Applicability:
This policy applies to data maintained in, or derived from, the
University Data Warehouse as distinct from the Banner2000 transaction processing
system. Both systems operate from an Oracle database, but these two
databases are physically separate entities. Banner2000 has built-in
security features allowing a system administrator to identify which screens
an individual is authorized to execute as part of the transaction processing
environment. In contrast, the Data Warehouse (DW) is a separate database
used for reporting. This policy applies exclusively to the DW environment,
addressing the roles and responsibilities for access and security concerning
this University resource.
Principles:
1. Data in the transaction processing system (Banner2000) is owned
by functional offices charged with specific business responsibilities (student,
financial aid, finance, and human resources). When data are copied
in read-only form to the reporting database and then merged into the Data
Warehouse, they become institutional data. These data are then “owned”
by the University, and the office of University Budget and Institutional
Research (UBIR) is assigned caretaker responsibility for these data.
2. Overall responsibility for administering DW security is assigned
to the office of University Budget and Institutional Research in the position
of the University Data Administrator. MCIS will manage the server,
the Oracle server and instance, the Oracle security environment, and the
securing of views for the Data Warehouse; University Budget and Institutional
Research will grant access to data in the Data Warehouse by granting access
to views.
3. The University shall appoint two persons (a primary person and a backup)
to serve as Security Administration Officers (SAOs). The primary responsibility
of these two officers will be to determine the level of access and assign access
through a simple interface designed by MCIS.
4. Security protection, security auditing, and access to the Data Warehouse
will be provided using the features present within the Oracle RDBMS.
5. This policy applies to:
Practices:
1. Security access will be determined by an assigned “profile” or “profiles.”
These profiles will be designed and recommended by the University Data
Administrator (in UBIR) in conjunction with the Data Warehouse Team and
in cooperation with user departments. MCIS will be responsible for
building and deploying profiles.
2. Any user may have multiple profiles assigned depending on need for
access. Work responsibilities will be the governing factor in assessing
access needs. For example, a profile may be established to serve
the needs of all academic advisors, another for the “departmental budget
master” and another for departmental chairpersons. An Associate Dean
may have all three profiles assigned.
3. A Security Request Form will be developed. University employees
requesting access will complete the form, stating the purpose for their
access, then have it approved by their immediate supervisor, unit/department
head, or designated unit security person within the division, who will
then submit it to the primary SAO for implementation. (It is desirable
to implement this form electronically, rather than on paper, to the extent
it can be done without compromise.) Upon receiving the completed
and approved form, the SAO will determine the appropriate profile(s) to
be assigned and initiate access via a desktop interface.
4. The Security Request Form shall contain a statement that will summarize
the University’s position regarding the use and further dissemination of
data. By signing the request form, persons agree to abide by the
University policy on dissemination of data.
5. The University Personnel Offices will send timely notification to
the SAOs of position transfers, promotions, university resignations, retirements,
and dismissals so that correct profiles can be reassigned and/or access
can be terminated if appropriate. It is desirable for the Banner2000
system to accomplish this notification automatically and electronically
upon action by the Personnel Offices. Termination of access should
be engineered by MCIS to be date sensitive, permitting the SAOs to enter
an effective date in the case of resignations or retirements, as compared
to dismissals when access must be terminated immediately.
6. Student employees may be granted access on the same basis as regular
employees. That is, their student employment must require access
in order to perform the job. Each department head bears ultimate
responsibility for ensuring that student workers have a bona fide “need to know”
and for providing operational security to guard against unauthorized access.
UBIR will maintain and use separate access profiles specifically for student
employees, where necessary.
7. All persons granted access must use their own IDs and passwords
and agree in writing not to share their personal account ID or password
with another person. No one shall log on to the system and then let another
person use their workstation to access the data warehouse.
8. Individuals not in the direct employ of Miami University (alumni,
media, Regents or their staff, legislators or their staff, etc.) will not
be granted direct access to data or information contained in the Data Warehouse.
All such requests for University data or information from outside agencies
or individuals must be routed to UBIR or the appropriate University office
for handling.
9. Persons who fail to comply with this security/access policy may
be subject to appropriate disciplinary action, including termination of
employment.