Security Role Function Grants

SECF0063 - Maintain Security Role Function Grants

Purpose	To assign System menu, Self Service Application and SSF menu form and job access to individual Security Roles. When users are granted Security Roles they inherit the Function Grants for those roles, as defined in this form.
Subsystem	Security
Normally Run By	Administration Specialist
Anticipated Frequency	At the beginning of the Course Year, or as required
Structure	Blocks	Security Role
		Security Role Menu Grant
	Buttons	Form Grants (Overlay)
		Job Grants (Overlay)
		Self Serve Application Grants (Overlay)
		SSF Menu Grants (Overlay)
		Copy From ... (Overlay)
		Reconcile Object Grants (SECJ0070)
		Advanced Functions (Overlay)
		Note Type Restrictions (SECF0041)

A Database Administrator (DBA) creates user roles for use in Callista. A user role specifies the full range of functionality potentially available to users granted that role. The Security Administrator can define the access of a user role by individually specifying in this form the menus, forms, jobs, reports, Self Serve Applications and SSF Menus that the role can access. Selecting the Reconcile Object Grants button initiates a process which checks that the role has the necessary Object Grants for all of its Function Grants. Any Object Grants which are missing are added while any which are no longer required are deleted. Object Grant reconciliation can also be performed as an after hours batch job using SECJ0070.

Note:

If a form calls another form by either a button or an iconic button (e.g. the Record Admission Enquiry form (ADMF1200) calls the Find Course Form (ADMF1220)) or
If a form calls a report either automatically or by a button (e.g. the Basic Course Details form (CRSF1210) calls the Rollover Exception Report (CRSR0630) automatically, the Academic History report (ENRR08M0) is called via a button in INQF1200 (the Student Course Attempt Inquiry screen))

then a role being granted the 'calling' form should also be granted the 'called' function. Failure to grant the called function to the role will result in errors occurring when the calling form is used by users granted the role.

The Grant Menu Structure process grants the user role a menu structure containing all of the sub-menus, forms, jobs and reports under the selected menu. Menu structures are maintained in SECF0061.

Further details are contained in the Callista Technical Documentation.

Security Role Block

This block displays information identifying the Security Role to which menu and form access is granted via this form. This block can be queried to locate the Security Role to which menus, forms and or jobs are to be granted.

The granting of a menu and sub-menus alone will not give access to the items (forms and jobs) in those menus. Security Roles must also be granted access to the relevant forms/jobs. Even then, access may be limited if the Security Roles do not have the necessary data level access.

Each time a Security Role is updated, as the final operation, either the Reconcile Object Grants button should be selected or job SECJ0070 should be run to perform the reconciliation. This ensures that the role has the correct Object Grants for the functions granted to it. The process automatically adds any missing Object Grants and deletes any that are no longer required. Reconciliation of Object Grants provides further information on the subject.

Security Role Menu Grant Block

This block is used to record and display System menus granted to the displayed Security Role(s). Menus may be granted individually, or whole menu structures, including sub menus, forms and jobs may be granted in a single operation using the Grant Menu Structure function.

Form Grants Button

This block is used to record and display the forms to which access has been granted for the displayed Security Role.

Job Grants Button

This block is used to record and display the jobs to which access has been granted for the displayed Security Role.

Self Serve Application Grants Button

This block is used to record and display the Self Serve Application to which access has been granted for the displayed Security Role when the user has access to Callista Connect.

SSF Menu Grants Button

This block is used to record and display the SSF Menus to which access has been granted for the displayed Security Role when the user has access to Callista Connect.

Copy (Menu, Form and Job Grants) From (One Security Role to Another) Button

This function permits the copying of the menu, form and Job Grants of one Security Role to another Security Role. The recipient role will then have access to those menus, forms and jobs copied from the other Security Role and any additional menus, forms and jobs explicitly recorded in this form.

Note Type Restrictions Button

This button navigates to SECF0041 where Note Type Restrictions can be applied to this role.

General

This Form allows Menus, Forms and Jobs, including the required database object privileges, to be assigned to a Role when users have access to Callista Connect. When users are granted the Role, they inherit access to the Menus, Forms and Jobs defined for the Role.

This Form will be enhanced as follows:

Allow SSF Menus grants to be defined for a Role
Allow Self Serve Applications grants to be defined for a Role

Enhance the Reconcile Object Grants process to cater for Self Serve Applications.

When the Role is granted to a user, the user will inherit access to the SSF Menus and Self Serve Applications. These enhancements are only applicable when the Callista Connect product is installed. These functions enable staff members to access Callista Connect applications. The enhancements required to support staff access to Callista Connect applications have direct impact on a number of different areas, including, the Callista Connect Parser, the Callista Connect Administration Tool, the Callista Connect Manager, the Callista SMS, and internal processes.

For further information on Staff Connect, see Staff Connect Introduction.

System Advance Functions

Sector restrictions function for System Advanced Functions. This is to cater for the fact that some System Advanced Functions are only available for specific sectors.

The security policy ensures that when the Form is being run at an institution that is cross-sector, all of the valid System Advanced Functions are displayed in the LOV. When the form is being run at an institution that is HE sector, only the valid System Advanced Functions for HE are displayed in the LOV. When the form is being run at an institution that is VET sector, only the valid System Advanced Functions for VET are displayed in the LOV.

This form is accessed from the main menu.

The Security Role block contains:

Security Role
Creation Date
Description
Buttons
- Form Grants
  - Form Grants
  - Form (LOV)
  - Title
  - Grant Query Only check box
  - Back button
- Job Grants
  - Job Name (LOV)
  - Short Title
  - Override Priority check box
  - Back button
- Self Serve Application Grants
  - Self Serve Application (LOV)
  - Description
  - Back button
- SSF Menu Grants
  - SSF Menu Code (LOV)
  - Description
  - Default SSF Menu check box
  - Search Menu check box
  - Back button
- Copy From ...
  - Person ID
  - Oracle Username
  - Copy button
  - Cancel button
- Reconcile Object Grants (SECJ0070)
- Advanced Functions
  - Advanced Function (LOV)
  - Description
  - Back button
- Note Type Restrictions (SECF0041)

The Security Role Menu Grant block contains:

Menu code
Title
Default Menu check box
Button
- Grant Menu Structure

Rules/Notes:

Form Grants
This block is used to record and display forms granted to a person in addition to those granted as a result of the person's Security Role(s). Use the Back button to exit this block.

Job Grants
This block is used to record and display jobs granted to a person in addition to those granted as a result of the person's Security Role(s). Use the Back button to exit this block. Self Serve Application Grants
This block is used to record and display Self Serve Applications granted to a person in addition to those granted as a result of the person's Security Role(s). Use the Back button to exit this block. SSF Menu Grants
This block is used to record and display the Self Serve Facility (SSF) menus granted to a person in addition to those granted as a result of the person's Security Role(s). Use the Back button to exit this block.

Copy From ...
This function permits the copying of the menu, form and Job Grants of one person to another person. The recipient will then have access to functionality specified by their own Security Role grants, those menus, forms and jobs copied from the other person and any additional menus, forms and jobs explicitly recorded in this form.

Advanced Functions
This function allows addition and deletion of system defined Person Advanced Function records for a user. If a 'Person Name Update Restriction' is given to the user, they will not be able to update a person's name in any SMS form. Initially, the only available 'Advanced Function' will be 'Person Name Update Restriction'. The only exception to this restriction will be cases where the creator of a person record attempts to change the Person Name on the same day that the record was created.

The Grant Menu Structure button opposite copies data ready for SECJ0070. Once copied the following message is shown: "Grants successfully copied. Please requery detail to see the changes. Database Object Grants should be reconciled via the Reconcile Object Grants button"

The Note Type Restrictions button will only be available to users who have security access to SECF0041.

To grant access to a menu, for the displayed Security Role, using the Maintain Security Role Function Grants form:

Locate the Security Role for which access is to be granted by querying in the Security Role block
Navigate to the Security Role Menu Grant block
Enter Insert mode
Select the menu to be granted from the list of values (or key a valid value) in the Menu Code field of a blank record
If this menu is to be the default menu for the Security Role, select the Default Menu check box
Save

Rules/Notes:

All required menus including sub-menus must be granted via this form.

Only one menu can be flagged as the default menu.

To grant access to a menu and all its menu substructure including sub menus, forms and jobs, for the displayed Security Role, using the Maintain Security Role Function Grants form:

Locate the Security Role for which access is to be granted by querying in the Security Role block
Navigate to the Security Role Menu Grant block
Select the menu whose structure is to be granted, from the displayed Menu Grants or
Grant the menu whose structure is to be granted using the method detailed above
Select the menu whose structure is to be granted, then select the Grant Menu Structure function button
All sub menus, forms and jobs of the selected menu will be granted.
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

On executing the Grant Menu Structure function, the granted menu structure is automatically saved.

To display the granted sub-menus it is necessary to re-query the Security Role Menu Grant block. To display the granted forms and jobs, it is necessary to navigate to the Form Grant and Job Grant blocks and re-query.

To grant a Security Role access to a form, using the Maintain Security Role Function Grants form:

Ensure the correct Security Role record is displayed in the Security Role block
Select the Form Grants button to display the Security Role Form Grant block
Enter Insert mode
Select the form to be granted from the list of values (or key a valid value) in the Form field of a blank record
If access is to be granted to the form for inquiry use only, select the Grant Query Only check box
Repeat steps 4 and 5 to grant more forms to the Security Role.
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

Only forms with their Query Only Mode Valid indicator set (in SECF0060) can be granted as 'query only' in this form.

To remove a Security Role's access to a form, using the Maintain Security Role Function Grants form:

Ensure the correct Security Role record is displayed in the Security Role block
Select the Form Grants button to display the Security Role Form Grant block
Select the form for which access is to be deleted
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

To grant a Security Role access to a job, using the Maintain Security Role Function Grants form:

Ensure the correct Security Role record is displayed in the Security Role block
Select the Job Grants button to display the Security Role Job Grant block
Enter Insert mode
Select the job to be granted from the list of values (or key a valid value) in the Job Name field of a blank record
If a person with this Security Role has the authority to override the System priority of this job, select the Override Priority check box
Repeat step 4 and 5 to grant more jobs to the Security Role
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

To remove a Security Role's access to a job, using the Maintain Security Role Function Grants form:

Ensure the correct Security Role record is displayed in the Security Role block
Select the Job Grants button to display the Security Role Job Grant block
Select the job for which access is to be deleted
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

To grant a Security Role access to a Self Serve Application, using the Maintain Security Role Function Grants form:

Ensure the correct Security Role record is displayed in the Security Role block
Select the Self Serve Application Grants button to display the Security Role Self Serve Application Grant block
Enter Insert mode
Select the Self Serve Application to be granted from the list of values (or key a valid value) in the Self Serve Application Name field of a blank record
If a person with this Security Role has the authority to override the System priority of this Self Serve Application, select the Override Priority check box
Repeat step 4 and 5 to grant more Self Serve Applications to the Security Role
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

A function for Callista Connect users.

When creating a Role Self Serve Application Grant, the Self Serve Application must be mapped to a System Self Serve Application that is not closed.

To remove a Security Role's access to a Self Serve Application, using the Maintain Security Role Function Grants form:

Ensure the correct Security Role record is displayed in the Security Role block
Select the Self Serve Application Grants button to display the Security Role Self Serve Application Grant block
Select the Self Serve Application for which access is to be deleted.
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

See Rules/Notes on 'Advanced Functions' button above for conditions to deny a person access to update a person's name in any SMS form.

To grant a Security Role access to a SSF Menu, using the Maintain Security Role Function Grants form:

Ensure the correct Security Role record is displayed in the Security Role block
Select the SSF Menu Grants button to display the Security Role SSF Menu Grant block
Enter Insert mode
Select the SSF Menu to be granted from the list of values (or key a valid value) in the SSF Menu Name field of a blank record
If this menu is to be the default SSF Menu for this Security Role, select the Default SSF Menu check box
Repeat step 4 to grant more SSF Menus to the Security Role
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

A function for Callista Connect users.

When creating a Role SSF Menu Grant, the Web Element must have a System Web Element Type of Menu.

The Web Element must not be closed when creating a Role SSF Menu Grant.

One and only one Role SSF Menu Grant must be set as the Default SSF Menu for the Role.

To remove a Security Role's access to a SSF Menu, using the Maintain Security Role Function Grants form:

Ensure the correct Security Role record is displayed in the Security Role block
Select the SSF Menu Grants button to display the Security Role SSF Menu Grant block
Select the SSF Menu for which access is to be deleted
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

To copy menu, form and Job Grants from one Security Role to another, using the Maintain Security Role Function Grants form:

Ensure the recipient Security Role record is displayed in the Security Role block
Select the Copy From button to display the Copy From block
Execute a query in the Security Role field to locate the Security Role whose grants are to be copied
Select the Copy button. The menu, form and Job Grants of the Security Role queried in step 3 will be copied to the recipient Security Role and be automatically saved
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

On executing the Copy function, the records copied to the recipient are automatically saved.

To display the copied Menu Grants it is necessary to re-query the Security Role Menu Grant block. Navigating to the Security Role Form or Job Grant blocks will automatically re-query these blocks.

Last Modified on 13 September, 2006