May 26, 2022  
Policies and Procedures Manual 
    
Policies and Procedures Manual

08:08:13 Information Technology ERP Form Access Management


Revision Responsibility: Assistant Vice President of Information and Educational/CIO
Responsible Executive Officer: Vice President for Business Affairs

Purpose

TBR Guideline G-052, Access Control, requires institutions to ensure information assets are managed securely by industry best practices, complying with legal and regulatory requirements. This defines the authorized users, how they are managed, and the controls in place to satisfy the requirements of TBR Guideline G-052. Authorized users must be compliant with the policies refered to and referenced in the source and reference sections; non-compliance is strictly prohibited. This policy provides guidance on ERP account changes. This policy prevents unauthorized access to the Walters State information asset infrastructure.


Policy

Definitions: For the purposes of this policy all definitions are defined in the Information Technology Definitions Policy All requests for user access changes shall be submitted via the online Application for Computer Accounts form. A TSR ticket is automatically created and forwarded by completing the form.

All requests for changes to a security class are completed on a TSR. To request that an ERP form be added to a security class, a Supervisor must complete a TSR. The Supervisor is advised as to other users who are in that security class. Once the Supervisor approves the security class and users, an approval is sent to the Data Owner. Once the Data Owner approves the ERP form to be added to the security class, access is granted by Server Systems.

Once a title change has occurred for a user, a TSR is to be created. Verification determines if access needs to be altered. Prior Supervisor and current Supervisor are notified of current access. An Application for Computer Accounts form is processed for any changes required.

A Supervisor requests access to a particular ERP form to be given to a user via the Application for Computer Accounts form. Verification determines if the ERP form is in a class by itself. If so, the user is added to the class. If not, IET will evaluate if the ERP form can be added to a class in which the user is the sole user of the class. If neither option is viable the ERP form is added to the user by Server Systems.

When the Server Systems team receives a TSR requesting access removal due to employee separation, the Server Systems team documents the access the user has and then disables and locks the account.

Server Systems removes all security classes and/or ERP forms from the user account and assigns a no access security class. 11/15; 09/17