XV. Internal Policy: Ad Hoc access to BANNER Databases v2.0
I. Purpose:
To establish policies and procedures for granting Ad Hoc access privileges to
the BANNER database.
II. Scope:
These policies affect all users with access to any BANNER database.
III. Introduction:
Metropolitan State College of Denver (MSCD) places a premium value
on the data collected, created by and used by the institution. This data is
vital to the ongoing operation of the College. Everyone associated with the
College has an obligation to protect this vital asset from unauthorized or
inappropriate access, unauthorized or inappropriate use, and unauthorized or
inappropriate alteration or destruction.
The College recognizes and values the privacy of its students and employees.
Everyone associated with the College has an obligation to protect, within
reason, the privacy of students, employees and College associates.
The principle of least privilege states that a user (or program) is not given
access to more data, or given more access privileges, than is necessary to
perform their duties. This requires a good understanding of what data a user
needs to access, and what access privileges (read/insert/update etc…) are
necessary, for them to be able to perform their assigned duties.
The BANNER forms do an adequate job of controlling a user’s access to BANNER
data. However, there are other tools that can be used to access BANNER data.
Tools such as MS Access and SQL*PLUS bypass many of the security features
provided by BANNER forms. The statements listed below define policies to govern
the granting of Ad Hoc access privileges to BANNER data.
IV. Definitions:
Ad Hoc access: Using applications, such as SQL*PLUS or MS Access, that are
capable of dynamically querying data from the BANNER database.
BANNER module owner: The individual responsible for the administrative
oversight of a given BANNER system (i.e., Student, Finance, Financial Aid, etc…)
and ultimately responsible for the data within said system.
Oracle role: A technical security mechanism used to define access privileges
to specific data within the BANNER database.
V. Policy Statements:
- BANNER users, and programs accessing BANNER data, will be given access to
the Oracle Role that most closely matches the data which is necessary for them
to perform their assigned duties. By default, BANNER users will not be given “ad
hoc” query privileges. No BANNER user will be permitted to query all BANNER
data.
- Each BANNER module owner is responsible for determining which database role
a user needing ad hoc access to the data within their BANNER module should be
given.
- Users of the BANNER system and data are responsible for complying with all
College policies regarding privacy, security, and the appropriate use of BANNER
data and other College resources. Managers and supervisors are responsible for
ensuring that their employees comply with said policies and procedures.
- The inserting, deleting or updating of BANNER data will only be performed
using applications developed and installed by SungardSCT or the Division of
Information Technology for that express purpose. Applications developed by 3rd
parties may be certified for such use by either SungardSCT or Information
Technology.
- Applications that were not developed or certified for use by SungardSCT or
the Division of Information Technology are considered to be "ad hoc". Ad hoc
applications will be restricted to read only (select) access. The use of ad hoc
programs must be compliant with these and other applicable policies.
- These policies and ensuing procedures will be applied retroactively. No
BANNER user, application program or system will be exempted from or
“grandfathered” under these policies and ensuing procedures.
VI. Guidelines:
A conservative approach is recommended when assigning BANNER access
privileges. Access privileges should be commensurate with an employee's
training, knowledge, skills, degree of supervision, and their assigned duties.
Supervisors should periodically review their employees’ access privileges to
ensure the access is appropriate for their assigned duties. The Division of
Information Technology and Human Resources should be notified immediately when
any employee leaves employment of the Institution or relocates to another
department.
VII. Remedies for non-compliance:
Failure to comply with these policies may result in one or more of the
following actions: a) suspension of access to the network, b) when appropriate,
disciplinary action in accordance with the Metro State Handbook for Professional
Personnel or State Classified Personnel Rules, c) when appropriate, initiation
of civil or criminal proceedings.
Approved January 30, 2005
