Business Intelligence & Reporting. Application Access Guidelines

Transcription

1 Business Intelligence & Reporting Application Access Guidelines

2 DOCUMENT CONTROL DOCUMENT REFERENCE File Name: UTD Business Intelligence & Reporting Application Access Guidelines VERSION CONTROL All revisions made to this document are listed below in chronological order. Version Date Author(s) Notes 1.0 7/30/12 Charles Yorek Original Draft 1.1 8/20/12 Michael Winship Added Responsibilities 1.2 8/27/12 Michael Winship Incorporated revisions provided by Steven Jestis 1.3 8/29/12 Steven Jestis Version 1.3 approved 1.4 9/12/12 Charles Yorek Incorporated revisions provided by Dr. Sue Taylor 1.4 9/26/12 Dr. Sue Taylor Version 1.4 approved /2/12 Dr. Andrew Blanchard Version 1.4 approved Page 1

3 CONTENTS Document Reference... 1 Version Control... 1 Access Guidelines Charge... 3 Access Guidelines PURPOSE Statement... 3 Application Governed by Access Guidelines... 3 Responsibilities... 3 Approvers Responsibilities... 3 Department Trusted Requestors Responsibilities... 4 Business and Analytics Reporting Department Responsibilities... 4 Peoplesoft Access Team responsibilites... 4 Guidelines History... 4 Access Guidelines Approval... 5 Page 2

4 ACCESS GUIDELINES CHARGE EAS - Business and Analytics Reporting (BA&R) Department ACCESS GUIDELINES PURPOSE STATEMENT The purpose of these guidelines is to provide minimum requirements necessary for employees to be granted access to the University s online reporting applications. The guidelines ensure that employee logins and access needs are authorized and granted in a legitimate, documented manner. When these guidelines are followed, risk to the University s business operations and reporting due to unauthorized access and inaccurate or misused data is reduced. APPLICATION GOVERNED BY ACCESS GUIDELINES Oracle Business Intelligence Enterprise Edition (OBIEE) RESPONSIBILITIES Access Guidelines Notes: Individual roles and responsibilities are defined below. However, the following responsibilities are shared by all: Know security and privacy responsibilities and participate in security and privacy awareness program activities. (e.g., FERPA Training, etc.) Read, understand and comply with private data requirements, safeguards and standards. Read, understand and comply with enterprise data and systems security and privacy policies, procedures, safeguards, guidelines and standards. Report suspected security incidents as stated under the Information Security Office (ISO) policies and procedures. APPROVERS RESPONSIBILITIES In conjunction with IR and the University privacy and security community, provide data access guidelines and privacy training and resources to University staff and faculty. Ensure access to the reporting application and data is limited to those individuals with a University business need and access level is appropriate for the work to be performed. Develop consistent roles and responsibilities for Trusted Requestors. Determine the sensitivity and criticality of the data based on University, legal definitions and contractual obligations. Review relevant security management reports as stated under the UTD Business Intelligence - Application Access Procedures Procedures for Monitoring/Reviewing Employee Functional & Technical Roles. Ensure that a process is in place to retain or purge information according to University records retention schedules. Page 3

5 DEPARTMENT TRUSTED REQUESTORS RESPONSIBILITIES Department Trusted Requestors are responsible for the content and use of the University s business data that is entrusted to Departmental missions; therefore, Department Trusted Requestors are responsible for approving requests for access to reporting related to their data. Signatories who will approve PSEC requests are the Department Head, the Trusted Requestors, and additionally for Module PSEC requests, the Module Owner. The Trusted Requestor, and the Module Owner (additionally for Module requests) is the employee, for whom the Department Head has given permission, to request, approve, review, or complete, the Employee User Information and/or the Module access details for the PSEC request. The Department Head is responsible for verifying that the access requested is appropriate for the employee s job duties. The Department Head shall approve the Trusted Requestor s PSEC request, when necessary. The Module Owner is employed by the Department responsible for the Module s data, and is responsible for approving all requests to access Module data. After the OBIEE Access Request Form has been approved by the requesting department s Trusted Requestor and/or Department Head, the Module Owner shall review the requested Module access details, determine the appropriate access classes to be given, and approve the request. Issues pertaining to Module access may arise between the requesting department signatories and the Module Owner. Access issues shall be resolved, with assistance from the PeopleSoft Access Team, by the requesting department and the department responsible for the Module s data. Escalation path for this issue should be resolved with the Division Head, CIO and/or University President when necessary. BUSINESS AND ANALYTICS REPORTING DEPARTMENT RESPONSIBILITIES The Manager of BA&R shall approve and permit only authorized people to access the servers that store the University s proprietary application source code to reduce the risk of access incidents. The BA&R Department shall maintain the roles and access rights that users have to reporting within OBIEE according to the needs of the business. The BA&R Department shall support 1 the movement of OBIEE objects, dashboards, and reports, between environments at the request of the business. PEOPLESOFT ACCESS TEAM RESPONSIBILITES The PeopleSoft Access Team shall process only completed PSEC requests that have been approved by each required department signatory. For the OBIEE Access Request Form, the employee shall be given only the access roles that are related to the Functional and Technical requests to perform their jobs. GUIDELINES HISTORY Issued: August 7 th, By a set of Release Management Procedures Page 4

6 ACCESS GUIDELINES APPROVAL The purpose of this document is to validate access guidelines and obtain approval. Validation of the access guidelines is essential to the subsequent steps and overall success of the effort. The approval signatures indicate validation and authorization of the access guidelines. EAS APPROVALS BA&R OBIEE Security Guidelines Approval Steven Jestis, Manager Business Intelligence & Reporting Date OBIEE Application Access Approval.png Dr. Sue Taylor, AVP/Director Enterprise Application Services Date OBIEE Application Access Approval.png Dr. Andrew Blanchard, Vice President and CIO Date Page 5