ctcLink Reference CenterResourcesPeopleSoft SecurityCS SecurityCS 9.2 Security - How to Read BCS_SEC_CERT

CS 9.2 Security - How to Read BCS_SEC_CERT

Purpose:  Facilitate security recertification

Audience: Local Security Administrators (LSAs) and Employee Supervisors

How to Read the BCS_SEC_CERT report

About the Output File

The output file will be one Microsoft Excel file per supervisor.  Each sheet represents a different employee’s access. If an employee has no access, they will not appear in the spreadsheet at all.

The last sheet in the file will always be empty.

Note that this report will NOT return all roles and access a person has. This report will only return access non-default access. If you need comprehensive information, you should run BCS_SEC_SACR instead.  Examples of excluded roles include ZZ SS Student and ZZ Employee.

Report Header

The report header includes basic information about the employee and supervisor.  It lists the institution, the supervisor, the employee’s name and ID, the last time the employee was paid, the employee’s business unit, and the employee’s classification.

Report Header image

The first table shows the user’s job and department, along with their Permission List settings on their Distributed User Profile.  ProcProfClass is the user’s Process Profile.  The OprClass and RowSecClass values are the Primary and Row Security values.  More information about Primary and Row Security values can be found in the Default Roles and Masking Options for All Admin Campus Solutions Users QRG.

First Table image
SACR Core Security

This table lists the user’s

  • Institution (Institution Security - QRG)
    • Institution security controls access to most of the student data available in Campus Solutions, including Advisor Center, Student Services Center, and most of the navigations under Student Records.
    • Institution security is “parent” to many other parts of SACR security.  Here’s a brief overview of the hierarchy, and what each branch does.
      • Institution
        • Acad Career (Institution/Career Security - QRG)
        • This branch controls access to what program\plan data a user can access for a student.
          • Acad Program (Academic Program Security - QRG)
            • Acad Plan (Academic Plan Security - QRG)
        • Institution Set
        • Set ID
        • Campus (Institution/Campus Security - QRG)
        • Tscrpt Type (Transcript Type Security)
          • This value controls functionality that isn’t currently leveraged in ctcLink
        • Tscrpt Report (Transcript Report Security)
          • The value(s) here control which  kind(s) of transcripts a user is allowed to produce under navigations that start with Main Menu>Records and Enrollment>Transcripts
          • This value is NOT required to run an unofficial transcript out of Advisor Center or Student Homepage
        • Adv Report (Advisement Report Security)
          • There are three values for this: ADV (Advisment), WIF (What-If), PLN (Planner). You can also select “ALL” to grant a user the ability to run all kinds of advisement reports.
        • Recruit Center (Recruiting Center Security)
          • The value(s) here control which Recruiting Centers a user can work with.  Most of the navigations affected by these values start with Main Menu>Student Recruiting
        • Appl Center (Application Center Security)
          • The value(s) here control which admissions applications a user can work with\view.  Most of the navigations affected by these values start with Main Menu>Student Admissions
        • Adm Action (Admissions Action Security  QRG)
          • The values here control what admissions actions a user can perform on a user’s admissions application.  Users who process admission applications usually need access to APPL, MATR, and WADM at a minimum.  Being intentional about the values assigned to a user here makes onboarding new processors easier, and helps ensure compliance with local business processes.  Most navigations affected by these values start with Main Menu>Student Admissions
        • Program Action (Program Action Security)
          • The values here control what actions a user can take on a student’s Program\Plan stack.  Most of the navigations affected by these values start with Main Menu>Records and Enrollment>Career and Program Information
        • Test ID (Test ID Security)
          • These values control what test scores a user can see in Advisor Center/Student Services Center, and also which values the user can see under
            • Main Menu>Student Admissions>External Test Score Processing


Main Menu>Student Recruiting>External Test Score Processing

Main Menu>Records and Enrollment>Transfer Credit Evaluation>Test Results

  • Grad Status (Graduation Status Security)
    • These values control what actions a user can take in the Graduation module.  These values are configured by each institution.  Most of the navigations affected by these values start with Main Menu>Records and Enrollment>Graduation
SACR Core Security image
SACR 3C Security

3C security is local to the institution.  Each object (checklist, comment, communication) created in the 3C module must be associated with a 3C group in order for users to be able to see and use it (i.e. assign it to students).  Most of the navigations affected by this security start with

  • Main Menu>Campus Community>3C Engine
  • Main Menu>Campus Community>Checklists
  • Main Menu>Campus Community>Comments
  • Main Menu>Campus Community>Communications


SACR 3 C Security image
SACR Academic Organization Security

Academic Organization Security is required for most navigations under Main Menu>Curriculum Management.  Unlike the majority of other SACR values, it is a tree-based value.  Giving a user access to a node gives them access to everything below that node.  Each institution has a “top” node and multiple nodes under it that reflect their organizational structure under that.  This enables LSAs to grant access to these navigations in a very granular way.  

The Academic Organization tree can be reviewed under the navigation Main Menu>Tree Manager>Tree Viewer.  The Tree Name is ACAD_ORGANIZATION.  Your institution’s nodes start with your institution number (for example, all Bates Technical College nodes start with 280).  

For example, if a user is given the value 140ENGLD, they will have access to 140PTWR and 140ENGL, but they will not have access to anything under 140COMHUMD.  Alternatively, Clark’s LSA could grant access to 140CLARK to give them access to the entire Clark College tree, or 140BEECHU to give them access to only nodes below that note.

Academic Organization Tree image


SACR Academic Organization Security image
SACR Milestone Security

Milestone Security is required to both view and edit Milestones.  This value is a child of institution.  


SACR Milestone Security image
SACR Service Indicator Security

Service Indicator Security is only required to EDIT (place or release) Service Indicators.  All users with access to the navigation will have access to see the service indicators a student has on them, and those service indicators that are configured to be displayed in student center or in Advisor Center will be displayed regardless of the user’s SACR Service Indicator Security.

Service Indicator Security is a child of institution so you must grant Institution for the user before you can grant them access to place or release service indicators.


SACR Service Indicator Security image
SACR Student Group Security

Student group security is required to both edit and view student groups.  It is a child of institution, so you must grant Institution for the user before you can grant them access to view or edit student groups.


SACR Student Group Security image
SACR Population Selection Security (Population Update Security)

Population Selection Security is global.  If you grant a user access to Population Selection Security, you will grant it for all institutions that user has access to.  

QRG Link

SACR Population Selection Update image

SEVIS Security is global.  If you grant a user access to SEVIS, you will grant it for all institutions that user has access to.

School Code (QRG)

Program Sponsor (QRG)

SACR SEVIS Security image
SACR Academic Progress Tracker (APT) Action Security

Academic Progress Tracker is not currently used in ctcLink. PeopleSoft requires the system to choose between Academic Advisement Reports (AARs) and Academic Progress Tracker, and ctcLink is set up to use AARs.

SACR Academic Progress Tracker Action Security image
SACR Constituent Transaction Management (CTM)

Admissions Application Suspense Management (QRG)

SACR Constituent Transaction Management Transactions image
SACR Consumer Notification

This setting relates to functionality that isn’t currently set up in ctcLink.

SACR Consumer Notification image
SACR Academic Item Registry (AIR)

Academic Item Registry is related to Academic Progress Tracking functionality, which is not currently used in ctcLink. PeopleSoft requires the system to choose between Academic Advisement Reports (AARs) and Academic Progress Tracker, and ctcLink is set up to use AARs.

SACR Academic Item Registry image
SACR Advising Notes

Advising note security determines what advising note categories a user has access to view, create and/or edit. These values affect both the Advisor Homepage that’s associated with ZZ SS Advisor and Main Menu>Academic Advisement>Student Advisement>Advising Notes.  The ZZ SS Advisor role gives page access, but to create/edit/view Advising notes the user must have one of the local grantable roles for advising such as ZZ/ZD Advising Notes  XXX.


SACR Advising Notes image
SACR Student Financials

Changes to some of the following settings will not take effect until the nightly

SF Business Unit

Business Unit controls access to view and edit financial information.  It is a “parent” to Cashier Office.  Typically, changes to this value don’t take effect until an overnight job runs.  This value affects most navigations under

  • Main Menu>Student Financials
  • Main Menu>Financial Aid

Review the Assign Access to Advising Notes - Note Category Access QRG for more in-depth information.

All SF Business Unit

This is primarily for multi-institution districts, and is a list of all the Business Units the person running the report has access to see.

Cashier Office

Cashier’s Office security needs to be granted in connection to the Cashier and should be coordinated with the person managing daily head cashier processing. Additional setup is required under

Set Up SACR>Product Related>Student Financials>Cashiering

This affects the navigations under

Student Financials>Cashiering>Cash Management


This SACR Security shows which Company ID the employee is tied to.  This limits them to data from that company when accessing data.

Credit Card

This isn’t used in ctcLink but this would control access for viewing credit card numbers at the institution.  

Item Type

Indicates whether or not the user has any item type security. (See SACR Item Type section of report for individual security details and the Item Type Security QRG)

Institution Set

Institution Sets are used to group business units within institutions.  ctcLink does not leverage that functionality, so each institution has one business unit and one institution set.

Origin ID

Origin Types represent sources of charges or payments that are used during group posting. You can also use the description that you define for an origin as criteria for selecting groups during group data entry. You must have Origin SACR for this function.  This section shows users with Origin SACR.

This qrg shows BU, institution set, origin ids, and setid


here is a good link to pull info from too:


Set ID

PeopleSoft delivers the capability to have business units role up into a single setid.  This setid shows what the employee has access to data wise.  In ctcLink, this always is tied back to Business Unit.  This limits what data the employee can see by institution.

SACR Item Type

The Item Type Security QRG is quite comprehensive.  Review it to better understand this section.

CS Operator Defaults

These two sections are informational only.  They do not need to be confirmed as they are set by the   user under Menu > Set Up SACR > User Defaults.  (QRG)

CS Roles with Navigation

This portion of the report is divided into two sections based on whether or not the role(s) a user has are locally assigned or must be assigned by the State Board security team.  

If you're not sure what happens at a navigation, try navigating to that section of the ctcLink Reference Center. The Reference Center is organized to mirror the menu setup in ctcLink.

When reviewing navigations, page access, and roles, consider the following factors, all of which impact the probability of a data breach, or a user being able to act nefariously.

  • What level of information is available at the navigation
    • Refer to your institution’s internal documentation to better understand the following categories.
    • Category 1 data is public information.  This includes information that is specified as Directory Information under our system’s shared definition per the Family Educational Rights and Privacy Act (FERPA).
    • Category 2 data is sensitive information.  All data that isn’t public information is at least category 2, although some data will be higher.
    • Category 3 data is confidential, and includes things like social security number, citizenship status, driver’s license number, credit card number, bank account number, among other information.
    • Category 4 data is confidential information requiring special handling.  
  • Whether or not the user has a role that grants them the ability to edit the data at the navigation, and, if applicable, whether or not the user has access to correct historical data.
  • What other navigations & information is on the role
  • Whether or not there are other roles that cover the navigation that might be more appropriate.
  • How robust your offboarding processes are.  
  • Whether or not the user’s current job responsibilities require the access the user has.

Roles granted by SBCTC should be considered as a higher risk level.  College should evaluate the access given by these roles rigorously.

Not Locally Assigned

Access granted in this section is covered by roles that are NOT on the local grant list, and must be added and removed by submitting a ticket to the State Board help desk.

Not Locally Assigned image
Locally Assigned

Access granted in this section is covered by roles that are on the local grant list.  

Locally Assigned image

<ta-da! text>


Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.