A Community of Learning
Banner Security:
A Functional View
Presented by: Deb Brooks, Florida Atlantic University
March 20, 2007 Course ID 363
Objective
This session is designed to assist the Functional Security Officer in Human Resources with:
• Initial set-up of the Banner HR security system.
• Pointers for on-going maintenance.
• Security issues of specific interest
Agenda
Getting Started
BANSECR
Banner HR Security
The Auditor is coming! The Auditor is coming!
Questions
The Ideal Banner Security Officer
Banner access must be handled with care. The correct access can help avoid errors and will definitely help with the maintenance of data integrity for your institution.
The Ideal Banner Security Officer will be:
• Familiar with departmental processes.
• Familiar with departmental and university hierarchy.
• Organized.
• Comfortable in Banner or, if new to Banner, comfortable navigating various types of software.
• A problem solver, able to research problems to their eventual solution.
Don’t forget to designate a backup!
Approvals and Security Committee
The Approval and Security Committee will meet regularly to determine university policy regarding naming conventions and protocols, to review extraordinary access requests, and to brainstorm solutions to security-related problems.
The committee should include:
• IT representative in charge of higher level security
issues
• Database Administrator(s)
• Security Officers for all Banner modules (HR, Finance,
Student, Advancement)
Security Request Form
The Security Request Form is extremely important because it allows you to document the access that you are granting. You should design your form to meet your needs.
Make sure to include all the control points that you have in place. For example:
• Contact information for the employee and supervisor
• Type of employee requesting access
• Class access requested
• Form/object access requested
• Employee class requested
BANSECR
Banner security is maintained through BANSECR, which is an Oracle ID that runs the GSASECR form. This system runs independently of Banner and does not appear on any Banner menu.
There is a BANSECR system for every instance of Banner that runs at your institution (for example, production, test, and training). Security has to be set up on BANSECR separately for each Banner instance.
It is to the advantage of the institution for BANSECR security to be controlled by a minimal number of employees. At FAU it is controlled by an IT representative who determines the appropriate BANSECR defaults and access for Security Officers to limit control.
Because BANSECR is shared by all Security Officers, care should be taken to develop protocols.
Users
The Users tab on GSASECR has multiple functions. It can be used to create, alter, delete, or modify a user account, or obtain a summary of user objects.
When setting up a user account, remember to use a standard protocol for user account names and passwords.
Beware of the copy feature! If you have users with access to various modules of Banner, be careful with the copy feature because it is easy to copy access to a different module in error.
The ability to lock and unlock accounts is very useful. There are several ways an account can lock up, so be wary when asked to unlock an account and reset a password. The lock feature is good if there has been a change in status of a user and you are not sure if access needs to be modified.
Users….continued
You should limit granting direct access to objects. Direct access is difficult to maintain and does not offer as much control of object access.
Pay close attention to roles when granting access to objects. Different objects are set up with different defaults. Be very aware when granting access to determine whether the user should have query access or maintenance access.
Be aware that if a user is enrolled in several classes that define the same object with different role suffixes, the maintenance privilege will always take precedence over the query privilege.
Classes
Banner classes are groups of objects (screens) and
are used to control access. They are grouped based
on module and function.
Delivered classes are developed by SCT Sungard.
Before using a delivered class make sure that the
objects in a given class sync with the functionality of
your unit.
You may customize classes based on your
University’s organization and department
functionality. If you choose to customize classes,
develop a naming protocol.
Classes….continued
The class structure in BANSECR is a very useful tool
for Security Officers. For example, you can add one
object to a class and it will automatically add the
object to all users with access to that class. The
alternative would be to grant direct access to each
individual user, which would be labor intensive and
make maintenance difficult.
Remember when setting up a user using classes, they
must have access to common utilities.
Objects
Use of the Objects tab in BANSECR is infrequent but very necessary.
Reports that are accessed through Banner are assigned object names and have to be added to the object list in order to grant access to users through classes or direct access.
Be careful when you add an object that you assign the appropriate default role.
When you have upgrades be aware that you may have to add objects in BANSECR.
The objects list is a good place to look when troubleshooting access issues.
PTRUSER
A User must be set up in PTRUSER in order to access Banner HR objects.
Access to institutional codes, employee class codes, and org codes
cannot be granted until the user is set up in GSASECR and in PTRUSER.
Take care in granting master access to employer (if applicable), employee classes, and department orgs.
Take care in granting Superuser and Administrative access to web-based programs.
PSAECLS
PSAORGN
PSAEMPR, PSAECLS, and PSAORGN
The PSAEMPR form allows you to limit access to specific institution codes.
The PSAECLS form allows you to limit access to specific employee classes or groups. This is useful if you want to limit one group to view only student employees and one to view all non-student employees.
The PSAORGN form allows you to identify specific org codes representing home orgs and timekeeping orgs to specific people. This is very important when determining who should see which Human Resources records.
Remember that the org defined in the labor distribution is not an HR security access org.
GOAEACC
The GOAEACC form does not necessarily have to be maintained by the Security Officer. However, because the Security Officer is aware of User changes they are the most logical candidate to maintain this form.
At FAU we found that it was only useful to maintain the GOAEACC form when we started using electronic processing such as EPAFs.
Higher Level Set Up for Bansecr
The first line of access control is controlling who has
access to Bansecr and to the related behind the
scenes tables in Banner. This access should be
limited to as few people as possible and should be
controlled at the IT level of your institution.
Access should be controlled at the IT level.
Controls should be in place to track who is granted
access and to maintain the access.
Access Control
The Security Officer needs to have a very good understanding of the overall roles and functions of jobs at different levels of the university. They also need to be aware of who is authorized to approve access levels in different departments.
The Auditor is going to review the access granted to make sure that there is no conflict of interest, checking that the person who inputs the employee so that they can get paid is not the same person who authorizes payment. When setting up the classes in BANSECR, be very aware of maintenance access vs. query access to powerful screens.
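The following is an added example, not part of the original presentation or of Banner itself. It resolves a user's effective access from class enrollments and direct grants, applying the rule stated under Users (maintenance takes precedence over query), and then reports the two things this slide says an auditor looks for: direct grants and a conflict of interest. The class names, user IDs, the ENTRY_FORM and APPROVAL_FORM objects, and the conflict pair are hypothetical; roles are assumed to end in _M (maintenance) or _Q (query), as BAN_DEFAULT_M and BAN_DEFAULT_Q do.

```python
from collections import defaultdict

# Constructed sample data. Class names, user IDs and the two *_FORM objects
# are hypothetical; PSAORGN and PSAECLS are the forms named on this page.
CLASS_OBJECTS = {
    "HR_SECURITY_M_C": {"PSAORGN": "BAN_DEFAULT_M", "PSAECLS": "BAN_DEFAULT_M"},
    "HR_INQUIRY_Q_C": {"PSAORGN": "BAN_DEFAULT_Q", "ENTRY_FORM": "BAN_DEFAULT_Q"},
    "HR_ENTRY_M_C": {"ENTRY_FORM": "BAN_DEFAULT_M"},
    "PAY_APPROVE_M_C": {"APPROVAL_FORM": "BAN_DEFAULT_M"},
}
USER_CLASSES = {
    "JDOE": ["HR_INQUIRY_Q_C", "HR_SECURITY_M_C"],
    "ASMITH": ["HR_ENTRY_M_C", "PAY_APPROVE_M_C"],
    "BLEE": ["HR_INQUIRY_Q_C"],
}
DIRECT_GRANTS = {"BLEE": {"APPROVAL_FORM": "BAN_DEFAULT_M"}}
# Hypothetical policy: nobody may hold maintenance on both objects of a pair.
CONFLICTS = [("ENTRY_FORM", "APPROVAL_FORM")]


def level(role):
    """Map a role name to an access level using its suffix."""
    return "maintenance" if role.endswith("_M") else "query"


def effective_access(user):
    """Return {object: (level, sources)}; maintenance beats query."""
    grants = defaultdict(list)
    for cls in USER_CLASSES.get(user, []):
        for obj, role in CLASS_OBJECTS[cls].items():
            grants[obj].append((level(role), "class:" + cls))
    for obj, role in DIRECT_GRANTS.get(user, {}).items():
        grants[obj].append((level(role), "direct"))
    result = {}
    for obj, found in grants.items():
        top = "maintenance" if any(l == "maintenance" for l, _ in found) else "query"
        result[obj] = (top, sorted(src for l, src in found if l == top))
    return result


def audit(user):
    """List the findings an access review would raise for this user."""
    access = effective_access(user)
    maint = {obj for obj, (lvl, _) in access.items() if lvl == "maintenance"}
    findings = [f"direct grant on {obj}"
                for obj, (_, src) in sorted(access.items()) if "direct" in src]
    findings += [f"conflict: maintains {a} and {b}"
                 for a, b in CONFLICTS if a in maint and b in maint]
    return findings
```

JDOE is enrolled in a query class and a maintenance class that both define PSAORGN, so the resolved level is maintenance and the source shown is the class that caused it, which is the class to revisit if only query access was intended.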
Access Control….continued
Control access to validation and rule tables carefully.
Controlling PSAORGN and PSAECLS access is key.
Emphasize to your population that their activity can
be tracked. There should be no User ID and Password
sharing!
Try to limit access to individual objects. It is much
harder to police and control individual vs. class
access.
Employee Status Changes
Create a procedure for handling access with regard to employee status changes. It can be tricky when you have multiple Banner products in use. At FAU we have a designated Security Officer who coordinates status changes using reports.
You will need to terminate access for terminated employees in a very timely manner.
When an employee is promoted, reclassified, or reassigned to a different position in the University, their access may require modification.
When employees are on Leave of Absence, lock their accounts.
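One way to turn a status report into a work list for the Security Officer, shown as an added example that is not from the original presentation. It compares a constructed HR status report against account records and emits the three actions named above: terminate, review after a position change, and lock during leave. The report layout, status values, position codes and user IDs are all hypothetical.

```python
from datetime import date

# Constructed sample data; every value here is hypothetical.
TODAY = date(2007, 3, 20)  # date the report is run
HR_REPORT = [
    {"user": "JDOE", "status": "ACTIVE", "position": "P100",
     "effective": date(2006, 8, 1)},
    {"user": "ASMITH", "status": "TERMINATED", "position": "P200",
     "effective": date(2007, 2, 15)},
    {"user": "BLEE", "status": "LEAVE", "position": "P300",
     "effective": date(2007, 3, 5)},
    {"user": "CKIM", "status": "ACTIVE", "position": "P450",
     "effective": date(2007, 3, 10)},
    {"user": "DROSS", "status": "LEAVE", "position": "P500",
     "effective": date(2007, 1, 8)},
]
# Account state plus the position the current access was approved for.
ACCOUNTS = {
    "JDOE": {"locked": False, "approved_position": "P100"},
    "ASMITH": {"locked": False, "approved_position": "P200"},
    "BLEE": {"locked": False, "approved_position": "P300"},
    "CKIM": {"locked": False, "approved_position": "P400"},
    "DROSS": {"locked": True, "approved_position": "P500"},
}


def reconcile(hr_report, accounts, today):
    """Return (user, action, reason) tuples for accounts needing attention."""
    actions = []
    for row in hr_report:
        acct = accounts.get(row["user"])
        if acct is None:
            continue  # no Banner account, nothing to change
        days = (today - row["effective"]).days
        if row["status"] == "TERMINATED":
            actions.append((row["user"], "TERMINATE",
                            f"terminated {days} days ago, account still exists"))
        elif row["status"] == "LEAVE":
            if not acct["locked"]:
                actions.append((row["user"], "LOCK",
                                f"on leave for {days} days, account unlocked"))
        elif row["position"] != acct["approved_position"]:
            actions.append((row["user"], "REVIEW",
                            f"access approved for {acct['approved_position']}, "
                            f"now in {row['position']}"))
    return actions
```

The day count in each reason gives a measure of how timely the termination or lock was, which is the figure an auditor will ask about.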
Documentation
Documentation is your best friend when the Auditor comes.
Require request documents including higher level authorization and approvals.
If you make modifications based on e-mail requests, require that they route the requests through the appropriate authority and save all the e-mails.
Keep all files current and orderly.
Create reports regarding access so that you can track all access issues.
Thank You!
Deb Brooks
Florida Atlantic University
brooks@fau.edu
SunGard, the SunGard logo, Banner, Campus Pipeline, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. Third-party names and marks referenced herein are trademarks or registered trademarks of their respective owners.
© 2007 SunGard. All rights reserved.