Atlas User Access Standards

1.  This document explains user access to UNDP’s ERP (Enterprise Resource Planning) system, hereafter referred to by its application name Atlas. This administrative software package is comprised of several specialized and fully integrated applications/systems: Financial System, Human Resources System, and all modules within these systems.

2.  The integrated Atlas software system supports data processing worldwide. Access to Atlas is restricted to UNDP staff and designated SC holders whose official duties require such access. The UNDP staff member’s department head (Resident Representative or authorized delegate for field offices) is responsible for determining that Atlas access is required to perform official duties and that Atlas access is updated or terminated as necessary. UNDP staff are not permitted to obtain an Atlas user account to transact or maintain data outside the scope of their job duties. UNDP staff granted an Atlas user account must abide by the ICT Resources Use policy.

Confidentiality

3.  Atlas users agree to confine their use of all information in the UNDP records, and to which UNDP has not given public access, solely to purposes connected to the execution of the related task(s). ERP users agree in particular not to disclose any information in UNDP records to which they are given access, but that is not publicly available, to anyone except persons authorized by statute to receive such information and the appropriate authorities at UNDP and other persons designated by those authorities. ERP users understand that any violation of this agreement on their part will result in the immediate termination of their access to UNDP's confidential records and potentially other administrative actions as per UNDP policy.

Scope

4.  This policy applies to every UNDP department.

Governance

5. The UNDP Chief Information Security Officer (CISO) and the UNDP Comptroller enforce the Internal Control Framework (ICF) and Atlas access utilizing third-party tools, auditing techniques, and other applicable methods. The Oversight – Business Transaction Activity Monitoring tool is used for real-time transaction monitoring and permissions validation. Any special rights which might not be in line with the ICF, such as Super User accounts and access to multiple business units, must be cleared through department heads and also verified and approved by the appropriate and impacted business units as well as the CISO.

Atlas Permissions

6.  ARGUS (Atlas Role Generation & User Provisioning System) controls access profile requests and permissions for the Atlas application. UNDP departments and field offices have designated ARGUS requesters and approvers for Atlas access rights. ARGUS allows access based on predetermined roles and profiles that have been developed after careful consideration and classification of user and department duties. ARGUS approvers will verify the proper approvals are in place and submit the request within the ARGUS system for processing and provisioning.

7.  Please note that the ARGUS system processes profile requests as overrides to existing profile settings. The ARGUS system does not apply changes to profiles retroactively. For more information on the ARGUS system please refer to the ARGUS User Guide.

8.  All requests for UNDP staff access to Atlas require authorization from a department head and must be raised via the ARGUS system. For any requests that do not conform to the roles supported by ARGUS, or for any special requests, approval must be obtained by OFA and the request must be processed by the department head. Subsequently, a request must be submitted to

Customized Screen Access

9. Atlas user accounts may include the ability to view and update data in one or more of the various PeopleSoft application areas. Access is role-based and specific screen access is determined by the UNDP staff member’s department head. If a staff member's job duties require the use of screens beyond the standard setup for an application area, the request must be adequately justified and may require that the Atlas Security Team obtain additional approvals from the impacted areas before processing the request.

Specialized HQ Roles

10. Specialized HQ Profiles exist in the following areas: Treasury, Accounts, General Operations, Sourcing and Operations Office, and Information Management and Technology Office (Atlas development users, Help Desk users, and third-party users, such as UN Information and Computing Center or other vendors). Permissions are assigned by the Atlas Security Team.

Vendor Consultant Access

11. Temporary staff members such as vendor consultants whose duties require access to Atlas may be granted short-term access for a specified period. If temporary access needs to be extended or terminated before the access period expires, the department head is responsible for submitting a request to the Atlas Security Team via the email system. Vendor consultants and consultants are generally not permitted approval rights in Atlas, but any permissions must be approved by the Chief Information Security Officer (CISO).

Atlas Quality Assurance and Testing

12. Atlas user accounts may optionally have access to the test environment. This access will normally be identical to the access provided in the production environment. The UNDP staff member’s supervisor will need to identify when access to the test environment is required.

Business Units

13.  UNDP staff members can only update data pertaining to their business unit. UNDP staff members may access multiple business units only if their specific duties require it and upon approval by the Department Head and the Office of Finance and Administration.

Interns

14.  Interns are not permitted approval rights in Atlas.

Non-UNDP Staff

15.  The Atlas External access module provides limited functionality and has been developed to give Atlas access to partners and other non-UNDP staff. The External Access system (a module in Atlas) is used to create external users in Atlas.

16.  When any functionality above and beyond that afforded by the Atlas External access module is required for non-UNDP staff, authorization of the appropriate department head (RR or authorized delegate for field offices) is required for each application area in Finance to which access is requested. All such requests need to be explicitly forwarded for approval by the Department Head or Resident Representative. Upon approval by him/her, the request needs to be forwarded to the business owner of External Access, currently the Center for Business Solutions, with justification for approval (forward to ). All such requests need to be of limited duration and the end of the access needs to be clearly stated on the request submission.

Note: Atlas user accounts do not include PeopleSoft Administrator accounts (e.g. UNICC).

Reporting

17. Reporting access privileges are granted through, and are native to, the above-mentioned Atlas security profiles. The Atlas Security Team is responsible for granting, administering, and revoking access rights to Atlas Query Manager using the predefined approval mechanisms.

User Access Guidelines

Establishment of Atlas User Accounts

18. Once a request is approved, the ARGUS Security System automatically establishes an Atlas user account based on the pre-defined profiles in Atlas. The Atlas user name and password are emailed automatically by ARGUS once the user profile has been created in Atlas. It is the responsibility of each staff member to reset the original password and ensure that they retain exclusive control of their user name and password at all times in accordance with the UNDP ICT Usage and Password Policies.

Sharing of Atlas User Accounts

19. Each UNDP staff member must have a unique user name in order to access Atlas. Staff members are not permitted to share usernames or log in to the system using another individual’s password and access code. UNDP staff members filling a vacant position should never be given another staff member’s access or a previous staff member's access codes. Likewise, vendor consultants and interns are not permitted to access Atlas using a UNDP staff member's ERP user account.

Password Expiration Guidelines

20. New Atlas users will have to change their original password upon signing on to the system. Subsequently passwords on all ERP user accounts automatically expire every 60 days as per the ICT Usage policy. Ten prior to the expiration date, users are directed to an Atlas webpage prompting them to change their password.

Inactive Atlas User Accounts

21. Atlas user accounts are automatically deactivated for non-use every 180 days. Prior to the planned deactivation date, users will receive an e-mail notification. Once an Atlas user account has been deactivated, the staff member's department head will need to request a new user account for the staff member if Atlas access is required at a later date.

Staff Transferring to another Position within a Department

22. The department head is responsible for reviewing a staff member's Atlas access if the staff member transfers to another position within the same department and for ensuring that appropriate requests are submitted to change or cancel the staff member's existing Atlas account. Requests to change or cancel the staff member’s existing access to Atlas are processed directly via the ARGUS system.

Employees Transferring to another Department or Division

23. If a staff member transfers to another department or division at UNDP, the current department head is responsible for processing the request via the ARGUS system to cancel the staff member's existing Atlas user account. If Atlas access is required in the new position, the staff member's new department head is responsible for submitting a request for a new Atlas user account.

Exiting Staff Members

24. UNDP staff members who are terminating employment at UNDP will be required to sign out through the Office of Human Resources as part of the exit process prior to their last day of employment. Requests to remove (suspend) an account should be processed via the authorized ARGUS requesters through the ARGUS system as expeditiously as possible.

Segregation of Duties and Role Allocation

25.  The UNDP Internal Control Framework (ICF) is the governing document for allocation of roles and responsibilities to individual staff members. These roles should be allocated in such a way that conflicts of interest are deterred and common accounting rules are applied. The UNDP Chief Information Security Officer (CISO) in association with the UNDP Comptroller determines the allocation of roles in a way that the ICF is enforced and no conflicts arise.

26.  The ICF outlines a segregation of duties to minimize the risk of fraud and to promptly detect fraud. These requirements include (unless otherwise agreed to by the Director, Office of Finance Resources and Management):

a)  Staff should have only one Atlas profile, consistent with defined roles

b)  ARGUS should be used to create/revise/delete Atlas profiles for staff and contractors. ARGUS enforces the requirement that each staff member can have only one Atlas profile (General User, Finance/Treasury, Buyer, Manager Level 1, Manager Level 2, Senior Manager, etc.). This ensures that staff who approve non-PO payment vouchers (Approving Managers) cannot create non-PO payment vouchers (Finance/Treasury) and staff who create POs (Buyers) cannot approve POs (Approving Managers)

c)  ARGUS allows combining Project Manager and Approving Manager profiles for staff that are required to approve purchase orders and requisitions (but not on the same transaction). In most offices, only 3-4 staff will have both profiles, such as the RR, DRR, Country Director, and Disbursing Officer

User Roles

27.  A user profile refers to a business/functional role or a work stream. Functions/roles do not fundamentally change, but employees do. Employees move from business role to business role in one location or the other. A user profile is a prescribed static grouping that can be easily identified for a new or different employee in any location. Once identified, a user profile in PeopleSoft security terms becomes simply the “name” of that person.

28.  Every Atlas user has a profile. This profile is assigned to the user at the time of the user setup within Atlas. This is how the system views that person and what security roles he or she has been allowed.

29.  The underlying principle for managing user profiles is to keep the concept simple. It is also important to adhere to the Internal Control Framework, which does not include a detailed list of roles/permissions for each profile. The ICF describes minimum requirements for segregation of duties and how this is achieved via Atlas profiles. The concept is unique and is not the standard approach of PeopleSoft, the underlying ERP for Atlas, to defining User Profiles. At a detail or system level, there are many security roles (the add/update/display/correct permissions in PeopleSoft), but these are grouped into Profiles. A Profile may contain multiple PeopleSoft Roles and some roles may be assigned to different profiles.

30.  There are several key influences on the structure of the profiles and their assignment to the Atlas users, which are derived from the Internal Control Framework Guideline.

a)  The separation of duties between creating and approving functions: i.e., a user cannot raise a PO and make the approval of the payment

b)  The separation of duties between Vendor Maintenance and payment approval

c)  The separation of duties between Buyer functions basically related to Vendors (maintenance and update) and approval of Vendors

d)  The separation of duties between the HR functions and Position administrator functions

31.  While working with ARGUS during new user creation and modification of existing users, users should notice the rules that enforce adherence to Internal Control Framework v.3. In short, a user can be assigned only one basic FIN profile. HR differs slightly in that multiple profiles can be selected. However, selecting the HR Manager profile will not allow you to select other profiles, and vice versa.

32.  The latest mapping of Atlas profiles to PeopleSoft business processes is given in Appendix A. Please refer to this for more information on the access assigned to each profile. This mapping is continuously reviewed from different perspectives and updated. Every time an updated mapping is available, ARGUS uses that mapping and this User Guide is updated accordingly.

33.  Please refer to the link on Atlas Profiles Capabilities on the ARGUS pages. Clicking on this link will open an Excel spreadsheet listing the various Atlas Profiles and their capabilities with respect to Atlas access for every business process.

Definition of Roles and Corresponding Profiles

34.  The ICF is structured around roles. Roles correspond generally to Atlas profile types, but they do not map one-to-one. Three of the roles – project manager, approving manager, and operations manager – also exercise an authority for UNDP expenditure transactions. The requirement for three authorities is considered especially important from an internal control perspective. Additionally, there are profiles for HQ and for CO locations. The following table maps typical correspondences between ICF-defined roles and Atlas profiles. Note that exceptions occur (and are allowed) based on organization size, external access requirements, or other circumstances. Please refer to the matrix below on the “User Roles and Atlas Profiles” based on the Operational Guidelines to ICF (2013 version).