Security Role

The Security Role (SCROLE) page defines the security roles, which are collections of users with the same functional tasks and security requirements. Security roles are defined for groups of users and not individual users. Individual users are given their security rights by being assigned one or more security roles. Examples of possible Security Roles are System Administrator, Procurement Officers, Employment Supervisor, Budget Administrator, and Accounts Payable Manager.

The most important Security Role is the predetermined security role called ANY. This security role is inherited automatically by all users in the system based on the value of the Perform Default Security Role Check field on the Security Configuration page. This provides a mechanism to grant all users access to common resources without any role assignments and little additional setup. Common Page resources are assigned to the ANY role (for example, Page Search and Transaction Catalog). The ANY security role is configured exactly as any other security role with the exception that it is never assigned to a user.

The default inheritance of the ANY Security Role is excluded for the Employee and Manager Business Role Type if an Employee or a Manager user is given exclusive access to a limited (or applicable) set of Advantage pages (for example - submitting Travel Authorization and/or Expenses) via the Application Security Roles page (refer to the “Application Security Roles” topic for more information). The system will also bypass Application authority checks configured on the User Information page in this situation. The user must have access to at least one application in order to login inside the application.

The use of the ANY Security Role is optional and configurable. The ANY Security Role can behave in three possible ways:

Never – The ANY Security Role is neither implicitly added to users nor checked during security authorization.
Before – The ANY Security Role is implicitly added to all users and is checked before any other Security Roles during security authorization.
After – The ANY Security Role is implicitly added to all users and is checked after all other Security Roles during security authorization.

The recommended setting is to use the Before setting so that CGI Advantage recognizes common authority access before checking user authority based on additional security roles assigned to the user.

CGI Advantage has a predetermined security role (ADMN) that can be used to give a user Super-User access with very little setup required. A user with the ADMN security role essentially bypasses all CGI Advantage security checks. This means that such a user is not restricted by any CGI Advantage security settings, regardless of the user's other roles, home organization, and so forth.
CGI Advantage provides the ability to define a security role that can access the User Information (SCUSER) page for other users. This role may be used to change passwords and other sensitive information. The creation of this role is optional and can be defined by setting the entry UserMgmtRoles in the system’s Initialization Parameter file (ADV30Params.ini). The user must also be given update access to the R_SC_USER_INFO and SecurityAdmin.pUserInformation Application Resources. On s belonging to this role can reset passwords. The ID of this role can be modified to any ID that the customer prefers, for example, HELPDESK.

Note: If this role is not defined, updates to the User Information page of other users can be reset only by users belonging to the ADMN role.

A parameter identified as BatchAdminRole in the CGI Advantage initialization parameter file (ADV30Params.ini) is created with a default value of BATCHADM. This allows users assigned to BATCHADM role and other users assigned to this property the privilege to view all content (not just their own user named jobs) on inquiry pages such as “View All Jobs” (BATJOBS) and a list of all Catalog entries on Report Search (RPTSRCH) pages. Clients will be able to provide comma separated list of roles through this property. The customer may also add additional security grants to these security roles via Access Control.
CGI Advantage provides the predetermined security role JOBCTRL to handle specific Job Manager tasks. These tasks include the ability to start the Job Manager itself, to update a particular Job Manager’s settings, to start registering jobs for the specific Job Manager, and to stop registering jobs for the specific Job Manager.

Note: The security permissions related to the JOBCTRL security role are not dependent on the security setup performed via the Access Control (SCRACS) page.

In addition to online interaction, an authorized user of the Job Interaction Client (JIC) utility must be a member of either the JOBCTRL security role or the ADMN security role to perform the same types of Job Manager-related updates via this command-line utility.

There are also certain security restrictions for special security roles. The first is that users who belong to the JOBCTRL or ADMN or the security role identified by the UserMgmtRoles property) cannot reset their own passwords via the Password Reset application. The second is that authorized security administrators who do not belong to the JOBCTRL security role may not assign the JOBCTRL security role to other users unless these administrators are already members of the ADMN security role.

Field	Description
Security Role ID	A unique identification of a security role.
Description	A descriptive field to capture a name, title, or information about a security role.
Override Errors	Indicates the override error level for the security role. This value will be used when Use Role’s Override Level check box is checked on the Access Control record that grants the security role the privilege to override. Assigning an override level at the role level not only reduces the setup involved with setting an Override Error level for each user, but also permits users to apply different values depending on the Security Roles assigned.
Foreign Organization Restriction	This field determines whether the User ID and/or Home Department fields are required on the Foreign Organization (SCFORG) page or whether a value of ALL must be entered. Valid values are: None - If this value is selected, then foreign organizational security for the selected security role is determined by the security role and resource group combination; therefore, a value of ALL must be entered in the User ID and Home Department fields on the Foreign Organization page for records associated with the selected security role. User ID Required - If this value is selected, then foreign organizational security for the selected security role is determined by the security role, resource group, and user ID combination or security role and User ID combination (if Resource Group is ALL). Therefore, a value of ALL is not allowed in the User ID field on the Foreign Organization page for records associated with the selected security role; a valid User ID must be selected. Home Department Required - If this value is selected, then foreign organizational security for the selected security role is determined by the security role, resource group and home department combination or security role and home department combination (if Resource Group is ALL). Therefore, a value of ALL is not allowed in the Home Department field on the Foreign Organization page for records associated with the selected security role; a valid Home Department must be selected. User ID or Home Department Required - If this value is selected, then foreign organizational security for the selected security role is determined by one of the following combinations: security role, resource group and User ID; security role, resource group and home department; security role and User ID ((if Resource Group is ALL); or security role and home department combination (if Resource Group is ALL). Therefore, a value of ALL is not allowed in both the User ID and Home Department fields on the Foreign Organization page for records associated with the selected Security Role. Either a valid User ID must be selected and/or a valid Home Department must be selected.
Integration	An indication that a security role corresponds to an infoAdvantage User Group. When checked an infoAdvantage User Group is created corresponding to the Security Role.