SIS Security Inventory

Overview
Academic Structure
Institution
Career
Program
Plan
Sub plan
Admissions Actions
Application Centers
Recruiting Centers
3C Group
Service Indicators
Test ID
Demographic Data
Mass Change
Search Match
Authentication Process
Primary Permission List
Query Security
HR Row Level Security
eReports
Segregation of Duties
ODS
Prerequisites
Academic Organization
Program Actions
Enrollment Security
Transcript Type
Equation Engine
Student Financials
Business Unit
Item Types
Origin
Component Interfaces
Security Views

Overview
There are 2 different groups of users
1) Central. ~ 200 Users.
2) College (external). ~ 900 Users.
The access requirements for the central users are diverse and
need to be collected via the user upload spreadsheet.
The college users are similar enough that templates have been
created to match the various user types. There are 2 groups of
template users:
i. Graduate Professional (GP). There are 17 templates.
ii. Undergraduate Admissions and First Year Experience (UAFYE).
20 templates.
We may be able to bundle these templates into roles.
Notes
The GP and UAFYE templates have been created in HC8CFG 1/2/2008.
We will need a custom page to clone a user and all of their
associated security.
Academic Structure
Wave: Alpha
Admin: Centralized
Status: WIP
You secure the academic structure by user ID. Give
each user ID access to the academic institutions, academic careers,
academic programs, and academic plans that the user needs to work
with in the system.
Definition Data:
1    Institution  PS_INSTITUTION_TBL  1
2    Career       PS_ACAD_CAR_TBL     10
2    Program      PS_ACAD_PROG_TBL    75
2|3  Plan         PS_ACAD_PLAN_TBL    13,000
3|4  Sub Plan     PS_ACAD_SUBPLN_TBL  196
Institution
Definition: PS_INSTITUTION_TBL
Security: PS_SCRTY_TBL_INST
Assignment Strategy
Everybody gets OSUSI
Career
Definition: PS_ACAD_CAR_TBL
Security: PS_SCRTY_TBL_CAR
Assignment Strategy
The document CONV_OSU_PLAN_XREF.xls contains
a mapping of permacun (DEPT) values to careers and plans. We can
use this information to map from legacy data.
CONV_OSU_PLAN_XREF.xls
SIS_USER_REPORT_DEPT.xls
Program
Definition: PS_ACAD_PROG_TBL
Security: PS_SCRTY_TBL_PROG
Plan
Definition: PS_ACAD_PLAN_TBL
Security: PS_SCRTY_TBL_PLAN
Assignment Strategy
These should map the same as Careers (see above).
Undergraduate admins don't need minors or secondary majors.
Sub plan
Definition: PS_ACAD_SUBPLN_TBL
Security: ?
Where is the security page located?
Notes: Brian O'Brien is creating a new
mainframe report to include all permicun codes and access levels
(AXDR 4, ADDR 4 are missing, maybe others).
I'm creating a new document that captures all of the rules for
assigning academic structure security to college (external) users
(1/3/2008).
Admissions Actions
Wave: Alpha
Admin: Distributed
Status: Done
Before you assign security for admissions actions,
administrators must set up program actions. Program action codes
designate the status of a student in a program from the time he or
she is an applicant and throughout his or her academic career. For
example, a student must have a program action of Matriculate to
become a student, and a program action of Activate in any term in
which she wants to enroll. Admission Action security is the process
of granting end users the ability to assign these program actions
to students.
PS_ADM_ACTION_TBL
PS_SCRTY_ADM_ACTN
Notes: Admission actions have been collected for our template
users, and will be collected for all users that don't fit the
template.
Application Centers
Wave: Alpha
Admin: Distributed
Status: Done
You secure applicant data through
application centers. Access to applicant data is given to a user ID
by granting access to specified application centers. Undergraduate
Admissions and Law School Admissions are examples of Application
Centers.
PS_ADM_APPLCTR_TBL
PS_SCRTY_APPL_CTR
Notes: Application Centers have been collected for our template
users and will be collected for individuals that don't fit the
template.
Recruiting Centers
Wave: Alpha
Admin: Distributed
Status: Done
The recruiting center helps to identify the
prospects and recruiters who belong to a particular recruiting
office. Access to prospect data is given to a user ID by granting
access to specified recruiting centers. If the user ID is not
associated with a particular recruiting center, the user ID cannot
access prospect data associated with that recruiting center.
PS_ADM_RECRCTR_TBL
There are 3 in DEVP
PS_SCRTY_RECR_CTR
Notes
Every user can not have all of them. Must be secured.
Recruiting Centers have been collected for our template users
and will be collected for individuals that don't fit the
template.
3C Group
Wave: Alpha
Admin: Centralized
Status: WIP
PS_GRP_3C_TBL
PS_OPR_GRP_3C_TBL
After you define the groups you tie them to
a) Communication Categories
b) Checklist Codes
c) Comment Categories
Users can have multiple 3C groups, so there could be different
3C groups for each of the 3 types. Currently there are 13 groups.
Is that enough for production?
Assignment Strategy
Megan email 11/28/2007: We (the Admissions team) still need to
work on setting up the 3C security portion of this. Hopefully once
we have this set up, we will be able to define a mapping between
department (on the SPOM) and 3C group.
Service Indicators
Wave: Alpha (partial)
Admin: Centralized
Status: Done
Service indicators provide
the ability to grant or limit access to services for an individual.
There are both positive and negative service indicators. Examples
of negative service indicators include no check cashing privileges,
enrollment verification or transcript holds, and denied
registration for classes. Service indicator security controls which
service indicators a user can remove or place on students.
Definition table:
PS_SRVC_IND_CD_TBL
Reason:
PS_SRVC_IN_RSN_TBL
Security table:
PS_SCRTY_TBL_SRVC
Row Level Security Issue: The department prompt on the Reason
code page will not be available to users unless they have the
appropriate Security by Dept Tree security:
All Data Security permission lists get Security by Dept Tree:
OSU level.
Notes: In Alpha wave users will need to view service indicators
only. Legacy system is still system of reference in Alpha. Only the
Deceased SI is required for Alpha wave (Megan email 12/2/2007).
Test ID
Wave: Alpha
Admin: Delegated
Status: Done
The ability to see test scores. This
could be entry exams as well as placement tests for math and language
etc. User ID based security for test IDs now ensures users access
and process only the test data for which they have permission.
PS_SA_TEST_TBL
PS_SAD_TEST_SCTY
Low Risk.
Notes: None of the external users need TESTID security. For
central users the security data will be collected on the
spreadsheet. Megan sent a short list of valid TESTIDs to choose from
(11/28/2007).
Demographic Data
Wave: Alpha
Admin: Centralized
Status: Done
With DDA security, you can mask
the display of national ID and birth date data in search records,
prompt records, and on the Bio/Demo Data and the Relationships
pages if these pages have display-only security. You can mask the
entire fields or the first five characters of the national ID field
or the year of the birth date field. You can apply masking to one,
both, or neither field. This security is tied to a user's Primary
Permission List.
PS_RUNCNTL_MSK_CFG
PS_PERS_MSK_CFG
This data is stored in a run control table. The AE Job MSK_CFG
updates PS_PERS_MSK_CFG.
Notes
Give each user the Primary Permission List that
corresponds with the requested search match security (SSN full,
partial, none).
If a high number of primary permission lists evolve we may need
to create a page to create them on the fly.
Mass Change
Wave: Alpha
Admin: Centralized
Status: WIP.
User Profile Management
Mass change is also used for other functions in the system.
Security is controlled by the user's Primary Permission List.
Batch processes for the creation of applicant accounts and the
adding/removing of roles as the student matriculates.
Definition: PS_MC_TEMPLATE
Security: PS_MC_OPR_SECURITY
Assignment Strategy
The Admissions Team will handle the setup of
the mass change process for the creation of applicant accounts.
If the applicant already has an account (they are an employee)
then the applicant role will be added to their existing account.
The Data Security Team will not touch the Mass Change related roles
on any account.
After the applicant matriculates they will need the student
role. The Student Records Team will handle the setup and
configuration for that batch process.
The Data Security Team will make sure the roles and template
accounts are properly defined.
Per Megan Dugan:
The delivered Mass Change definitions that we will use
include:
1. Application Prog Update Select
2. Communication - Delete Temp
3. Userprofile Applicant
I believe that other modules will be using Mass Change
functionality as well. I'm not sure how to indicate this in CFG or
how to communicate this business requirement to the Security
Team.
Question: Will users require these mass change definitions or
only BATCHID?
Search Match
Wave: Alpha
Admin: Centralized
Status: Done
Search/Match enables you to define
criteria to check for duplicate or multiple ID records. Search
result codes specify the data which is returned in the grids on the
Search Results page for the potential matching IDs that it finds.
You can define field-level security for fields that you consider
sensitive. For example, you might allow some users to see the full
birth date, but restrict other users to see only the year (or
nothing at all), depending on the Primary Permission List in their
user profile.
The exceptions link ties SM security to a Primary
Permission list.
PS_HCR_SM_RSLT_EXC
Security tab.
HCR_SM_RESULT (page)
Notes: Create specific roles for each level of SSN masking
(SM_SSN_FULL, SM_SSN_PARTIAL, SM_SSN_NONE). The request form will
have a field to specify the level of access for each user.
The birth date masking will not need to be specified; it will be
the same as SSN.
Full = MM/DD/YYYY
Partial = MM/DD/****
None = **/**/****
Authentication Process
Wave: Alpha
Admin: Centralized
Status: WIP.
Web Server 1
Shibboleth enabled
Tuned for Admins.
SIS admins will authenticate with RSA.
Students can login here, but they won't know of the URL.
(Redirect students to web server 2?)
Web Server 2
Shibboleth enabled
Tuned for Students (small cache size).
Students will authenticate with their name.n (Kerberos).
Redirect Admins to Web Server 1.
Web Server 3
Not Shib enabled
Current HR users & native PS authentication
Web Server 4 ?
Buckeye link users
Shib enabled
Signon PeopleCode. Redirect Admins to Web Server 1
Don't allow HR users to authenticate with Kerberos ID
(No_Kerberos_Auth role).
Any user who requires RSA will have the RDA_Required role.
Removing that role allows the user to login with Kerberos only.
LDAP Store password for Applicants. (email + LDAP password to
authenticate)
Applicant passwords come from Mass Change batch process. The
temporary table must be preserved for LDIF file.
Notes
Users who are both students and employees will be held to
their employee login restrictions and signon times. Mitch says the
signon times will be the same for students and admins.
Do all users have an active kerberos ID?
We need to configure HC8SEC to use Shib.
We want to use Shib for prerequisite entry in February.
Primary Permission List
Wave: Alpha
Admin: Centralized
Status: WIP
Controls based on primary permission list.
1. Demographic Data (Masking the SSN and DoB).
2. Search Match result views (SSN and DoB).
3. Student Financials (Item Types)
4. Student Enrollment (Self Service Enrollment Access ID)
5. Definition Security (Trees)
6. Mass Change. (Not Used).
? What HR controls are tied to PPL ?
Since every user only gets one primary permission list, we will
need to create many permutations of the various controls. A naming
standard will be adopted that makes the security behind each of the
primary permission lists self evident. Each byte of the name will
represent one of the controls, and a unique character will be
assigned to each of the control values.
The level of security required for each control will determine
the number of primary permission lists we need to maintain. If
there are a great number of them, and we anticipate new ones in the
future, then we will need a utility for creating them.
Demographic Data.
There are 3 levels of access for masking the SSN. The Date of
Birth masking won't require its own byte; it can be tied to the SSN
masking byte.
Char  SSN                      DoB
0     Fully Masked             Masked
4     Last 4 digits viewable.  Masked
9     All 9 digits viewable.   Viewable.
Search Match
The ability to control which fields are displayed on a search
match is only relevant to the sensitive data, in this case the SSN
and DoB. There doesn't seem to be a reason to separate the masking
of the SSN on pages (Demographic Data) and the masking of SSNs in
search match. Therefore, we can use the same byte as Demographic
Data for Search Match.
Note: See Search Match section. This control will be
administered by roles.
Student Financials (Item Types)
In addition to item types there are 6 other controls that can be
tied to the primary permission list.
1. Setid
2. Business Unit
3. Credit Card/Check
4. Company
5. Institution Set
6. Origin
It may not be necessary to secure any of these by primary
permission list. Are there any users that require access to pages
with credit card data, but should not see credit card numbers?
Item types: Items are placed on a tree and secured either by
nodes on the tree or individual items. We can represent each unique
group of items by a unique letter.
Item types can be optionally controlled by primary permission
list. They can also be controlled by individual users.
Student Enrollment
Controlled by primary permission list for students only.
Enrollment security for administrators is tied to their userid.
Access IDs. Controls What and when. When you can enroll, drop
with permission, etc. It also controls the overrides that are
available.
Access Groups. Controls who (which groups of students an
administrator can enroll).
The primary permission list can only be tied to Access IDs, not
groups. That makes sense because students can only enroll
themselves, so there is no need to control which groups of students
are available.
Question: How many different Access IDs will need to be assigned
to students?
Guess: Undergrad, Grad, Law, Medicine
Definition Security
Controls which trees a user can update.
Security Admin: OS_QUERY_TREE
Configuration Mgnt: All trees.
?: Academic structure tree.
Data Permission Lists
Page: SCRTY_TABL_DEPT
High level node (OSU)
(Service Indicator Reasons dept prompt)
Alphabet Soup Approach
Primary PL  Primary PL  Demographic   Student Enrollment  Definition  Mass
Indicator   Indicator   Data Masking  Access ID           Security    Change
P           P           0             U                   A           A
                        4             G                   Q           C
                        9             L                   S           U
                                      M                   N           N
                                      N
Search Match
0  No digits visible
4  Last 4 digits visible
9  All digits visible
Item Types (optional on PPL).
A  ?
B  ?
N  None
Student Enrollment Access IDs
U  Undergraduate
G  Graduate
L  Law students
M  Medical students
N  None
Definition Security
A  All Trees
Q  Query trees
S  Academic structure tree
N  No trees.
Mass Change
A  Application Prog Update Select
C  Communication - Delete Temp
U  Userprofile - Applicant
N  None
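
The naming scheme above, as an added Python example (not part of the original inventory and not PeopleSoft code): it decodes, builds and enumerates primary permission list names and lists who can see full SSNs. The byte order and the least-privilege defaults are assumptions read off the table, item types are left out, and the sample user IDs are constructed.

```python
"""Codec for primary permission list (PPL) names: one character per control.

Assumed layout, read off the table above: the "PP" indicator, then masking,
enrollment Access ID, definition security and mass change.
"""
from itertools import product

PREFIX = "PP"

# Controls in name order, each with its character -> meaning map from the page.
CONTROLS = (
    ("masking", {
        "0": "SSN fully masked, DoB masked",
        "4": "last 4 SSN digits viewable, DoB masked",
        "9": "all 9 SSN digits viewable, DoB viewable",
    }),
    ("enrollment_access_id", {
        "U": "Undergraduate", "G": "Graduate", "L": "Law students",
        "M": "Medical students", "N": "None",
    }),
    ("definition_security", {
        "A": "All trees", "Q": "Query trees",
        "S": "Academic structure tree", "N": "No trees",
    }),
    ("mass_change", {
        "A": "Application Prog Update Select",
        "C": "Communication - Delete Temp",
        "U": "Userprofile - Applicant", "N": "None",
    }),
)

# Assumption: the most restrictive value of each control is the default.
LEAST_PRIVILEGE = {"masking": "0", "enrollment_access_id": "N",
                   "definition_security": "N", "mass_change": "N"}


def decode_ppl(name):
    """Return {control: meaning} for a PPL name; raise ValueError if malformed."""
    if len(name) != len(PREFIX) + len(CONTROLS) or not name.startswith(PREFIX):
        raise ValueError(f"{name!r}: want {PREFIX!r} + {len(CONTROLS)} characters")
    decoded = {}
    for (control, values), char in zip(CONTROLS, name[len(PREFIX):]):
        if char not in values:
            raise ValueError(f"{name!r}: {char!r} is not a {control} value")
        decoded[control] = values[char]
    return decoded


def encode_ppl(**levels):
    """Build a PPL name; controls the caller omits stay at least privilege."""
    unknown = set(levels) - set(LEAST_PRIVILEGE)
    if unknown:
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    chosen = {**LEAST_PRIVILEGE, **levels}
    name = PREFIX + "".join(chosen[control] for control, _ in CONTROLS)
    decode_ppl(name)  # rejects characters that are not in the table
    return name


def all_ppl_names():
    """Every permutation the scheme allows, i.e. the lists to maintain."""
    return [PREFIX + "".join(combo)
            for combo in product(*(values for _, values in CONTROLS))]


def full_ssn_viewers(assignments):
    """Access-review helper: user IDs whose PPL exposes all nine SSN digits."""
    viewers = []
    for user, ppl in assignments.items():
        decode_ppl(ppl)  # validate before trusting character positions
        if ppl[len(PREFIX)] == "9":
            viewers.append(user)
    return sorted(viewers)


if __name__ == "__main__":
    # Constructed sample assignments (user ID -> PPL name), not real accounts.
    sample = {"central01": "PP9NAN", "college07": "PP4NNN", "student42": "PP0UNN"}
    print(decode_ppl("PP0UAA"))
    print(len(all_ppl_names()), "possible primary permission lists")
    print("full SSN:", full_ssn_viewers(sample))
```
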
Query Security
Wave: Alpha
Admin: Centralized
Status: WIP
Overview: There will be a Public and Restricted role
for each of the 5 modules for a total of 10 roles. The roles will
all be prefixed with READ.
1. READ_AD_PUBLIC
2. READ_AD_RESTRICTED
3. etc. . .
The OS_QUERY_TREE will have a node that corresponds to each of
the 10 roles above. Records that are placed in the restricted access
groups (nodes) will be removed from every other node in every other
query tree so that the restricted node becomes the sole means of
access to that record. A record can be in more than one restricted
node, however.
The public nodes will contain records that are not sensitive,
but are required for query and are missing from the delivered query
tree for that module.
Ten new permission lists will be created to hold the query
security for the new roles. The public permission lists will
receive the high level node of the PeopleSoft delivered query tree
for that module and the public node in the custom OS_QUERY_TREE for
that module. The restricted permission lists will just have the
restricted node in OS_QUERY_TREE for that module.
Ten new Oracle roles will be created for each of the query roles
above. A process will be run that synchronizes the Oracle roles with
the PeopleSoft roles.
Notes
11th role: PSAMDIN PSURLDEFN : Contains FTP server passwords.
Issues
We need to identify which tables need to be restricted.
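
An added example (not project code) of an audit for the rule in this section that a restricted node is the sole means of access to its records. The tree contents, the READ_XX module code, DELIVERED_AD_TREE and the REC_ names are constructed, and each node's record set is assumed to be already flattened to include its child nodes.

```python
"""Audit query-tree contents against the 'restricted node is the sole
means of access' rule. Illustration with constructed data."""

CUSTOM_TREE = "OS_QUERY_TREE"

# Constructed sample: {tree name: {node name: set of record names}}.
SAMPLE_TREES = {
    "OS_QUERY_TREE": {
        "READ_AD_PUBLIC": {"REC_TERM_CODES"},
        "READ_AD_RESTRICTED": {"REC_APPLICANT_SSN", "REC_SHARED_SENSITIVE"},
        "READ_XX_PUBLIC": {"REC_APPLICANT_SSN"},         # violates the rule
        "READ_XX_RESTRICTED": {"REC_SHARED_SENSITIVE"},  # allowed: 2nd restricted node
    },
    # Stand-in for a delivered module query tree; still lists a restricted record.
    "DELIVERED_AD_TREE": {"TOP": {"REC_ADM_BASE", "REC_SHARED_SENSITIVE"}},
}


def is_restricted(tree, node):
    # Assumption: each custom node carries its role name, e.g. READ_AD_RESTRICTED.
    return (tree == CUSTOM_TREE and node.startswith("READ_")
            and node.endswith("_RESTRICTED"))


def find_leaks(trees):
    """Return sorted (record, tree, node) for every restricted record that is
    still reachable through a non-restricted node of any tree."""
    restricted = set()
    for tree, nodes in trees.items():
        for node, records in nodes.items():
            if is_restricted(tree, node):
                restricted |= records
    leaks = []
    for tree, nodes in trees.items():
        for node, records in nodes.items():
            if not is_restricted(tree, node):
                leaks += [(rec, tree, node) for rec in records & restricted]
    return sorted(leaks)


def records_for(granted, trees):
    """Records a permission list can query, given its (tree, node) grants."""
    reachable = set()
    for tree, node in granted:
        reachable |= trees[tree][node]
    return reachable


if __name__ == "__main__":
    for record, tree, node in find_leaks(SAMPLE_TREES):
        print(f"{record} is restricted but also reachable via {tree}/{node}")
    # A public permission list: top node of the delivered tree plus the public node.
    public_pl = [("DELIVERED_AD_TREE", "TOP"), (CUSTOM_TREE, "READ_AD_PUBLIC")]
    print(sorted(records_for(public_pl, SAMPLE_TREES)))
```
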
HR Row Level Security
Wave: Alpha
Admin: Centralized
Status: Done.
In order for HR users to be able to create student employees
they need to be able to open student records. For that, they need
the POI security. Put this on WEBALL (or turn off that
security).
On/Off Switch:
Definition: PS_SCRTY_TYPE_TBL
Security: PS_SJT_CLASS
insert into PS_SJT_CLASS
select rowsecclass, SCRTY_SET_CD, SCRTY_TYPE_CD, SCRTY_KEY1,
SCRTY_KEY2, SCRTY_KEY3
from PS_SJT_CLASS a,
psoprdefn b
where rowsecclass != ' '
minus
select * from PS_SJT_CLASS;
Notes
Add the POI Type to WEBALL. Run SJT process.
eReports
Wave: Alpha
Admin: Centralized
Status: WIP
Glenn Donaldson has said that Hyperion will be used
for SIS Alpha wave.
We will create 10 new folders, a Public and
Restricted folder for each module. New access groups will be
created for each of the 10 folders and those access groups will be
assigned to the appropriate permission lists.
Issues
Who will let us know which access groups (Hyperion Folders) go
with which permission lists?
Who will assign the reports to the 10 folders? We want to make
sure they (Bill?) are on the same page with us on this.
Segregation of Duties
Wave: Alpha
Admin: Centralized
Status: WIP
Can we identify which SIS duties need to be
segregated, or is that too much burden on the Application
Team?
ODS
Wave: Alpha
Admin: Centralized
Status: WIP
Data Warehouse
1. Collect query security information for SIS (tables by
module).
2. Collect user names for table groups. Can this be mapped from
current ODS?
3. Map table names to ODS tables.
There are 2 Data Warehouse environments.
1. DWMART
2. ODS
This security is only for Query access.
HCOSU will have PS Query and Oracle.
DWHCRPT will have Oracle accounts only
DWDMOSU is an Oracle only environment (no PS).
Hyperion will have every HCOSU user. Access levels will be
controlled by a user's access groups which will be tied to
permission lists. There will be 10 SIS folders, a Public and Secure
folder for each of the 5 modules.
Glenn will provide information on which users are in each of the
3 groups.
Query security will be controlled by 10 basic groups in each
environment. Each of the 5 modules will have a Restricted and
Public group. Only sensitive tables will be placed in the
Restricted groups. Glenn Donaldson will provide the list of tables
(about 750 in all).
Note: No row level security in ODS.
Prerequisites
Wave: Pre Alpha
Admin: Centralized
Status: WIP
About 200 users will need access to (a yet to be
named autonomous PeopleSoft system) to set up course prerequisites
in February. The effort will begin Feb-25 (Training)
August.
Shibboleth (Kerberos) authentication required
A new environment will be set up for this effort. Send them a list of who
can create prerequisites now.
Create college user accounts              2/18/08
Provide security support during training  2/25/08 - 3/10/08
Academic Organization
Admin: Centralized
Row level security requires that
administrators specifically designate the data that users can see.
To do that, you use an academic organization security tree, which
is a security structure that graphically represents the hierarchies
of the University.
Definition Data:
ACAD_ORGANIZATION tree.
Security Table:
PS_SCRTY_TBL_ACAD
Level 1  Level 2     Level 3
OSUSI    ARTS_SCI    ARTS_COL
                     ASC_E_DEAN
                     BIO_COL
                     HUM_COL
                     MPS_COL
                     SBS_COL
         EXTENDED    LIMA_CAMP
                     MANSF_CAMP
                     MARN_CAMP
                     NEWRK_CAMP
         HEALTH_SCI  DEN_COL
                     MED_COL
                     NUR_COL
Large impact on course catalog
Need to go to D node for user security.
After you make a change to the academic organization tree you
have to run the process that updates the tree node numbers based on
the tree structure. We will need to collect this information
outside of the User Definition Worksheet.
Assignment Strategy
Map from fiscal ID.
Program Actions
Program actions control how a
student moves through the University.
A program action is a change to a person's program data. An
action reason indicates why a particular program action was taken,
or offers a further description of the program action. For example,
you can record that an applicant has withdrawn an application for
an academic program. The reason you enter could be After Decision
or Before Decision. Program Action security controls which actions
a user can apply to a student.
PS_PROG_ACTION_TBL
PS_SCRTY_PROG_ACTN
How many program actions will there be? Can everybody have them
all?
Enrollment Security
Enrollment security controls when access windows close for
various enrollment activities. It is tied to the student's permission
lists.
Student Records Chapter 8-4
Enrollment Security.
Controls when access windows close for various activities.
Access IDs. Controls What and when. When you can enroll, drop
with permission, etc. It also controls the overrides that are
available.
Access Groups. Controls Who (which groups of students an
administrator can enroll). Access IDs can be tied to Access
Groups.
Controlled by primary permission list for students only.
Enrollment security for administrators is tied to their userid.
The primary permission list can only be tied to Access IDs, not
groups. That makes sense because students can only enroll
themselves, so there is no need to control which groups of students
are available.
PS_TIME_PERIOD_TBL
PS_ENRMT_OVRD_TBL
Access IDs
The What & When
PS_ENRL_ACCESS_STD
Access Groups
The Who
Create an enrollment group.
The security can be at the Institution, (Career or Program or Plan)
and Student Group level.
Grant either an access group or an access id to the user
(academic advisor)
PS_OPR_DEF_TBL_CS
PS_ENRL_ACCESS_GRP
PS_ENRMT_OVRD_TBL
Question: How many different Access IDs will need to be assigned
to students?
Guess: Undergrad, Grad, Law, Medicine
How is it done now?
Transcript Type
PS_TRANSCRIPT_TYPE
PS_SCRTY_TSCRPT
Equation Engine
Unbelievably bad security design.
The Equation Engine is a powerful tool that enables you to
develop a variety of formulas that can be used to identify a
specific student population, establish the assignment of an award,
provide a calculated value, or provide a customization point in a
process. Equation Engine security controls which EE programs a user
can run, and it is administered on the main User Profile security
page. Security is controlled by trees and profile types.
Profile Type  Corresponding Tree  Description
EQD           EQTN_TBAUTH_TREE    Controls access to equation engine data
EQN           EQTN_IDAUTH_TREE    Controls access to equations
EQS           EQTN_SQAUTH_TREE    Controls access to callable SQL
EQX           EQTN_XTAUTH_TREE    Controls access to external COBOL code.
The primary tree seems to be EQTN_IDAUTH_TREE which controls
which equation engine programs a user can run. (Does the user need
access to the sql in the EE as well to run it?)
These trees are currently empty and need to be defined. All(?)
of the equation engine programs are in the public node at the top
of the tree. Everybody has access to the public nodes without
having to be granted the access. The nodes placed in these trees
become available within the opralias field for the corresponding
profile type. Granting access to a node does not grant access to
child nodes. Users can only have one node per profile type (i.e.
Tree).
Every user can be granted one node on the tree, and only one
node. Once a user is granted access to a node on the tree they gain
access to the equation engine programs in that node but they lose
access to everything in the public node.
It won't help to create extra trees, because the nodes are
granted as Access Types in the usermaint component. This is like an
emplid type, and just as a user can have only one emplid, they can
have only one equation engine profile type. There are 5 types, but
only 4 are being used. Nobody should have access to create equation
engine programs in production because it is basically a SQL tool.
It's dangerous to the data because users would be testing their SQL
in production, and it's a security issue because users can create ad
hoc update SQL statements.
Plan
Get rid of Public equations
Top node in tree will have all equations.
Lower nodes will have progressively fewer equations.
Maybe only 3 levels of nodes will be necessary.
Student Financials
PS_INSTALLATION_SF
PS_SEC_VIEW_NAMES
SF Category                   Security Table
Business Unit                 PS_SEC_UNITSF_OPR
Company                       PS_SEC_COMPANY_OPR
Credit Card and Bank Account  PS_SEC_CC_OPR
Institution Set               PS_SEC_ISET_OPR
Item Type                     PS_SEC_ITEM_OPR
Origin IDs                    PS_SEC_ORIGIN_OPR
SetID                         PS_SEC_SETID_OPR
Student Institution Set       PS_OPR_DEF_TBL_CS
Business Unit
Every primary permission list needs to be added here. Can every
user have OSUSI as the Business Unit?
Item Types
Item types are the basic work unit of the Student Financials
application. Each item type defines and describes a unique action.
Item type security controls which item types a user can apply to
students.
Definitions
ITEM_TYPE_TBL
Security
PS_SEC_ITEM_OPDATA
PS_SEC_ITEM_OPR
Administer by userid
Defined in tree.
There are over 5,000 item types.
Tree Name = ITEM_TYPE_TREE
Origin
Origins represent sources of charges or payments used during
group posting. Origin security limits the number of users who can
view and update the transactions with which an origin is
associated.
Definition:
PS_ORIGIN_TBL
Security:
PS_SEC_ORIGIN_OPR
00001 Financial Aid
00002 Lockbox
00003 Housing
00004 Fees & Deposits
00005 Payroll Deduction
00006 Office of Internat'l Affairs
00007 Ohio Attorney General
00008 Traffic and Parking
00009 Library
00010 UNITS
00011 Web Payments
Component Interfaces
Component interfaces allow external systems to
insert/update/delete data in PS components just as if the data was
being manipulated via the PIA. All PeopleCode fires. The user
account that invokes the component interface does not require a
permission list that has page access to the component. Therefore,
it is not safe to grant every user every component interface. A
savvy user could invoke CIs to directly manipulate the system.
Which CIs should be tied to which permission lists?
This is low risk and will not be restricted for the Alpha wave
roll out.
Security Views
Component security is the process of adding row level security
functionality to particular pages. It is a process of design and
development and is quite technical in design and
implementation.
This is really a setup page.
PS_ES_SECURITY_TBL
PS_ES_SECURITY_DTL
M:\PeopleSoft\SIS\Module_Security\SIS_Security_Inventory.doc 6/18/2008