How to Use QXX_SEC_QURY_RECORD_USR_RPT_BA
Purpose: The purpose of this query is to provide a single place to check user configuration for query security. It is also intended to allow a user to pick an optimal set of roles when onboarding a user who needs access to multiple queries.
The query allows a user to input up to 6 queries (labeled “Query 1-6”) and 3 BI Publisher Reports (labeled “Report Name 1-3”). This allows a Business Analyst (BA) or Local Security Administrator (LSA) to see what records each query uses, and what role options can be used to grant access to each record.
Additionally, there are four prompts that allow a BA\LSA to see what the user’s report would look like if the user had that role in addition to the roles they have already been granted access to (labeled “What if Grant Role 1-4”).
Finally, there’s a checkbox that allows a BA\LSA to only look at the records that the user does NOT have access to. This can be helpful if you’re troubleshooting why a user is unable to find a complex query that uses many records, and the BA\LSA believes the user should already have access to view it.
Audience: Local Security Administrators (LSAs)
Remember to grant query access in line with WaTech Policy Sec-06, 1:
“Agencies must manage user or system access throughout the account life cycle from the identification of a user to the granting, modification or revocation of a user’s access privileges following the principle of least privileges.”
Sometimes it is prudent to revamp a business process rather than grant query access to a user.
Because query security is handled slightly differently in the Campus Solutions (CS) pillar than it is in the Human Capital Management (HCM) and Finance and Supply Chain Management (FSCM) pillars, this version of the query is structured slightly differently than QHC_SEC_QURY_RECORD_USR_RPT_BA and QFS_SEC_QURY_RECORD_USR_RPT_BA.
In order to have access to a query, a user must have, for each record the query uses, at least one query role (a role that starts with “ZD_DS_QRY…”) that grants access to that record. Many records are covered by more than one query role. This query returns one row per record, tells you which query or queries from the prompts use the record, and lists the query roles that can be used to grant access to the record. This allows you to analyze the queries the user needs together as a set.
Row Type
There are four row types. Row types 1 and 2 help you review the user’s basic setup and ensure it is appropriate. Row type 3 helps you locate the appropriate query role(s) to give the user access to, and row type 4 is only returned in CS, and helps you determine if the user needs additional SACR to be able to run the query.
Row type 1 tells you whether or not the user has the role that grants access to the Query Viewer navigation.
Not all users who need query access require query viewer access. For example, if a user needs to be able to assign student groups using a population select query, but does not need to review results of other queries, it would be prudent to grant only the roles required to access the population select query, and NOT grant access to the navigation.
Row type 2 tells you whether or not a user has Institution SACR. Nearly all queries in CS require either Institution or Business Unit security.
Row type 3 tells you what records are used by the prompted queries and/or reports. Each record will only be listed once, even if it’s used by more than one query in the prompts. This helps you evaluate the impacts to a user if you do not grant access to a specific record. For example, if a user provides you with four queries they need to run, and all four of them include a record only covered by ZD_DS_QRY_ADM_SSN_HIGHSENS, not granting the role will mean the user is unable to use any of the queries.
CS Only: Row type 4 tells you what prompt tables are used, and what record each prompt table is secured by. You can use this information to deduce what SACR the user will need to successfully run the query.
Record
Because you can enter more than one query\report, and query access is granted at the record level, this query summarizes information at the record level. This column contains the record associated with the row.
Queries use Record
This is a list of the prompted queries and queries referenced by the prompted reports that reference the record in the record column. In the example below, both queries use VCS_STDNT_MASTR, but only QCS_CC_SSN_LOOKUP uses SCC_PERS_NI_QVW.
Role Options for Record
Granting any one of the roles in this column will grant the user access to the record. For example, in the example below, granting XX140CS03 the role ZD_DS_QRY_CAMPUS_COMMUNITY would give the user access to SCC_EMAIL_QVW, VCS_BIO_PRIORTY, and VCS_BIO_PRIMARY, but not VCS_STDNT_MASTR or SCC_PERS_NI_QVW. You can test this by adding the role to the first “What if Grant Role” prompt.
If you double-click a role name, it will highlight the role name, allowing you to copy it and paste it into one of the “What if Grant Role…” prompts.
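The role selection described above can also be checked offline against exported report rows. The following Python sketch is an added example, not part of the query or the original guide: it reports which records still block each query for a given role set (the “What if Grant Role” view) and finds the smallest sets of additional roles that unblock the wanted queries. The rows are constructed sample data; only the ZD_DS_QRY_CAMPUS_COMMUNITY coverage is taken from this page, and the other record, query and role pairings are assumptions.

```python
from itertools import combinations

# Constructed rows shaped like row type 3: (record, queries using it, role options).
# Only the ZD_DS_QRY_CAMPUS_COMMUNITY coverage comes from the page; the other
# pairings are assumptions made for illustration.
ROWS = [
    ("VCS_STDNT_MASTR", {"QCS_CC_SSN_LOOKUP", "QCS_CC_LOOKUP_BY_EMAIL"},
     {"ZD_DS_QRY_STUDENT_RECORDS"}),
    ("SCC_PERS_NI_QVW", {"QCS_CC_SSN_LOOKUP"}, {"ZD_DS_QRY_ADM_SSN_HIGHSENS"}),
    ("SCC_EMAIL_QVW", {"QCS_CC_LOOKUP_BY_EMAIL"},
     {"ZD_DS_QRY_CAMPUS_COMMUNITY", "ZD_DS_QRY_STUDENT_RECORDS"}),
    ("VCS_BIO_PRIORTY", {"QCS_CC_SSN_LOOKUP"}, {"ZD_DS_QRY_CAMPUS_COMMUNITY"}),
    ("VCS_BIO_PRIMARY", {"QCS_CC_SSN_LOOKUP"}, {"ZD_DS_QRY_CAMPUS_COMMUNITY"}),
]


def blocked_queries(rows, roles):
    """Map each query to the sorted records the given roles do not cover."""
    blocked = {}
    for record, queries, options in rows:
        for query in queries:
            gaps = blocked.setdefault(query, [])
            if not options & set(roles):
                gaps.append(record)
    return {q: sorted(g) for q, g in blocked.items()}


def smallest_role_sets(rows, current_roles, wanted_queries):
    """Return every minimum-size set of extra roles that unblocks wanted_queries."""
    # Role options of each record that a wanted query uses and the user lacks.
    needed = [opts for rec, queries, opts in rows
              if queries & set(wanted_queries) and not opts & set(current_roles)]
    if any(not opts for opts in needed):
        raise ValueError("a required record has no query role option")
    candidates = sorted(set().union(*needed)) if needed else []
    # Try role sets from smallest to largest; stop at the first size that works.
    for size in range(len(candidates) + 1):
        hits = [combo for combo in combinations(candidates, size)
                if all(opts & set(combo) for opts in needed)]
        if hits:
            return hits
    return []
```

An empty tuple in the result means the user's current roles already cover every record the wanted queries use.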
User has access?
This column returns a note indicating whether or not the user needs role or SACR adjustments.
CS Only: Record Secured Using
This column can be used to evaluate whether or not the user is likely to need additional SACR to run the query. If the record is secured using “Institution Security View”, for example, the user will need to have institution security. Other common values would be “Operator Stdnt Groups,” and “Std Grp All Status Sec Prompt,” which would indicate that the user needs Student Group SACR to be able to use the query and have it work correctly.
In the example below, the user would have access to run QCS_CC_LOOKUP_BY_EMAIL after being granted the role ZD_DS_QRY_STUDENT_RECORDS.
End of procedure