Member institutions must regularly review which of their employees have what roles (privileges) in the various SSO applications, and update those roles to reflect departures or transfers. For example, if an employee had roles in File Depot but is no longer employed by a particular institution, then those roles should be removed. Similarly, if that employee is still employed but has moved to a different position that no longer requires access to FileDepot, then those roles should also be removed.
If you are an Application Role Reviewer you have one or both of the following scopes of review, depending on what has been assigned to you.
- Department level: Responsible for one or more Adlocs, with a semi-annual review period (January 1st and July 1st).
- Member level: Responsible for one or more system members, with a more frequent quarterly review period (January, April, July and October 1st).
On the 1st of the month of your quarterly or semi-annually review period, the SSO system will generate a reminder email to the system members’ Application Security Officer(s) and Application Role Reviewer(s) reminding them to perform this required security review. This review should be finished by the 10th of the month. On the 11th day of the review period, the System-wide SSO Member-level Role Verification Report will be sent to the Application Owner and the System Chief Information Security Officer(s).
Consequences for Missing or Incomplete Reviews
Missing reviews may lead to the loss of administrative role authorizations for the member institution’s ASOs, ARRs, and/or administrative role holders at the institution.
Additional Documentation (needs removed or updated)
For a visual description of the role review process, view the Security Review Process flowchart.
Application Role Review Process Details
Following is a suggested procedure for this process:
- Log in to https://sso.tamus.edu.
- Perform a review to ensure that every application within your assigned review domain is accessible to only those employees which still require access by performing the following steps:
- Click on the Cent Admin button in the upper right.
- On the Cent Admin home page, choose the Reports tab
- Generate and review the following four reports:
- Roles by Application (Click here to learn more about this report)
- Employees with SSO Roles (Click here to learn more about this report)
- Employee Monthly Position Changes (Click here to learn more about this report)
(For Departmental reviews, set the time period to 6 months;
For System reviews, set the time period to 3 months)
- If responsible for Guardian I9 reviews, review the Guardian User List spreadsheet as supplied by the Workday Services Team.
- Review the reports to ensure that access is granted to only authorized employees. Remove access as necessary.
- Document that you have performed the review in Step #2 above:
- Navigate to the SSO Role Review application. You should see the Welcome Role Reviewer! greeting.
- As instructed on that page, click Add New Role Review Record
- Fill out the record:
- Review Date: Typically the current date
- Review Type: Select a review type that matches the scope of your review; if you are responsible for particular Adlocs, select Departmental Roles; if responsible for an entire system member, select Member Roles; for those few that have access to all system members, select Global Roles. If you have more than one scope, you will have to repeat this process for each scope.
- In the Applications field, select the one or more applications for which you are responsible and have reviewed.
- In the Workstations field, select the one or more workstations for which you are responsible.
- Comments are optional.
- Select the green Save & close button.
If you are responsible for both Department and Member level reviews, you will have to repeat the above process for each scope of review.
Congratulations! You have finished your SSO Application Role Review. These reviews will remain in the SSO Role Review application and will be subsequently verified by your workstation’s Application Security Officer on or after the 11th of the month.