ_EMPLOYEE - Grants access to the HCM Self Service and Finance Self Service links in Portal (Gateway).

The existence of an "Active" Job Record will trigger the process to automatically create a User Profile in HCM only if one does not exist.  If the employee worked somewhere else in the ctcLink system, they will already have a User Profile.  The LSA will need to edit that existing profile to meet the security needs for their college.

FORMER STUDENT, NOW EMPLOYEE

If they once were a student, and then become an employee, the Local Security Administrator will wait for the HR person to add that person's bio/demo data to HCM and add an employment instance in HCM.  This will trigger the creation of the User Profile in HCM.

SYNCHRONIZING OF USER PROFILES FOR EMPLOYEES

When a User Profile is created for an employee in HCM, it will synchronize to Portal (Gateway), Finance and Campus Solutions (if a User Profile doesn't already exist). Roles applied in HCM that also exist in other pillars will also synchronize to those other pillars.

The automatic creation of a User Profile is NOT the end of what is needed for security.  The LSA must NOW do their part in EACH pillar; this guide will walk a new LSA through each step in that process.

Colleges will NEED to have a defined process that directs how an employee is granted role and access approval from their manager.  That manager will then communicate those access needs to the LSA.  The LSA will perform the entry tasks to get security applied for the user.  LSAs will require the following roles to be able to perform their duties.

Local Security Admin Roles:

  • ZZ Local Security Admin - Grants access to the Distribute User Profile (add/update to college grantable roles) and the User Profile (display only all roles) and any additional security pages in CS or FIN (FSCM) pillar.
  • ZD_DS_QUERY_VIEWER - Grants access to run queries they have access to in Query Viewer.
  • ZD_DS_QRY_SECURITY_TABLES - Grants access to the tables (records) that pertain to security.

Role Approver Roles (optional):

  • ZD Local Security Admin - Grants DISPLAY ONLY access to the Distribute User Profile (add/update to college grantable roles) and the User Profile (display only all roles) and any additional security pages in CS or FIN (FSCM) pillar.
  • ZD_DS_QUERY_VIEWER - Grants access to run queries they have access to in Query Viewer.
  • ZD_DS_QRY_SECURITY_TABLES - Grants access to the tables (records) that pertain to security.

Recording demonstrating Basic Concepts in PeopleSoft Security and How User Profiles are Created (as listed above):

Intro to Security Training

On-Boarding an Employee

The first step in getting an employee into the ctcLink system is performed by the HR office (information provided below for reference).  Once they do their job, the dynamic process will run (every 3 hours from 7am to 7pm) and then the LSA can do their job, which is everything else a user will need to get into ctcLink.

Adding a Person Record into HCM [HR Staff]

Before adding a person record into the HCM pillar, first check to see if the person already exists in the system.  The person may have already worked for another college on ctcLink, or may have been a student at a college within the ctcLink system.  

9.2 Adding a Person

9.2 Modifying a Person

9.2 Add a New Employee Person Record and Job Instance

Adding a NEW Employment Instance in HCM [HR Staff]

Before adding an employment instance, the employee must have a person record in HCM.  Keep in mind, they might have a person record in the CS Pillar, but CS Bio/Demo data does not synchronize to HCM and must be added to the HCM system before the employment instance can be attached to the employee's person record.  

You can determine if they already have a student record in CS by navigating to: navbar > navigator > Campus Community > Person Information > Add/Update a Person, searching by name and comparing the Date of Birth and address information; note the EMPLID.

You can then double check they are the intended person by navigating to: navbar > navigator > Campus Community > Person Information > Identification > External System ID and entering the EMPLID noted.  

NOTE: This will display the user's Employee SID, but be warned it also has the possibility of showing the user's clear text social security number, which is why access to this page is restricted to a specific security role: ZZ CC External System ID.

9.2 Add a New Employee Person Record and Job Instance

9.2 Add an Employment Instance (training video)

IF BRAND NEW ctcLink Person - Dynamic Process runs every 3 hours from 7am to 7pm to build a NEW HCM User Profile, which will sync to all pillars and portal.

Note: This process ALSO adds the ZZ HCM Manager role dynamically for any manager and ZZ Hiring Manager for TAM colleges.  It does NOT add the ZZ Expenses Approval and ZZ Delegation roles needed for managers in the Finance pillar. Those roles must be added by the LSA.

Local Security Admin Responsibilities

While the steps above are completed by HR Staff, all the steps below must be done by a user with Local Security Administrator (LSA) access (ZZ Local Security Admin).

Adding a User Profile in HCM

The user profile will be automatically generated once a Job Data record exists.  Keep in mind that if the employee already had a job from a prior college on ctcLink, that employee will already have an existing user profile and you will need to review it to ensure it has the appropriate security roles.

The dynamic process that runs to create a NEW User Profile will also update any existing User Profiles with a CTC_xxx_DISTR security role when a person has an active job at a college.

Note: If the user is a Payable Time processor, they will require the TL Super User row level security of CTC_xxx_TL_SUPERUSER (where xxx = Company Code).

Updating General Tab on User Profiles in HCM

On the HCM User Profile, the General Tab contains fields that the LSA will need to update:

  • Symbolic ID: Must be set to SYSADM1
  • Primary: Must be set to CTC_PT_WAxxx_ALL (where xxx = Company Code)
  • Row Security: Must be set to CTC_PT_WAxxx_ALL (where xxx = Company Code)
  • Process Profiles: Must be set to CTC_PT_PRCSPRFL_STAFF (to grant ability to launch processes, including scheduled queries)

 

Updating General Tab on User Profiles in FSCM

On the FSCM User Profile, the General Tab contains fields that the LSA will need to update:

  • Symbolic ID: Must be set to SYSADM1
  • Primary: Must be set to CTC_PT_WAxxx_ACCESS (where xxx = Company Code)
  • Row Security: Must be set to CTC_PT_WAxxx_ACCESS (where xxx = Company Code)
  • Process Profiles: Must be set to CTC_PT_PRCSPRFL_STAFF (to grant ability to launch processes, including scheduled queries)

Updating User Preference Definitions in FSCM

All employees will need their Overall User Preferences set regardless of what they do at the campus.  This must be done AFTER the User Profile, General Tab is updated to point their Primary/Row permissions to your institutions.

Keep in mind, employees who work at more than one college might NOT have their Overall User Preferences pointing to your institution if their Primary job is at the other college.

9.2 Setting Overall User Preference

FSCM Security: User Preference Definition in Finance

Updating General Tab on User Profiles in CS

On the CS User Profile, the General Tab contains fields that the LSA will need to update:

  • Symbolic ID: Must be set to SYSADM1
  • Primary: Must be set to CTC_PT_MASK_xxx (where xxx = masking choice - read below)
  • Row Security: Must be set to CTC_PT_MASK_xxx (where xxx = masking choice - read below)
  • Process Profiles: Regular CS Staff - Set to CTC_PT_PRCSPRFL_STAFF (to grant ability to launch processes, including scheduled queries)
  • Process Profiles: Full/Part Time Faculty - Set to CTC_PT_PRCSPRFL_FACULTY (to grant ability to launch processes without allowing daily/weekly recurrence)

Masking Values: (If missing, no search return values will appear. Does not control college data access managed via SACR)

  • CTC_PT_MASK_ALL (default) = Mask Social Security Number and Mask Date of Birth
  • CTC_PT_MASK_SSN = Mask Social Security Number and Unmasked Date of Birth
  • CTC_PT_MASK_NONE = Mask Social Security Number and Unmasked Date of Birth
  • CTC_PT_MASK_PARTIAL = Mask Social Security Number and Partial Masking of the Date of Birth
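
One way to check the General tab settings listed above for HCM, FSCM and CS in one pass, as an added example that is not ctcLink code or part of the original guide. It assumes profile rows exported as dictionaries with hypothetical keys (pillar, symbolic_id, primary, row_security, process_profile, faculty) and uses made-up Company Codes 123 and 456.

```python
# Added example, not ctcLink code. Row keys are hypothetical export columns.
STAFF = "CTC_PT_PRCSPRFL_STAFF"
FACULTY = "CTC_PT_PRCSPRFL_FACULTY"
CS_MASKS = {"CTC_PT_MASK_ALL", "CTC_PT_MASK_SSN",
            "CTC_PT_MASK_NONE", "CTC_PT_MASK_PARTIAL"}
WA_SUFFIX = {"HCM": "ALL", "FSCM": "ACCESS"}  # CTC_PT_WAxxx_<suffix>

def audit_general_tab(row, company_code):
    """Return findings for one User Profile row; an empty list means compliant."""
    findings = []
    if row["symbolic_id"] != "SYSADM1":
        findings.append("symbolic_id: must be SYSADM1")
    if row["pillar"] in WA_SUFFIX:
        expected = f"CTC_PT_WA{company_code}_{WA_SUFFIX[row['pillar']]}"
        for field in ("primary", "row_security"):
            if row[field] != expected:
                findings.append(f"{field}: expected {expected}, found {row[field]}")
        profile = STAFF
    elif row["pillar"] == "CS":
        for field in ("primary", "row_security"):
            if row[field] not in CS_MASKS:  # not one of the four masking values
                findings.append(f"{field}: {row[field]!r} is not a masking value")
        profile = FACULTY if row.get("faculty") else STAFF
    else:
        return [f"pillar: unknown value {row['pillar']!r}"]
    if row["process_profile"] != profile:
        findings.append(f"process_profile: expected {profile}")
    return findings

# Constructed sample rows for a college with the made-up Company Code 123.
SAMPLE_ROWS = [
    {"user": "u1", "pillar": "HCM", "symbolic_id": "SYSADM1",
     "primary": "CTC_PT_WA123_ALL", "row_security": "CTC_PT_WA123_ALL",
     "process_profile": STAFF},
    # FSCM profile still pointing at another (made-up) college, 456.
    {"user": "u2", "pillar": "FSCM", "symbolic_id": "SYSADM1",
     "primary": "CTC_PT_WA456_ACCESS", "row_security": "CTC_PT_WA456_ACCESS",
     "process_profile": STAFF},
    # CS faculty: blank Symbolic ID, mistyped Row Security, staff profile.
    {"user": "u3", "pillar": "CS", "symbolic_id": "",
     "primary": "CTC_PT_MASK_ALL", "row_security": "CTC_PT__MASK_ALL",
     "process_profile": STAFF, "faculty": True},
]

def audit_all(rows, company_code):
    """Map each user to its findings, keeping only users with problems."""
    report = {r["user"]: audit_general_tab(r, company_code) for r in rows}
    return {user: found for user, found in report.items() if found}

if __name__ == "__main__":
    for user, found in audit_all(SAMPLE_ROWS, "123").items():
        print(user, found)
```

A finding on a profile that points at another college is a prompt to review, since an employee who works at more than one college may legitimately have their Primary job elsewhere.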

Adding SACR Security

If the newly hired employee will need to work in the CS Pillar they must have Basic SACR Security to enable their access to your college's data.  This is managed via SACR security, rather than through Primary and Row Level permissions on the User Profile, as is done in HCM and FSCM.

CS 9.2 SACR Security: Basic Requirements for Staff

In addition to Basic SACR Security, staff that have been granted specific page access will likely also require SACR Security relative to the specific page access:

CS 9.2 SACR Security - Academic Program Security

CS 9.2 SACR Security: Program Action Security

CS 9.2 SACR Security - Service Indicator Security

CS 9.2 - SACR Security: Milestone Security

CS 9.2 - SACR Security: Test ID Security

CS 9.2 - SACR Security: Enrollment Security

CS 9.2 SACR Security - Population Update Security

SACR- 3Cs Group Security (Financial Aid)

In addition to the SACR Security needed in the Student Administration area, anyone who works with Student Financials data may also require SACR Security for Student Financials.  This applies to Cashiers, Finance staff working in SF, and Financial Aid staff reviewing student account data.

CS 9.2 - SACR Security: Student Financials

In some cases the entry time for adding SACR Security can be burdensome.  Areas such as Service Indicators, Student Groups and Population Update can have many values.  In those cases it may be more efficient to find a user who already has the exact or close to the same access for that area.  You can then choose to simply copy their security to the new person and edit it from there.  

Always be mindful of staff working at more than one college as they are not a good candidate to use as the source to copy from.

Assigning SACR Security Using User Replacement Security

This can be done by an LSA with ZZ CC External System ID or ZC CC External System ID role access, or by the ctcLink Project via an OTM Ticket Request.

External System ID - Cross-Walking Legacy SID to PeopleSoft EMPLID

After a new hire has been added to an environment and their security has been established, the project team will need to add an External System ID record for that employee.  If the employee was previously employed at another institution, their new employment relationship to the onboarding college must be added to the Solution Validation Environment (SVL).  This ensures that Security User Profiles and all additional security are mapped to the legacy SID, and that any temporary EMPLIDs used in that environment to store that security can be mapped to the newly created permanent EMPLID at Go Live.

Keep in mind this page and table store clear text SSN so access should not be broadly granted to view this information at a college.

Must be done by a user with Local Security Administrator (LSA) access (ZZ Local Security Admin).

Adding Roles in HCM

Regarding Returning Employees

The Local Security Administrator must add the ZZ PeopleSoft User role manually if the person is not new to the system, but is returning as an employee.  

When a brand new user profile is created in ctcLink, by default the employee will have the base roles assigned, including the ZZ PeopleSoft User role.

If the employee already existed in the system and then left, the ZZ PeopleSoft User role would have been removed as part of Offboarding.  When the employee returns to active employment, the role will need to be manually assigned by the Local Security Administrator.

Adding Roles in FSCM

Reference Materials for choosing what roles might need to be added in FSCM are available at the links below:

Pillar Security Matrix Mapping by Module – Finance (DG4)

Session 4: Understanding Finance Additional Security (DG4)

9/13/21: Security Support on Finance and User Preference Definition & Grants Security (DG6)

9/27/21 - Revision Security on Finance and User Preference Definition & Grants Security (DG6)

FSCM Pillar - Roles with Route Control Profiles:

Keep in mind each role that is associated with Automated Workflow (AWE) will require a Route Control Profile specifying the college Business Unit to be added on the Roles tab of the User Profile in the same row as the AWE relevant role (see screen shot below).

Roles that require this entry that are visible to DG6 colleges are outlined below:

ZZ CC Budget Approval
ZZ GL Journal Approval
ZZ GL Jrnl Accountnt Approval [Seattle District Only]
ZZ Purchasing Approval
ZZ Requisition Approval
ZZ Treasury Approvals
ZZ Voucher Approval
ZZ_AWE_ADMIN_xxx (where xxx = Company Code)
ZZ_AWE_BI_APPR_xxx [Seattle District Only]
ZZ_AW_ALL_PROJECT_APPROVER [Tacoma District Only]
ZZ_AW_AMT_HDR_LEVEL_x (1 or 2)
ZZ_AW_AMT_LEVEL (1,2 or 3)
ZZ_AW_AP_REVIEW
ZZ_AW_BI_INV
ZZ_AW_BUDGT_JRNL_APPROVER (State Board Staff Only)
ZZ_AW_COMMODITY_xxx (xxx = Various Role Names)
ZZ_AW_EXEC_LEVEL_xx (numbered value)
ZZ_AW_GL_ACCOUNTANT
ZZ_AW_GL_ACCT_SUPERVISOR

These roles exist in the system and are tied to global approval workflow lists. Once all colleges are live, they will be transitioned from the CTC version of the security role to the equivalent ZZ_AW version of the role:

CTC_AW_COMMODITY_AV
CTC_AW_COMMODITY_FACILITIES
CTC_AW_COMMODITY_IT
CTC_AW_COMMODITY_BRANDING
CTC_AW_COMMODITY_SAFETY
CTC_AW_COMMODITY_TELECOM

Note: ZZ Expenses Approval does not require a Route Control Profile

Note: ZZ_AW_BUYER, ZZ_AW_AP_MANAGER and ZZ_AW_AP_SPECIALIST exist and will be associated with approval workflow lists once all colleges are live, but are not currently in use.
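
A role-level review covering three points from this guide: workflow roles in FSCM that lack a Route Control Profile, returning employees without ZZ PeopleSoft User, and managers still missing ZZ Expenses Approval or ZZ Delegation in Finance. This is an added example, not ctcLink code; the (user, pillar, role, route_control) row layout, the wildcard matching of role names, the sample users and the profile name are all assumptions.

```python
# Added example, not ctcLink code; the row layout is a hypothetical export.
from fnmatch import fnmatchcase

# Roles listed above as needing a Route Control Profile. "*" replaces the
# xxx / x / numbered parts of a name (wildcard matching is an assumption).
AWE_ROLES = [
    "ZZ CC Budget Approval", "ZZ GL Journal Approval",
    "ZZ GL Jrnl Accountnt Approval", "ZZ Purchasing Approval",
    "ZZ Requisition Approval", "ZZ Treasury Approvals", "ZZ Voucher Approval",
    "ZZ_AWE_ADMIN_*", "ZZ_AWE_BI_APPR_*", "ZZ_AW_ALL_PROJECT_APPROVER",
    "ZZ_AW_AMT_HDR_LEVEL_*", "ZZ_AW_AMT_LEVEL*", "ZZ_AW_AP_REVIEW",
    "ZZ_AW_BI_INV", "ZZ_AW_BUDGT_JRNL_APPROVER", "ZZ_AW_COMMODITY_*",
    "ZZ_AW_EXEC_LEVEL_*", "ZZ_AW_GL_ACCOUNTANT", "ZZ_AW_GL_ACCT_SUPERVISOR",
]
MANAGER_FIN_ROLES = {"ZZ Expenses Approval", "ZZ Delegation"}

def needs_route_control(role):
    """True when the role is on the workflow list and so needs a profile."""
    return any(fnmatchcase(role, pattern) for pattern in AWE_ROLES)

def audit_roles(rows):
    """rows: (user, pillar, role, route_control). Returns sorted (user, finding)."""
    findings, held = set(), {}
    for user, pillar, role, route_control in rows:
        held.setdefault((user, pillar), set()).add(role)
        if pillar == "FSCM" and needs_route_control(role) and not route_control:
            findings.add((user, f"{role}: no Route Control Profile on this row"))
    for (user, pillar), roles in held.items():
        if pillar != "HCM":
            continue
        if "ZZ PeopleSoft User" not in roles:  # removed at offboarding
            findings.add((user, "ZZ PeopleSoft User: missing, add manually"))
        if "ZZ HCM Manager" in roles:  # Finance roles are not added dynamically
            for role in MANAGER_FIN_ROLES - held.get((user, "FSCM"), set()):
                findings.add((user, f"{role}: manager role not yet in FSCM"))
    return sorted(findings)

# Constructed rows for active employees; the profile name is a placeholder.
SAMPLE_ROWS = [
    ("alice", "HCM", "ZZ PeopleSoft User", ""),
    ("alice", "HCM", "ZZ HCM Manager", ""),
    ("alice", "FSCM", "ZZ Expenses Approval", ""),  # needs no Route Control Profile
    ("alice", "FSCM", "ZZ Voucher Approval", ""),   # workflow role, profile missing
    ("bob", "HCM", "ZZ_EMPLOYEE", ""),              # returning employee
    ("bob", "FSCM", "ZZ_AW_AMT_HDR_LEVEL_1", "ROUTE_CONTROL_PLACEHOLDER"),
]

if __name__ == "__main__":
    for user, finding in audit_roles(SAMPLE_ROWS):
        print(user, "-", finding)
```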

Query Security

Query security stands separate from page access security.  Below is a link to some background information on Query Access Groups and Companion Roles.

There are many, many queries available to assist LSAs in managing security data.  Three queries will be the most commonly used to manage security on a regular basis:

Understanding ctcLink PeopleSoft Query Security
