1104 PR.02 Reviewing User Access Security and Review Procedures

Revision Date: April 23, 2013

1. Overview

A sound internal control environment requires that only individuals with formally delegated signature authority are able to obligate the University to external parties, and that only authorized administrators and their formal designees are able to approve financial transactions at the University. The University relies on these and other internal control measures to protect its interests and manage its risks.

The role of the TAC (Training & Access Coordinator) is assigned by the department Lead Administrator or can be assumed by the Lead Administrator although the Lead Administrator is ultimately responsible for access to department data.  The TAC is responsible for maintaining employee access to Oracle Financial Applications, Data Warehouse Reporting (DWH) and other Yale Systems.

TAC responsibilities include:

Ongoing Maintenance:

  • Determine what Oracle application access is required to perform job duties
  • Request Oracle application access for others in the department
  • Approve or deny application training requests
  • Monitor access of others in the department
  • Modify or terminate access when applicable

Annual Review:

A review and update (if necessary) of access and responsibilities at fiscal year-end is required. Procedure 1104 PR.01:  Signature Authority, Delegation of Approval Authority and Access for Financial Transactions includes three Appendices, which contain the responsibilities and access to applications that departments should review to verify delegation of authority and access to financial transactions.

  • Appendix A – Alphabetical glossary of responsibilities found in the Access Review Report (formerly BUG112a) (refer to Section 3 for views within the report)
  • Appendix B – BMS Web Security and Menu Access Review Reports.  See Comment and Contact fields within appendix for access information
  • Appendix C – Other University and Medical School significant applications. See Comment and Contact fields within appendix for access information. Note that you will be notified by the process owner on a yearly basis only if they do not have an automatic process to remove access for terminated employees.

2. When to Add, Change, or Delete an Employee’s Access       

In addition to the mandatory annual review of access, there are several situations, classified as on-going maintenance, that require the TAC to review and modify an employee’s access.

When a Lead Administrator or Department TAC leaves

The Lead Administrator is responsible for ensuring that a backup plan is in place should the TAC leave the department. A TAC is responsible for removing their own access prior to moving to a new department. Should the Lead Administrator leave the department, the TAC is responsible for ensuring that the access is changed accordingly.

New Yale Employee joins your department

New employees need access to applications and/or YAS values within the applications to do their job.  It is the role of the TAC to request and/or approve the addition of access and add the responsibilities.

When an Employee’s role within my Department Changes

An employee’s role in the department may change.  They may need access to different applications or different values within the applications.  It is the role of the TAC to make these changes.

When an Employee transfers from my Department

When an employee transfers to another department within the University, it is the responsibility of the TAC in the department the employee is leaving to immediately review the employee’s access. When transferring to another department at Yale, it is assumed that the employee will be doing similar work in the new department as he or she was doing in the old department. Because of this, it is the responsibility of the TAC in the original department (the department the person is transferring from) to delete access to all the organizations in his/her original department unless the employee will continue to work for them after the transfer out of the department. These changes must be done no later than the last day that the person is working in the department, as the TAC will no longer have access to that employee once they transfer. Remember: DO NOT delete access to any Oracle applications, any job categories or any Oracle responsibilities. Change Organizational Access only.

When an Employee transfers into my Department

When an employee transfers to another department within the University, it is the responsibility of the TAC in the department the employee is transferring into to immediately review the employee’s access. They are responsible for adding access to all the organizations in his/her department and to review all the Oracle applications, job categories, Oracle responsibilities and other Yale systems and adjust as appropriate.  Remember that adding the new organization(s) will activate all applications, responsibilities and job categories present.

When an Employee Terminates from the University

When an employee is terminating and leaving the University, it is the responsibility of the TAC in the department the employee is leaving to immediately review all of their access. No later than the last day of employment, the TAC must remove all access that is not automatically removed, as identified below.

On a nightly basis, all responsibilities for terminated employees will be end dated except the following:

Automatic Removal:

  • All People Lists (except Travel Arrangers and Approvers) under START Maintain Lists are removed on a monthly basis by Client Accounts (oracle.access@yale.edu).
  • Travel Arrangers and Approvers access is removed from Orbitz by the travel office on a quarterly basis.
  • SciQuest Approver and Requisitioner roles are removed by the SciQuest department on a monthly basis.

TAC Responsible for removal:

  • STARS responsibilities including Hiring Manager, HR Generalist, HR Recruiter, and EEO User (the TAC should send an e-mail to stars@yale.edu to have responsibility removed)
  • Internet Expense responsibilities (Internet Expense, Signing Limit 0, Signing Limit 1000, and Signing Limit 10,000): the TAC should go to Expense Management, click on the Request/Change Access form under Policies, Procedures, Guides & Forms, complete the form and send it to yems@yale.edu.
  • Express Shipping User  (the TAC should remove through START Dashboard)
  • SciQuest Approver and Requisitioner roles are removed by the SciQuest department on a monthly basis; however, it is best practice for a department to remove this access immediately to avoid any possible issues in the future (the TAC should remove it through the START Dashboard)

When an Employee Retires from the University

When an employee is retiring from the University, it is the responsibility of the TAC in the department the employee is leaving to immediately review all of their access. If an employee is classified as a retiree or lay-off, they are not considered terminated until they receive their last check and their HR record is end dated. Client Accounts will NOT automatically remove the access and responsibilities of these employees. In this case you must review their access and make the necessary changes prior to close of business on their last day in your department.

Important to note:  NetIDs are always active even after an employee has left Yale University, so that users may access their W2 form, benefits etc.  In addition, two responsibilities will remain active:  1) START Access for Myself and 2) Human Resource Self Service.  If an employee is terminated with cause and you wish to stop all access immediately and lock the NetID, please email client.accounts@yale.edu and call Client Accounts at 2-6627.

When an Employee Retires from the University yet will still remain on as a Casual

In rare cases, an employee may retire from full-time employment yet remain working for the department as a casual employee for a defined period of time. The TAC should make sure that the access of the individual is updated to reflect their new role in the department before their last day as a full-time employee. Prior to the person retiring, the TAC is required to communicate with the START Administrator (nancy.scanlon@yale.edu) and Client Accounts (oracle.access@yale.edu) to advise them of the arrangement and the approximate length of time that the individual will need access.

Important to note:  Failure to contact the appropriate individuals may result in all access being removed once the employee retires. If this should happen, it is the responsibility of the department the casual is working for to process requests to reinstate any access the person should need to perform their casual employment position.

3. Reviewing Access

There are several ways to review access for employees in your department. 

Procedure 1104 PR.01-Appx A:  Signature Authority, Delegation of Approval Authority and Access for Financial Transactions

Appendix A:   Glossary of Responsibilities included in Access Review Report (formerly BUG 112a)

For Division, Department, or Organization-wide up-to-date access of employees in your department, run the Access Review Report (formerly BUG112a), located in the Portal under the Review Tools folder. This report can be scheduled and provides the detailed information you will need to complete the Oracle and DWH access review.

The home screen, as shown above, is a High-Risk Summary Report. It includes access data with approval limits (if applicable) from START, SciQuest, ORACLE, iExpense and WIP, per employee, for the roles the University deems high-risk.

In addition, the report includes three additional dashboard screens, links to instructions for changing access and the ability to limit the data in the report to a specific individual.

The Access Reports Tab shown below provides access, roles and responsibilities to aid departments in the access review process.

Views include:

Financial Access Review

  1. Oracle Roles, Responsibilities and Access
  2. START People Lists
  3. SciQuest Access
  4. ER Approvers with Limits
  5. OK2Pay Internal Approval Limits Template: This view may be printed, completed and filed in the business office to document disbursement approval limits for OK-to-Pay Invoices. It is important to note that these limits are not enforced by Accounts Payable or by the Oracle system. They are limits that are monitored ONLY by the department.
  6. View Access by Person
  7. Employees with Inactive Oracle Application Access: shows individuals who have access to Oracle and meet all of the following criteria:
    • Oracle Application Access is current/active;
    • Active NetID;
    • Have not logged into an Oracle Application in over 18 months.

All ER Roles and Access

High-Risk Employee Review

  • Casuals, Consultants and Associates with Access
  • Students with Access
  • Employees on Leaves of Absence
  • Terminated Employees with Access

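The "Employees with Inactive Oracle Application Access" criteria and the High-Risk "Terminated Employees with Access" check, applied to constructed access records, as an added illustration that is not part of the original procedure or the Portal report. The record layout, the NetIDs and the treatment of a never-logged-in user as stale are assumptions; it also flags retirees and lay-offs whose HR record is not yet end dated, since Section 2 states the nightly removal does not cover them.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def months_before(d: date, months: int) -> date:
    """Calendar date `months` before d (day clamped to the target month's length)."""
    year, month = d.year, d.month - months
    while month < 1:
        month += 12
        year -= 1
    next_month_start = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    days_in_month = (next_month_start - date(year, month, 1)).days
    return date(year, month, min(d.day, days_in_month))


@dataclass
class AccessRecord:
    netid: str
    status: str                        # constructed values: "active", "terminated", "retiree", "layoff"
    oracle_access_active: bool
    netid_active: bool
    last_oracle_login: Optional[date]  # None means the user has never logged in
    hr_record_end_dated: bool          # True once HR has end dated the record


def inactive_oracle_access(rec: AccessRecord, today: date) -> bool:
    """View 7: active Oracle access AND active NetID AND no Oracle login in over 18 months.
    Assumption: a user who has never logged in counts as stale."""
    if not (rec.oracle_access_active and rec.netid_active):
        return False
    if rec.last_oracle_login is None:
        return True
    return rec.last_oracle_login < months_before(today, 18)


def terminated_with_access(rec: AccessRecord) -> bool:
    """High-Risk Employee Review: terminated employees that still hold Oracle access."""
    return rec.status == "terminated" and rec.oracle_access_active


def retiree_outside_nightly_removal(rec: AccessRecord) -> bool:
    """Retirees and lay-offs are not terminated until HR end dates the record, so the
    nightly end-dating job does not cover them; the TAC must review them by hand."""
    return rec.status in ("retiree", "layoff") and not rec.hr_record_end_dated and rec.oracle_access_active


def review(records: List[AccessRecord], today: date) -> List[Tuple[str, str]]:
    """Return (netid, finding) pairs a TAC should follow up on."""
    findings = []
    for rec in records:
        if inactive_oracle_access(rec, today):
            findings.append((rec.netid, "inactive-oracle-access"))
        if terminated_with_access(rec):
            findings.append((rec.netid, "terminated-with-access"))
        if retiree_outside_nightly_removal(rec):
            findings.append((rec.netid, "retiree-manual-review"))
    return findings


# Constructed sample records (not real NetIDs); the review date is the procedure's revision date.
REVIEW_DATE = date(2013, 4, 23)
SAMPLE = [
    AccessRecord("ab123", "active", True, True, date(2011, 9, 1), False),      # stale: over 18 months
    AccessRecord("cd456", "active", True, True, date(2011, 10, 23), False),    # exactly 18 months: not "over"
    AccessRecord("ef789", "active", True, False, date(2010, 1, 1), False),     # NetID inactive: fails view 7
    AccessRecord("gh012", "terminated", True, True, date(2013, 1, 15), True),  # nightly job should have run
    AccessRecord("ij345", "retiree", True, True, date(2013, 4, 1), False),     # not removed automatically
    AccessRecord("kl678", "active", True, True, None, False),                  # never logged in
]

if __name__ == "__main__":
    for netid, finding in review(SAMPLE, REVIEW_DATE):
        print(netid, finding)
```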
The Net ID/Employee List tab will provide a list of all employees along with their NetID and Home Organization information.

The Central Use Only tab contains views needed by Central areas such as GA User Support and Auditing.  A screen shot is shown below. Note that most pivots will not contain information if run at the department level.

Appendix B:  Medical School Application Inventory

If the Medical School is involved, please contact the process owners of systems or access for which you need to make changes.

Appendix C:  Other Systems/Approvals/Checklists

Communicate any changes to the process owners of the other systems/approvals checklists.

4. How to change an Employee’s Access that is reflected in the Portal Access Review Report (formerly BUG112a)

The START Application (System Technology Access Request Tool) allows designated Training Access Coordinators (TAC) the ability to review, add, change or delete employee access to Oracle Applications and other Yale systems.  The majority of ORACLE Access and DWH Access may be obtained, modified or deleted via START.  In some cases, other procedures are needed and they are provided below.

When to Use START

  • Oracle Application Access:  See START Instructions in Section 5
  • Organizational Access:  See START Instructions in Section 5
  • Job Category Access: See START Instructions in Section 5
  • SciQuest Roles
  • ITS Service Access for Pins, Email, Scheduling, and PPP
  • START Maintain People Lists

Central Responsibilities – Central responsibilities are normally granted to central operating units such as Accounts Payable or Payroll.  All additions, changes, or deletions to a Central Responsibility require the TAC to send an e-mail (with the person’s name, net id, and the exact name of the responsibilities to be added or removed) to oracle.access@yale.edu.

Data Warehouse and Oracle Responsibilities - To change a Data Warehouse or Oracle Responsibility, the TAC must send an e-mail (with the person’s name, net id, and the exact name of the responsibilities to be added or removed) to Client Accounts at oracle.access@yale.edu.  For example – a user has YUGL_Phase 2 Staging Manager w/no GC xfers (Approver role) but they should have YUGL Phase 2 Staging User (Preparer Role). 

Express Shipping:  Express Shipping responsibilities are deleted from the START Dashboard.  See START Instructions in Section 5.

Hiring Manager Responsibility or other STARS related responsibilities - To delete a “Hiring Manager”, the TAC must send an e-mail (with the person’s name, net id, and the exact name of the responsibilities, domain and YAS values to be removed) to stars@yale.edu.

iExpense Responsibilities - To add or delete iExpense Responsibilities (Internet Expense, Signing Limit 0, Signing Limit 1000, and Signing Limit 10,000), the TAC does the following:

  • To Change the Limits only, go to Expense Management, click on the Request/Change Access form under Policies, Procedures, Guides & Forms.  Complete the form and send to yems@yale.edu.
  • To remove the Internet Expense responsibility, please use the START Dashboard (the responsibility is located under “Oracle Financial Planning Responsibilities”).

ITS Services: The following services will be end dated automatically [Staff—21 days after last active date, Faculty—60 days after their last active date, and Students—on October 1st and April 1st]:

  • Yale Mail—Pantheon
  • Central Campus Backup (all except those on Quarrk/Med Services)
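The automatic end-dating rules above, expressed as a small check a TAC can use when reconciling a terminated employee's ITS services against the report. This is an added example, not code from the procedure or from ITS; the affiliation labels are assumptions, and a student whose last active date falls exactly on October 1st or April 1st is assumed to end that same day.

```python
from datetime import date, timedelta

# Fixed offsets from the last active date for staff and faculty (from the rules above).
SERVICE_END_OFFSETS = {
    "staff": timedelta(days=21),
    "faculty": timedelta(days=60),
}


def its_service_end_date(affiliation: str, last_active: date) -> date:
    """Date on which Yale Mail (Pantheon) and Central Campus Backup are end dated."""
    if affiliation in SERVICE_END_OFFSETS:
        return last_active + SERVICE_END_OFFSETS[affiliation]
    if affiliation == "student":
        # Students end on October 1st or April 1st: the first such date on or after
        # the last active date (assumption: a last-active date on the 1st ends that day).
        y = last_active.year
        for candidate in (date(y, 4, 1), date(y, 10, 1), date(y + 1, 4, 1)):
            if candidate >= last_active:
                return candidate
    raise ValueError(f"unknown affiliation: {affiliation!r}")


def service_should_be_gone(affiliation: str, last_active: date, today: date) -> bool:
    """True once the automatic end date has passed. If the Access Review Report still
    shows the service after that, the TAC should follow up rather than assume removal."""
    return today > its_service_end_date(affiliation, last_active)


if __name__ == "__main__":
    review_date = date(2013, 4, 23)  # constructed: the procedure's revision date
    for who, last in (("staff", date(2013, 3, 15)), ("faculty", date(2013, 3, 15)), ("student", date(2013, 3, 15))):
        print(who, its_service_end_date(who, last), service_should_be_gone(who, last, review_date))
```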

Oracle Access (not available for change in START): There is some Oracle Access that cannot be added/changed/deleted in START. This includes MEI General User, View Brio Portal, and View POAP Information, to name a few. To change an Oracle Responsibility not available in START, the TAC must send an e-mail (with the person’s name, net id, and the exact name of the responsibilities to be added/changed/removed) to Client Accounts at oracle.access@yale.edu.

START Maintain People Lists – START Maintain Lists is divided into two types of access: the access in Oracle to add or remove people from the START Maintain People Lists, and the role of being on one of the START People Lists. How you handle the access differs depending on what you want to change.

START People Lists (in START): If you need to add or delete a person to/from one of the START Maintain People Lists (e.g. Disbursement Approver, ITS Approver), you can do so directly in START provided you have the correct Oracle Responsibility (see START Maintain Lists for more information). The Access Review Report provides you with the actual Lists that a person is on. This information is NOT currently available on the START User Access Report.

Choose Maintain Lists option in START and click on the list you want to update.  You may make updates as follows:

  1. Add a new Organization if the one you are looking for is not on the list;
  2. Click on the Organization Name to add or delete multiple people to that specific Organization;
  3. Click on an Individual to add or delete multiple Organizations for that person.

If you are having problems, contact controllers.office@yale.edu.

START Maintain Lists (in Oracle): In order to have the ability to add or remove employees from the START People Lists, you must have the correct Oracle Responsibility. This appears as “START Maintain Lists” on your Access Review Report as well as the START User Account Profile (note that the “Value” column will indicate which lists you have access to change). To make changes, have your TAC send an e-mail (with the person’s name, net id, and the exact name of the responsibility and List Values to be changed) to oracle.access@yale.edu. Do not confuse this with the START People Lists referenced above, as changes to those are performed in START and NOT forwarded to User Access.

Medical School:  For ITS Service Access for Pins, Email, Scheduling, and PPP use START.

For all other ITS Service Access (i.e. SM (Backup), Remote Access, and requests to add, modify or delete Active Directory, File Shares, Med Shares, etc.), you must complete the Computing Request Form and fax it to 203-785-3606.

Travel related Access: 

Travel Policy Approvers (Orbitz): to add, modify or delete this access, go to the Maintain People Lists (see instructions above) and choose the Maintain Travel People List.

Travel Arrangers (Orbitz) access is granted to all employees.  Access is removed from terminated staff on a quarterly basis.  If you have a situation in which access is not removed within three months of the employee’s termination, please contact the travel office at 203-432-9011.

5. Basic START Instructions

Adding Oracle Access

New and existing employees can be granted access to any one of a number of Oracle applications through START. 

From the ORACLE E-Business Suite Navigator Page, click on “START Access for Others” and then “Access or Services for Others”.

You will be prompted to enter either the NetID of the person or Full Name [remember that NetIDs are all CAPITAL Letters].  Click the “Find” button.

Choose the employee by clicking on the NetID.  This will take you to the “Request Selection” screen also known as the Dashboard.

Click “Add”, then “Oracle Human Resources”, and then the Submit button. Another window will be opened and you will be redirected to X-Train to request the needed training.

In START, you may navigate by choosing either “Main Menu” or “Log Out” icons at the top of the screen.

Please print your confirmation page and retain it until the access has been successfully changed.

Organization Access

For an employee to be able to use an Oracle application, they must have access to one or more organizations for that specific application. There are also times when an employee no longer requires access to an organization. The organization can be added to or removed from an Oracle Application responsibility.

Begin at the Dashboard of the person whose Organizational Access needs to be modified.

Click “Change”, then “Oracle Human Resources”, and then the Submit button. Then click on the “Domain Name” or Application that you wish to update.

From this screen, either you can delete Organizational Access by clicking on the “Delete” button next to the access you wish to remove, or you can add new Organization Access by clicking on the “Add” button.

If adding access, click on the “flashlight” first and find the Organization that you wish to add. You may add an Organization from any level of the hierarchy (Division, Dept, and Org). Click on the Organization Name you wish to add. Now you may click on the “Add” Button. At this point, you can add more Organizations or click on the “Finish” Button to process the request. You will then be prompted to choose your TAC’s Name and submit your request.

Please print your confirmation page and retain it until the access has been successfully changed.

Job Category Access

In order to use some Oracle applications, such as Oracle Human Resources, a person must have access to one or more job categories as well as one or more organizations.

Begin at the Dashboard of the person whose Organizational Access needs to be modified.

Click “Change”, then “Oracle Human Resources”, and then the Submit button. Then click on the “Domain Name” or Access that you wish to update.

From this screen, you can either delete Job Category Access by clicking on the “Delete” button next to the access you wish to remove, or add a new Job Category. To add a new Category, click on the drop-down menu and choose the Job Category Access you want to add. Then click the “Add” button.

At this point, you can add more Job Categories or click on the “Finish” Button to process the request. You will be prompted to choose your TAC’s Name and then submit your request.

Please print your confirmation page and retain it until the access has been successfully changed.

Need Help?

For further information, please contact controllers.office@yale.edu.

The official version of this information will only be maintained in an on-line web format. Any and all printed copies of this material are dated as of the print date. Please make certain to review the material on-line prior to placing reliance on a dated