uAchieve Self-Service Roles and Permissions

Roles

uAchieve Self-Service

♦ New in 4.4 ♦

Actions

Read: Allows a user to view components in uAchieve Self-Service

Update: Allows a user to edit components in uAchieve Self-Service

Create: Allows a user to create components in uAchieve Self-Service

Delete: Allows a user to delete components in uAchieve Self-Service

Functions

uAchieve Self-Service

SS_AREA_AUDIT: Controls permissions for audits for a student's record
SS_AREA_AUDITEXCEPTION: Controls permission for creating exceptions from the audit (new in 4.3.0.4)

Has access to the exception from the audit area (exceptions from the audit button restrictions still apply (e.g., auth codes, missing pseudo)
Does not have access to exception xml form area ("Exceptions" menu option)
Does not have access to "More" button within exceptions from the audit

SS_AREA_BATCHES: Control permissions for batches
SS_AREA_BLACKOUTS: Controls permissions for blackout periods on batch runs
SS_AREA_COMMENTS: Controls permissions for comments
SS_AREA_COURSE: Controls permissions for courses on the student's record
SS_AREA_CROSSWALK: Controls permissions for mapping degree programs from a student information system to uAchieve degree programs
SS_AREA_DPROG: Controls permissions for degree programs on a student record
SS_AREA_EXCEPTION: Controls permissions for exceptions on a student record

Has access to exception xml form area ("Exceptions" menu option)
Has access to "More" button within exceptions from the audit
Does not have access to exceptions from the audit; the user/group MUST have the new SS_AREA_AUDITEXCEPTION app function to access exceptions from the audit

SS_AREA_PLANNEDCOURSE: Controls permissions for planned coursework on a student record
SS_AREA_PROGRAMMATCHER: Controls permissions for the Program Matcher
SS_AREA_RESULTS: Controls permissions for batch results
SS_AREA_STUDENT: Controls permissions for student profile information
SS_AREA_TRANSFERCOURSE: Controls permissions for transfer coursework on a student record
SS_AREA_TRANSFEREVAL: Controls permissions for student transfer evaluations

UPDATE and DELETE permissions for SS_AREA_TRANSFEREVAL will not allow user to export and/or lock transfer coursework

SS_AREA_TA_IREF: Controls permissions for IREFs in transfer articulation
SS_AREA_TA_RULE: Controls permissions for rules in transfer articulation
SS_ENCODING_TA_IREF: Controls who may acces IREFs in transfer articulation
SS_ENCODING_TA_RULE: Controls who may access rules in transfer articulation
SS_MISC_PWCHANGE: Controls permissions for who is allowed to change their password in Self-Service
SS_MISC_STUDENTSEARCH: Controls permissions for how users may use the Search for Students feature in uAchieve Self-Service, including the ability to search students other than their advisees.
- New in 4.5.1 Setting the READ permissions controls which advisses an advisor has search access to. See Self-Service Security Definitions for more information.

New App Functions in 4.4

CS_ADMIN_FUNCTIONAL: Controls user access to all admin functions except the logging area
CS_ADMIN_TECHNICAL: Controls user access to only the logging area–no admin functions
CS_ROLE_ANONYMOUS: Controls user access to the "Access Denied" page. A user with CS_ROLE_ANONYMOUS with READ set to FULL can access the login screen without the "Access Denied" error.
CS_ROLE_STAFF*: Controls user access to the staff menu within the application
CS_ROLE_STUDENT*: Controls user access to the student menu within the application
CS_ROLE_USER*: Controls user entry into the application. Every user MUST have this role and must have CREATE set to FULL

NOTE:
The following functions are considered flags that must be set in order for other permissions to work:

CS_ROLE_STAFF: Must be set to FULL for everything if the role pertains to Staff of any sort
CS_ROLE_STUDENT: Must be set to FULL for everything if the role pertains to a Student of any sort
CS_ROLE_USER: Must have FULL permission across the board for all roles you create

Access

Three types of access in Self-Service include Full, Restricted, and None:

FULL: User has complete access
RESTRICTED: User has access that is restricted by either domain or advisee list

"Restricted" access is the same as "Full" access across all uAchieve web apps except the uAchieve Planner.

NONE: User has no permissions

Control Access

Permission must be set to use each separate function of uAchieve Self-Service.

A simple formula to remember for setting permissions is: Action + Function + Access Type = Permission Setting

For example:

Read + SS_AREA_COURSE + FULL = Users able to view all coursework on a student record
Read + SS_AREA_COURSE + RESTRICTED = Users able to read coursework only for students specified in their Group domain settings (not applicable to Student role)
Read + SS_AREA_COURSE + NONE = Users cannot view coursework at all

NOTE:
Although each function in uAchieve Self-Service has a drop-down option for each action, it is inaccurate to say that you can control Read, Update, Create, and Delete access for each function. This is especially true since the Roles for the main users (Students and Advisors) have such different levels of access.

NOTE:
In general, Students only need to view Self-Service functions, i.e., they will have full Read permissions but little-to-no permissions to Update (or change) their information.

Student Role Settings

Some areas will most likely never need permissions on the part of the Student. For example, permissions are excluded–NONE–for exception processing (SS_AREA_EXCEPTIONS) and running transfer evaluations (SS_AREA_TRANSFEREVAL).

The area that a student will need almost full permissions will be in audits (SS_AREA_AUDIT). Students must be able to read, update, and create audits as this corresponds to viewing audits, running new audits, and rerunning audits. Also, students will need full permission to experiment with "planned" coursework on an audit (SS_AREA_PLANNEDCOURSE), if a school allows, thereby enabling students to add, remove, and edit future coursework to view its effect on a degree program.

For other functions in Student roles settings, each component's permission can be altered based upon how a school chooses to define the roles. Some students may be permitted to plan courses; other students may only be allowed to view audits. In this case, two student roles must be defined in which permissions are set to reflect the different types of access to uAchieve Self-Service.

Advisor Role Settings

A typical Advisor set of Self-Service permissions will show most permissions set to FULL. At times, you may wish to change functionality to RESTRICTED or NONE at all. Since every permission is configurable, you can create multiple Advisor roles in which certain functions are restricted.

If permission is set to RESTRICTED, a specific domain is assigned to the Advisor (e.g., a college or department), or the Advisor is restricted to view only information for their advisees.

TIP:
Remember: All settings are configurable.

Any function listed in the security console can have its permissions changed. You can create any number of roles and assign different permissions to each.

NOTE:
Each user is assigned to a group that contains roles that contain the permissions.

Self-Service Properties

The Properties drop-down menu in Self-Service contains ten options:

For a detailed description of each of the properties, see the Properties page.

Configure Exceptions

Your school may have many exception types defined on the uAchieve Exception Table, but you may wish Advisors to have access to a limited number of types. The setup for which exceptions are accessible can be found in the configuration file documentation. Once you define which exceptions display in Security, you may wish to further define whether users can Create, Read, Update, or Delete individual exception types. This is also configurable from the security console, based upon individual Users or the Groups to which they belong.

To set up this functionality, you will need to be familiar with the exception control codes that are set up within your uAchieve Client:

You will also need to know that, as with defining Roles, there are four permissions you can give

C: Create
R: Read
U: Update
D: Delete

Set Exception Permissions

Exception permissions are set the same way at either the Group or User level on the Properties tab of the Group Management page or User Management page. On the screenshot below, two exceptions have already been set: CS (Course Substitution) and RM (Requirement Modification).

At the bottom of the Group Management page, select Exception Code from the Property field drop-down:

The remaining fields are discussed below:

Field	Description
Value	Format "control code" : "permission" Control code for the exception for which you wish to set a permission Starting letters of the desired permission (create, read, update, or delete) to set For example, if a Group can only read a requirement modification exception, RM:R is entered in Value. If a User may create and read the same exception type, it is entered as RM:CR.
Instidq	All three further limit where the User/Group can access exceptions.
Instid
Instcd
Description	Explains the property setting

Users must have read permissions for any exception to show up on the list screen. If no permissions are defined on the exception code (e.g., the Value of the exception code property has no permissions following the control code), the User will have full permissions for that exception type.

Need More?
For additional information on Self-Service and Security settings, see uAchieve Self-Service Security Definitions.