9.2 Security - Offboarding Automation
Purpose: Use this document as a reference to off-board a separated employee's security in ctcLink.
Audience: Security staff
Reference Guide Under Construction
Only Local Security Administrators with the ZZ Local Security Admin role and ZD Local Security Admin view-only role have access.
If you need assistance with the above security roles, please contact your local college supervisor or IT Admin to request role access.
Using Custom Process to Automatically Offboard Security
Navigation: NavBar > Navigator > PeopleTools > Security > CTC Custom > CTC Processes > Offboarding Automation
When navigating to the Offboarding Automation page, you will land on the Run Control ID Search page. To Find an Existing Value (a Run Control ID that you saved during a prior run of this process), click the Search button. If this is the first time navigating to this page, click the Add a New Value tab and enter a new Run Control ID, then click the Add button, which will open the page for entering scheduling parameters.
In the Run Parameters box, enter your college's Company Code (for example 090 for Highline College) and the Empl ID of the employee being separated. Once both parameters are entered, click the Run button to launch the process. This will automatically save the parameters entered under this Run Control ID for the next time you seek to run this process. You can then simply edit the Empl ID each time you run the process and it will save the most recently executed parameter set under the Run Control ID.
Once the process has been launched, click the Process Monitor link to monitor the progress of the scheduled process and to access the log files the process will produce upon successful completion.
If you navigate away from this page, you can go back and review the log files by going directly to the Process Monitor using the following navigation:
Navigation: NavBar > Navigator > PeopleTools > Process Scheduler > Process Monitor
- In viewing the Process Monitor, your User ID will automatically populate to see all processes scheduled by you in the last 1 day.
- You can edit the number of days if you need to see numerous previous runs of all processes to gather the needed log files.
- You may also limit the view by entering the specific process name CTC_OFFBD_AE to see only those process logs related to Offboarding Automation.
- In the process list, click the Details link to access the logs related to the desired run. This will open the Process Detail page. In the Actions section, click View Log/Trace to open the page showing all log files.
- Note the Expiration Date. This is how long the file will be available in the system. Log files should be downloaded and saved for audit records prior to this date or these files will no longer be available. If log files were not downloaded, a subset of the information related to offboarding is available by running the auditor queries (covered in the section below).
- The log files generated by this process are described in the sections below:
These 3 log files are generated and each contains specific information:
CTC_OFFBD_RPT - This log file shows process parameters and execution times.
- Run Date/Time of the process launch.
- Process Instance Number.
- Operator ID of the user who launched the process.
- Run Control ID.
- Company Code.
- Empl ID of the separated employee.
CTC_OB_USER_ROLES - This log file contains the changes made on the HCM pillar User Profile.
- Before and After information on Primary and Row Permission List values.
- Security Roles Kept
- Security Roles Deleted
AE_CTC_OFFBD_AE - This log file contains the majority of information related to the execution of the offboarding process.
- Details from Query: CTC_SEC_HR_STATUS_SYSTEM_LEVEL
- Employee ID, Name and Status in the ctcLink HR System
- Alert: If an employee is a Manager
- ROLENAME(s) BEFORE Off Boarding
- ROLENAME(s) to be removed for Off Boarding
- ROLENAME(s) remaining after Off Boarding
- Content of the Email Notification triggered by the process.
These 2 log files are generated and each contains specific information:
CTC_OFFBD_RPT - This log file shows process parameters and execution times.
- Run Date/Time of the process launch.
- Process Instance Number.
- Operator ID of the user who launched the process.
- Run Control ID.
- Company Code.
- Empl ID of the separated employee.
AE_CTC_OFFBD_AE - This log file contains the majority of information related to the execution of the offboarding process.
- ROLENAME(s) BEFORE Off Boarding
- ROLENAME(s) to be removed for Off Boarding
- ROLENAME(s) remaining after Off Boarding
- Delete Other Security Access:
- deleting rows for: Financial Gateway Security - PS_PMT_SEC_USR_OPT
- deleting rows for: Financial Gateway Security - PS_PMT_SEC_USR_RUL
- deleting rows for: Remove Grants Security -- PS_GM_SEC_TREE_OPR
- deleting rows for: Remove Grants Security -- PS_GM_SEC_DEPT_OPR
- Expense Delegation Removed - Empl ID / Authorized OPR ID
- Note: This process will only remove the Expense Delegation on the separated employee. If the employee was delegated authority to manage expenses for others, this will need to be removed manually.
- Check the BFS_SEC_OPDF query that is recommended to be run prior to launching the offboarding automation process. In the report output, the Travel Expense Assignments tab will list these under the Finance Travel Expense Assignments as Authorized Operator section.
- Notice that a Buyer Setup was found for the separated employee, which will require later manual removal.
- A list of navigational paths where additional manual removal is required, each beginning with "Employee found in" :
- Setup Financials Supply Chain > Product Related > Procurement Options > Purchasing > Requester Setup -- OPR_PO_RQSTR
- Setup Financials Supply Chain > Common Definitions > Design Chartfield > Define Values > Chartfield Values -- DEPT_TBL
- Setup Financials Supply Chain > Product Related > Expenses > Management > Approval Setup > Approver Assignments -- EX_APPRVR
- Content of the Email Notification triggered by the process.
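Added example (not part of the original guide or of the ctcLink process): a small Python check for a downloaded AE_CTC_OFFBD_AE log that compares the three ROLENAME(s) lists and collects the "Employee found in" paths that still need manual removal. The section titles come from this guide; the one-role-per-line layout with blank lines between sections, the role names, and the function name audit_offboarding_log are assumptions made for the sample.

```python
import re

# Section titles as named in this guide; the line layout is an assumption.
SECTIONS = {
    "ROLENAME(s) BEFORE Off Boarding": "before",
    "ROLENAME(s) to be removed for Off Boarding": "removed",
    "ROLENAME(s) remaining after Off Boarding": "remaining",
}
MANUAL = re.compile(r"Employee found in\s*:?\s*(.+)")

# Constructed sample log; role names are placeholders, not real ctcLink roles.
SAMPLE_LOG = """\
ROLENAME(s) BEFORE Off Boarding
SAMPLE ROLE A
SAMPLE ROLE B
SAMPLE ROLE C
SAMPLE ROLE D

ROLENAME(s) to be removed for Off Boarding
SAMPLE ROLE A
SAMPLE ROLE B

ROLENAME(s) remaining after Off Boarding
SAMPLE ROLE B
SAMPLE ROLE C

Employee found in Setup Financials Supply Chain > Product Related > Procurement Options > Purchasing > Requester Setup -- OPR_PO_RQSTR
"""

def audit_offboarding_log(text):
    """Return role-list discrepancies and manual follow-up paths."""
    roles = {"before": set(), "removed": set(), "remaining": set()}
    manual, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if not line:                      # blank line closes a role list
            current = None
            continue
        key = next((k for h, k in SECTIONS.items() if line.startswith(h)), None)
        found = MANUAL.search(line)
        if key:
            current = key
        elif found:
            manual.append(found.group(1).strip())
            current = None
        elif current:
            roles[current].add(line)
    b, r, k = roles["before"], roles["removed"], roles["remaining"]
    return {
        "not_removed": sorted(r & k),       # marked for removal, still present
        "unaccounted": sorted(b - r - k),   # in BEFORE, in neither later list
        "unexpected": sorted(k - b),        # remaining but never in BEFORE
        "manual_followup": manual,
    }

if __name__ == "__main__":
    print(audit_offboarding_log(SAMPLE_LOG))
```

Any non-empty result in the first three lists, or any entry under manual_followup, is an item to resolve and record with the retained log.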
These 3 log files are generated and each contains specific information:
CTC_OFFBD_RPT - This log file shows process parameters and execution times.
- Run Date/Time of the process launch.
- Process Instance Number.
- Operator ID of the user who launched the process.
- Run Control ID.
- Company Code.
- Empl ID of the separated employee.
CTC_OB_USER_ROLES - This log file contains the changes made on the CS pillar User Profile.
- Security Roles Kept
- Security Roles Deleted
AE_CTC_OFFBD_AE - This log file contains the majority of information related to the execution of the offboarding process.
- Company Code, Employee ID and Academic Institution Code
- ROLENAME(s) BEFORE Off Boarding
- ROLENAME(s) to be removed for Off Boarding
- ROLENAME(s) remaining after Off Boarding
- Primary Permission List and Row Security Permission List Updates
- Updated Primary and Row Security Permission List = CTC_PT_MASK_ALL
- Secure Student Administration Access Updates:
- Deleted rows for menu item: 3C Group Security
- Deleted rows for menu item: Academic Plan Security
- Deleted rows for menu item: Academic Program Security
- Deleted rows for menu item: Application Center Security
- UPDATING rows for menu item: Enrollment Security
- Deleted rows for menu item: Institution/Campus Security
- Deleted rows for menu item: Institution/Career Security
- Deleted rows for menu item: Milestone Security
- Deleted rows for menu item: Recruiting Center Security
- Deleted rows for menu item: Service Indicator Security
- Deleted rows for menu item: Student Group Security
- Deleted rows for menu item: Transcript Type Security
- Secure Student Financials Access Updates:
- Displays the Company, Academic Institution and Business Unit
- Deleted rows for menu item: Business Unit - PS_SEC_UNITSF
- Deleted rows for menu item: Business Unit - SEC_CSHOFF_OPR
- Deleted rows for menu item: Company - PS_SSEC_COMPANY_OPR
- Deleted rows for menu item: Institution Set - PS_SEC_ISET_OPR
- Insert Inactive Row for menu item: Item Type - PS_SEC_ITEM_SU_OPR (Parent)
- Deleted rows for menu item: Origin IDs - PS_SEC_ORIGIN_OPR
- Deleted rows for menu item: SetID - PS_SEC_SETID_OPR
- Updated value to blank for menu item: Student Institution Set - PS_OPR_DEF_TBL_CS (ISET_OVRD)
- Content of the Email Notification triggered by the process.
Overview of Program Functionality
Offboarding Automation Key Features
- When executed, this process will remove security roles and some, but not all, secondary security.
- Some secondary security, for example those employees tied to a department manager, must be manually addressed due to the need to identify the specific (interim or permanent) replacement when the change is made. (Visible in the offboarding log file.)
- The process in Process Scheduler will display all Active Job(s) for that EMPLID.
- The process upon completion generates log files with information that requires review to take next steps relevant to each pillar and can be saved for audit purposes. Review the above sections for details contained in each set of Pillar log files.
- Removes user’s Row Level Security if CTC_XXX_TL_SUPERUSER exists to "blank out" the row level security value.
- Process synchronizes HCM role deletions in other pillars (Portal, Finance, CS)
- This means that if a role with the same name exists in HCM and in another pillar, and that role is removed from HCM, it will also be removed from all other pillars.
- Log file displays active and inactive jobs for the employee.
- If an active job record at another college exists, the LSA must coordinate with the LSA at the other college when performing offboarding. The process will generate a warning message that the employee is active at another college and provide the option to cancel out.
- Roles that have a corresponding Route Control Profile will be removed. If the employee has multiple jobs at various institutions and multiple Route Control Profiles associated with a role, it may be that this process should not be executed in the Finance Pillar and coordination with the LSA at the other college is advisable.
- If the user is shown as having an active job at another college, run the BFS_SEC_OPDF BI Publisher report and review the Route Control tab for the employee in question to see if the user has roles associated with their Business Unit. View those Route Controls to determine if role removal will impact the other college.
- Removal of Financial Gateway access.
- Removal of Treasury Security, Commitment Control Security, Grants Security.
- Log file displays secondary security in Finance that the LSA/Pillar Lead will need to address manually: Expenses Approvers, Expense Delegation, PCard Security, Requester/Buyer Setup, Department Manager security.
- NOTE: The security for Commitment Control and Grants is removed for ALL colleges if more than one college was set up for that user.
- Removal of User Preference Definitions is performed separately using LaunchPad, which includes the removal of Process Groups.
- Reduces masking in user’s Primary and Row Level Security to Mask ALL.
- SACR Security for Academic Institution must be removed manually; the program does not automatically remove this.
- SACR Security for Notification Consumer must be removed manually; the program does not automatically remove this.
- Student roles for an employee who is also a student will NOT be removed.
- Process synchronizes CS role deletions in Portal.
- This means that if a role with the same name exists in CS and Portal, that role is removed from both CS and Portal.
- Clears SACR Security relative to the specific college executing the process.
- Global SACR Security values WILL be removed (e.g. Enrollment Security, Test ID Security).
- Coordination with another college where the employee has job-related CS access is important!
Audit Queries Related to Security
For the best results, the LSA should run the BI Publisher Reports (e.g., BFS_SEC_OPDF) to capture the complete picture of the individual’s security BEFORE performing any offboard activities.
Colleges should retain the log file from the automated offboarding execution upon completion.
AFTER the process has been run, if a college did not retain the log file, you can also execute the query QXX_SEC_ROLE_OFFBOARDING (where XX is HC for HCM, FS for FSCM and CS for CS) on demand as needed. It can be run to view the role set from BEFORE (B) or AFTER (A) the offboard process was run. When run as HTML, a drilldown link is provided.
After the process has completed, the audit query (available in each pillar) can be run to see the roles that were removed and kept on the user profile:
Clicking the Drilldown Link will execute the process to display the role names; BEFORE (B) or AFTER (A) is noted in the Change Type column.
End of procedure.