Banner Fine-Grained Access

Introduction

Target Audience: Banner Security Managers and Business Analysts in the various business offices across campus.

Fine-grained access security lets the University restrict a user’s access to data stored in Banner. This is done based on the value of a specific data element.  As an example, ISU currently utilizes FGA (fine-grained access) for student holds.  Various departments manage specific hold codes on student accounts.  FGA is used to ensure one department cannot update a hold applied by a different department.

Security Managers within departments utilizing FGA are able to determine who is allowed access to the data controlled by fine-grained access.  They are able to assign (or remove) the appropriate business profiles (groups) via Banner Administrative page GOAFBPR.

Argos reports are available to departmental Security Managers to assist in auditing which users have access to the different business profiles.

Requesting Assistance

If you feel you are restricted from viewing or updating data that you need, please contact a Security Manager in your department. 

If your department does not have a Security Manager, please submit a Banner – Report an Issue request and it will be routed to the appropriate resource.  Be sure to include justification for the request.

If your department needs modification of current fine-grained access, or additional FGA, please submit a Banner change request.

Currently Implemented

Indiana State has currently implemented fine-grained access on four fields.  Three types of FGA have been used to meet University needs.

  1. The first type allows/prevents the updating of specific data values.
    • This type of access is controlled by adding data predicates and assigning these to specific business profiles, which must be done by ICS.
    • Departmental Security Managers have the ability to assign users to the appropriate business profiles.
    • On SOAHOLD, Hold Type is restricted by code, i.e. only ORR can update the ‘TR’ hold type.
    • On SOATEST, Test Code is restricted by code, i.e. only Admissions can update the ‘MTA’ test code.
    • On TVAAUTH, Authorization Code is restricted by code, i.e. ORR can only update the codes ‘FRP’ and ‘FRW’.
  2. The second type allows/prevents the viewing of the entire social security number, i.e. “masking” of the first 5 digits of the SSN.
    • A masking rule is created on each Banner table/column that contains SSN, and assigned to a specific business profile. This must be done by ICS.
    • At implementation, each department determined if SSN needed to be masked on their Banner Administrative pages.
    • By default, new users will be put into the appropriate business profiles that prevent them from viewing the full SSN.
    • A user who is determined to need access to view the full SSN will be able to view the full SSN on all Banner Administrative pages.
    • Allowing a user the ability to view the full SSN is done by adding them to the BP_UNMASK_SSN business profile, and removing them from all other SSN profiles.
    • A process runs nightly to add users to the appropriate profiles depending on which Banner Admin pages they have access to. If the user is in the BP_UNMASK_SSN profile, they will not be added to any other profiles.
  3. The third type allows/prevents users of Banner Communication Management viewing or modifying populations and templates.
    • This type of access is configured similarly to the first type of FGA.
    • Data predicates are added on the folder table, and business profiles are used to restrict access.
    • On GCRFLDR, GCRFLDR_NAME is restricted by department, i.e. only AR users can view/modify items categorized with the GCRFLDR_NAME = 'CM_Bursar'.

Many business profiles have been created to accommodate the combinations of data and user access.  These can be viewed within Banner, or via Argos reports.

Updating User Accounts

Security managers who currently manage fine-grained access can update a specific user account by logging into Banner and navigating to GOAFBPR. Select the Business Profile the user should be added to, press Go, and then insert the user’s Banner account ID.

Result set for BP_ATHLETICS_USERS, use the Insert button to add users to this profile.

 

Additional Information

A current list of departmental security managers can be found here.

Argos Data Blocks

FGA_SECURITY_VIEW – this data block will select from the view BANINST1.FGA_SECURITY_VIEW. It allows the user to modify the where clause to extract the needed report. Fields that can be queried are: University ID, Banner account, business profile, or Banner table.

SSN_MASK_SECURITY_VIEW - this data block will select from the view BANINST1.SSN_MASK_SECURITY_VIEW. It allows the user to modify the where clause to extract the needed report. Fields that can be queried are: table, form, or business profile.

FGA_User_MissingBP – this data block will select any users who are missing from a business profile for the Banner form selected.  The user first selects from the list of Banner forms displayed (SOAHOLD, SOATEST, TVAAUTH).  The report runs for the selected form.  The SQL for this report should not be modified.

FGA_User_MissingBP_SSN – this data block will select any users who have access to at least one SSN form and are not in any SSN business profiles.  Users who are allowed to view the full SSN will be assigned the BP_UNMASK_SSN profile. The SQL for this report should not be modified.

 

List of access provided by each business profile

Test Scores:

BP_TEST_SCORE_COLL_BUS - (sortest_tsrc_code = 'SCED' AND sortest_tesc_code IN ('800','810','2633','2622'))

BP_TEST_SCORE_COLL_ED - (sortest_tsrc_code = 'SCED' AND sortest_tesc_code BETWEEN '0010' AND '9999' AND sortest_tesc_code NOT IN ('800', '810', '2622'))

BP_TEST_SCORE_EVERY_CODE - sortest_tesc_code LIKE ('%')

BP_TEST_SCORE_SCHOOL_OF_MUSIC - sortest_tesc_code IN ('MUST','MUSP','MRAR','KBPE','MQJ','MUSA')

BP_TEST_SCORE_VIEW_ONLY - sortest_tesc_code IN ('DUMMYXXX')

 

Holds:

BP_ADMISSIONS_USERS - SPRHOLD_HLDD_CODE IN ('AF','AH','EP','FE','FH','IX','LP','PR','CT','GP','OO','LS','FD','DA')

BP_HOLDS_ALL_CODES - SPRHOLD_HLDD_CODE LIKE ('%')

BP_AR_USERS - SPRHOLD_HLDD_CODE IN ('AR','FL','IF','MN','TD','UC','UG','W1','W2','W3','W4','WA','WC','WG','WO','WR')

BP_ATHLETICS_USERS - SPRHOLD_HLDD_CODE IN ('AT')

BP_CGPS_USERS - SPRHOLD_HLDD_CODE IN ('CT','GP','GS')

BP_COLLEGE_OF_TECH - SPRHOLD_HLDD_CODE IN ('TH')

BP_DEAN_OF_STUDENTS_USERS - SPRHOLD_HLDD_CODE IN ('IW','TB')

BP_INTERNATIONAL_USERS - SPRHOLD_HLDD_CODE IN ('IX')

BP_MUSIC_USERS - SPRHOLD_HLDD_CODE IN ('MR','MU')

BP_NSTP_USERS - SPRHOLD_HLDD_CODE IN ('OO')

BP_NURSING_USERS - SPRHOLD_HLDD_CODE IN ('MX')

BP_OIT_USERS - SPRHOLD_HLDD_CODE IN ('LR')

BP_ORR_USERS - SPRHOLD_HLDD_CODE IN ('IM','MI','PH','RA','RH','TR','AT','IW','TB','SJ','TD','T9','UA','UC','XI')

BP_SCHOLARSHIP_OFFICE_USERS - SPRHOLD_HLDD_CODE IN ('LS')

BP_STUDENT_CONDUCT_USERS - SPRHOLD_HLDD_CODE IN ('SJ')

BP_TITLE_9_OFFICE_USERS - SPRHOLD_HLDD_CODE IN ('T9')

BP_UNIVERSITY_COLLEGE_USERS - SPRHOLD_HLDD_CODE IN ('UA')

BP_HOLDS_VIEW_ONLY_USERS - SPRHOLD_HLDD_CODE IN ('DummyCode')

BP_EXT_LEARN_USERS - SPRHOLD_HLDD_CODE IN ('DA')
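
An added example, not part of the original article or of Banner itself: a Python audit over the hold predicates listed above that reports every hold code more than one departmental profile can update, so a Security Manager can confirm each overlap is intended. The function names are hypothetical; the profile data is copied from this page.

```python
import re
from collections import defaultdict

# Hold predicates copied from the list above, one "profile - predicate" per line.
HOLD_PREDICATES = """\
BP_ADMISSIONS_USERS - SPRHOLD_HLDD_CODE IN ('AF','AH','EP','FE','FH','IX','LP','PR','CT','GP','OO','LS','FD','DA')
BP_HOLDS_ALL_CODES - SPRHOLD_HLDD_CODE LIKE ('%')
BP_AR_USERS - SPRHOLD_HLDD_CODE IN ('AR','FL','IF','MN','TD','UC','UG','W1','W2','W3','W4','WA','WC','WG','WO','WR')
BP_ATHLETICS_USERS - SPRHOLD_HLDD_CODE IN ('AT')
BP_CGPS_USERS - SPRHOLD_HLDD_CODE IN ('CT','GP','GS')
BP_COLLEGE_OF_TECH - SPRHOLD_HLDD_CODE IN ('TH')
BP_DEAN_OF_STUDENTS_USERS - SPRHOLD_HLDD_CODE IN ('IW','TB')
BP_INTERNATIONAL_USERS - SPRHOLD_HLDD_CODE IN ('IX')
BP_MUSIC_USERS - SPRHOLD_HLDD_CODE IN ('MR','MU')
BP_NSTP_USERS - SPRHOLD_HLDD_CODE IN ('OO')
BP_NURSING_USERS - SPRHOLD_HLDD_CODE IN ('MX')
BP_OIT_USERS - SPRHOLD_HLDD_CODE IN ('LR')
BP_ORR_USERS - SPRHOLD_HLDD_CODE IN ('IM','MI','PH','RA','RH','TR','AT','IW','TB','SJ','TD','T9','UA','UC','XI')
BP_SCHOLARSHIP_OFFICE_USERS - SPRHOLD_HLDD_CODE IN ('LS')
BP_STUDENT_CONDUCT_USERS - SPRHOLD_HLDD_CODE IN ('SJ')
BP_TITLE_9_OFFICE_USERS - SPRHOLD_HLDD_CODE IN ('T9')
BP_UNIVERSITY_COLLEGE_USERS - SPRHOLD_HLDD_CODE IN ('UA')
BP_HOLDS_VIEW_ONLY_USERS - SPRHOLD_HLDD_CODE IN ('DummyCode')
BP_EXT_LEARN_USERS - SPRHOLD_HLDD_CODE IN ('DA')
"""

def parse_predicates(text):
    """Return {profile: set of codes}; None marks a match-everything LIKE '%'."""
    grants = {}
    for line in text.strip().splitlines():
        profile, predicate = line.split(" - ", 1)
        literals = re.findall(r"'([^']*)'", predicate)
        if re.search(r"\bLIKE\b", predicate, re.I):
            if literals != ["%"]:
                raise ValueError(f"unsupported LIKE pattern: {line}")
            grants[profile] = None  # wildcard profile: review separately
        else:
            grants[profile] = set(literals)
    return grants

def shared_codes(grants):
    """Map each code granted by two or more non-wildcard profiles to those profiles."""
    owners = defaultdict(list)
    for profile, codes in grants.items():
        for code in codes or ():  # wildcard profiles (None) are skipped here
            owners[code].append(profile)
    return {c: sorted(p) for c, p in owners.items() if len(p) > 1}

if __name__ == "__main__":
    print(shared_codes(parse_predicates(HOLD_PREDICATES)))
```
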

 

AR Auth:

BP_TVRAUTH_ALL_CODES - TVRAUTH_TYPE_CODE LIKE ('%')

BP_TVRAUTH_FERPA_CODES - TVRAUTH_TYPE_CODE IN ('FRP','FRW','GG')

BP_TVRAUTH_VIEW_ONLY - TVRAUTH_TYPE_CODE = 'DUMMYXXX'

Banner Communication Management Folders:

BP_BCM_ALL_FOLDERS - GCRFLDR_NAME IS NOT NULL

BP_BCM_BURSAR_FOLDERS - GCRFLDR_NAME LIKE '%Bursar%'

BP_BCM_GEN_FOLDERS - GCRFLDR_NAME LIKE '%General%'

BP_BCM_OIT_FOLDERS - GCRFLDR_NAME LIKE '%OIT%'

BP_BCM_SCHOLAR_OFF_FOLDERS - GCRFLDR_NAME LIKE '%Scholarship%'  

BP_BCM_FINAID_FOLDERS - GCRFLDR_NAME LIKE '%Financial Aid%'

BP_BCM_REG_FOLDERS - GCRFLDR_NAME LIKE '%Registrar%'

 

Banner Pages with SSN Masking applied:

APACHLD

APACRVW

APAIDEN

APASBIO

FOAIDEN

FTMVEND

GUIALTI

GUITINH

SAAQUIK

SHAETOR

SPAIDEN

SPAPERS

SRAQUIK

Users who need to view the full SSN should be added to the BP_UNMASK_SSN profile, otherwise they will be added to the profile corresponding to the Banner page name.

Details

Article ID: 110858
Created: Thu 6/25/20 12:43 PM
Modified: Thu 5/11/23 4:00 PM
