Access Strings

Feature #30889 - Support for privileged user group permissions in Personnel editor

Summary

This enhancement to Access Strings introduces the ability to identify "privileged" user groups and manage the ability of users to add these groups to a user's profile, including requiring user confirmation of changes.

Previously, any user with Config.LookupEditor.UserGroup RIS Access String permissions could grant a user access to any UserGroup. In response to the ITGC (Information Technology General Controls) and audit review, tighter controls on granting these permissions were recommended.

With this change a new Privileged User Group Flag column has been added to the UserGroup lookup table to identify those groups that will require additional permissions to assign.

If all flags are set to N, the feature will be disabled.

Only users granted full permission to the new Config.LookupEditor.Personnel.GrantPrivilegedUserGroup Access String will be able to select these User Groups when updating a user's profile.

Users without this permission will still see these privileged user groups when making a selection from the User Groups multi type-ahead box on the Account tab, but they will be displayed as disabled list items.

When a user with Full permission does select one of these User Groups, a new Info icon will appear on the right side of the User Groups field. The tool tip for this icon will preview which of the selected User Groups are considered privileged before saving.

When saving, a new confirmation dialog will confirm that the user has gone through the proper channels to authorize the change.

The “Continue Without Privileged” option will remove the listed privileged user groups and proceed to save any non-privileged user groups that were added.

All changes are captured in the audit log.
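
The rules in this summary, modeled as a short Python sketch. This is an added example, not code from the RIS product; the function name, the decision values "confirm" and "continue_without_privileged", the audit tuple layout and the sample groups are assumptions made for illustration.

```python
GRANT = "Config.LookupEditor.Personnel.GrantPrivilegedUserGroup"

def save_user_groups(editor, access, current, requested, flags, decision=None):
    """Return (groups_to_save, audit_entries) for one Personnel profile save.

    access   : the editor's access strings, e.g. {GRANT: "Full"}; missing = "None"
    flags    : UserGroup name -> Privileged User Group Flag ("Y" or "N")
    decision : answer to the confirmation dialog; "confirm" and
               "continue_without_privileged" are names assumed for this sketch
    """
    current, requested = set(current), set(requested)
    added = requested - current
    # With every flag set to N this set is always empty, so the feature is off.
    privileged = {g for g in added if flags.get(g) == "Y"}

    # Only an editor with Full on the new access string may add privileged groups.
    if privileged and access.get(GRANT, "None") != "Full":
        raise PermissionError(f"{editor} lacks Full on {GRANT}: {sorted(privileged)}")

    if privileged:
        if decision == "continue_without_privileged":
            requested -= privileged  # save only the non-privileged additions
        elif decision != "confirm":
            raise ValueError("privileged groups need confirmation before saving")

    # Audit entry layout (assumed): (editor, action, group, is_privileged)
    audit = [(editor, "add", g, flags.get(g) == "Y")
             for g in sorted(requested - current)]
    audit += [(editor, "remove", g, flags.get(g) == "Y")
              for g in sorted(current - requested)]
    return requested, audit

# Constructed sample lookup data, not taken from any real system.
FLAGS = {"Radiologist": "N", "Scheduler": "N", "SysAdmin": "Y"}

if __name__ == "__main__":
    groups, log = save_user_groups(
        "alice", {GRANT: "Full"}, {"Scheduler"},
        {"Scheduler", "Radiologist", "SysAdmin"}, FLAGS,
        decision="continue_without_privileged")
    print(sorted(groups), log)
```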

Configuration Instructions

System Administrators must complete the following actions to enable this feature:

RIS Client

Changes to UserGroup Lookup Table

· Update the new Privileged User Group Flag column to identify groups that require additional permissions to assign.

Changes to RIS AccessString Lookup Table Settings

· Grant Config.LookupEditor.Personnel.GrantPrivilegedUserGroup permissions as necessary.

The following related settings were added or updated:

Setting: Config.LookupEditor.Personnel.GrantPrivilegedUserGroup

Default: Value=[None|Full], Default=[None]

Purpose: Controls the ability to grant privileged user groups to a user profile. Added in v3.2022.4.25 #30889