9.2 Security - Using Shell Roles to Identify Access Outside ctcLink

Purpose:  Use this document as a reference to understand how to utilize third party "Shell" roles for tracking access to systems outside of ctcLink. "Shell" roles will need to be addressed in 4 stages to ensure comprehensive management of third party access, as outlined below.

Audience: Security staff

Figure: simple flow showing onboard, maintenance, offboard and follow-up to confirm access removal.

Only Local Security Administrators with the ZZ Local Security Admin role and ZD Local Security Admin view-only role have access to Distributed User Profiles.

If you need assistance with the above security roles, please contact your local college supervisor or IT Admin to request role access.

Navigation: NavBar > Navigator > PeopleTools > Security > User Profiles > Distributed User Profiles

As part of the SASI project for Work Package 6, the SBCTC Security Team has created 21 unique "shell" roles in HCM to identify Third Party Application Access.

Background

Problem Statement for "Shell" Roles for Third Party Access Notices

There was no centralized way to keep track of employee access to third party applications outside of ctcLink. Often different groups administer access to those applications, which makes it difficult, from an offboarding perspective, to know which third party applications an employee has access to. To keep our systems as secure as possible, there was a need to flag access to third party applications from a centralized source, and ctcLink is the recommended source.

The requirement was to provide a means when offboarding an employee to inform staff they need to also offboard that employee in other third party software products, such as Legacy Transcripts, LegacyLink (and any other third-party applications that can be identified).

LSAs have to remember to offboard in many locations and software products. To keep our SBCTC systems and data as secure as possible, we need to make sure we offboard in all locations and products. If a user has a security role that relates to a third-party software product whose access rights are managed within the external application itself, that access must be removed at the time ctcLink access is addressed.

A set of ZZ 3P security roles is especially helpful when offboarding an employee, to ensure that no third party application access is missed during the access removal process. These roles contain no page access; rather, they are meant to be assigned as your Local Security Administrators onboard staff and grant them access to third party applications. The roles themselves do not grant access, nor does their removal eliminate access; they are a reminder that access to that external system was granted and must be removed at separation. These roles simply track the access to applications outside of ctcLink that an employee was granted. If that access is removed in the third party system, the "shell" role should also be removed in ctcLink.

Below is the list of existing "Shell" security roles:

Role Name               Role Long Description
ZZ 3P 25Live LYNX       25Live/LYNX - Academic and Event Scheduling program
ZZ 3P CampusCE          CampusCE
ZZ 3P Canvas            Canvas access to our project and training courses
ZZ 3P CyberSource       CyberSource - colleges manage their own CyberSource users
ZZ 3P dataLink          An Oracle database that contains the ctcLink replicated college specific ctcLink data
ZZ 3P Email List Admin  Email ListServ admin
ZZ 3P Google Drive      Google Drives
ZZ 3P LACES             Literacy, Adult and Community Education System
ZZ 3P metaLink          metaLink - A web-based application used to deliver a data dictionary for each of the ctcLink tables
ZZ 3P NelNet            NelNet
ZZ 3P OAAP              Online Admissions Application Portal (OAAP)
ZZ 3P Oracle Support    Oracle support
ZZ 3P QARS              QARS - Quality Assurance Reporting System
ZZ 3P RunnerTech        Clean Address - CTC Type Employees only
ZZ 3P Solar Winds       Solar Winds - Ticket System
ZZ 3P SQL Server        SQL Server access
ZZ 3P Tableau           Tableau
ZZ 3P Tickler           Tickler - A web-based application used to remind the colleges of the dates we are taking snapshots for the data warehouse
ZZ 3P WABERS            WABERS - Washington Basic Education Reporting System
ZZ 3P WCTCS Portal      WCTCS Portal (Legacy Web Admissions)
ZZ 3P WinSCP            WinSCP

Business Process

A key challenge for this solution to be effective will be for colleges to locally develop a business practice when access to third party applications is granted, especially if that access is granted outside of the purview of the Local Security Administrator. Every college will define their own processes; however here are some ways this may be addressed:

  • If the college has an automated sign-off process for onboarding staff (for example SignNow), add all third party systems that will need to be identified using a "shell" role and ensure the LSA is provided notification of the access approval so they can track it in the "shell" role method.
  • Request periodic reports (monthly or quarterly) from all third party access administrators so that the access they have granted stays synchronized with the ZZ 3P role assignments.
  • If using a ticketing system for access requests, ensure the LSA is part of the notification thread for any third party access grants.
  • Develop a standard communication method for periodic changes (later access grants or removals) to continue synchronization of access status.
  • Develop a standard communication method to all third party access administrators when offboarding an employee so they can confirm that they have followed up with removing the access.
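The periodic report reconciliation and the offboarding notification described above can both be driven from the same two inputs: a role-assignment export from ctcLink and the user lists the third party administrators send back. The script below is an added example, not SBCTC or ctcLink code. It assumes the role export can be obtained as (EMPLID, ROLENAME) rows (for instance from Distributed User Profiles) and that each administrator report is a list of EMPLIDs per application; the role-to-application mapping uses four of the ZZ 3P roles listed on this page, and all user data is constructed sample data.

```python
"""Reconcile ZZ 3P "shell" roles in ctcLink against third party access reports.

Added example (not SBCTC/ctcLink code). Assumed inputs:
  - ctcLink role export as (EMPLID, ROLENAME) rows,
  - one user list per third party application, supplied by its administrator.
Outputs the two kinds of drift the business process needs to catch, plus the
per-employee checklist an LSA sends to external administrators at offboarding.
"""
from collections import defaultdict

# Shell role -> external application it tracks (role names from the page's list).
SHELL_ROLES = {
    "ZZ 3P Canvas": "Canvas",
    "ZZ 3P Tableau": "Tableau",
    "ZZ 3P SQL Server": "SQL Server",
    "ZZ 3P WinSCP": "WinSCP",
}

# Constructed sample ctcLink role export. EMPLIDs are made up.
CTCLINK_ROLES = [
    ("101000001", "ZZ Local Security Admin"),  # not a shell role, ignored here
    ("101000001", "ZZ 3P Tableau"),
    ("101000002", "ZZ 3P Canvas"),
    ("101000002", "ZZ 3P SQL Server"),
    ("101000003", "ZZ 3P WinSCP"),             # stale: no longer in WinSCP report
]

# Constructed sample administrator reports: application -> EMPLIDs with access.
THIRD_PARTY_REPORTS = {
    "Canvas": {"101000002", "101000004"},       # 101000004 has no shell role
    "Tableau": {"101000001"},
    "SQL Server": {"101000002"},
    "WinSCP": set(),
}


def shell_roles_by_user(role_rows):
    """Return {emplid: {application, ...}} considering only ZZ 3P shell roles."""
    tracked = defaultdict(set)
    for emplid, rolename in role_rows:
        if rolename in SHELL_ROLES:
            tracked[emplid].add(SHELL_ROLES[rolename])
    return dict(tracked)


def reconcile(role_rows, reports):
    """Compare shell roles with administrator reports in both directions.

    Returns (missing_shell, stale_shell), each a set of (emplid, application):
      missing_shell: external access exists but no ZZ 3P role flags it -> assign the role
      stale_shell:   ZZ 3P role is assigned but the administrator report lacks
                     the user -> confirm removal, then remove the shell role
    """
    tracked = shell_roles_by_user(role_rows)
    missing, stale = set(), set()
    for app, users in reports.items():
        for emplid in users:
            if app not in tracked.get(emplid, set()):
                missing.add((emplid, app))
    for emplid, apps in tracked.items():
        for app in apps:
            if emplid not in reports.get(app, set()):
                stale.add((emplid, app))
    return missing, stale


def offboarding_checklist(emplid, role_rows):
    """Applications whose administrators must be told to remove this employee's access."""
    return sorted(shell_roles_by_user(role_rows).get(emplid, set()))


if __name__ == "__main__":
    missing, stale = reconcile(CTCLINK_ROLES, THIRD_PARTY_REPORTS)
    for emplid, app in sorted(missing):
        print(f"ASSIGN shell role: {emplid} has {app} access but no ZZ 3P role")
    for emplid, app in sorted(stale):
        print(f"REVIEW shell role: {emplid} holds the {app} shell role but is not in the {app} report")
    print("Offboarding 101000002, notify administrators of:",
          offboarding_checklist("101000002", CTCLINK_ROLES))
```

Run against the sample data, the reconciliation reports one employee with Canvas access that no shell role flags and one employee whose WinSCP shell role has outlived the access it tracked; both are exactly the gaps the periodic report is meant to surface. The offboarding checklist is what the LSA attaches to the standard communication to the external administrators, and a non-empty `stale` set after that communication is the follow-up signal that removal has not yet been confirmed.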

Don't see a role for an important third party application? You can request the addition of other third-party roles by submitting a Service Desk ticket to SBCTC with the third party application name and a brief description of the application. All roles are prefaced with ZZ 3P and are limited in character length.

End of procedure.
