Overview: Data Center Alias IDs
In order for us to assist our clients with day-to-day CU*BASE support issues and perform various daily and monthly processing tasks on their behalf, special employee IDs have been set up in all credit union libraries and are used by all data center employees.
Individual data center employee IDs have some obvious benefits:
• When someone leaves the data center’s employ, it is not necessary to change a password manually on every credit union library; that individual employee’s ID is simply locked or archived.
• Any activity performed by a data center employee on credit union files is logged using that individual person’s ID, not a generic one used by others.
As always, file maintenance or member transactions are performed only upon written request by an authorized credit union employee. Refer to the separate CU*BASE Client Support Security Policy for details.
The “Alias” Solution
This system gives each online credit union complete control over what data center staff is allowed to do on their files, without adding additional maintenance chores for the CU or for the data center, and without using up more credit union employee ID numbers. This is accomplished by the use of a central, single file that stores IDs for data center employees, and the use of “alias” IDs on credit union Employee Security master files (such as the existing ID 89, or 93 for call center employees, etc., as outlined below).
The alias ID controls what tools can be accessed by any data center employee that is tied to that alias. So if employee 89 can do something, any data center employee ID that uses 89 as an alias can do it, too. If 89 is restricted, so are the corresponding data center employees. So all the CU security officer is responsible for is controlling the credit union’s settings for 89.
Data Center Staff ID Rules
• Data center staff IDs will be stored in one central location (file name DCEMPSEC in library CUBASEFILE) and used by all online credit union libraries, so if a password needs to be changed or an employee added/deleted, it only has to be done once from any CU. This also means that if an employee leaves, the ID simply needs to be locked or archived; it is not necessary to access all individual credit union libraries and change the alias password. (The ID is locked or archived rather than deleted so that any previous activity by that employee would still be able to tie out to that employee’s name.)
• Adding data center IDs, changing alias assignments, and assigning tools to data center employee IDs requires a data center employee ID that has access to Tool #5606 DC Employee Security Maintenance. (Data center employees can adjust data center employee ID settings and passwords, but the CU is still responsible for the alias ID.)
• Resetting data center employee ID passwords requires a data center employee ID that has access to either Tool #5606 DC Employee Security Maintenance or Tool #5610 Reset Data Center Employee Password. Online credit union security officers will NOT be able to reset a data center employee ID password.
• Data center employee IDs will use separate expiration settings (regardless of the CU’s normal settings):
- Staff ID passwords will require a minimum of 4 characters (alphanumeric)
- Password expires every 30 days
- One warning each day for 7 days prior to expiration
- Can’t use the same password used the last 13 times
- The ID and password cannot be the same (this is also true for credit union Employee IDs); if they match, the system will treat it like an expired password
• When an Employee ID password expires (or if the password is reset), the employee security window will note “password has expired.” Tool #40 Change Employee ID Password will be available to both CU and data center employees to change an expired password. As always, an employee must know his or her password in order to change it.
• Each data center employee ID will be tied to an alias Employee ID on the credit union’s employee security master. The alias Employee ID controls what tools can be used by data center staff. For example:
• Employee IDs used as aliases will be disabled in the Employee Security window (where an ID and password is entered) so that an individual staff ID must be entered to use any CU*BASE program. The same restriction will apply to miscellaneous programs such as Inquiry, Phone, Teller, etc., that do not use the Employee Security window.
• This system allows us to set up alias IDs with different degrees of access (such as an employee ID without access to OPER or other sensitive tools). To start, data center IDs will use the following aliases for all online credit unions:
- 89 Client Services and other client support staff
- 90 Operations (replaces OP)
- 91 Systems
- 92 Programming and Quality Control
- 93 Xtension Call Center
- 9x Various, used by Xtend, Lender*VP, etc.
NOTE: Alias IDs (89, 90, 91, 93, etc.) still must be set up in each individual CU’s employee security master. Currently we reserve employee IDs 89-99 for data center use, including 9x where x equals a character A-Z.
• Any password assigned to an alias ID on the CU’s employee security master will be ignored and not used. For example, CSR access cannot be controlled by simply changing the 89 password.
• The credit union is responsible for maintaining the alias; the data center is responsible for maintaining data center staff IDs.
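The separate expiration settings listed above for data center employee IDs, worked through as an added example (not CU*BASE code). The function names, the exact-match comparison of ID and password, the day-30 boundary and the plain-string history are assumptions made for the sketch.

```python
from datetime import date

MIN_LENGTH = 4        # minimum of 4 characters
MAX_AGE_DAYS = 30     # password expires every 30 days
WARNING_DAYS = 7      # one warning each day for 7 days before expiration
HISTORY_DEPTH = 13    # the last 13 passwords cannot be reused


def check_new_password(staff_id, candidate, previous):
    """Return the rule violations for a proposed password.

    `previous` is the ID's password history, newest last. Plain strings keep
    the sketch short (assumption); a real store would hold salted hashes.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate == staff_id:                  # exact match is an assumption
        problems.append("same as ID")
    if candidate in previous[-HISTORY_DEPTH:]:
        problems.append("reused")
    return problems


def password_status(staff_id, password, last_changed, today):
    """Classify the current password as 'expired', 'warning' or 'ok'."""
    if password == staff_id:
        return "expired"      # matching ID and password is treated as expired
    days_left = MAX_AGE_DAYS - (today - last_changed).days
    if days_left <= 0:        # expiring on day 30 itself is an assumption
        return "expired"
    if days_left <= WARNING_DAYS:
        return "warning"
    return "ok"


if __name__ == "__main__":
    changed = date(2024, 1, 1)                 # constructed sample date
    for day in (10, 24, 31):
        print(day, password_status("&A", "x9k2", changed, date(2024, 1, day)))
    print(check_new_password("&A", "&A", []))
```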
When Data Center Staff IDs are Used vs. the Alias
When a CU*BASE screen requires an employee ID to be recorded, such as a loan interviewer ID, etc., CU*BASE will require a credit union employee ID to be entered. In these cases the alias ID would be used instead of the data center employee ID.
Whenever a program writes out an employee ID to a file behind the scenes (such as if a transaction is being posted, or when the system records a “last maintained by” ID, etc.), CU*BASE will use the actual ID being used, not the alias.
If it is necessary for a data center employee to access Teller Posting screens (typically for testing purposes only), the program will be accessed using the data center staff ID, but the system will use the alias teller drawer number (for example, if staff ID “&A” was alias 89, &A would be used to access Teller Drawer Control and Teller Posting, but employee ID 89 would be activated as the drawer). Again, this applies primarily to test libraries and other testing situations.
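A small model of the alias scheme described on this page, added as an example (not CU*BASE code): the credit union's alias settings decide what may run, while activity is logged under the individual staff ID. The class and function names, staff ID "&B" and tool number 9001 are constructed for illustration; "&A", alias 89 and Tool #40 come from the text.

```python
from dataclasses import dataclass, field


@dataclass
class StaffId:                  # one row of the central data center ID file
    staff_id: str
    alias: str                  # alias Employee ID on the CU's security master
    locked: bool = False        # locked or archived, never deleted


@dataclass
class CreditUnion:
    alias_tools: dict           # alias ID -> set of tool numbers the CU allows
    audit_log: list = field(default_factory=list)


# Constructed sample data: "&B" stands in for an employee who has left.
CENTRAL = {"&A": StaffId("&A", "89"), "&B": StaffId("&B", "90", locked=True)}


def run_tool(cu, entered_id, tool):
    """Return True if the tool may run, logging the ID that actually ran it."""
    if entered_id in cu.alias_tools:
        return False            # alias IDs are disabled at the security window
    staff = CENTRAL.get(entered_id)
    if staff is None or staff.locked:
        return False            # unknown, locked or archived staff ID
    if tool not in cu.alias_tools.get(staff.alias, set()):
        return False            # the CU has not granted this tool to the alias
    cu.audit_log.append((staff.staff_id, tool))   # individual ID, not the alias
    return True


def id_to_record(entered_id, context):
    """Pick the ID that is stored for a given context (labels are hypothetical)."""
    staff = CENTRAL[entered_id]
    if context in ("screen_field", "teller_drawer"):
        return staff.alias      # e.g. loan interviewer ID, activated drawer
    return staff.staff_id       # behind the scenes: "last maintained by", etc.


if __name__ == "__main__":
    cu = CreditUnion({"89": {40}, "90": {40}})
    print(run_tool(cu, "&A", 40), run_tool(cu, "89", 40), cu.audit_log)
```

Removing a tool from alias 89 in `alias_tools` denies it to every staff ID tied to 89 on the next call, which is the single control point the credit union security officer maintains.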