Banner Security: A Functional View Presented by: Deb Brooks, Florida Atlantic University March 20, 2007 A Community of Learning
Objective This session is designed to assist the Functional Security Officer in Human Resources with: Initial set-up of the Banner HR security system. Offer pointers for on-going maintenance. Go over security issues of specific interest to THE AUDITOR. 2
Getting Started Agenda BANSECR Banner HR Security The Auditor is coming! The Auditor is coming! Questions 3
A Community of Learning Getting Started
The Ideal Banner Security Officer Banner access must be handled with care. The correct access can help avoid errors and will definitely help with the maintenance of data integrity for your institution. The Ideal Banner Security Officer will be: Familiar with departmental processes. Familiar with departmental and university hierarchy. Organized. Comfortable in Banner or, if new to Banner, comfortable navigating various types of software. A problem solver, have the ability to research problems to eventual solution. Don t forget to designate a back up! 5
Approvals and Security Committee The Approval and Security Committee will meet regularly to determine university policy regarding naming conventions and protocols, extraordinary access requests, and brainstorm security related problems to find solutions. The committee should include: IT representative in charge of higher level security issues Data Base Administrator(s) Security Officers for all Banner modules (HR, Finance, Student, Advancement) Internal Auditor 6
7
Security Request Form The Security Request Form is extremely important because it allows you to document the access that you are granting. You should design your form to meet your needs. Make sure to include all the control points that you have in place. For example: Contact information for the employee and supervisor Type of employee requesting access Class access requested Form/object access requested Employee class requested Higher level authorization 8
A Community of Learning BANSECR
BANSECR Banner security is maintained through BANSECR, which is an Oracle ID that runs the GSASECR form. This system runs independent of Banner and does not appear on any Banner menu. There is a BANSECR system for every instance of Banner that runs at your institution. For example, production, test, training. Security has to be set up on BANSECR separately for each Banner instance. It is to the advantage of the institution for BANSECR security to be controlled by a minimal number of employees. At FAU it is controlled by an IT representative that determines the appropriate BANSECR defaults and access for Security Officers to limit control. Because BANSECR is shared by all Security Officers, care should be taken to develop protocols. 10
11
Users The Users tab on GSASECR has multiple functions. It can be used to create, alter, delete, or modify a user account, or obtain a summary of user objects. When setting up a user account remember to use a standard protocol for user account names and passwords. Beware of the copy feature! If you have users with access to various modules of Banner be careful with the copy feature because it is easy to copy access to a different module in error. The ability to lock and unlock accounts is very useful. There are several ways an account can lock up so be wary when asked to unlock an account and re-set a password. The lock feature is good if there has been a change in status of a user and you are not sure if access needs to be modified. 12
Users.continued You should limit granting direct access to objects. Direct access is difficult to maintain and does not offer as much control of object access. Pay close attention to roles when granting access to objects. Different objects are set up with different defaults. Be very aware when granting access to determine whether the user should have query access or maintenance access. Be aware that if a user is enrolled in several classes that define the same object with different role suffixes, the maintenance privilege will always take precedence over the query privilege. 13
14
Classes Banner classes are groups of objects (screens) and are used to control access. They are grouped based on module and function. Delivered classes are developed by SCT Sungard. Before using a delivered class make sure that the objects in a given class sync with the functionality of your unit. You may customize classes based on your University s organization and department functionality. If you choose to customize classes, develop a naming protocol. 15
Classes.continued The class structure in BANSECR is a very useful tool for Security Officers. For example, you can add one object to a class and it will automatically add the object to all users with access to that class. The alternative would be to grant direct access to each individual user, which would be labor intensive and make maintenance difficult. Remember when setting up a user using classes, they must have access to common utilities. 16
17
Objects Use of the Objects tab in BANSECR is infrequent but very necessary. Reports that are accessed through Banner are assigned object names and have to be added to the object list in order to grant access to users through classes or direct access. Be careful when you add an object that you assign the appropriate default role. When you have upgrades be aware that you may have to add objects in BANSECR. The objects list is a good place to look when troubleshooting access issues. 18
Banner HR Security A Community of Learning
PTRUSER A User must be set up in PTRUSER in order to access Banner HR objects. Access to institutional codes, employee class codes, and org codes cannot be granted until the user is set up in GSASECR and in PTRUSER. Take care in granting master access to employer (if applicable), employee classes, and department orgs. Take care in granting Superuser and Administrative access to web based programs. 20
PSAECLS PSAORGN 21
PSAEMPR, PSAECLS, and PSAORGN The PSAEMPR form allows you to limit access to specific institution codes. The PSAECLS form allows you to limit access to specific employee classes or groups. This is useful if you want to limit one group to view only student employees and one to view all non-student employees. The PSAORGN form allows you to identify specific org codes representing home orgs and timekeeping orgs to specific people. This is very important when determining who should see which Human Resources records. Remember that the org defined in the labor distribution is not an HR security access org. 22
GOAEACC The GOAEACC form does not necessarily have to be maintained by the Security Officer. However, because the Security Officer is aware of User changes they are the most logical candidate to maintain this form. At FAU we found that it was only useful to maintain the GOAEACC form when we started using electronic processing such as EPAFs. 23
The Auditor is Coming!!! A Community of Learning
Higher Level Set Up for Bansecr The first line of access control is controlling who has access to Bansecr and to the related behind the scenes tables in Banner. This access should be limited to as few people as possible and should be controlled at the IT level of your institution. Access should be controlled at the IT level. Controls should be in place to track who is granted access and to maintain the access. 25
Access Control The Security Officer needs to have a very good understanding of the different overall roles and functions of different level jobs at the university. They also need to be aware of who is authorized to approve access levels in different departments. The Auditor is going to review access granted to make sure that there is no conflict of interest. The person who inputs the employee so that they can get paid is not the same person who authorizes payment. When setting up the classes in BANSECR be very aware of maintenance access vs. query access to powerful screens. 26
Access Control.continued Control access to validation and rule tables carefully. Controlling PSAORGN and PSAECLS access is key. Emphasize to your population that their activity can be tracked. There should be no User ID and Password sharing! Try to limit access to individual objects. It is much harder to police and control individual vs. class access. 27
Employee Status Changes Create a procedure for handling access with regard to employee status changes. It can be tricky when you have multiple Banner products in use. At FAU we have designated Security Officer that coordinates status changes using reports. You will need to terminate access on terminated employees in a very timely manner. When an employee is promoted, reclassified, or reassigned to a different position in the University, their access may require modification. When employee s are on Leave of Absence, lock their accounts. 28
Documentation Documentation is your best friend when the Auditor comes. Require request documents including higher level authorization and approvals. If you make modifications based on e-mail requests, require that they route the requests through the appropriate authority and save all the e-mails. Keep all files current and orderly. Create reports regarding access so that you can track all access issues. 29
A Community of Learning Questions????
Thank You! Deb Brooks Florida Atlantic University brooks@fau.edu Please complete the online class evaluation form SunGard, the SunGard logo, Banner, Campus Pipeline, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. Third-party names and marks referenced herein are trademarks or registered trademarks of their respective owners. 2007 SunGard. All rights reserved. 31