HRS Access Guide - Row Security, Roles, and Security Templates
This document provides in-depth information about the Row Security Permissions List, Roles, and Security Templates, which all determine what users are able to do in HRS, EPM, and UWBI.
Row Security Permissions List
The Row Security Permissions List (displayed in HRS as "Row Security Perm. List" and often shortened to just "row security") determines the data that the user can access within the HRS pages they're authorized to use based on their roles. The row security level begins with UW_DP_ and then ends with a business unit or UDDS. Examples of valid row security values include:
- UW_DP_A022045
- UW_DP_A0220
- UW_DP_A02
- UW_DP_UWMSN
A user only has one row security value at a time, which applies to all positions and roles. A user's row security is carried through all HRS Security requests until it is changed by entering a new value into a request, which then replaces the previous value. Because users only have one security row value, that value must be broad enough to cover all units in which the user is working, but should still be the narrowest possible value so the user does not have access to data that they don't need.
Row Security examples
- A user only needs to see data within the A022045 subdepartment. In this case the user should have a row security value of UW_DP_A022045.
- A user needs to access data within the A022010 and A022045 subdepartments and does not need to access data outside of A0220. In this case the user should have a row security value of UW_DP_A0220.
- A user needs to access data within the A0210 and A0220 departments and does not need to access data outside of A02. In this case the user should have a row security of UW_DP_A02.
- A user needs to see data within the A01 and A02 divisions. In this case the user should have a row security level of UW_DP_UWMSN.
Note: row security does not apply to EPM or UWBI (OBIEE) access, only HRS.
Roles
The sections or pages that a user can see in HRS, EPM, and UWBI/OBIEE are determined by the roles that the user has.
Role Areas
Roles include abbreviations for relevant functional areas, which can help you determine appropriate roles for different needs.
- AM -- Absence Management - includes access to information about leaves taken, balances, entitlements, etc.
- BI -- Business Intelligence - includes access to reporting functions such as PayCheck, Commitment Accounting, OBIEE/UWBI, etc.
- BN -- Benefits - includes access to various elements of employee benefits
- DB -- Database - includes access to data tables/views (EPM only)
- FI -- Finance - includes access to information about funding, budgets, salary cost transfers, etc.
- HR -- Human Resources - includes access to information about persons, jobs, positions, etc.
- IR -- Interactive Reporting - includes access to data tables/views (EPM only)
- PY -- Payroll - includes access to information about additional payrolls, direct deposites, paychecks, retro pay, taxes, etc.
- TL -- Time and Labor - includes access to information about timesheets, supervisors, payroll coordinators, schedules, etc.
HRS roles
Roles determine the pages and features that the user can access within HRS, with specific data access determined by their row security permissions list. There are many roles and often roles have some degree of overlap with other roles, so working with roles can be confusing and overwhelming. To make it easier, it is recommended to use security templates to set up new users and then request additional individual roles as additional needs are identified.
Download the UW-Madison HRS Role Catalog
EPM roles
Some technical users might also need access to the Enterprise Performance Management (EPM) data warehouse, which stores data entered into HRS to use in custom queries and applications. EPM access requires the EPM ODBC Data Access (UW_UNV_EPM_ODBC_ACCESS) role in addition to specific roles that provide access to different sets of data tables. Learn more about EPM on the UWSS Data Warehouse site (requires NetID login).
Download the UW-Madison EPM Role Catalog
UWBI/OBIEE roles
There are two primary roles for UWBI/OBIEE - non-sensitive and sensitive. Sensitive access includes non-sensitive access, so it is not necessary for a user to have both roles.
- BI HRS Qry-Non-Sensitive (UW_UNV_EPM_ALL_QRY_LBRY_NS) - access to all non-sensitive UWBI/OBIEE reports
- This role is included in HR, Payroll, and Finance security templates and is appropriate for most users.
- BI HRS Queries-Sensitive (UW_UNV_EPM_HR_QRY_LBRY_S) - access to both sensitive and non-sensitive UWBI/OBIEE reports
- This role requires justification in the request comment for why the user needs to access sensitive data. This role is typically only given to HR staff at the division level, but exceptions may be made if a user has a specific business need for it.
Security Templates
Security templates are pre-configured sets of roles designed for common user types. The table below summarizes the update, view, and UWBI/OBIEE access included in each template.
Template Name | Update Access | View Access | UWBI/OBIEE Access |
---|---|---|---|
Division HR |
|
|
|
Division Payroll |
|
|
|
Division Finance |
|
|
|
Department HR |
|
|
|
Department Payroll |
|
|
|
Department Finance |
|
|
|
View Only |
|
|
|
These templates are the result of many discussions between OHR and HRS users from throughout campus. Selecting a template automatically adds a set of roles to the request that HRS users in that template's functional area identified as universal needs.
Download the UW-Madison HRS Security Templates Guide
We want your input! If you have any feedback about these templates, email the OHR HRIS team!