UITS provides the campuses with technical and functional support for User Access Certification to key systems. UMass uses the Oracle Access Manager system to periodically certify the access users have to key systems.

Key Features

A person pointing to a bar chart.
Automates access certification and access auditing.
A document with a pencil.
Provides systematic features such as automated notifications and escalation processes as well as reporting for audit compliance.
A trophy with a star.
Reduces human error, improves data accuracy, and provides the University with key audit capabilities

Eligibility

Employees at Amherst, Boston, Chan, Dartmouth, Lowell, and the President's Office.

Key Questions/Responses about Access Certification

UMass is required, annually, to certify/recertify user's access to our key administration and finance applications: PeopleSoft HR, PeopleSoft Finance, BuyWays, and Summit. The Oracle Identity Manager platform has been configured to facilitate this process. You will find common questions and responses below about Access Certification.

Who are certifiers?

By default, the certifier is the employee's direct supervisor. These can also be appropriate delegates as determined by the campus security team.

Who determines the appropriate certifiers?

These are determined by the campus security team and data custodians prior to the certification cycle. 

What determines what's on a certifier's list? 

All employees with access to PeopleSoft HR, PeopleSoft Finance, Summit, and Buyways for whom you are designated as the certifier will appear on your list. 

What if someone is on my list but should not be?

That employee can be reassigned to the appropriate certifier. This can either be done by a member of the campus' security team or by the original certifier themselves. The minimum expectation, prior to reassigning to someone else is that there is a conversation either with your security team or with the employee you are reassigning to and that there is agreement to the transfer of responsibility.

What's labeled as an "application" in the certification tool?

The application is the header level record in the system that represents either a single application (such as BuyWays) or a module of an application (Such as PeopleSoft- Finance). 

What's labeled as an "entitlement" in the certification tool?

The term "Entitlement" in the system represents what we often refer to as a "Role". These are the specific rights the user is entitled to within the application.

What is best practice for the process of certifying/ re-certifying your employees?

The data is point-in-time data, meaning it is not updated once the campaign has been launched.  For this reason, we recommend either approving or revoking access as would be appropriate related to when the campaign was launched.

We are aware that changes such as terminations, transfers and changes in who employees report to can occur between when a campaign is launched and when a certifier certifies.  These can typically be accommodated the data point-in-time perspective described above as well as reassigning as necessary and revoking all for anyone who has off-boarded.

What actions do I need to take to complete my certification task?

Certifiers will choose to either "approve" or "revoke" entitlements. This can be done on either a single entitlement, for an entire application, or for all rights the employee has (in the case of a terminated employee).

The expectation is that one of the actions will be taken on every entitlement. If a certifier is uncertain, they can mark an entitlement as "revoke" and explain that they are not certain in the required comment for "revoke".  This will trigger a follow-up conversation with the data custodian to determine if revoking truly is the correct action to be taken.

Once all access has been marked as either approved or revoked, the system will ask you to sign off on the completion of the certification task. 

What is the result of revoking access?

Indicating that something should be revoked does not automatically take any action.

The security team and data custodians will review the reporting of any rights that have been tagged as "revoke" and will follow up if they need clarification or if there is any concern before taking any additional action that would impact the employees' rights. 

What does the system look like and what does it look like to complete the necessary actions?

You may watch this short demonstration/tutorial to know what the system looks like as well as what it looks like to take the necessary actions.

Campus Access Certification Administrator Support

 

How do I submit revoke requests for systems resulting from this process?

This Access certification revoke request form can be used by any campus to submit revoke requests for any of the systems within the current scope.  Use of this form ensures consistent, readily identifiable and retrievable data for the audit process.  This form will automatically route your request to the appropriate group in UMPO responsible for servicing your request.

Support

  • Amherst: Coming Soon! 
  • Boston: Coming Soon!
  • Chan Medical School: Coming Soon!
  • Dartmouth: Coming Soon!
  • Lowell: Security_Admin@uml.edu
  • President's Office: Innovation@umassp.edu