Changes to the SIS Security Request and Authorization Model
The SIS security model has become dated and is not sustainable as currently configured.
The following have been identified as limitations of the current SIS security model:
- Time and resource intensive - Too much time is devoted to investigating and trying to ascertain user access requirements, resulting in insufficient resources to manage the system properly.
- Not transparent and vulnerable to security risks - The lack of clarity in assessing user security requirements introduces a significant risk that inappropriate access rights are assigned and/or that access rights are not removed when employees change positions or departments.
- Manual and outdated methodology - SIS security access is currently a manual process. Fax requests (Banner SIS authorization forms and others) are based on outdated methodology that must be replaced.
- Model is not sustainable - New systems and new and evolving SIS functionality have been introduced since the original model was designed. The security infrastructure must now change in order to accommodate growth and achieve effective management of user access.
To resolve these issues, Enrolment Services proposes to:
- Develop a business profile model (role-based) for SIS security access assignments. Define meaningful sets of business profiles (roles) that capture all required security access based on the users’ business responsibilities. Enrolment Services will pre-define all the access required for each role based on the existing security classes and functions (e.g. in Banner, Minerva, Imaging, data warehouse, etc.). The Security Designate will no longer have to indicate or select each function that a user requires. They will only have to ensure the user is put in the appropriate role, based on a pre-defined list.
- Automate the request process. Make it paperless. Simplify the access request and security assignment processes through the use of a Web-based request form.
- Document the new methodology. Use online tools to facilitate distribution of knowledge and proper procedures (how to make requests, type of access that will be granted, required training courses, etc.).
If you have questions or concerns, contact us.