For the most part, we can tell if a change is warranted.  If we have
questions, we email the division head.  We look at cost center
(department) and job code (before & after the change) - not title - and
err on the side of caution.  We'll proactively disable if the change is
obvious or we're unsure or can't get an answer right away.  No
reinstatement or changes are made without a signed reqeust form - thank
you SOX  ;-((  

The cross reference is a possibilty but since our HR system supports any
number of user-defined 'personal property' we'll probably use that -
same concept but more integrated.  Less than 10% of our employees have
system access.  Again, we don't add or change anyone without all the
proper paperwork.

If we miss someone on the termination list, our fallback is a monthly
report of profiles unused in > 60 days.  Once they hit 90, they're
disabled.  Lastly is annual (at least) audits of system access by user
by application.


mcunning@xxxxxxx 03/16/2007 11:10:54 AM >>>
This sounds like exactly what we are doing, trying to figure out what HR
is doing. We give ourselves notice of a title change but right now our
network admins don't do anything with it because they say they don't
know what to do. From a title change they can't tell if the person
actually changed jobs or not. When you say you "take appropriate action"
is that calling someone to find out what happened and then making
whatever changes are necessary? 

p.s. In order to be sure thet SSMITH is  Sally Smith and not Sam
Smithfield, We created a cross reference table that mapped userid to an
employee number so we don't have to guess what two go togeather. We scan
all userids weekly and look at the linked HR records and see if the
person is still employed just as a double check of the e-mail
notifications our HR office sends out. We also do the opposite and scan
HR files and look for active emplyees who don't have accounts (in our
standards all employees get an account) and report those as problems
also. Sometimes (rarely but it heppens) the HR notification of a new
hire does not come out until after someone has been at work for a week
or more. We are also scanning Active Directory LDAP accounts to match
them up to iSeries userids (standard is both userids will be the same)
and HR files and tell our network admins what accounts they should
disable/delete.

________________________________

From: midrange-l-bounces@xxxxxxxxxxxx on behalf of Roger Harman
Sent: Fri 3/16/2007 2:14 PM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: User authority controls



When I started here, they used the concept of naming a user profile by
the job type.  I converted to using names a few years ago and everyone
has loved it.  Besides matching the network & email naming, it just
makes life easier.   Can you remember who RMBY11 (Retail Merchandise
Buyer #11) is?  I can't, but I can easily know who SSMITH is.

As to job changes....  we run a SQL report over the HR transaction
database nightly.  We look for job code changes and cost center changes
and match the name to user profiles.  If we get a hit, we take
appropriate action.  The job change may have no effect on their access
or we may disable the profile if they've moved, say, from Merchandise to
Foods - particularly important for Time & Attendance access.

BTW... we also run a daily termination list and match it to user
profiles (iSeries and network) and disable those.

We review both manually since there is a good possibility of false
positives - SSMITH user profile may be Sally Smith but it was Sam Smith
who left the company.  I hope to improve the process by adding a
notation for computer access to the HR record to eliminate the false
positives - track it like we do special licenses, company issued
property, etc.




mcunning@xxxxxxx 03/16/2007 8:30:15 AM >>>
We have a good handle on authority setup for new employees and on
removing authority for  employees who are leaving. What we struggle with
are those employees who change jobs within the college. Sometimes those
are people leaving one department and going to another, sometimes those
are people just getting a title change. Our HR office is very good at
telling us who new hires are and who is leaving but not so good at jobs
changers. I am curious to know how you handle these people from an
authority control perspective. One idea we had was to look for any title
changes and treat them as if they left the college and are coming back
in as a new employee. Disable their account and revoke all authority
then grant just the base level of authority to the new job until we hear
from that persons new supervisor. Of course this then requires going
into all the systems where mcunning has an account and disabling it.
Another thought was to stop creating accounts based on someone's name
but use their position instead. So my userid would not be MCUNNING but
ITSDIR. ITSDIR is granted authority not MCUNNING. When MCUNNING changes
jobs the ITSDIR account would be disabled and my new job account would
be enabled. When the new ITSDIR comes on board we reactivate that
account. We use to use this method a long time ago but our users
revolted because it is sometimes very hard to turn a title into 10
characters and have it make sense. Try coming up with 10 characters for
Director or Desktop  Computing/Academic Computing/Media Services.

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.