Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

The following row-based security has been implemented with the Employee Activity Hub (EAH) on top of standard Activity Hub security.

  • UCPath transactors: EAH data access mirrors role and row-level security access in UCPath.
  • EAH data consumers and EAH report developers who are not UCPath transactors: data access must be requested and approved as part of an exception provisioning process.
  • Labor Ledger data: all approved EAH data consumers and report developers have access to all rows.

EAH users who need access to department data beyond the default access outlined above to perform their job must fill out a Request Form specifying the additional departmental access needed.

Access forms to use are based on the type of access you need. You may need to submit more than one request:

  1. Running an EAH report without row-level security that has been built by your local report developer: ask your developer what Active Directory (AD) group your DSA should add you to in order to gain access to the report.
  2. Running HR/Payroll reports found at reports.ucsd.edu: fill out the UCPath Reports Access Request form to request:
    1. Access to HR/Payroll reports. Repeat for each group.
    2. DOPE and UCPath-Oracle Salary Reconciliation access.
    3. Additional departmental access.
  3. Building reports in Cognos or Tableau using EAH: complete the Employee Activity Hub Report Developer Access Request.
    1. EAH Report Developers can request additional departmental access via this form.
  4. Running an EAH report built by your local report developer that relies on row-level secured view(s): fill out Employee Activity Hub Report Consumer Access Request and request your report developer add you to the AD group that has access to their reports.
    1. EAH Report Consumers can request additional departmental access via this form.
  5. Running the HR/Payroll report and developing EAH reports: fill out both #2 and #3 from above.
  6. Running local EAH reports and developing EAH reports: fill out both #3 and #4 from above.
  7. Running HR/Payroll reports, running local reports and develop EAH reports: fill out #2, #3 and #4.
  8. Developing data integration: read this page and follow the steps: https://collab.ucsd.edu/display/AH/How+to+Get+Activity+Hub+Data

Viewing reports that use blended data

If you use EAH data in your report, the type of join used in the report will drive what the consumer will see. 

  • If your report contains data from more than one Activity Hub, the consumer running the report will need access to all Activity Hubs included in the report.
  • If your report blends EAH data without row-level security with EAH data with row-level security, the consumer will only see the row-level data they are approved to see. 
  • If you use an inner join to combine EAH with other data, the user will only see data based on their approved UCPath data.  If the consumer has no access to UCPath then they will see nothing in your report. 
  • If you use a left/right join to combine EAH with other data, the consumer will see their UCPath approved data and some of the other activity hub, depending on how you set up the join.  If the consumer has no access to UCPath, they will see blank data in the EAH fields and some of the other activity hub data.
  • In Cognos, if you use an outer join to combine EAH with other data, the consumer will see their UCPath approved data and all of the other activity hub.  If the consumer has no access to UCPath, they will see blank data in the EAH fields and only the other activity hub.
  • In Tableau you can create an left/right join, depending on which data source you bring into the worksheet first.
  • In Cognos you have full control over what join you use in your report.

If your report uses a row-level secured view, the consumer will need to complete a Reports Access Request specifying which additional departmental access they need.

Questions

Where can if find the FAQs for this security?

https://esr.ucsd.edu/projects/activity-hubs/employee/employee-report-access-faq.html

When will these changes be applied to UAT?

November 9, 2020

When will these changes be applied to Production?

November 16, 2020

What EAH views do not require row-level security?

  • EAH-DepartmentHierarchy-View
  • EAH-IdentityDemographics-View
  • EAH-JobCoseSalaryPlan-View
  • EAH-LLActualDetail-View
  • EAH-LLDeductionDetail-View
  • EAH-LLFringeDetail-View (used for DOPES)
  • EAH-LLSalaryDetail-View (used for DOPES)
  • EAH-LLSummary-View
  • EAH-PayCalendar-View
  • EAH-Position-View

Will I be able to see people who are not 100% in my requested department?

EAH view without row-level security:  Yes, you will see all people.

EAH view with row-level security:  Yes. If a person is in your requested department, even at less then 10%, you will see all of their positions and jobs as part of your requested department.  The additional positions will appear as a second row in addition to the department you have requested.

Note:  In order to maintain one row per person for specific views, such as EAH-AbsenseDetail-View, only the primary position for the employee will be seen.  It may appear that you are seeing employees outside of your department, but if you look at those employees in EAH-Workforce-View you will see your approved department listed as non-primary for those specific employees.

How will people look up salaries across campus for grant application? Some requests may be needed within 24 hours for turn around.  A consumer would need to see the title and salary in order to fill out their grant application and would need access to all of campus.

The consumer can now use reports built from Labor Ledger views to see results for all of campus.

How will this impact the data integration processes? 

It will not.  The existing scenarios will remain the same.

  • Scenario:  I use Cognos / Tableau to preview the data that will be in my data integration.  What will I see? 
    • If you are not a transactor or do not have a UCPath inquiry role, your reports – new or old - will not return data on July 20, 2020.  You will need to request access to the data via the forms (links) so that you can see the data in Cognos/Tableau.  We recommend that you request access to ITS only - access to all of UCSD is not necessary to test most UCPath scenarios.  Please work with Continuity Planning to fill out the form in order to gain more than ITS access.
  • Scenario:  I have a data integration that is currently working. 
    • The current column groups are machine to machine using Nifi and therefore will continue to point at non-secured views and therefore your data integration will continue to see all of the rows.  The assumptions is that your end application implements appropriate security.
  • Scenario:  Machine to machine using API. 
    • An API can use the generic AD account, but one of the parameters passed should be the AD account of the person physically using the application and this parameter will engage the security.  When the API pulls data there needs to be a WHERE clause to identify the person physically using the application in order to engage the EAH security.
  • Scenario: Machine to machine using Nifi.
    • Nifi can use the generic account and target application is expected to set the appropriate security.  Example: Batch Jobs

Do you have further questions about your data integration processes?

Email busintel@ucsd.edu.

Do you have further questions about the Employee Activity Hub security policy?

Email UCPathReports@ucsd.edu


  • No labels