Financial Records System Manual

Chapter 23 - System Security: How Do We Control Access to All of This?
The purpose of security is to allow the University to restrict operator access to specific General and Subsidiary Ledger accounts. Each account carries a security code made up of a combination of codes or attributes, which are established when the account is created. When data for an account is requested, the security system checks the operator's security code values against the security code values on the account and determines whether the operator may access or update the account. If a user attempts to access an account outside their security setup, access is denied and a message is displayed.

The components of the security code are:

  1. Division
  2. School (or College)
  3. Department
  4. Sub-department
  5. Executive Level (or Vice President)
  6. Fund Group
  7. Account Purpose
  8. User Security

Each operator has a single security code entered on the Operator's Security Record. This code may be viewed on Screen 880.

The security code may contain a masking character (an asterisk, *). The asterisk acts as a "wild card": any character in that position is a match.

Examples:

    Operator  Division  School  Department  Sub-dept.  Exec. Level  Fund Group  Acct. Purp.  User Security
    0100      **        **      *****       **         **           **          **           ******
    0101      **        **      13***       **         **           **          **           ******
    0102      **        **      1372*       **         **           **          **           ******
    0103      **        **      1372*       **         **           **          **           JSmith
    0104      **        **      2028*       **         **           **          **           ******
    0105      **        **      *****       **         **           **          **           ******
    0106      **        **      *****       **         **           53          **           ******

    Account   Division  School  Department  Sub-dept.  Exec. Level  Fund Group  Acct. Purp.  User Security
    130267    **        10      1001*       **         E*           13          **           ******
    131300    **        13      1301*       **         E*           13          **           ******
    136598    **        13      1372*       **         E*           13          **           JSmith
    227290    **        13      1372*       **         E*           22          **           ******
    228880    **        20      2028*       **         F*           22          **           ******
    539447    **        20      2033*       **         F*           53          **           ******


  1. Operator 0100 (General Accounting) has access to all accounts, as this operator's security is set up with asterisks in every field.

  2. Operator 0101 (Dean's Office - Engineering) has access to accounts 131300, 136598 and 227290, as the operator's security value for department matches the department values on these accounts.

  3. Operator 0102 (Civil Engineering Operator A) has access to accounts 136598 and 227290, as the operator's security value for department matches the department values on these accounts.

  4. Operator 0103 (Civil Engineering Operator B) has access to account 136598 only. The operator's security values for department AND User Security match the values on this account. Although the department value for account 227290 matches, the operator is denied access because the User Security values do not match.

  5. Operator 0104 (Computer Center) has access to account 228880 as the values for department match.

  6. Operator 0105 (Provost's Office) has access to accounts 130267, 131300, 136598 and 227290, as the values for Executive Level match.

  7. Operator 0106 (Contracts and Grants Office) has access to account 539447 as the values for fund group match.
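The matching rule behind these results can be written down and checked against the table. The sketch below is an added example, not FRS code: the function and field names are hypothetical, and the rule that an asterisk masks a position only when it appears in the operator's code is inferred from item 4, where operator 0103 (JSmith) is denied an account whose User Security is all asterisks.

```python
# Field order follows the example table above.
FIELDS = ("division", "school", "department", "sub_dept",
          "exec_level", "fund_group", "acct_purpose", "user_security")

def parse(row):
    """Split one table row into (id, {field: value})."""
    ident, *values = row.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields: {row!r}")
    return ident, dict(zip(FIELDS, values))

def field_matches(op_value, acct_value):
    # '*' is a wild card only on the operator side. An asterisk stored on the
    # account matches nothing but an operator asterisk (inferred from item 4:
    # JSmith vs ****** is a denial).
    return len(op_value) == len(acct_value) and all(
        o == "*" or o == a for o, a in zip(op_value, acct_value))

def may_access(op_code, acct_code):
    """Every one of the eight fields must match for access to be granted."""
    return all(field_matches(op_code[f], acct_code[f]) for f in FIELDS)

# Rows copied from the example table. Operator 0105 is left out because its
# row is printed with asterisks in every field, the same as operator 0100.
OPERATORS = dict(parse(r) for r in """
0100 ** ** ***** ** ** ** ** ******
0101 ** ** 13*** ** ** ** ** ******
0102 ** ** 1372* ** ** ** ** ******
0103 ** ** 1372* ** ** ** ** JSmith
0104 ** ** 2028* ** ** ** ** ******
0106 ** ** ***** ** ** 53 ** ******
""".strip().splitlines())

ACCOUNTS = dict(parse(r) for r in """
130267 ** 10 1001* ** E* 13 ** ******
131300 ** 13 1301* ** E* 13 ** ******
136598 ** 13 1372* ** E* 13 ** JSmith
227290 ** 13 1372* ** E* 22 ** ******
228880 ** 20 2028* ** F* 22 ** ******
539447 ** 20 2033* ** F* 53 ** ******
""".strip().splitlines())

def accessible(operator):
    """Accounts the given operator may access, in table order."""
    code = OPERATORS[operator]
    return [acct for acct, a in ACCOUNTS.items() if may_access(code, a)]

if __name__ == "__main__":
    for op in OPERATORS:
        print(op, accessible(op))
```
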

A second element of security is screen security. Operators may be given access to some or all of the screens, thereby controlling the type of information and the input capabilities of a particular operator. Three levels of access can be defined.

    A     Allow (Inquiry and Input)
    I     Inquiry Only
    D     Deny

Each screen or group of screens can be coded to allow or disallow access to it.

The typical campus user might be set up with the following access:

1. A007 Input User Option Subcodes
2. A010 Input Budget Transactions
3. A011 Input Encumbrances
4. A014 Input Journal Entries
5. A030 Open and Close a Batch
6. A09B Departmental Attributes
7. I0** Inquiry to All Other 000 Level Screens
8. A1A2 Vendor Search
9. I1A3 Inquiry to AP Vendor Data
10. I113 Inquiry to Vendor Analysis
11. I114 Inquiry to Outstanding Checks
12. I115 Inquiry to Outstanding Vouchers
13. I118 Inquiry to Invoice List
14. D1** Denied Access to All Other 100 Level (Accounts Payable) Screens
15. I1A4 Vendor Remit to Address
16. A22N Input to PO Notepad
17. I220 Inquiry for Purchase Orders
18. I224 Inquiry for Purchase Orders
19. I228 Inquiry to Purchase Order Lines
20. I239 Inquiry to Receiving Data
21. A282 Inquiry to Active Purchase Order List
22. I284 Inquiry to Invoice Data
23. I29A Inquiry to PO Headers
24. D2** Denied Access to All Other 200 Level (Purchasing) Screens
25. D3** Denied Access to All 300 Level Screens
26. D4** Denied Access to All 400 Level Screens
27. I880 Inquiry to User Security
28. D*** Denied Access to All Other Undefined Screens
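
When reviewing a setup like this one, it helps to know which entry decides the result for a screen that matches several masks. The sketch below is an added example, not FRS code: the page does not state how overlapping entries are resolved, so the "most specific entry wins" rule (suggested by the "All Other" wording) is an assumption, and the function names are hypothetical. It compares that rule with a first-match-in-list-order rule and reports the screens where the two disagree.

```python
# Constructed subset of the list above: access level letter (A = allow,
# I = inquiry only, D = deny) followed by a three-character screen mask.
ENTRIES = ["A010", "A014", "I0**", "A1A2", "I113", "D1**", "I1A4",
           "A22N", "I220", "D2**", "D3**", "D4**", "I880", "D***"]

def mask_matches(mask, screen):
    """True when every non-asterisk position of the mask equals the screen."""
    return len(mask) == len(screen) and all(
        m == "*" or m == s for m, s in zip(mask, screen))

def resolve_most_specific(entries, screen):
    """Assumed rule: the matching entry with the fewest asterisks wins."""
    hits = [e for e in entries if mask_matches(e[1:], screen)]
    if not hits:
        return "D"  # nothing matches: deny by default
    return min(hits, key=lambda e: e[1:].count("*"))[0]

def resolve_first_match(entries, screen):
    """Comparison rule: the first matching entry in list order wins."""
    for e in entries:
        if mask_matches(e[1:], screen):
            return e[0]
    return "D"

def order_sensitive(entries, screens):
    """Screens whose access level depends on which rule is applied."""
    return [s for s in screens
            if resolve_most_specific(entries, s) != resolve_first_match(entries, s)]

if __name__ == "__main__":
    sample = ["014", "021", "1A2", "1A4", "150", "22N", "880", "999"]
    for s in sample:
        print(s, resolve_most_specific(ENTRIES, s), resolve_first_match(ENTRIES, s))
    print("order-sensitive:", order_sensitive(ENTRIES, sample))
```

Screen 1A4 is the one to check on a real operator record: its inquiry entry is listed after D1**, so it is reachable only if the specific entry takes precedence over the wildcard deny.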

If duties in your office are segregated, screen access can also be controlled. For example, if one individual is responsible for journal entries, but not purchase requisitions, access can be denied to all purchasing (200 level) screens. If another individual is responsible for purchase requisitions only, screen access to the 200 level screens would be allowed, with access to all other screens denied. If other individuals need inquiry access only, access would be provided to the appropriate inquiry screens, with access to all other screens denied.

These two elements of security provide the account manager with effective control over the accounts they manage. Access can be allowed or denied to particular accounts with the first element of security, and access allowed or denied to a particular accounting function with the second. If access to an unauthorized account or screen is attempted, the system does not allow the user to complete the requested action. The messages "account access denied" or "screen access denied" are also displayed.

Each operator is assigned a unique accessor ID (assigned by Information Systems) and an operator number and password (assigned by Business & Financial Services). Each individual in your office who requires access to the FRS System should have their own unique accessor ID, operator number and password. Your accessor ID (U*****) and operator number act as a signature in the system. For each transaction that is posted, FRS maintains a file of who processed the transaction, where the terminal or PC is located and when the transaction was posted. It is thus extremely important that access codes not be shared and that passwords not be written on sticky notes and taped to the PC!!!

Each user requiring access to the FRS System must complete the Application for FRS/CIS/FRS Data Warehouse. This should be forwarded to the Security Coordinator in Business & Financial Services, 122 Johnson Hall. In obtaining access to the FRS System, users agree to maintain a secure environment and ensure appropriate use of terminal applications within the policies and procedures of the University. Misuse will result in revocation of your access, without notice. As individuals leave your office, it is imperative that their password be deleted as soon as possible. This includes individuals transferring to another department on campus.