SFS - User Profile Provisioning
Guidelines for Security Authorization staff to follow when provisioning SFS accounts.
Overview
Provisioning occurs on a daily basis and is initiated when the UW-Madison Office of Cybersecurity receives a SFS Security Authorization Forms. Security Authorizations staff should work with SFS Security Operations staff if there are questions about any requests.
Detailed Steps
If the form is digitally signed, validate the digital signatures. Instructions for validation of digital signatures can be found here: [Link for document 69059 is unavailable at this time] . Print a physical (paper) copy of the form (if applicable) & any related documents (e.g. emails). Stamp the date received on top-right corner of form. Update the tracking sheet (Excel Document located on the ERP Security Shared Drive). Verify the requester's/employees Job Appointment Status in HRS. Validate that the UDDS listed on the form is correct. Confirm that all of the correct approvals have been obtained (User, BU Admin, Module Steward). Add roles to the users profile as requested. Ensure Primary Permission List (PPL) is correct Confirm Process Profile is UW_PROCESS_PROFILE or change it to the correct value. Send a note to the BU Admin, User & Supervisor. Initial and date the bottom right corner of the form when completed. Update tracking sheet with details of request and completion. File the SFS Authorization Form in the users file folder in the filing cabinet.
Restoring Access- SFS User Request Authorization Form is received by Security Authorizations Office, often by fax, email, in-person, or mail.
- Forms should be sent in by a Business Unit Administrator (BU Admin) or other authorized personnel (e.g. Module Steward, UWSA Support). Forms received from other individuals are not acceptable.
- Current list of BU Admins can be found HERE.
- Current list of Module Stewards can be found HERE.
- Confirm it is the current authorization form (current roles, etc.) Current form can be found HERE.
- Requester should have an active job appointment or Person of Interest appointment.
- If there is an issue with the job appointment reach out to the requesters BU Admin.
- Current list of BU Admins can be found HERE.
- If not listed, lookup the user and add the UDDS.
- If there are issues with the users UDDS, reach out to that users BU Admin.
- Supervisor signature is NOT required/scrutinized, but the other three must be reviewed
- BU Admins cannot sign for their own access. Another BU Admin from that campus must sign as the BU Admin.
- Detailed policies regarding approvals can be found HERE.
- If there are issues with the signatures, scan the paper copy of the form (if necessary) and send electronic copy to the BU Admin requesting that they fix the issue.
- IMPORTANT: All allowable roles to add in SFS environments will begin with 'UW_UNV', 'UW_UWS', or 'UW_TEC'. This signifies the role is customized by SFS Security and UWSA Support staff. If users request a role that does not begin with 'UW_UNV', 'UW_UWS', or 'UW_TEC' please consult with SFS Security staff.
- Additional details on the meaning of 'UW_UNV', 'UW_UWS', and 'UW_TEC' can be found here: [Link for document 66253 is unavailable at this time] .
- ALL Environments = SFDEV, SFQA, SFTRAIN, SFPRREL1, SFPRREL2, SFS (Prod).
- Do NOT provision access in SFDEMO (or any demo environment).
- During an upgrade, coordinate user access requests with SFS Security leads.
- The primary permission list should match the users Business Unit.
- This information should be listed on form (BU).
- There are rare cases when a user has a dual appointment or needs their PPL set to a different BU on a temporary basis. Those should be handled through UW System Central support and SFS Security leads.
- Existing users should have it already configured correctly.
- Outline the access added (see Sec Auth templates for details about content)
- It may be wise to add a note to the BU Admin about updating the users user preferences, especially for new users. This is a BU Admin responsibility and if not configured correctly, can result in user's inability to access certain pages or data for a specific BU.
If Security Authorizations receives a request to restore a users access (e.g. if it was removed because of job appointment complications), do not take any action without consulting the SFS Security leads. In most cases, these requests are made when a users appointment ended one day and restarted the following (but the user did not change jobs, departments, or business units). In those cases, its OK to restore the access. Print any supporting documentation (e.g. email) and add it to the users file. In the cases where the user has moved to another BU (therefore has different approvers) or they've transferred jobs within a BU (and are now in a different UDDS and have a different supervisor), they need to submit a formal request containing the roles they need in their new position.