EAH Access for Developers and Consumers

The following row-based security has been implemented with the Employee Activity Hub (EAH) on top of standard Activity Hub security.

  • UCPath transactors: EAH data access mirrors role and row-level security access in UCPath.
  • EAH data consumers and EAH report developers who are not UCPath transactors: data access must be requested and approved as part of an exception provisioning process.
  • Labor Ledger data: all approved EAH data consumers and report developers have access to all rows.

EAH users who need access to department data beyond the default access outlined above to perform their job must fill out a Request Form specifying the additional departmental access needed.

How to Request Access

Access forms to use are based on the type of access you need. You may need to submit more than one request:

  1. Running an EAH based report that has been built by your local report developer: ask your developer what Active Directory (AD) group your DSA should add you to in order to gain access to the report.
  2. Running HR/Payroll reports found at bah.ucsd.edu: fill out the UCPath Reports Access Request form to request:
    1. Access to HR/Payroll reports. Repeat for each group.
    2. DOPE and UCPath-Oracle Salary Reconciliation access.
    3. Additional departmental access.
  3. Building reports in Cognos or Tableau using EAH: complete the Employee Activity Hub Report Developer Access Request.
    1. EAH Report Developers can request additional departmental access via this form.
  4. Requesting access to employee data from additional departments: fill out the Employee Activity Hub Row Level Access Request.
  5. Developing data integration: read this page and follow the steps: https://collab.ucsd.edu/display/AH/How+to+Get+Activity+Hub+Data.  You will also need to fill out the Employee Activity Hub Row Level Access Request in order to see departmental data.

Questions

What is the outcome of reports blended with EAH data?

If you use EAH data in your report, the type of join used in the report will drive what the consumer will see. 

  • If your report contains data from more than one Activity Hub, the consumer running the report will need access to all Activity Hubs included in the report.
  • If your report blends EAH data without row-level security with EAH data with row-level security, the consumer will only see the row-level data they are approved to see. 
  • If you use an inner join to combine EAH with other data, the user will only see data based on their approved UCPath data.  If the consumer has no access to UCPath then they will see nothing in your report. 
  • If you use a left/right join to combine EAH with other data, the consumer will see their UCPath approved data and some of the other activity hub, depending on how you set up the join.  If the consumer has no access to UCPath, they will see blank data in the EAH fields and some of the other activity hub data.
  • In Cognos, if you use an outer join to combine EAH with other data, the consumer will see their UCPath approved data and all of the other activity hub.  If the consumer has no access to UCPath, they will see blank data in the EAH fields and only the other activity hub.
  • In Tableau you can create an left/right join, depending on which data source you bring into the worksheet first.
  • In Cognos you have full control over what join you use in your report.

If your report uses a row-level secured view, the consumer will need to complete a Reports Access Request specifying which additional departmental access they need.

Where do I request access?

Access to EAH will depend on what your client is looking for. Here are the different options.
1. Access to existing HR/Payroll reports found on the Business Analytics Hub (BAH = https://bah.ucsd.edu/hr-payroll/index.html) can be requested via the 'Request Access' link found on the same page. You'll need to 'Request Access' to each Category (aka Category Tab) on that page.
2. Access to existing EAH reports not found on BAH will need to be requested directly from the developers who built the report. If you can provide BIa with the report link we can point you toward the report developer.
3. Access to build your own EAH report can be requested via the Employee Activity Hub Report Developer Access Request form = https://support.ucsd.edu/its?id=sc_cat_item&sys_id=1c57e401db8a1c5006037a131f961939&sysparm_category=4c4a24f0db982740a7907aa9bf9619a8.
4. If you have access to the reports they want but need to see additional departments within those report they can request access to additional departments via the Employee Activity Hub Row Level Access Request form = https://support.ucsd.edu/its?id=sc_cat_item&sys_id=1c26e456db101450dbd6f2b6af96199c&sysparm_category=4c4a24f0db982740a7907aa9bf9619a8.

When was this security implemented?

November 16, 2020

What EAH views do not require row-level security?

The EAH Quick Start Guide summary page has a table with a column that indicates if the view has row-level security.

Will I be able to see people who are not 100% in my requested department?

EAH view without row-level security:  Yes, you will see all people.

EAH view with row-level security:  Yes. If a person is in your requested department, even at less then 10%, you will see all of their positions and jobs as part of your requested department.  The additional positions will appear as a second row in addition to the department you have requested.

Note:  In order to maintain one row per person for specific views, such as EAH-AbsenseDetail-View, only the primary position for the employee will be seen.  It may appear that you are seeing employees outside of your department, but if you look at those employees in EAH-Workforce-View you will see your approved department listed as non-primary for those specific employees.

How will this impact the data integration processes? 

It will not.  The existing scenarios will remain the same.

  • Scenario:  I use Cognos / Tableau to preview the data that will be in my data integration.  What will I see? 
    • If you are not a transactor or do not have a UCPath inquiry role, your reports – new or old - will not return data on July 20, 2020.  You will need to request access to the data via the forms (links) so that you can see the data in Cognos/Tableau.  We recommend that you request access to ITS only - access to all of UCSD is not necessary to test most UCPath scenarios.  Please work with Continuity Planning to fill out the form in order to gain more than ITS access.
  • Scenario:  I have a data integration that is currently working. 
    • The current column groups are machine to machine using Nifi and therefore will continue to point at non-secured views and therefore your data integration will continue to see all of the rows.  The assumptions is that your end application implements appropriate security.
  • Scenario:  Machine to machine using API. 
    • An API can use the generic AD account, but one of the parameters passed should be the AD account of the person physically using the application and this parameter will engage the security.  When the API pulls data there needs to be a WHERE clause to identify the person physically using the application in order to engage the EAH security.
  • Scenario: Machine to machine using Nifi.
    • Nifi can use the generic account and target application is expected to set the appropriate security.  Example: Batch Jobs


What is my EAH Access?

Run this report to see what departments you have access to in EAH and UCPath: EAH Security report.

See what Active Directory (AD) groups you are a member of with these instructions: How to View Active Directory Group Membership

  • You have EAH Report Developer access if you are a member of EAH-Developers AD group.
  • You have access to a group of HR/Payroll reports from bah.ucsd.edu if you are a member of an AD group that starts with EAH-Cognos

Do you have further questions about your data integration processes?

Email busintel@ucsd.edu.

Do you have further questions about the Employee Activity Hub security policy?

Email UCPathReports@ucsd.edu