0 eCPIC Admin Training: Managing User Rights and Permissions These training materials are owned by the Federal Government. They can be used or modified only by FESCOM member agencies.

1 Managing User Rights and Permissions 2 – Access Control Overview 4 – Users 9 – Groups 14 – Rights and Permissions 21 – Process Permissions 25 – Organizations 32 – Account/Password Configurations

2 Access Control Overview  Effective IT Portfolio Management requires collaboration and input from a number of stakeholders across an organization. Different stakeholders play different roles, and have varying levels of responsibility and authority. It is important that agencies manage their eCPIC users’ access to certain types of data and functionality within the tool. This helps maintain privacy and security of sensitive information, and allows agencies to control important business process workflows.  eCPIC is designed to allow system administrators a great deal of flexibility in assigning various access control levels. This training session will focus on the ways that administrators assign access rights and permissions to individual users and to groups of users. RightsPermissions Users Groups

3 Managing User Rights and Permissions 2 – Access Control Overview 4 – Users 9 – Groups 14 – Rights and Permissions 21 – Process Permissions 25 – Organizations 32 – Account/Password Configurations

4 Adding Users to eCPIC  The first step of access control starts with adding a user to eCPIC.  To create a new eCPIC user account, open the Admin Module. Either select the “Add User” link in the Navigation pane, or use the Admin module menu bar to navigate to: Add > Add User.  Complete the user entry form, and click the Add User button.

5 Users and Contacts  To validate and manage system access privileges, use the Admin module menu bar and navigate to: Access Control > Users.  The eCPIC Users and Contacts table shows a list of all users and contacts in the system, along with several links for administrators to control user access privileges.  Note: Users have eCPIC accounts and privileges that enable them to access data within the tool. Contacts are names that have been entered into eCPIC as points of contact for specific investments, but they do not have eCPIC accounts or privileges. Contact names are easily identified in this list because they appear in italicized text (as shown below). Lock/Unlock User Account Activate/Deactivate Account Assign User Rights/ Permissions Generate User Access Report Global Lock/Unlock Non-Admin Users Edit User Account Information User (regular text) Contact (italicized text)

6 Deactivating Users Accounts  To deactivate an individual user’s eCPIC access, there are two ways to accomplish this: 1)Select the Yes link in the “Is Account Active?” column. Once the link has been selected, eCPIC will immediately update the user’s access status in the list to No. Click the link again to activate the user. 2)From the Manage Users and Contacts page, click the user’s name to display the Manage User page. Select the Deactivate button at the bottom of the page to deactivate the user. If activating a user, an Activate button will be available.

7 Locking Users from the System  To temporarily lock all non-administrator users from logging into the system, use the global lock functionality by selecting the Lock button.  To lock an individual user’s eCPIC access, select the No link in the “Is Locked?” column. Once the link has been selected, eCPIC will immediately update the user’s access status in the list. Click the link again to unlock the user.

8 Managing User Rights and Permissions 2 – Access Control Overview 4 – Users 9 – Groups 14 – Rights and Permissions 21 – Process Permissions 25 – Organizations 32 – Account/Password Configurations

9 Groups  Establishing groups in eCPIC is an efficient strategy for managing system access. Utilizing the group functionality will save valuable time spent on administrative tasks, as well as enhance the maturity of your agency’s system access control structure.  Administrators will find that it is easier to manage the rights and permissions of a group rather than assigning the same rights and permissions to individual users one at a time. By assigning the appropriate rights and privileges to a group, any user assigned to the group is automatically given the same group privileges.  To begin creating and managing groups, use the Admin module menu bar and navigate to: Access Control > Groups.

10 Adding a Group  To add a new group, select the Here link shown below.  Assign a group name (required), organizational alignment, and group description in the pop up window.  Once complete, click the Add Group button.

11 Navigating Groups  Once the new group is defined, it will appear in the “Manage Groups” list. Administrators can select the group name to modify and make updates to the group. Administrators may also delete the group; add users; add rights; assign investments and portfolios; and lock or unlock the group’s users from the system. Delete Group Manage Group Users Manage Group Rights Manage Group Investment and Portfolio Permissions Lock/Unlock Group Users

12  To add a user to a group, select the Users link. You will see a list of all eCPIC users, as well as any users that have already been assigned to the group.  Highlight an Available User(s) name and select the button to move the highlighted name to the Assigned Users list. Highlighting an Assigned User(s) name and selecting the button will remove the name from the group and place them in the Available Users column.  Select the button to move all eCPIC users to the Assigned Users list. Select the button to remove all users from the group.  Select the Update button to save your changes after the desired users have been placed in the Assigned Users column.  With the selected users successfully added to the group, the subsequent slides will cover how to create and manage organizations. Adding Users to a Group

13 Managing User Rights and Permissions 2 – Access Control Overview 4 – Users 9 – Groups 14 – Rights and Permissions 21 – Process Permissions 25 – Organizations 32 – Account/Password Configurations

14 Understanding eCPIC Rights and Permissions  Assigning a user or group with an eCPIC “right” gives them complete access to a certain functionality or module (Investments, Portfolios, etc.). A user or group who has been assigned the investments right can access every investment within eCPIC.  Assigning a user or group with an eCPIC “permission” gives them access only to specifically assigned objects (an individual investment, an individual portfolio, etc.). Permissions limit the user’s or group’s visibility within the tool.

15 Assigning Rights and Permissions  To assign user rights or permissions, open the Users and Contacts table by using the Admin module menu bar to navigate to: Access Control > Users. The same steps can be followed for Groups, from the Manage Groups page.  Click either the Rights or the Permissions link on the row of the user to whom you wish to assign rights or permissions.

16 Managing and Assigning Rights  To assign user rights, select the appropriate check boxes. Hover over the icon next to each checkbox for a definition of that specific right access.  When assigning administrator rights to a new user, click on the Global Admin check box, or select the Select All option to efficiently assign access to all system rights.  Click the Update button to save and apply the access changes to eCPIC.

17 Managing and Assigning Rights  The table below describes the access provided by each right available within eCPIC:  Note: No other eCPIC right will override a user’s access to specific investments. Therefore, if a user has the Delete right, they can only delete investments to which they have access. If a user has the PBCR Manager right, they can only approve Performance Baseline Change Requests for investments to which they have access. RightDescription CreateGrants the ability to create new investments, portfolios, resources, scoresheets, etc. ReadGrants the ability to view existing investments, portfolios, resources, scoresheets, etc. UpdateGrants the ability to update data and properties for existing investments, portfolios, resources, scoresheets, etc. DeleteGrants the ability to delete existing investments, portfolios, scoresheets, etc. Assign PermissionsGrants the ability to assign user and group permissions relating to investments, portfolios, scoresheets, etc. IT DashboardGrants the ability to compare and submit OMB Submission package data to the IT Dashboard. PBCR ManagerGrants the ability to manage, approve, or deny Performance Baseline Change Requests. Global AdminGrants full access for all administrative rights.

18  To assign investment permissions, select the appropriate check box(es). Hover over the icon next to each checkbox for a definition of that specific permission access.  Use the Select All option to assign a permission type for all agency investments.  Select the Update button to save all changes. Managing Investment Permissions PermissionDescription CreateGrants the ability to submit a revision for this investment ReadGrants the ability to view this investment UpdateGrants the ability to update data and properties for this investment DeleteGrants the ability to delete this investment Assign PermissionsGrants the ability to assign user and group permissions for this investment ITDBGrants the ability to compare and submit investment data to the IT Dashboard PBCR ManagerGrants the ability to manage Performance Baseline Change Requests for his investment

19  To generate a report of a specific user's eCPIC access permissions, open the User and Contacts table and select the Access Report link.  To export the user’s Access Report to MS Excel, select the icon in the top left-hand side of the window. User Access Reports

20 Managing User Rights and Permissions 2 – Access Control Overview 4 – Users 9 – Groups 14 – Rights and Permissions 21 – Process Permissions 25 – Organizations 32 – Account/Password Configurations

21  Even after a user has permission to view or update an investment, they still will not be able to access or view any data for that investment until the system administrator grants them access to specific eCPIC processes.  To grant process permissions, use the Admin module menu bar and navigate to: Access Control > Permissions > Processes. Assigning Process Permissions

22  The Process Permissions table allows system administrators to assign groups and users with permission to access specific processes.  To assign a process permission, find the desired process in the list, and select the Groups or the Users link to assign that process to either an entire group, or to an individual user. Assigning Process Permissions

23  Click the “Grant Access” checkbox next to the intended Users name. This same process can be done for groups. To expand how many users you can view at once, click the drop down box “show X results per page,” Once completed, select the button to save. Assigning Process Permissions

24 Managing User Rights and Permissions 2 – Access Control Overview 4 – Users 9 – Groups 14 – Rights and Permissions 21 – Process Permissions 25 – Organizations 32 – Account/Password Configurations

25 Organizations  Managing organizations, often referred to as bureaus, within eCPIC is an integral function that allows central tool managers to push down administrative responsibilities to the bureau level of the organization. Administrators should ensure that organizations are set up properly to make sure accurate information is captured.  Organizations are defined within the admin module and will populate the ‘Bureau’ field within the Descriptive Information section of the Exhibit 300 processes. Administrators can create, edit, delete, activate and deactivate organizations, as well as assign the role of Organizational Administrators.  To begin creating and managing organizations, use the Admin module tool bar and navigate to: Access Control > Organizations.

26 Adding an Organization  To add a new organization, click the Here link shown below.  Enter the organization’s Name, Abbreviation, and Bureau Number (required fields) in the pop up window, then click the Add Organization button.

27 Managing Organizations  Once the new organization is added, it will appear within the Manage Organizations page listing. Within this page, Administrators can edit, delete, activate and deactivate organizations, as well as assign the Organizational Administrators.  It is important to note that once an organization is associated within an investment in your agency’s portfolio, it can no longer be edited or deleted. To ensure historical accuracy, organizational alignment remains fixed within previous revisions of the investment.  As an alternative solution, administrators have the ability to deactivate the organization, which will not remove the historical reference within a revision, but will remove the organization as a field option within the Investment module.  Note: If an Administrator attempts to edit an organization that is assigned to an investment’s historical revision, they will receive a warning message. In this circumstance, an additional organization should be added to the listing and the original should be deactivated. Assign Org Admin Delete Edit Activate/ Deactivate

28 Assigning Org Admins  System administrators can assign the role of an Organizational Administrator (Org Admin) to any of the organizations listed. The Org Admin can create/update user accounts, import investments, and assign permissions to investments, portfolios, and OMB submission packages for the investments assigned to their organization.  To assign an Org Admin, click on the Assign link under the Org Admin column, as seen below.  Note: The Org Admin does not have access to investments by default. The system administrator must grant the Org Admin permissions to investments and processes.

29  Administrators will view the list of users that are available to assign as the Org Admin. It is possible to assign multiple users as an Org Admin.  To select an Org Admin check the box next to the user(s) that will be assigned as an Org Admin. Once you have selected the appropriate user(s) click the Update button at the bottom of the screen. Assigning Org Admins  After selecting Update, the administrator will be brought back to the Manage Organizations page. The Org Admin is now successfully assigned.

30 Org Admin Tool Bar  When an Org Admin logs into the system, they will be able to access the Admin module, but will have a limited set of menu options. The screenshots below that depict the options available to Org Admins versus System Administrators. Org Admin System Administrator Note: The Manage Permissions, Manage Users, and Manage Groups pages will only list a subset of the full list that is displayed for the System Administrator. The subset of the listings is based on the rights and permissions that have been specifically assigned to the Org Admin.

31 Managing User Rights and Permissions 2 – Access Control Overview 4 – Users 9 – Groups 14 – Rights and Permissions 21 – Process Permissions 25 – Organizations 32 – Account/Password Configurations

32 Enabling and Disabling New User Request Forms  System Administrators have the ability to enable and disable the New User Request feature within eCPIC. Select Active/Inactive under the User Registration section.  Click on the Update Configuration button at the bottom of the screen to successfully make the change.

33 Managing New User Requests  When User Registration is activated, a link saying “Request eCPIC Login” will appear on the login page, allowing users to submit new account requests.  When a new request is received, administrators will see a notification in the Admin module that alerts them off a pending request.

34 Managing New User Requests  Clicking a name on the Manage Pending Users will open up the user’s account request form.  Administrators can then select Approve or Deny to update the status of the new user request.  If approving a request, the administrator must provide the user with a username and a temporary password.  Administrators can add comments to the ‘Approval/Denial Comment’ box to provide rationale to the user for their approval or denial.  Once the administrator approves or denies a request, the user will receive an notifying them of their account status change.

35 Automatic Account Expiration  In order to avoid users accessing older accounts as well as reducing user management overhead for Administrators, Administrators can define an automatic account expiration period, defined in days. If a user does not login to the system at least once in the defined period, that user’s account is automatically deactivated, preventing use of that account.  To configure automatic account expiration, navigate to the Admin module and select App Config > Update Configuration. To apply automatic deactivation, under User Account Deactivation select the radio button next to “Automatically deactivate accounts if the user has not logged in for [X] days.” In the text box in that line, enter the number of days the user has to log in before their account is deactivated. Click the Update Application Configuration button to save changes. Note: Deactivating an account does not delete that account or its settings, nor does it affect historical references to that user (such as actions taken in the audit log). Deactivation removes that user’s ability to log in to the system.

36 Password Configurations  eCPIC allows administrators to manage password configurations for all eCPIC users. Administrators should configure their site based on the Security Requirements and Procedures found in the Memorandum of Understanding (MOU) between the General Services Administration (GSA) and the participating agencies. See slide 41 for the specific GSA security requirements that must be implemented in accordance with the eCPIC MOU.  To begin managing your agency’s eCPIC password configurations, navigate to the Admin module and select Access Control > Password Configuration.

37  Shown below are the settings that an administrator can update to configure passwords within eCPIC.  After configurations are updated, click the Update Password Configuration button at the bottom of the screen. Note: The example shown below complies with the minimum security requirements outlined in section eight of the MOU. Review the MOU requirements when managing password configurations for your site. Managing Password Configurations

38  eCPIC has a password reset functionality that allows users to rest their password without having to notify the Administrator. The Password Reset functionality can be activated or deactivated by the System Administrator as a system wide setting.  To activate the Password Reset, navigate to the Admin module and select App Config > Update Configuration. Under the Password Reset field, select Activate to allow the Password Reset functionality. Click on the Update Application Configuration button on the bottom of the page to apply the feature. Note: When allowing for the Password Reset functionality to be enabled, the user will receive an with a new password. This is sent to the user’s address that is stored in the eCPIC database for that user account. If no address is associated with the user’s account within eCPIC, the user’s password cannot be reset using the password reset functionality. Managing Password Reset

39 Session Expiration  An additional requirement that is specified in the MOU is a session expiration time limit. This will allow System Administrators to set the time limit for active sessions for all end users. The requirement’s objective within the MOU was to terminate any users active session when they have been inactive for 30 minutes.  To configure the session expiration, navigate to the Admin module and select App Config > Update Configuration.

40 Session Expiration  The ‘Manage Applications Configuration’ page allows Administrators to view the many options that can be configured. At the top of the screen, under Session Expiration, select the drop down box next to User Session Time. Select 30 from the drop down list to update the user session expiration time.  Click on the Update Configuration button at the bottom of the screen to successfully set to the required timeout as specified in the MOU. 30

41 GSA Security Requirements When using the eCPIC system hosted by the Managing Agency, the Participating Agency shall:  Use up-to-date virus protection software on all systems accessing the eCPIC system.  Be responsible for, and may be held accountable for, all accesses made with usernames and passwords.  Lock user accounts after three (3) unsuccessful login attempts.  Notify the eCPIC Help Desk immediately of all significant security incidents.  Ensure all users of the system:  Complete security awareness training annually.  Use passwords that contain a minimum of 8 characters and a combination of letters, numbers and special characters.  Maintain the confidentiality of their passwords.  Change passwords upon initial access to the system, and at least every 90 days; and  Terminate user sessions when inactive for 30 minutes.  Upon written request by the Managing Agency, provide evidence of completion or compliance with the above as appropriate.