SFS - User Profile Provisioning
Guidelines for Security Authorization staff to follow when provisioning SFS accounts.
Provisioning occurs on a daily basis and is initiated when the UW-Madison Office of Cybersecurity receives a SFS Security Authorization Forms. Security Authorizations staff should work with SFS Security Operations staff if there are questions about any requests.
Detailed Steps Restoring Access
- SFS User Request Authorization Form is received by Security Authorizations Office, often by fax, email, in-person, or mail.
If the form is digitally signed, validate the digital signatures. Instructions for validation of digital signatures can be found here: [Link for document 69059 is unavailable at this time.] .Print a physical (paper) copy of the form (if applicable) & any related documents (e.g. emails).Stamp the date received on top-right corner of form.Update the tracking sheet (Excel Document located on the ERP Security Shared Drive).Verify the requester's/employee’s Job Appointment Status in HRS.
- Forms should be sent in by a Business Unit Administrator (BU Admin) or other authorized personnel (e.g. Module Steward, UWSA Support). Forms received from other individuals are not acceptable.
- Current list of BU Admins can be found HERE.
- Current list of Module Stewards can be found HERE.
- Confirm it is the current authorization form (current roles, etc.) Current form can be found HERE.
Validate that the UDDS listed on the form is correct.
- Requester should have an active job appointment or Person of Interest appointment.
- If there is an issue with the job appointment reach out to the requester’s BU Admin.
- Current list of BU Admins can be found HERE.
Confirm that all of the correct approvals have been obtained (User, BU Admin, Module Steward).
- If not listed, lookup the user and add the UDDS.
- If there are issues with the user’s UDDS, reach out to that user’s BU Admin.
Add roles to the user’s profile as requested.
- Supervisor signature is NOT required/scrutinized, but the other three must be reviewed
- BU Admins cannot sign for their own access. Another BU Admin from that campus must sign as the BU Admin.
- Detailed policies regarding approvals can be found HERE.
- If there are issues with the signatures, scan the paper copy of the form (if necessary) and send electronic copy to the BU Admin requesting that they fix the issue.
Ensure Primary Permission List (PPL) is correct
- IMPORTANT: All allowable roles to add in SFS environments will begin with 'UW_UNV', 'UW_UWS', or 'UW_TEC'. This signifies the role is customized by SFS Security and UWSA Support staff. If users request a role that does not begin with 'UW_UNV', 'UW_UWS', or 'UW_TEC' please consult with SFS Security staff.
- Additional details on the meaning of 'UW_UNV', 'UW_UWS', and 'UW_TEC' can be found here: [Link for document 66253 is unavailable at this time.] .
- ALL Environments = SFDEV, SFQA, SFTRAIN, SFPRREL1, SFPRREL2, SFS (Prod).
- Do NOT provision access in SFDEMO (or any demo environment).
- During an upgrade, coordinate user access requests with SFS Security leads.
Confirm Process Profile is UW_PROCESS_PROFILE or change it to the correct value.
- The primary permission list should match the user’s Business Unit.
- This information should be listed on form (BU).
- There are rare cases when a user has a dual appointment or needs their PPL set to a different BU on a temporary basis. Those should be handled through UW System Central support and SFS Security leads.
Send a note to the BU Admin, User & Supervisor.
- Existing users should have it already configured correctly.
Initial and date the bottom right corner of the form when completed. Update tracking sheet with details of request and completion. File the SFS Authorization Form in the user’s file folder in the filing cabinet.
- Outline the access added (see Sec Auth templates for details about content)
- It may be wise to add a note to the BU Admin about updating the user’s user preferences, especially for new users. This is a BU Admin responsibility and if not configured correctly, can result in user's inability to access certain pages or data for a specific BU.
If Security Authorizations receives a request to “restore” a user’s access (e.g. if it was removed because of job appointment complications), do not take any action without consulting the SFS Security leads. In most cases, these requests are made when a user’s appointment ended one day and restarted the following (but the user did not change jobs, departments, or business units). In those cases, it’s OK to restore the access. Print any supporting documentation (e.g. email) and add it to the user’s file. In the cases where the user has moved to another BU (therefore has different approvers) or they've transferred jobs within a BU (and are now in a different UDDS and have a different supervisor), they need to submit a formal request containing the roles they need in their new position.