26012 Managing & Auditing Security During Implementation And Beyond 03172009
1.
2. Managing & Auditing Security During Implementation and Beyond Denise Goin Senior Consultant
3.
4. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Safe Harbor
9. Delivered Tools for Security- Queries Where are they? Small selection of the more commonly used queries from all of the Security pages in one place.
33. Campus Row Level Security Academic Structure- Permission List Name of Page Table Module Notes Service Indicator Display SCC_SI_DISP_ROLE AS Where service indicators are restricted to a specific PL Enrollment Security OPRCLASS_DEF_SA AS Contains access by permission list to enrollment security Self-Serv Enrollment Perm List SA_SS_ENRL_PL AS If allowing self service to enrollment for students, this would be used so you can include the permission list in the “base” self-service access Demographic Data Access RUNCNTL_MSK_CFG AS This is a combination of setup data and the runcontrol information for setting up DDA masking. If you audit this table, you can track changes as well as who ran it and when.
34. Campus Row Level Security Academic Structure- USERID Name of Page Table Notes Academic Institution Security SCRTY_TBL_INST Basic Institution level access. This is a base to the Career, program and plan/ Institution/Career Security SCRTY_TBL_CAR For each userid, and each institution they are granted access to, set up the careers that userid is allowed to have access to. Academic Program Security SCRTY_TBL_PROG Academic Program is set up for all combinations of Userid with Institution and Career. Academic Plan Security SCRTY_TBL_PLAN Academic Plan is built for each combination of Userid and Institution Academic Org Security SCRTY_TBL_ACAD Each Userid might have multiple Academic Org entries. You can grant level at the highest level of the ACAD Org tree, or down to more specific nodes Admissions Action Security SCRTY_ADM_ACTN This defines what kinds of admissions actions a user can do, not per institution, so whatever they are granted, applies to all institutions they have access to. Program Action Security SCRTY_PROG_ACTION This defines what kinds of Program actions a user can perform, not per institution, so whatever they are granted, applies to all institutions they have access to. Recruiting Center Security SCRTY_RECR_CENTER This defines the recruiting center the user will have access to, this is based on each institution the userid has been set up for. Application Center Security SCRTY_APPL_CENTER This defines the application center the user will have access to, this is based on each institution the userid has been set up for.
35. Campus Row Level Security Academic Structure- USERID Name of Page Table Notes Service Indicator Security SCRTY_TBL_SRVC Where service indicator place and release security is still set, as in previous releases Student Group Security SCRTY_TBL_STGP This is part of the new security for 9.0, and is where you assign student groups to a userid, for each of their institution. A user might have access to different student groups at different universities Transcript Type Security SCRTY_TSCRPT Old- this is for universities upgrading, that are not switching to the new 9.0 transcript process Transcript Report Security SSR_SCRTY_TSRPT New- 9.0 this is for the new transcript process. SEVIS School Code Security SEV_SCHLCD_SCTY SEVIS is only by USERID, so this security would be applied to all institutions they are set up for. SEVIS Pgm Sponsor Security SEV_PRG_SP_SCTY SEVIS Program Sponsor is only by USERID, so this security would be applied to all institutions they are set up for. Test ID Security SAD_TEST_SCTY Test ID security is only by USERID, so this security would be applied to all institutions they are set up for. Population Update Security SCCPU_SRTY_TBL Population update security is only by Userid. Every record they are allowed to update, they will be allowed to update at all institutions. Advisement Report Security SAA_SCRTY_AARPT Advisement report security is set up by the combination of Userid and Institution, so they can be granted different reports for each institution if that is needed.
36. Campus Row Level Security Student Financials- USERID Name of Page Table Notes Business Unit SEC_UNITSF_OPR Both of these records are part of the Business Record security by userid. SEC_UNITSF_OPR is the parent record. Business Unit SEC_CSHOFF_OPR Company SEC_COMPANY_OPR Grant a user ID access to the transactions for particular companies Credit Card and Bank Account SEC_CC_OPR This security should be granted to only a few people in the institution. User IDs and permission lists to which you do not grant credit card security access can view only the last four digits of the credit card number. Institution Set SEC_ISET_OPR If you select no security for institution sets on the Security Options page, you do not need to complete the pages listed in this section, because all user IDs and permission lists have access to all institution sets. Item Type SEC_ITEM_SU_OPR Both of these records are used to assign security for Item Types. If you select no security for item types on the Security Options page, you do not need to complete this security Item Type SEC_ITEM_OPDATA
37. Campus Row Level Security Student Financials- USERID Table Name of Page Notes Origin IDs SEC_ORIGIN_OPR If you select no security for origin IDs on the Security Options page, you do not need to complete the pages listed in this section because all user IDs and permission lists have access to all origin IDs SetID SEC_SETID_OPR If you select no security for setIDs on the Security Options page, do not complete the pages listed in this section, because all user IDs and permission lists have access to all setIDs. Student Institution Set (Self Service Institution Set Override) ISET_OPR The User Profiles Management feature assigns institution sets to user IDs. You use the Self Service Institution Set Override page to change the institution set assigned by the User Profiles Management feature. By overriding the institution set on this page, instead of on the User Defaults 2 page, you can view a history of the changes. You must first set up institution sets and then assign a user ID to an institution set. A user ID must be assigned an institution set by the User Profiles Management Application Engine process (USERPROFILE) to have an institution set appear in the Calculated Value field on the Self Service Institution Set Override page.
38. Campus Row Level Security Student Financials- Permission List Name of Page Table Notes Business Unit SEC_UNITSF_CLS Both of these records are part of the Business Record security by Permission List. SEC_UNITSF_OPR is the parent record. SEC_CSHOFF_OPR Company SEC_COMPANY_CLS Set up a Permission List to use to grant access to the transactions for particular companies Credit Card and Bank Account SEC_CC_CLS This security should be granted to only a few people in the institution. User IDs and permission lists to which you do not grant credit card security access can view only the last four digits of the credit card number. Institution Set SEC_ISET_CLS If you select no security for institution sets on the Security Options page, you do not need to complete the pages listed in this section, because all user IDs and permission lists have access to all institution sets.
39. Campus Row Level Security Student Financials- Permission List Name of Page Table Notes Item Type SEC_ITEM_SU_CLS Both of these records are used to assign security for Item Types. If you select no security for item types on the Security Options page, you do not need to complete this security Item Type SEC_ITEM_CLDATA Origin ID SEC_ORIGIN_CLS If you select no security for origin IDs on the Security Options page, you do not need to complete the pages listed in this section because all user IDs and permission lists have access to all origin IDs SetID SEC_SETID_CLS If you select no security for setIDs on the Security Options page, do not complete the pages listed in this section, because all user IDs and permission lists have access to all setIDs.
47. We (security) were given the inch in bundle 11, lets go for the mile. If you have any comments, suggestions for changes, customizations you have had to do to meet your business’s security needs, especially changes that many of you are making, please feel free to pass them on to me, and I will pass them onto the appropriate development teams.
Since these are the same, can have auditing created in once product/environment and migrated between products with no impact. Saves time PSoperdefn- what is included? What does the rowsecclass and primary permission list do in different environments? (Campus, HR) Why the view for the role user? PSAUTHITEM is different from the rest, as it is still a work record, not easily audited.
Tough integration point here, Campus needs access to the tree manager to set up ACAD_ORG, which also opens up the dept_security tree to be touched. Same tool to edit either tree.
Here we want to provide data security (row level security) to a group of users to only see employees in these departments.
By assigning the 2 parent nodes for Benefits and Human resources, we grant access to the nodes that fall beneath them in the department security tree.
How many of you have used Security Sets already? For what kind of users security?
If needs HR data, use either a rowsecclass permission list, if the access is contained within a single node, or under a node in the dept_security If the HR data crosses nodes, but does not roll up, for instance employees in a paygroup at different colleges, departments, locations, as long as there is a commonality in the job record (such as paygroup) you can isolate those employees and grant access to a user profile using the rowsecclass field on the oprdefn page.
Make sure that only the correct page for transcript security is visible in your environments. Don’t leave them both visible, as it may end up causing confusion as to which one to use.
Depending on the security option that you select for companies on the Security Options page, you grant access to companies using permission lists or user IDs. If you select no security for companies on the Security Options page, you do not need to complete the pages listed in this section because all user IDs and permission lists have access to all companies If you select no security for credit cards on the Security Options page, all users can view the entire credit card number To set up self-service institution set overrides, use the Student Institution Set component (ISET_OPR). The User Profiles Management feature assigns institution sets to user IDs. You use the Self Service Institution Set Override page to change the institution set assigned by the User Profiles Management feature. By overriding the institution set on this page, instead of on the User Defaults 2 page, you can view a history of the changes. Grant permission lists access to business units on the Permission List - Business Unit page, if you are securing item types by permission list. Grant user IDs access to business units on the User ID - Business Unit page, if you are securing item types by user ID. Set up the item type tree in Student Financials.
Depending on the security option that you select for companies on the Security Options page, you grant access to companies using permission lists or user IDs. If you select no security for companies on the Security Options page, you do not need to complete the pages listed in this section because all user IDs and permission lists have access to all companies If you select no security for credit cards on the Security Options page, all users can view the entire credit card number To set up self-service institution set overrides, use the Student Institution Set component (ISET_OPR). The User Profiles Management feature assigns institution sets to user IDs. You use the Self Service Institution Set Override page to change the institution set assigned by the User Profiles Management feature. By overriding the institution set on this page, instead of on the User Defaults 2 page, you can view a history of the changes. Grant permission lists access to business units on the Permission List - Business Unit page, if you are securing item types by permission list. Grant user IDs access to business units on the User ID - Business Unit page, if you are securing item types by user ID. Set up the item type tree in Student Financials.
I wish I could take credit for these changes, but although I have certainly griped enough, they don’t really do anything just to please me