|
For the most part, we can tell if a change is warranted. If we have questions, we email the division head. We look at cost center (department) and job code (before & after the change) - not title - and err on the side of caution. We'll proactively disable if the change is obvious or we're unsure or can't get an answer right away. No reinstatement or changes are made without a signed reqeust form - thank you SOX ;-(( The cross reference is a possibilty but since our HR system supports any number of user-defined 'personal property' we'll probably use that - same concept but more integrated. Less than 10% of our employees have system access. Again, we don't add or change anyone without all the proper paperwork. If we miss someone on the termination list, our fallback is a monthly report of profiles unused in > 60 days. Once they hit 90, they're disabled. Lastly is annual (at least) audits of system access by user by application.
mcunning@xxxxxxx 03/16/2007 11:10:54 AM >>>
This sounds like exactly what we are doing, trying to figure out what HR is doing. We give ourselves notice of a title change but right now our network admins don't do anything with it because they say they don't know what to do. From a title change they can't tell if the person actually changed jobs or not. When you say you "take appropriate action" is that calling someone to find out what happened and then making whatever changes are necessary? p.s. In order to be sure thet SSMITH is Sally Smith and not Sam Smithfield, We created a cross reference table that mapped userid to an employee number so we don't have to guess what two go togeather. We scan all userids weekly and look at the linked HR records and see if the person is still employed just as a double check of the e-mail notifications our HR office sends out. We also do the opposite and scan HR files and look for active emplyees who don't have accounts (in our standards all employees get an account) and report those as problems also. Sometimes (rarely but it heppens) the HR notification of a new hire does not come out until after someone has been at work for a week or more. We are also scanning Active Directory LDAP accounts to match them up to iSeries userids (standard is both userids will be the same) and HR files and tell our network admins what accounts they should disable/delete. ________________________________ From: midrange-l-bounces@xxxxxxxxxxxx on behalf of Roger Harman Sent: Fri 3/16/2007 2:14 PM To: midrange-l@xxxxxxxxxxxx Subject: Re: User authority controls When I started here, they used the concept of naming a user profile by the job type. I converted to using names a few years ago and everyone has loved it. Besides matching the network & email naming, it just makes life easier. Can you remember who RMBY11 (Retail Merchandise Buyer #11) is? I can't, but I can easily know who SSMITH is. As to job changes.... we run a SQL report over the HR transaction database nightly. We look for job code changes and cost center changes and match the name to user profiles. If we get a hit, we take appropriate action. The job change may have no effect on their access or we may disable the profile if they've moved, say, from Merchandise to Foods - particularly important for Time & Attendance access. BTW... we also run a daily termination list and match it to user profiles (iSeries and network) and disable those. We review both manually since there is a good possibility of false positives - SSMITH user profile may be Sally Smith but it was Sam Smith who left the company. I hope to improve the process by adding a notation for computer access to the HR record to eliminate the false positives - track it like we do special licenses, company issued property, etc.
mcunning@xxxxxxx 03/16/2007 8:30:15 AM >>>
We have a good handle on authority setup for new employees and on removing authority for employees who are leaving. What we struggle with are those employees who change jobs within the college. Sometimes those are people leaving one department and going to another, sometimes those are people just getting a title change. Our HR office is very good at telling us who new hires are and who is leaving but not so good at jobs changers. I am curious to know how you handle these people from an authority control perspective. One idea we had was to look for any title changes and treat them as if they left the college and are coming back in as a new employee. Disable their account and revoke all authority then grant just the base level of authority to the new job until we hear from that persons new supervisor. Of course this then requires going into all the systems where mcunning has an account and disabling it. Another thought was to stop creating accounts based on someone's name but use their position instead. So my userid would not be MCUNNING but ITSDIR. ITSDIR is granted authority not MCUNNING. When MCUNNING changes jobs the ITSDIR account would be disabled and my new job account would be enabled. When the new ITSDIR comes on board we reactivate that account. We use to use this method a long time ago but our users revolted because it is sometimes very hard to turn a title into 10 characters and have it make sense. Try coming up with 10 characters for Director or Desktop Computing/Academic Computing/Media Services.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
