Position Based Desk Assignment
(Revised December 22, 2000)
This document describes the effect of converting our NSM
application security from a user based desk assignment
to a position based desk assignment, for appointed
employees. This transition alleviates the need for Desk
Administrators to assign a desk to new employees and remove the
desk assignment for terminated employees or employees who change
departments within the University. This was not possible when the
original desk security was implemented since positions (as
defined in the BASIS PSB application) did not exist. This also
alleviates the problem of synchronizing the Budgetary Unit
defined for a User ID (which will be dropped) with the Budgetary
Unit where the employee is actually working (a common problem
when employees change jobs within the University).
In addition to appointed employees of the University, there
are three other types of users that are granted system
access and thus assigned desks: hourly employees, temporary or
interim users issued an ID under control of a supervisor, and
non-employees. Desk assignment for these continues to be based
upon a Desk ID associated with the User ID, with minor changes to
the process as noted below.
Background
Natural User IDs are assigned by Computing Services at the
request of University departments. These IDs are classified as
active, temporary, or inactive. Each ID requires a social
security number and Budgetary Unit (which essentially defines the
department where the employee works). There can only be one
active ID per social security number, but several temporary IDs
may be assigned to the same social security number. (Temporary
IDs are intended for supervisors who issue those IDs to others on
a temporary basis. Use of the ID is the responsibility of the
supervisor to whom the ID was issued.)
Any user ID can access applications which provide
default access. However, for any privileged access an ID
must be associated with a desk that has been granted
specific access rights. Desks (a virtual concept for a job or
role performed within a department as specifically related to
administrative computer systems) are pre-defined by the Budgetary
Unit (Departmental) Desk Administrator, and have been
granted the necessary application access by an Application
Owner (an administrator responsible for an application and
the granting of appropriate access to that application). With
user based desk assignments, the Desk Administrator is required
to assign a desk to a Natural User ID given the restrictions that
the desk and the User are associated with the same Budgetary Unit
and one for which the Desk Administrator is approved.
Once a month, program NSBUSERU compares the User's budgetary
unit with the budgetary unit where the employee is currently
working (via appointment in PSB or by having an active wage
rate). If the employee has terminated or the BUs do not match,
the user's desk assignment is removed. If terminated (the
employee is no longer appointed and has no active wage rate) the
ID is also cancelled and marked as inactive. If the
employee is now working in a different BU, the BU associated with
the user is also updated to reflect the new employment location.
The above check is based upon using the User's SSN to find the UA
Employee ID. Some IDs have been intentionally issued to non-UA
employees who are not defined on the Employee file. These IDs are
reported each month, but no action is automatically taken
regarding their access.
Position Based Assignment Overview
The assignment of a desk to a User ID is replaced with the
assignment of a desk to a position, as defined in the
PSB system, for appointed employees. The desk
administrator is responsible for the assignment of a desk to a
position. This assignment is time stamped so that an historical
record is maintained of all desk assignments, and so that future
changes can be entered in advance. Positions are also associated
with a Budgetary Unit, so these assignments are restricted in the
same manner user desk assignments were -- the desk administrator
must be authorized for the BU associated with the position and
that BU must match the BU of the Desk.
Note: The desk administration function may
be removed from the departments and centralized within Financial
Affairs. This has no effect on the system since this is merely a
security definition within the NSM-MS application.
Desk assignments continue to be made directly to User IDs for
temporary users, hourly employees, and users whose SSNs
are not defined on our Employee file (see U
of A Affiliates for additional plans regarding this
group).
The following steps are performed by
the system at signon based upon the type of user.
- Inactive users
- Normally, inactive user IDs will not be permitted to sign on
to the administrative system since the user ID should have been
inactivated within the operating system. If a user flagged as
inactive does reach Natural, it will not be assigned a desk and
will only be permitted default access.
- Active users
  - The user's SSN is used to find the Employee ID. If the SSN is
  not on the Employee file, the desk ID (if any) associated with
  the user is assigned.
  - The Employee ID is used to determine what position the
  employee is filling (appointed in) on that date.
  - If appointed, the Desk assigned to the position at that point
  in time is assigned to the user. If there is an interim
  assignment, the user is given the choice of which desk to be
  assigned.
  - If not appointed, the desk associated with the
  user is assigned as long as the employee has an
  active hourly wage rate in the BU of the Desk. Otherwise, no desk
  is assigned and the user is only permitted default access.
- Temporary users
  - The SSN associated with the temporary user is used to find
  the Employee ID. If the SSN is not on the Employee file, no desk
  ID is assigned and only default access is permitted.
  - The Employee ID is used to determine what position the
  employee responsible for the temporary ID is filling (appointed
  in) on that date.
  - If appointed, the BU of the appointment (position) is checked
  against the BU associated with the desk designated for the user.
  If these are the same, that desk is assigned to the user.
  - If not appointed or the BU of the appointment does not match
  that of the desk, no desk is assigned and the user is only
  permitted default access.
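The signon steps above, written out as an added Python sketch (not NSM code, which is written in Natural). All table names, field names, IDs and dates are constructed for illustration; the employment tables stand for PSB lookups as of the signon date, and returning no desk when an appointed employee's position has no effective assignment is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data. Table and field names are illustrative, not the NSM
# schema; the employment tables stand for PSB lookups as of the signon date.
EMPLOYEE_BY_SSN = {"111-11-1111": "E1", "222-22-2222": "E2",
                   "333-33-3333": "E3", "444-44-4444": "E4"}
APPOINTMENT = {"E1": ("P100", "0402"), "E3": ("P300", "0510")}  # emp -> (position, BU)
WAGE_RATE_BUS = {"E2": {"0402"}, "E4": {"0615"}}  # emp -> BUs with active wage rate
DESK_BU = {"D-ACCT": "0402", "D-PAY": "0402", "D-LAB": "0510"}

@dataclass(frozen=True)
class Assignment:
    kind: str              # "POSITION" or "USER"
    key: str               # position ID or user ID
    desk: str
    start: date
    end: date = date.max   # inclusive; open-ended by default
    interim: bool = False

ASSIGNMENTS = [
    Assignment("POSITION", "P100", "D-ACCT", date(2000, 1, 1), date(2000, 12, 31)),
    Assignment("POSITION", "P100", "D-PAY", date(2000, 6, 1), date(2000, 6, 30),
               interim=True),
    Assignment("USER", "U2", "D-ACCT", date(2000, 1, 1)),
    Assignment("USER", "U3", "D-LAB", date(2000, 1, 1)),  # wage rate is in another BU
    Assignment("USER", "U9", "D-LAB", date(2000, 1, 1)),  # SSN not on Employee file
    Assignment("USER", "T1", "D-LAB", date(2000, 1, 1)),
    Assignment("USER", "T2", "D-LAB", date(2000, 1, 1)),
]

def desks_on(kind, key, on):
    """Desks effective for a position or user on a date, primary before interim."""
    rows = [a for a in ASSIGNMENTS
            if (a.kind, a.key) == (kind, key) and a.start <= on <= a.end]
    return [a.desk for a in sorted(rows, key=lambda a: a.interim)]

def resolve_desk(user_id, status, ssn, on, choose=lambda desks: desks[0]):
    """Return the desk ID for this signon, or None for default access only."""
    if status == "INACTIVE":
        return None
    user_desk = next(iter(desks_on("USER", user_id, on)), None)
    emp = EMPLOYEE_BY_SSN.get(ssn)
    appt = APPOINTMENT.get(emp)
    if status == "TEMPORARY":
        # Honoured only while the responsible employee is appointed in the desk's BU.
        if appt and user_desk and DESK_BU[user_desk] == appt[1]:
            return user_desk
        return None
    if emp is None:                  # active ID whose SSN is not on the Employee file
        return user_desk
    if appt:                         # appointed: the position decides, not the user ID
        desks = desks_on("POSITION", appt[0], on)
        if len(desks) > 1:
            return choose(desks)     # interim assignment present: the user picks
        return desks[0] if desks else None   # assumption: no assignment, no desk
    # Not appointed: the user desk counts only with a wage rate in the desk's BU.
    if user_desk and DESK_BU[user_desk] in WAGE_RATE_BUS.get(emp, set()):
        return user_desk
    return None
```

Because the desk is looked up for the signon date, an assignment that has ended or an appointment that has moved to another BU drops the user to default access at the next signon, with no action by a desk administrator.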
Interim Desks
The system allows a user to be assigned a second desk in order
for one user to perform two separate job functions. This feature
is provided so that one employee can fill in during the absence
of another (due to unfilled positions or any other reason). This
dual desk assignment is possible for appointed employees by
permitting two desks to be assigned to a position, the second
desk being designated as an interim assignment. This feature is
no longer permitted for temporary IDs, hourly employees, and U of
A affiliate users (SSNs not defined on our Employee file).
Historical Record of Desk Assignments
Previously there was no history of past desk assignments that
were made for a user. This problem has been resolved by time
stamping both the desk assignments associated with positions and
assignments associated directly with User IDs. The desk
administrator is permitted to make future desk assignment
changes, but is prevented from making any modification of past
assignments -- either to a User ID or to a Position. The desk
assignment is based upon the record effective at the point in
time of the user's signon to the system. Online facilities are
provided to browse the historical assignments.
Test and Demo Systems
Implementation of position based desk assignments requires
special accommodation on the TEST and DEMO systems since the
employee, position, and wage rate definitions are not maintained
in these environments and yet the same security features are
desired (access based upon current employment data). To address
this, the production Employee,
Position, and Hourly-Wage-Rate
files are accessed from TEST and DEMO when managing desk
assignment data and making the actual desk assignments. The
User and Desk-Assignment files
used are, however, for the specific environment -- either Test or
Demo. This permits the flexibility needed to set up different
user profiles and distinct desk assignments for the TEST and DEMO
environments. It also requires that User SSNs be accurate in
these environments, since the SSN is the link to the Employee ID
required to access positions and wage rates.
U of A Affiliates
There are several situations where access to the University
administrative systems is granted to individuals who are not UA
employees. These may be auditors, adjunct faculty, ROTC officers
paid by the federal government but working full time on campus,
and other individuals working in affiliation with the University.
Access for these individuals is currently provided by issuing them
an active or temporary ID with an associated user desk
assignment. It is feared that active IDs issued for these
purposes are not actively monitored. An alternative approach is
being considered that involves the creation of non-paid PSB
positions for these affiliates. These non-employees could be
placed in and removed from these positions by the responsible
departments, and the desk assignment could be performed in the
same manner as other appointed employees. Other advantages are
envisioned for these affiliate positions, such as inclusion in
University Directories, campus mailings, and even budget
preparation purposes (Agriculture). No decision has been made,
nor the impact analyzed, for the creation of these non-paid
affiliate positions. If implemented, system access would be
changed to not assign a desk for users whose SSN is not defined
on the Employee file.
Conversion
One time conversion programs will be required to be executed
at the time these changes are implemented. In TEST, DEMO and PROD
the conversion program NSBDC7 will do the following.
- Look at all active users' desk assignments:
  - Find the position the user is currently filling in Production
  (if any) and create the identical desk assignment for that
  position on the new Desk-Assignment file,
  - If not appointed, see if the individual has an active Hourly
  Wage Rate in the BU of the current desk assignment and create the
  identical desk assignment for the user on the new Desk-Assignment
  file, and
  - If not in a position and no wage rate in the correct BU,
  report this user as a condition requiring further
  investigation,
- Look at all temporary users' desk assignments and create
identical entries on the new Desk-Assignment file.
Once the conversion has proven successful, conversion program
NSBDC8 will be executed to reset to null the old User-Desk-ID
values on the User file.
Testing Restrictions
Initial testing of these changes must be conducted within an
isolated environment since the features of the system being
modified are actively used in the TEST environment. Limited unit
testing will take place in a private library with final system
testing being performed on a weekend to avoid disruption to
developers.
Documentation
The Desk Administrator Guide will be updated to reflect the
new concepts and NSM-MS operation, and will be converted to HTML.
Note that other relevant documentation exists and may need to be
updated.
Training
Desk administrators will require special training and support
during this transition.
Summary of Changes
The specific system changes required to implement position
based desk assignments follow, and are technical in nature.
File modifications
- Employee, Position and Hourly-Wage-Rate
- Views of these PROD files are required in TEST and DEMO.
- Desk-Assignment
- This is the new ADABAS file created to contain the time
stamped desk assignments, either for a Position or for a User
(temporary User ID, hourly employee, or non-UA employee). (The Predict data dictionary report
and the summary element list
for this file are available.)
- Position-Master
- The field Position-Desk-ID should be removed from
this file.
- Position
- The field Desk-ID should be removed from this
file.
- User
- The field User-Desk-ID
and associated indexes should be
removed from this file.
NSM-MS application changes
- D
- The desk maintenance function will be modified to check the
new Desk-Assignment file for the future existence of a Desk ID
before permitting a delete. It will also restrict a BU change if
future assignments for the desk are associated with some other
BU.
- DA
- This is the new command and online function to display and
maintain desk assignments, either position based or user based.
The NSM-MS security by value used to restrict desk administrators
to their pre-approved BUs is implemented here in the following
manner:
- If it is a position type assignment or temp user, the desk
administrator must be authorized for the allocated BU of the
position,
- If it is a user type assignment for an active user that is an
employee, the desk administrator must be authorized for a BU
where the employee has an active hourly wage rate, or
- If it is a user type assignment for an active user that is
not an employee, the desk administrator must have unrestricted BU
access.
- LDB
- This list is changed to check the new Desk-Assignment file in
order to report the existence of current or future desk
assignments.
- LHDA
- This is a new function to list historical desk assignments
for a position or for a user.
- LPBD
- This is a new list modeled after the one by the same name in
PSB. It lists the positions allocated to a BU for a date and
shows any desk assignment effective on that date.
- LUD
- This online list was redesigned in order to access and
display individuals assigned to a desk at a point in time, based
upon entries in the new Desk-Assignment file. It is really now a
list of desk assignments for a desk showing any associated
user/employee.
- LUU
- This is a new list, List User IDs for a User. It displays
employment data for the user and a list of the user IDs assigned
to that user's SSN.
- U
- The user maintenance function was modified to terminate any
future desk assignment if an ID is re-classified as inactive.
It was also changed to permit unrestricted change to the BU for a User,
since this is no longer used in the desk assignment process and is
maintained only for informational purposes.
(Monthly the batch program NSBUSERU is executed and will update the
user's BU based upon current appointment or hourly wage rate information.)
- UBUN
- The function has been removed. It was used to update the
Budgetary Unit or name of the User, when they were out of sync
with the administrative systems. These are incorporated in NSBUSERU and
are no longer time critical since the user BU is no longer associated
with the desk assignment process. Also note that current
information regarding a user's employment is included in DA and
LUU.
- UD
- This function has been replaced by DA.
- NSBUSERU
- This batch program ran monthly to sync up user names with
the Employee file, inactivate users no longer employed,
update the BU maintained on the User file, and
remove desk assignments for terminated or transferred users.
Similar functions are now performed using the new Desk-Assignment
file and employment location data based upon Position and
Hourly-Wage-Rate. In
addition, it checks to ensure the BUs of desks correspond with
the Allocated BU of Positions or employment location of Users for
all current and future assignments and terminates the desk assignment if these
do not match. It also resets the
Near-Current-Or-Future-Cd for assignments that have been
ineffective for more than 31 days.
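The BU restrictions listed under DA, together with the earlier rule that past assignments cannot be modified, as an added Python sketch (not the NSM-MS implementation). All names and data are constructed; it assumes an effective date of today or later counts as a permitted change, that a temporary ID is checked against the position held by the employee responsible for it, and that `None` stands for unrestricted BU access.

```python
from datetime import date

# Constructed sample data. Names are illustrative, not the NSM-MS schema.
POSITION_BU = {"P100": "0402", "P300": "0510"}    # allocated BU per position
DESK_BU = {"D-ACCT": "0402", "D-LAB": "0510"}
EMPLOYEE_BY_SSN = {"111-11-1111": "E1", "222-22-2222": "E2"}
APPOINTED_IN = {"E1": "P100"}                     # employee -> position held
WAGE_RATE_BUS = {"E2": {"0402", "0615"}}          # employee -> BUs with active wage rate
USERS = {                                         # user ID -> (status, SSN)
    "T1": ("TEMPORARY", "111-11-1111"),
    "U2": ("ACTIVE", "222-22-2222"),
    "U9": ("ACTIVE", "999-99-9999"),              # SSN not on the Employee file
}
UNRESTRICTED = None                               # admin_bus value meaning "every BU"

def covers(admin_bus, bu):
    """True if the administrator's approved BUs include this BU."""
    return admin_bus is UNRESTRICTED or bu in admin_bus

def check_position(admin_bus, position, desk):
    """Position rule: admin approved for the position's BU, and desk BU matches it."""
    bu = POSITION_BU[position]
    if not covers(admin_bus, bu):
        return False, "administrator not authorized for position BU " + bu
    if DESK_BU[desk] != bu:
        return False, "desk BU does not match position BU"
    return True, "ok"

def may_assign(admin_bus, kind, key, desk, start, today):
    """Decide whether a desk administrator may enter this assignment."""
    if start < today:
        return False, "past assignments cannot be modified"
    if kind == "POSITION":
        return check_position(admin_bus, key, desk)
    status, ssn = USERS[key]
    emp = EMPLOYEE_BY_SSN.get(ssn)
    if status == "TEMPORARY":
        position = APPOINTED_IN.get(emp)          # assumption: responsible employee's position
        if position is None:
            return False, "responsible employee holds no position"
        return check_position(admin_bus, position, desk)
    if emp is None:                               # active user who is not an employee
        if admin_bus is UNRESTRICTED:
            return True, "ok"
        return False, "non-employee user requires unrestricted BU access"
    if any(covers(admin_bus, bu) for bu in WAGE_RATE_BUS.get(emp, ())):
        return True, "ok"
    return False, "no active wage rate in an authorized BU"
```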
PSB application changes
- APBU
- The act of returning a position to the pool or of assigning a
position to a new BU will result in a warning to the operator and
the termination of any future desk assignments associated with
the position.
- POSM
- Deleting a position with a future desk assignment results in
a warning to the operator and the termination of all future desk
assignments.
- PBLDBVP
- The Desk-ID field was removed from the Position view within
this LDA.
- Other
- All functions that reference Desk-ID on Position or
Position-Master must be modified to eliminate reference to this
field.
TARGET modifications
- TABCCRB2
- This report shows all users established as reviewers
(multiple assignments for the same desk) for cost centers by BU.
It was modified to obtain this information using the new routine
NSNRDAD.
- CCCR
- This screen shows a user assigned to a desk. It has been
modified to use the new NSNRDUDN utility for this purpose.
- PROX
- The proxy function previously did not permit a proxy to be
established for a User that is already assigned the same Desk.
This check has been removed since this condition causes no
problem and this check is only correct for a specific point in
time (the condition can be created by other means).
System component changes
- NSN#COM
- This is a new routine written to consolidate the
establishment of system wide user variables associated with a
user, one of which is the user's desk assignment. This routine is
responsible for making the desk assignment as outlined previously. In addition it sets user field
attributes and printer options as defined on the user
profile.
- NSNDUDID
- This routine was called when a user was assigned to multiple
desks and had to choose one of those desks to work. This
function has been incorporated into NSN#COM, so this subprogram
has been deleted.
- NSNHDSKU
- This is the help routine for desk selection. It reads the
USER file by user name and displays the associated Desk ID for
selection. It has been modified to determine the desk ID to list
for a user by first searching for a position type assignment
effective for the user at that time, and if not found to search
for a user type assignment.
- NSNRDAD
- This is a new utility that obtains a variable number of
assignments for a Desk, returning assignment type and ID as well
as any associated User ID and Name (or BU and Title if a position
type assignment for an unfilled position).
- NSNRDUDN
- This is a utility routine that looks up anyone assigned to a
desk and returns their User ID and name. It now looks at the
Desk-Assignment file using the current date. This is done by
looking for a current Position association. For the first one
found, the employee in the position is displayed if the position
is filled otherwise position information is displayed (BU and
title) and no User ID is returned. If no current position is
assigned the desk, the first User associated with the desk is
shown. If no user is associated with the desk, the BU and
description of the desk is provided.
- NSNVULP
- To eliminate redundancy and increase efficiency, this routine
was changed to now call NSN#COM, and do that only when
necessary.
- NSNVULP2
- This routine unnecessarily referenced the User-Desk-ID field
which was deleted. This reference was removed. To eliminate
redundancy and increase efficiency, this routine was also changed
to now call NSN#COM, and do that only when necessary.
- UANHRDKP
- This is the help routine that returns the Desk IDs for which
a user has been established to act as a proxy. It calls NSNRDUDN
to get the User ID and name of an individual assigned to the
reviewer desk. Previously it blanked out the descriptive value
(name) if no user was assigned to that desk. It now retains that
description since it might be the BU and title of the position
containing that desk assignment.
- UANLOGND
- This routine provided the name of the desk administrator for
a BU when the user signing in does not have a desk assigned. This
function is now performed by NSN#COM, so this routine has been
deleted.
- UAOCCCR
- This application independent command retrieves a user
assigned to a desk. It has been modified to use NSNRDUDN.
- UAOCDCD
- This application independent command displays information
regarding the user's current desk assignment, and if the user has
an interim desk requests the user select which desk he wishes to
work. This routine previously called NSNDUDID, but has been
changed to call NSN#COM to re-assign the user's desk and offer
the selection between an interim or primary desk. The screen was
modified to no longer show the number of users assigned to the
same desk since this is now much more difficult to
determine.
- UAOLOG
- This is the program that presents the initial signon screen
and processes the request to logon to other applications. For
users without a desk it previously called UANLOGND while for
users with multiple desks it called UANDUDID. It has been
modified to call NSN#COM to eliminate redundancy and increase
efficiency.
- UAOLUD
- This application independent command has been changed to
operate like the new NSM-MS LUD command -- really a list desk
assignments for a desk but it shows any associated user for the
assignment.
- UAOPROX
- This routine previously verified that the user was authorized
to work the desk for which a proxy was being established. Since
the evaluation of this is much more complex than previously, it
now merely restricts proxy updates to the desk for which the user
is currently working. (Only users with two desks are affected,
requiring them to signin or change desk in order to establish
proxies for their other desk.) Also, the restriction that a user
could not be a proxy if that user was assigned the same desk was
removed (as in the TARGET PROX command).
- UAOUPRO
- The user profile command was previously used to establish the
desired user session settings via terminal control commands at
sign on. The logic to execute these settings has been moved into
copy code so that it can be executed by NSN#COM at signon as well
as by UAOUPRO while the user is making changes. This routine was
also changed to effect any saved user changes within the *COM
variable used to share select user settings throughout NSM
applications.