Banner Security: A Functional View
Presented by: Deb Brooks, Florida Atlantic University
March 20, 2007
A Community of Learning

Objective
This session is designed to assist the Functional Security Officer in Human Resources with:
- Initial set-up of the Banner HR security system.
- Pointers for on-going maintenance.
- Security issues of specific interest to THE AUDITOR.

Agenda
- Getting Started
- BANSECR
- Banner HR Security
- The Auditor is coming! The Auditor is coming!
- Questions

Getting Started

The Ideal Banner Security Officer
Banner access must be handled with care. The correct access can help avoid errors and will definitely help with the maintenance of data integrity for your institution. The Ideal Banner Security Officer will be:
- Familiar with departmental processes.
- Familiar with departmental and university hierarchy.
- Organized.
- Comfortable in Banner or, if new to Banner, comfortable navigating various types of software.
- A problem solver, able to research problems through to an eventual solution.
Don't forget to designate a backup!

Approvals and Security Committee
The Approval and Security Committee will meet regularly to determine university policy regarding naming conventions and protocols, review extraordinary access requests, and brainstorm solutions to security-related problems. The committee should include:
- IT representative in charge of higher level security issues
- Data Base Administrator(s)
- Security Officers for all Banner modules (HR, Finance, Student, Advancement)
- Internal Auditor

Security Request Form
The Security Request Form is extremely important because it allows you to document the access that you are granting. You should design your form to meet your needs. Make sure to include all the control points that you have in place. For example:
- Contact information for the employee and supervisor
- Type of employee requesting access
- Class access requested
- Form/object access requested
- Employee class requested
- Higher level authorization

BANSECR

BANSECR
Banner security is maintained through BANSECR, which is an Oracle ID that runs the GSASECR form. This system runs independently of Banner and does not appear on any Banner menu. There is a BANSECR system for every instance of Banner that runs at your institution (for example, production, test, and training). Security has to be set up on BANSECR separately for each Banner instance. It is to the advantage of the institution for BANSECR security to be controlled by a minimal number of employees. At FAU it is controlled by an IT representative who determines the appropriate BANSECR defaults and access for Security Officers to limit control. Because BANSECR is shared by all Security Officers, care should be taken to develop protocols.

Users
The Users tab on GSASECR has multiple functions. It can be used to create, alter, delete, or modify a user account, or obtain a summary of user objects. When setting up a user account, remember to use a standard protocol for user account names and passwords.
Beware of the copy feature! If you have users with access to various modules of Banner, be careful with the copy feature because it is easy to copy access to a different module in error.
The ability to lock and unlock accounts is very useful. There are several ways an account can lock up, so be wary when asked to unlock an account and reset a password. The lock feature is good if there has been a change in status of a user and you are not sure if access needs to be modified.

Users (continued)
You should limit granting direct access to objects. Direct access is difficult to maintain and does not offer as much control of object access. Pay close attention to roles when granting access to objects. Different objects are set up with different defaults. Be very aware when granting access to determine whether the user should have query access or maintenance access. Be aware that if a user is enrolled in several classes that define the same object with different role suffixes, the maintenance privilege will always take precedence over the query privilege.

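The precedence rule above, as an added example that is not part of the original presentation: it resolves a user's effective access to each object from class memberships and direct grants, and lists the cases a Security Officer would want to review. The class names, user IDs, role names and their `_Q`/`_M` suffixes are assumptions, and all sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data. Class names, user IDs, role names and the
# _Q/_M suffixes (query / maintenance) are assumptions for illustration.
CLASS_OBJECTS = {
    "HR_TIMEKEEPER_C": {"PSAORGN": "HR_ROLE_Q", "PTRUSER": "HR_ROLE_Q"},
    "HR_SECURITY_C":   {"PSAORGN": "HR_ROLE_M", "PSAECLS": "HR_ROLE_M"},
}
USER_CLASSES = {
    "JDOE":   ["HR_TIMEKEEPER_C"],
    "ASMITH": ["HR_TIMEKEEPER_C", "HR_SECURITY_C"],
}
DIRECT_GRANTS = {"JDOE": {"PSAECLS": "HR_ROLE_Q"}}

RANK = {"Q": 1, "M": 2}  # maintenance outranks query

def privilege(role):
    """Map a role name to 'Q' or 'M' by its suffix; reject anything else."""
    suffix = role.rsplit("_", 1)[-1].upper()
    if suffix not in RANK:
        raise ValueError(f"unrecognised role suffix: {role!r}")
    return suffix

def effective_access(user):
    """Return {object: (privilege, sorted sources)} for one user."""
    grants = defaultdict(list)  # object -> [(privilege, source)]
    for cls in USER_CLASSES.get(user, []):
        for obj, role in CLASS_OBJECTS[cls].items():
            grants[obj].append((privilege(role), cls))
    for obj, role in DIRECT_GRANTS.get(user, {}).items():
        grants[obj].append((privilege(role), "DIRECT"))
    result = {}
    for obj, entries in grants.items():
        best = max((p for p, _ in entries), key=RANK.get)
        result[obj] = (best, sorted(src for p, src in entries if p == best))
    return result

def review_findings(user):
    """List items a Security Officer would want to look at before an audit."""
    access = effective_access(user)
    findings = []
    for cls in USER_CLASSES.get(user, []):
        for obj, role in CLASS_OBJECTS[cls].items():
            if privilege(role) == "Q" and access[obj][0] == "M":
                findings.append(f"{obj}: query in {cls} overridden by "
                                f"maintenance from {', '.join(access[obj][1])}")
    for obj in DIRECT_GRANTS.get(user, {}):
        findings.append(f"{obj}: direct grant outside any class")
    return findings
```
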
Classes
Banner classes are groups of objects (screens) and are used to control access. They are grouped based on module and function. Delivered classes are developed by SCT Sungard. Before using a delivered class, make sure that the objects in a given class sync with the functionality of your unit. You may customize classes based on your University's organization and department functionality. If you choose to customize classes, develop a naming protocol.

Classes (continued)
The class structure in BANSECR is a very useful tool for Security Officers. For example, you can add one object to a class and it will automatically add the object to all users with access to that class. The alternative would be to grant direct access to each individual user, which would be labor intensive and make maintenance difficult. Remember when setting up a user using classes, they must have access to common utilities.

Objects
Use of the Objects tab in BANSECR is infrequent but very necessary. Reports that are accessed through Banner are assigned object names and have to be added to the object list in order to grant access to users through classes or direct access. Be careful when you add an object that you assign the appropriate default role. When you have upgrades, be aware that you may have to add objects in BANSECR. The objects list is a good place to look when troubleshooting access issues.

Banner HR Security

PTRUSER
A User must be set up in PTRUSER in order to access Banner HR objects. Access to institutional codes, employee class codes, and org codes cannot be granted until the user is set up in GSASECR and in PTRUSER. Take care in granting master access to employer (if applicable), employee classes, and department orgs. Take care in granting Superuser and Administrative access to web-based programs.

PSAECLS and PSAORGN

PSAEMPR, PSAECLS, and PSAORGN
The PSAEMPR form allows you to limit access to specific institution codes. The PSAECLS form allows you to limit access to specific employee classes or groups. This is useful if you want to limit one group to view only student employees and one to view all non-student employees. The PSAORGN form allows you to assign specific org codes, representing home orgs and timekeeping orgs, to specific people. This is very important when determining who should see which Human Resources records. Remember that the org defined in the labor distribution is not an HR security access org.

GOAEACC
The GOAEACC form does not necessarily have to be maintained by the Security Officer. However, because the Security Officer is aware of User changes, they are the most logical candidate to maintain this form. At FAU we found that it was only useful to maintain the GOAEACC form when we started using electronic processing such as EPAFs.

The Auditor is Coming!!!

Higher Level Set Up for BANSECR
The first line of access control is controlling who has access to BANSECR and to the related behind-the-scenes tables in Banner. This access should be limited to as few people as possible and should be controlled at the IT level of your institution.
- Access should be controlled at the IT level.
- Controls should be in place to track who is granted access and to maintain the access.

Access Control
The Security Officer needs to have a very good understanding of the overall roles and functions of jobs at different levels of the university. They also need to be aware of who is authorized to approve access levels in different departments. The Auditor is going to review access granted to make sure that there is no conflict of interest, for example, that the person who inputs the employee so that they can get paid is not the same person who authorizes payment. When setting up the classes in BANSECR, be very aware of maintenance access vs. query access to powerful screens.

Access Control (continued)
- Control access to validation and rule tables carefully.
- Controlling PSAORGN and PSAECLS access is key.
- Emphasize to your population that their activity can be tracked. There should be no User ID and Password sharing!
- Try to limit access to individual objects. It is much harder to police and control individual vs. class access.

Employee Status Changes
Create a procedure for handling access with regard to employee status changes. It can be tricky when you have multiple Banner products in use. At FAU we have a designated Security Officer who coordinates status changes using reports.
- You will need to terminate access on terminated employees in a very timely manner.
- When an employee is promoted, reclassified, or reassigned to a different position in the University, their access may require modification.
- When employees are on Leave of Absence, lock their accounts.

Documentation
Documentation is your best friend when the Auditor comes.
- Require request documents including higher level authorization and approvals.
- If you make modifications based on requests, require that they route the requests through the appropriate authority and save all the e-mails.
- Keep all files current and orderly.
- Create reports regarding access so that you can track all access issues.

Questions????

Thank You!
Deb Brooks, Florida Atlantic University