RPM | REQUIREMENTS AND POLICIES MANUAL

Title: OCFO Business and Financial Systems User Access Control

Publication date: 8/20/2021

Effective date: 8/20/2021

BRIEF

Policy Summary

Lawrence Berkeley National Laboratory's (Berkeley Lab's) Office of the Chief Financial Officer (OCFO) is responsible for managing the secure stewardship and control of its business and financial systems. This includes maintaining clearly defined roles and permissions, setting up and managing user accounts, and ensuring that users' access privileges and assigned roles are approved and consistent with business needs.

Who Should Read This Policy

Any Berkeley Lab employee responsible for managing user access for Laboratory business and financial systems

To Read the Full Policy, Go To:

The POLICY tab on this wiki page

Contact Information

OCFO Business Systems Analysis Group (BSG) Manager
Controller

POLICY

A. Purpose

This document defines the policy and procedures for managing Office of the Chief Financial Officer (OCFO) business and financial systems user access controls, which include roles and permissions, user accounts, and access privileges that meet approved criteria and are consistent with business needs.

B. Persons Affected

Any Lawrence Berkeley National Laboratory (Berkeley Lab) employee responsible for managing user access for OCFO business and financial systems

C. Exceptions

None

D. Policy Statement

The OCFO is responsible for managing the secure stewardship and control of its business and financial systems listed below:

  • Financial Management System (FMS).
  • Electronic System for Research Administration (eSRA).
  • Payroll system: Payroll is processed through UCPath, which is owned by the University of California (UC). The OCFO BSG team coordinates with LBNL's HR business systems team to obtain the necessary access to the UCPath payroll module for appropriate Laboratory employees.

This includes maintaining clearly defined roles and permissions, setting up and managing user accounts, and ensuring that users' access privileges and assigned roles are approved and consistent with business needs.

OCFO employs this policy and a variety of security-enforcement mechanisms for controlling system user access. Consistent with the Berkeley Lab Requirements and Policies Manual (RPM) Security for Information Technology policy, these controls ensure that data resident in these systems are sufficiently protected from unauthorized use, alteration, and manipulation, and that users, data owners, and system owners take appropriate precautions to secure business and financial systems and the data contained therein.

Division/department managers and supervisors are responsible for communicating changes in an employee's job responsibility and/or employment status to the OCFO System Module Owner, Business Systems Group Manager, or designee. For some OCFO systems, such as the PeopleSoft Financial Management System (FMS), basic roles are assigned automatically when a new employee is added to the UC-owned Human Resources system. FMS automatically locks a user's account when the employee is terminated or the employee's payroll status changes to leave of absence.

OCFO employs a risk-based approach to conducting regular reviews and validations of users' system access.

E. Roles and Responsibilities

Each role below is followed by its responsibilities.

Business Systems Group Manager or Designee

  • Manages the OCFO business and financial system user access program consistent with this policy and related communication with stakeholders.
  • Ensures that changes to a user's access and privileges are authorized by the user's manager or supervisor.
  • For user roles that provide enhanced user access, ensures that access pre-conditions and criteria (such as completion of specific skills training determined by employee role) are completed by the new user, or that an exception to the access pre-conditions is granted by the user's manager or supervisor, before granting required access.
  • Supports system module owners in defining and documenting requirements for basic and enhanced user access and privileges. Where changes are required, communicates functional requirements to the Information Technology (IT) Business Systems unit.
  • Conducts and/or coordinates the regular reviews of user access and privileges in FMS and eSRA listed below:
    • Sensitive roles: reviews every six months.
    • All roles (including sensitive roles): reviews every 12 months.
  • Coordinates with IT in establishing and implementing automatic application time-outs.
  • Manages the use of anonymous accounts.

OCFO System Module Owner or Designee

  • Working with the Business Systems Group Manager or designee, defines requirements for user access and privileges related to a specific module. For user roles that provide enhanced user access, the System Module Owner establishes access criteria, such as completion of specific skills training, appropriate job titles, or other criteria consistent with business need.
  • Identifies roles that are incompatible due to a potential conflict of interest requiring separation of functional duties/responsibilities. Working with the Business Systems Group Manager or designee, ensures that no user has access to multiple roles that, when assigned to the same user, create a potential for conflicts of interest.
  • Reviews and approves requests for enhanced user access. Verifies pre-conditions are met and that the intended system usage is appropriate.
  • Submits approved system access and privilege changes via email or FMS Help Desk (AskUs) ticket to the Business Systems Group Manager or designee.
  • Where applicable, manages user access to division-specific information.
  • Periodically reviews and, as necessary, requests changes to basic and enhanced system access and privileges consistent with business requirements.
  • Participates in regular user access reviews to help confirm user access and privileges.

Supervisor of System Users (including employee and/or affiliate)

  • Requests enhanced user access via AskUs ticket, consistent with business need. Ensures that access pre-conditions and criteria (such as completion of specific skills training) are completed by the new user. Approves exceptions to access pre-conditions and criteria (such as completion of specific skills training) as appropriate.
  • If a user's assigned job responsibility, organization, or other condition changes, assesses whether a change to the user's systems access or privilege level is required. If so, requests this change via AskUs ticket from the System Module Owner (or designee).

ITBS (IT Division Business Systems)

  • Based on functional specifications and consistent with this policy, establishes, monitors, and maintains system parameters and controls in support of the requested system access and privileges.
  • Supports regular access reviews and confirms access and privileges assigned to IT staff.
  • Maintains the time limit for automatic application time-outs based on input from the Business Systems Group Manager.

F. Definitions/Acronyms

Anonymous accounts: System accounts established to run automatic jobs/processes and/or background processes and/or to test and maintain system capabilities.

Basic user access: Access to a system that is dynamically (automatically) assigned to all employees (e.g., access to FMS InquiryPayment Request).

Enhanced user access: Additional access to system capabilities that provide read/write permissions and/or read access to sensitive information.

System Module Owner: Functional manager with assigned responsibility for a system component, consistent with the OCFO Business System Ownership policy.

User: Individual employee, affiliate, or system process authorized to access an information system.

G. Recordkeeping Requirements

None

H. Implementing Documents

None

I. Contact Information

OCFO Business Systems Group (BSG) Manager
Controller

J. Revision History

Date | Revision | By whom | Revision description | Section(s) affected | Change type
8/20/2021 | 2 | U.K. | Clarifications/minor updates | Brief, B, D, E, F, I | Minor
3/29/2018 | 1.2 | U.K. | Clarifications made to the policy | D, E, F, H | Minor
3/25/2013 | 1.1 | Axthelm | Review completed 12/17/2012, no changes | Pub & next review dates | Minor
1/2/2012 | 1 | Axthelm | Reformat for wiki | All | Minor

DOCUMENT INFORMATION

Title: Financial Management System (FMS) User Access Control

Document number: 11.04.003.000

Revision number: 2

Publication date: 8/20/2021

Effective date: 8/20/2021

Next review date: 8/1/2024

Policy Area: Financial Business Systems

RPM Section (home): Financial Management

RPM Section (cross-reference): Section 11.49

Functional Division: OCFO

Prior reference information (optional): RPM Section 11.49

Source Requirements Documents: None

Other Driving Requirements

Document Number | Title | Type
11.04.002.000 | Business System Ownership | Policy
10.01.002.000 | Security for Information Technology | Policy

Implementing Documents: None

ADDITIONAL INFORMATION

Author name/contact info: Deputy Chief Financial Officer; OCFO Business Systems Analysis (BSA) Manager

Revision 0 publication date: 11/19/2010

Retirement date: n/a

Prior reference information (optional): RPM Section 11.49

Inputs from more than one Functional Area? No

List additional Functional Areas & contacts: (none listed)

Inputs from more than one Policy Area? No

List additional Policy Areas & contacts: (none listed)

30-day notification needed? No

30-day start date: n/a

30-day end date: n/a

LDAP protected? No

Need TABL reminders? No

Frequency: n/a

Brief reminder text: n/a


Key labels/tags: FMS, FMS user access, system access, business system access
