Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

The following row-based security has been implemented with the Employee Activity Hub (EAH) on top of standard Activity Hub security.

  • UCPath transactors: EAH data access mirrors role and row-level security access in UCPath.
  • EAH data consumers and EAH report developers who are not UCPath transactors: data access must be requested and approved as part of an exception provisioning process.
  • Labor Ledger data: all approved EAH data consumers and report developers have access to all rows.

EAH users who need access to department data beyond the default access outlined above to perform their job must fill out a Request Form specifying the additional departmental access needed.

How to Request Access

Access forms to use are based on the type of access you need. You may need to submit more than one request:Image Removed

  1. Running an EAH based report without row-level security that has been built by your local report developer: ask your developer what Active Directory (AD) group your DSA should add you to in order to gain access to the report.
  2. Running HR/Payroll reports found at reportsbah.ucsd.edu: fill out the UCPath Reports Access Request form to request:
    1. Access to HR/Payroll reports. Repeat for each group.
    2. DOPE and UCPath-Oracle Salary Reconciliation access.
    3. Additional departmental access.
  3. Building reports in Cognos or Tableau using EAH: complete the Employee Activity Hub Report Developer Access Request.
    1. EAH Report Developers can request additional departmental access via this form.
  4. Running an EAH report built by your local report developer that relies on row-level secured view(s): fill out Employee Activity Hub Report Consumer Access Request and request your report developer add you to the AD group that has access to their reports.
    1. EAH Report Consumers can request additional departmental access via this form.
  5. Running the HR/Payroll report and developing EAH reports: fill out both #2 and #3 from above.
  6. Running local EAH reports and developing EAH reports: fill out both #3 and #4 from above.
  7. Running HR/Payroll reports, running local reports and develop EAH reports: fill out #2, #3 and #4.
  8. Requesting access to employee data from additional departments: fill out the Employee Activity Hub Row Level Access Request.
  9. Developing data integration: read this page and follow the steps: https://ucsdcollabcollab.atlassianucsd.netedu/wiki/display/AH/How+to+Get+Activity+Hub+Data

...

  1. .  You will also need to fill out the Employee Activity Hub Row Level Access Request in order to see departmental data.

Questions

What is the outcome of reports blended with EAH data?

If you use EAH data in your report, the type of join used in the report will drive what the consumer will see. 

...

If your report uses a row-level secured view, the consumer will need to complete a Reports Access Request specifying which additional departmental access they need.

Questions

When will these changes be applied to UAT?

November 9, 2020

...

Where do I request access?

Access to EAH will depend on what your client is looking for. Here are the different options.
1. Access to existing HR/Payroll reports found on the Business Analytics Hub (BAH = https://bah.ucsd.edu/hr-payroll/index.html) can be requested via the 'Request Access' link found on the same page. You'll need to 'Request Access' to each Category (aka Category Tab) on that page.
2. Access to existing EAH reports not found on BAH will need to be requested directly from the developers who built the report. If you can provide BIa with the report link we can point you toward the report developer.
3. Access to build your own EAH report can be requested via the Employee Activity Hub Report Developer Access Request form = https://support.ucsd.edu/its?id=sc_cat_item&sys_id=1c57e401db8a1c5006037a131f961939&sysparm_category=4c4a24f0db982740a7907aa9bf9619a8.
4. If you have access to the reports they want but need to see additional departments within those report they can request access to additional departments via the Employee Activity Hub Row Level Access Request form = https://support.ucsd.edu/its?id=sc_cat_item&sys_id=1c26e456db101450dbd6f2b6af96199c&sysparm_category=4c4a24f0db982740a7907aa9bf9619a8.

When was this security implemented?

November 16, 2020

What EAH views do not require row-level security?

The EAH

...

Quick Start Guide summary page has a table with a column that indicates if the view has row-level security.

Will I be able to see people who are not 100% in my requested department?

EAH view without row-level security:  Yes, you will see all people.

...

Note:  In order to maintain one row per person for specific views, such as EAH-AbsenseDetail-View, only the primary position for the employee will be seen.  It may appear that you are seeing employees outside of your department, but if you look at those employees in EAH-Workforce-View you will see your approved department listed as non-primary for those specific employees.

How will

...

The consumer can now use reports built from Labor Ledger views to see results for all of campus.

...

this impact the data integration processes? 

It will not.  The existing scenarios will remain the same.

  • Scenario:  I use Cognos / Tableau to preview the data that will be in my data integration.  What will I see? 
    • If you are not a transactor or do not have a UCPath inquiry role, your reports – new or old - will not return data on July 20, 2020.  You will need to request access to the data via the forms (links) so that you can see the data in Cognos/Tableau.  We recommend that you request access to ITS only - access to all of UCSD is not necessary to test most UCPath scenarios.  Please work with Continuity Planning to fill out the form in order to gain more than ITS access.
  • Scenario:  I have a data integration that is currently working. 
    • The current column groups are machine to machine using Nifi and therefore will continue to point at non-secured views and therefore your data integration will continue to see all of the rows.  The assumptions is that your end application implements appropriate security.
  • Scenario:  Machine to machine using API. 
    • An API can use the generic AD account, but one of the parameters passed should be the AD account of the person physically using the application and this parameter will engage the security.  When the API pulls data there needs to be a WHERE clause to identify the person physically using the application in order to engage the EAH security.
  • Scenario: Machine to machine using Nifi.
    • Nifi can use the generic account and target application is expected to set the appropriate security.  Example: Batch Jobs


What is my EAH Access?

Run this report to see what departments you have access to in EAH and UCPath: EAH Security report.

See what Active Directory (AD) groups you are a member of with these instructions: How to View Active Directory Group Membership

  • You have EAH Report Developer access if you are a member of EAH-Developers AD group.
  • You have access to a group of HR/Payroll reports from bah.ucsd.edu if you are a member of an AD group that starts with EAH-Cognos

Do you have further questions about your data integration processes?

Email busintel@ucsd.edu.

Do you have further questions about the Employee Activity Hub security policy?

Email UCPathReports@ucsd.edu

...