The PeopleSoft (PS) environment at UH System provides mission critical administrative applications in three functional areas – Human Resource Management Systems (HRMS), Financial (FS) and, Student Academics & Administration (SAA). The Human Resources Management Systems and the Financial Systems are in production. One campus at UH Clear Lake has implemented the Student Academics and Administration system. The other three campuses plan to be operating at all four campuses in 2003.

The chain of command for approving modifications to PeopleSoft administrative applications is The Board of Directors, followed by the Chancellor / President of University of Houston Systems, the PeopleSoft Executive Committee, the oversight committees, and the application lead.

The PeopleSoft Executive Committee is composed of the Vice Chancellor/Vice President of Information Technology, the Vice Chancellors/Vice Presidents representing Administration and Finance and student administration and academics from each of the four UHS campuses. The executive committee is responsible for oversight for management and maintenance of PeopleSoft administrative applications.

Each application area – financials, HRMS, and student administration and academics; has an advisory committee. The financials oversight committee is composed of the chief financial officers from each of the four UHS campuses. The financials oversight committee is responsible for the functional use of PeopleSoft Financials. They may approve or veto modifications to the financials application and shall use discretion as to what items to present to the executive committee which would require approval by the President / Chancellor for the University of Houston Systems or by the Board of Regeants.

The HRMS oversight committee is composed of the Associate Vice Chancellor/Associate Vice President of Human Resources, the Associate Vice Chancellor/Associate Vice President of Administration and Finance, the campus HR directors, the payroll manager, the HRMS functional lead, and the E. S. Application Manager. The HRMS oversight committee is responsible for the PeopleSoft HRMS and payroll application. They may approve or veto modifications to the HRMS application and shall use discretion as to what items to present to the executive committee which could require approval by the President / Chancellor for the University of Houston Systems or by the Board of Regeants.

The SAA oversight committee is composed of the Vice Chancellor/Vice President of Student Affairs, and the Vice Chancellor/Vice President of Information Technology. The SAA oversight committee is responsible for the PeopleSoft SAA application. They may approve or veto modifications to the SAA application and shall use discretion as to what items to present to the President / Chancellor for the University of Houston System or by the Board of Regeants.

The functional leads are the key contacts for functional users for all campuses. They provide application knowledge, business process expertise, training materials and workshops, and make requests for application enhancements to the technical application managers.

The local campus help desk provides support for desktop configuration, client installation, and workstation software and hardware. The local campus help desk also provides triage support in diagnosing problems reported by functional or technical communities.

Issues or problems may be reported to the UH help desk are recorded in Remedy. Remedy provides a centralized database for tracking issues. The functional leads and the technical application managers work cooperatively towards the resolution of each issue.

The CTS ECS (Computing and Telecommunication Services, Enterprise Computing Systems) manager is responsible for server architecture, availability, maintenance, backups, and connectivity to the data network.

The E.S. TS (Enterprise Systems, Technical Services) manager is responsible for database administration, database backups, database refreshes and production copies used for the reporting database and for upgrades.

The E.S. application manager provides a key role as a systems integrator. They are the key technical contact for functional leads and user communities. As such, the application area they support is their primary responsibility. All technical issues affecting the application, it’s availability and performance must be coordinated through the technical application manager.

Information Technology and/or functional areas are free to seek additional resources via outsourcing, contracting, etc. in order to meet the needs of University Systems. The E. S. application managers are charged with the responsibility of supervision and oversight of all technical resources used in application development. Local campus IT groups may provide additional technical resources under the direct supervision of the E. S. applications manager. (Refer IS-6 for additional details)

1.0 Infrastructure

UHS operates PS as a centralized application and databases supporting four campuses with the assistance and support of functional and technical staff located at all campuses. A centralized infrastructure requires

Ø A WAN data communications network linking local campus communities to the UHS data center.

Ø Local LANs at each local campus to support local campus data communications.

Ø Servers & storage devices centrally located and managed

Ø Central databases & applications support

Ø Local file servers and report servers to facilitate distribution of output and batch processes.

Ø Local campus help desk support for desktops, client installs, and triage support.

1.1 Architecture

PeopleSoft applications are designed to run utilizing client / server architecture. Security to the application is provided through the PeopleSoft application itself. Direct access to Oracle databases is restricted to database administrators and system administrators.

Batch processes run either on a 2-tier (client) or 3-tier (server) architecture. The following figures depict the PeopleSoft Environment from a high level. Figure 1 illustrates how a user can connect to the PeopleSoft application using the web browser

Fig. 1

1.2 Planning

Many of the changes to PeopleSoft applications and the PeopleSoft infrastructure is driven by PeopleSoft. PeopleSoft sets the hardware and software guidelines and is continually upgrading and improving it’s product. Other vendors such as Oracle, Sun, or MicroSoft may drive additional changes. The University of Houston Systems must be prepared to respond to changes by it’s vendors. Changes may also result in response to improve the performance or data storage for PeopleSoft applications. All changes to hardware and software systems are subject to the approval chain mentioned at the beginning of this chapter.

Functional groups may also request changes in either the PeopleSoft application itself or with bolt on functionality or 3^rd party products used to supplement or enhance the functionality provided by PeopleSoft. Future planning requires the cooperative efforts between all technical and functional groups across all components of University of Houston Systems.

2.0 Production Operations

In providing centralized support to our end customers, UHS Enterprise systems (ES) shall continue to operate with effectively with the resources available. UHS-ES places strong emphasis on planning, communicating, and participation amongst the functional and technical communities at all campuses.

2.1 System Monitoring

Section Owners

ITAC Director

ITAC provides 24 x 7 system monitoring of network, servers, and databases. Alert messages are sent via email whenever a problem results in downtime or loss of connectivity to PeopleSoft applications. It is the responsibility of the functional lead and the technical applications manager to relay these alerts to their respective communities at all campuses. As shown below in the diagram, ITAC typically uses software applications (e.g., -Foglight) to monitor the various databases, Servers and the other network related hardware and processes. Alerts sent to ITAC are typically classified according to the level of problems and the department personnel involved.

Fig .2 (refer IS-5)

ITAC engages the SWAT system whenever an event occurs or is scheduled to occur which requires facilitation and coordination between functional and technical groups. Such action constitutes of sending an alert message and activating Phone Bridge to facilitate communication. Staff may subscribe to the ITAC outage list via the url link below:

http://www.telecomm.uh.edu

2.2 Batch Management

Section Owners

E. S. Technical Services Managers

Batch processing requires three levels of support:

1) Creation and maintenance of batch processes and job streams within the Process Scheduler.

2) Submission and monitoring of batch processes.

3) Restart and recovery

UHS E.S. will be responsible for the setup of PeopleSoft production batch processes using PeopleSoft’s Process Scheduler. Such batch processes are to be created and maintained by E.S. application developers or by component campus technicians; however, E.S. application managers must make approval of the use of the batch process.

Functional users, E.S. application developers and component campus technicians will be allowed to run batch processes against the reporting database instance, but they will not be permitted to run ad hoc batch processes against the production databases.

If a process needs to be written to run against the production database, that request must be adhere to the change management procedures described within this document.

UHS E.S. shall provide assistance as needed to functional users in the use of Process Scheduler. Functional users will be responsible for scheduling and monitoring production and user submitted batch jobs. If a job aborts, it is the functional user’s responsibility to notify the application technical manager or their designee.

E.S. DBAs will have the ability to monitor and cancel batch job processes submitted through the Process Scheduler.

2.3 Query And SQR

Section Owners	E. S. Application Manager – Finance
	E. S. Application Manager – HRMS
	E. S. Application Manager – Student Administrative & Academics

Functional users may initiate a Query or SQR to extract data to the client workstation. SQR programs will be maintained by E.S., but may be developed or specified by local campus staff. Designated functional users may also create data extracts using Query provided they have received Query/Crystal training and are secured within PeopleSoft to submit Query. E.S. will work in cooperation with local IT staff in testing queries.

Functional users against either the reporting or production database may submit SQR processes. Requests for new SQRs that must access the production database or require modification to the PeopleSoft application must adhere to the change management procedures described within this document.

Local technical staff may perform final processing to suit local needs provided they have received the necessary technical training in SQR or Query.

The following table identifies what servers a user can use to run a batch process and where they can route the output.

	SQR	Crystal Reports	nVision
client work station	file-PI printer	file window printer	file printer
batch NT	n/a	file printer	file printer
batch Unix	file-PI printer	n/a	n/a

PI is a unique process instance number. This number can be used in SQR to create a unique file name whenever that process runs.

2.3.1 Security Considerations

There are 2 ways to allow a functional user to run a query:

1. Grant them access to the Query tool which would allow them to create and modify queries.

2. Restrict the queries that can run by the user. The user can only run queries that they are secured to run.

2.3.2 Query Trees

Inside the application, a query tree must be developed to identify which views a user can access. The query tree would be assigned to a specific security class. Some examples of query trees could be:

UHFin for financials

UHSA for students or if you want to segregate the data:

UHHREMP - employee data

UHHRPOS - position & job data

UHHRBEN - benefits data

The query tree significantly reduces the number of tables so that the end user is using a small handful of tables, which would satisfy most, if not all of their reporting or ad hoc needs.

2.3.3 Controlling Runaway Queries

There are occasions when user submitted queries appear to be in a “runaway” mode. They may be in an endless loop or trying to extract too much data or using too many joins.

1. E.S. DBAs reserve the right to kill run away queries by killing the session.

2. Limit the number of rows that can be returned for a given operator class. This is done within Query security.

3. Restrict the number of nested joins to 4. This seems to be a standard mentioned at PeopleSoft conferences.

4. Issue a policy statement that if a user repeatedly creates runaway queries, we can require the user to retake Query/Crystal and, if necessary under management discretion, revoke Query privileges.

2.3.4 Public vs. Private Queries

Anyone can run a public query or copy the public query and run it as a private query. However, unless security is in place, anyone can modify a public query. Security is placed to prevent functional users from modifying a public query, (they could still save it as a private query and make modifications there),

Since any functional user who has access to run that query can run public queries, we maintain the same rigor for public queries as a change or modification, thus ensuring that the queries are tested, efficient, and the results are accurate.

2.4 Output Management

Section Owners	Student Admin. Technical Manager – ES
	Manager Technology Support Services

2.4.1 Report Distribution

For HRMS, student administration, and most of financials; users will run their own queries and direct the output to either a file, desktop, or to a printer. If the output is lost or must be recreated, then the user reruns the query. Since most PeopleSoft tables are effective dated, users can recreate reports using data from earlier time periods or cycles.

In the legacy systems, report distribution is provided by taking one large report and bursting it apart. Each department is sent the pages corresponding to that department. In PeopleSoft, the departments will be responsible for running their own reports and routing those reports their printer. Report distribution as it exists under the legacy system will not be required for student administration, HRMS, and for most of the financials processes.

Report.web is a 3^rd party utility used by the financials group. Report.web provides a central repository for reports that can be accessed via a web browser by the user.

2.4.2 Printer Support

Printers supporting batch processes on Unix servers must be identified and attached to Unix servers. Campus desktop support will handle local printers. The process scheduler will allow a user to route output to either a file, to the desktop, or to a LAN/WAN printer. As part of the launcher installation, the user should attach the default server and printer as LPT5.

To request a printer to become attached to a Unix server, send the queue name, IP address, printer type, model, and location to Jitender Kumar at 713-743-4054.

2.4.3 FTP

CCTS maintains FTP service to UHS servers. The Process Scheduler allows user submitted jobs to place extract files directly on the client machine, thus eliminating the need to ftp files from servers to the work station. SPEEDE or ANSI X12 EDI transactions are handled by ftp services on the GenTran server.

When running processes on the Unix server, files, which require ftp or access, should be written to a secured directory on the Unix server. PeopleSoft does not provide an automated FTP process within Process Scheduler; however, FTP can be coded within SQR to provide automated FTP processing.

2.4.4 Modem to Modem

The tool set for modem-to-modem links using 2780/3780 protocol has not been determined. Wherever possible, this should be replaced with ftp. In the interim period, files may be ftp’d to the Admin system and use the existing Admin communication servers and modems. These servers are functional but are not supported because the vendor is out of business.

2.4.5 Imaging

UHS maintains an image server. Contact the E. S. Applications Manager for Financials to arrange for documentation storage on the imaging server.

2.4.6 MicroFiche

The following steps should be followed to create microfiche:

1. First determine how many originals and how many copies of each original is needed. (Usually this is one original and one copy).

2. Send email to E. S. Technical Service Manager and copy Mark Aycock (CCTS) at 713-743-1474 mlaycock@uh.edu and the person requesting the fiche. In the mail, request

a. Report files be copied to tape for fiche

b. You be notified when the tape is created.

3. Send email to Mark Aycock, copying the person requesting the fiche. Ask Mark to send the tape to the fiche company. The following information should be sent with the tape:

a. tape number and filenames on the tape

b. number of originals and number of copies for each file on the tape.

c. delivery address and contact info for when fiche is returned.

2.5 Disaster Recovery

Section Owner

Assoc. Vice Chancellor/Assoc. Vice Pres. Security / S/W

Backup tapes for the entire PeopleSoft system will be kept at an offsite storage facility. The UH Disaster Recovery plan managed by the I/T Security group will be followed in case of a disaster. Please reference the following url link for more information:

http://www.uh.edu/infotech/refguide/recovery.html

3.0 Customer Support

3.1 Global Support Center

Functional and technical users may use PeopleSoft’s global support center to report a problem with the PeopleSoft application. If there is a problem with the delivered application or code, this problem should be reported to the global support center. Whenever possible, PeopleSoft delivered code should not be modified. PeopleSoft should be contacted first and given the opportunity to correct the problem and send a patch to correct the code. If that is not possible, PeopleSoft should be notified via the global support center with a note that we have corrected the code and can share that fix with them.

ITAC (Information Technology And Connectivity) provides 24 x 7 system and network monitoring and alert notices for servers, databases, and applications. ITAC broadcasts system alerts whenever unscheduled downtime occurs. ITAC may also activate the SWAT (Swift Action Team) alerts which are designed to facilitate and coordinate corrective activities between various technical and functional groups when a major event occurs. The SWAT alert may be either a proactive or reactive response. Technical support for non-production systems, databases, hardware, and software is provided Monday through Friday, from 8:00 a.m. to 5:00 p.m. unless previous arrangements have been requested to provide support after-hours or on weekends.

The Global Support Center can be located by logging in as a customer at the following url:

http://www.peoplesoft.com/corp/en/public_index.asp

3.1.1 Customer Connection

Via Customer Connection PeopleSoft provides valuable information with regards to product updates, patches, and upgrades. Security administrators are responsible for managing access to PeopleSoft’s Customer Connection. As such they will activate or inactivate UHS staff to Customer Connection. Customer Connection can be accessed by logging in as a customer at the following url:

http://www.peoplesoft.com/corp/en/public_index.asp

3.2 Help Desk

Section Owners	Manager Technology Support Services
	E. S. Application Manager - Student Administrative and Academics

Technical support is provided through the combined efforts of the component help desks and desk top support personnel, component technical staff, and UHS central technical staff. The primary concern is to provide quality support to the functional users in a timely manner. The local campus help desk and desktop support staff will provide support for desktop configuration, desktop products, and peripheral hardware attached to the client workstation. Each campus is responsible for determining the level of support they will provide for desktop products.

Ideally all support calls would be routed through the help desk for triage and logging purposes. Because of staffing issues and because users have a tendency to call the person who can help them the most directly, we chose not to make any changes to the customer support model.

Problem tracking for trend and impact analysis is an important part of customer support. Each campus shall determine it’s method for tracking problems reported to the help desk. Users may also contact E.S. application managers directly with regards to PeopleSoft technical problems, process analysis, data analysis, etc.

A SWAT alert may be requested by the Help Desk, Enterprise Systems, or by CCTS. SWAT alerts are issued to IT and technical managers to alert them to an emergency situation or of an event which requires communication, coordination, and facilitation between the various groups. When ITAC issues the SWAT alert, a phone bridge is established to facilitate communication. When the item causing the alert has been resolved, ITAC will send a second SWAT alert advising that the item is resolved. At that point, the phone bridge is closed.

The diagram (Appendices-Fig .1) illustrates how customer support is provided.

The following table identifies key support area outside of desktop support for UHS.

Financial	Financial Functional Lead Financial Technical Manager – ES
HRMS	HRMS Functional Lead HRMS Technical Manager - ES
Student Admin	Student Admin Functional Lead Student Admin Technical Manager -ES
DBA	Technical Services Manager
Desktop	Manager Technology Support Services
Network	Network Operations
System Admin	Unix Systems Administrator
Security	Technical Services Manager

Help Desk Information

Central: (713)-743-1411; Open Mon – Fri 8:00 a.m. to 8:00 p.m.

Email: support@uh.edu

Web: http://www.uh.edu/infotech/itnews/problems.html

Down Town: 713-221-8031 or extn 3000 internally; open Mon – Fri 7:00 a.m. to 6:00 p.m.

Email: help@dt.uh.edu

Clear Lake: (281) 283-2828; open Mon – Fri. 8:00 a.m. to 6:00 p.m.

Email: helpdesk@cl.uh.edu

Web: http://www.cl.uh.edu/uct.helpdesk/front.html

Victoria: (361) 570-4399; open: Mon - Fri, 8:00 a.m. - 5:00 p.m.

Remote learning centers have desktop support staff assigned at each location. This staff serves in lieu of a help desk. UH-Victoria will support Fort Bend. All other remote learning centers will be supported by UH-Central.

3.3 Customer Support

Information Technology (IT) resources operates as a market driven entity. The customer or functional users create demand for application enhancements. IT also provides the supply of resources to meet these needs (Fig 3)

PeopleSoft Demand/Supply Overview

Fig. 3

3.4 Problem Reporting And Resolution

Problems can be broken down into basically two types: functional problems or technical problems. All problems related to PeopleSoft should be logged into Remedy for problem tracking and resolution. These problems may be logged by the user themselves by calling the help desk or by logging the call on the help desk’s web site. Problems may also be logged by the application functional lead or by the E. S. Application Manager. It is the responsibility of the functional leads to resolve functional problems and for E. S. Application Managers to resolve technical problems. PeopleSoft security administration for operator ids will move from the help desk to E.S. (see section pertaining to security).

End user assistance can occur on 3 practical levels. Fig 4 illustrates the flexibility in providing technical support.

Fig .4

Technical customer support is managing the response to any type of technological problem related to either hardware or software pertaining to the operating systems environment, network, or application. These problems will be handled by a combination of help desk personnel, technical staff members, UNIX/NT administrators, database administrators, application developers, network administrators, power users, etc. As problems arise and are reported to the technical PeopleSoft support staff, each reported problem would be analyzed and given to the appropriate team member for resolution. In the event the issue appears to be outside of the PeopleSoft production environment, it will be turned over to the technical or functional team who is responsible for that issue or campus area.

Other functional application users, power users and functional managers will continue to provide initial support. If the problem remains unsolved, the issue will be escalated to either the campus help desk or the Functional Managers may directly access the appropriate Application Manager.

If the problem is related to the desktop workstation, peripheral hardware, or Local Area Network, the user shall obtain support using established campus procedures.

3.4.1 Level 0 Support

Level 0 support is provided by other users, power users and super power users. They provide minimum assistance to resolve any problems associated with pc workstation hardware or software, local printers, navigating on-line applications, interpretation of reports or data, and explaining application processes and logic. They resolve many minor problems that never reach level 1 (help desk) or level 2 supports. If the user is unable to resolve the problem; they should contact the local campus help desk for additional support. If a determination can be made at this level that the problem is associated with a PeopleSoft application (panel, process, query, or report) and that programmer assistance is required, either the user, the power user, or the super power user may contact the E.S. manager directly, otherwise, they should be referred to the campus or UHS help desk. After the transition period, the FAST team should NOT be contacted directly by the users for technical support.

3.4.2 Level 1 Support

Section Owner

Manager Technology Support Services

Level 1 support is provided by the campus or UHS help desk. The UHS help desk will log and track reported problems. Component campuses may track reported problems using problem-tracking software, which is specific to that campus. The help desk will attempt to diagnose and resolve the problem with the user. If they are unable to resolve the problem, they will assign the problem a case number and refer the case to the appropriate technical staff. Logging of all reported problems to the help desk is required.

3.4.3 Level 2 Support

Section Owner
Financials	Financial Technical Manager – ES
HRMS	HRMS Technical Manager – ES
Student Administration	Student Admin. Technical Manager – ES

Level 2 Support is provided by local campus technical staff or by UHS IT technical staff. IF UHS IT assistance is required, a technical coordinator should be appointed at the component campus to be a focal point of communications between the component campus and UHS IT staff. If a case number is assigned, the technical staff should either contact the help desk once resolution has occurred or indicate within the problem tracking software that the case is completed.

Any UHS IT staff member may enter a case into the problem tracking software on behalf of the end user. Level 2 support is advanced technical support and would include but is not limited to problems pertaining to desktop and workstation configuration, systems operations, networking operations, and application support.

3.5 Problem Escalation

Escalation of reported problems will follow the current procedures in place at each campus, particularly Level 0 and Level 1 issues since those issues are being resolved internally. Level 1 help desk issues will follow existing procedures at the component campuses, but the escalation of issues at this level will need to be coordinated between the component campus and the UHS PeopleSoft production support team according to the Operations Support Responsibilities located within this document under Application Specific Procedures.

ITAC must be notified whenever an event occurs which results in a loss of connectivity outside the Sunday maintenance window. ITAC will broadcast an outage alert on their outage network. If the event requires extensive coordination between technical groups, ITAC will issue a SWAT alert to key technical and functional staff. A telephone bridge will be opened and identified in the SWAT alert message to allow key staff to communicate to each other in a conference call.

ITAC will issue periodic updates until the system is back on-line and operations have returned to normal. Staff may subscribe to the ITAC Outage list by going to http://telecomm.uh.edu.

4.0 Security

Section Owner	Technical Services Manager
Servers	Manager Operating Systems – ECTS
LAN/WAN	Manager Network Planning & Development
Database	Technical Services Manager
FS Application	Financial Technical Manager - ES
HR Application	HRMS Technical Manager – ES
SA Application	Student Admin. Technical Manager – ES
Incident Reporting	Steve Green

4.1 Security Policy

To protect the integrity of PeopleSoft data which supports 3 critical administrative systems, it is essential that access is tightly controlled and restricted to authorized staff and processes.

Request for access should be presented by the functional users to the functional owners located at their local campus. If access is needed to HRMS, they should contact the HR director; for financials the chief financial officer; for student administration the registrar or campus contact support that application. The application owners at the local campus will forward the request to the functional leads who may either accept or reject the request. If the request is rejected, the requestor may appeal this decision to the Executive Committee via Assistant Vice President/Assistant Vice Chancellor for Enterprise Systems.

With the exception of database administrators and system administrators, direct access to PeopleSoft databases and tables is not permitted or allowed. Access to the PeopleSoft databases is granted through the PeopleSoft application. Batch processes may be written in SQR, SQC, Cobol, or Application Engine. Online and web processes may be written in PeopleTools, PeopleCode, Query, nVision, or Crystal Reports. Database links may be granted between the three PeopleSoft applications and also between PeopleSoft databases, provided that the application leadership/advisory group has approved that access and such access is technically feasible.

The following table describes who can be granted access and who will control access to PeopleSoft environment and applications.

	Who Can Access	Who Grants Access	Max Turn Around Times
Network via VPN	UHS IT staff who provide support services on the servers.	Manager Network Planning & Development	???
Network via Terminal Server	Functional users and application developers	???
NT Servers	NT system administrators and DBAs will have direct access.	NT system administrator	1 day
Unix Servers	Unix system administrators and DBAs will have direct access.	Unix administrator	1 day
PeopleSoft Domains	Functional users and E.S. application support staff.	Access is granted by TSS for UH Central. Component IT staff will grant access according to local campus procedures.
Databases	DBAs will have direct access to Oracle databases.	E.S. Technical Services Manager	???
Financials Security Classes	Functional security administrators.	Functional managers	1 day
HRMS / SA Security Classes	E.S. security administrators	Functional managers	1 day
PeopleSoft Operator Ids	UHS employees, vendors, customers, external entities and agencies	Functional managers must approve access. Functional managers at components will provide access for financial application. E.S. security administrator will provide access for HR and student administration.	1 day
Resetting PS Passwords	All users	Functional or E.S. security administrators.	1 hr
Operator Preferences	All users	E.S. Security administrator sets default settings. Functional managers can override.	1 day
PeopleSoft Financials Application	All users	Functional managers must approve access. Functional security administrators at components will provide access for financial application. E.S. security administrator will provide access for HR and student administration.	1 day
PeopleSoft HRMS and Student Administration Applications	All users	Functional managers must approve access. E.S. security administrator will provide access for HR and student administration.	1 day
Row level security	All users	Functional managers	1 day

4.2 Environment

4.2.1 Facilities

Hardware will be maintained in an environment controlled computer room with secured access. Access to the computer room is only authorized to personnel whom by job description and job responsibilities have been designated to monitor and support the equipment.

The computer room is secured with a card key system, which identifies the individual attempting to gain access to the area, if access has been granted the door will automatically unlock when the card has been swiped through the reader.

4.2.2 Network

The network design employs a strategy of network switches that regulate the incoming and outgoing network traffic. The network has an internal network connecting the computer system to one side of the network switch; on the other side there is a public (outside) network that has limited access to the environment. By this design or approach it allows for the isolation and segregation of the environment and data.

4.2.3 Servers

Unix

Access to the UNIX environment will only be granted to the UNIX administrators and Database Administrators. Passwords on accounts in this environment will be changed on a predetermined schedule.

The NT administrator will control security access to the NT servers centrally and accounts on this system will have automatic password expiration on a predetermined schedule. For the central campus, the user will be assigned to an NT account and the PeopleSoft domain through Remedy. A feed from HRMS to Remedy will be used to establish accounts, however, it is possible for the user to request the account directly via email, telephone, in person.

4.2.4 Database

Access to the Oracle database will be limited to only the Database administrators. In the event a predefined system process needs direct access to the database, this will be accomplished by creating specific user roles with granted privileges to certain objects in the database, whereas theses accounts will be inaccessible to users.

Passwords for these accounts will be changed on a predetermined schedule.

4.3 PeopleSoft

Security administration under PeopleSoft versions 7.6 and lower allows the Security Administrator to assign users access to all data and applications residing within a single database. This does not present a problem for the financial applications, as functional managers will continue to administer their own security since it resides in its own database. Since the human resource and student applications must share a common database, and due to the security design embedded within PeopleSoft, there are concerns with allowing functional users to also act as Security Administrators who would be able to grant security access to both HR and SA applications. Security administration for HRMS and student administration, therefore, will be located outside of both functional areas until we install version 8.0.

4.3.1 Security Class Maintenance

User access to the system will be predefined by the use of PeopleSoft operator classes. These classes will define the level of access to the system. They will limit a user to a particular area of the system, which will pertain to their job function.

These security class definitions will be defined and maintained by the functional area managers for their user base.

A finance functional manager or their designee will serve as the financial security administrator who will maintain security classes for the financials application for all campuses as designed by functional managers. HR/SA functional managers must approve changes to security classes, but E.S. Technical Services will post the security class changes within the security module. If multiple campuses are using a security class, then each campus using that class must authorize changes to that class.

4.3.2 Operator Id Administration

Anyone accessing the PeopleSoft application will require a unique operator id across all applications and databases. Because PeopleSoft is an enterprise wide solution for all 4 components, a single database repository for the assignment of unique operator ids is required. This single repository will reside on a MicroSoft Access database which will be maintained by E.S. Technical Services (TS) who shall also serve as PeopleSoft security administrators. TS will create unique operator ids for all applications and all databases (development, test, UAT, production, etc.). TS will also assign operator classes to an operator id for HRMS and student admin applications. Financials plan to assign operator classes by functional users who will also serve as security administrators in a limited capacity.

There is not a uniform naming convention for logon or operator ids for NT domains, email addresses, or for PeopleSoft.

The naming convention for PeopleSoft operator id is

Maximum length of the operator id is 8 characters long
First 6 characters will be the last name followed by first and middle initials
If no middle initial exists, the letter “X” will be used.
If an operator id already exists, subsequent operator ids will begin a numerical sequence starting in the eight positions of the logon id and incrementing by one as necessary.

Examples:

User John David Millenkamp would be MILLENJD

User James Donald Millenkamp would be MILLENJ1

User Joan Doris Millenkamp would be MILLENJ2

User Joe Bob Smith would be SmithJB (one blank space at end)

User June Barbara Smith would be SmithJB1

The following procedure will be used to obtain a PeopleSoft operator id:

1) The new user must obtain a UH email account from their local campus according to local campus procedures. This email account will be used to place the employee on a LISTSERV to be used for general notices.

2) The user must submit a PeopleSoft Operator Id Request form to the department business administrator. The forms should be available from the local campus functional managers or E.S. Technical services.

3) The department business manager will sign the form and forward it via fax to E.S. Technical Services at 713-743-1395;

4) E.S. will assign a unique operator id and a password for the new employee; link the operator to an operator class (for HRMS and student admin applications only) and forward that information to the functional manager who is responsible for forwarding that information to the campus functional trainer.

5) The user must attend orientation at the local campus. The user must complete any required PeopleSoft functional training for the department they will be working in. After the user has completed functional training, they will be given their operator id and password.

Upon request, E.S. will deactivate operator id for all applications. Deactivating can also occur as the result of a feed of terminated employees from HRMS. This will require an SQR to update the security tables. Deactivating an operator id will be accomplished by removing all security classes with the exception of the “No Access” security class from an employee.

4.3.3 Resetting Passwords

Requests for resetting PeopleSoft passwords must be sent by email to the E.S. security administrator or to the campus application security administrator. Telephone requests should not be permitted since there is no way to validate the identity of the caller. The security administrator may send the new temporary password to the requestor either by return email or by telephone with instructions that the requestor should change the temporary password upon logging on to PeopleSoft.

Password resetting for FA/HR/SA could be done by campus help desks provided controls or modifications are written to restrict campus help desk personnel to password resetting privileges only. (Audit requirement). There are no any plans for modifying PeopleSoft to provide this functionality at this time.

4.3.4 Operator Preferences

Before an operator can use PeopleSoft, security and operator preferences must be setup. Whenever a request is processed to create a new operator id, the E.S. security administrator will also setup default operator preferences. These preferences will vary between HR/SA and financials. The functional managers will be responsible for overriding the defaults for an operator.

4.3.5 Application Level Security

Access to the PeopleSoft system for each campus will be limited to authorized users only. This will be accomplished by use of the existing PeopleSoft security tools. Each campus will be assigned a Business Unit or Company ID; access groups will be setup for each campus user defining the appropriate Business Unit or Company for them to access the system.

Financials

FA functional managers or their designee may act as security administrators within the FA database and link employees to a security class. This is a trust relationship and will not maintain employees belonging to another campus without that campus’s permission. It is standard practice for campus security administrators to serve as backups for other campuses.

The FA Application Request form should be available by contacting the FA functional manager or E.S. Technical Services. This form will eventually be available on the UH website.

To obtain access to the PeopleSoft Financials Application, the user must

1. Have an approved PeopleSoft operator id;

2. Be secured to the PeopleSoft NT domain for their campus;

3. Submit the FA Application Request form to the business administrator who will authorize the request and forward the form to the Financials Functional Manager at their campus.

4. The FA functional manager will secure the employee to the application by assigning them to PeopleSoft security class (es) and by performing any row level security, which might be required.

5. The functional manager will schedule the employee for PeopleSoft functional training.

6. After the employee has completed the PeopleSoft functional training, they will receive their PeopleSoft operator id and password.

Student Admin and HRMS

Student Administration and HRMS application level security will be administered by UHS E.S. Technical Services group.

The SA Application Request form and the HRMS Application Request form should be available by contacting E.S. Technical Services. These forms will eventually be available on the URL: http://www.uh.edu/fast/

To obtain access to the PeopleSoft Student Admin Application or HRMS application, the user must

1. Have an approved PeopleSoft operator id;

2. Be secured to the PeopleSoft NT domain for their campus;

3. Submit the SA Application Request and/or the HR Application Request form to the business administrator who will authorize the request and forward the form to the appropriate functional manager at their campus.

4. The functional manager will forward the SA Application Request or the HR Application request form to E.S. security administrator who will post the security change in PeopleSoft.

5. E.S. security administrator will notify the functional manager once the employee has been secured to the application.

6. The functional manager will post any row level security that is required for the employee.

7. The functional manager will schedule the employee for PeopleSoft functional training.

8. After the employee has completed the PeopleSoft functional training, they will receive their PeopleSoft operator id and password.

4.3.6 Row Level Security

Row level security is not conducted within the security module, thus allowing row level security to be administered by functional managers at all components.

4.3.7 Information Ownership

All information assets (data and systems) have an appointed owner who makes decisions about classification and access rights.

Functional administrative user groups own the data. Functional data owner groups remain accountable for the maintenance of appropriate security measures. The functional managers will also participate with other staff in security administration, patch and upgrade analysis, and implementation planning. They will also work with database administrators to coordinate change propagation across database instances.

4.4 Remote Connectivity

Remote connectivity refers to the ability to access PeopleSoft environment or software from outside the central or component WAN/LAN network.

The following types of remote connectivity are needed:

· System administrators require remote access to NT and Unix servers.

· Database administrators require remote access to NT/Unix servers and to PS8 applications and databases

· Application support staff requires remote access to the PeopleSoft application.

· Power users require remote access to the PeopleSoft application to on-line screens and to submit and monitor batch processes.

· Remote learning centers require remote access to the PeopleSoft application.

System administrators and database administrators have access via a restricted management network via VPN (Virtual Private Network). The management network will provide access to NT and Unix servers and Oracle databases. A private network will connect the database servers to the application servers, process scheduler servers, report servers, and file servers. The private network is intended to facilitate the transfer of data between these servers. As such outside access is not permitted.

Recommended access for developers, functional users, and remote learning centers is through MicroSoft Terminal Server. This requires a NT server that will provide connectivity to the public network. The public network allows connectivity to the application servers, process scheduler servers, file servers, and report servers. It does not allow direct access to the database servers. Access to the databases is accomplished via the PeopleSoft application.

4.5 Security Audit

Develop technical requirements to business needs for the security audit requirements of the security policy in the PeopleSoft production environment need to be established. Insure that each technical requirement listed contains a detailed description of the requirement and a full explanation of the business needs which the requirement addresses.

4.6 Internet Security & Privacy

This requirement involves the definition and documentation of security to be implemented for use with web-enabled applications. This requirement will differ substantially from the established earlier, and will be required to protect UHS data environment from a much larger array of access methods.

This will add such technical requirements such as intrusion detection, Internet firewall protection and other sources of entry not typically secured on an internal network environment. These technical requirements need to be developed to ensure that the security policies established in earlier discussions are successfully applied to the Internet component of the PeopleSoft production and development environments. Each technical requirement listed will require a detailed description of the requirement and a full explanation of the business need, which the requirement addresses.

4.7 Security Violation Reporting

All employees are required to report suspected security violations to the Security Information Officer per UHS Policy, which can be located at the following url:

http://www.uh.edu/infotech/security.html

5.0 Maintenance & Administration

Section Owners

Change Management Committee

5.1 Hours Of Operation

With the exception of the Sunday maintenance window, the PeopleSoft production environment will be available 24 x 7. Reference section 2.3 concerning procedures to follow when the production environment is not available.

5.2 Sunday Maintenance Window

System maintenance to the production infrastructure is performed on Sundays between the hours of 6:00 a.m. and 2:00 p.m. This time is used to perform software, hardware updates or replacements on the system. This time slot may also be used for system stress and load testing when applicable.

The 1^st and 3^rd weekends of the month are reserved for data base administrators. The 2^nd and 4^th weekends are reserved for system administrators. The 5^th Sunday of the month will be negotiated between the two groups. It is not unusual for the groups to swap weekends to accommodate maintenance requests.

Requests for extended downtime (i.e., major upgrades or system reconfiguring) must be made to the Change Management Committee. Such requests should be made at least 2 weeks prior to the maintenance window.

As systems integrators, the E.S. technical applications managers are responsible for communicating and coordinating the scheduled downtime to their respective technical and functional communities at all components.

The Change Management Committee must approve the request for extended downtime.

5.3 Emergency Maintenance

Emergency maintenance requires effective communication and coordination between the functional and technical communities. ITAC must be notified whenever an event occurs which results in a loss of connectivity outside the Sunday maintenance window. ITAC will broadcast an outage alert on their outage network. If the event requires extensive coordination between technical groups, ITAC will issue a SWAT alert to key technical and functional staff. A telephone bridge will be opened and identified in the SWAT alert message to allow key staff to communicate to each other in a conference call. (related reference Fig .4)

ITAC will issue periodic updates until the system is back on-line and operations have returned to normal. A final update will be issued notifying staff that the system is available for their use.

Staff may subscribe to the ITAC System and Network Outage list by going to www.telecomm.uh.edu

5.4 Data Network Administration

5.4.1 Network Services

Section Owners

Manager Network Planning & Development

UHS will support the network for the UH central campus (LAN) and network services to the UHS universities. (WAN). Each component campus will support its own LAN including the LAN connections to the file and report servers located at the component campus as well as providing assistance to UHS CCTS to support the WAN.

UHS CCTS is responsible for the procurement, monitoring, and maintenance of hardware, software, and vendor services supporting the UHS central communication networks and the carrier lines up to the Marconi switch located at the component campus. The component campus’s IT staff is responsible for the component’s internal network and the PeopleSoft network from the Marconi switch and beyond to the file and report servers located at the component campus.

UH-CLC and UH-DTN shall be connected via OC3 lines. T1 lines shall be used to connect UH-VIC and the component learning centers (UH-FB, UH-WH, UH-NHI). CCTS provides all the equipment except for the T1 lines. Each campus and component learning center shall provide either a help desk or desktop support staff to assist in triage work and to act as a liaison in escalating a networking issue with CCTS.

The diagram (Appendices-Fig .2) provides a high level view of network support.

ECS is responsible for providing monitoring, support, and maintenance for servers required for development, test, production, reporting, and other database configurations required to support PeopleSoft 8.x. This responsibility includes upgrades of server hardware and operating system software as well as software used to manage the PeopleSoft environment. E.S. Technical Service DBAs will be responsible for starting and stopping application processes which run on either Unix or NT servers.

Support of the remote NT based servers is shared between the component campus technical support personnel and the centralized system administration personnel. “Lights out” capability for operation of component servers, component monitoring, administration, and rebooting will allow central support to co-manage the component physical servers. The custodian of each physical location will provide physical and environmental security.

5.5 System Administration

Section Owners

ECS Manager of Operating Systems

5.5.1 System Architecture

Appendix K depicts the various types of servers and software components needed to support the PeopleSoft 8.x environments.

Detailed drawings of the system architecture are located in Appendices- Fig 7, Fig 8, Fig 11, Fig 14 describe the Production environment. Other Non-Production architecture is shown in Appendix 11 and to an extent in Appendix 14.

5.5.2 Service Level Agreements

Service level agreements between ECS and all components for services provided by ECS (servers and LAN/WAN) can be located at the following url link.

http://infocall.cc.uh.edu/website/sla.html

5.5.3 Server Maintenance

ECS is responsible for all hardware maintenance, both routine and emergency, for equipment installed centrally and at component campuses. As noted above, all devices are equipped with “lights out” software, which allow for centralized administration and monitoring of the hardware device.

All changes to server environments at either the computer center or local campuses will be completed during the Sunday maintenance window. The manager of ECS will make requests for maintenance to the Change Management Committee. Support collaboration will exist for hardware located at component campuses.

5.5.4 Operating Systems Patches

Section Owners

Manager Operating Systems – ECTS

ECS is responsible for all operating system patches and upgrades for the servers installed centrally and at component campuses as a part of the PeopleSoft infrastructure. Requests for maintenance will be made to the
Change Management Committee by the manager of ECS and will be performed during regularly scheduled maintenance windows. (refer Appendices-Fig .3)

5.5.5 Server Backup, Recovery, And Failovers

Section Owner

Manager Operating Systems – ECTS

CCTS will be responsible for providing system level backups on all devices except for the report servers and the file servers located at the component components. The file server replica located at the computing center will serve as a recovery source for the component campus file server. CCTS does not plan to backup the report file server located at the component campus. The functional user is responsible for moving critical reports to another location. If reports are lost as a result of a hardware failure, the user can rerun queries to recreate the reports.

5.6 Database Administration

Section Owners

E. S. Technical Services Manager

UHS E.S. DBAs provide Oracle database administration services for PeopleSoft Oracle tables and any additional Oracle tables created in PeopleSoft Oracle table spaces to support additional functionality to PeopleSoft applications. This includes daily performance monitoring, tuning, maintenance, database and PeopleSoft object migrations between environments, backup and recovery.

5.6.1 Database Migration Process

Only databases related to production, development, testing, and user acceptance need formal procedures for migration purposes. The database migration form is used to provide permanent documentation, authorization signatures, and an audit trail for database migrations. This form can be located at the following url:

http://www.uh.edu/fast/FAST-technical.htm

3.0 Customer Support

Financial

Financial Functional Lead

HRMS

HRMS Functional Lead

Student Admin

Student Admin Functional Lead

DBA

Technical Services Manager

Desktop

Manager Technology Support Services

Network

Network Operations

System Admin

Unix Systems Administrator

Security

Technical Services Manager

3.4 Problem Reporting And Resolution

4.2 Environment

4.2.4 Database

4.6 Internet Security & Privacy

5.0 Maintenance & Administration

5.4 Data Network Administration

5.5.1 System Architecture