FSCM 9.2 Security - How to Read BFS_SEC_CERT

Purpose:  Facilitate security recertification

Audience: Local Security Administrators (LSAs) and Employee Supervisors

How to Read the BFS_SEC_CERT report

About the Output File

The output file will be one Microsoft Excel file per supervisor.  Each sheet represents a different employee’s access. If an employee has no access, they will not appear in the spreadsheet at all.

The last sheet in the file will always be empty.

Note that this report will NOT return all roles and access a person has. It returns only non-default access. If you need comprehensive information, run BFS_SEC_OPDF instead. Examples of excluded roles include ZZ PeopleSoft User and ZZ Employee.

Report Header

The report header includes basic information about the employee and supervisor.  It lists the institution, the supervisor, the employee’s name and ID, the last time the employee was paid, the employee’s business unit, and the employee’s classification.

Operator Default FS

This section displays the user’s default operator values.

Process Group Security

Process Groups allow control of the on-demand features such as budget check or posting directly in AP & AR transaction pages.

Asset Management Preferences

Default Asset Management settings include date defaults, edit options for the entries in the AP/PO Information, Review Transactions, Unitization, Consolidation, and Default Distribution pages. The Auto-Run Transaction Loader options include running this process, and whether to include the impairment/revaluation, and asset retirement options. The Property Pagelet settings include Business Unit, UOM & location. The Asset tracking option shows the user’s default business unit for search criteria and prompt values.

Billing Preferences

Billing job defaults, including server, output destination, and job run options.

Contracts Preferences

Default settings and contract status authorizations.

General Ledger Preferences

Default GL settings include the default ledger, ledger group, and journal entry sources. Journal Entry options include defaulting to the NEXT journal ID number, the Change Journals from Journal Generator option for editing sub journals, the ability for the user to post journals, and permission to copy/delete/unpost journals. The Online Journal Edit Defaults options include allowing the user to re-edit valid journals and Mark Journals to Post; however, this option is not usually checked, as it bypasses approval workflow. Journal Post Defaults include journal post options to bypass open item reconciliation and summary ledger updates for a specific user. The Budget Post Options include options for creating events through the Entry Event Processor and Parent Budget Generation, which is usually set to Always Generate to keep parent-child budgets in line.

Paycycle Preferences

PayCycle Output Destination settings, such as server file destination for bank files and email id for notifications, can be added for users with PayCycle processing access.

Purchase Order & Requisition Approval Roles

Assigned approval roles for PO and Requisition approval workflow.

Procurement Preferences

Optional defaults for procurement transactions, such as location, origin, department, ship to location, requester, and buyer.

Contract Process

Procurement contract process and default display options, including contract status, authority to approve/enter/hold/close/cancel contracts, and authority to process PO & AP contract releases.

Payables Online Vouchering

Default settings for origin (online entry, batch, etc.) and operator voucher authority to pay unmatched vouchers, copy from closed POs, and override the accounting date.

Voucher Styles

Security for Voucher Styles allows the user access to various voucher types.

Online Voucher Processing

Online Voucher Processing options include not checking vs. checking voucher amount limits, ability to post vouchers, manually schedule payments, authority to override matching, and recording payments.

Quick Invoice Configuration

Default settings for Quick Invoice entry that require a valid chart field combo and/or a balanced invoice.

Receiver/RTV Setup

Default settings for receiver entry include allowing the user to force close non-qualified receipts, change non-PO prices on a receipt, close short, use the Interface Receipt option to automate passing of inventory and asset information, and allow subcontract streamline overrides. Other options include blind receiving only, where the user cannot see ordered and remaining quantities; No Order Qty, to hide the PO quantity; Ordered Qty, to use the default PO quantity; PO Remaining Qty, to default to the remaining quantity from the PO; the user’s default business unit; and the days plus or minus the current system date to use. The RTV (return to vendor) options include dispatch, inventory ship, and inventory destroy options, if in use.

Requisition Authorizations - Allowed Requisition Actions

Allowed actions include approval (for workflow approvers), cancel, delete, close, and reopen. Other options include whether the user can work on approved requisitions, has full authority for all requesters at the location, whether a preferred supplier can be overridden, whether a RFQ (request for quote) required flag can be overridden, if non-qualified requisitions for closure can be overridden, and whether the user can send an approval reminder.

Purchase Order Authorizations - Allowed Purchase Order Actions

Allowed actions include approval (for workflow approvers), cancel, delete, close, and reopen. Other options include whether the user can work on approved POs, can dispatch unapproved POs, has full authority for all buyers at the location, can override non-qualified POs to close, and whether the user can send an approval reminder.

Document Tolerance Exceptions Override Authorizations

Settings include whether the user can override document tolerance exceptions when a PO exceeds the requisition amount or if the expenditure (voucher) exceeds the encumbrance (PO) amount.

Supplier Processing Authority

For users to Enter Suppliers, the Authority to Enter option is checked. The Supplier Audit is automatically checked. The Authority to Approve or Inactivate is for SBCTC use only.

Finance Operator Receivables Preferences

The Receivables preferences are used to set user default values and Payment Worksheet write-off tolerances and discount tolerances.

Finance PO Buyer Authorizations

Buyers for whom this user can work purchase orders, and the actions that can be taken: add, update, cancel, delete, close, and reopen.

Finance PO Requestor Authorizations

Requesters for whom this user can work requisitions, and the actions that can be taken: add, update, cancel, delete, close, and reopen.

Finance PO Buyer Authorizations for Employee

Buyers this user can work purchase orders and actions that can be taken; add, update, cancel, delete, close, and reopen.

Finance PO Requestor Authorizations for Employee

Requesters this user can work requisitions and actions that can be taken; add, update, cancel, delete, close, and reopen.

Finance Operator Grant Security

Grant security enables access to grant projects based on selected project security trees and department(s).

Finance Operator KK Commitment Control Rule Security

BUDG_DT_R: Allows users to override the budget date on transactions that error because of the budget date.

BYPASS_R: Allows a user to bypass budget checking entirely. (This function is reserved for occasions such as when a user needs to correct a suspense journal that was generated from within a source application like Purchasing and whose accounting entries have already been budget-checked.)

NOTIFY: Enables users to be notified by workflow when budget exceptions occur or when a specified percentage of the budget has been used.

OVERRIDE_R: Allows users to override budget checking exceptions for a new transaction or pass a transaction that has failed budget checking.

Finance Operator Treasury Payment Security

Users with the Security User Assignment will be able to process the ACH/EFT payment dispatch, review payments, review payment files, override payment status, and override payment file status.

Finance Operator Route Controls

College Route controls that are added to ZZ_AW roles used for approval workflow.

Finance Operator Department Manager

Lists departments where the user is listed as the manager.

Finance Operator Expense Approval

Lists departments where the user is an approver for travel and expense transactions.

Finance P-Card Proxy Assignments to Operator

Lists procurement card proxy assignments assigned to another user (reconciler, administrator, reviewer, approver).

Finance P-Card Proxy Assignments by Operator

Lists procurement card proxy assignments (reconciler, administrator, reviewer, approver).

Finance Travel Expense Authorized by Operator

Displays whether a user has authorized another user to edit and submit T&E expense on their behalf.

Finance Travel Expense Assignments as Authorized Operator

Displays whether a user can edit and submit T&E expense on behalf of another user.

Finance Workflow Approvals

Lists roles if the user is included in approval workflow routing.

Delegation as Delegator

Lists delegation assignments established by the user.

Delegation as Proxy

Lists delegation assignments if approving on behalf of another user.

FSCM Roles with Navigation

This portion of the report is divided into two sections based on whether or not the role(s) a user has are locally assigned or must be assigned by the State Board security team.

If you're not sure what happens at a navigation, try navigating to that section of the ctcLink Reference Center. The Reference Center is organized to mirror the menu setup in ctcLink.

When reviewing navigations, page access, and roles, consider the following factors, all of which impact the probability of a data breach, or a user being able to act nefariously.

  • What level of information is available at the navigation
    • Refer to your institution’s internal documentation to better understand the following categories.
    • Category 1 data is public information. This includes information that is specified as Directory Information under our system’s shared definition per the Family Educational Rights and Privacy Act (FERPA).
    • Category 2 data is sensitive information. All data that isn’t public information is at least category 2, although some data will be higher.
    • Category 3 data is confidential, and includes things like social security number, citizenship status, driver’s license number, credit card number, bank account number, among other information.
    • Category 4 data is confidential information requiring special handling.
  • Whether or not the user has a role that grants them the ability to edit the data at the navigation, and, if applicable, whether or not the user has access to correct historical data.
  • What other navigations & information are on the role
  • Whether or not there are other roles that cover the navigation that might be more appropriate.
  • How robust your offboarding processes are.
  • Whether or not the user’s current job responsibilities require the access the user has.

Roles granted by SBCTC should be considered higher risk. Colleges should evaluate the access given by these roles rigorously.

FIN Roles with Navigation - Not Locally Assigned

Access granted in this section is covered by roles that are NOT on the local grant list, and must be added and removed by submitting a ticket to the State Board help desk.  

FIN Roles with Navigation - Locally Assigned

Access granted in this section is covered by roles that are on the local grant list.
