HCM 9.2 Security - How to Read BHC_SEC_CERT

Purpose:  Facilitate security recertification

Audience: Local Security Administrators (LSAs) and Employee Supervisors

How to Read the BHC_SEC_CERT report

About the Output File

The output file will be one Microsoft Excel file per supervisor.  Each sheet represents a different employee’s access. If an employee has no access, they will not appear in the spreadsheet at all.

The last sheet in the file will always be empty.

Note that this report will NOT return all roles and access a person has. It returns only non-default access.  Examples of excluded roles include ZZ PeopleSoft User and ZZ Employee.

Report Header

The report header includes basic information about the employee and supervisor.  It lists the institution, the supervisor, the employee’s name and ID, the last time the employee was paid, the employee’s business unit, and the employee’s classification.

[Image: Report header]

Approval Workflow (EOAW) User

This portion of the report shows users with approval authority.  Please review it to ensure that the level of approval, and the need to be an approver at all, is still accurate.  Approval authority should be at a supervisory level or higher.  The ZZ HCM Manager role allows managers to approve their employees' transactions, but there are other approval roles, for things such as Position Management, that have to be assigned manually.  Ensure the users with approval authority are still active and applicable.

[Image: Approval Workflow EOAW User]

Global Payroll

Global Payroll handles payroll and absence processing.  This can be defined by country as well.  The Global Payroll User Profile page defines the default values that users see in the Used By and Country fields when adding an element. When you create your payroll system using Global Payroll, you want to be sure that it meets all the requirements of your organization. One of the ways that PeopleSoft ensures this is by building the payroll system from components called elements.  Users who process payroll or perform absence management processing will need access to USA as the country.

[Image: Global Payroll]

Delegation as Delegator

This section of the report shows transactions where the employee has delegated approval or initiation authority to another user.  It is imperative to review this section from an audit perspective.  There should be no open-ended delegations, but if there are, they must be reviewed and audited at least yearly.

[Image: Delegation as Delegator]

Delegation as Proxy

This section shows where this employee was delegated authority to approve or initiate transactions on behalf of other users.  Review this section thoroughly to ensure the access is appropriate for this level of employee.

[Image: Delegation as Proxy]

Supervisees

The Supervisees tab shows a list of the employee’s direct reports with their department name and jobcode description.  Use it to recertify that the list is still correct and that none of the employees in the list are terminated employees who still show this person as their supervisor.  Please thoroughly review the list of supervisees for this supervisor.

[Image: Supervisees]

HCM Roles with Navigation

This portion of the report is divided into two sections based on whether the role(s) a user has are locally assigned or must be assigned by the State Board security team.

If you're not sure what happens at a navigation, try navigating to that section of the ctcLink Reference Center. The Reference Center is organized to mirror the menu setup in ctcLink.

When reviewing navigations, page access, and roles, consider the following factors, all of which affect the probability of a data breach or of a user being able to act nefariously.

  • What level of information is available at the navigation.
    • Refer to your institution’s internal documentation to better understand the following categories.
    • Category 1 data is public information. This includes information that is specified as Directory Information under our system’s shared definition per the Family Educational Rights and Privacy Act (FERPA).
    • Category 2 data is sensitive information. All data that isn’t public information is at least Category 2, although some data will be higher.
    • Category 3 data is confidential, and includes things like social security number, citizenship status, driver’s license number, credit card number, and bank account number, among other information.
    • Category 4 data is confidential information requiring special handling.
  • Whether the user has a role that grants them the ability to edit the data at the navigation and, if applicable, whether the user has access to correct historical data.
  • What other navigations and information are on the role.
  • Whether there are other roles that cover the navigation that might be more appropriate.
  • How robust your offboarding processes are.
  • Whether the user’s current job responsibilities require the access the user has.

Roles granted by SBCTC should be considered higher risk. Colleges should evaluate the access given by these roles rigorously.

HCM Roles with Navigation - Not Locally Assigned

Access granted in this section is covered by roles that are NOT on the local grant list, and must be added and removed by submitting a ticket to the State Board help desk.  

[Image: HCM Roles with Navigation Not Locally Assigned]

HCM Roles with Navigation - Locally Assigned

Access granted in this section is covered by roles that are on the local grant list.

[Image: HCM Roles with Navigation Locally Assigned]
