Define Security Group permissions - A summary of the activity

Through this activity, you can define access permissions for all the users of a security group.

Data Level Security: Data Level Security governs the access permissions that different users should have to employee details, while ensuring the restrictions and safeguards needed to prevent indiscriminate user access to, and manipulation or misuse of, sensitive employee information.

Through this activity, you can set access permissions that allow a user to work with only the restricted set of employee details that is relevant to him/her. The access permissions to employee details are given to a user based on his/her user-role combination and not on an individual basis. Thus the same user can have different access permissions for his/her different login roles, business process chains etc.

Note that an organization can choose whether or not to have data level security permissions. You can set access permissions to employee details through this activity only if the choice has been made to have data level security permissions.

User-Role Specific Access Permissions: Login-role specific access permissions imply that, for a specific login role, a user should have access permissions to the employee details of only the required set of employees.

For a login user-role-business process chain combination, you can set access permissions to employee details based on the following variables:

When you specify values for the details listed above, you achieve the twin purposes of channeling access permissions to the targeted set of employees and preventing indiscriminate user access to sensitive employee information. For example, if you set the permissions for all employees who are reporting to the selected user for a specific login role-business process chain combination, the user will have access permissions to the employee details of only those reporting employees. Further, you can specify values for details such as the employment unit, department, and job level from and to, to narrow generic access permissions down to a more specific and exclusive target set of employees.

Access Permission Type and Level of Span of Control: The access permission type indicates whether the permissions given to the user cover only viewing the employee details or are full permissions to add, edit or delete the information as needed. For example, the same user may have read-only access permissions to all employees in a department for a specific login role and full permissions in the case of all reporting employees for another login role. The degree and type of access permissions are conditioned by the components deployed in the login organization unit and the activities mapped to the login role of the user.

Level of span of control indicates how far the access permissions set for the user should reach, for example, one level, two levels etc., down the administrative hierarchy in the organization.

The system also gives the flexibility to exclude access permissions to view, add or edit one’s own details, as well as to include or exclude one or more employees from the set of employees for whom permissions are set for the user. Moreover, it is also possible to exclude a particular combination of employment unit, work location, department, job, position, grade set-grade, job level and business unit while granting access permissions to the user for other combinations of these entities.

Rule Based Access Permissions: The employee assignment set on which the user should have permissions could also be arrived at by defining a security rule. An example of a simple security rule could be:

“User named ‘Margaret’ for her login role as ‘Administrator’ for the Business Process chain ‘Leave’ has permissions on all employees with Job level greater than or equal to 5.”

This rule would give Margaret permissions to confirm leave (provided the application security has enabled ‘Confirm Leave’ as a left pane activity for the login role ‘Administrator’) for all leave applications raised by employees with Job Levels greater than 5 defined in all the Employee Information Component-Org. Units that are interacting with the Security Definition component.

Stored Procedure Builder: You can also define a new as per need using the stored procedure builder. All features applicable to a stored procedure builder would be available here.

Adding employees as exceptions: This feature facilitates granting access permissions to the user with regard to employees who are not part of the employee set that pertains to the specified employment unit, Work Location, Department, Job, Position, Grade Set-Grade, Job Level and Business Unit combination. The date till which the user should have permissions on the employee assignments can also be specified.
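The following is an added example, not code from the product: a small Python model of how a permission keyed on user, login role and business process chain could be evaluated, combining permission type, span of control, the quoted Margaret rule, exclusions and dated exceptions. All class, function and employee names are hypothetical, and the choices that exclusions override exceptions and that self-access is excluded by default are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, Optional, Set

@dataclass(frozen=True)
class Employee:
    emp_id: str
    job_level: int
    manager: Optional[str]  # emp_id of the direct supervisor, None at the top

@dataclass
class Grant:  # one user / login role / business process chain combination
    access: str                                        # "view" or "full"
    span_levels: int = 0                               # levels down the hierarchy
    rule: Optional[Callable[[Employee], bool]] = None  # rule-based employee set
    exclude_self: bool = True                          # assumed default
    excluded: Set[str] = field(default_factory=set)
    exceptions: Dict[str, date] = field(default_factory=dict)  # emp_id -> valid until

def levels_below(user, emp, staff):
    """Reporting levels from emp up to user, or None if emp is not under user."""
    depth = 0
    while emp is not None and emp.manager and depth < len(staff):  # bound stops cycles
        depth += 1
        if emp.manager == user:
            return depth
        emp = staff.get(emp.manager)
    return None

def allowed(grants, staff, user, role, chain, target, action, today):
    grant = grants.get((user, role, chain))
    if grant is None or target not in staff:
        return False                                   # default deny
    if action != "view" and grant.access != "full":
        return False                                   # read-only grant
    if target in grant.excluded or (grant.exclude_self and target == user):
        return False                                   # exclusions win (assumption)
    until = grant.exceptions.get(target)
    if until is not None and today <= until:
        return True                                    # unexpired exception
    depth = levels_below(user, staff[target], staff)
    in_span = depth is not None and depth <= grant.span_levels
    return in_span or (grant.rule is not None and grant.rule(staff[target]))

# Constructed sample data; only Margaret's rule comes from the text above.
STAFF = {e.emp_id: e for e in [
    Employee("margaret", 7, None), Employee("ravi", 5, "margaret"),
    Employee("lena", 3, "ravi"), Employee("omar", 6, None), Employee("tess", 2, None)]}
GRANTS = {
    ("margaret", "Administrator", "Leave"): Grant("full", rule=lambda e: e.job_level >= 5),
    ("margaret", "Manager", "Leave"): Grant("view", span_levels=1,
                                            exceptions={"tess": date(2024, 6, 30)}),
}
```

The same user gets different answers for the same employee depending on the login role, and an expired exception falls back to the regular span and rule checks instead of granting access.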

Modifying employee list: Through the modify employee list feature, you can view the entire list of employees for whom access permissions have been set for the user. The basis on which each employee assignment is mapped to the user, either by exception or by regular permissions, is also displayed. Employees can be made inactive from the list, or the date till which the user has permissions on the employee assignment can be specified.

Refresh Security Details: You can use this feature to repopulate the employee list for a particular user.

Typical situations that require refreshing security details:

Change in the value of the DLS parameter ‘Data Level Security Permissions –Enabled’ (YES/NO).

Getting familiar with the pages inside

Go to page… to carry out task:

Define Security Group Permissions: Defining the access permissions for the security group.

View Users of the Group: Viewing the details of the users who constitute the security group.

Maintain Stored Procedure: Defining a new rule based on which access permission should be given to users of the security group.

Business Rules Security Permissions: Setting the security permissions for business rules.
