Position Based Desk Assignment

(Revised December 22, 2000)

This document describes the effect of converting our NSM application security from a user based desk assignment to a position based desk assignment, for appointed employees. This transition alleviates the need for Desk Administrators to assign a desk to new employees and remove the desk assignment for terminated employees or employees who change departments within the University. This was not possible when the original desk security was implemented since positions (as defined in the BASIS PSB application) did not exist. This also alleviates the problem of synchronizing the Budgetary Unit defined for a User ID (which will be dropped) with the Budgetary Unit where the employee is actually working (a common problem when employees change jobs within the University).

In addition to appointed employees of the University, there are three other types of users that are granted system access and thus assigned desks: hourly employees, temporary or interim users issued an ID under control of a supervisor, and non-employees. Desk assignment for these continues to be based upon a Desk ID associated with the User ID, with minor changes to the process as noted below.

Background

Natural User IDs are assigned by Computing Services at the request of University departments. These IDs are classified as active, temporary, or inactive. Each ID requires a social security number and Budgetary Unit (which essentially defines the department where the employee works). There can only be one active ID per social security number, but several temporary IDs may be assigned to the same social security number. (Temporary IDs are intended for supervisors who issue those IDs to others on a temporary basis. Use of the ID is the responsibility of the supervisor to whom the ID was issued.)

Any user ID can access applications which provide default access. However, for any privileged access an ID must be associated with a desk that has been granted specific access rights. Desks (a virtual concept for a job or role performed within a department as specifically related to administrative computer systems) are pre-defined by the Budgetary Unit (Departmental) Desk Administrator, and have been granted the necessary application access by an Application Owner (an administrator responsible for an application and the granting of appropriate access to that application). With user based desk assignments, the Desk Administrator is required to assign a desk to a Natural User ID given the restrictions that the desk and the User are associated with the same Budgetary Unit and one for which the Desk Administrator is approved.

Once a month, program NSBUSERU compares the User's budgetary unit with the budgetary unit where the employee is currently working (via appointment in PSB or by having an active wage rate). If the employee has terminated or the BUs do not match, the user's desk assignment is removed. If terminated (the employee is no longer appointed and has no active wage rate) the ID is also cancelled and marked as inactive. If the employee is now working in a different BU, the BU associated with the user is also updated to reflect the new employment location. The above check is based upon using the User's SSN to find the UA Employee ID. Some IDs have been intentionally issued to non-UA employees who are not defined on the Employee file. These IDs are reported each month, but no action is automatically taken regarding their access.

Position Based Assignment Overview

The assignment of a desk to a User ID is replaced with the assignment of a desk to a position, as defined in the PSB system, for appointed employees. The desk administrator is responsible for the assignment of a desk to a position. This assignment is time stamped so that an historical record is maintained of all desk assignments, and so that future changes can be entered in advance. Positions are also associated with a Budgetary Unit, so these assignments are restricted in the same manner user desk assignments were -- the desk administrator must be authorized for the BU associated with the position and that BU must match the BU of the Desk.

Note: The desk administration function may be removed from the departments and centralized within Financial Affairs. This has no affect on the system since this is merely a security definition within the NSM-MS application.

Desk assignments continue to be made directly to User IDs for temporary users, hourly employees, and users whose SSNs are not defined on our Employee file (see U of A Affiliates for additional plans regarding this group).

The following steps are performed by the system at signon based upon the type of user.

Inactive users
Normally, inactive user IDs will not be permitted to signon to the administrative system since the user ID should have been inactivated within the operating system. If a user flagged as inactive does reach Natural, it will not be assigned a desk and will only be permitted default access.
Active users
  1. The user's SSN is used to find the Employee ID. If the SSN is not on the Employee file, the desk ID (if any) associated with the user is assigned.
  2. The Employee ID is used to determine what position the employee is filling (appointed in) on that date.
  3. If appointed, the Desk assigned to the position at that point in time is assigned to the user. If there is an interim assignment, the user is given the choice of which desk to be assigned.
  4. If not appointed, the desk associated with the user is assigned as long as the employee has an active hourly wage rate in the BU of the Desk. Otherwise, no desk is assigned and the user is only permitted default access.
Temporary users
  1. The SSN associated with the temporary user is used to find the Employee ID. If the SSN is not on the Employee file, no desk ID is assigned and only default access is permitted.
  2. The Employee ID is used to determine what position the employee responsible for the temporary ID is filling (appointed in) on that date.
  3. If appointed, the BU of the appointment (position) is checked against the BU associated with the desk designated for the user. It these are the same, that desk is assigned to the user.
  4. If not appointed or the BU of the appointment does not match that of the desk, no desk is assigned and the user is only permitted default access.

Interim Desks

The system allows a user to be assigned a second desk in order for one user to perform two separate job functions. This feature is provided so that one employee can fill in during the absence of another (due to unfilled positions or any other reason). This dual desk assignment is possible for appointed employees by permitting two desks to be assigned to a position, the second desk being designated as an interim assignment. This feature is no longer permitted for temporary IDs, hourly employees, and U of A affiliate users (SSNs not defined on our Employee file).

Historical Record of Desk Assignments

Previously there was no history of past desk assignments that were made for a user. This problem has been resolved by time stamping both the desk assignments associated with positions and assignments associated directly with User IDs. The desk administrator is permitted to make future desk assignment changes, but is prevented from making any modification of past assignments -- either to a User ID or to a Position. The desk assignment is based upon the record effective at the point in time of the user's signon to the system. Online facilities are provided to browse the historical assignments.

Test and Demo Systems

Implementation of position based desk assignments requires special accommodation on the TEST and DEMO systems since the employee, position, and wage rate definitions are not maintained in these environments and yet the same security features are desired (access based upon current employment data). To address this, the production Employee, Position, and Hourly-Wage-Rate files are accessed from TEST and DEMO when managing desk assignment data and making the actual desk assignments. The User and Desk-Assignment files used are, however, for the specific environment -- either Test or Demo. This permits the flexibility needed to set up different user profiles and distinct desk assignments for the TEST and DEMO environments. It also requires that User SSNs be accurate in these environments, since the SSN is the link to the Employee ID required to access positions and wage rates.

U of A Affiliates

There are several situations where access to the University administrative systems is granted to individuals who are not UA employees. These may be auditors, adjunct faculty, ROTC officers paid by the federal government but working full time on campus, and other individuals working in affiliation with the University. Access for these individual is currently provided by issuing them an active or temporary ID with an associated user desk assignment. It is feared that active IDs issued for these purposes are not actively monitored. An alternative approach is being considered that involves the creation of non-paid PSB positions for these affiliates. These non-employees could be placed in and removed from these positions by the responsible departments, and the desk assignment could be performed in the same manner as other appointed employees. Other advantages are envisioned for these affiliate positions, such as inclusion in University Directories, campus mailings, and even budget preparation purposes (Agriculture). No decision has been made, nor the impact analyzed, for the creation of these non-paid affiliate positions. If implemented, system access would be changed to not assign a desk for users whose SSN is not defined on the Employee file.

Conversion

One time conversion programs will be required to be executed at the time these changes are implemented. In TEST, DEMO and PROD the conversion program NSBDC7 will do the following.

  1. Find the position the user is currently filling in Production (if any) and create the identical desk assignment for that position on the new Desk-Assignment file,
  2. If not appointed, see if the individual has an active Hourly Wage Rate in the BU of the current desk assignment and create the identical desk assignment for the user on the new Desk-Assignment file, and
  3. If not in a position and no wage rate in the correct BU, report this user as a condition requiring further investigation,

Once the conversion has proven successful, conversion program NSBDC8 will be executed to reset to null the old User-Desk-ID values on the User file.

Testing Restrictions

Initial testing of these changes must be conducted within an isolated environment since the features of the system being modified are actively used in the TEST environment. Limited unit testing will take place in a private library with final system testing being performed on a weekend to avoid disruption to developers.

Documentation

The Desk Administrator Guide will be updated to reflect the new concepts and NSM-MS operation, and will be converted to HTML. Note that other relevant documentation exists and may need to be updated.

Training

Desk administrators will require special training and support during this transition.

Summary of Changes

The specific system changes required to implement position based desk assignments follow, and are technical by nature.

File modifications

Employee, Position and Hourly-Wage-Rate
Views of these PROD files are required in TEST and DEMO.
Desk-Assignment
This is the new ADABAS file created to contain the time stamped desk assignments, either for a Position or for a User (temporary User ID, hourly employee, or non-UA employee). (The Predict data dictionary report and the summary element list for this file are available.)
Position-Master
The field Position-Desk-ID should be removed from this file.
Position
The field Desk-ID should be removed from this file.
User
The field User-Desk-ID and associated indexes should be removed from this file.

NSM-MS application changes

D
The desk maintenance function will be modified to check the new Desk-Assignment file for the future existence of a Desk ID before permitting a delete. It will also restrict a BU change if future assignments for the desk are associated with some other BU.
DA
This is the new command and online function to display and maintain desk assignments, either postion based or user based. The NSM-MS security by value used to restrict desk administrators to their pre-approved BUs is implemented here in the following manner:

(Open a separate window with an image of the desk assignment screen.)

LDB
This list is changed to check the new Desk-Assignment file in order to report the existence of current or future desk assignments.
LHDA
This is a new function to list historical desk assignments for a position or for a user.

(Open a separate window with an image of the list historical desk assignments screen.)

LPBD
This is a new list modeled after the one by the same name in PSB. It lists the positions allocated to a BU for a date and shows any desk assignment effective on that date. The following image is of the LPBD screen.

(Open a separate window with an image of the list positions for a budgetary unit and date screen.)

LUD
This online list was redesigned in order to access and display individuals assigned to a desk at a point in time, based upon entries in the new Desk-Assignment file. It is really now a list of desk assignments for a desk showing any assoicated user/employee.

(Open a separate window with an image of the list users of a desk screen.)

LUU
This is a new list, List User IDs for a User. It displays employment data for the user and a list of the user IDs assigned to that user's SSN.

(Open a separate window with an image of the List user IDs for a user screen.)

U
The user maintenance function was modified to terminate any future desk assignment if an ID is re-classified as inactive. It was also changed to permit unrestricted change to the BU for a User, since this is no longer used in the desk assignment process and is maintained only for informational purposes. (Monthly the batch program NSBUSERU is executed and will update the user's BU based upon current appointment or hourly wage rate information.)
UBUN
The function has been removed. It was used to update the Budgetary Unit or name of the User, when they were out of sync with the administrative systems. These are incorporated in NSBUSERU and are no longer time critical since the user BU is no longer associated with the desk assignment process. Also note that current information regarding a user's employment is included in DA and LUU.
UD
This function has been replaced by DA.
NSBUSERU
This batch program ran monthly to sync up user names with the Employee file, inactivate users no longer employed, update the BU maintained on the User file, and remove desk assignments for terminated or transfered users. Similar functions are now performed using the new Desk-Assignment file and employment location data based upon Position and Hourly-Wage-Rate. In addition, it checks to ensure the BUs of desks correspond with the Allocated BU of Positions or employment location of Users for all current and future assignments and terminates the desk assignment if these do not match. It also resets the Near-Current-Or-Future-Cd for assignments that have been ineffective for more than 31 days.

PSB application changes

APBU
The act of returning a position to the pool or of assigning a position to a new BU will result in a warning to the operator and the termination of any future desk assignments associated with the position.
POSM
Deleting a position with a future desk assignment results in a warning to the operator and the termination of all future desk assignments.
PBLDBVP
The Desk-ID field was removed from the Position view within this LDA.
Other
All functions that reference Desk-ID on Position or Position-Master must be modified to eliminate reference to this field.

TARGET modifications

TABCCRB2
This report shows all users established as reviewers (multiple assignments for the same desk) for cost centers by BU. It was modified to obtain this information using the new routine NSNRDAD.
CCCR
This screen shows a user assigned to a desk. It has been modified to use the new NSNRDUDN utility for this purpose.
PROX
The proxy function previously did not permit a proxy to be established for a User that is already assigned the same Desk. This check has been removed since this condition causes no problem and this check is only correct for a specific point in time (the condition can be created by other means).

System component changes

NSN#COM
This is a new routine written to consolidate the establishment of system wide user variables associated with a user, one of which is the user's desk assignment. This routine is responsible with making the desk assignment as outlined previously. In addition it sets user field attributes and printer options as defined on the user profile.
NSNDUDID
This routine was called when a user was assigned to multiple desks and had to choose one of those desks to work. This function has been incorporated into NSN#COM, so this subprogram has been deleted.
NSNHDSKU
This is the help routine for desk selection. It reads the USER file by user name and displays the associated Desk ID for selection. It has been modified to determine the desk ID to list for a user by first searching for a position type assignment effective for the user at that time, and if not found to search for a user type assignment.
NSNRDAD
This is a new utility that obtains a variable number of assignments for a Desk, returning assignment type and ID as well as any associated User ID and Name (or BU and Title if a position type assignment for an unfilled position).
NSNRDUDN
This is a utility routine that looks up anyone assigned to a desk and returns their User ID and name. It now looks at the Desk-Assignment file using the current date. This is done by looking for a current Position association. For the first one found, the employee in the position is displayed if the position is filled otherwise position information is displayed (BU and title) and no User ID is returned. If no current position is assigned the desk, the first User associated with the desk is shown. If no user is associated with the desk, the BU and description of the desk is provided.
NSNVULP
To eliminate redundancy and increase efficiency, this routine was changed to now call NSN#COM, and do that only when necessary.
NSNVULP2
This routine unnecessarily reference the User-Desk-ID field which was deleted. This reference was removed. To eliminate redundancy and increase efficiency, this routine was also changed to now call NSN#COM, and do that only when necessary.
UANHRDKP
This is the help routine that returns the Desk IDs for which a user has been established to act as a proxy. It calls NSNRDUDN to get the User ID and name of an individual assigned to the reviewer desk. Previously it blanked out the descriptive value (name) if no user was assigned to that desk. It now retains that description since it might be the BU and title of the position containing that desk assignment.
UANLOGND
This routine provided the name of the desk administrator for a BU when the user signing in does not have a desk assigned. This function is now performed by NSN#COM, so this routine has been deleted.
UAOCCCR
This application independent command retrieves a user assigned to a desk. It has been modified to use NSNRDUDN.
UAOCDCD
This application independent command displays information regarding the user's current desk assignment, and if the user has an interim desk requests the user select which desk he wishes to work. This routine previously called NSNDUDID, but has been changed to call NSN#COM to re-assign the user's desk and offer the selection between an interim or primary desk. The screen was modified to no longer show the number of user's assigned to the same desk since this is now much more difficult to determine.
UAOLOG
This is the program that presents the initial signon screen and processes the request to logon to other applications. For users without a desk it previously called UANLOGND while for users with multiple desks it called UANDUDID. It has been modified to call NSN#COM to eliminate redundancy and increase efficiency.
UAOLUD
This application independent command has been changed to operate like the new NSM-MS LUD command -- really a list desk assignments for a desk but it shows any associated user for the assignment. (Open in a separate window an image of the application independent list users of a desk screen.)
UAOPROX
This routine previously verified that the user was authorized to work the desk for which a proxy was being established. Since the evaluation of this is much more complex that previously, it now merely restricts proxy updates to the desk for which the user is currently working. (Only user's with two desks are affected, requiring them to signin or change desk in order to establish proxies for their other desk.) Also, the restriction that a user could not be a proxy if that user was assigned the same desk was removed (as in the TARGET PROX command).
UAOUPRO
The user profile command was previously used to establish the desired user session settings via terminal control commands at sign on. The logic to execute these settings has been moved into copy code so that it can be executed by NSN#COM at signon as well as by UAOUPRO while the user is making changes. This routine was also changed to effect any saved user changes within the *COM variable used to share select user settings throughout NSM applications.