Security Administration

Last Updated April 21, 2011


The Security Administration screen from the Tax Collection System are accessible but are used to control security for both the Tax Collection System and the Permits module.

The Security Administration screen allow you to create users, and to grant and/or revoke jobs, tasks, entitlements, and batch menu reports/processes associated with each user.

This online help topic covers the following:

  • Definitions
  • Set Up
  • Assigning jobs, tasks and entitlements to users
  • Resetting passwords
  • Viewing grant history
  • Creating a spreadsheet of jobs, tasks, and entitlements for each user

Definitions

Job - a defined set of tasks. ACT has created jobs such as cashier, head cashier, and accounting that will hopefully include the activities that these tax office employees have. If the default jobs created by ACT do not fit your tax office's needs, you can create new jobs, either 'from scratch' or by copying a pre-existing job and then modifying it. You cannot change ACT's default jobs.

Task - a 'chore' done by a tax office employee.  For example, the job 'Cashier' includes the tasks 'take a payment' and 'reprint a receipt'. Tasks must be assigned to jobs.  You cannot add or remove tasks from ACT's default jobs.

Entitlement - the specific action(s) taken to fulfill a task. For example, to take a payment, you need access to the deposit control screen and to the payment screen. You also need to open and close a deposit. Each of these activities is an entitlement in ACT's security system. Entitlements cannot be added or removed from a task, but can be turned on and off by user.

Set Up

The following user entitlements must be set for each user who needs access to the Security Administration and Security Maintenance screens. They are part of the Security Administration task.

Only users having the User Administration job can view or make changes to this screen. See Tasks, Entitlements, and Jobs for more information.

Entitlements:

USER_ADMIN20: This must be checked for each user allowed to see the Security Administration screen.

USER_ADMIN20_UPDATE: This must be checked to make changes to the Security Administration screen, such as modifying the security settings for each employee.

USER_ADMIN_TXL_UPDATE: This must be checked to make changes to the Security Administration settings for TaxLedge users. If it is not granted to the user logged in, but that user does have the USER_ADMIN20 entitlement, the screen will have a Read Only message at the top and no changes can be made to security settings for the modules listed as being read-only.

KILL_SESSION: Allows users to terminate sessions. by default, this is set to N and must be manually set to Y for those users authorized to terminate sessions. (To this, go to Security Administration and enter the authorized user's name. Click the Job Assignment tab, then click on the job - the template job is User Administration. Click the Fine Tune task, then click on the task Security Administration. On the right sided, the KILL_SESSION entitlement checkbox will be blank. Check that box, then click Apply.)

The following roles are also required to be set up prior to using these screens. Contact ACT for assistance.

ACT_BASE_OBJECTS: This should be granted to all Tax Collection System users. It provides base level access to most database tables in ACT 7.0. However, this access can be removed or reset using user entitlementsm which allow or deny access to individual screens and processes. This replaces ACT_USER and ACT_FOUNDATION, used in the original security system. This role does not grant access to the so-called guarded tables: owner, taxdtl, apport, valdtl, receivable, rechist, depctl, distribution, and remittance.

GLTAXLEDGE_FOUNDATION: (TaxLedge only, assigned behind the scenes when users are created) This provides the ability to use the functionality available in all of the screens. Security is restricted by not granting

Assigning Jobs, Tasks and Entitlements to Specific Users

  1. At this point, you can add or remove jobs from any user and also remove certain tasks or entitlements from those assigned to any user.

Note: You can remove entitlements from jobs as shown above, which will remove the entitlement for any user having that job. Or, you can remove entitlements from a job for a specific user, as shown below.

  1. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  2. Enter the User Name.
  3. Press Tab to fill in the information in the remainder of the screen.
  4. Click the Job Assignment tab
  5. Add or remove any job for that user. Double-click any job to see the tasks for that job
  6. If the user is assigned the same entitlement in more than one job, a warning message stating that the default has been overridden for all future users who are assigned this job and asks if you want to apply the change to existing users having the same job. If you click No, the default for the entitlement will be changed only for new users assigned that job. If you click Yes, the default for the entitlement will be changed for both new and existing users who have that job.

WARNING! When a user is assigned two jobs with the same entitlement, but within one job the entitlement has the default permission setting (for ex., N for no) and within the second job, the permission setting for the same entitlement is set to Y (yes), both jobs will be highlighted in yellow on the Security Administration screen and a 'Entitlement Conflict' message appear on the right side of the screen.  [The changing of the entitlement's default setting can be done only on the Security - Job Maintenance screen, but assigning job to users is done on the Security Administration screen .]

Click the Detail button to see a list of entitlement conflicts for that particular user. The message at the bottom of the Entitlement Conflicts screen states that in all cases the permission setting that takes precedence if you give both jobs to the user is that of the overridde value (in this case, the Y setting). To prevent this conflict, return to the Security - Job Maintenance screen and adjust the settings of the entitlement in both jobs to be the same.

If you click Apply, the yellow highlighting of the jobs in conflict is removed.

  1. Click the Fine Tune tab. All of the tasks for the jobs granted to that user are listed on the left side. This is not the complete list of tasks for all jobs, just those granted to the user.

    As you click on each task, the entitlements for that task are listed on the right side. The Allow column shows the default setting for the entitlement. If an entitlement belongs to more than one task, the same default setting applies to each task.

  2. To remove a task from this user, uncheck the Granted box next to that task.
  3. To remove entitlements as desired for that particular user, change the setting in the Allow column. If is is red, the current permission is NOT the default setting for that entitlement.

Warning! If an entitlement is assigned to more than one of the tasks that the user has, adding or removing that entitlement will affect all of those tasks, but only for that user. For example, if you remove the ACTBLW_02 entitlement from the CHANGE_FEES_ON_RENEW/REISSUE task for a particular user, it will also be removed on the RENEW_OR_REISSUE_A_PERMIT task if that user has that task. It will not be revoked for either of these tasks for other users.

  1. Click Apply. There are separate Apply buttons for tasks and entitlements.
  2. Tasks and entitlements that have been revoked from a user are outlined in red.
  3. To see batch menu items, click the Run Batch Processes task on the left side of the Fine Tune tab. All batch menu items (reports and processes) are controlled through the Batch Menu job and the Run Batch Processes task.
  4. Click the BMIs radio button on the Fine Tune tab. All batch menu items granted to the user will be checked.

Note: All bat6ch menu items are defaulted to N for new users to not be available. Security administrators at each tax office will need to grant permission to each user to use the individual batch menu items that he/she needs to run.

  1. Check or uncheck the individual batch menu items until each user has permission to see only those reports and processes he/she needs to use.
  2. Click Apply on the right side of the Fine Tune tab.
  3. Users must log out and log back in whenever changes are made to jobs, tasks, or entitlements.

Resetting Passwords/Revoking Connect Privileges

  1. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  2. Enter the User Name.
  3. Press Tab.
  4. Click the OK button next to Reset User's Password. The password will be reset to texas1 if the client preference PASSWORD_RESET is set to TEXAS1. The password will be randomly generated if the preference is set to RANDOM. The first time a user logs in (using texas1), he/she will be prompted to change the password. The following rules apply when creating a new password:
  • Passwords cannot be the same as the user name (upper or lower case doesn't make any difference).
  • Passwords must contain at least 1 digit and at least 5 characters.
  • Passwords cannot be too simple. For ex., 'WELCOME', 'DATABASE', 'ACCOUNT', 'USER', 'PASSWORD', 'ORACLE', 'COMPUTER', 'ABCD'  (or any variation of these in upper or lower case) are not allowed.
  • Passwords cannot contain the following characters:  @$/\|<>;
  • Passwords must differ by at least three characters from the previous password.

Notes :  If your tax office requires passwords to expire on a regular basis, the client preference DB_PROFILE must be set by ACT.  This tells the system what the password requirements are for your office, for ex., how many numbers, letters, and special characters.

  1. If an employee no longer works for your tax office, you can prevent him/her from signing on by entering the user name in the User Name field, pressing Tab or Enter, then clicking the Grant or Revoke Connect button.

Viewing Grant History

To see what jobs, tasks, and entitlements have been granted or revoked from a user, see the User's Grant History tab.

  1. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  2. Enter the User Name.
  3. Press Tab.
  4. Click the User's Grant History tab. A list of all of the changes to jobs, tasks, and entitlements for the user will be displayed.
  5. The Grant or Revoke column shows what action was taken for that item. If an item has been revoked a red bar appears to its left.
  6. The Grant Name column lists the name of the job, task, and entitlement.
  7. If the Grant Name is 'ALLOW', the Object column gives the name of the entitlement that is allowed.
  8. If the Grant Name is a job or task, the Object column shows either 'task' or 'job', as appropriate.
  9. The Change Date and Opercode columns show the date of the change and operator ID of the person that made the change.

Creating a spreadsheet of jobs, tasks, and entitlements or a spreadsheet of changes made by user and date

To create a spreadsheet of job(s), task(s), entitlement(s) or batch menu reports/processes for any or all users,

  1. Click the Spreadsheet button on the Security Administration screen.
  2. A new browser window appears that is titled User Security Spreadsheets.
  3. (optional) In the Security Details section of the window, select a User Name from the drop-down list. To see data for all users, leave this set to '-all'.
  4. Select either the Entitlements or BMIs radio button, depending on whether you want to see jobs, tasks, and entitlements, or batch menu reports and processes (BMIs).
  5. (optional) If you chose Entitlements in the step above,
  • (optional)Select a Job from the drop-down list.
  • optional) Select a Task from the drop-down list.
  • (optional) Select an entitlement from the drop-down Entitlement/BMI list.

(optional) If you chose BMIs in the step above,

  • (optional) Select a Job from the drop-down list.
  • (optional) Select a Task from the drop-down list.
  • (optional) Select a batch menu no.  from the drop-down Entitlement/BMIlist.
  1. Leave the Allow field set to Y to see job(s), task(s), and entitlement(s) for which the user(s) has been granted permission. Set to N to see job(s), task(s), and entitlement(s) that the user(s) are not allowed to use.
  2. In the Connect field, choose either Users with and without connect, Only users with connect or Only users without connect, depending on whether you want to view users who do not have permission to login to the ACT system.
  3. Click Produce Spreadsheet.
  4. From the next popup window, either open the file (in Excel as a .csv file) or save it to either a local or network drive.

To create a spreadsheet of changes made by user and date,

  1. (optional) In the Change History section of the screen, select a User Name from the drop-down list. To see data for all users, leave this set to '-all'.
  2. (required) Enter a From Date and a To Date. This creates the date range for which to report changes to user permissions.

Killing Sessions

  1. Users must log out whenever a change has been made to one or more of their jobs, tasks, or entitlements. If this happens during the day and they do not log out upon request, you may need to kill the users' sessions.
  2. The user entitlement KILL_SESSION must be set to Y to terminate sessions.  See the Set Up section above for instructions on how to do this.
  3. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  4. Click the User Sessions button.
  5. The Client's User Sessions screen appears. On the left side are the current statuses:
  • Inactive - logged in but not doing anything.
  • Active - logged in and working.
  • Killed - your session has been terminated.
  • Already dead - your session was already killed, and you tried to terminate it again.
  1. To kill a session, check the box next to the User Name, then click Terminate Session. The status changes to Killed after the session has been terminated.