Banner Access Control (Policy)

Communication

Release Date: 06/30/13
Revision 1: 05/02/23

Table of Contents

Introduction
1. Roles and Responsibilities 
2. New Employee Access
3. Employee Transfers
4. Access Exceptions
5. Employee Separation
6. Definitions
Forms
Support Materials
Reference Materials

Introduction

Central New Mexico Community College (CNM) uses the Banner system as its primary enterprise resource planning (ERP) system. As such, the Banner system is accessed on a regular basis by CNM’s Employees. This administrative directive governs the process for providing access control to the Banner system through the Banner security mechanism. The roles and responsibilities of various positions and departments within the CNM community, with regard to Banner security, are also defined herein.

1. Roles and Responsibilities 

1.1 The Office of Data Strategy (ODS) serves the role of data steward for all CNM data.  The following responsibilities are delegated to the ODS team: 

1.1.1 Convening the Role-Based Access Team (RBAT) and Banner Module Coordinators (BMC).
1.1.2 Ensuring access is given in a timely manner.
1.1.3 Coordinating ERP access using the appropriate team either internally or with the CHESS role-based access team.
1.1.4 Auditing access exceptions on an annual basis.
1.1.5 Auditing usage by security groups to fine-tune access rights.

1.2 The Human Resources (HR) and Business Office departments serve the role of initial entry for new employees, as well as change in job class and/or separation of current employees.  The following responsibilities are delegated to these departments: 

1.2.1 Maintaining automated alert workflows in Banner and processing employee changes.
1.2.2 Initial onboarding of employees.
1.2.3 Requesting creation of Banner accounts through the Information Technology Services Department (ITS).
1.2.4 Informing ITS when an employee transfers to a different job class.
1.2.5 Informing ITS of any employee separations. 

1.3 The Information Technology Services Department serves the role of execution and enforcement of this policy.  The following responsibilities are delegated to ITS:

1.3.1 Creation of Banner accounts.
1.3.2 Administration of Banner security according to the standard permission for a role and exception as directed by the RBAT.
1.3.3 Creating new security groups based on RBAT review.
1.3.4 Securing the appropriate level of Banner accounts for employee separation as directed by the HR Department.
1.3.5 Locking of Banner accounts in the event of account compromise as directed by the ITS Information Security team.

2. New Employee Access

2.1 Access to Banner for new employees is initiated by the supervisor's use of the RBAT request form. 

2.2 The RBAT team reviews the request and, upon approval, forwards the request to ITS.

2.3 The ITS Department creates the Banner account and assigns access as designated by RBAT.

3. Employee Transfers

3.1 Banner access for transferred employees is governed by their job class. Access is initiated through the Human Resources and Business Office departments' automated alert workflows. The request will flow as follows:

3.1.1 A request for the transferred employee to retain prior job class access only if it is absolutely necessary.
3.1.2 The RBAT team reviews the request and, upon approval, forwards the request to the ITS Department.
3.1.3 If prior job class access was requested, it is the responsibility of the RBAT team to decide the time period for which the prior job class access is required and provide this time period to ITS.
3.1.4 The ITS Department assigns Banner access as requested by RBAT.
3.1.5 If prior role access was approved, then the ITS Department will take responsibility for maintaining a reminder to remove the prior role access on the designated date.

4. Access Exceptions

4.1 Additional access to Banner beyond the designated job class must be approved by the RBAT.  The request will flow as follows:

4.1.2 The requesting department will make the request for additional access to RBAT.
4.1.3 RBAT reviews exceptions weekly.
4.1.4 If the access is approved, ITS will make the changes and document as an exception.
4.1.5 The ITS Department assigns Banner access.
4.1.6 The RBAT will notify the requesting department of approval or disapproval.

5. Employee Separation

5.1 When employees leave CNM, it is necessary that their access to all computer systems and networks be terminated.  This process is followed within other processes, so its inclusion herein is for documentation only.  The following workflow will be used when an employee separates from CNM: 

5.1.1 The HR department will notify the ITS department of the separation.
5.1.2 The ITS department will remove all Banner Access and lock the banner account.

6. Definitions 

Role-Based Access Team (RBAT) A team formed to manage which positions (roles) would have access to certain Banner functions and screens. Each operational area HR, Finance & Operations, Financial Aid, student, has a representative who helps decide if someone in a role would be given elevated permission.
Banner Module Coordinators (BAM) Banner Module Coordinators (BAM) represent the role of security stewards for their respective domains such as HR, Finance, Student Records, and Financial Aid.

Forms

Support Materials

  • N/A

Reference Materials

  • IS-1002 Information Technology Use Policy
  • IS-1013 Information Security
  • IS-1014 Data Classification and Handling