The first step in getting an employee into the ctcLink system is performed by the HR office (information provided below for reference).  Once they do their job, the dynamic process will run (every 3 hours from 7am to 7pm) and then the LSA can do their job, which is everything else a user will need to get into ctcLink.

The user profile will be automatically generated once a Job Data record exists.  Keep in mind that if the employee already had a job from a prior college on ctcLink, that employee will already have an existing user profile and you will need to review it to ensure it has the appropriate security roles.

The dynamic process that runs to create a NEW User Profile will also update any existing User Profiles with a CTC_xxx_DISTR security role when a person has an active job at a college.

Note: If the user is a Payable Time processor, they will require the TL Super User row level security of CTC_xxx_TL_SUPERUSER (where xxx = Company Code).

On the HCM User Profile, the General Tab contains fields that the LSA will need to update:

• Symbolic ID: Must be set to SYSADM1
• Primary: Must be set to CTC_PT_WAxxx_ALL (where xxx = Company Code)
• Row Security: Must be set to CTC_PT_WAxxx_ALL (where xxx = Company Code)
• Process Profiles: Must be set to CTC_PT_PRCSPRFL_STAFF (to grant ability to launch processes, including scheduled queries)

On the FSCM User Profile, the General Tab contains fields that the LSA will need to update:

• Symbolic ID: Must be set to SYSADM1
• Primary: Must be set to CTC_PT_WAxxx_ACCESS (where xxx = Company Code)
• Row Security: Must be set to CTC_PT_WAxxx_ACCESS (where xxx = Company Code)
• Process Profiles: Must be set to CTC_PT_PRCSPRFL_STAFF (to grant ability to launch processes, including scheduled queries)

All employees will need their Overall User Preferences set regardless of what they do at the campus.  This must be done AFTER the User Profile, General Tab is updated to point their Primary/Row permissions to your institutions.

Keep in mind, employees who work at more than one college might NOT have their Overall User Preferences pointing to your institution if their Primary job is at the other college.

9.2 Setting Overall User Preference

FSCM Security: User Preference Definition in Finance

On the CS User Profile, the General Tab contains fields that the LSA will need to update:

• Symbolic ID: Must be set to SYSADM1
• Primary: Must be set to CTC_PT_MASK_xxx (where xxx = masking choice - read below)
• Row Security: Must be set to CTC_PT__MASK_xxx (where xxx = masking choice - read below)
• Process Profiles: Regular CS Staff - Set to CTC_PT_PRCSPRFL_STAFF (to grant ability to launch processes, including scheduled queries)
• Process Profiles: Full/Part Time Faculty - Set to CTC_PT_PRCSPRFL_FACULTY (to grant ability to launch processes without allowing daily/weekly recurrence)

Masking Values: (If missing, no search return values will appear. Does not control college data access managed via SACR)

• CTC_PT_MASK_ALL  (default) = Mask Social Security Number and Mask Date of Birth
• CTC_PT_MASK_SSN = Mask Social Security Number and Unmasked Date of Birth
• CTC_PT_MASK_NONE = Mask Social Security Number and Unmasked Date of Birth
• CTC_PT_MASK_PARTIAL = Mask Social Security Number and Partial Masking of the Date of Birth

If the newly hired employee will need to work in the CS Pillar they must have Basic SACR Security to enable their access to your college's data.  This is managed via SACR security, rather than through Primary and Row Level permissions on the User Profile, as is done in HCM and FSCM.

CS 9.2 SACR Security: Basic Requirements for Staff

In addition to Basic SACR Security, staff that have been granted specific page access will likely also require SACR Security relative to the specific page access:

CS 9.2 SACR Security - Academic Program Security

CS 9.2 SACR Security: Program Action Security

CS 9.2 SACR Security - Service Indicator Security

CS 9.2 - SACR Security: Milestone Security

CS 9.2 - SACR Security: Test ID Security

CS 9.2 - SACR Security: Enrollment Security

CS 9.2 SACR Security - Population Update Security

SACR- 3Cs Group Security (Financial Aid)

In addition to various additional SACR Security needed in the Student Administration area, if someone works with Student Financials data they may also require SACR Security for Student Financials.  This applies to Cashiers, Finance staff working in SF, Financial Aid staff reviewing student account data.

CS 9.2 - SACR Security: Student Financials

In some cases the entry time for adding SACR Security can be burdensome.  Areas such as Service Indicators, Student Groups and Population Update can have many values.  In those cases it may be more efficient to find a user who already has the exact or close to the same access for that area.  You can then choose to simply copy their security to the new person and edit it from there.  

Always be mindful of staff working at more than one college as they are not a good candidate to use as the source to copy from.

Assigning SACR Security Using User Replacement Security

Reference Materials for choosing what roles might need to be added in HCM are available at the links below:

Pillar Security Matrix Mapping by Module – Human Capital Management (DG4)

6/17/21: Security Support on Human Capital Management (DG5)

9/20/21: Security Support on Human Capital Management (DG6)

Reference Materials for choosing what roles might need to be added in FSCM are available at the links below:

Pillar Security Matrix Mapping by Module – Finance (DG4)

Session 4: Understanding Finance Additional Security (DG4)

9/13/21: Security Support on Finance and User Preference Definition & Grants Security (DG6)

9/27/21 - Revision Security  on Finance and User Preference Definition & Grants Security (DG6)

FSCM Pillar - Roles with Route Control Profiles:

Keep in mind each role that is associated with Automated Workflow (AWE) will require a Route Control Profile specifying the college Business Unit to be added on the Roles tab of the User Profile in the same row as the AWE relevant role (see screen shot below).

Roles that require this entry that are visible to DG6 colleges are outlined below:

ZZ CC Budget Approval
ZZ GL Journal Approval
ZZ GL Jrnl Accountnt Approval [Seattle District Only]
ZZ Purchasing Approval
ZZ Requisition Approval
ZZ Treasury Approvals
ZZ Voucher Approval
ZZ_AWE_ADMIN_xxx (where xxx = Company Code)
ZZ_AWE_BI_APPR_xxx [Seattle District Only]
ZZ_AW_ALL_PROJECT_APPROVER [Tacoma District Only]
ZZ_AW_AMT_HDR_LEVEL_x (1 or 2)
ZZ_AW_AMT_LEVEL (1,2 or 3)
ZZ_AW_AP_REVIEW
ZZ_AW_BI_INV
ZZ_AW_BUDGT_JRNL_APPROVER - (State Board Staff Only)
ZZ_AW_COMMODITY_xxx (xxx = Various Role Names)
ZZ_AW_EXEC_LEVEL_xx (numbered value)
ZZ_AW_GL_ACCOUNTANT
ZZ_AW_GL_ACCT_SUPERVISOR

These roles are existing in the system and tied to a global approval workflow lists that will be transitioned once all colleges are live from the CTC version of the security role to the equivalent ZZ_AW version of the role:

CTC_AW_COMMODITY_AV
CTC_AW_COMMODITY_FACILITIES
CTC_AW_COMMODITY_IT
CTC_AW_COMMODITY_BRANDING
CTC_AW_COMMODITY_SAFETY
CTC_AW_COMMODITY_TELECOM

Note: ZZ Expenses Approval does not require a Route Control Profile

Note: ZZ_AW_BUYER, ZZ_AW_AP_MANAGER and ZZ_AW_AP_SPECIALIST exist and will be associated with a approval workflow lists once all colleges are live, but at not currently in use today.

Reference Materials for choosing what roles might need to be added in CS are available at the links below:

Pillar Security Matrix Mapping by Module – Core Campus Solutions (DG4)

Pillar Security Matrix Mapping by Module – Financial Aid Campus Solutions (DG4)

Pillar Security Matrix Mapping by Module – Student Financials Campus Solutions (DG4)

Session 5: Understanding CS Additional Security (DG4)

8/9/21: Security Support on Faculty/Advisors + Review CS Roles + Basic SACR Security (DG6)

8/16/21:  Security Support on SF/FA Roles + SF/FA Relevant SACR Security (DG6)

9/8/21: Security Support on SACR Security in CS, Local Security Management Discussion Follow-Up (DG6)

Refer to QRG Okta - Multi-Factor Authentication for How to Login with Multi-Factor Authentication and How to set up your Multi-Factor Recovery Options.

To enable Multi-Factor Authentication for an Employee, the local security administrator must add the role ZZ_OKTA_MFA to the distributed user profile for the Employee in HCM. This role will then sync to Portal and enable Multi-Factor Authentication for the employee. If the person is a student, then the role needs to be added to the distributed user profile in Campus Solutions, so that it will sync to portal for the student. This access sync’s to portal real time.

If a user no longer needs to have Multi-Factor Authentication enabled, the local security administrator would remove the ZZ_OKTA_MFA role from HCM and/or Campus Solutions. This procedure removes it from Portal and removes the MFA Requirement.

It is recommended that users set up more than one recovery method. If the user forgets their Multi-Factor Authentication credentials/access, follow the same procedures as if the user forgets their password.

It is up to each campus to define the set of users that they want to enable MFA for.

Query security stands separate from page access security.  Below is a link to some background information on Query Access Groups and Companion Roles.

There are many, many queries available to assist LSAs in managing security data.  There are 3 that will be most commonly used Queries to manage security on a regular basis:

Understanding ctcLink PeopleSoft Query Security

Qxx_SEC_USER_ROLES_BY_UNIT (QCS in CS, QHC in HCM, QFS in FSCM)

- Allows LSAs to dump down all roles assigned to staff with active jobs at your college.

Qxx_DS_QUERY_RECORD_USER_RPT  (QCS in CS, QHC in HCM, QFS in FSCM)

- Allows LSAs to compare a Query to a User to see what roles might be missing.

Qxx_SEC_ROLE_NAVIGATION_ACCESS - (QCS in CS, QHC in HCM, QFS in FSCM)

- List of menu navigation paths and the security roles that grant  access to a page.  Also gives insight into what ELSE that role grants  access to.  Might be helpful to download all navigation  and "Z" roles  and distribute to your approvers.

SIDE NOTE: If sending a complete dump of all  navigation and roles, it is recommended to remove all roles that LSAs at  a college cannot grant before distributing to role approvers so they do  not get confused.

QCS_SEC_SACR_BASE_SECURITY_DTL

- Allows LSAs to view SACR Security Baisc + Program, Plan, Transcript Type, Student Financials

Basic Steps to Follow for Query Security:

1. Queries that start with CTC can be in any pillar. You may need clarification from the user about which pillar the query is in
2. Queries that start with QCS are in the CS pillar. Queries that start with QFS are in the FSCM pillar. Queries that start with QHC are in the HCM pillar.
3. Get the user's ID
4. In the pillar the query lives in, open one tab to the user's Distributed User Profile and the other to query viewer
5. Run QXX_SEC_QURY_RECORD_USR_RPT_BA, entering the User's ID and query(ies) the user needs access to into the prompts
6. If the query indicates that the user has access to all of the records used by the query(ies), ensure the user has the role ZD_DS_QUERY_VIEWER
7. If the query indicates the user does not have access to one or more records, review the list of roles that grant access to the record(s) the user is missing, and follow your internal query role approval process. Remember that granting access to a query role will nearly always grant access to queries other than the one the user needs, too, so be cautious about approving query role access!
8. If the query is in the CS pillar, the user may need additional SACR security to be able to run the query successfully. You can use QCS_DS_QUERY_RECORD_RPT. If any of the records are labels SCRTY, the query probably requires additional SACR.
9. Grant the approved roles on the Distributed User Profile

If a role name exists as an identical match in other pillars, the roles will sync across the pillars.  

For instance, if a college admin adds the ZD Local Security Admin role in HCM, it will sync across pillars and add that role to CS and FS automatically.  And if they delete the ZD Local Security Admin role from a user in HCM, it will remove it from the same user in FS and CS.  

Therefore local security admins will need to be mindful of which roles sync across pillars so that they can remove/add them in the other pillars as needed.  In the example above where they added the ZD Local Security Admin in HCM, they may need to now go to CS and FS and remove the role from the user if they don’t need it in those pillars.  

For changes made in HCM for these types of roles, it syncs to CS/FS and PT.  If the change is made in FS, then there is no sync.  And if the change is made in CS, it syncs only to PT.

College Grantable roles that are affected by the above, in addition to the ZZ/ZD Local Security Admin are:

• The college CTC_XXX_DISTR roles in HCM.  Changes made to this access in HCM, will sync to FS and PT as the DISTR roles do not exist in CS.
• The college CTC_XXX_CC roles in CS, changes to this will sync to Portal.
• ZZ PeopleSoft User
• EOPP_USER
• PAPP_USER
• ZD_DS_QUERY_VIEWER
• ZZ Former Employee role (is now dynamic so should be ok) but it syncs from HCM to FS/PT
• ZZ Navigation Bar Access role (exists in CS too, not FS)
• ZZ_EMPLOYEE (exists in FS/HCM/PT)
• ZZ_CS_STAFF (exists in CS/PT)
• ZZ SS Student/ ZZ SS Advisor/ZZ SS Faculty ( sync from CS to PT)
• ZC CC Personal Info Student (CS) syncs to portal
• ZD CC Personal Info Student (CS) syncs to portal
• ZZ CC Personal Info Student (CS) syncs to portal
• ZZ CC Pers Info NID Update (CS) syncs to portal

Note:  ZZ Local Security Admin role functions the same, it syncs from HCM to FS/CS/PT but this role is only grantable by SBCTC.  

QHC_SEC_ROLE_GRANT_DEFN_PILLAR and QCS_SEC_ROLE_GRANT_DEFN_PILLAR queries

These queries will show an LSA any role that will sync across pillars. This will allow the LSA to go back and check the other pillar areas to ensure the role is needed. For example if a person needs the ZD Local Security Admin in HCM but not FS/CS, and the LSA adds the role to the user in HCM, that role exists in the other two pillars and will sync across and get added to the user in FS/CS. If the role is not needed in FS/CS, the LSA will need to go manually remove it.