On the 1st of the month of the review period, an email reminds the system members’ Application Security Officer(s) (ASOs) and Application Role Reviewer(s) (ARRs) to perform this required security review.
Application Role Reviewer Responsibilities
The review consists of using the tools below to verify that the Central Administrative roles are properly assigned for their location(s):
- The “SSO Roles by Application” report for Department-level (Adloc) roles. This report lists a location’s administrative roles for a given application.
- The “Employees with SSO Roles” report. This report can list users for a specified location who are no longer active employees.
- The “Employee Monthly Position Changes” report. This report lists users who have had a position change during the date range specified and can help identify individuals whose position or responsibilities have changed.
- The Guardian User List spreadsheet provided to the Application Role Reviewers by the Workday Services team. This spreadsheet lists users for a location who have an active account in the Guardian I-9 application.
These reports should be reviewed to confirm that only active employees are users of System applications and that their security access level is appropriate.
After completing the review(s), the ARR must record the results of the review in the SSO Role Review application.
Application Security Officer Responsibilities
Once all of the ARRs have completed their reviews, the ASO must verify the role reviews for which he/she is responsible to ensure they are complete.
The department-level role reviews must be completed by the 10th day of the review cycle; therefore, the ASO should ensure that the ARRs are completing their role reviews in a timely manner.
Automatic Reporting
On the 11th day of the review period, the System-wide SSO Department-level Role Verification Report will be sent to the Application Owner and the System Chief Information Security Officer.
Consequences for Missing or Incomplete Reviews
Missing reviews may lead to the loss of administrative role authorizations for the member institution’s ASOs, ARRs, and/or administrative role holders at the institution.
Additional Documentation
For a visual description of the role review process, view the Security Review Process flowchart.