Top of SEC Index Table of Contents Feedback

SECF0062 - Maintain Person Function Grants

Purpose

To assign system menu, Staff Connect application, SSF menu, form, job and web resource access to individual users.
 Function grants to individual users should only be considered when it is not practical to provide the necessary grants via security roles.

Subsystem Security
Normally Run By Administration Specialist

Anticipated Frequency

At the beginning of the Course Year, or as required

Structure

Blocks

Person

Person Menu Grant

Buttons

 

Find Person (ADMF1211)

Form Grants (Overlay)
Job Grants (Overlay)
Self Serve Application Grants (Overlay)
SSF Menu Grants (Overlay)

Copy From (Overlay)

Reconcile Object Grants (SECJ0070)
Web Page Grants (Overlay)
Web Resource Grants (Overlay)
WS Method Grants (SECF0097)
Advanced Functions (Overlay)

 

A person can be granted access to functions beyond those made available by the Security Role(s) (see SECF0063) to which they have been granted, by recording those functions in this form.

When granting access to new functions the user’s Object Grants need to be reconciled. Clicking on the Reconcile Object Grants button initiates a process that checks that the person has the necessary access to the database objects for all forms, jobs, ADF pages and Staff Connect applications granted to them. If the process identifies any object grants that are missing they will be added, while any that are no longer required are deleted. Object grant reconciliation can also be performed as an after-hours batch job using SECJ0070. This job reconciles the grants of all users, in a single run.

Note:  If a form calls another form, by either a button or an iconic button, or a form calls a report, automatically or by a button, then a person being granted the 'calling' form should also be granted the 'called' function. Failure to grant the called function to the user will result in errors. For example Record Admission Enquiry form (ADMF1200) calls the Find Course Form (ADMF1220) or  the Basic Course Details form (CRSF1210) calls the Rollover Exception Report (CRSR0630) automatically; or  the Academic History report (ENRR08M0) is called via a button in the Student Course Attempt Inquiry screen (INQF1200).

Person block

This block displays information identifying the person to whom menu, form, job and web page access is granted. If the person's identification number or Oracle username are known, query directly in this block. If not, select the Find Person icon and use the Find Person form (ADMF1211) to locate the correct person record. A query in this block will return all person records that satisfy the query criteria, not just person records that have been registered as Oracle users in the Maintain System Users form (SECF0021).

Each time a person's security grants are updated, as the final operation, the Reconcile Object Grants button should be selected. This ensures that the person has the correct access to database objects for the functions granted to them. The process automatically adds any missing object grants and deletes any which are no longer required. The job SECJ0070 can be run (usually after hours) to reconcile the grants of all system users, ensuring that none are overlooked by the reconciliation process. Reconciliation of Object Grants provides further information on the subject.

Person Menu Grant block

This block is displayed on entry to this form and is used to record and display System menus granted to a person in addition to those granted as a result of the Person's security role(s) (in SECF0063).
By clicking on buttons in the Person block, different information will display here. e.g. Click on the Form Grants button to display Person Form Grants.
Click on the Back button brring back the Person Menu Grant block.

This form is accessed from the main menu.

 

Person Block:

  • Person ID
  • Oracle Username
  • Auto Enable check box
    If checked, then the privileges granted to the user via this form will be enabled for the user when connecting to the database outside the Callista application. If unchecked, then the privileges granted to the user via this form will only be enabled for the user inside the Callista application.

    Buttons

    • Find Person (ADMF1211)
    • Form Grants
      • Form Grants
      • Form (LOV)
      • Title
      • Grant Query Only check box
      • Back button
    • Job Grants
      • Job Name (LOV)
      • Short Title
      • Override Priority check box
      • Back button
    • Self Serve (SSF) Application Grants
      • Self Serve Application (LOV)
      • Description
      • Back button
    • SSF Menu Grants
      • SSF Menu Code (LOV)
      • Description
      • Default SSF Menu check box
      • Search Menu check box
      • Back button
    • Copy From ...
      • Person ID
      • Oracle Username
      • Copy button
      • Cancel button
    • Reconcile Object Grants (SECJ0070)
    • Web Page Grants
      • Web Page
      • Description
      • Query Only check box
      • Back button
    • Web Resource Grants
      • Web Resource
      • Description
      • Query Only check box
      • Back button
    • WS Method Grants (SECF0097)
    • Advanced Functions
      • Advanced Function (LOV)
      • Description
      • Back button

Person Menu Grant block:

  • Menu code
  • Title
  • Default Menu check box
  • Administrator check box

Rules/Notes:

Note: If the context person has not been registered as Oracle users in the Maintain System Users form (SECF0021), then the various Grants buttons and the Auto Enable checkbox will be disabled.

Form Grants
This block is used to record and display forms granted to a person in addition to those granted as a result of the person's security role(s) (in SECF0063). Use the Back button to exit this block.

Job Grants
This block is used to record and display jobs granted to a person in addition to those granted as a result of the person's security role(s) (in SECF0063). Use the Back button to exit this block.

Self Serve Application Grants
This block is used to record and display Self Serve Applications granted to a person in addition to those granted as a result of the person's security role(s) (in SECF0063). Use the Back button to exit this block.

SSF Menu Grants
This block is used to record and display the Self Serve Facility (SSF) menus granted to a person in addition to those granted as a result of the person's security role(s) (in SECF0063). Use the Back button to exit this block.

Copy From ...
This function permits the copying of the menu, Form and Job Grants from one Person to another Person. The recipient will then have access to functionality specified by their own Security Role grants (SECF0063) - those menus, forms and jobs copied from the other Person; and any additional menus, forms and jobs explicitly recorded in this form for the Person.

Web Page Grants
Web Page Grants (ADF pages) should not be selected in post-15.0 Callista Release environments. The corresponding Web Resource Grant records (see definition, below) should be selected instead. Use the Back button to exit this block.

Web Resource Grants
This block is used to record and display Web Resources granted to a person in addition to those granted as a result of the person's Security Role(s) (SECF0063). Use the Back button to exit this block.
Web Resources are defined in SECF0081.

WS Method Grants navigates to 'Maintain Person Web Service Method Grants' (SECF0097) from where Web Service method grants can be applied to the context Person.
Note: Web Service Method grants can be copied to another Person (via 'Copy From'), only if the Person logged in has access to the 'Maintain Person Web Service Method Grants' (SECF0097) form.

Advanced Functions
System-defined Advanced Functions can be added or removed for a user in this form. Use the Back button to exit this block.

For a summary of Advanced Functions available in Callista - go to the Advanced Security Functions page.

For example, if a NAME-UPD Advanced Function is granted to a user, that user will not be able to update a person's name in any SMS form. The only exception to this restriction will be cases where the creator of a Person record attempts to change the Person Name on the same day that the record was created.

Some system Advanced Functions are VET specific and some are HE specific. Cross sector installations of Callista will have all Advanced Functions available for selection in this form.

Note that granting the VENUE_OVRD Advanced Function to a user, will allow that user to allocate students to Activity Offerings in Venues, despite the designated maximum number of students for that venue has been reached. This Advanced Function should only be granted to users that will appreciate the Occupational Health and Safety implications of such an action. Allocation of students to Activity Offerings can be performed in ENRF4200. A user with the VENUE_OVRD Advanced Function is able to select the Exceed Real Limit check box in this form.
The maximum number of students in an Activity Offering is designated in CRSF2800.
Granting the CLASH-OVRD Advanced Function to a user will allow that user to deselect the No Clashes Allowed checkbox in ENRJ4700 and select the Clashes Override checkbox in ENRF4200 and ENRF4250.

The Advanced Function VIEW-COMC cannot be applied to a user. This Advanced Function can only be applied at the Security Role level (see SECF0063).

To Grant a Person Access to a Menu (using this Form):

  • Locate the Person record for which access is to be granted by either querying directly in the person block or selecting the Find Person icon.
  • Navigate to the Person Menu Grant block.
  • Enter Insert mode.
  • Select the menu to be granted from the list of values (or key a valid value) in the Menu Code field of a blank record.
  • If this menu is to be the default menu for the person, select the Default Menu check box.
  • Do not select any Administrator check box without reading the relevant rule, opposite.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

All required menus including sub-menus should be granted via this form only where it is not practical to provide the necessary grants via Security Roles in SECF0063.

Only one menu can be flagged as the default menu. A default menu set here will override any default menus inherited via security roles (see SECF0063).

Granting a person access to a particular menu does not necessarily ensure access to forms and jobs under the menu's structure. The forms and jobs must be specifically granted to either a Security Role (SECF0063) granted to the person or via a person form/job grant.

Selecting any Administrator check box, grants the user the ability to:

  • access every form and job in the system.
  • set the default printer for a user with report run privileges.
  • give a user the ability to submit a standing request when scheduling Callista jobs.

The Form Grants Button - overlay contains:

  • Form
  • Title
  • Grant Query Only check box
  • Back button

To Grant a Person Access to a Form (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the Form Grants button to display the Person Form Grant block.
  • Enter Insert mode.
  • Select the form to be granted from the list of values (or key a valid value) in the Form field of a blank record.
  • If access is to be granted to the form for inquiry use only, select the Grant Query Only check box.
  • Repeat step 4. To grant more forms to the person.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070.
 Rules/Notes:

A person will only have access to those forms specified here and by their security role grant(s) (see SECF0063).

A person may be granted forms without necessarily being granted menus containing those forms. In such cases, the forms can be selected via the Go To and Alpha List facilities.

Only forms with their Query Only Mode Valid indicator set (in SECF0060) can be granted as 'query only' in this form.

To Remove aPperson's Access to a Form (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the Form Grants button to display the Person Form Grant block.
  • Select the form for which access is to be deleted.
  • Delete record.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

See Rules/Notes on 'Advanced Functions' button above for conditions to deny a person access to update a person's name in any SMS form.

The Job Grants button - overlay contains:

  • Job Name.
  • Short Title.
  • Override Priority check box.
  • Back button.

To Grant a Person Access to a Job (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the Job Grants button to display the Person Job Grant block.
  • Enter Insert mode.
  • Select the job to be granted from the list of values (or key a valid value) in the Job Name field of a blank record.
  • If the person has the authority to override the System priority of this job, select the Override Priority check box.
  • Repeat previous two steps to grant more jobs to the person.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

A person will only have access to those jobs specified here and by their security role grant(s) (see SECF0063).

A person may be granted jobs without necessarily being granted menus containing those jobs. In such cases, the jobs can be selected via the Go To and Alpha List facilities.

To Remove a Person's Access to a Job (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the Job Grants button to display the Person Job Grant block.
  • Select the job for which access is to be deleted.
  • Delete record.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

The Self Serve Application Grants button - overlay contains:

  • Self Serve Application
  • Description
  • Back button

To Grant a Person Access to a Self Serve Application (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the Self Serve Application Grants button to display the Person Self Serve Application Grant block.
  • Enter Insert mode.
  • Select the Self Serve Application to be granted from the list of values (or key a valid value) in the Self Serve Application field of a blank record.
  • Repeat this step to grant more Self Serve Applications to the person.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

You cannot create a Person Self Serve Application Grant for a deceased person.

When creating a Person Self Serve Application Grant, the Self Serve Application must be mapped to a System Self Serve Application that is not closed.

To Remove a Person's Access to a Self Serve Application (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the Self Serve Application Grants button to display the Person Self Serve Application Grant block.
  • Select the Self Serve Application for which access is to be deleted.
  • Delete record.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

The SSF Menu Grants button - overlay contains:

  • SSF Menu Code
  • Description
  • Default SSF Menu check box
  • Search Menu check box
  • Back button

To Grant a Person Access to a SSF Menu Grants (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the SSF Menu Grants button to display the Person SSF Menu Grant block.
  • Enter Insert mode.
  • Select the SSF Menu to be granted from the list of values (or key a valid value) in the SSF Menu Code field of a blank record.
  • If this menu is to be the default menu for this reason, select the Default SSF Menu check box.
  • Select the Search Menu check box if Staff Connect functionality.
  • Repeat step 4 to grant more SSF Menus to the person.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070

Rules/Notes:

You cannot create a Person SSF Menu Grant for a deceased person.

The Web Element must have a System Web Element Type of Menu when creating a Person SSF Menu Grant.

The Web Element must not be closed when creating a Person SSF Menu Grant.

The Search Menu check box allows users to identify which SSF Menu will be utilized by the Enter Search Results Application if user has Staff connect functionality. User can only select one menu as the search menu

Only one Menu can be set as the default.

To Remove a Prson's Access to a SSF Menu (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the SSF Menu Grants button to display the Person SSF Menu Grant block.
  • Select the SSF Menu for which access is to be deleted.
  • Delete record.
  • Save.
  • Select the Back button.
  • Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

The Copy From button - overlay contains:

  • Person ID
  • Oracle Username
  • Copy button
  • Cancel button

To Copy Menu, Form, Web Page/Web Resource and Job Grants from one Person to Another (using this form):

  • Ensure the recipient person record is displayed in the Person block.
  • Select the Copy From button to display the Copy From block.
  • Enter the person ID or Oracle username of the person whose records are to be copied in the relevant field.
  • Execute the query.
  • Select the Copy button. The menu, form, web pages and job grants of the person queried in steps 3 and 4 will be copied to the recipient and be automatically saved.
  • Select the Reconcile Objects button or run SECJ0070.

Rules/Notes:

The person ID or Oracle username of the person whose records are being copied must be known in order to perform this function.

On executing the Copy function, the records copied to the recipient are automatically saved.

To display the copied menu grants it is necessary to re-query the Person Menu Grant block. Navigating to the relevant Grant blocks will automatically re-query these blocks.

 

The Web Page Grants button - overlay contains:

  • Web Page
  • Description
  • Grant Query Only check box
  • Back button

Rules/Notes:

Web Page Grants should not be selected in post-15.0 Callista Release environments. The corresponding Web Resource Grant records (see below) should be selected instead.
The Web Resource Grants button - overlay contains:
  • Web Resource
  • Description
  • Grant Query Only check box
  • Back button

To Grant a Person Access to a Web Resource (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the Web Resource Grants button to display the Person Web Resource Grant block.
  • Enter Insert mode.
  • Select the web resource to be granted from the list of values (or key a valid value) in the Web Resource Name field of a blank record.
  • Repeat to grant more web pages to the person.
  • Save.
  • Select the Back button.

Rules/Notes:

Web Resources are defined in SECF0081.

A Person only has access to Web Resources specified in this form, and those to which their Security Role(s) has been granted access in SECF0063.

A Person may be granted Web Resources without necessarily being granted menus containing those resources. In such cases, the resources can be selected via the Go To and Alpha List facilities.

Sub menus containing web resources are accessible via the ADF Menu. These may include forms and Staff Connect pages as well as ADF pages (see ADF Menus).

Non-Menu Accessible Web Resources:

The Menu Access indicator in SECF0081 is used to indicate whether a Web Resources is to be accessible directly from Menus/Sub-Menus (see SECF0061) or whether it is to be accessed indirectly from within other Web Resources.
Appropriate grants (Role or Person-based) must still be registered for non-menu accessible Web Resources that are accessed indirectly via another Web Resource (page). In the absence of such grants an attempt to access a Web Resource indirectly from within another will result in a permissions error.

To Remove a Person's Access to a Web Resource (using this form):

  • Ensure the correct person record is displayed in the Person block.
  • Select the Web Resource Grants button to display the Person Web Resource Grant block.
  • Select the web resource for which access is to be deleted.
  • Delete record.
  • Save.
  • Select the Back button.
  

 

Last Modified on 13-Apr-2015 3:58 PM

History Information

Release Information Project Change to Document
17.1 2010 - API Improvements (Security) Added the WS Methods Grants button and description.
16.1.0.0.1 1917 - UI Consolidation Changes throughout this help page relating to 11g menus and web resources.
15.0.0.2 1842 - Support Calipso 36395

Added notes about Web Resources and Web Pages, access to menu items re: Security Roles, & non-menu accessible Web Resources.
15.0 1747 - 11g Product Structure Added details for Web Resource Grants.
13.0.0.2 1580 - Communication Added note about Advanced Function VIEW-COMC
13.0.0.2 1578 - CAPS part 3 Added link to Advanced Functions page
12.0.0.2 1595 - Security 2009 Removed restriction on query that previously returned only person records that have been registered as Oracle users in the Maintain System Users form.
11.1.0.3 CAPS - Pt 1 Added new CAPS Advanced Functions
11.0.0.2 1450 - Attend Enhancements Modified Advanced Functions section in Person Block Rules/Notes
11.0.0.0.0.0 1416 - Apprentice Management Added references to Web pages