
PeopleSoft

Security Audit

Version 1.0 | Updated May 9, 2017

Contents

Overview ... 1

Recommended Process to Audit Security ... 5

Query and Excel Tips ... 8

Q1. Which users have access to which information? ... 10

Q2. Are any users locked out? ... 18

Q3. Is Finance workflow/routing set up as desired? ... 19

Q4. Are Requesters and Buyers set up correctly? ... 20

Q5. Are users’ Finance User Preferences set up as desired? (HEAT Ticket) ... 22

Q6. Are the “Reports To” set up correctly? ... 23

Q7. Is PAF approval routing set up as desired? (PAF Districts Only) ... 24

Overview

Why Audit?

Your organization is responsible for its PeopleSoft users. Conduct an audit of security for the following reasons:

• To know which employees (users) have access to which information.

• To identify if any changes need to be made to users’ roles (addition/removal).

• To ensure that terminated employees do not have roles assigned.

• To verify that workflow/routing is set up as desired.

About PeopleSoft Users and Roles

In order to use PeopleSoft, employees need to be set up as users with the appropriate roles. This is done by the SDCOE Customer Resource Center (CRC).

When your organization originally went live with PeopleSoft, you submitted to the CRC a spreadsheet of all users (separate lists for Finance and HCM). On your spreadsheet you included the employee's name, ID, email address, and roles to assign. These users were loaded into Production and validated by the CRC. On the day of Go Live, they were able to log in and work.

Since Go Live, you have hired new employees. After you enter job data in HCM, each night two scheduled jobs run to create user accounts and assign two basic roles: M_EMPLOYEE and M_EE_XXX. The next day the employee can log into PeopleSoft Employee Self-Service (ESS). If the employee will use Finance or HCM, an authorized staff member needs to submit a HEAT ticket with the requested role assignments. The CRC will make the requested change.

Also since Go Live, your employees’ employment statuses have changed – they have changed positions, they were terminated, they moved from your district to another PeopleSoft district in the county, and so on. There are no automatic processes to inactivate users or remove roles. An authorized staff member from your organization needs to submit a HEAT ticket with the direction to inactivate a user or add/remove roles. The CRC will make the requested change.

For more information about PeopleSoft Security, please refer to http://crc.sdcoe.net/resources/security.

User Profiles Screen

The CRC manages data entered on the User Profiles screen.

General Tab

1. User ID: Same value as Empl ID. The User ID is used to log into PeopleSoft Portal and ESS.

2. Description: This is the employee's name but is not the same field as the name in Personal Information; the value may or may not be the same.

3. Account Locked Out?: Only the CRC can lock accounts. Typically the only employees with locked accounts are those who should not be allowed to access even PeopleSoft Employee Self-Service (ESS) to view a paycheck.

4. Password: Used to log into PeopleSoft Portal and ESS.

Roles Tab

8. Roles: Roles define which screens, reports, and queries the user can access.

Basic roles that every employee is given:

• M_EMPLOYEE: A dynamic role. Gives access to view paycheck.

• M_EE_XXX: A dynamic role. The permissions in this role are district-specific. XXX = District #

– 099 has it configured so employees use ESS for Absence Requests, Personal Information, Benefits Information Viewing, and Travel & Expenses

– 033 has Benefits Information Viewing only

– 022 has Personal Information and Absence Requests

Roles can be added and removed by the CRC using the plus/minus signs. Users who need to

Sample HEAT tickets based on User Profile

• Description: “The employee’s name doesn’t show correctly in PeopleSoft” or “The employee doesn’t want her middle name to show in PeopleSoft.” Likely the user is seeing their name pulling from the User Description (not what’s entered in Personal Information). The CRC can change this if desired.

• Roles: “I can’t get to the Job Data screen.” This indicates that the necessary role is not assigned to the user.

• Primary and Row Security:

– “I can get to the Job Data screen but I can’t find anyone.” This indicates that the role is assigned but the permission list is not.

– “I am responsible for resetting passwords for my district and I can’t find Employee 123456.” This might be because Employee 123456 changed districts or is employed at multiple districts and the employee’s Primary Permission List is set to the other district. You can only find users with the same Primary Permission List as you. The CRC can update the user’s Permission List values.

Recommended Process to Audit Security

The recommended process for auditing PeopleSoft security for your organization includes five parts.

1. Identify how often you plan to audit security. At minimum, it is recommended that you audit security annually.

2. Develop your guiding questions and identify how you will find the answers. The table below lists recommended guiding questions and suggested queries.

Application: Both Finance & HCM

Q1. Which employees (users) have access to which information? Examples:

• Who’s assigned to each role? Investigate by role.

• Which roles does each employee have? Do any changes need to be made? Are there any terminated employees who still have roles assigned? Investigate by employee.

• Are all users’ Primary Permission Lists correct?

• Is the HCM user’s Row Security correct?

• Who can see SSNs?

• Who can perform password resets?

• Who can access FAR queries in HCM?

• Are staff assigned the correct Payroll roles?

• Who has SecureAuth (VPN) access?

Q2. Are any users locked out? Should they be?

Query to use for Q1 and Q2: M_USER_ROLES in Finance (M_KK_INQUIRY role is required to run this) and M_USER_ROLES in HCM (M_HR_SPECIALIST role is required to run this).

Application: Finance only

Q3. Is Finance workflow/routing set up as desired?
Query to use: M_WF_ALL_ROUTING in Finance

Q4. Are Requesters and Buyers set up correctly?
Queries to use: M_PO_BUYERS in Finance; M_PO_REQUESTERS in Finance

Q5. Are users’ Finance User Preferences set up as desired?
Query to use: None (must request an export from CRC). Submit a HEAT ticket.

Application: HCM only

Q6. Are the “Reports To” set up correctly?
• Do any “Reports To” need to be fixed?
• Is HCM routing of TB and AM set up as desired?
Query to use: M_POSITION_REPORTS_TO in HCM

Q7. Is PAF approval routing set up as desired? For PAF Districts only.
Query to use: M_WF_PAF_ROLES_AND_ROUTING in HCM (includes employees with access to PAF)

3. Determine who will perform the audit.

4. Review the Finance and HCM roles at http://crc.sdcoe.net/resources/security so you know what they include.

Finance

• Download Finance Roles v5.0 xlsx.

• This document lists the majority of the Finance roles by module and includes Role Name, Role Description, Explanation of Role, and Who Should Have It.

• For Requesters and Buyers, it includes information about their User Preferences.

• Here are some common Finance roles. "INQUIRY" means Read Only.

- M_SEC_CF_NOCASH: Provides ChartField security to enter transactions (if you don’t have this role you can navigate to a page to which you have access but you can’t save an entered ChartField)

- M_KK_INQUIRY: To view budget screens and reports

- M_PO_REQUESTER: To create requisitions

- M_PO_INQUIRY: To view POs

- M_GL_CREATE_JOURNALS: To create GL journal entries

- M_QUERY VIEW: To run queries based on your role assignment

HCM

• Download HCM Roles v5.0.xlsx.

• This document lists the majority of the HCM roles by module and includes Role Name and Role Description.

• It also maps each role to a training course (except for the Payroll roles).

• Here are some common HCM roles. "RDO" means Read Only; in HCM each role has an RDO version.

- M_HR_SPECIALIST: To enter personal data and job data (and more)

- M_HR_SPECIALIST_RDO: To view personal data and job data (and more)

- M_HR_PERSONAL_DATA: To enter personal data but not job data

- M_PAYROLL_ADMINISTRATOR: All access that Payroll Specialist has, but includes access to the Payroll Query Tree, DBT, and Combo Code Table.

- M_TL_TIMEKEEPER: Data entry for Timekeepers.

- M_QUERY VIEW: To run queries based on your role assignment

NOTE: To view which components are in a role, run the M_SEC_ROLE_NAVIGATION query in Finance or HCM (see sample screenshots on the next page).

• Search for the roles that begin with “M_” only.

• You must enter values for both prompts (you cannot leave one blank). You can enter a % to return all values.

M_SEC_ROLE_NAVIGATION sample results (screenshots): results for the M_AP_CLERK role and for the M_HR_SPECIALIST role.

5. Conduct the audit. Document your findings and organize follow-up items. Here are two examples of follow-up items:

• A spreadsheet of employees who need specific roles added/removed

• A spreadsheet of employees who need Primary Permission List and/or Row Security values changed

Query and Excel Tips

Saving Your File

• Save your Excel file to a “Security Audit” folder. Rename the file so it includes the date that you downloaded it.

• If desired, click Convert to convert the file to the newest version of Excel (.xlsx).

Pivot Tables

• This guide shows you how to use pivot tables to help you analyze the data. Here are some basic directions to view the data in the same way shown in the screenshots in this guide.

- Export the desired PeopleSoft query to Excel.

- Delete Row 1 of the results (the row that contains the total number of records retrieved).

- Click Insert > Pivot Table. Click Yes to insert a pivot table on a new worksheet.

- Use the 4 boxes at the bottom-right to configure your pivot table. Samples are provided in this guide.

• If you want to easily format your pivot table for readability so it has shaded lines, click somewhere within your pivot table results, then click the Design tab. From the PivotTable Styles area, select Pivot Style Light 8. This is good for grayscale printing.

• If you want the pivot table results to display going down (Compact Form) rather than across (Outline Form), click somewhere within your pivot table results, then click the Design tab. Click Report Layout and select Show in Compact Form.

• Double-click results of pivot tables (any numeric value) to open those results in another worksheet. Get in the practice of renaming worksheets to keep track of the results.

• Duplicate a worksheet that has a configured pivot table. You can hold down Control and drag the sheet to the left or right to duplicate. Or, right-click and select Move or Copy; be sure to click Create a copy. After it is duplicated you can configure the pivot table in a different way, rename the tab, and save the results on that worksheet.

• Take notes in the spreadsheet to track your findings.

Q1. Which users have access to which information?

Applications to Review: Finance and HCM

Queries to use: In both PeopleSoft HCM and Finance you can run the query called M_USER_ROLES to audit Roles, Primary Permission List, Row Security, and Locked Out Status. If the employee is set up in both HCM and Finance, you will need to run the query in both environments to view those roles. You must have the M_HR_SPECIALIST role to run this query in HCM and the M_KK_INQUIRY role to run it in Finance.

Sample Results:

Audit items:

A. Who’s assigned to each role? Investigate by role.

B. Which roles does each employee have? Do any changes need to be made? Are there any terminated employees who still have roles assigned? Investigate by employee.

C. Are all users’ Primary Permission Lists correct?

D. Is the HCM user’s Row Security correct?

A. Who’s assigned to each role?

Review the users assigned to each role using Role Name. Here you will investigate by role.

• Filter by Cell B1 (Role Name) to review each role.

• Values greater than 1 indicate multiple Empl Records.

• Active vs Inactive:

- If Active only: The employee is active within your organization and has this role.

- If Inactive only: The employee is inactive and has this role. Verify in Job Data that the employee is terminated. Submit a HEAT ticket to request that the role is removed.

- If Active and Inactive: The employee has multiple Empl Records and at least 1 is still active.

• Remember, in HCM, “WF” roles are workflow roles. Even though WF PAF roles show up here, it's better to run the M_WF_PAF_ROLES_AND_ROUTING query (see p.24).

B. Which roles does each employee have?

Review each employee’s roles. Do any changes need to be made? Are there any terminated employees who still have roles assigned? The suggested way to set this up is to create one long list of employees.

C. Are all users’ Primary Permission Lists correct?

The Primary Permission List controls which district’s data an employee sees. This is found in Column E (Prim Perm List). Check that this value is not blank. Check that it is set to your organization’s number. For example, for District 20 it should be M_SEC_BU_02000.

• Filter the results by Prim Perm List not equal to your district #.

• See the sample below for guidance on interpreting results.

Sample Results:

Columns: Prim Perm List (with employees listed beneath each), Active, Inactive, Grand Total, Findings

• M_SEC_BU_00100: 3 records, Grand Total 3

- Melody B.: 3 records, Grand Total 3. Findings: Locked out. Active at District 1, on paid leave at District 20. Should find out why employee is locked out.

• M_SEC_BU_00600: Active 48, Inactive 16, Grand Total 64

- Amy M.: 2 records, Grand Total 2. Findings: Active at 6, 9, and 20 and not a power user. No change needed because not a power user.

• M_SEC_BU_01700: Active 6, Inactive 9, Grand Total 15

- Kendra F.: Active 2, Inactive 2, Grand Total 4. Findings: Active and inactive records at District 20, active in District 17. No change needed because not a power user.

• M_SEC_BU_09900: Active 8, Inactive 15, Grand Total 23

- Jessica J.: 2 records, Grand Total 2. Findings: Active at District 20 and 99. No change needed because not a power user.

D. Is the HCM user’s Row Security correct?

For HCM users only, Row Sec Prm Lst (Column F) should be set to your district #. For example, users at District 20 would have M_TL_020_ALL (where ALL means all departments).

• Filter the results by Row Sec List not equal to your district # to see active and inactive employees with district numbers other than yours. This example shows districts other than District 20 (like 21, 42, and 47).

• See the sample below for guidance on interpreting results.

Sample Results:

Columns: Row Security (with employees listed beneath each), Active, Inactive, Grand Total, Findings

• M_TL_021_ALL: Active 2, Inactive 27, Grand Total 29

- Laura G.: Active 2, Inactive 2, Grand Total 4. Findings: Works in both; low # indicates not a power user, so setup is fine.

• M_TL_042_ALL: 6 records, Grand Total 6

Setup: Same as previous

• If your organization has multiple permission lists within your district, do a second filter for all values that include your district number to make sure employees are set up correctly.

• This example shows 20_130, 20_140, and so on.
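The checks in audit items A, C and D above, together with the Active/Inactive pivot the guide builds in Excel, can be run as a script over the exported M_USER_ROLES results. The Python below is an added example and is not part of the SDCOE guide or of PeopleSoft: the column names, the district number 020 and the sample rows are assumptions constructed for the example, modelled on the columns the guide refers to (Role Name, Prim Perm List, Row Sec Prm Lst).

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an HCM M_USER_ROLES export with row 1 (the record
# count) already deleted as the guide instructs. Column names are an
# assumption modelled on the columns the guide refers to; users, IDs and
# role assignments are made up.
SAMPLE_EXPORT = """\
User ID,Description,Role Name,Empl Record,Prim Perm List,Row Sec Prm Lst,Status
100001,Melody B.,M_HR_SPECIALIST,0,M_SEC_BU_02000,M_TL_020_ALL,Active
100001,Melody B.,M_HR_SPECIALIST,1,M_SEC_BU_02000,M_TL_020_ALL,Inactive
100002,Kendra F.,M_HR_SPECIALIST,0,M_SEC_BU_01700,M_TL_017_ALL,Active
100003,Amy M.,M_HR_PERSONAL_DATA,0,M_SEC_BU_02000,M_TL_020_130,Inactive
100004,Jessica J.,M_TL_TIMEKEEPER,0,,M_TL_042_ALL,Active
"""

DISTRICT = "020"  # assumption: the auditing district's number, zero-padded to three digits


def load_export(text):
    """Parse the export into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def status_by_user_role(rows):
    """Audit item A: the status of every Empl Record for each (user, name, role)."""
    statuses = defaultdict(set)
    for r in rows:
        statuses[(r["User ID"], r["Description"], r["Role Name"])].add(r["Status"])
    return statuses


def classify(statuses):
    """The three outcomes the guide describes for a role assignment."""
    if statuses == {"Active"}:
        return "Active only"
    if statuses == {"Inactive"}:
        return "Inactive only"
    return "Active and Inactive"


def roles_to_remove(rows):
    """Assignments where every Empl Record is Inactive: verify the termination
    in Job Data, then submit a HEAT ticket to have the role removed."""
    return sorted(key for key, s in status_by_user_role(rows).items()
                  if classify(s) == "Inactive only")


def pivot_by_column(rows, column):
    """Equivalent of the guide's pivot table: status counts and Grand Total per value."""
    counts = defaultdict(dict)
    for r in rows:
        c = counts[r[column]]
        c[r["Status"]] = c.get(r["Status"], 0) + 1
    return {value: {**c, "Grand Total": sum(c.values())} for value, c in counts.items()}


def wrong_prim_perm_list(rows, district=DISTRICT):
    """Audit item C: Prim Perm List must be M_SEC_BU_<district>00 and never blank."""
    expected = f"M_SEC_BU_{district}00"
    return sorted({(r["User ID"], r["Description"], r["Prim Perm List"] or "<blank>")
                   for r in rows if r["Prim Perm List"] != expected})


def wrong_row_security(rows, district=DISTRICT):
    """Audit item D (HCM users): Row Sec Prm Lst must be M_TL_<district>_ALL or
    another M_TL_<district>_xxx list, the guide's 20_130 / 20_140 case."""
    prefix = f"M_TL_{district}_"
    return sorted({(r["User ID"], r["Description"], r["Row Sec Prm Lst"] or "<blank>")
                   for r in rows if not r["Row Sec Prm Lst"].startswith(prefix)})


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print("Roles to remove:", roles_to_remove(rows))
    print("Prim Perm List findings:", wrong_prim_perm_list(rows))
    print("Row Security findings:", wrong_row_security(rows))
    for perm_list, counts in pivot_by_column(rows, "Prim Perm List").items():
        print(perm_list or "<blank>", counts)
```

To use it on a real export, save the query results as CSV after deleting row 1, read the file into SAMPLE_EXPORT's place, and set DISTRICT to your own three-digit district number; every finding is a (User ID, name, value) triple ready to paste into the follow-up spreadsheet the guide asks for.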

E. Who can see SSNs?

Review the HCM query results to check that the correct staff can view Social Security Numbers (referred to as National ID in PeopleSoft). The following 14 HCM roles can see SSNs:

1. M_CRED_DISTRICT
2. M_CRED_DISTRICT_RDO
3. M_HR_PERSONAL_DATA
4. M_HR_PERSONAL_DATA_RDO
5. M_HR_SPECIALIST
6. M_HR_SPECIALIST_RDO
7. M_HR_JOB_EDIT_ONLY
8. M_HR_JOB_RDO
9. M_PAYROLL_SPECIALIST
10. M_PAYROLL_SPECIALIST_RDO
11. M_PAYROLL_ADMINISTRATOR
12. M_PAYROLL_ADMINISTRATOR_RDO
13. M_PAYROLL_CBO
14. M_PAYROLL_CBO_RDO

Alternative roles to use if the employee should not access SSNs:

• M_HR_JOB_DATA: Job Data but no access to Personal Information screen

• M_HR_JOB_EMPL_DATA: Employment Data link on Job Data screen only

• M_HR_JOB_BENEFITS: Benefits Program Participation link on Job Data screen only

• M_HR_PERSON_CONTACT: Contact Information tab on Personal Information screen only

• M_HR_PERSON_REGIONAL: Regional tab on Personal Information screen only

F. Who can perform password resets?

Check the M_SECURITY_LEVEL1 role on the HCM query. These are staff who can perform password resets using the Distributed User Profile screen in Portal (not HCM or Finance).

G. Who can access FAR queries in HCM?

Check the M_FINANCIAL_QUERY role on the HCM query. These are staff who can access FAR queries in HCM.

H. Are staff assigned the correct Payroll roles?

Employees should only be assigned 1 Payroll role – SPECIALIST, ADMINISTRATOR, or CBO. Exception: If the user is given CBO and needs to override rates on the Timesheet, he/she will also need ADMINISTRATOR.

Level 1: M_PAYROLL_SPECIALIST (read-only version: M_PAYROLL_SPECIALIST_RDO)

Enter additional pay; set up and enter/stop general deductions; set up direct deposits; enter reversals and paysheet adjustments; review and validate all queries and reports after pre calcs and before payroll confirm; update employee tax information; process off-cycle warrants. Read only access to Job Data and Personal information. Add/Update access to Time Reporter Data and General Deductions Table.

Level 2: M_PAYROLL_ADMINISTRATOR (read-only version: M_PAYROLL_ADMINISTRATOR_RDO)

All access that Payroll Specialist has, but includes access to the Payroll Query Tree, Department Budget Table and Combo Code Table. IMPORTANT: This is the only role that overrides rates on the Timesheet page.

Level 3: M_PAYROLL_CBO (read-only version: M_PAYROLL_CBO_RDO)

All access that Payroll Administrator has, but includes access to Chartfield Configuration, Payroll Query Tree, Department Budget Table and Combo Code Table. Read-only access to the Federal/State Tax Table.
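Audit items E and H above (the 14 SSN-viewing roles, and the rule that a user holds one Payroll role with the documented CBO plus ADMINISTRATOR exception) can be checked mechanically over the HCM M_USER_ROLES export, and the same role-per-user helper answers items F, G and I, which each reduce to listing the holders of one role. The Python below is an added example, not material from the guide: the column names and the sample users are constructed assumptions, and treating an RDO role as the same Payroll level as its full-access counterpart is an assumption made here for the check.

```python
import csv
import io
from collections import defaultdict

# The 14 HCM roles the guide lists as able to view National ID (SSN).
SSN_ROLES = {
    "M_CRED_DISTRICT", "M_CRED_DISTRICT_RDO",
    "M_HR_PERSONAL_DATA", "M_HR_PERSONAL_DATA_RDO",
    "M_HR_SPECIALIST", "M_HR_SPECIALIST_RDO",
    "M_HR_JOB_EDIT_ONLY", "M_HR_JOB_RDO",
    "M_PAYROLL_SPECIALIST", "M_PAYROLL_SPECIALIST_RDO",
    "M_PAYROLL_ADMINISTRATOR", "M_PAYROLL_ADMINISTRATOR_RDO",
    "M_PAYROLL_CBO", "M_PAYROLL_CBO_RDO",
}

# Payroll levels from the guide's table. Assumption made here: an RDO role
# counts as the same level as its full-access counterpart.
PAYROLL_LEVEL = {
    "M_PAYROLL_SPECIALIST": "SPECIALIST", "M_PAYROLL_SPECIALIST_RDO": "SPECIALIST",
    "M_PAYROLL_ADMINISTRATOR": "ADMINISTRATOR", "M_PAYROLL_ADMINISTRATOR_RDO": "ADMINISTRATOR",
    "M_PAYROLL_CBO": "CBO", "M_PAYROLL_CBO_RDO": "CBO",
}

# Constructed sample rows from an HCM M_USER_ROLES export (assumed column
# names; users and assignments are made up).
SAMPLE_EXPORT = """\
User ID,Description,Role Name
200001,Dana R.,M_EMPLOYEE
200001,Dana R.,M_HR_JOB_DATA
200002,Omar T.,M_EMPLOYEE
200002,Omar T.,M_HR_SPECIALIST_RDO
200002,Omar T.,M_PAYROLL_SPECIALIST
200002,Omar T.,M_PAYROLL_ADMINISTRATOR
200003,Priya S.,M_EMPLOYEE
200003,Priya S.,M_PAYROLL_CBO
200003,Priya S.,M_PAYROLL_ADMINISTRATOR
200004,Li W.,M_EMPLOYEE
200004,Li W.,M_PAYROLL_CBO
200004,Li W.,M_SECURITY_LEVEL1
"""


def load_export(text):
    """Parse the export into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def roles_by_user(rows):
    """Set of role names per (User ID, Description)."""
    users = defaultdict(set)
    for r in rows:
        users[(r["User ID"], r["Description"])].add(r["Role Name"])
    return users


def ssn_viewers(rows):
    """Audit item E: users holding any SSN-viewing role, with the roles that grant it."""
    return {user: sorted(roles & SSN_ROLES)
            for user, roles in roles_by_user(rows).items() if roles & SSN_ROLES}


def payroll_findings(rows):
    """Audit item H: one Payroll level per user. CBO plus ADMINISTRATOR is the
    guide's documented exception (needed only to override Timesheet rates),
    so it is reported for review rather than removal."""
    findings = {}
    for user, roles in roles_by_user(rows).items():
        levels = {PAYROLL_LEVEL[r] for r in roles if r in PAYROLL_LEVEL}
        if len(levels) <= 1:
            continue
        if levels == {"CBO", "ADMINISTRATOR"}:
            findings[user] = "review: CBO + ADMINISTRATOR allowed only for Timesheet rate overrides"
        else:
            findings[user] = "remove: multiple payroll levels " + ", ".join(sorted(levels))
    return findings


def holders_of(rows, role):
    """Audit items F, G and I: everyone holding one named role (e.g. M_SECURITY_LEVEL1)."""
    return sorted(user for user, roles in roles_by_user(rows).items() if role in roles)


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for user, granting in ssn_viewers(rows).items():
        print("SSN access:", user, granting)
    for user, finding in payroll_findings(rows).items():
        print("Payroll:", user, finding)
    print("Password resets (M_SECURITY_LEVEL1):", holders_of(rows, "M_SECURITY_LEVEL1"))
    print("FAR queries (M_FINANCIAL_QUERY):", holders_of(rows, "M_FINANCIAL_QUERY"))
    print("SecureAuth (M_REMOTE_USER):", holders_of(rows, "M_REMOTE_USER"))
```

In the constructed sample, Dana R. holds only the M_HR_JOB_DATA alternative and so does not appear among SSN viewers, Omar T. is flagged for removal because SPECIALIST and ADMINISTRATOR are two levels, and Priya S. is flagged for review under the CBO plus ADMINISTRATOR exception.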

I. Who has SecureAuth (VPN) access?

A limited number of employees are granted SecureAuth (VPN) access to the SDCOE Secure Web Portal in order to use PeopleSoft from home and other locations. Users must submit a form to request this special access. Approved users must provide a text-capable cell phone number for one-time identity verification and register the device they will use for access. The device must be owned by the district. A fingerprint of the computer is registered and used as part of the authentication each time the user logs in. For more information about SecureAuth, please go to http://crc.sdcoe.net/resources/vpn.

Check the M_REMOTE_USER role on the HCM query. These are staff who have SecureAuth (VPN) access.

Q2. Are any users locked out?

Application to Review: HCM (HCM controls users who are locked out in Finance)

Query to use: M_USER_ROLES in HCM

Audit items: Check User Locked Out (Column J). If “Yes” this indicates a user account is locked. Only the CRC can lock accounts. Typically the only employees with locked accounts are those who should not be allowed to access even PeopleSoft Employee Self-Service (ESS) to view a paycheck.

Filter Cell B1 by Yes. Which users are locked out? Should they be locked out? Is there anyone else who needs to be locked out?

Q3. Is Finance workflow/routing set up as desired?

Application to Review: Finance

Query to use: In PeopleSoft Finance you can run the query called M_WF_ALL_ROUTING to review approvers and routing. It returns User, Description, Role Name, Role Description, and Routing.

Sample Results:

Audit items:

• Filter by Column E (Routing) to look at workflow for Sites or Resources.

• Filter by Column B (Description) to look at workflow by employee. This is useful when you need to assign routing to someone else.

Q4. Are Requesters and Buyers set up correctly?

Application to Review: Finance

Queries to use:

• M_PO_BUYERS in Finance

• M_PO_REQUESTERS in Finance

Buyers Sample Results:

• Review your list of Buyers. Use the Status column to see who is an active Buyer.

• Inactive = Buyer status was inactivated. If an employee cannot create POs but has the M_BUYER role, check their status. If Inactive, they cannot create POs.

Requesters Sample Results:

• Review your list of Requesters. Use the Status column to see who is an active Requester.

• Inactive = Requester status was inactivated. If an employee cannot create requisitions but has the M_REQUISITIONS role, check their status. If Inactive, they cannot create reqs.

• Check Ship To, Location, and so on.

Q5. Are users’ Finance User Preferences set up as desired? (HEAT Ticket)

The CRC sets up all Finance users with User Preferences. For your reference, this is a screenshot of the Define User Preferences screen used by the CRC.

Audit item: If you would like to audit Finance user preferences, please submit a HEAT ticket with the following description: “Please run a report of Finance user preferences for security audit purposes.” You will receive a file and specific instructions on how to interpret the results.

Q6. Are the “Reports To” set up correctly?

Application to Review: HCM

Query to use: In PeopleSoft HCM you can run the query called M_POSITION_REPORTS_TO to review HCM routing of TB and AM. It returns information about the Employee (ID, Name, Empl Record, Dept ID, Position) and who he/she reports to (Position, Supervisor ID, Name, Empl Record, Status, Title).

Sample Results:

Audit items:

• Do any “Reports To” need to be fixed?

• Is HCM routing of TB and AM set up as desired?

Q7. Is PAF approval routing set up as desired?

(PAF Districts Only)

This audit is only for organizations that use the Personnel Action Form (PAF).

Application to Review: HCM

Query to use: In PeopleSoft HCM you can run the query called M_WF_PAF_ROLES_AND_ROUTING to review PAF roles and routing. It includes employees with access to PAF.

Sample Results:

Audit items:

• Review routing of PAFs.

• If desired, use this query to see which employees have access to PAF screens.
