Purpose

To control the primary level of data access of users of the system.

SubSystem

Security

Person block

The Person block displays personal details that have already been recorded in the System, for a person. Additional information may be added in this block to record the person as a System user. The buttons (from the sub block), invoke restriction forms that allow the user's access to be restricted to data for particular organisational units or data for particular correspondence types.

A validation prevents the password being updated if the user has a username matching one of the database schema owner users (eg. SIS_OWNER, CC_OWNER, COFI_OWNER, etc). In addition, the ability to inactivate the person as an Oracle user will be prevented for these particular users.

Having established a person as a system user, it is necessary to grant them access to the areas of the system that they are entitled to use. This is accomplished by assigning Security Roles to them. Security Roles define the primary levels of access to the system and are created and maintained by the Database Administrator. Security Roles also give a system user access to specific menu items that have been granted to their Security Role (see SECF0063).

Access can be further controlled by the use of the Auto Enable check box. If the check box is deselected for a role grant, the user is only able to access data applicable to that role by using Callista forms, jobs and reports. If the check box is selected for the role grant, the user has the same data access via Callista but is also able to access that data using applications other than Callista (eg. third party reporting tools).

Note that a person can be a non-oracle user and still be granted roles using this form (but not the corresponding oracle role). When inserting/deleting person_role_grant records, the form will only attempt to grant/revoke the corresponding oracle role if the person is an active oracle user.

The Person block contains:

• Person ID
• Oracle Username
• Password
• Active Oracle User check box

  Restrictions sub block contains:

  • Organisational Unit button (SECF0032)
  • Note Type button (SECF0021)
  • Correspondence Type button (SECF0033)
  • Appeal Type (SECF0090)

The Person Role Grant block contains:

• Security Role
• Description
• Include deleted grants check box
• Auto Enable check box
• Creation Date
• Deletion Date
• Notes.

Rules/Notes:

If a Person record exists with the Oracle Username field matching one of the database Schema Owner Usernames, the following actions will be prevented:

• Any attempt to key into the Username field on the form will be prevented and the error message described in the Validations section will be raised.
• Any attempt to uncheck the Oracle User checkbox will be prevented and the error message described in the Validations section will be raised.

The manner in which the database Schema Owners are identified can probably be no more elaborate than returning all of the distinct owners who own any objects in the database.

Each Restrictions navigation button is only available to users who have Security Access to the form that it navigates to.

Validations include:

• When the Active Oracle User checkbox is unchecked, validate that the Person does not have any object grants in the database via the Person Object Role.
  

To record a person as a System user using the Maintain System Users form:

• Execute a query to locate the record of the person to be recorded as a user.
• Enter the person's username in the Oracle Username field.
• Enter a password for the person.
• Save.
• Select the Active Oracle User checkbox.

Rules/Notes:

The password field may be used to create a temporary password for users who have lost their password.

To grant a Security Role to a System user using the Maintain System Users form:

• Ensure that the correct user record is displayed in the Person block.
• Select the appropriate Security Role from the list of values in the Security Role field. (The creation time and date will be entered automatically.)
• Select or deselect the Auto Enable checkbox as appropriate.
• Enter any notes regarding this role grant in the Notes field.
• Save.

Rules/Notes:

When a user is granted a security role their access to particular note types may be affected by note type restrictions applied to that role in SECF0041.

If their is a conflict in these restrictions (i.e. Note Types from within the same Note Type Group have different Restricted Select values) then a warning will display and log records will be created that can be viewed in GENF0001.

If there is an overlap in restrictions (i.e. Different Note Type Restrictions applied to a Note Type) then no warning is displayed, but log records (overlap) are created and can be viewed in GENF0001.

A warning is displayed if the context Person is not an active oracle user and the role contains grants to forms, jobs, self serve applications and/or SSF menus.

Assigning a Security Role to a system user gives them access to specific menu items that have been granted to the Security Role (see SECF0063).

• Ensure that the correct user record is displayed in the Person block.
• Select the Security Role to be deleted.
• Delete record.
• Save.

Rules/Notes:

When a security role is removed from a user the system redetermines their effective note type restrictions. Warnings and Log records are generated as described in the previous Rules/Notes section.

To inquire on the Security Roles granted to an individual user using the Maintain System Users form:

• Locate the required user record in the Person block. (Security Roles granted to the user will be displayed in the Person Role Grant block.)

If the Include Deleted Grants checkbox is selected, all of the Security Roles which have ever been granted to the user will be displayed.

The deletion time and date for deleted Security Roles will also be displayed. If the Include Deleted Grants checkbox is not selected, only those Security Roles currently granted to the user will be displayed.

Selecting or deselecting the Include Deleted Grants checkbox does not have immediate effect. The records in the Person Role Grant block must be requeried for the displayed records to be reflected in the change.