In order to perform job duties, it is often necessary for an employee to have the ability to obtain information from central campus financial systems. When appropriate for the job functions, the ability to enter transactional data or to approve transactions for processing and recording may also be required.
Sound business practices and strong internal controls call for all system users to understand the responsibilities associated with system access. Systems are typically designed with a variety of roles with each one providing specific permissions. For example, one role may allow the ability to view data and generate reports, while another role may grant access to edit data. It is important that system users, their managers, and the Department Security Administrators have an understanding of the capabilities associated with specific roles.
When an employee’s job duties require access to a central campus financial system, a process for requesting, reviewing, approving, granting and maintaining access is needed. Departmental DSAs are responsible for implementing a standardized process for their units using the responsibilities and tools below for guidance.
Responsibilities
REQUESTING ACCESS
Employee Responsibilities:
- Recognize job duties that require the need to view system information or to execute transactions
- Submit a request to their supervisor specifying the business need for particular access to a system
- After the request is approved and the access is granted, obtain training or other instruction on how to appropriately use the system access to perform job duties
- Notify their supervisor when a system role is no longer needed
- Understand and act within campus and university data handling policies
APPROVING ACCESS
Supervisor / Manager Responsibilities:
- Recognize that an employee’s job duties require the need to view system information or to execute transactions
- Determine which system role and its corresponding permissions are appropriate for the employee’s job duties
  - As a best practice, the role granted to the employee should not have permissions beyond what is needed for the assigned job duties. For example, an employee who needs to view accounts payable transactions should not be granted unnecessary privileges to edit voucher data
- Consider whether granting system access will conflict with system access for other assigned duties
- Maintain separation of duties so that the transaction-based roles of requestor, approver, and implementer are independent and not performed by the same individual
  - For example, no employee should have sufficient system access that enables them to be the sole individual to execute a transaction from start to finish
  - If separation of duties cannot be achieved, mitigating controls must be in place
- Submit a request to the Department Security Administrator (DSA) specifying why system access is needed and that the access is approved
- Provide the employee with the training and other instruction on how to appropriately use the system access to perform their job duties
- Establish and execute effective oversight of activities and transactions to mitigate identified risks
- Periodically review each employee’s system access roles for appropriateness
- Notify the Department Security Administrator (DSA) when an employee’s role or access to a system should be deleted due to separation from the University or a change in job duties
- Understand and act within campus and university data handling policies
IMPLEMENTING AND MANAGING ACCESS
Department Security Administrator (DSA) Responsibilities:
Implementing
- Develop a standardized process for requesting, approving, and granting access
- Receive requests for individuals to be granted particular roles in a system
- Based on general knowledge of the employee’s job duties, consider whether the requested role(s) and corresponding privileges are appropriate
- Consider whether granting system access will conflict with other system access
- Ensure requests document justification of the business need
- Direct questions regarding appropriateness and possible separation of duties conflicts to the employee’s supervisor or manager
- Ensure requests are approved by the employee’s supervisor or manager
Managing
- On a periodic basis but no less frequently than once a year, review system access reports with supervisors and managers to identify:
  - Users with conflicting roles or administrative roles
  - Users who are submitting and approving the same transaction
  - Active users who have separated from the university
- Take proactive steps to administer updates/changes to the role assignments for departmental employees
- Maintain records that document changes to access rights and their related approvals
- Follow the best practice that a DSA’s job responsibilities do not require access to the central campus systems for which they administer user privileges
  - If an exception is needed to grant access to themselves, ensure supervisor or manager approval is documented
  - Periodically review their own system roles with immediate supervisor or manager and obtain signed approval for continued access
- Understand and act within campus and university data handling policies
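The periodic access review above names three conditions to look for. The following is an added example, not part of this guidance or any campus system, of how a DSA could run those checks mechanically over exported data; the role names, the conflicting-role pair, the HR roster and the transaction log are all constructed for illustration.

```python
"""Access-review checks over constructed role, HR and transaction exports."""
from collections import defaultdict

# Constructed sample data: which roles each user holds in the financial system.
ROLE_ASSIGNMENTS = {
    "alice": {"AP_VIEW"},
    "bob":   {"AP_ENTRY", "AP_APPROVE"},   # holds both halves of a conflicting pair
    "carol": {"AP_APPROVE"},
    "dave":  {"AP_ENTRY"},
    "erin":  {"AP_VIEW"},                 # separated employee whose account is still active
}
# Assumed role pairs that one person must not hold together (separation of duties).
CONFLICTING_ROLE_PAIRS = [("AP_ENTRY", "AP_APPROVE")]
# Constructed HR roster export: user -> employment status.
HR_STATUS = {"alice": "active", "bob": "active", "carol": "active",
             "dave": "active", "erin": "separated"}
# Constructed transaction log: (voucher id, action, acting user).
TRANSACTIONS = [
    ("V100", "submit", "dave"), ("V100", "approve", "carol"),
    ("V101", "submit", "bob"),  ("V101", "approve", "bob"),
]

def conflicting_role_users(assignments, pairs):
    """Users who hold both roles of any conflicting pair."""
    return sorted(user for user, roles in assignments.items()
                  if any(a in roles and b in roles for a, b in pairs))

def self_approved_transactions(transactions):
    """(transaction, user) pairs where the same user both submitted and approved."""
    actors = defaultdict(lambda: {"submit": set(), "approve": set()})
    for txn, action, user in transactions:
        actors[txn][action].add(user)
    return sorted((txn, user) for txn, acts in actors.items()
                  for user in acts["submit"] & acts["approve"])

def separated_but_active(assignments, hr_status):
    """Users with roles whose HR status is not active (unknown users are flagged too)."""
    return sorted(user for user in assignments
                  if hr_status.get(user, "unknown") != "active")

def access_review(assignments, pairs, transactions, hr_status):
    """Run all three checks and return the findings for the review meeting."""
    return {
        "conflicting_roles": conflicting_role_users(assignments, pairs),
        "self_approved": self_approved_transactions(transactions),
        "separated_active": separated_but_active(assignments, hr_status),
    }

if __name__ == "__main__":
    for finding, hits in access_review(ROLE_ASSIGNMENTS, CONFLICTING_ROLE_PAIRS,
                                       TRANSACTIONS, HR_STATUS).items():
        print(finding, hits)
```

Each finding is a starting point for the supervisor conversation, not a verdict: a flagged role pair may be covered by a documented mitigating control, which the review should then confirm still exists.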