security administration application user guide

Post on 16-Mar-2022


Security Administration Application User Guide

Integrated Statewide Record System (ISRS) User Guide Security Administration Application

Last Updated 5/2/2018

Contents

Introduction
Types of Security Users
Security
How to Access Security Administration
Navigation
Security Rights
  Web Security Search
  Uniface Security Search
How to search for Uniface Security Roles
Activate Uniface Account
Add or Remove Security
  Add Security
  Remove Security
  Ending all Uniface Security
Incompatible Security
  Users with Incompatible Security
  Users With Incompatible Security Search
  My Incompatible Security
Comments
Approval Manager
  Activate a Uniface Account
  How to Add Security for an Individual
  Approve or Deny Security Requests
  Additional Security Requirements
  Recertification
  User Maintenance
  Search for a Person or Non-Person
  Approval Manager Audit Query
  View Request History
Approval Manager Search
  Search by Approval Group
  Search Web Roles
  Search Uniface Groups
Institutional Security Manager
  How to find an Institutional Security Manager
  How to add an Approval Manager
  How to end an Approval Manager Assignment
  Approval Manager Audit Query
Supervisors
Glossary of Terms
Other Resources
Need Help?

Introduction

The Security Administration application is a web-based application that allows online requesting and approval of security roles for users. It has the following goals:

• Allow a college/university to process their own security, eliminating paper forms.

• Allow users to request security and designated persons (Approval Managers) to approve or deny the request. Approval Managers may activate Uniface security and enter Uniface or Web security on behalf of the user.

• Allow security to be granted for a fixed period of time, for example, when someone is filling in for a co-worker.

• Provide a process where Approval Managers may review and recertify security on an annual basis.

• Provide information when a user is being given incompatible security roles.

• Provide an audit trail showing security requests and who approved or denied the request.


Types of Security Users

There are different types of security users, defined as follows:

• Security Administrator (at the Minnesota State System Office): These employees enter Institutional Security Managers into the system from a paper form signed by the president of a college/university. They can also assign System Office employees to special system-wide roles. If necessary, these employees may act as an Approval Manager or Security Manager for any institution.

• Institution Security Manager: These employees are appointed by the president of their college/university and manage Approval Manager access for their campus or university by adding and end dating Approval Groups assigned as necessary.

• Approval Manager: These employees at an institution manage security for their Approval Group. They can enter security for users and approve or deny requests from users. They are responsible for recertifying security by December 31st each calendar year.

• HR Multi-Institution Managers (at the System Office): When Human Resource security is given to a person that is not a current employee of the college/university, the System Office Human Resource unit must approve the request. After the college/university Approval Manager approves the request, the System Office Human Resource unit must also approve the request.

• ISRS User: Minnesota State employees, students, or users of 3rd party products who need access to the ISRS system to do their job.

• Supervisors: Faculty and staff supervisors may review and, if necessary, end security roles for their employees by going to Supervisor View under the Supervisor tab on Employee Home.

Security

All employees who have access to Employee Home will have access to the Security Administration application. An Approval Manager for the Approval Group where the Web Role or Uniface Group exists will approve or recertify security requests. The Institutional Security Manager (ISM) at your institution assigns Approval Managers to each Approval Group.

NOTE: Students do not have access to Employee Home.

How to Access Security Administration

1. Go to the Employee Home page at: https://eservices.minnstate.edu/employee/public/secure

2. Enter your StarID and password and click on Login.

3. Select the Security Administration link under the Employee Applications


Navigation

Dashboard - The dashboard allows all users to view their current Web or Uniface security. Click on either Web or Uniface under Dashboard on the menu to access the page. When you initially log in, or upon returning to the dashboard, the security list is collapsed; you can expand it by clicking the expansion arrow. Your current, pending, and future Web Roles and your Approval Groups (if applicable) will be displayed.

If you select My Web Roles you will see a list of all of the web roles that are currently active. Above that list are icons that will allow you to Add Web Roles, Remove Web Roles, or View All Web Request History. See the sections below for details on each of these options.

Approval managers will have a section titled My Work on the dashboard page. In this section, they will see pending requests made by users, and a link to approve or deny the request. In addition, an approval manager will have a My Approval Groups section that provides a list of all of the uniface groups or web roles that they have been assigned as an approval manager.

Security Rights - Allows you to search for web roles or uniface groups and to view related groups, screens, reports or web permissions, depending on the search parameters used. See the Security Rights section below for detailed information.

Incompatible Security - Some roles or groups are incompatible with other roles or groups because they would allow a user to perform unauthorized acts without detection. For example, a Cashier may not have Tuition Waiver security. A user that has these two security groups could take receipts, steal them, and conceal the act with a Tuition Waiver. The System Office business units, along with representatives from the colleges and universities, determine which Web Roles and Uniface Groups are incompatible and why. In some cases, you are not permitted to have the incompatible security. In other cases, you would receive a warning when granting them. All users of the system can view incompatible roles and groups. See the Incompatible Security section for additional details.

Approval Managers – Allows you to search for approval managers for web roles or uniface groups. You may search by Approval Group, Web Role name or Uniface Group name.

All users of the system can search for an Approval Manager.

Security Rights

Web Security Search

The Web option allows you to view web roles and web permissions. A Web Permission is a specific business function that a user can perform within an ISRS Web application such as entering a Payment Voucher.

You may enter all or part of a Web Role, Permission or Report Name or Number in the Role, Permission or Report Name/Number filter. The system always assumes a wildcard (*) at the end of the entry, but you may also enter a wildcard character anywhere within the name. Clicking Search will return Web Roles that match the name entered, as well as any Web Roles that contain Web Permissions or Web Reports that match the name entered. If an Approval Group was selected, the search results will also be limited to the Approval Group selected.

Uniface Security Search

The Uniface option allows you to access the Uniface Group Search page to view Uniface Groups and their corresponding permissions, screens and reports. You can also find a Uniface Group and view the Screens and Reports within the group.

To search for a Uniface Group, select Uniface under the Security Rights menu. On the Uniface Group Search page, the Approval Group filter allows you to limit the results to the selected Approval Group. Clicking search will return all Uniface Groups in the selected Approval Group.

You can also enter all or part of a Uniface Group, Screen Title, Screen Number, Report Name or Report Number in the Group, Screen or Report Name/Number filter. The system always assumes a wildcard (*) at the end of the entry, but you may also enter a wildcard character anywhere within the name. Clicking Search will now return Uniface Groups that match the name entered, as well as any Uniface Groups that contain Uniface Screen Titles, Screen Numbers, Report Names or Report Numbers that match the name entered. If an Approval Group was selected, the search results will also be limited to the Approval Group selected.

How to search for Uniface Security Roles

To look up the security roles needed for a particular Uniface screen, complete the following steps in the Security Administration application:

1. Go to Security Rights in the left navigation and select Uniface.

2. In the Group, Screen, Report Name/Number field, type in the screen you are working with; in this example it is the ST1100UG.

3. Click on Search.

4. A list of Uniface Group Numbers will display. For each item in the list, if you click on the arrow under the Screens/Reports column, you will see a list of screens and reports you have access to if you have that security, along with the type of security (update, view only, etc.) for the screens. Since the ST1100UG in this example is a tabbed screen, the level of access for the screen/reports will give you the same access for all of the screen tabs.


NOTE: The binocular icon on the page will allow you to see who the Approval Manager(s) are for the Web Role or Uniface Group.

Activate Uniface Account

The process to request and obtain Uniface security for certain ISRS administrative applications changed to a web-based process on November 16, 2017. The new process will require the StarID owner or an Approval Manager to log into the Security Administration web application and activate a Uniface account and request security groups.

NOTE: The previous process, which included a paper form that was submitted via email to SO-ACCOUNTLIFECYCLETEAM, is no longer in effect and that form has been removed from the website. The link on the website will direct a person to log into the Security Administration application, as outlined below.

NOTE: Students will not have access to Security Administration. Approval managers will need to complete the following steps for student employees.

Follow these steps to request a Uniface account:

1. Access the Security Administration application at https://admin.mnstate.us/security-admin/ .

2. Log in with StarID/password. NOTE: If you have associations with more than one institution, you will need to select the appropriate institution where security is needed.

3. Select Uniface under the Dashboard heading.

4. If the message “No Uniface Accounts Found. Click here to create one.” appears on the screen, click on the here option to request a Uniface account.

5. A message will appear on the screen to indicate that the account was created.

6. You may then request security for one or more Uniface Groups.

NOTE: Before requested Uniface Groups become active, the approval manager(s) at your institution must approve the request. Once approval has been granted, you will receive an e-mail notification. You may log into the Uniface desktop application after approval has been granted.

Add or Remove Security

Any user may request that security be added or removed from an account at any time. This request is made using the Add or Remove icons on the Uniface or Web Dashboard. These same steps may be completed by an approval manager at the institution.


Add Security

These are the steps any ISRS User or an approval manager would follow to enter a request for security.

1. Select Web or Uniface from your Dashboard menu.

• For Uniface security expand your Uniface Accounts list by clicking the triangle after 'My Uniface Accounts', then expand the list of security for your current Uniface Account by clicking the triangle after the account name or your StarID.

• For Web security expand the list of your security by clicking the triangle after My Web Roles. To add security, click the green icon above or below the list of your current security to open the security Search screen. If you know the Approval Group where the security is, select it from the list; otherwise leave it at the default of All. If you know the security name, screen number, report name or number, enter all, or part, of it in the field displayed and click Search.

2. From the search results list, click the check box before each security name you are requesting.

3. Click the 'Add checked security' link found above and below the results list to open the Request to Add security screen.

4. If there are any Incompatible Security combinations, a message is displayed for your information. If this message is a Warning, you may continue. If it is an Error, you cannot have both security items listed in the message and you must remove one from your request list, or remove it from your current security list.

Available Options

• Change the Start Date to a later date if desired. The Start Date cannot be after the End Date.

• Change the End Date to an earlier date if desired. The End Date cannot be before the Start Date. The End Date may not be set to a later date.

• Click the green plus icon to request additional security to the list.

• Click the triangle in the Comments column to add a comment to your request.

5. When all security is in the list, and no Error messages are displayed, click Save to submit the request(s).

6. If there are Warning messages, a verification box is displayed where you must select either Yes or No to proceed.


7. At this point, an email is sent to all Approval Manager(s) responsible for the Groups in your request. You can use the Approval Managers menu to find out who the Approval Manager(s) are for any Approval Group. The email will be sent to the first address found for each Approval Manager from the following email address types:

• S - Institutionally Managed Staff/Faculty for the institution where the request occurred.

• W - Work email address.

• T - Institutionally Managed Student email address for the institution where the request occurred.

• P - Personal email address.

• ALL T - ALL Institutionally Managed Student addresses for institutions other than where the request occurred. If there is more than one institution, then it will be sent to ALL since it will be sent to an address that belongs to an institution other than where the request occurred.

8. Your Dashboard will be opened with your security requests having a Pending status. If the Approval Manager approves the request and the Start Date has passed, the security request will change to an Active status.

Remove Security

An employee may remove security for their own Uniface or Web security records by completing the steps below. In the event that the employee is unable to remove security, the Approval Managers at the institution have the ability to remove some or all of an employee or student’s security at any time. When a role changes or an employee leaves, the Approval Manager is tasked with removing security for the roles they manage for that person. There is a UT007CP Staff Changes report that is sent to Approval Managers every two weeks to alert them to staffing changes such as a separation.

In addition, faculty and staff supervisors may review and, if necessary, end security roles for their employees by going to Supervisor View under the Supervisor tab on Employee Home. All current and future ISRS security rights for each employee they supervise are displayed. Supervisors should regularly review ISRS access levels of each of their employees and, if necessary, end date some or all of them. If a supervisor ends security rights, the employee and the Approval Manager will receive an email that the rights have been ended. See the Supervisor Tools Quick Resource Guide for additional supervisor information.

These are the steps any ISRS User (employee or student employee) or an approval manager would follow to submit a request to remove security.

1. Select Web or Uniface from your Dashboard menu.


• For Uniface security expand your Uniface Accounts list by clicking the triangle after 'My Uniface Accounts', then expand the list of security for your current Uniface Account by clicking the triangle after the account name or your StarID. To remove security click the red icon to open the Request To Remove Security page.

• For Web security expand the list of your security by clicking the triangle after My Web Roles. To remove security, click the red icon above or below the list of your current security to open the Request to Remove Web Security Roles page. If you know the Approval Group where the security is, select it from the list; otherwise leave it at the default of All. If you know the security name, screen number, report name or number, enter all, or part, of it in the field displayed and click Search.

2. Enter either an End Date, or click the End Now box. Using an End Date will leave the security active until the end of the date entered. Using the End Now option will remove the security as soon as the request is approved.

Optional: Click the triangle in the Comments column to add a comment to your request.

3. When all security you want to remove has an End Date or has the End Now box checked, select the Remove button to submit the request(s).

4. A verification window is displayed where you must select either OK or Cancel to proceed.

5. At this point, an email is sent to all Approval Manager(s) responsible for the Approval Group(s) in your request. The email will be sent to the first address found for each Approval Manager from the following email address types:

• S - Institutionally Managed Staff/Faculty for the institution where the request occurred.

• W - Work email address.

• T - Institutionally Managed Student email address for the institution where the request occurred.

• P - Personal email address.

• ALL T - ALL Institutionally Managed Student addresses for institutions other than where the request occurred. If there is more than one institution, then it will be sent to ALL since it will be sent to an address that belongs to an institution other than where the request occurred.

6. Your Dashboard will be opened with your Delete type request(s) having a Pending status. If the Approval Manager approves the request and the End Date has passed, the security will drop off your security list.


NOTE: If a user has entered a request and an Approval Manager has not acted upon it, the user can delete the pending request. They will see a delete icon next to any Pending request in the list of current security.

Ending all Uniface Security

When all of a user's Uniface security is ended, their Uniface Account is automatically disabled. An Inactive Uniface Account message is then displayed on the Uniface Dashboard.

To regain access, the employee or an approval manager must reactivate the Uniface account.

NOTE: There are 2 ways to avoid having an employee's Uniface account deactivated when they continue to need Uniface security (i.e. employee position change):

1. Do not use the End Now option when ending the user’s security. This allows you to add new Uniface Groups before the end of the day. As long as the employee has 1 active Uniface Group, their Uniface account will remain active.

2. Add at least 1 new Uniface Group to the user before ending their existing security. Be sure not to use the End All Now option so you don’t end the new security too.

Incompatible Security

Some roles or groups are incompatible with other roles or groups because they would allow a user to perform unauthorized or illegal acts without detection. The System Office business units, along with representatives from the colleges and universities, determine which Web Roles and Uniface Groups are incompatible and why. The Users With Incompatible Security search and Your Incompatible Security screens are used by Institution Security Managers and Approval Managers to identify potential risks.

Users with Incompatible Security

To view users with incompatible security, select Incompatible Security from the menu. You can limit the search to a particular Approval Group or view Incompatible Security for all Approval Groups. The results are displayed in a table which shows the Web Role or Uniface Group, the Incompatible Web Role or Uniface Group, severity (Not Allowed or Warning), and the reason they are incompatible.

Incompatible Security privileges present a risk to a college/university internal control system and must be managed carefully. If a user is granted incompatible security, then the mitigating controls to prevent the risk should be documented on the security request.

You can search by All, Mitigation, or No Mitigation. The default is All.

• All = all incompatible security. This includes incompatible security that has a mitigating control and ones that do not have a mitigating control. You can enter, update, or delete a mitigating control from here.

• Mitigation = incompatible security which has a mitigating control. You can update or delete a mitigating control from here.

• No Mitigation = incompatible security which does not have a mitigating control. These incompatibilities should either be eliminated or you should establish a mitigating control for them. You can enter a mitigating control from here.

The results of this search include User Name, the names of the two incompatible Web Roles or Uniface Groups, the level of incompatibility (Warning or Not Allowed), a link to the incompatibility reason (binocular icon), and the risk level of the incompatibility. If there is a mitigating control, you can view, update or delete it. If there is not a mitigating control, you can enter a mitigating control. Only an Approval Manager may maintain a mitigating control. The search results may be downloaded into Excel for further processing and record keeping if desired.

Approval Managers should view this query often and take action if there are any incompatibilities without documented mitigating controls.

NOTE: This report needs to look at all security rights for all users within the selected Approval Group or entire institution. As a result, running it for All Approval Groups may take additional time for the results to return. If it seems to be taking too long (more than a minute), you may want to try again, limiting your search to a specific Approval Group.

NOTE: For ERROR level incompatibilities, you are not able to enter mitigating controls. For these combinations, one security group/role should be removed. It is redundant to have the combination.
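The same review can be repeated offline against exported assignments. The script below is an added example, not code from the Security Administration application: the role names, rule table, users, dates and mitigation text are all constructed, and it assumes the ERROR level in the note above corresponds to the Not Allowed severity. It flags a pair only when both assignments are held at the same time.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    user: str
    name: str    # Web Role or Uniface Group name
    start: date
    end: date


@dataclass(frozen=True)
class Finding:
    user: str
    pair: tuple              # the two incompatible names, sorted
    severity: str            # "Warning" or "Not Allowed"
    reason: str
    mitigation: Optional[str]


# Constructed rule table: every name and reason here is hypothetical.
RULES = {
    frozenset({"EX_AP_ENTRY", "EX_AP_APPROVE"}): ("Warning", "enter and approve the same payment"),
    frozenset({"EX_VENDOR_MAINT", "EX_AP_APPROVE"}): ("Warning", "create a vendor and approve its payment"),
    frozenset({"EX_HR_UPDATE", "EX_HR_INQUIRY"}): ("Not Allowed", "redundant combination"),
}


def overlaps(a, b):
    """Security is incompatible only while both assignments are held at once."""
    return a.start <= b.end and b.start <= a.end


def find_incompatibilities(assignments, rules, mitigations):
    """Return one Finding per user and incompatible pair with overlapping dates."""
    by_user = {}
    for a in assignments:
        by_user.setdefault(a.user, []).append(a)
    findings, seen = [], set()
    for user in sorted(by_user):
        for a, b in combinations(by_user[user], 2):
            rule = rules.get(frozenset({a.name, b.name}))
            pair = tuple(sorted((a.name, b.name)))
            if rule is None or not overlaps(a, b) or (user, pair) in seen:
                continue
            seen.add((user, pair))
            severity, reason = rule
            # Assumption: Not Allowed pairs never carry a mitigating control.
            control = None if severity == "Not Allowed" else mitigations.get((user, pair))
            findings.append(Finding(user, pair, severity, reason, control))
    return findings


def search(findings, mode="All"):
    """Mirror the All / Mitigation / No Mitigation filter."""
    if mode == "All":
        return list(findings)
    if mode == "Mitigation":
        return [f for f in findings if f.mitigation]
    if mode == "No Mitigation":
        return [f for f in findings if not f.mitigation]
    raise ValueError(f"unknown search mode: {mode!r}")


def required_action(finding):
    """Follow-up an Approval Manager owes for one finding."""
    if finding.severity == "Not Allowed":
        return "remove one role or group"
    if not finding.mitigation:
        return "enter a mitigating control or remove one role or group"
    return "none"


Y = 2018
SAMPLE = [  # constructed users and dates
    Assignment("user_a", "EX_AP_ENTRY", date(Y, 1, 1), date(Y, 12, 31)),
    Assignment("user_a", "EX_AP_APPROVE", date(Y, 3, 1), date(Y, 12, 31)),
    Assignment("user_b", "EX_VENDOR_MAINT", date(Y, 1, 1), date(Y, 6, 30)),
    Assignment("user_b", "EX_AP_APPROVE", date(Y, 7, 1), date(Y, 12, 31)),  # never overlaps
    Assignment("user_c", "EX_HR_UPDATE", date(Y, 1, 1), date(Y, 12, 31)),
    Assignment("user_c", "EX_HR_INQUIRY", date(Y, 1, 1), date(Y, 12, 31)),
    Assignment("user_d", "EX_VENDOR_MAINT", date(Y, 1, 1), date(Y, 12, 31)),
    Assignment("user_d", "EX_AP_APPROVE", date(Y, 1, 1), date(Y, 12, 31)),
]
MITIGATIONS = {  # constructed mitigating-control text, keyed by (user, sorted pair)
    ("user_a", ("EX_AP_APPROVE", "EX_AP_ENTRY")): "Supervisor reviews the monthly payment report",
    ("user_c", ("EX_HR_INQUIRY", "EX_HR_UPDATE")): "ignored: pair is Not Allowed",
}

if __name__ == "__main__":
    for f in search(find_incompatibilities(SAMPLE, RULES, MITIGATIONS), "No Mitigation"):
        print(f.user, f.pair, f.severity, "->", required_action(f))
```
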

Users With Incompatible Security Search

This query is available to Approval Managers, Institution Security Managers, and the Security Administrators. Click on the User Incompatible Security under the Incompatible Security Menu. You can limit the results to records that have a mitigating control, records that have no mitigating control, or all records (ones with and without a mitigating control); to a single Approval Group or all Incompatible Security for the entire college/university; or to a specific person.

The characters << >> around either the User Name, User Id or Tech ID indicate a problem with the user's Uniface account. A bubble icon is displayed next to these records; hovering over it displays what the issue is and how to resolve it. Approval Managers should review these individuals and either inactivate the user's Uniface security or follow the message instructions to resolve the issue.

My Incompatible Security

Click on this menu item to see any incompatible security rights that are in place for you. All users of the system may view their own Incompatible Security rights.

Comments

Comments allow you to document other information about a security request. Comments may be used to note the reason for a security request, or an approval manager may note the reason that a request was denied. The view and edit comments page is accessed by clicking on its icon from any page that displays your Web roles or Uniface groups, such as the Dashboard or Add a Role page.

In order to preserve the integrity of the comments, they may only be added or deleted in certain circumstances. Any user can enter a comment when requesting security. This person can add another comment, edit or delete their comments until the Approval Manager has approved or denied the request, or added a comment of their own. Once one of these actions occurs, the user can only view comments. The Approval Manager can continue to add, edit, or delete their own comments except in one case. If the request requires review by the System Office Human Resource unit, the Approval Manager can no longer add, edit, or delete comments once the Human Resource staff approve or deny the request or add a comment. No one can edit or delete the comments entered by another person.

Approval Manager

An Approval Manager must be set up for the Approval Group where a Web Role or Uniface Group exists. The Institutional Security Manager (ISM) at your institution assigns Approval Managers to each Approval Group.

NOTE: The Security Administration system does not allow Approval Managers to approve their own security. This means an alternate Approval Manager for the Approval Group must approve security for them. If there are no alternate Approval Managers for the group, the Institutional Security Manager will need to assign one to the Approval Group so the approval may be completed.

Activate a Uniface Account

As an approval manager, you may activate Uniface security and enter Uniface or Web security on behalf of the user. Students/graduate assistants do not have access to Employee Home to request security through the Security Administration application. Follow these steps to activate a student's Uniface account:

1. Access the Security Administration application at Employee Home or directly at https://admin.mnstate.us/security-admin/.

2. Log in with StarID/password. NOTE: If you have associations with more than one institution, you will need to select the appropriate institution where security is needed.

3. Go to User Maintenance, and select Uniface under the Dashboard heading.

4. Search for the student by entering name or Tech ID; uncheck Display Employees Only if searching for a student.

5. Select the student from the search results.

6. Click the arrow next to Uniface. If the message “No Uniface Accounts Found. Click here to create one.” appears on the screen, click on the here option to create a Uniface account.

7. A message will appear on the screen to indicate that the account was created.

8. You may then enter security for applications where you are an approval manager.

How to Add Security for an Individual

1. On the Security Admin Home page under User Maintenance, click Uniface if the security is for the ISRS Uniface system. Click Web if the security is in any of the ISRS Web based administration systems (i.e. Accounting, Communications).

2. If the individual is not at your institution, change the Search Institution drop down list to the one where the individual works:

3. If the individual is a person in the system, you can search either by their name or their Tech ID at the selected institution. Click the desired search Option:

4. On the User Search Page, enter the last name of the individual needed and click Search. If the individual is NOT an employee (i.e. student worker or contractor), remove the check in the Display Employees Only to search all individuals:

5. Click (Select) next to the person’s name:

6. Expand the user's “Web Roles” (or Uniface Groups) section by clicking the black triangle after their Tech ID, then click Add Web Roles (or Add Uniface Groups):

7. On the Web Roles Search (or Uniface Group Search) page, enter all or part of the Web Role (or Uniface Group) you need to add security for. The system will assume a wildcard (*) character at the end of your entry. You can also enter a permission name, report name or report number. When searching for Uniface Groups, you can enter a Uniface Screen Name or Number. Click Search:

8. You can also limit the search to a specific Approval Group. This is done by selecting the Approval Group from the drop down list. Note: The drop down will only display the Approval Groups that you are the Approval Manager for.

9. Check each Web Role (or Uniface Group) to add security, then click the Add checked Web Roles link. Click the balloon icon to display a long description of the Web Role (or Uniface Group); click the black triangle to display a list of all permissions, screens or reports the security provides.

10. On the Request to Add Web Roles (or Request to Add Uniface Group) screen, verify and/or change the Start and End dates for the assignment. The End Date for all security defaults to December 31 for the current year (or next year if Recertification is active). You may not extend the end date, but you can shorten it if desired. You can add a comment to the security if desired by clicking the black triangle after the End Date.

When you are ready, click the Save button:

11. If there are no incompatibilities, a confirmation message is displayed. Since you are the Approval Manager, the request is automatically approved:

12. If any Incompatible Security combinations are created by this request, a warning message is displayed when confirming the start/end dates and a Mitigating Control is required to add the security. To continue, click the Enter Mitigating Controls button:

13. Enter the Mitigating Control and click Save:

Approve or Deny Security Requests

When an employee submits their security request, it is set to a pending status waiting for approval or denial by an Approval Manager. This process allows the Approval Manager to make the decision regarding approval of the request and record their reasoning in the comments field.

Both the Uniface and Web Dashboards have a section titled "My Work" that displays a list of users with pending security requests within your Approval Groups. Complete the following steps to approve or deny requests.

1. Click on a user's Approve/Deny link to display the Security Role Maintenance page where you take action on requests from this user.

2. If the request causes an incompatibility with either a current role or another request, it will be indicated on this page with a yellow icon and you will be required to enter a mitigating control when approving the request.

3. Choose Approve or Deny for each request.

4. You can add a comment to the request by clicking the green plus icon.

5. Click on Save to process your changes.

An email is sent to the user informing them that the requests have been approved or denied. The e-mail will be sent to the first address found for each user from the following email address types:

• S (Institutionally managed Staff/Faculty) address type for the institution where the request occurred. If there is no S (Institutionally managed Staff/Faculty) address at that institution, then the system looks for an S (Institutionally managed Staff/Faculty) address at any institution and sends it to ALL S address types. If there is more than one institution, then it will be sent to ALL since it will be sent to an address that belongs to an institution other than where the request occurred.

• W (Work) address (this e-mail type isn’t institution specific).

• T (Institutionally managed Student) for the institution where the request occurred.

• P (Personal) (this e-mail type isn’t institution specific).

• ALL T (Institutionally managed Student) address types for institutions other than where the request occurred. If there is more than one institution, then it will be sent to ALL since it will be sent to an address that belongs to an institution other than where the request occurred.

NOTE: If an invalid email address is found it will not stop the approval process, but the following message will be displayed so the approver knows the requestor was NOT notified: "The person does NOT have a valid e-mail on file. The person will NOT be notified of this security change." If no email address is found, the following message will display: "This person does NOT have an e-mail on file. The person will NOT be notified of this security change."

Additional Security Requirements

Some Uniface Security Groups require additional security before the user can use the Uniface modules. If a request is for one of these groups, a message is displayed and the email to the user is delayed until the additional security has been added through the Uniface Generic Security or PCS security screens.

Three Uniface modules require additional security granted using the UT0201UG (Generic Security User Profile Maintenance) screen in Uniface. These include:

• Cost Allocation (CA)

• Consumable Inventory (CI)

• Student Payroll (PR)

Only users with the Generic Security Update (GENSECU) Uniface Group can make changes to a user's Uniface account on the Generic Security User Profile Maintenance (UT0201UG) screen. When a user's Uniface account has been updated on the UT0201UG screen, an email is sent to them informing them that their CA, CI or PR security has been granted.

The Purchasing Control System (PCS) also requires additional security which is granted on the PC0004UG (PC User Profile Maintenance) screen.

Only users with the Business Manager (BUSMGR), Purchasing Head (PURHEAD), or Super User (SUPERUSR) Uniface Groups in the Security Admin system and on the PC0004UG screen may make changes to a user's Uniface account on the PC0004UG screen. When a user's Uniface account has been updated on the PC0004UG screen, an email is sent to the user informing them that their PCS security has been granted.

Recertification

ISRS security recertification is an annual process that begins November 1st and ends on December 31st. Approval Managers at each institution must complete the recertification process for each user to extend their security for another year. Users who are not recertified through this process will be unable to perform their assigned business functions on January 1.

User Maintenance

User maintenance allows you to search for a user by Institution, Name, Tech ID, or you may search for a non-person, for example a contractor who is not an institutional employee. The results of your search will be returned at the bottom of the page and will include the person or non-person name, tech id, federal tax id (non-person only), and the college/university associated with the user.

Search for a Person or Non-Person

Approval Managers, Institution Security Managers, and Security Administrators perform processes for many different persons. They must first search for the person or non-person they wish to process. A non-person could be contractors or institution application accounts which access ISRS through one of its web services. Users that are not Approval Managers, Institution Security Managers, or Security Administrators will not use this search.

Clicking on either Uniface or Web under the User Maintenance menu will bring you to the corresponding User Search page.

Since you can grant security to persons from other college/universities in the event you are sharing services, the institution drop-down list contains all the college/universities but defaults to your own.

Approval Manager Audit Query

The system tracks the addition of new Approval Managers and changes to their end dates in an audit table. This process allows Approval Managers, Institution Security Managers, and Security Administrators to view changes for audit or information purposes.

Click on the Audit Data section in the left navigation menu. You can search for data by Date Range or the Tech ID of the user that made the update. The query will return the results sorted by update date in descending order. The operation column tells you the action taken.

• Insert is the addition of the Approval Manager.

• Update means that the end date was changed.

View Request History

The Request History View page allows a user to view all of their past requests and their status. If the System Office business unit has removed a role, the role will appear with a strikethrough to indicate that it is no longer an active role.

Approval Manager Search

The Approval Managers screen allows you to find people that approve security for a particular Web Role or Uniface Group. You can search by Approval Group, Web Role name or Uniface Group name. All users of the Security Administration application can search for an Approval Manager.

Search by Approval Group

Select either Web or Uniface from the Approval Manager menu and the Approval Manager Search screen opens. Next, select the Approval Group from the list displayed and click Search.

A list of all Web Roles or Uniface Groups is displayed. Click on the triangle under Approval Manager Name to find out who the Approval Manager is. Since the Approval Manager is the same for all Web Roles or Uniface groups, you only need to look at one of the search results.

Search Web Roles

To search for an Approval Manager by part of a Web Role, Permission or Report Name/Number, select Web from the Approval Manager menu. The Approval Manager Search window is displayed.

Enter all or a part of the Role, Permission or Report name/number in the field provided. You do not need to select an Approval Group when searching by Web Role, Permission or Report name/number. The system assumes a wildcard at the end of the user entry but you can add a wildcard (*) at the beginning as well. Next click Search and you will see a list of all roles meeting your search criteria. Click on the triangle under the Approval Manager Name for the Role needed to see who the Approval Manager is. Unlike searching by Approval Group, when you search by a Web Role, you may find roles under different Approval Groups, so it is important to select the desired Web Role name to find the correct Approval Manager.

Search Uniface Groups

To search for an Approval Manager by part of a Uniface Group Name, Group Number, Screen Name, Screen Number, Report Name or Report Number, select Uniface from the Approval Manager menu. The Approval Manager Search window is displayed. Enter all or a part of the Group, Screen or Report name or number in the field provided, for example CN_02*. You do not need to select an Approval Group when searching by Group, Screen or Report. The system assumes a wildcard at the end of the user entry but you can add a wildcard (*) at the beginning as well. Next click Search and you will see a list of all Uniface Groups meeting your search criteria.

Click on the triangle under the Approval Manager Name for the desired Group to see who the Approval Manager is. Unlike searching by Approval Group, when you search by a Uniface Group, Screen or Report, you may find roles under different Approval Groups, so it is important to select the desired Uniface Group name to find the correct Approval Manager.

Institutional Security Manager

Institution Security Managers are responsible for adding and removing Approval Managers. On their Dashboard page is a table showing current Approval Managers with links to Add Approval Managers or Remove Approval Managers. Changes to end dates are audited and you can view them using the Audit Data query.

How to find an Institutional Security Manager

An Approval Manager or Institutional Security Manager may search to find all Institutional Security Managers by completing the following steps.

1. Go to Security Rights>User Security Summary.

2. Select Search by Web Role.

3. Enter UT_SECURITY_INST_MGMT in the Role, Permission, or Report Name/Number field, then click on Search.

4. A list of Institutional Security Managers will be displayed.

How to add an Approval Manager

1. Select either Uniface or Web in the User Maintenance section of the menu.

2. Search by name, Tech Id, or use the non-person search.

3. Select the person or non-person from the search results.

4. Click on the Add Approval Manager Groups icon to add an Approval Group for the person.

5. Select the Approval Group you wish to add from the drop-down list.

6. Click on the Search button to set up the approval and set the dates. You will also see a listing of all the Web Roles and Uniface Groups in the Approval Group.

7. Select the Start date and End date for the Approval Manager assignment. The default Start Date is the current date and the default End Date is 12/31/9999. You can change the dates if you only want a temporary assignment.

8. Click on the Submit button to add the Approval Group.

How to end an Approval Manager Assignment

After you have searched for the person, you remove an Approval Group from an Approval Manager by end dating it. Complete the steps to find the approval manager under User Maintenance, then:

1. Go to User Approval Groups.

2. Select Remove Approval Groups.

3. Click on the Remove Approval Manager icon and you will see the list of Approval Groups with an editable End Date field.

4. Enter the End Date for the Approval Group that you no longer want the Approval Manager to administer. Alternately, you can check the End Now box to end the Approval Manager assignment as of the current date and time.

5. Click on the Save Button to remove the Approval Group from the Approval Manager.

Approval Manager Audit Query

The system tracks the addition of new Approval Managers and changes to their end dates in an audit table. Institutional Security Managers may view changes for audit or information purposes. See the Approval Manager Audit Query section above for more information.

Supervisors

Faculty and staff supervisors may review and, if necessary, end security roles for their employees by going to Supervisor View under the Supervisor tab on Employee Home. All current and future ISRS security rights for an employee are displayed. Supervisors should regularly review ISRS access levels of each of their employees and, if necessary, end date some or all of them. If a supervisor ends security rights, the employee and the Approval Manager will receive an email that the rights have been ended. See the Supervisor Tools Quick Resource Guide for additional supervisor information.

Pending requests cannot be ended by the supervisor; if you attempt to end pending requests, you will receive an error message. Contact the approval manager who has the ability to end those requests. NOTE: New security requests must be submitted by an employee or approval manager using the ISRS Security Administration application, accessed from Employee Home.

Glossary of Terms

Approval Group: A collection of related security roles or Uniface groups. These are typically organized by ISRS functional modules.

Approval Manager (AM): A person at the institution level responsible for adding, removing, approving and recertifying security for a specific Approval Group. The Approval Manager should be familiar with the functions performed by institution staff so that each individual has appropriate security.

Incompatible Security: Two or more Web Roles or Uniface Groups that have been identified as potential risk areas for theft or fraud if an individual has both roles or groups at the same time.

Institutional Security Manager (ISM): The person identified by the President of each institution who is responsible for assigning Approval Managers.

Mitigating Control: A process performed by institution staff to mitigate the risks associated with someone having incompatible security roles or groups. A description of the Mitigating control is entered in the Security Administration system by the Approval Manager when the security is added or approved.

Recertification: An annual process performed by Approval Managers to certify that all security assignments they are responsible for are valid. The Recertification process extends an individual’s security through the end of the following calendar year.

Uniface Group: A set of permissions assigned to an individual that authorizes them to perform a specific task or tasks in the Uniface application.

Web Role: A set of permissions assigned to an individual that authorizes them to perform a specific task or tasks in a Web Administrative application.

Other Resources

User Security Summary Report

Recertification Quick Resource Guide for Approval Managers

Need Help?

For additional assistance, please submit a ticket titled Security Administration via the Minnesota State IT Service Desk portal: servicedesk.MinnState.edu.

Minnesota State is an affirmative action, equal opportunity employer and educator.