HCM/FSCM/CS 9.2 Security - How to Set up and Conduct a ctcLink Supervisee Access Recertification or Supervisee Access ctcLink Audit
Purpose: Facilitate security recertification
Audience: Local Security Administrators (LSAs)
How to Set up and Conduct a ctcLink Supervisee Access Recertification or Supervisee Access ctcLink Audit
State OCI policy SEC-06 Access Control Policy, section 1.e, states, in part,
"Agencies must perform a user access review, at a minimum, semiannually. Review of privileged accounts must occur at least quarterly.
i. Agencies must remove all unauthorized accounts and access discovered during the user access review procedure. "
The recertification reports assume that all users at your institution have an active job with an active supervisor in order for them to work.
- Ensure all active employees at your institution are assigned to an active supervisor. This is necessary because the reports used to complete this business process assume that all active employees are supervised by an active employee
- Run QHC_SEC_INACTIVE_SUPERVISOR and work with HR to get those employees who are assigned to inactive supervisors either
- Separated, if no longer working, or
- assigned to an active employee.
- Run QHC_JOB_NO_SUPERVISOR to get a list of employees who do not have a supervisor on their job record. Work with HR to get those employees assigned to a supervisor.
- Run QHC_SEC_INACTIVE_SUPERVISOR and work with HR to get those employees who are assigned to inactive supervisors either
- Run QHC_SEC_ACTIVE_SUPER_W_EMPL to get a list of all the supervisors at your institution and the number of people who report directly to them.
You may need or want to schedule this query and run the results to HTM so you can refer back to the results, and because it may time out when running (if it returns a Proxy Error, it timed out)
Note that the query returns one row per employee, sorted on supervisor. In the screenshot below, rows 1 and 2 refer to the same supervisor, but different supervisees, and rows 3 thru 7 refer to the same supervisor but different supervisees. You can export the query results, delete the columns after “Nbr in HC for Recert”, and remove the duplicates to get an unduplicated list of supervisors and what pillars you need to run the recertification report in. Alternatively, if you choose to recertify the entire college at once, you can run the BXX_SEC_CERT reports without a value in the Supervisor prompt and the system will generate one report per supervisor.
For each supervisor, you will need to review the “Nbr in CS for Recert”, “Nbr in FS for Recert” and “Nbr in HC for Recert”.
a. If “Nbr in CS for Recert” is greater than 0, you will need to run BCS_SEC_CERT for the supervisor. If that number is 0, however, the supervisor does not have any direct reports who have recertifiable roles in CS.
b. If “Nbr in FS for Recert” is greater than 0, you will need to run BFS_SEC_CERT for the supervisor. If that number is 0, however, the supervisor does not have any direct reports who have recertifiable roles in FSCM.
c. If “Nbr in HC for Recert” is greater than 0, you will need to run BHC_SEC_CERT for the supervisor. If that number is 0, however, the supervisor does not have any direct reports who have recertifiable roles in HCM
- Run the applicable reports using the following steps
- Open each pillar
- Navigate to
- Main Menu>Reporting Tools>BI Publisher>BIP Query Report Scheduler
- Either use the “Find an Existing Value” tab to locate a Run Control ID that you’ve already created (you’ll be able to change the query parameters on the next screen), or select “Add a new Value”.
Note that the process monitor retrieves the settings of the run control when it starts execution. So if you set up a run control id, change it and hit save BEFORE the execution starts, the process will run on the new settings, not those when you hit run. If you need to run the report several times close together with different prompt values, it’s recommended you make several different run control IDs.
d. Set Data Source Type to “Connected Query”
e. Select the report, BXX_SEC_CERT where XX is CS in CS, FS in FSCM, and HC in HCM
f. Fill in the applicable prompt values
g. Click ok
h. Click Run
i. Click OK
j. Once the process is complete, the result files will be distributed to the navigation
Main Menu>Reporting Tools>Report Manager
- Download and email the resulting Excel file(s) to each supervisor to review.
- Have supervisors indicate the following and return the file to you
- Employees who no longer work for them and inactive volunteers.
- Any ctcLink access an employee/volunteer does not need
- Follow the separation instructions for employees who are no longer working for your institution and inactive volunteers.
- Remove access for active employees who have excess access.
0 Comments
Add your comment