Scope out Client Defined Roles

Folks in the scholarship admin office are opp admins for the scopes they manage. However, they serve a dual role where they are liaisons with specific colleges on campus and need "view" access to see those other department-level objects, but the system admin doesn't want these folks to be able to modify those other departmental objects.

Right now, a user account has scopes, and whichever role the user is in, they have access to whatever objects are scoped out for the user. North Carolina wants a way to grant scopes to specific roles, such that when you are logged in as a particular role you only have access to the scopes of that role. Or, perhaps, be able to identify scopes for each role for each user. For example, the same role applied to various users can have various scopes for those particular users.

  • Deleted User
  • Apr 28 2017
  • Reviewed: Voting Open
Employee Name: David Welch
Client Name ("shard name"): ncsu, pitt
User: System Admin
Functional Unit: Client-Defined Roles, Scopes
  • Deleted User commented May 11, 2017 21:47

    At Seth's suggestion, I'm appending University of Pittsburgh's situation to this ticket since it points to a similar underlying issue of needing better controls and more power behind scoping.


    Pitt's issues are basically twofold:

    1. Need more granular controls for field permissions (more than simply Restricted on or off)
      This quote from Pitt captures their requirement pretty well:
      So a staff member in the History department might have access to the Pitt GPA but not SAT/ACT score. Or an admissions counselor might have access to the SAT/ACT score but not the Pitt GPA. And maybe neither of these staff would have access to Family Income or Pell Eligibility.
    2. Need to block departmental admins from seeing applicants outside their department / programs
      Pitt has pretty strong data controls on their campus and one of their provisions is (in some form) that staff should only be able to check out the records and profiles for students that are registered in their own departments and programs. To my knowledge we can't really achieve this degree of separation. Even if Opportunity Administrators are working with a scoped Conditional App, they can (at worst) still unlink an Opportunity from the Conditional, and then gain access to every applicant coming through the General App. Pitt is not a fan of such loopholes.
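The per-role scope binding asked for in the ticket description and the field-level and department-separation controls Pitt describes in the comment above, as an added example in Python. It is not the product's code, and every role, department, field and user name in it is assumed for illustration. Scopes hang off the (user, active role) pair rather than the user, each role carries its own readable-field set, and every decision is made on the applicant record's own department rather than on the path the viewer took to reach it:

```python
"""Per-role scopes with field-level permissions.

Added illustration for the two requests in this ticket; it is not the
product's own code. All names (roles, departments, fields, users) are
assumed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Mapping


@dataclass(frozen=True)
class Applicant:
    applicant_id: str
    department: str               # department/program the student is registered in
    record: Mapping[str, object]  # field name -> value


@dataclass(frozen=True)
class RoleGrant:
    scopes: FrozenSet[str]  # departments reachable while acting in this role
    can_edit: bool          # False gives the liaison-style "view only" access


# Field policy per role (assumed names): the fields a role may read, which is
# finer-grained than a single "Restricted" on/off flag on the field.
FIELD_POLICY: Dict[str, FrozenSet[str]] = {
    "opportunity_admin": frozenset({"name", "gpa", "sat_act", "family_income", "pell_eligible"}),
    "department_viewer": frozenset({"name", "gpa"}),
    "admissions_counselor": frozenset({"name", "sat_act"}),
}

# Scopes are attached to the (user, role) pair, not to the user alone, so the
# same role carries different scopes for different users, and switching the
# role you are logged in as switches the scopes.
USERS: Dict[str, Dict[str, RoleGrant]] = {
    "scholarship_admin": {
        "opportunity_admin": RoleGrant(frozenset({"scholarships"}), can_edit=True),
        "department_viewer": RoleGrant(frozenset({"history", "engineering"}), can_edit=False),
    },
    "history_staff": {
        "department_viewer": RoleGrant(frozenset({"history"}), can_edit=False),
    },
    "counselor": {
        "admissions_counselor": RoleGrant(frozenset({"history", "engineering"}), can_edit=False),
    },
}


class Denied(PermissionError):
    pass


def grant_for(user: str, active_role: str) -> RoleGrant:
    """Resolve the scopes for the role the session is logged in as."""
    try:
        return USERS[user][active_role]
    except KeyError:
        raise Denied(f"{user} does not hold role {active_role}") from None


def can_view(user: str, active_role: str, applicant: Applicant) -> bool:
    # Decided on the record's own department, never on how the viewer reached
    # it, so unlinking an opportunity from a conditional app cannot widen access.
    return applicant.department in grant_for(user, active_role).scopes


def can_edit(user: str, active_role: str, applicant: Applicant) -> bool:
    grant = grant_for(user, active_role)
    return grant.can_edit and applicant.department in grant.scopes


def visible_fields(user: str, active_role: str, applicant: Applicant) -> Dict[str, object]:
    """Return only the fields this role may read, or raise if out of scope."""
    if not can_view(user, active_role, applicant):
        raise Denied(f"{user}/{active_role} may not view {applicant.applicant_id}")
    allowed = FIELD_POLICY[active_role]
    return {k: v for k, v in applicant.record.items() if k in allowed}


def list_applicants(user: str, active_role: str, applicants: Iterable[Applicant]) -> List[str]:
    """Scoped listing over the whole pool (e.g. everyone coming through the General App)."""
    return [a.applicant_id for a in applicants if can_view(user, active_role, a)]


# Constructed sample data for the example.
APPLICANTS = [
    Applicant("a1", "history", {"name": "A", "gpa": 3.8, "sat_act": 1400, "family_income": 52000, "pell_eligible": True}),
    Applicant("a2", "engineering", {"name": "B", "gpa": 3.2, "sat_act": 1250, "family_income": 91000, "pell_eligible": False}),
    Applicant("a3", "scholarships", {"name": "C", "gpa": 3.9, "sat_act": 1500, "family_income": 30000, "pell_eligible": True}),
]

if __name__ == "__main__":
    print(list_applicants("scholarship_admin", "opportunity_admin", APPLICANTS))  # ['a3']
    print(list_applicants("scholarship_admin", "department_viewer", APPLICANTS))  # ['a1', 'a2']
    print(visible_fields("history_staff", "department_viewer", APPLICANTS[0]))   # {'name': 'A', 'gpa': 3.8}
```

The point of `can_view` keying on `applicant.department` is the loophole in the comment: whether an Opportunity is linked to a scoped Conditional App or not changes which records are listed, but not which ones the role is allowed to read, so unlinking it does not expose the General App pool. The same scholarship admin gets edit rights on scholarships applicants only while logged in as `opportunity_admin` and view-only rights on history and engineering applicants only while logged in as `department_viewer`, which is the per-role scoping the description asks for.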