Elizabeth City State University Banner Security System



Similar documents
IT User Account Password Guidelines

Banner Security: A Functional View

How To Add Security Roles On Banner Har Account On A Pc Orca (For A Free Download) On A Microsoft Powerbook (For Free) On An Ipa 2.5 (For An Ipad) On Pc Ora (For

Information Security Operational Procedures Banner Student Information System Security Policy

INSTUCTIONS FOR SUBMITTING SERVICE REQUESTS THROUGH THE FAMIS WORK ORDER SYSTEM

Information Security Operational Procedures

City of Madison. Information Services. Crystal Enterprise Polices, Standards, and Guidelines

Personal and Small Business Login Guide

NMSU Online Staff Evaluation User Guide for

Using STAGES. Logging into STAGES. Verifying your User Profile

Ariba Frequently Asked Questions (FAQ)

Sage 100 ERP (MAS90 / MAS200) How to Set up Security in Sage 100 ERP

Bahamas Tax Information Exchange Portal Documentation

Denver Public Schools - East High School

Document Services Online Customer Guide

Change Management Procedures Re: The Peoplesoft Application at Mona

Virtual Cabinet Document Portal User Guide

Access Control and Audit Trail Software

Active Directory User Management System (ADUMS)

Oracle FLEXCUBE Security Management System User Manual Release Part No E

Information System Audit Report Office Of The State Comptroller

CORE Oklahoma. State of Oklahoma Department of Corrections Employee Self Service Manual

Information Security

Expense Module Security

Network and Workstation Acceptable Use Policy

Interskill LMS Admin Guide

Provider OnLine. Log-In Guide

Cognos Security Policy. A look at the security policy that is in place for the ODS/Cognos Reporting Environment at the College of Charleston

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Campus Solutions Self Service: Student Quick Reference Guide

Internal User Guide. AECsoft USA, Inc 1776 Yorktown Ste 435 Houston, TX

How do I contact someone if my question is not answered in this FAQ?

Banner Employee Self-Service Web Time Entry. Student Workers User s Guide

Frequently Asked Questions

The Initial Registration Process. During the initial registration process, this guide assumes the user has been provided a login ID.

eva Purchasing & Banner Receiving Manual

Sam Houston State University Procurement Card Program

Responsible Access and Use of Information Technology Resources and Services Policy

Sage HRMS 2014 Sage Employee Self Service

Partner Portal User Procedures

ProgressBook CentralAdmin User Guide

How to Use ADP Self Service

Managing Your Network Password Using MyPassword

Section 10: Fair Credit Reporting Act (FCRA) Policy

User Manual for ADP Manager Self Service

LANGSTON UNIVERSITY STUDENT QUICK GUIDE FROM THE REGISTRAR S OFFICE

Division of IT Security Best Practices for Database Management Systems

PCI Home Quick-Start Guide

YubiKey Authentication Module Design Guideline

Chapter 7. Banner Introduction Menu Navigation Tables Automated Clearing House Forms

Information Technology Services technology immersion for new employees

SCT Banner Human Resources Salary Planner Training Workbook May 2005 Release 7.1

Single Sign On for TouchNet Products Workbook. Information Technology Services

U.S. Bank Secure Mail

Expense Reports Training Document. Oracle iexpense

The City of New York

Directory and Messaging Services Enterprise Secure Mail Services

Set My University of Melbourne Identity Management Password for the First Time

Sage Abra HRMS. Abra HRMS Security Considerations

For further support information, refer to the Help Resources appendix. To comment on the documentation, send an to

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

ACHieve Access 4.3 User Guide for Corporate Customers

City of Chesapeake Employee Self Service (ESS) User Guide

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015

CJIS Online Overview. CJIS Security Awareness Training & Testing Software

LOGO. Monthly Timesheets. Approver Training

SEER Enterprise Shared Database Administrator s Guide

Statewide Financial System

Password Management FAQ

Thank you for visiting the Online Course Proposal Web Tutorial for new and existing courses for Brown University Faculty and Staff.

The United States Office Of Personnel Management eopf System Administrator Training Manual for eopf Version 4.0.

Āku Mahi My Employment Details

WPI Procurement Card Guide

Hourly Time Reporting & Absence Management

Department of Public Utilities Customer Information System (BANNER)

RIT. Oracle Manager Self-Service Manual Revised 2/12/14. Contents

Time Reporting System

Transcription:

Elizabeth City State University Banner Security System GUIDELINES Version: 1.0 Banner Security Coordinators

Table of Contents PURPOSE OF THIS DOCUMENT...3 THOSE AFFECTED BY THIS DOCUMENT...3 REQUESTING ACCESS TO BANNER...3 ECSU BANNER SECURITY STRATEGY...3 ECSU BANNER SECURITY STRUCTURE...3 GENERIC ROLE CLASSES... 4 JOB FUNCTION ROLE CLASSES... 4 ECSU ROLES IN BANNER SECURITY ADMINISTRATION... 4 NAMING CONVENTION FOR SECURITY CLASSES... 5 SQL ACCESS FOR DBA STAFF...5 BANNER SECURITY ADMINISTRATOR...6 ORACLE DBA ACCESS...6 APPENDIX A - REQUESTING ACCESS TO BANNER...7 BANNER ACCESS REQUEST FORM... 8 PASSWORD PROTECTION... 8 APPEALS PROCEDURE... 8 APPENDIX B HOW SECURITY WORKS IN BANNER...9 QUERY VS. MAINTENANCE ROLE...10 SECURITY LEVELS...10 Banner System Security Guidelines 2 Revised 3/8/06

Purpose of this Document The purpose of this document is to list procedures for setting up and managing security within the Banner System at Elizabeth City State University. Those Affected by this Document This document affects all Module Security Administrators and anyone requesting access to the Banner system. Requesting Access to Banner Users who wish to request access to Banner must follow the procedures outlined in Appendix A. ECSU Banner Security Strategy The purpose of this section is to document how Banner Security is set up at ECSU. Appendix B provides a brief primer on how security works in Banner. ECSU Banner Security Structure There are three levels of security in the Banner environment that require administration. Level 1 is the table level Oracle Security where data is accessed via SQL or ODBC connections. Level 2 involves granting query or maintenance access to Banner data via Banner forms and processes. Level 3 security lies within each module and results in further restricting access to information, for example, restricting access to financial data only in certain Funds and Organizations or preventing access to salaries over a certain amount. Level 1 security administration is performed by the Administrative Computing Database Administrator (DBA). Level 2 security administration is a joint effort between functional users assigned as the Module Security Administrators and Banner Security Administrator. The Module Security Administrators, who best understands the Banner forms, define the role classes for that particular module. The Banner Security Administrator maintains Banner user accounts and role classes. Level 3 Module Security Administrators, for each module, will administer the functional areas. They are also responsible for approving access within the form level to users. Banner System Security Guidelines 3 Revised 3/8/06

Generic Role Classes An ECSU Generic Role Class is defined in Banner that contains the necessary forms and processes within it for a user to log in. This class will be assigned to all Banner users. In each Module, the Module Security Administrators have defined generic query classes that will be assigned to all users requiring access to that module. Examples, Finance Module, the generic class is BAN_GEN_ALL_USER_Q_M. By assigning a user to this generic module role class, the user is able to view some forms in the particular module. Job Function Role Classes Module Security Administrators have defined role classes for users based on their job functions. It is in these classes that maintenance access is granted to specific forms. For example, in the Finance Module, a person responsible for entering and updating vendor information will be assigned to BAN_FIN_PUR_M_C class. When a user needs access to a form to do his or her job in Banner, the user will always be assigned to a role class that has that form in it. ECSU will avoid assigning direct form access to a user. ECSU Roles in Banner Security Administration This table summarizes roles and responsibilities involved in requesting access for users to the Banner System: End User Supervisor Module Security Administrator Banner Security Administrator Banner Training Attend Banner Basic Navigation Training Read the Data Standards Document Ensure that the user has successfully completed the Banner Basic Navigation Training Ensure that the user has successfully completed applicable module training Banner Request Form Complete the Banner Access Request Form and submit it their to Supervisor Verify accuracy of the Banner Access Request Form Submit the Banner Access Request form to the appropriate Module Security Administrator Verify that the Banner Access Request Form is from a reliable source Assign Role Classes to a user Send the request to the Banner Security Administrator Verify the Banner Access Request form is from a reliable source Update security, notify Module Security Administrator and user of completed request File request Banner System Security Guidelines 4 Revised 3/8/06

Banner Security Administration Design and maintain role classes within module of responsibility Set up proper modulelevel security as appropriate (such as Fund/Org security) Periodically review the security log table for security breaches Reset Passwords for locked accounts Keep abreast of security changes in future Banner upgrades Notification Follow-up on the status of the request If request denied, inform supervisor of reasons why the access was denied Notify the Module Security Administrator and the user that the request is complete or denied Naming Convention for Security Classes A group of objects can be put together as a unit to form a class as explained in Appendix B. The class name can not be longer than 30 characters. In order to identify the Security Classes at a glance, a naming convention was developed: 1. All class names will start with BAN_ 2. The next 3 to 4 characters will be used to identify the Banner Module: ADV_ (Advancement) FIN_ (Finance) FA_ (Financial Aid) GEN_ (General) HR_ (Human Resource) STUD_ (Student) 3. The next 20 characters should be used to identify the function of the class 4. The last 2 characters will be _M for maintenance classes and _Q for query classes Example: BAN_FIN_AP_CHECKS_M A person who is assigned to this class will be responsible for writing checks in Finance Accounts Payable. SQL Access for DBA staff Access via SQL will be prohibited in Banner to anyone other than the Administrative Computing DBA staff. Any exception must be approved by the Director of Administrative Computing. SQL access to the Banner production database tables and views will be restricted to DBA staff only for these reasons: Banner System Security Guidelines 5 Revised 3/8/06

It is a required security measure It prevents the system from being bogged down by reporting requests Banner Security Administrator will have a minimum of query only access to all forms of the Banner Application for troubleshooting purposes will have select only access to all Banner production tables for troubleshooting purposes If the Banner Security Administrator requires Maintenance access to a particular form he or she will need to follow the procedure for Requesting Access to Banner to get it. Oracle DBA Access Maintenance SQL access to the Banner database tables in production will be limited to the Oracle DBAs. Maintenance via SQL to the production tables should be a last resort in fixing data problems and only be done after all attempts to fix data via Banner forms have been exhausted. The Sungard SCT Unified Digital Campus (UDC) or the Oracle DBA must validate that SQL is the best alternative for correcting a data problem. The procedure for any SQL maintenance to tables in production will require: A request form from the user, signed by the supervisor. SQL script written and tested by the assigned Administrative Computing Applications Developer Validation received by UDC or the Oracle DBA that the SQL script will not adversely affect the functionality of the Banner application The SQL script verified for accuracy by the user in a test database. Upon approval by the Director of Administrative Computing, the Oracle DBA will then apply the SQL script to the production database. Banner System Security Guidelines 6 Revised 3/8/06

` Appendix A - Requesting Access to Banner Before requesting access to Banner, an individual should discuss with his or her supervisor whether the need to access Banner is valid. If both the individual and supervisor agree Banner access is needed, then the procedure defined here must be followed. 1. The user completes Basic Banner Navigation Training. It is the supervisor s responsibility to verify that the user has had the proper training for tasks to be performed in specific to Banner modules, such as Advancement, Finance, Student, or Human Resource. 2. The user reviews and agrees to abide by the rules and procedures documented in this document, the Banner Data Standards Document and the code of responsibility form. 3. The user completes the Banner Access Request form available online at http://www.ecsu.edu, Faculty and Staff, Banner, and forwards to supervisor for approval. By signing this form, the user verifies he has completed Basic Banner Navigation training and read the Banner Data Standards Document. 4. The supervisor approves the request by signing the Banner Access form. The supervisor sends the request to the appropriate Module Security Administrator: Advancement Module Security Administrator Finance Module Security Administrator Financial Aid Module Security Administrator Human Resources Module Security Administrator Student Module Security Administrator 5. The Module Security Administrator: Verifies the request is from a reliable source Determines what roles and classes the user should be assigned to Completes and approves the form If access is requested to data outside the responsibility of a Module Security Administrator, forwards documents to appropriate Module Security Administrators If approved, sends the request to the Banner Security Administrator If not approved, notifies the supervisor stating why the request was denied 6. Banner Security Administrator will: Establish the user in Banner Assign roles and classes as approved by the Module Security Administrator(s) File the hardcopy original by name 7. When request is completed, an email will be sent to the appropriate Module Security Administrator stating the user has been established in production and has been assigned to the requested security classes. The user will receive a letter with user id and initial password. 8. Module Security Administrator will assign further security for the user as appropriate: In the Finance module set up FUND/ORG security on FOMPROF form In the HR module set up parameters on the PTRUSER form Banner System Security Guidelines 7 Revised 3/8/06

Banner Access Request Forms The Banner Access Request Forms are currently available online at http://www.ecsu.edu, Faculty and Staff, Banner. Password Protection Each individual is responsible for safeguarding his or her user id and password. A user should never share or loan their user id and password with anyone else. The user should immediately reset their password after initial login, by using form GUAPSWD. Passwords must contain at least one digit, at least one special character, and one letter in either upper or lower case and must have a minimum length of eight (8) characters. Passwords will expire every 45 days. The following is a list of the valid special characters that may be used: # $ ( ) * +, - / : = > < ;? & Appeals Procedure If a user is denied access to the system, the user can appeal the decision by writing a request for review of the decision to the Director of Administrative Computing. The request for review should include the following information: A description of the specific data access requested, Justification for access to the data, and The name of the Module Security Administrator who denied access The Director of Administrative Computing will contact the Module Security Administrator for a written explanation of why access was denied. The Director of Administrative Computing will consider the information and either uphold the Module Security Administrator s decision to deny access, or overrule the Module Security Administrator and permit access. The Director of Administrative Computing decision will be final. The Director of Administrative Computing written decision and justification will be kept in the office of Administrative Computing permanently. Copies will be forwarded to the user, the user s supervisor, and the Module Security Administrator. Banner System Security Guidelines 8 Revised 3/8/06

Appendix B How Security works in Banner A Banner user needs access to forms and processes to be able to perform his/her job. Based on the users job function he or she might need look only access, we ll call query access, or update access, we ll call maintenance access to certain forms and processes. The method of giving the query or maintenance access to the user is to give access to individual forms to each user. In Banner there are hundreds of forms and we have many users. Needless to say, the task of giving individual access to forms to each user is highly inefficient. SCT has come up with the idea of combining forms into a unit called Class. A group of forms can be put into a Class. Each form in the Class can be set to query mode or maintenance mode. In addition to forms, processes can be included in the class. A class cannot include another class. Each user can be enrolled in appropriate class based on his/her job function. The user can be enrolled in multiple classes. For example a user that needs to enter and maintain vendor information can be enrolled in this class: BAN_FIN_VENDORMAINT_M Object Description Access Type Object Type FARVALP Vendor Alphabetical Listing M Job FARVHST Vendor History M Job FARVNUM Vendor Numerical Listing M Job FOACLAU Clause Entry M Form FOAIDEN Person Identification Form - Finance M Form FOAPERS Finance General Person M Form BAN_FIN_VENDORQUERY_Q Object Description Access Type Object Type FOATELE Telephone Form - Finance Q Form FPAAGRD Agreement Processing Q Form FPRVCAT Vendor Products Catalog Report Q Job FPVVPRD Vendor Products Validation Q Form FTMVEND Vendor Maintenance Q Form If this same user is responsible for Accounts Payable functions, then he/she can be enrolled in BAN_FIN_ACCOUNTSPAY_M class as well. There is no limit to how many classes the user can be enrolled in. However, to simplify the task of maintaining users and classes; it is better to keep the number of classes to a minimum. There are certain classes in which all users should be enrolled. SCT delivers class definitions for each Banner product. However these classes are very broad. There are only two classes provided for each product: BAN_module_M and BAN_module_Q, where module is Finance, Student, etc. If these classes are used then the user will have maintenance to all the forms in the module, which defeats the purpose of having security for individual users. During implementation Administrative Computing in conjunction with the functional users, have developed our role classes and assigned those classes to users based on their job functions. A Banner class should be built at the lowest level that you will be assigning to an end-user. This method will simplify adding new Banner objects to site defined classes during future Banner upgrades. Banner System Security Guidelines 9 Revised 3/8/06

Query vs. Maintenance Role A form in a class can be given maintenance access or query access. If a user, who is enrolled in multiple classes, have both query (Q) and maintenance (M) access to the same form, the user will end up with maintenance access. Security Levels Once user ids and classes are established, the Banner Security Administrator creates user accounts, create or modify classes and assign users to classes. The next level of security lies within each module, for example, users can be restricted to view or maintain data only pertaining to certain funds or organizational codes. There are three stages of security that a user must pass in order to get access to the system: The user ID must be defined. The user ID must be assigned to Role Class(s) Module Security Administrator must establish the user profile (PTRUSER, FOMPROF, etc.) Once a user is defined in Banner and assigned classes by the Module Security Administrator, the Banner Security Administrator will be responsible for setting up the security for each user within their area. Banner System Security Guidelines 10 Revised 3/8/06

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information