Managing PeopleSoft security is an important component of managing your system. We find that system security is often an afterthought, especially during an implementation or an upgrade. As a result, users can come to perceive security as an obstacle rather than as a positive part of the system.
The security team’s responsibility is to make sure users have the access they need for their day-to-day job tasks and to assign the appropriate levels of security. In your production environment, users should only retain the access they need, as there is no reason to retain access that is not used or needed. Users will often protest when faced with having some levels of security removed from their profiles. We hear, “I do not want to forget about it” or “I might decide to use it someday”—or most popular, “I have always had that.” As a security administrator, how do you go about removing unnecessary access while still maintaining a positive working relationship with the functional teams who are impacted?
When you start talking to a team about removing unneeded access, find a way to present a win-win situation. Convey to your team that you are streamlining and removing unnecessary items that are no longer pertinent to their jobs and/or to your school. For example, removing access to foreign pages if you are a U.S.-only institution is a logical choice. There is no reason to maintain New Zealand pages if you are not in New Zealand.
When users express that they do not want to forget about a particular page, or they might decide to use a feature in the future, convey that they will have access in a non-production environment, as appropriate. This way users can retain a level of access in demo, development, or sandbox databases. A benefit of this approach is that users who are not familiar with the complexity of certain pages or configurations can test their work in the non-production environment, reducing potential risk to the production environment.
When users say, “I have always had that,” and challenge changes to their access, a more authoritative approach may be required. It may help to refer users to your school’s Security Policy and audit requirements. Remind users that the security administrator’s responsibility is to strengthen the security of your school’s PeopleSoft environment and data, which depends in part on users’ access levels. If needed, ask your executive sponsor or backer for support.
Managing security access while maintaining good working relationships with the functional teams is critical. Sometimes compromise, provided it does not present risks, is a good policy in itself.