Banner Security: A Functional View



A Community of Learning

Banner Security:

A Functional View

Presented by: Deb Brooks, Florida Atlantic University

March 20, 2007 Course ID 363



This session is designed to assist the Functional Security Officer in Human Resources with:

• Initial set-up of the Banner HR security
• Offer pointers for on-going maintenance.
• Go over security issues of specific interest




• Getting Started
• Banner HR Security
• The Auditor is coming! The Auditor is coming!
• Questions



The Ideal Banner Security Officer

Banner access must be handled with care. The correct access can help avoid errors and will definitely help with the maintenance of data integrity for your institution.

The Ideal Banner Security Officer will be:

• Familiar with departmental processes.
• Familiar with departmental and university hierarchy.
• Organized.
• Comfortable in Banner or, if new to Banner, comfortable navigating various types of software.
• A problem solver, able to research problems through to an eventual solution.

Don’t forget to designate a back up!


Approvals and Security Committee

The Approval and Security Committee will meet regularly to determine university policy regarding naming conventions and protocols, extraordinary access requests, and brainstorm security-related problems to find solutions.

The committee should include:

• IT representative in charge of higher level security
• Data Base Administrator(s)
• Security Officers for all Banner modules (HR, Finance, Student, Advancement)




Security Request Form

The Security Request Form is extremely important because it allows you to document the access that you are granting. You should design your form to meet your needs.

Make sure to include all the control points that you have in place. For example:

• Contact information for the employee and supervisor
• Type of employee requesting access
• Class access requested
• Form/object access requested
• Employee class requested





Banner security is maintained through BANSECR, which is an Oracle ID that runs the GSASECR form. This system runs independently of Banner and does not appear on any Banner menu.

There is a BANSECR system for every instance of Banner that runs at your institution (for example, production, test, training). Security has to be set up on BANSECR separately for each Banner instance.

It is to the advantage of the institution for BANSECR security to be controlled by a minimal number of employees. At FAU it is controlled by an IT representative who determines the appropriate BANSECR defaults and access for Security Officers to limit control.

Because BANSECR is shared by all Security Officers, care should be taken to develop protocols.





The Users tab on GSASECR has multiple functions. It can be used to create, alter, delete, or modify a user account, or obtain a summary of user objects.

When setting up a user account remember to use a standard protocol for user account names and passwords.

Beware of the copy feature! If you have users with access to various modules of Banner, be careful with the copy feature because it is easy to copy access to a different module in error.

The ability to lock and unlock accounts is very useful. There are several ways an account can lock up, so be wary when asked to unlock an account and reset a password. The lock feature is good if there has been a change in status of a user and you are not sure if access needs to be modified.




You should limit granting direct access to objects. Direct access is difficult to maintain and does not offer as much control of object access.

Pay close attention to roles when granting access to objects. Different objects are set up with different defaults. Be very aware when granting access to determine whether the user should have query access or maintenance access.

Be aware that if a user is enrolled in several classes that define the same object with different role suffixes, the maintenance privilege will always take precedence over the query privilege.




Banner classes are groups of objects (screens) and are used to control access. They are grouped based on module and function.

Delivered classes are developed by SCT SunGard. Before using a delivered class make sure that the objects in a given class sync with the functionality of your unit.

You may customize classes based on your University’s organization and department functionality. If you choose to customize classes, develop a naming protocol.



The class structure in BANSECR is a very useful tool for Security Officers. For example, you can add one object to a class and it will automatically add the object to all users with access to that class. The alternative would be to grant direct access to each individual user, which would be labor intensive and make maintenance difficult.

Remember when setting up a user using classes, they must have access to common utilities.





Use of the Objects tab in BANSECR is infrequent but very necessary.

Reports that are accessed through Banner are assigned object names and have to be added to the object list in order to grant access to users through classes or direct access.

Be careful when you add an object that you assign the appropriate default role.

When you have upgrades be aware that you may have to add objects in BANSECR.

The objects list is a good place to look when troubleshooting access issues.





A User must be set up in PTRUSER in order to access Banner HR objects.

Access to institutional codes, employee class codes, and org codes cannot be granted until the user is set up in GSASECR and in PTRUSER.

Take care in granting master access to employer (if applicable), employee classes, and department orgs.

Take care in granting Superuser and Administrative access to web based programs.







The PSAEMPR form allows you to limit access to specific institution codes.

The PSAECLS form allows you to limit access to specific employee classes or groups. This is useful if you want to limit one group to view only student employees and one to view all non-student employees.

The PSAORGN form allows you to identify specific org codes representing home orgs and timekeeping orgs to specific people. This is very important when determining who should see which Human Resources records.

Remember that the org defined in the labor distribution is not an HR security access org.




The GOAEACC form does not necessarily have to be maintained by the Security Officer. However, because the Security Officer is aware of User changes they are the most logical candidate to maintain this form.

At FAU we found that it was only useful to maintain the GOAEACC form when we started using electronic processing such as EPAFs.



Higher Level Set Up for BANSECR

The first line of access control is controlling who has access to BANSECR and to the related behind-the-scenes tables in Banner. This access should be limited to as few people as possible and should be controlled at the IT level of your institution.

Access should be controlled at the IT level.

Controls should be in place to track who is granted access and to maintain the access.


Access Control

The Security Officer needs to have a very good understanding of the different overall roles and functions of different level jobs at the university. They also need to be aware of who is authorized to approve access levels in different departments.

The Auditor is going to review access granted to make sure that there is no conflict of interest. For example, the person who inputs the employee so that they can get paid should not be the same person who authorizes payment. When setting up the classes in BANSECR be very aware of maintenance access vs. query access to powerful screens.
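The review described above, combined with the earlier rule that maintenance takes precedence over query when classes overlap, can be run as a report before the Auditor asks for it. This is an added example, not code from the presentation or from Banner: the class, object and user names are constructed, and it assumes role names ending in `_M` (maintenance) or `_Q` (query).

```python
from collections import defaultdict

# Constructed sample data: class, object and user names are hypothetical.
# Assumed convention: role suffix _M = maintenance, _Q = query.
CLASSES = {
    "HR_ENTRY_C":   {"OBJ_PAY_ENTRY": "BAN_DEFAULT_M", "OBJ_PAY_APPROVE": "BAN_DEFAULT_Q"},
    "HR_APPROVE_C": {"OBJ_PAY_ENTRY": "BAN_DEFAULT_Q", "OBJ_PAY_APPROVE": "BAN_DEFAULT_M"},
    "HR_QUERY_C":   {"OBJ_PAY_ENTRY": "BAN_DEFAULT_Q"},
}
ENROLLMENTS = {
    "ASMITH": ["HR_ENTRY_C", "HR_QUERY_C"],
    "BJONES": ["HR_APPROVE_C"],
    "CLEE":   ["HR_ENTRY_C", "HR_APPROVE_C"],  # enrolled on both sides
}
DIRECT_GRANTS = {"BJONES": {"OBJ_PAY_ENTRY": "BAN_DEFAULT_M"}}  # direct object access
# Object pairs one person must not maintain together (entry vs. authorization).
CONFLICTS = [("OBJ_PAY_ENTRY", "OBJ_PAY_APPROVE")]

def privilege(role):
    return "M" if role.endswith("_M") else "Q"

def effective_access(user):
    """Return {object: (privilege, sources)}; maintenance beats query."""
    found = defaultdict(list)
    for cls in ENROLLMENTS.get(user, []):
        for obj, role in CLASSES[cls].items():
            found[obj].append((privilege(role), cls))
    for obj, role in DIRECT_GRANTS.get(user, {}).items():
        found[obj].append((privilege(role), "DIRECT"))
    result = {}
    for obj, grants in found.items():
        best = "M" if any(p == "M" for p, _ in grants) else "Q"
        result[obj] = (best, sorted(src for p, src in grants if p == best))
    return result

def audit():
    """List (user, object_a, object_b) where one user maintains both sides."""
    findings = []
    for user in sorted(set(ENROLLMENTS) | set(DIRECT_GRANTS)):
        acc = effective_access(user)
        for a, b in CONFLICTS:
            if acc.get(a, ("",))[0] == "M" and acc.get(b, ("",))[0] == "M":
                findings.append((user, a, b))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print("conflict:", finding)
```

The sources list shows where the winning privilege came from, so a finding caused by a direct grant (BJONES) can be told apart from one caused by overlapping classes (CLEE).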



Access Control (continued)

Control access to validation and rule tables carefully.

Controlling PSAORGN and PSAECLS access is key.

Emphasize to your population that their activity can be tracked. There should be no User ID and Password

Try to limit access to individual objects. It is much harder to police and control individual vs. class



Employee Status Changes

Create a procedure for handling access with regard to employee status changes. It can be tricky when you have multiple Banner products in use. At FAU we have a designated Security Officer that coordinates status changes using reports.

You will need to terminate access on terminated employees in a very timely manner.

When an employee is promoted, reclassified, or reassigned to a different position in the University, their access may require modification.

When employees are on Leave of Absence, lock their accounts.
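One way to turn a status-change report into a work list for the Security Officers, as an added example that is not part of the original presentation: the report layout, status codes and user names are constructed. It goes one step beyond the slide by also flagging accounts that have no row in the HR report.

```python
import csv
import io

# Constructed HR status-change report (layout and status codes are assumptions).
STATUS_REPORT = """user,status
ASMITH,TERMINATED
BJONES,LEAVE
CLEE,REASSIGNED
DKIM,ACTIVE
"""

# Constructed account state per user across Banner modules.
ACCOUNTS = {
    "ASMITH": {"locked": False, "modules": ["HR", "Finance"]},
    "BJONES": {"locked": False, "modules": ["HR"]},
    "CLEE":   {"locked": False, "modules": ["HR", "Student"]},
    "DKIM":   {"locked": False, "modules": ["HR"]},
    "EOLD":   {"locked": False, "modules": ["HR"]},  # not in the HR report
}

def actions(report_text, accounts):
    """Return sorted (user, action, modules) work items."""
    rows = csv.DictReader(io.StringIO(report_text))
    status = {r["user"]: r["status"] for r in rows}
    todo = []
    for user, acct in accounts.items():
        s = status.get(user)
        if s is None:
            todo.append((user, "INVESTIGATE: account without HR record", acct["modules"]))
        elif s == "TERMINATED":
            todo.append((user, "TERMINATE access", acct["modules"]))
        elif s == "LEAVE" and not acct["locked"]:
            todo.append((user, "LOCK account", acct["modules"]))
        elif s == "REASSIGNED":
            todo.append((user, "REVIEW access against new position", acct["modules"]))
    return sorted(todo)

if __name__ == "__main__":
    for item in actions(STATUS_REPORT, ACCOUNTS):
        print(item)
```

Carrying the module list on each work item lets the coordinating Security Officer route the change to every module's officer, which is where multi-product status changes tend to get missed.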




Documentation is your best friend when the Auditor comes.

Require request documents including higher level authorization and approvals.

If you make modifications based on e-mail requests, require that they route the requests through the appropriate authority and save all the e-mails. Keep all files current and orderly.

Create reports regarding access so that you can track all access issues.



Thank You!

Deb Brooks

Florida Atlantic University

Please complete the online class evaluation form

Course ID 363

SunGard, the SunGard logo, Banner, Campus Pipeline, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. Third-party names and marks referenced herein are trademarks or registered trademarks of their respective owners.

© 2007 SunGard. All rights reserved.



