Maintaining OAKS FIN User Security Roles

It is the responsibility of the CFO or agency FIN Security Designee to review existing security roles, add new or update existing roles, delete old roles, and ensure that users of OAKS FIN have the access they need to do their jobs and no more access than they need.

Reviewing Security Roles for OAKS FIN Users

• https://ohid.ohio.gov/wps/myportal/gov/myohio/ > NavBar > Menu > Reporting Tools > Query > Query Viewer

Prior to accessing the Online Security Request, review the information contained in the Agency FIN Role Handbook available in OAKS FIN using the OH_ROLE_HANDBOOK query.

1. Choose "Query Name" in the Search By dropdown box.
2. Enter "OH_ROLE_HANDBOOK" in the begins with field.
3. Click Search.

4. Select Run to format from Query.

• The list of both central and agency security roles for OAKS FIN displays.

• Each role includes a short and long description by module.

• Agency FIN Security Designees can also view a user's roles in their business unit using the PT_SEC_USER_ROLES query.
• A list of users assigned to a particular role is also available to review using the OH_SEC_ROLE_USERS query.
• BI Standard Reports has a folder called Security. This folder is available to all BI users, and in it users will find the SEC-0001 Security Role Lookup report. This flexible report provides the ability to look up which OAKS roles a specific user has, as well as the ability to look up all users who have a specific role.

Accessing the Online Security Request

The process of maintaining OAKS FIN security roles is done using the Online Security Request form located in the OAKS FIN application.

• All OAKS FIN access for the individual must be created or modified using this online form.

• Access to this form is limited and based on the designee's security role assignment.

• https://ohid.ohio.gov/wps/myportal/gov/myohio/ > Financials > NavBar > Menu> Online Security Request

1. Select an Action radio button to:
   • Review Current Access.
   • View All Previous Requests.
   • Add or Update Access.
   • Delete All Access.
2. Enter the Employee Identification Number (EmplID) or use the look up icon to verify or find the Employee ID.

3. Press Enter on the keyboard.

Review Current Access

No changes can be made in the Review Current Access mode. Select the Add or Update Access radio button on the screen if information currently displayed for the user needs to be modified,

• Employee Information, Ledger Group and Business Unit Access appear at the top of the page.

• A list of all the security Roles a user already has assigned will appear in the center of the page.

• Access Group, Voucher Processor Origin and Purchasing Workflow information (if applicable) appear at the page bottom.

Add or Update Security Access

Employee Information, Ledger Group, and Business Unit Access appear at the top of the page. Below that, all the security roles a user already has assigned will appear at the top of a list and all additional roles available appear at the bottom of that list. Access Group, Voucher Processor Origin and Purchasing Workflow information appear at the page bottom when applicable.

• All OAKS FIN access for the individual must be created or modified using this online form.

1. Return to the top of the page.
2. Select Add or Update Access as the Action.
3. Verify the Employee Information populated is accurate. If there are errors, contact the agency HR department to update.
4. Enter a statement in the Requestor field for record maintenance, and when applicable, add an explanation for the request when Central Approval is required.
5. For Ledger Group, choose one:
   • Actuals – All Agencies
   • Full & Mod Accrual – OBM only
   • Local (CFIS) – JFS only
6. Enter the Primary agency Business Unit code for a new user. Verify the Default Business Unit appears when updating roles.
7. Click the Look up icon to confirm the Default Business Unit code.

• If this is a request for a user with no Default BU assigned prior to this request, a warning message will appear stating the Business Unit Access will be marked as Default BU.

8. Select Specific BUs and click the plus sign (+) if additional Business Units need to be added.

•  
• The Business Unit Access will always display the Default Business Unit and PRT01 (State Printing).
• All Role Names will appear on the page in Group Name alphabetical order along with a short Description.

• When adjusting access for an existing user, current roles are listed first, followed by all other roles available.

• The Role Definition displays when the Role Name link is clicked.

9. Click in the appropriate Add Role or Delete Role box to make adjustments.

• Do nothing to mark current roles that should remain active.
• A box that is grayed out cannot be selected. That would be like trying to delete a role the user does not have or add a role the user already has assigned.

10. Choose an Access Group name to determine the time of day OAKS FIN will be available to the user.
    • FINUSER = 6 am – midnight, Mon-Sat.
    • OBMADMN = 7 days, 24 hours, and rights to keep normal access during year-end processing.
    • TECHADMN = 7 days, 24 hours.
    • Anything other than FINUSER will require central approval.
11. Click the Submit Request button.

• A Warning message displays asking the preparer to review the request.

10. Only the roles added or deleted will appear for review.

12. After review, click either the Finalize Request button to submit, or Modify Request button to make adjustments.

10. Depending on the access requested, a warning may appear stating that the request has to be approved at the central level.  Email notification is sent to the requester once the request has been approved and processed or when it is denied.

• Exceptions to immediate approval and access are:
• • Ledger type – Based on the Ledger Group selected.
  • Access Group – OBMADMN or TECHADMN selected for OAKS Category.
  • Business Unit – If Business Unit is assigned that is not in the users Business Unit Profile.
  • GRF Access – Set to “Yes,” approval must come from the agency security designee (Budget Planning Centers) and Central Agency approvers.

If central approval is not required, the request will be processed and access will be immediately available to the employee. (Some agencies have additional internal requirements.)

View All Previous Requests

Updates made for the user since online security go-live date will appear along with any comments.

1. At the top of the page select View All Previous Requests as the Action.
2. Enter the Employee Identification Number (EmplID).
3. Press Enter on the keyboard.
4. Approval information shows when the request was submitted, if status update has been granted or pending approval, who submitted the request, whether or not Central Approval was required, who approved the request, and when it was approved.
5. Comments from the requester and approver will appear if entered.

4. Click the View All link at the top of the page to review multiple updates (three per page).

Or

Click the forward or backward icon to view updates one at a time.

Delete All Access

All roles currently assigned to a FIN user are marked for deletion when submitted. Once finalized, roles will be deleted immediately and cannot be undone.

1. Select Delete All Access as the Action.
2. Enter the Employee Identification Number (EmplID).
3. Click Enter.

Or

Use the look up icon to find the ID.

4. Optional: Click the Previous Request Comments link to view prior requests for security updates for the user along with any comments.

• The previous comments will display.

5. Click OK to close.
6. View the Prior Request Status of a request that has not been processed and any related comments from the requestor.

• All current security roles are listed and are marked to delete.

• An error message will display when trying to delete all FIN roles if that user has a workflow approval role with no other user assigned to that BU/Origin for approval.

To remove all non-workflow related roles, choose the Add or Update Access mode to delete only select roles. Once the workflow team cleans up the remaining issues the Agency Security Designee can go back into Delete All Access mode to finish removing that user’s remaining access.

Contact the OAKS FIN Helpdesk at OAKS.Helpdesk@oaks.state.oh.us to create a ticket for the PO-RACM Purchasing Team when there are outstanding worklist items and have them appropriately transferred, closed, deleted, etc.

7. Click the Submit Request button at the bottom of the page.
8. A warning message appears asking the submitter to review the request and verify that they truly want the individual to have their access fully revoked.

8. Click the OK button to confirm the request.
9. Click the Finalize Request button to revoke all access for the employee.

Or

Click the Modify Request button to make changes.

10. A message will appear stating the request to delete all FIN access is approved and granted.  

10. Click OK.

Recent OAKS FIN Role Additions

Details on OAKS FIN security roles that were effective September 2015 are shown below. It will help in selecting the appropriate role for a user when they request access to OAKS FIN. The tables below will list any required information when completing the Online Security Request that must be provided by the OAKS FIN Security Designee when requesting the role.