CSMA Security Guidelines

Table of Contents

This document contains the following topics:

Topic / See Page
Overview / 2
CSMA Users / 3
CSMA OLTP Responsibilities / 4
HDW Responsibilities for CSMA Users / 7
Value Ranges Assigned to CSMA Responsibilities / 9
Making Changes to CSMA Security / 12
Appendix A: Oracle Responsibility Naming Conventions / 14

Introduction

Since CSMA uses Oracle forms, reports, menus, and functions, CSMA security is based on the same Oracle responsibility structures used by the other Harvard Oracle financial applications (General Ledger, Accounts Payable and Receivable and Cash Management) and by Harvard’s custom data warehouse (HDW).

How CSMA security works

CSMA security controls user access to the application in the following ways:

  • Users are limited to certain CSMA application screens, forms, and actions by role (approver, requestor, or system administrator).
  • Users are limited to certain actions based on their role. For example, only users from Financial Accounting and Reporting (FAR) are able to submit requests to add, modify designated attributes, disable, or re-enable activity values in the Construction in Progress (CIP) range.
  • Within their role, users may be limited to certain segment types (ORG, FUND, ACTIVITY, SUBACTIVITY, or ROOT). Within these segment types, users may be limited by range of values to which they have been granted access.

Reports run out of the OLTP system are limited according to the segment types and range of values permitted by the user’s role.

Additional security measures

Additional security controls user access to custom CSMA reports in the HDW as follows:

  • Security is enforced only on selected reports that reference CSMA request attributes other than the value, description, and current CSMA status. Security in these reports is limited according to the segment types and range of values permitted by the user’s reporting responsibility.
  • HDW reports (developed or enhanced for CSMA) that do not reference CSMA request information, or that reference only the value, description, or current CSMA status, have been made available to any user with an active HDW reporting responsibility.

User IDs and passwords

Unlike the current CoA Maintenance Web Request system, CoA authorized requestors and approvers will access the CSMA forms and functions using the same user ID (their Harvard ID number) and password that they use to access the Oracle Applications.

CSMA will appear as a responsibility (or responsibilities, depending on the user) that the user can select from a list on their Oracle personal home page.

E-mail addresses

In order for CSMA users to receive e-mail copies of notifications¹, each user must have a valid e-mail address associated with their employee record in the Oracle employee table.

Client Services will make sure an e-mail address is entered when a CSMA user is set up. Users should notify Client Services immediately () if their e-mail address changes to ensure uninterrupted receipt of CSMA messages.

¹ Only designated notifications generate an e-mail copy; please refer to the CSMA User Guide for details on which ones do so.

Introduction

Harvard custom CSMA responsibilities will control the CSMA forms, functions, and reports that may be accessed by a CSMA user, as well as the segment types and ranges of values from which they may submit requests.

Oracle responsibility naming convention

Please refer to the Oracle Responsibilities Naming Convention matrix on pages 14-15 of this document for an overview of all Oracle naming conventions.

Example of Oracle naming convention

The names for Harvard’s custom Oracle General Ledger Responsibilities are constructed as follows:

CSMA responsibility naming convention

CSMA responsibility names will be constructed along similar lines, with two major differences:

1. Because CSMA responsibilities control access to ORG, OBJECT², FUND, ACTIVITY, and ROOT segment values (SUBACTIVITY access is derived from the parent value), the fourth section above (in our example, M4531) will reflect any segment or range limitations over and above the standard OBJECT segment restriction.

2. Since object code restrictions are standard for all CSMA tub users, the fifth segment will be used as an indication of the menu assigned to the responsibility. All tub authorized requestors will be assigned a standard requestor menu, which includes the ability to initiate requests. Approvers will be assigned a menu that does not allow access to the request submission functions.

Example of CSMA OLTP naming convention

CSMA OLTP naming conventions for tub authorized requestors will appear as follows:

² Only Client Services will have access to submit OBJECT code requests at CSMA go-live; therefore, all tub AR responsibilities will be set up to exclude this segment.

Responsibility profiles

To control user access and to direct requests to the background engines that route notifications, each CSMA responsibility will be assigned a profile “attribute.” These attributes will specifically designate certain responsibilities for allowed actions as follows:

1. FAR – Only users from Financial Accounting and Reporting will be assigned this profile, which will grant them sole access to add, update designated attributes, and disable values in the CIP activity ranges.

2. OSR – Only the GMAS feed will be assigned this profile, which will grant them sole access to add, update, and disable transactional child values in the sponsored fund, activity, and subactivity ranges.

Responsibility profile considerations

All tub authorized requestor responsibilities will be assigned the profile setting “AR” and CSMA approvers will be assigned their own code as appropriate to distinguish them from the others.

Please note: While the profile setting will prevent tub Authorized Requestors from initiating chart requests for values in the ranges noted, it will not prevent users with other profile settings from viewing or reporting on requests submitted by the OFAA or OSR-profiled responsibilities, as long as the values fall within the ranges of values allowed by their AR responsibility.

Introduction

Harvard custom HDW responsibilities for CSMA users will control the reports that may be accessed and executed by a CSMA user, as well as the segment types and ranges of values on which they may report.

HDW naming convention

Naming convention for HDW CSMA users

The names for Harvard’s custom Oracle Data Warehouse (HDW) responsibilities are constructed as follows:

HDW responsibility names for CSMA users will be constructed along similar lines with two major differences:

1. The string “HDW-CSMA” identifies all responsibilities that contain CSMA-specific reports.

2. Because HDW CSMA responsibilities secure access to org, object³, fund, activity, and root segment values (subactivity access is derived from the parent value), the third section above will reflect any segment or range limitations over and above the standard object segment restriction.

3. Since object code restrictions are standard for all CSMA tub users, the fourth section has been appropriated to indicate the segments that may be reported on using the responsibility.

³ Only Client Services will be allowed to submit object code requests at CSMA go-live; therefore, all tub AR responsibilities will be set up to exclude this segment.

Example of HDW CSMA naming convention

The HDW CSMA naming convention for tub authorized requestors will appear as follows:

Introduction

CSMA uses the same flexfield security rule (FSR) functionality employed by Harvard’s other Oracle financial applications to secure the CoA segments and ranges of segment values that may be submitted or reported upon by CSMA users.

CSMA flexfield security rules

Each CSMA responsibility will be assigned five flexfield security rules, one for each CSMA-independent segment type (org, object, fund, activity, and root). All tub authorized requestor responsibilities will be assigned an OBJECT FSR that excludes all values in the object segment ranges. The other segment restrictions will be determined by the range of values to be allowed by an individual CSMA Tub Authorized Requestor responsibility.

Assigned ranges across responsibilities

In order to accommodate CSMA back-end processes that forward notifications to tub ARs when a request is initiated by an approver (RSO or OFAA) against a value in that tub AR’s range, each CSMA FSR assigned to a CSMA Tub Authorized Requestor responsibility must represent a unique range of values that has not been assigned to any other CSMA AR responsibility.

Tub Authorized Requestor responsibilities example

Suppose a tub has the following two authorized requestors:

User A: can only request faculty root values for that tub

User B: can request a value from any tub-owned segment or range including faculty root values.

The CSMA Tub Authorized Requestor responsibilities for that tub would be set up as follows:

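Responsibility / Segment FSRs Assigned / Segment Ranges Allowed by FSR
HRVD^CSMA^TUB^FacRoot^Req / ORG / None
HRVD^CSMA^TUB^FacRoot^Req / OBJECT / None
HRVD^CSMA^TUB^FacRoot^Req / FUND / None
HRVD^CSMA^TUB^FacRoot^Req / ACTIVITY / None
HRVD^CSMA^TUB^FacRoot^Req / ROOT / Only faculty roots
HRVD^CSMA^TUB^AllNoFacRoot^Req / ORG / Tub org range
HRVD^CSMA^TUB^AllNoFacRoot^Req / OBJECT / None
HRVD^CSMA^TUB^AllNoFacRoot^Req / FUND / Tub fund ranges
HRVD^CSMA^TUB^AllNoFacRoot^Req / ACTIVITY / Tub activity ranges
HRVD^CSMA^TUB^AllNoFacRoot^Req / ROOT / Bldg roots and parents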

User A would only be assigned one CSMA responsibility: HRVD^CSMA^TUB^FacRoot^Req

User B, on the other hand, would be assigned two responsibilities:

HRVD^CSMA^TUB^FacRoot^Req and

HRVD^CSMA^TUB^AllNoFacRoot^Req

And User B would need to select the appropriate responsibility depending on the value for which they were going to submit a request.

Parent ranges

Appropriate ranges of parent values, derived from the child ranges, will be assigned to CSMA responsibilities via the segment FSRs. As with the child values, parent ranges must be uniquely identified with a single CSMA Tub Authorized Requestor responsibility.

In addition to the standard financial parent ranges (super, mega, giga, tera)⁴, each tub has been assigned a range of allocation parents⁵. While relatively few tubs have received approval from General Accounting to create and run the Oracle standard mass allocations that would use allocation parents, ranges of these values for each segment except tub, object, and subactivity have been assigned to each tub in anticipation of that need.

FSR naming convention

CSMA-associated flexfield security rules will adhere to the following naming convention:

⁴ The mega, giga, and tera ranges will only be set up for the org segment. Financial parents for the fund, activity, and root segments only go as high as the super-parent level.

⁵ Harvard has designated a small subset of parent values for use with certain mass allocation functions in the General Ledger. These parent values, which begin with the letter “A,” are not used, as in the financial parent structure, as part of a hierarchical roll-up: instead, they are used to identify and group individual values that participate in specific mass allocations. The “child” values reporting to the Allocation parents do not necessarily form part of a contiguous range of values, and in fact may have very little in common with each other, other than the fact that they participate in the same mass allocation.

Introduction

The primary tub authorized requestor may submit changes to Users, Responsibilities, and Ranges of Values, as follows.

Making user changes

For existing Oracle users: To add or delete a CSMA responsibility for an existing Oracle user,.

For new Oracle users: To add a new Authorized Requestor who does not yet have an Oracle user ID, please email the completed Authorized Requestor Request form as above and note on it the date on which the User Security form that established the employee as an Oracle user was sent to Client Services ().

Changing user responsibilities

Because CSMA responsibilities are based on the organization of tub Authorized Requestors and the ranges of tub values assigned to them, most changes to CSMA responsibilities will imply changes to these structures. Therefore, the best way to communicate these changes is via the Authorized Requestor Request form. Client Services will evaluate the changes you have proposed on that form and will contact you to confirm the CSMA security changes that will be necessary to implement your request.

Changing ranges of values

Moving tub ranges between CSMA responsibilities:

As above, changing ranges assigned to your tub’s CSMA responsibilities implies changes to the structure and range assignments for your Authorized Requestors. These changes should be communicated to Client Services via the Authorized Requestor Request form.

Adding new ranges:

Ranges of org, fund, activity, and root values were assigned to each tub during the implementation of the Oracle financial systems. These ranges are reflected in more system areas than just CSMA FSRs and validation tables. They are stored in cross-validation rules, parent hierarchies, transactional and reporting security, and elsewhere throughout the Oracle systems. Therefore, changes to these range assignments must be evaluated for impact to these various areas on a case-by-case basis.

Because of the individual nature of these changes, Client Services has not developed a formal request process for adding new ranges; rather, the primary Tub Authorized Requestor should initiate discussions by forwarding details on the proposed new range (including the segment, beginning and ending values for the range, and a brief description of the reason for the request) to Client .

Oracle Responsibility Naming Conventions
Application / Custom / Application / Tub / Segment(s) or CSMA Range(s) / Obj Code or CSMA Segment(s) / Other
GL / HRVD / GL / Tub Name / Org(s) or Parent Org Value / Obj Code
BUD / HRVD / BUD / Tub Name / Org(s) or Parent Org Value / Obj Code
AR / HRVD / AR / Tub Name / Org(s) or Parent Org Value / Obj Code / Role (INV or COL)
HDW / HDW / Tub Name / Segment Identifier(s) (Org, Fund, Act, Root) + Segment or Parent Value(s) / Obj Code / Access Flag(s)
HCOM/WVR / Tub Name^Number / ORG(s) or Parent Org Value
CSMA / HRVD / CSMA / Tub Name / CSMA Range(s) / Role (Req or Appr)
HDW-CSMA / HDW-CSMA / Tub Name / CSMA Range(s) / CSMA Segment Identifier(s) (Org, Fund, Act, SAct, Root) / Access Flag (C)

Oracle Responsibility Naming Conventions Examples
GL / HRVD^GL^CADM^55632^BIE
GL / HRVD^GL^CADM^S5563^BIE
BUD / HRVD^BUD^CADM^55630^IE-S
BUD / HRVD^BUD^CADM^M5630^IE-S
AR / HRVD^AR^CADM^M5563^R^INV
AR / HRVD^AR^CADM^M5563^R^COL
HDW / HDW^CADM^O55632^BIE^PS
HDW / HDW^CADM^OM5563,F414510^BIE^PSH
HDW / HDW^CADM^OS5563,R65231^IE-S^SH
HCOM/WVR / CADM^610^55672
CSMA / HRVD^CSMA^CADM^VPF^Req
HDW-CSMA / HDW-CSMA^HMS^ALL^OFASR^C
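
When reviewing which responsibilities a user holds, the CSMA and HDW-CSMA rows of the matrix above can be turned into a small parser that labels each field and rejects names that do not fit the convention. This is an added example, not code from the original guidelines: the function name and returned field names are hypothetical, and the one-letter segment codes are an assumption read off the matrix order and the sample value "OFASR".

```python
# Assumption: one letter per segment in the HDW-CSMA identifier field, in the
# matrix order Org, Fund, Act, SAct, Root (as in the sample value "OFASR").
SEGMENT_LETTERS = {"O": "ORG", "F": "FUND", "A": "ACTIVITY",
                   "S": "SUBACTIVITY", "R": "ROOT"}
ROLES = {"Req": "requestor", "Appr": "approver"}


def parse_responsibility(name):
    """Split a CSMA or HDW-CSMA responsibility name into labelled fields.

    Raises ValueError for names that fit neither layout, so a review of
    assigned responsibilities can list them as exceptions."""
    parts = name.split("^")
    if len(parts) != 5 or not all(parts):
        raise ValueError(f"expected five non-empty '^' fields: {name!r}")

    # OLTP layout: HRVD ^ CSMA ^ tub ^ range(s) ^ role
    if parts[:2] == ["HRVD", "CSMA"]:
        tub, ranges, role = parts[2:]
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r} in {name!r}")
        return {"application": "CSMA", "tub": tub, "ranges": ranges,
                "role": ROLES[role]}

    # Reporting layout: HDW-CSMA ^ tub ^ range(s) ^ segment letters ^ flag
    if parts[0] == "HDW-CSMA":
        tub, ranges, seg_ids, flag = parts[1:]
        repeated = len(set(seg_ids)) != len(seg_ids)
        if repeated or set(seg_ids) - set(SEGMENT_LETTERS):
            raise ValueError(f"bad segment identifiers {seg_ids!r} in {name!r}")
        if flag != "C":
            raise ValueError(f"unexpected access flag {flag!r} in {name!r}")
        return {"application": "HDW-CSMA", "tub": tub, "ranges": ranges,
                "segments": [SEGMENT_LETTERS[c] for c in seg_ids],
                "access_flag": flag}

    raise ValueError(f"not a CSMA or HDW-CSMA responsibility: {name!r}")


if __name__ == "__main__":
    for sample in ("HRVD^CSMA^CADM^VPF^Req", "HDW-CSMA^HMS^ALL^OFASR^C"):
        print(parse_responsibility(sample))
```

Names from the other applications in the matrix (GL, BUD, AR, HDW, HCOM/WVR) are rejected on purpose, because only the two CSMA layouts are modelled here.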