SECF0063 - Maintain Security Role Function Grants

Purpose

To assign access to various system menus and elements to individual Security Roles. Also, if required, to apply various restrictions to those roles.
When users are granted Security Roles they inherit the Function Grants for those roles, as defined in this form.

Subsystem: Security
Normally Run By: Administration Specialist

Anticipated Frequency

At the beginning of the Course Year, or as required.

Structure

Blocks

Security Role

Security Role Menu Grant

Buttons

Form Grants (Overlay)
Job Grants (Overlay)
SSF Application Grants (Overlay)
SSF Menu Grants (Overlay)
Web Page Grants (Overlay)
Web Resource Grants (Overlay)
Copy From ... (Overlay)
Advanced Functions (Overlay)
Note Type Restrictions (SECF0041)
Reconcile Object Grants (SECJ0070)
Appeal Type Restrictions (SECF0091)
Encumbrance Type Restrictions (SECF0093)
Communication Category Restrictions (SECF0073)
Proposal Type Restrictions (SECF0095)

 

A Database Administrator (DBA) creates user roles for use in Callista. A user role specifies the full range of functionality potentially available to users granted that role. The Security Administrator can define the access of a user role by individually specifying in this form the Menus, Forms, Web Resources, Jobs, Reports, Self Serve Applications and SSF Menus that the role can access.

Note: Web Page Grants should not be selected in post-15.0 Callista Release environments. The corresponding Web Resource Grant records should be selected instead.

Selecting the Reconcile Object Grants button initiates a process that checks that the role has the necessary Object Grants for all of its Form, Job and SSF Application Grants. Any Object Grants that are missing are added, while any that are no longer required are deleted. Object Grant reconciliation can also be performed as an 'after hours' batch job using SECJ0070.

Note:
If a form calls another form, by either a button or an iconic button, or a form calls a report, automatically or by a button, then a person being granted the 'calling' form should also be granted the 'called' function. Failure to grant the called function to the user will result in errors. For example, the Record Admission Enquiry form (ADMF1200) calls the Find Course form (ADMF1220); the Basic Course Details form (CRSF1210) calls the Rollover Exception Report (CRSR0630) automatically; and the Academic History report (ENRR08M0) is called via a button in INQF1200, the Student Course Attempt Inquiry screen.
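The check described in the note above, as an added example that is not part of the Callista documentation or product code: a Python audit that flags roles holding a 'calling' function without the 'called' one. The three call pairs come from the note; the role names and their grants are constructed sample data, and following calls transitively goes beyond the direct pairs the note lists.

```python
from collections import deque

# Call relationships named in the note above (caller -> called functions).
# A site would extend this map from its own knowledge of the forms.
CALLS = {
    "ADMF1200": {"ADMF1220"},  # Record Admission Enquiry -> Find Course
    "CRSF1210": {"CRSR0630"},  # Basic Course Details -> Rollover Exception Report
    "INQF1200": {"ENRR08M0"},  # Student Course Attempt Inquiry -> Academic History
}

# Constructed sample data: hypothetical role names and their form/report grants.
ROLE_GRANTS = {
    "ADM_CLERK": {"ADMF1200", "ADMF1220"},
    "CRS_MAINT": {"CRSF1210"},
    "ENQUIRY": {"INQF1200", "ADMF1200", "ENRR08M0"},
}


def missing_called_functions(granted, calls):
    """Return {missing function: [callers that need it]} for one role.

    Walks the call map breadth-first from the granted functions, so a
    function called by an ungranted (but required) function is reported too.
    Cycles in the call map are handled by the visited set.
    """
    granted = set(granted)
    visited = set(granted)
    queue = deque(sorted(granted))
    missing = {}
    while queue:
        caller = queue.popleft()
        for called in sorted(calls.get(caller, ())):
            if called not in granted:
                missing.setdefault(called, set()).add(caller)
            if called not in visited:
                visited.add(called)
                queue.append(called)
    return {fn: sorted(callers) for fn, callers in missing.items()}


def audit_roles(role_grants, calls):
    """Return only the roles that have at least one missing called function."""
    report = {}
    for role, granted in role_grants.items():
        gaps = missing_called_functions(granted, calls)
        if gaps:
            report[role] = gaps
    return report


if __name__ == "__main__":
    for role, gaps in sorted(audit_roles(ROLE_GRANTS, CALLS).items()):
        for fn, callers in sorted(gaps.items()):
            print(f"{role}: grant {fn} (called by {', '.join(callers)})")
```

A role reported here needs the listed function granted in this form, followed by the Reconcile Object Grants button or SECJ0070.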

The Grant Menu Structure process grants the user role a menu structure containing all of the sub-menus, forms, jobs and reports under the selected menu. Menu structures are maintained in SECF0061.

Further details are provided in the Security technical information in the Callista Product Centre (wiki.callista.com.au/display/CPC).

Security Role Block

This block displays information identifying the Security Role to which menu and form access is granted via this form. This block can be queried to locate the Security Role to which menus, forms and/or jobs are to be granted.

The granting of a menu and sub-menus alone will not give access to the items (forms and jobs) in those menus. Security Roles must also be granted access to the relevant forms/jobs. Even then, access may be limited if the Security Roles do not have the necessary data level access.

Each time form, job, web resource or SSF application grants for a Security Role are updated, as the final operation, either the Reconcile Object Grants button should be selected or job SECJ0070 should be run to perform the reconciliation. This ensures that the role has the correct object grants allocated to it. The process automatically adds any missing Object Grants and deletes any that are no longer required. Reconciliation of Object Grants provides further information on the subject.

Security Role Menu Grant Block

This block is used to record and display System menus granted to the displayed Security Role(s). Menus may be granted individually, or whole menu structures, including sub menus, forms and jobs may be granted in a single operation using the Grant Menu Structure function.

  • Form Grants Button
    This block is used to record and display the forms to which access has been granted for the displayed Security Role.
  • Job Grants Button
    This block is used to record and display the jobs to which access has been granted for the displayed Security Role.
  • SSF Application Grants Button
    This block is used to record and display the Self Serve Application to which access has been granted for the displayed Security Role when the user has access to Callista Connect.
  • SSF Menu Grants Button
    This block is used to record and display the SSF Menus to which access has been granted for the displayed Security Role when the user has access to Callista Connect.
  • Web Page Grants Button
    This block is used to record and display the Web Pages to which access has been granted for the displayed Security Role.

    Note: Web Page Grants should not be selected in post-15.0 Callista Release environments. The corresponding Web Resource Grant records should be selected instead.
  • Web Resource Grants Button
    This block is used to record and display the Web Resources (pages) to which access has been granted for the displayed Security Role. (The term 'Web Resource' refers to ADF pages introduced in Release 15.0. They are defined in SECF0081.)
  • Copy (Menu, Form and Job Grants) From (One Security Role to Another) Button
    This function permits the copying of the menu, form and Job Grants of one Security Role to another Security Role. The recipient role will then have access to those menus, forms and jobs copied from the other Security Role and any additional menus, forms and jobs explicitly recorded in this form.
  • Note Type Restrictions Button
    This button navigates to SECF0041 where Note Type Restrictions can be applied to this role.
  • Appeal Type Restrictions Button
    This button navigates to the Maintain Security Appeal Type Restriction (SECF0091) form where Appeal Type restrictions can be applied to this role.
  • Encumbrance Type Restrictions Button
    This button navigates to the Maintain Security Role Encumbrance Type Restrictions form (SECF0093) from where the Encumbrance Type restrictions can be applied to the displayed security role.
  • Communication Category Restrictions Button
    This button navigates to the Maintain Security Role Communication Category Restrictions form (SECF0073) from where the Communication Category restrictions can be applied to the displayed security role.
  • WS Method Grants Button
    This button navigates to the Maintain Role Web Service Method Grants form (SECF0099) from where Web Service restrictions can be applied to the displayed security role.

General

This form allows menus, forms, jobs, web resources and SSF Applications, including the required database object privileges, to be assigned to a Role. When users are granted the Role, they inherit access to the menus, forms, web pages and jobs defined for the Role.

This form is accessed from the main menu.

 

The Security Role block contains:

  • Security Role
  • Creation Date
  • Description

    Buttons

    • Form Grants
      • Form Grants
      • Form (LOV)
      • Title
      • Grant Query Only check box
      • Back button
    • Job Grants
      • Job Name (LOV)
      • Short Title
      • Override Priority check box
      • Back button
    • Self Serve Application Grants
      • Self Serve Application (LOV)
      • Description
      • Back button
    • SSF Menu Grants
      • SSF Menu Code (LOV)
      • Description
      • Default SSF Menu check box
      • Search Menu check box
      • Back button
    • Web Page Grants
      • Web Page
      • Description
      • Grant query Only check box
      • Back button
    • Web Resource Grants
      • Web Resource
      • Description
      • Grant query Only check box
      • Back button
    • WS Method Grants (SECF0099)
    • Copy From ...
      • Person ID
      • Oracle Username
      • Copy button
      • Cancel button
    • Reconcile Object Grants (SECJ0070)
    • Advanced Functions
      • Advanced Function (LOV)
      • Description
      • Back button
    • Note Type Restrictions (SECF0041)
    • Appeal Type Restrictions (SECF0091)
    • Encumbrance Type Restrictions (SECF0093)
    • Communication Category Restrictions (SECF0073)
    • Proposal Type Restrictions (SECF0095)

The Security Role Menu Grant block contains:

  • Menu code
  • Title
  • Default Menu check box

    Button

    • Grant Menu Structure

Rules/Notes:

Web Page Grants
Note: Web Page Grants should not be selected in post-15.0 Callista Release environments. The corresponding 'Web Resource Grant' records should be selected instead (see below).

Web Resource Grants
The term 'Web Resource' refers to ADF pages introduced with Release 15.0 and later. They are defined in SECF0081 and should be selected for ADF pages rather than the corresponding web page grant.

WS Method Grants
This block is used to record and display Web Service Method Grants.
Note: Web Service Method Grants are copied to another Role only if that Role has access to the 'Maintain Person Web Service Method Grants' (SECF0099) form.

Advanced Functions
System-defined Advanced Functions can be added or removed for a Security Role in this form.

For a summary of Advanced Functions available in Callista, go to the Advanced Functions page.

For example, if a NAME-UPD Advanced Function is granted to a Security Role, users with that role will not be able to update a Person's name in any SMS form. The only exception to this restriction will be cases where the creator of a Person record attempts to change the Person Name on the same day that the record was created.

Some System Advanced Functions are VET specific and some are HE specific. Cross-sector installations of Callista will have all Advanced Functions available for selection in this form.

Note that granting the VENUE_OVRD Advanced Function to a user role will allow a user with that role to allocate further students to Activity Offerings in Venues when the designated maximum number of students for that venue has been reached. This Advanced Function should only be granted to roles whose users will appreciate the Occupational Health and Safety implications of such an action. Allocation of students to Activity Offerings can be performed in ENRF4200. A user whose role has been granted the VENUE_OVRD Advanced Function is able to select the Exceed Real Limit check box in this form.
The maximum number of students in an Activity Offering is designated in CRSF2800.

Granting the CLASH-OVRD Advanced Function to a Security Role will allow a user with that Security Role to deselect the No Clashes Allowed checkbox in ENRJ4700 and allow them to select the Clashes Override checkbox in ENRF4200 and ENRF4250.

Applying the VIEW-COMC Advanced Security Function to a Security Role is equivalent to selecting the 'View Only all Communication Categories' check box in SECF0073. It automatically:

  • removes all individual Communication Category restrictions except for 'View' (in SECF0073) from the security role, and
  • adds the COM-TT-CR Advanced Function to the security role.

The Grant Menu Structure button copies data ready for SECJ0070. Once copied the following message is shown: 'Grants successfully copied. Please requery detail to see the changes. Database Object Grants should be reconciled via the Reconcile Object Grants button.'

The Note Type Restrictions button is only available to users who have security access to SECF0041.

The Appeal Type Restrictions button is only available to users who have security access to the Maintain Security Appeal Type Restriction (SECF0091) form.

The Encumbrance Type Restrictions button is only available to users who have security access to the Maintain Security Role Encumbrance Type Restrictions form (SECF0093). SECF0093 is used to control the type and level of access a role has in managing encumbrance processes. For more information, see SECF0093.

The Proposal Type Restrictions button is only available to users who have security access to the Maintain Proposal Type Restrictions form (SECF0095). SECF0095 is used to control the type of proposal that a user with a particular security role can create.

To grant access to a menu, for the displayed Security Role, using this form:
  • Locate the Security Role for which access is to be granted by querying in the Security Role block.
  • Navigate to the Security Role Menu Grant block.
  • Enter Insert mode.
  • Select the menu to be granted from the list of values (or key a valid value) in the Menu Code field of a blank record.
  • If this menu is to be the default menu for the Security Role, select the Default Menu check box.
  • Save.

Rules/Notes:

All required menus including sub-menus must be granted via this form.

Only one menu can be flagged as the default menu.

When system users log in they will only see menu items that have been granted to their Security Role.

To grant access to a menu and all its menu substructure including sub menus, forms and jobs, for the displayed Security Role, using this form:

  • Locate the Security Role for which access is to be granted by querying in the Security Role block.
  • Navigate to the Security Role Menu Grant block.
  • Select the menu whose structure is to be granted, from the displayed Menu Grants, or
  • Grant the menu whose structure is to be granted using the method detailed above.
  • Select the menu whose structure is to be granted, then click on the Grant Menu Structure button.
  • All sub menus, forms and jobs of the selected menu will be granted.
  • Click on the Reconcile Object Grants button or run SECJ0070.

Rules/Notes:

On executing the Grant Menu Structure function, the granted menu structure is automatically saved.

To display the granted sub-menus it is necessary to re-query the Security Role Menu Grant block. To display the granted forms and jobs, it is necessary to navigate to the Form Grant and Job Grant blocks and re-query.

To grant a Security Role access to a form, using this form:

  • Ensure the correct Security Role record is displayed in the Security Role block.
  • Click on the Form Grants button to display the Security Role Form Grant block.
  • Enter Insert mode.
  • Select the form to be granted from the list of values (or key a valid value) in the Form field of a blank record.
  • If access is to be granted to the form for inquiry use only, select the Grant Query Only check box.
  • Repeat to grant more forms to the Security Role.
  • Save.
  • Click on the Back button.
  • Click on the Reconcile Object Grants button or run SECJ0070.

Rules/Notes:

Only forms with their Query Only Mode Valid indicator set (in SECF0060) can be granted as 'query only' in this form.

To remove a Security Role's access to a form, using this form:

  • Ensure the correct Security Role record is displayed in the Security Role block.
  • Click on the Form Grants button to display the Security Role Form Grant block.
  • Select the form for which access is to be deleted.
  • Delete record.
  • Save.
  • Click on the Back button.
  • Click on the Reconcile Object Grants button or run SECJ0070.

To grant a Security Role access to a job, using this form:

  • Ensure the correct Security Role record is displayed in the Security Role block.
  • Click on the Job Grants button to display the Security Role Job Grant block.
  • Enter Insert mode.
  • Select the job to be granted from the list of values (or key a valid value) in the Job Name field of a blank record.
  • If a person with this Security Role has the authority to override the System priority of this job, select the Override Priority check box.
  • Repeat to grant more jobs to the Security Role.
  • Save.
  • Click on the Back button.
  • Click on the Reconcile Object Grants button or run SECJ0070.

To remove a Security Role's access to a job, using this form:

  • Ensure the correct Security Role record is displayed in the Security Role block.
  • Select the Job Grants button to display the Security Role Job Grant block.
  • Select the job for which access is to be deleted.
  • Delete record.
  • Save.
  • Click on the Back button.
  • Click on the Reconcile Object Grants button or run SECJ0070.

To grant a Security Role access to a Self Serve Application, using this form:

  • Ensure the correct Security Role record is displayed in the Security Role block.
  • Click on the Self Serve Application Grants button to display the Security Role Self Serve Application Grant block.
  • Enter Insert mode.
  • Select the Self Serve Application to be granted from the list of values (or key a valid value) in the Self Serve Application Name field of a blank record.
  • If a person with this Security Role has the authority to override the System priority of this Self Serve Application, select the Override Priority check box.
  • Repeat to grant more Self Serve Applications to the Security Role.
  • Save.
  • Click on the Back button.
  • Click on the Reconcile Object Grants button or run SECJ0070.

Rules/Notes:

A function for Callista Connect users.

When creating a Role Self Serve Application Grant, the Self Serve Application must be mapped to a System Self Serve Application that is not closed.

To remove a Security Role's access to a Self Serve Application, using this form:

  • Ensure the correct Security Role record is displayed in the Security Role block.
  • Click on the Self Serve Application Grants button to display the Security Role Self Serve Application Grant block.
  • Select the Self Serve Application for which access is to be deleted.
  • Delete record.
  • Save.
  • Click on the Back button.
  • Click on the Reconcile Object Grants button or run SECJ0070.

Rules/Notes:

See Rules/Notes on the 'Advanced Functions' button above for conditions to deny a person access to update a person's name in any SMS form.

To grant a Security Role access to a SSF Menu, using this form:

  • Ensure the correct Security Role record is displayed in the Security Role block.
  • Click on the SSF Menu Grants button to display the Security Role SSF Menu Grant block.
  • Enter Insert mode.
  • Select the SSF Menu to be granted from the list of values (or key a valid value) in the SSF Menu Name field of a blank record.
  • If this menu is to be the default SSF Menu for this Security Role, select the Default SSF Menu check box.
  • Repeat to grant more SSF Menus to the Security Role.
  • Save.
  • Click on the Back button.
  • Click on the Reconcile Object Grants button or run SECJ0070.

Rules/Notes:

A function for Callista Connect users.

When creating a Role SSF Menu Grant, the Web Element must have a System Web Element Type of Menu.
The Web Element must not be closed when creating a Role SSF Menu Grant.
One and only one Role SSF Menu Grant must be set as the Default SSF Menu for the Role.

To remove a Security Role's access to a SSF Menu, using this form:
  • Ensure the correct Security Role record is displayed in the Security Role block.
  • Click on the SSF Menu Grants button to display the Security Role SSF Menu Grant block.
  • Select the SSF Menu for which access is to be deleted.
  • Delete record.
  • Save.
  • Click on the Back button.
  • Click on the Reconcile Object Grants button or run SECJ0070.

To grant a Security Role access to a Web Page, using this form:

Note: Web Page Grants should not be selected in post-15.0 Callista Release environments. The corresponding Web Resource Grant records should be selected instead.

To grant a person access to a Web Resource, using this form:

  • Ensure the correct Person record is displayed in the Person block.
  • Click on the Web Resource Grants button to display the Person Web Resource Grant block.
  • Enter Insert mode.
  • Select the Web Resource to be granted from the list of values (or key a valid value) in the Web Resource Name field of a blank record.
  • Repeat to grant more Web Resources to the person.
  • Save.
  • Click on the Back button.

Rules/Notes:

Web Resources are defined in SECF0081. These may be ADF pages, forms, jobs or Staff Connect applications.

Sub-menus consisting of only Web Resources will display in the ADF menu (see ADF menus), providing they have menu access granted to them via their user or security role.

A Person may be granted Web Resources without necessarily being granted menus containing those jobs. In such cases, the jobs can be selected via the Go To and Alpha List facilities.

To remove a person's access to a Web Resource, using this form:

  • Ensure the correct Person record is displayed in the Person block.
  • Select the Web Resource Grants button to display the Person Web Resource Grant block.
  • Select the web resource for which access is to be deleted.
  • Delete record.
  • Save.
  • Click on the Back button.

To copy menu, web resource, form and job Grants from one Security Role to another, using this form:

  • Ensure the recipient Security Role record is displayed in the Security Role block.
  • Select the Copy From button to display the Copy From block.
  • Execute a query in the Security Role field to locate the Security Role whose grants are to be copied.
  • Select the Copy button. The menu, form and Job Grants of the Security Role queried in step 3 will be copied to the recipient Security Role and be automatically saved.
  • Select the Reconcile Object Grants button or run SECJ0070.

Rules/Notes:

On executing the Copy function, the records copied to the recipient are automatically saved.

To display the copied Menu Grants it is necessary to re-query the Security Role Menu Grant block. Navigating to the Security Role Form, Web Resource or Job Grant blocks will automatically re-query these blocks.

 

Last Modified on 17-Aug-2015 5:06 PM

History Information

Release Information | Project | Change to Document
18.0.0.2 | 2011 - Calipso 41512 | Updated tech info link to CPC wiki site.
18.0 | 2088 - Communications Security | Added a note about the COM-TT-CR and VIEW-COMR advanced functions.
17.1 | 2010 - API Improvements (Security) | Added the WS Method Grant button and description.
16.1.0.3, 17.0.0.3, 17.1.0.2 and 18.0 | 2110 - Calypso 38937 | Added web resources to 'Copy From' instructions.
16.1.0.0.1 | 1917 - UI Consolidation | Changes throughout this help page relating to 11g menus and web resources.
15.0.0.2 | 1842 - Support Calipso 36395 | Added notes about Web Resources and Web Pages, and access to menu items.
15.0 | 1762 - CAPS - User Interface | Added details for Proposal Type button
15.0 | 1747 - 11g Product Structure | Added details for Web Resource Grants
13.0.0.2 | 1580 - Communication | Added a new Communication Categories Restrictions button and related notes.
13.0.0.2 | 1578 - CAPS part 3 | Added link to Advanced Functions page
13.0 | 1581 - Auto Encumbrances | Added a new Encumbrance Type Restrictions button and related note.
11.1.0.3 | CAPS - Pt 1 | Added new CAPS Advanced Functions
11.1 | 1448 - ESOS | Added Appeal Type Restrictions button
11.0.0.2 | 1450 - Attend Enhancements | Modified Advanced Functions section in Security Role Block Rules/Notes
11.0.0.0.0.0 | 1416 - Apprentice Management | Added references to Web pages