Person Function Grants

SECF0062 - Maintain Person Function Grants

Purpose	To assign System menu, Self Serve application, SSF menu, form, job and web page access to individual users. Function grants to individual users should only be considered when it is not practical to provide the necessary grants via security roles.
Subsystem	Security
Normally Run By	Administration Specialist
Anticipated Frequency	At the beginning of the Course Year, or as required
Structure	Blocks	Person
		Person Menu Grant
	Buttons	Find Person (ADMF1211)
		Form Grants (Overlay)
		Job Grants (Overlay)
		Self Serve Application Grants (Overlay)
		SSF Menu Grants (Overlay)
		Copy From (Overlay)
		Reconcile Object Grants (SECJ0070)
		Web Page Grants (Overlay)
		Web Resource Grants (Overlay)
		Advanced Functions (Overlay)

A person is granted access to functions beyond those made available by the role(s) they have been granted, by recording those functions in this form. For forms, jobs and ssf applications they also need to reconcile their Object Grants. Selecting the Reconcile Object Grants button initiates a process which checks that the person has the necessary access to the database for all of its grants for forms, jobs and ssf applications. Any object grants that are missing are added, while any that are no longer required are deleted. Object grant reconciliation can also be performed as an after hours batch job using SECJ0070. This job reconciles the grants of all users, in a single run.

Note If a form calls another form by either a button or an iconic button (e.g. the Record Admission Enquiry form (ADMF1200) calls the Find Course Form (ADMF1220)) or a form calls a report either automatically or by a button (e.g. the Basic Course Details form (CRSF1210) calls the Rollover Exception Report (CRSR0630) automatically, the Academic History report (ENRR08M0) is called via a button in INQF1200 (the Student Course Attempt Inquiry screen) then a person being granted the 'calling' form should also be granted the 'called' function. Failure to grant the called function to the user will result in errors.

Person block

This block displays information identifying the person to whom menu, form, job and web page access is granted in this form. If the person's identification number or Oracle username are known, query directly in this block. If not, select the Find Person icon and use the Find Person form (ADMF1211) to locate the correct person record. A query in this block will return all person records that satisfy the query criteria, not just person records that have been registered as Oracle users in the Maintain System Users form (SECF0021).

Each time a person's form, job or ssf application grants are updated, as the final operation, the Reconcile Object Grants button should be selected. This ensures that the person has the correct access to database objects for the functions granted to them. The process automatically adds any missing object grants and deletes any which are no longer required. The job SECJ0070 can be run (usually after hours) to reconcile the grants of all system users, ensuring that none are overlooked by the reconciliation process. Reconciliation of Object Grants provides further information on the subject.

Person Menu Grant block

This block is used to record and display System menus granted to a person in addition to those granted as a result of the person's security role(s).

This Form also allows Menus, Forms and Jobs, including the required database object privileges, to be assigned to a Person, when using Callista Connect. This Form will be enhanced as follows:

Allow SSF Menus grants to be defined for a Person
Allow Self Serve Applications grants to be defined for a Person

These enhancements are only applicable when the Callista Connect product is installed.

These functions enable staff members to access Callista Connect applications. The enhancements required to support staff access to Callista Connect applications have direct impact on a number of different areas, including, the Callista Connect Parser, the Callista Connect Administration Tool, the Callista Connect Manager, the Callista SMS, and internal processes.

For further information on Staff Connect, see Staff Connect Introduction.

This form is accessed from the main menu.

The Person Block contains:

Person ID
Oracle Username
Auto Enable check box
If checked, then the privileges granted to the user via this form will be enabled for the user when connecting to the database outside the Callista application. If unchecked, then the privileges granted to the user via this form will only be enabled for the user inside the Callista application.
Buttons
- Find Person (ADMF1211)
- Form Grants
  - Form Grants
  - Form (LOV)
  - Title
  - Grant Query Only check box
  - Back button
- Job Grants
  - Job Name (LOV)
  - Short Title
  - Override Priority check box
  - Back button
- Self Serve Application Grants
  - Self Serve Application (LOV)
  - Description
  - Back button
- SSF Menu Grants
  - SSF Menu Code (LOV)
  - Description
  - Default SSF Menu check box
  - Search Menu check box
  - Back button
- Copy From ...
  - Person ID
  - Oracle Username
  - Copy button
  - Cancel button
- Reconcile Object Grants (SECJ0070)
- Web Page Grants
- Web Resource Grants
- Advanced Functions
  - Advanced Function (LOV)
  - Description
  - Back button

The Person Menu Grant block contains:

Menu code
Title
Default Menu check box
Administrator check box

Rules/Notes:

Note: If the context person has not been registered as Oracle users in the Maintain System Users form (SECF0021), then the Form Grants, Job Grants, SSF Application Grants, SSFMenu Grants and Reconcile Object Grants buttons will be disabled and the Auto Enable checkbox will also be disabled.

Form Grants
This block is used to record and display forms granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

Job Grants
This block is used to record and display jobs granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

Self Serve Application Grants
This block is used to record and display Self Serve Applications granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

SSF Menu Grants
This block is used to record and display the Self Serve Facility (SSF) menus granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

Copy From ...
This function permits the copying of the menu, form and job grants of one person to another person. The recipient will then have access to functionality specified by their own security role grants, those menus, forms and jobs copied from the other person and any additional menus, forms and jobs explicitly recorded in this form.

Web Page Grants
This block is used to record and display the Web Pages granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

Web Resource Grants
This block is used to record and display the Web Resources granted to a person in addition to those granted as a result of the person's security role(s). Use the Back button to exit this block.

Advanced Functions
System-defined Advanced Functions can be added or removed for a user in this form.
e.g. If a NAME-UPD Advanced Function is granted to a user, that user will not be able to update a person's name in any SMS form. The only exception to this restriction will be cases where the creator of a Person record attempts to change the Person Name on the same day that the record was created.
Some system Advanced Functions are VET specific and some are HE specific. Cross sector installations of Callista will have all Advanced Functions available for selection in this form.
Note that granting the VENUE_OVRD Advanced Function to a user, will allow that user to allocate further students to Activity Offerings in Venues, when the designated maximum number of students for that venue has been reached. This Advanced Function should only be granted to users that will appreciate the Occupational Health and Safety implications of such an action. Allocation of students to Activity Offerings can be performed in ENRF4200. A user with the VENUE_OVRD Advanced Function is able to select the Exceed Real Limit check box in this form.
The maximum number of students in an Activity Offering is designated in CRSF2800.
Granting the CLASH-OVRD Advanced Function to a user will allow that user to deselect the No Clashes Allowed checkbox in ENRJ4700 and allow them to select the Clashes Override checkbox in ENRF4200 and ENRF4250.

For a summary of Advanced Functions available in Callista - go to the Advanced Functions page.

The Advanced Function VIEW-COMC cannot be applied to a user. This Advanced Function can only be applied at the Security Role level (see SECF0063).

To grant a person access to a menu, using the Maintain Person Function Grants form:

Locate the Person record for which access is to be granted by either querying directly in the person block or selecting the Find Person icon
Navigate to the Person Menu Grant block
Enter Insert mode
Select the menu to be granted from the list of values (or key a valid value) in the Menu Code field of a blank record
If this menu is to be the default menu for the person, select the Default Menu check box
Do not select any Administrator check box without reading the relevant rule, opposite
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

All required menus including sub-menus should be granted via this form only where it is not practical to provide the necessary grants via security roles.

Only one menu can be flagged as the default menu. A default menu set here will override any default menus inherited via security roles.

Granting a person access to a particular menu does not necessarily ensure access to forms and jobs under the menu's structure. The forms and jobs must be specifically granted to either a role granted to the person or via a person form/job grant.

Selecting any Administrator check box, grants the user the ability to:

access every form and job in the system.
set the default printer for a user with report run privileges.
give a user the ability to submit a standing request when scheduling Callista jobs.

The Form Grants button - overlay contains:

Form
Title
Grant Query Only check box
Back button

To grant a person access to a form, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the Form Grants button to display the Person Form Grant block
Enter Insert mode
Select the form to be granted from the list of values (or key a valid value) in the Form field of a blank record
If access is to be granted to the form for inquiry use only, select the Grant Query Only check box
Repeat step 4. To grant more forms to the person
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

A person will only have access to those forms specified here and by their security role grant(s).

A person may be granted forms without necessarily being granted menus containing those forms. In such cases, the forms can be selected via the Go To and Alpha List facilities.

Only forms with their Query Only Mode Valid indicator set (in SECF0060) can be granted as 'query only' in this form.

To remove a person's access to a form, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block
Select the Form Grants button to display the Person Form Grant bloc.
Select the form for which access is to be deleted
Delete record
Save
Select the Back button
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

See Rules/Notes on 'Advanced Functions' button above for conditions to deny a person access to update a person's name in any SMS form.

The Job Grants button - overlay contains:

Job Name
Short Title
Override Priority check box
Back button

To grant a person access to a job, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block.
Select the Job Grants button to display the Person Job Grant block.
Enter Insert mode.
Select the job to be granted from the list of values (or key a valid value) in the Job Name field of a blank record.
If the person has the authority to override the System priority of this job, select the Override Priority check box.
Repeat step 4 and 5 to grant more jobs to the person.
Save.
Select the Back button.
Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

A person will only have access to those jobs specified here and by their security role grant(s).

A person may be granted jobs without necessarily being granted menus containing those jobs. In such cases, the jobs can be selected via the Go To and Alpha List facilities.

To remove a person's access to a job, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block.
Select the Job Grants button to display the Person Job Grant block.
Select the job for which access is to be deleted.
Delete record.
Save.
Select the Back button.
Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

The Self Serve Application Grants button - overlay contains:

Self Serve Application
Description
Back button

To grant a person access to a Self Serve Application, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block.
Select the Self Serve Application Grants button to display the Person Self Serve Application Grant block.
Enter Insert mode.
Select the Self Serve Application to be granted from the list of values (or key a valid value) in the Self Serve Application field of a blank record.
Repeat step 4 to grant more Self Serve Applications to the person.
Save.
Select the Back button.
Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

You cannot create a Person Self Serve Application Grant for a deceased person.

When creating a Person Self Serve Application Grant, the Self Serve Application must be mapped to a System Self Serve Application that is not closed.

To remove a person's access to a Self Serve Application, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block.
Select the Self Serve Application Grants button to display the Person Self Serve Application Grant block.
Select the Self Serve Application for which access is to be deleted.
Delete record.
Save.
Select the Back button.
Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

The SSF Menu Grants button - overlay contains:

SSF Menu Code
Description
Default SSF Menu check box
Search Menu check box
Back button

To grant a person access to a SSF Menu Grants, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block.
Select the SSF Menu Grants button to display the Person SSF Menu Grant block.
Enter Insert mode.
Select the SSF Menu to be granted from the list of values (or key a valid value) in the SSF Menu Code field of a blank record.
If this menu is to be the default menu for this reason, select the Default SSF Menu check box.
Select the Search Menu check box if Staff Connect functionality.
Repeat step 4 to grant more SSF Menus to the person.
Save.
Select the Back button.
Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

You cannot create a Person SSF Menu Grant for a deceased person.

The Web Element must have a System Web Element Type of Menu when creating a Person SSF Menu Grant.

The Web Element must not be closed when creating a Person SSF Menu Grant.

The Search Menu check box allows users to identify which SSF Menu will be utilized by the Enter Search Results Application if user has Staff connect functionality. User can only select one menu as the search menu

Only one Menu can be set as the default.

To remove a person's access to a SSF Menu, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block.
Select the SSF Menu Grants button to display the Person SSF Menu Grant block.
Select the SSF Menu for which access is to be deleted.
Delete record.
Save.
Select the Back button.
Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

The Copy From button - overlay contains:

Person ID
Oracle Username
Copy button
Cancel button

To copy menu, form, web page and job grants from one person to another, using the Maintain Person Function Grants form:

Ensure the recipient person record is displayed in the Person block.
Select the Copy From button to display the Copy From block.
Enter the person ID or Oracle username of the person whose records are to be copied in the relevant field.
Execute the query.
Select the Copy button. The menu, form, web pages and job grants of the person queried in steps 3 and 4 will be copied to the recipient and be automatically saved.
Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

The person ID or Oracle username of the person whose records are being copied must be known in order to perform this function.

On executing the Copy function, the records copied to the recipient are automatically saved.

To display the copied menu grants it is necessary to re-query the Person Menu Grant block. Navigating to the relevant Grant blocks will automatically re-query these blocks.

If the context person does not have an oracle username, then the 'Copy From' process only copies across Person Menu Grants, Person Web Page Grants and Advanced Functions. If the 'copy from' person has grants to inappropriate objects, then a dialog box is displayed warning the user of this and asking them if they wish to continue. If they do continue, then only the appropriate grants will be copied across.

The Web Page Grants button - overlay contains:

Web Page
Description
Grant Query Only check box
Back button

To grant a person access to a web page, using the Maintain Person Function Web forms form:

Ensure the correct person record is displayed in the Person block.
Select the Web Page Grants button to display the Person Web Page Grant block.
Enter Insert mode.
Select the web page to be granted from the list of values (or key a valid value) in the Web Page Name field of a blank record.
Repeat to grant more web pages to the person.
Save.
Select the Back button.

Rules/Notes:

A person will only have access to those web pages specified here and by their security role grant(s).

A person may be granted web pages without necessarily being granted menus containing those jobs. In such cases, the jobs can be selected via the Go To and Alpha List facilities.

Web Pages are defined in SECF0080.

To remove a person's access to a web page, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block.
Select the Web Page Grants button to display the Person We Page Grant block.
Select the web page for which access is to be deleted.
Delete record.
Save.
Select the Back button.

Rules/Notes:

The Web Resource Grants button - overlay contains:

Web Resource
Description
Grant Query Only check box
Back button

To grant a person access to a web resources, using the Maintain Person Function Web forms form:

Ensure the correct person record is displayed in the Person block.
Select the Web Resource Grants button to display the Person Web Resource Grant block.
Enter Insert mode.
Select the web resource to be granted from the list of values (or key a valid value) in the Web Resource Name field of a blank record.
Repeat to grant more web pages to the person.
Save.
Select the Back button.

Rules/Notes:

A person will only have access to those web resources specified here and by their security role grant(s).

A person may be granted web resources without necessarily being granted menus containing those resources. In such cases, the resources can be selected via the Go To and Alpha List facilities.

Web Resources are defined in SECF0081.

To remove a person's access to a web resource, using the Maintain Person Function Grants form:

Ensure the correct person record is displayed in the Person block.
Select the Web Resource Grants button to display the Person Web Resource Grant block.
Select the web resource for which access is to be deleted.
Delete record.
Save.
Select the Back button.

Rules/Notes:

Last Modified on 30-May-2012 9:18 AM

History Information

Release Information	Project	Change to Document
15.0	1747 - 11g Product Structure	Added details for Web Resource Grants.
13.0.0.2	1580 - Communication	Added note about Advanced Function VIEW-COMC
13.0.0.2	1578 - CAPS part 3	Added link to Advanced Functions page
12.0.0.2	1595 - Security 2009	Removed restriction on query that previously returned only person records that have been registered as Oracle users in the Maintain System Users form.
11.1.0.3	CAPS - Pt 1	Added new CAPS Advanced Functions
11.0.0.2	1450 - Attend Enhancements	Modified Advanced Functions section in Person Block Rules/Notes
11.0.0.0.0.0	1416 - Apprentice Management	Added references to Web pages