Enterprise Application Services (EAS) Application Access Policy

Policy Purpose and Benefit

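The purpose of this Policy is to govern employee access to the University's online business applications. The Policy ensures that employee login and access needs are authorized and granted in a legitimate, documented manner. When this Policy is followed, the risk that unauthorized access and inaccurate or misused data pose to the University's business operations and reporting is reduced.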

Applications Governed by this Policy

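  1. This Policy applies to employee access to all current and future enterprise administrative software applications.
  2. Banner is the University's primary administrative application. Banner Modules include Recruit/Admissions, Student, Financial Aid, Accounts Receivable, Advancement, Human Resources / Payroll, Finance / Grants, and General.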

Other Policies

Other policies have a direct bearing on application access: Banner Data Acceptable Use Policy, Password Policy, and Requirements for Secure Computing.

Access Request Forms

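  1. This Policy is enforced through position-based provisioning or Access Request Forms. Benefited positions have the appropriate access stored with the position. Access is granted automatically when an employee is hired. Access is removed when the employee leaves or transfers to another position. New benefited positions require review by the Data Steward to determine the appropriate access. Once approved, the access is stored with the new position. All other positions require an Access Request Form.
  2. There are two types of Access Request Forms. User Access Request Forms are used to create, terminate, or reinstate employee logins to applications. Module Access Request Forms are used to define, or redefine, the detailed scope of application access given to employees according to their job duties.
  3. The content of Access Request Forms varies by application, but all share a common, easy to use format. For applications closely connected to Banner, such as BDMS and Data Transfer, the Banner Module Access Request Form is used to request access.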
  4. For more information regarding access, visit Access Request Forms.

Requirements for User Login Access

Two requirements must be met before a User Access Request Form is submitted to EAS. The employee must have a signed Confidentiality Obligation on record.

Department Responsibilities

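  1. Departments are responsible for the content and usage of the University’s business data that is entrusted to their individual missions; therefore, departments are responsible for initiating the Access Request Form workflow.
  2. Signatories who shall progressively complete, approve, and sign the Access Request Form are the Department Manager, the Division Head/Budget Officer, and additionally for Module Access Request Forms, the Module Signatory.
  3. The Department Manager is the supervisor of the employee for whom the Access Request Form is being submitted. The Department Manager shall complete, or review, the Employee User Information, the Module access details, and sign the Access Request Form.
  4. The Division Head/Budget Officer is responsible for verifying that the requested access is appropriate for the employee's job duties. The Division Head/Budget Officer shall approve the Department Manager's request and sign the Access Request Form.
  5. The Data Steward/Module Signatory is employed by the Department responsible for the Module's data and is responsible for approving all requests for access to the Module's data. After the Module Access Request Form has been signed by the requesting department's Department Manager and Division Head/Budget Officer, the Module Signatory shall review the requested Module access details, determine the appropriate security classes to be given, and sign the form.
  6. For Banner Finance / Grants Module Access Request Forms, if viewing grants is required, the Grant Principal Investigator shall approve the Department Manager's request and sign the form.
  7. For Banner Human Resources / Payroll Module Access Request Forms, if accessing master organizations is required, the Director of Human Resources shall also sign the form.
  8. Questions regarding Module access may arise between the requesting department's signatories and the Module Signatory. Access issues shall be resolved by the requesting department and the department responsible for the Module's data.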

EAS Responsibilities

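  1. EAS shall follow Identity Management guidelines to grant and document authorized access to administrative applications. See the section below, “Understanding Identity Management.”
  2. The EAS Staff shall process only Access Request Forms that have been completed and signed by all applicable department signatories. For Module Access Request Forms, the employee shall be given only the security classes listed by the Module Signatory. The ERP Training and Support Specialist shall sign and image each processed Access Request Form.
  3. To reduce the risk of security incidents, the EAS Assistant Vice President shall approve and allow only authorized personnel to access the servers that store the University's proprietary application source code.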

Understanding Identity Management

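  1. Identity Management (IdM) is an IT methodology whose goal is to facilitate and control employee access to critical online applications.
  2. In IdM, the term “identity” refers to more than an employee's login identity. IdM also defines software identities, such as reports, processes, and forms, and service identities, such as security classes. See the section below, “Understanding Security Classes.”
  3. Authorized access is controlled by the software and service identities that have been assigned to a given employee login identity.
  4. A key feature of IdM is the use of a centralized directory for storing these identity sets. The EAS IdM Directory is physically stored in the Banner application and is updated from Access Request Forms. The EAS IdM Directory can be conveniently queried at any time to report the current number of employee logins and their currently assigned security classes.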

Understanding Security Classes

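Security classes define a specific scope of Module data access, for example, “access to update Banner Student Registration.” A given security class can be assigned to a group of employees who share common job duties, for example “maintain Registration data.” Thus, security classes promote efficient administration of access because they do not have to be repeatedly created for each individual user.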

Policy reviewed June 2020 by Rohini Ananthakrishnan.