Person Function Grants

SECF0062 - Maintain Person Function Grants

Purpose	To assign System menu, Self Serve application, SSF menu, form and job access to individual users. Function grants to individual users should only be considered when it is not practical to provide the necessary grants via security roles
Subsystem	Security
Normally Run By	Administration Specialist
Anticipated Frequency	At the beginning of the Course Year, or as required
Structure	Blocks	Person
		Person Menu Grant
	Buttons	Find Person (ADMF1211)
		Form Grants (Overlay)
		Job Grants (Overlay)
		Self Serve Application Grants (Overlay)
		SSF Menu Grants (Overlay)
		Copy From (Overlay)
		Reconcile Object Grants (SECJ0070)
		Advanced Functions (Overlay)

A person is granted access to functions beyond those made available by the role(s) they have been granted, by recording those functions in this form and selecting the Reconcile Object Grants button. Selecting the Reconcile Object Grants button initiates a process which checks that the person has the necessary access to the database for all of its function grants. Any object grants that are missing are added, while any that are no longer required are deleted. Object grant reconciliation can also be performed as an after hours batch job using SECJ0070. This job reconciles the grants of all users, in a single run.

Note:

if a form calls another form by either a button or an iconic button (e.g. the Record Admission Enquiry form (ADMF1200) calls the Find Course Form (ADMF1220)) or
if a form calls a report either automatically or by a button (e.g. the Basic Course Details form (CRSF1210) calls the Rollover Exception Report (CRSR0630) automatically, the Academic History report (ENRR08M0) is called via a button in INQF1200 (the Student Course Attempt Inquiry screen))

then a person being granted the 'calling' form should also be granted the 'called' function. Failure to grant the called function to the user will result in errors.

Person block

This block displays information identifying the person to whom menu and form access is granted in this form. If the person's identification number or Oracle username are known, query directly in this block. If not, select the Find Person icon and use the Find Person form (ADMF1211) to locate the correct person record. A query in this block will only return person records that have been registered as Oracle users in the Maintain System Users form (SECF0021).

Each time a person's function grants are updated, as the final operation, the Reconcile Object Grants button should be selected. This ensures that the person has the correct access to database objects for the functions granted to them. The process automatically adds any missing object grants and deletes any which are no longer required. The job SECJ0070 can be run (usually after hours) to reconcile the grants of all system users, ensuring that none are overlooked by the reconciliation process. Reconciliation of Object Grants provides further information on the subject.

Person Menu Grant block

This block is used to record and display System menus granted to a person in addition to those granted as a result of the person's security role(s).

This Form also allows Menus, Forms and Jobs, including the required database object privileges, to be assigned to a Person, when using Callista Connect. This Form will be enhanced as follows:

Allow SSF Menus grants to be defined for a Person
Allow Self Serve Applications grants to be defined for a Person

These enhancements are only applicable when the Callista Connect product is installed.

These functions enable staff members to access Callista Connect applications. The enhancements required to support staff access to Callista Connect applications have direct impact on a number of different areas, including, the Callista Connect Parser, the Callista Connect Administration Tool, the Callista Connect Manager, the Callista SMS, and internal processes.

For further information on Staff Connect, see Staff Connect Introduction.

System Advance Functions

Sector restrictions function for System Advanced Functions. This is to cater for the fact that some System Advanced Functions are only available for specific sectors.

The security policy ensures that when the Form is being run at an institution that is cross-sector, all of the valid System Advanced Functions are displayed in the LOV. When the form is being run at an institution that is HE sector, only the valid System Advanced Functions for HE are displayed in the LOV. When the form is being run at an institution that is VET sector, only the valid System Advanced Functions for VET are displayed in the LOV.

This form is accessed from the main menu.

The Person Block contains:

Person ID
Oracle Username
Auto Enable check box
If checked, then the privileges granted to the user via this form will be enabled for the user when connecting to the database outside the Callista application. If unchecked, then the privileges granted to the user via this form will only be enabled for the user inside the Callista application.
Buttons
- Find Person (ADMF1211)
- Form Grants
  - Form Grants
  - Form (LOV)
  - Title
  - Grant Query Only check box
  - Back button
- Job Grants
  - Job Name (LOV)
  - Short Title
  - Override Priority check box
  - Back button
- Self Serve Application Grants
  - Self Serve Application (LOV)
  - Description
  - Back button
- SSF Menu Grants
  - SSF Menu Code (LOV)
  - Description
  - Default SSF Menu check box
  - Search Menu check box
  - Back button
- Copy From ...
  - Person ID
  - Oracle Username
  - Copy button
  - Cancel button
- Reconcile Object Grants (SECJ0070)
- Advanced Functions
  - Advanced Function (LOV)
  - Description
  - Back button

The Person Menu Grant block contains:

Menu code
Title
Default Menu check box
Administrator check box

Rules/Notes:

Form Grants
This block is used to record and display forms granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

Job Grants
This block is used to record and display jobs granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

Self Serve Application Grants
This block is used to record and display Self Serve Applications granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

SSF Menu Grants
This block is used to record and display the Self Serve Facility (SSF) menus granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

Copy From ...
This function permits the copying of the menu, form and job grants of one person to another person. The recipient will then have access to functionality specified by their own security role grants, those menus, forms and jobs copied from the other person and any additional menus, forms and jobs explicitly recorded in this form.

Advanced Functions
This function allows addition and deletion of system defined Person Advanced Function records for a user. If a 'Person Name Update Restriction' is given to the user, they will not be able to update a person's name in any SMS form. Initially, the only available 'Advanced Function' will be 'Person Name Update Restriction'. The only exception to this restriction will be cases where the creator of a person record attempts to change the Person Name on the same day that the record was created.

To grant a person access to a menu, using the Maintain Person Function Grants form:

Locate the Person record for which access is to be granted by either querying directly in the person block or selecting the Find Person icon
Navigate to the Person Menu Grant block
Enter Insert mode
Select the menu to be granted from the list of values (or key a valid value) in the Menu Code field of a blank record
If this menu is to be the default menu for the person, select the Default Menu check box
Do not select any Administrator check box without reading the relevant rule, opposite
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

All required menus including sub-menus should be granted via this form only where it is not practical to provide the necessary grants via security roles.

Only one menu can be flagged as the default menu. A default menu set here will override any default menus inherited via security roles.

Granting a person access to a particular menu does not necessarily ensure access to forms and jobs under the menu's structure. The forms and jobs must be specifically granted to either a role granted to the person or via a person form/job grant.

Selecting any Administrator check box, grants the user the ability to:

access every form and job in the system.
set the default printer for a user with report run privileges.
give a user the ability to submit a standing request when scheduling Callista jobs.

The Form Grants button - overlay contains:

Form
Title
Grant Query Only check box
Back button

To grant a person access to a form, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the Form Grants button to display the Person Form Grant block
Enter Insert mode
Select the form to be granted from the list of values (or key a valid value) in the Form field of a blank record
If access is to be granted to the form for inquiry use only, select the Grant Query Only check box
Repeat step 4. To grant more forms to the person
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

A person will only have access to those forms specified here and by their security role grant(s).

A person may be granted forms without necessarily being granted menus containing those forms. In such cases, the forms can be selected via the Go To and Alpha List facilities.

Only forms with their Query Only Mode Valid indicator set (in SECF0060) can be granted as 'query only' in this form.

To remove a person's access to a form, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the Form Grants button to display the Person Form Grant bloc.
Select the form for which access is to be deleted
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

See Rules/Notes on 'Advanced Functions' button above for conditions to deny a person access to update a person's name in any SMS form.

The Job Grants button - overlay contains:

Job Name
Short Title
Override Priority check box
Back button

To grant a person access to a job, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the Job Grants button to display the Person Job Grant block
Enter Insert mode
Select the job to be granted from the list of values (or key a valid value) in the Job Name field of a blank record
If the person has the authority to override the System priority of this job, select the Override Priority check box
Repeat step 4 and 5 to grant more jobs to the person
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

A person will only have access to those jobs specified here and by their security role grant(s).

A person may be granted jobs without necessarily being granted menus containing those jobs. In such cases, the jobs can be selected via the Go To and Alpha List facilities.

To remove a person's access to a job, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the Job Grants button to display the Person Job Grant block
Select the job for which access is to be deleted
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

The Self Serve Application Grants button - overlay contains:

Self Serve Application
Description
Back button

To grant a person access to a Self Serve Application, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the Self Serve Application Grants button to display the Person Self Serve Application Grant block
Enter Insert mode
Select the Self Serve Application to be granted from the list of values (or key a valid value) in the Self Serve Application field of a blank record
Repeat step 4 to grant more Self Serve Applications to the person.
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

You cannot create a Person Self Serve Application Grant for a deceased person.

When creating a Person Self Serve Application Grant, the Self Serve Application must be mapped to a System Self Serve Application that is not closed.

To remove a person's access to a Self Serve Application, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the Self Serve Application Grants button to display the Person Self Serve Application Grant block
Select the Self Serve Application for which access is to be deleted
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

The SSF Menu Grants button - overlay contains:

SSF Menu Code
Description
Default SSF Menu check box
Search Menu check box
Back button

To grant a person access to a SSF Menu Grants, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the SSF Menu Grants button to display the Person SSF Menu Grant block
Enter Insert mode
Select the SSF Menu to be granted from the list of values (or key a valid value) in the SSF Menu Code field of a blank record
If this menu is to be the default menu for this reason, select the Default SSF Menu check box
Select the Search Menu check box if Staff Connect functionality.
Repeat step 4 to grant more SSF Menus to the person
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

You cannot create a Person SSF Menu Grant for a deceased person.

The Web Element must have a System Web Element Type of Menu when creating a Person SSF Menu Grant.

The Web Element must not be closed when creating a Person SSF Menu Grant.

The Search Menu check box allows users to identify which SSF Menu will be utilized by the Enter Search Results Application if user has Staff connect functionality. User can only select one menu as the search menu

Only one Menu can be set as the default.

To remove a person's access to a SSF Menu, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the SSF Menu Grants button to display the Person SSF Menu Grant block
Select the SSF Menu for which access is to be deleted
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

The Copy From button - overlay contains:

Person ID
Oracle Username
Copy button
Cancel button

To copy menu, form and job grants from one person to another, using the Maintain Person Function Grants form:

Ensure the recipient person record is displayed in the Person block
Select the Copy From button to display the Copy From block
Enter the person ID or Oracle username of the person whose records are to be copied in the relevant field
Execute the query
Select the Copy button. The menu, form and job grants of the person queried in steps 3 and 4 will be copied to the recipient and be automatically saved
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

The person ID or Oracle username of the person whose records are being copied must be known in order to perform this function.

On executing the Copy function, the records copied to the recipient are automatically saved.

To display the copied menu grants it is necessary to re-query the Person Menu Grant block. Navigating to the Person Form or Job Grant blocks will automatically re-query these blocks.

Last Modified on 13 September, 2006