Security Administration

Last Revised: January 2, 2020

The Security Administration screens are accessible only from the Tax Collection System but are used to control security for the Tax Collection System, the Permits module, and TaxLedge.   

The Security Administration screen allows you to create users and to grant and/or revoke jobs, tasks, entitlements, and batch menu reports/processes associated with each user.

The Security Maintenance screen allows authorized tax office employees to create their own jobs by copying existing jobs and then modifying them. As you are creating these new jobs, you can add or remove tasks to create a job that is unique to your tax office. ACT has created a set of default 'template' jobs for you to use as models from which to copy and create your own jobs.

This online help topic covers the following:

Definitions

Job - a defined set of tasks. ACT has created jobs such as cashier, head cashier, and accounting that will hopefully include the activities that these tax office employees have. If the default jobs created by ACT do not fit your tax office's needs, you can create new jobs, either 'from scratch' or by copying a pre-existing job and then modifying it. You cannot change ACT's default jobs.

Task - a 'chore' done by a tax office employee.  For example, the job 'Cashier' includes the tasks 'take a payment' and 'reprint a receipt'. Tasks must be assigned to jobs.  You cannot add or remove tasks from ACT's default jobs.

Entitlement - the specific action(s) taken to fulfill a task. For example, to take a payment, you need access to the deposit control screen and to the payment screen. You also need to open and close a deposit. Each of these activities is an entitlement in ACT's security system. Entitlements cannot be added or removed from a task, but can be turned on and off for each user.

Set Up

The following user entitlements must be set for each user who needs access to the Security Administration and Security Maintenance screens. They are part of the Security Administration task.

Only users having the User Administration job can view or make changes to this screen. See Tasks, Entitlements, and Jobs for more information.

Entitlements:

UPDATE_OWN_SECURITY: This must be checked to allow users to change their own security settings. Uncheck the box to prevent users from changing their own security. This defaults to being unchecked. (Note: If a user has super admin privileges--which can be assigned only by ACT--then that user does not need to have this entitlement checked in order to make changes to security settings. The super admin user must have an e-mail address entered into the security system by ACT. If a tax office does not have a super admin assigned, then the UPDATE_OWN_SECURITY entitlement setting is not considered.)

USER_ADMIN20: This must be checked for each user allowed to see the Security Administration screen.

USER_ADMIN20_UPDATE: This must be checked to make changes to the Security Administration screen, such as modifying the security settings for each employee.

USER_ADMIN_BLW_UPDATE: This must be checked to make changes to the Security Administration settings for Licensing and Permits users. If it is not granted to the user logged in, but that user does have the USER_ADMIN20 entitlement, the screen will have a Read Only message at the top and no changes can be made to security settings for the modules listed as being read-only. This defaults to being unchecked.

USER_ADMIN_TCS_UPDATE: This must be checked to make changes to the Security Administration settings for Tax Collection System users. If it is not granted to the user logged in, but that user does have the USER_ADMIN20 entitlement, the screen will have a Read Only message at the top and no changes can be made to security settings for the modules listed as being read-only. This defaults to being unchecked.

USER_ADMIN_TXL_UPDATE: This must be checked to make changes to the Security Administration settings for TaxLedge users. If it is not granted to the user logged in, but that user does have the USER_ADMIN20 entitlement, the screen will have a Read Only message at the top and no changes can be made to security settings for the modules listed as being read-only. This defaults to being unchecked.

SECURITY_MAINT: This must be checked for each user allowed to see the Security Jobs Maintenance screen.

SECURITY_MAINT_UPDATE: This must be checked to create and/or copy jobs on the Security Jobs Maintenance screen.

KILL_SESSION: Allows users to terminate sessions. By default, this is set to N and must be manually set to Y for those users authorized to terminate sessions. (To do this, go to Security Administration and enter the authorized user's name. Click the Job Assignment tab, then click on the job - the template job is User Administration. Click the Fine Tune task, then click on the task Security Administration. On the right side, the KILL_SESSION entitlement checkbox will be blank. Check that box, then click Apply.)

The following roles are also required to be set up prior to using these screens. Contact ACT for assistance.

ACT_BASE_OBJECTS: This should be granted to all Tax Collection System users. It provides base level access to most database tables in ACT 7.0. However, this access can be removed or reset using user entitlements, which allow or deny access to individual screens and processes. This replaces the ACT_USER and ACT_FOUNDATION roles used in the original security system. This role does not grant access to the so-called guarded tables: owner, taxdtl, apport, valdtl, receivable, rechist, depctl, distribution, and remittance.

GLTAXLEDGE_FOUNDATION: (TaxLedge only, assigned behind the scenes when users are created) This provides the ability to use the functionality available in all of the screens.

LP_FOUNDATION: (Permits only, assigned behind the scenes when users are created) This provides the ability to use the functionality available in all of the screens. Jobs must still be assigned to allow specific actions.

Creating or Copying Jobs, Assigning Tasks, Blocking or Adding Entitlements to Jobs

  1. From the Main Menu, select Administration, then Security Job Maintenance. The Security Job Maintenance screen appears. The jobs that are bolded and have a gray background are ACT's default 'template' jobs. Those with a white background have been created by your tax office.
  2. In the System drop-down list, keep the default of Tax Collection to see TCS jobs. Select Licensing and Permits to see Permits jobs or TaxLedge to see TaxLedge jobs.

All of the available tasks appear on the right side of the Create/Maintain Jobs tab. As you click on each job, the tasks given to that job have a checkmark in the Assigned column on the right side.

  1. To see the entitlements and batch menu reports/processes available for a task, do one of the following:
  1. If none of the pre-existing jobs contains the combination of tasks that works for your tax office, you can create a new job by copying an existing one and then changing the tasks. To begin, highlight the existing job that is closest to the one you need. This is the job whose tasks and entitlements you will be copying to the new one.
  2. In the Copy a Job field at the bottom left of the Jobs and Tasks tab, enter the name of the job you want to copy. ACT recommends that Permits jobs begin with 'LP_' and that TCS jobs do not begin with a specific prefix. If you copy a job that your tax office created, the settings for the new job will be those from the tax office-created job.
  3. In the Job Description field, enter a description of the job that makes sense for your tax office.
  4. Click Apply to save the job name. It will appear in the list of jobs on the left side of the screen. All of the settings for tasks and entitlements that were part of the 'source' job are now assigned to the new job.
  5. Click in the line for the newly created job. The tasks on the right side are those of the pre-existing job that you copied.
  6. You cannot create new tasks, but you can add or remove tasks as desired by checking or unchecking them on the right side of the screen.
  7. If any batch menu processes (BMIs) have been assigned to these tasks, they appear in the bottom part of the screen. By default, these processes are set to N. Check the Override Default box for each item that the user needs to use.
  8. Click Apply to save the tasks.
  9. If you need to make additional changes to the tasks after saving, you can do so, but remember to click Apply again when you are done.
  10. If you want to rename a job that you created, perhaps because it was misspelled, click the name of the job to be renamed, then click the Rename Job button.
  1. To make changes to the entitlements or tasks for specific users, see Assigning Jobs, Tasks and Entitlements to Specific Users below.
  2. Users must log out and log back in whenever changes are made to jobs, tasks, or entitlements.

Adding or Removing Entitlements from a Job

Users who can make changes to the Security Maintenance screen can override the system defaults on entitlements that are attached to user-created jobs by using the tab called View Entitlements/Override Default. These defaults do not change on the ACT template jobs. You can change defaults for entitlements from Y to N or from N to Y. Please note that these changes do not take effect if the user does not have the job for which the entitlement was changed and they may not take effect if the user has that job assigned prior to the default being changed. You can remove the job from the user and add it back if you want it to take effect.

These entitlements are added or removed from a task only for a specific job. They will not be blocked for the same task if that task also is associated with a different job. However, the override default setting takes precedence if the change is made after the user was assigned to that job.  

  1. From the Main Menu, select Administration, then Security - Job Maintenance.
  2. In the left side of the Create/Maintain Jobs tab, click in the line for the user-created job you wish to modify. These jobs have a white background; the ACT template jobs have a gray background.
  3. In the right side of the same tab, click in the line for the task you want to change. The task must be assigned already for the job you selected. The View Entitlements tab is renamed to View Entitlements/Override Default for authorized users only.
  4. If you wish, double-click on the task to see the entitlements and their default settings.
  1. Click the View Entitlements/Override Default tab. The entitlements for that task are listed.
  2. Check the Override Default box to the right of the entitlement you want to add or remove.
  3. A message appears stating that the default has been overridden for future users who are assigned this job and asks if you want to apply the change to existing users having the same job.

If you click No, the default for the entitlement will be changed only for new users assigned that job.

If you click Yes, the default for the entitlement will be changed for both new and existing users who have that job.

A message appears confirming which option you chose. You do not need to click Save or Apply. If you unchecked the Override Default box, the entitlement box turns red, indicating that it has been revoked from this job. If you checked the Override Default box, the pre-existing entitlement has been added back to that task. You cannot add other entitlements in this tab.

Warning! If an entitlement is assigned to more than one of the jobs that the user has, overriding that entitlement will affect all of those jobs, for all users.

  1. Users must log out and log back in whenever changes are made to jobs, tasks, or entitlements.

Deleting a Job

You can delete any job that your tax office has created. To do so, you must first restore any blocked entitlements, then delete the tasks. Only then can you delete the job.

  1. In the Create/Maintain Jobs tab in the Security - Job Maintenance screen, click in the line for the job you want to delete.
  2. On the right side of the screen, uncheck the tasks for that job.
  3. If you have blocked any entitlements, you will receive a warning message.
  4. Click in the line for that task.
  5. Click the Exclude Entitlements from Job tab.
  6. Check the Exclude box to the right of the entitlement.
  7. Click OK to the confirmation message. These entitlements are removed only from this task, not from other tasks to which they may belong.
  8. In the Create/Maintain Jobs tab, click Apply.
  9. Click in the line for the job to delete.
  10. Click the red X in the toolbar.
  11. Click Apply.

Creating Users and Assigning Office Locations

  1. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  2. If the screen is blank, enter the new User Name to add. Do not enter spaces. Instead, enter either a single word or words separated by an underscore.

If a user name, description, etc. are already populated in the screen and you want to create a new user, click in the User Name field. This clears the screen. Enter the new User Name.

Warning! You can use the same user name as a person had in the 'old' role-based security system, but after you save the changes in this screen, that user name will lose the old security roles and entitlements and become a user only in the new security system. All jobs, tasks, and entitlements for v2 security will need to be assigned.

  1. After leaving the User Name field, a confirmation message asking if you want to create a new user appears. Click Yes.
  2. Enter the user's Full Name.
  3. In the User Type field, select Tax Office Employee (or ACT Employee, Linebarger Employee, Other, or Public) from the drop-down list.
  4. In the Primary System field, select Tax Collection, Licensing and Permits, or TaxLedge as appropriate. You cannot have the same User Name for TCS, TaxLedge and Permits.
  5. Enter an Email Address for the user.
  6. Enter a Description of your choice for this user.
  7. Click the Save Changes button. If an error message appears, make sure you have entered something in all of the above fields, then try again.
  8. In the Profile field, click the Star button, select a profile (the default setting is 'Default'), then click OK.
  9. Click the OK button next to Maintain User's Locations. A popup list of locations appears.
  1. Click the Job Assignment tab.
  2. In the Job Assignment tab, all of the available jobs are shown. None of them are checked.
  3. To copy the jobs assigned from another user, enter that user's name in the Copy Jobs and Tasks from User field.
  4. To see the tasks for a particular job, double-click the job name. To see the entitlements for a particular task, double-click the task name. After viewing the tasks, click Close to return to the Job Assignment tab.
  5. Check the Granted column next to the jobs you want to assign to the new user.
  6. Click Apply. The Apply button grays out after the changes have been saved.  You can make additional changes as described below.

Assigning Jobs, Tasks and Entitlements to Specific Users

At this point, you can add or remove jobs from any user and also remove certain tasks or entitlements from those assigned to any user.

Note: You can remove entitlements from jobs as shown above, which will remove the entitlement for any user having that job. Or, you can remove entitlements from a job for a specific user, as shown below.

  1. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  2. Enter the User Name.
  3. Press Tab to fill in the information in the remainder of the screen.
  4. If a tax office has at least one user who has been assigned super admin status by ACT, other users cannot change their own security unless they have been assigned the UPDATE_OWN_SECURITY entitlement (which can be assigned only by the user that has super admin status).

If users do not have this entitlement, a pop-up window will appear on the Security Administration screen at this point, which asks if they want to request permission to change their own security settings. Click Yes to send an e-mail to the super admin(s), who can click on a link and grant the entitlement. The super admin must tell the user that the entitlement has been granted. (Until the request has been granted, this user has read-only access to this screen.) This entitlement lasts for only a single visit to the Security Administration screen, after which the entitlement is revoked from the user.

If the user clicks No on the pop-up window, he/she is granted read-only status on the security screens. If the tax office does not have a super admin user created, then the UPDATE_OWN_SECURITY entitlement is not considered. Also, if the super admin user does not have an e-mail entered in the Security Administration screen, no e-mails will be sent and other users will not be able to update their own security.

  1. Click the Job Assignment tab.
  2. Add or remove any job for that user. Double-click any job to see the tasks for that job.
  3. If the user is assigned the same entitlement in more than one job, a warning message appears stating that the default has been overridden for all future users who are assigned this job and asking if you want to apply the change to existing users having the same job. If you click No, the default for the entitlement will be changed only for new users assigned that job. If you click Yes, the default for the entitlement will be changed for both new and existing users who have that job.

WARNING! When a user is assigned two jobs with the same entitlement, but within one job the entitlement has the default permission setting (for ex., N for no) and within the second job, the permission setting for the same entitlement is set to Y (yes), both jobs will be highlighted in yellow on the Security Administration screen and an 'Entitlement Conflict' message will appear on the right side of the screen. [The changing of the entitlement's default setting can be done only on the Security - Job Maintenance screen, but assigning jobs to users is done on the Security Administration screen.]

Click the Detail button to see a list of entitlement conflicts for that particular user. The message at the bottom of the Entitlement Conflicts screen states that in all cases the permission setting that takes precedence if you give both jobs to the user is that of the override value (in this case, the Y setting). To prevent this conflict, return to the Security - Job Maintenance screen and adjust the settings of the entitlement in both jobs to be the same.

If you click Apply, the yellow highlighting of the jobs in conflict is removed.
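
The conflict and precedence rule described above, applied to a user security spreadsheet export, as an added example that is not part of ACT's documentation or software. The column names, job names, and sample rows are assumptions constructed for illustration; the page does not document the export layout. Where two jobs both carry an override with different values, the page states no rule, so the script reports the effective value as undetermined.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumed, not taken from the real
# export. "overridden" = Y means the job's setting for that entitlement was
# changed from the system default on the Security - Job Maintenance screen.
SAMPLE_CSV = """\
user_name,job,task,entitlement,allow,overridden
JSMITH,OFFICE_CASHIER,RENEW_OR_REISSUE_A_PERMIT,ACTBLW_02,N,N
JSMITH,OFFICE_PERMIT_CLERK,CHANGE_FEES_ON_RENEW/REISSUE,ACTBLW_02,Y,Y
MJONES,OFFICE_CASHIER,RENEW_OR_REISSUE_A_PERMIT,ACTBLW_02,N,N
ADOE,OFFICE_CASHIER,SECURITY_ADMINISTRATION,KILL_SESSION,N,N
ADOE,OFFICE_SUPERVISOR,SECURITY_ADMINISTRATION,KILL_SESSION,N,N
RLEE,OFFICE_JOB_A,EXAMPLE_TASK,ENT_EXAMPLE,Y,Y
RLEE,OFFICE_JOB_B,EXAMPLE_TASK,ENT_EXAMPLE,N,Y
"""


def find_conflicts(csv_text):
    """Find users who hold one entitlement through several jobs whose
    permission settings disagree.

    Returns {(user, entitlement): {"jobs": {job: allow}, "effective": value}}
    where value is 'Y' or 'N' when exactly one override value exists (the
    override takes precedence, as the Entitlement Conflicts screen states)
    and None when the page's rule does not decide the outcome.
    """
    # (user, entitlement) -> {job: (allow, overridden)}
    settings = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["user_name"].strip(), row["entitlement"].strip())
        allow = row["allow"].strip().upper()
        overridden = row["overridden"].strip().upper() == "Y"
        # An entitlement has one setting per job even if several tasks in
        # that job carry it, so keying by job collapses those rows.
        settings[key][row["job"].strip()] = (allow, overridden)

    conflicts = {}
    for key, by_job in settings.items():
        distinct = {allow for allow, _ in by_job.values()}
        if len(by_job) < 2 or len(distinct) < 2:
            continue  # one job only, or all jobs agree: no conflict
        override_values = {allow for allow, ov in by_job.values() if ov}
        effective = override_values.pop() if len(override_values) == 1 else None
        conflicts[key] = {
            "jobs": {job: allow for job, (allow, _) in by_job.items()},
            "effective": effective,
        }
    return conflicts


if __name__ == "__main__":
    for (user, ent), info in sorted(find_conflicts(SAMPLE_CSV).items()):
        shown = info["effective"] or "undetermined"
        print(f"{user} {ent}: {info['jobs']} -> effective {shown}")
```
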

  1. Click the Fine Tune tab. All of the tasks for the jobs granted to that user are listed on the left side. This is not the complete list of tasks for all jobs, just those granted to the user.

As you click on each task, the entitlements for that task are listed on the right side. The Allow column shows the default setting for the entitlement. If an entitlement belongs to more than one task, the same default setting applies to each task.

  1. To remove a task from this user, uncheck the Granted box next to that task.
  2. To remove entitlements as desired for that particular user, change the setting in the Allow column. If it is red, the current permission is NOT the default setting for that entitlement.

Warning! If an entitlement is assigned to more than one of the tasks that the user has, adding or removing that entitlement will affect all of those tasks, but only for that user. For example, if you remove the ACTBLW_02 entitlement from the CHANGE_FEES_ON_RENEW/REISSUE task for a particular user, it will also be removed on the RENEW_OR_REISSUE_A_PERMIT task if that user has that task. It will not be revoked for either of these tasks for other users.

  1. Click Apply. There are separate Apply buttons for tasks and entitlements.
  2. Tasks and entitlements that have been revoked from a user are outlined in red.
  3. To see batch menu items, click the Run Batch Processes task on the left side of the Fine Tune tab. All batch menu items (reports and processes) are controlled through the Batch Menu job and the Run Batch Processes task.
  4. Click the BMIs radio button on the Fine Tune tab. All batch menu items granted to the user will be checked.

Note: All batch menu items default to N (not available) for new users. Security administrators at each tax office will need to grant permission to each user to use the individual batch menu items that he/she needs to run.

  1. Check or uncheck the individual batch menu items until each user has permission to see only those reports and processes he/she needs to use.
  2. Click Apply on the right side of the Fine Tune tab.
  3. Users must log out and log back in whenever changes are made to jobs, tasks, or entitlements.

Resetting Passwords/Revoking Connect Privileges

  1. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  2. Enter the User Name.
  3. Press Tab.
  4. Click the OK button next to Reset User's Password. The password will be reset to texas1 if the client preference PASSWORD_RESET is set to TEXAS1. The password will be randomly generated if the preference is set to RANDOM. The first time a user logs in (using texas1), he/she will be prompted to change the password. The following rules apply when creating a new password:

Notes: If your tax office requires passwords to expire on a regular basis, the client preference DB_PROFILE must be set by ACT. This tells the system what the password requirements are for your office, for ex., how many numbers, letters, and special characters.

  1. If an employee no longer works for your tax office, you can prevent him/her from signing on by entering the user name in the User Name field, pressing Tab or Enter, then clicking the Grant or Revoke Connect button.

Viewing Grant History

To see what jobs, tasks, and entitlements have been granted or revoked from a user, see the User's Grant History tab.

  1. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  2. Enter the User Name.
  3. Press Tab.
  4. Click the User's Grant History tab. A list of all of the changes to jobs, tasks, and entitlements for the user will be displayed.
  5. The Grant or Revoke column shows what action was taken for that item. If an item has been revoked, a red bar appears to its left.
  6. The Grant Name column lists the name of the job, task, and entitlement.
  7. If the Grant Name is 'ALLOW', the Object column gives the name of the entitlement that is allowed.
  8. If the Grant Name is a job or task, the Object column shows either 'task' or 'job', as appropriate.
  9. The Change Date and Opercode columns show the date of the change and operator ID of the person that made the change.

Creating a spreadsheet of jobs, tasks, and entitlements or a spreadsheet of changes made by user and date

To create a spreadsheet of job(s), task(s), entitlement(s) or batch menu reports/processes for any or all users,

  1. Click the Spreadsheet button on either the Security Maintenance or Security Administration screen.
  2. A new browser window appears that is titled User Security Spreadsheets.
  3. (optional) In the Security Details section of the window, select a User Name from the drop-down list. To see data for all users, leave this set to '-all'.
  4. Select either the Entitlements or BMIs radio button, depending on whether you want to see jobs, tasks, and entitlements, or batch menu reports and processes (BMIs).
  5. (optional) If you chose Entitlements in the step above,
  1. (optional) Select a Job from the drop-down list.
  2. (optional) Select a Task from the drop-down list.
  3. (optional) Select an entitlement from the drop-down Entitlement/BMI list.
  1. (optional) If you chose BMIs in the step above,
  1. (optional) Select a Job from the drop-down list.
  2. (optional) Select a Task from the drop-down list.
  3. (optional) Select a batch menu no. from the drop-down Entitlement/BMI list.
  1. Leave the Allow field set to Y to see job(s), task(s), and entitlement(s) for which the user has been granted permission. Set to N to see job(s), task(s), and entitlement(s) that the user is not allowed to use.
  2. In the Connect field, choose either Users with and without connect, Only users with connect or Only users without connect, depending on whether you want to view users who do not have permission to login to the ACT system.
  3. Click Produce Spreadsheet.
  4. From the next popup window, either open the file (in Excel as a .csv file) or save it to either a local or network drive.

To create a spreadsheet of changes made by a user within a specified date range,

  1. (optional) In the Change History section of the screen, select a User Name from the drop-down list. To see data for all users, leave this set to '-all'.
  2. (required) Enter a From Date and a To Date. This creates the date range for which to report changes to user permissions.

Killing Sessions

  1. Users must log out whenever a change has been made to one or more of their jobs, tasks, or entitlements. If this happens during the day and they do not log out upon request, you may need to kill the users' sessions.
  2. The user entitlement KILL_SESSION must be set to Y to terminate sessions.  See the Set Up section above for instructions on how to do this.
  1. From the Main Menu, select Administration, then Security Administration. The User screen appears.
  2. Click the User Sessions button.
  3. The Client's User Sessions screen appears. On the left side are the current statuses:
  1. To kill a session, check the box next to the User Name, then click Terminate Session. The status changes to Killed after the session has been terminated.