Body
Overview
This article outlines the differences in security access throughout OneUSG Connect as it pertains to assigning and updating access:
Row Level Security Permission List Overview
-
Row level security (RLS) permission list is an access list assigned to everyone in OneUSG Connect. This allows the data that can be retrieved throughout OneUSG Connect to be tightly secured to certain units. This ties into the roles available for every user as well.
-
For example, a person with the HR Job Inquiry role with the (RLS) of BOR_N143_FCS_180 has access to job data throughout the entirety of the College of Family and Consumer Sciences.
How RLS Functions in OneUSG Connect
-
To understand the scope of RLS, it helps to break it down into three distinct layers:
-
The Identity (Who): Every employee in the system is assigned a UserID.
-
The Role (Action): This determines the pages and components you can see. For instance, the HR Job Inquiry role allows you to look at job data,but it doesn't specify whose data.
-
The Permission List / RLS (Scope): This acts as a data filter. It limits the search results returned by the database to a specific population,such as a "Business Unit" or campus-wide access. While the Role determines what you can do, this layer determines exactly who or what you are allowed to see.
The red outline shows the name of the RLS, while the blue outline shows all the departments that can be accessed by the RLS
TL Group IDs
-
TL Group IDs or Dynamic Group IDs provide the ability for individuals other than the employee, Reports To (supervisor/manager), and Time & Absence (TA) Approver (if separately identified) to view/edit timesheets. This access is separate and outside the scope of the RLS. This distinction is critical for maintaining system integrity: while a user’s RLS profile may grant visibility into an employee’s record or timesheet, their specific TL Group ID assignments grant authority exclusively for the viewing and editing of timesheets.
-
The last three digits of the TL Group ID corresponds to the HR department the TL Group ID can access. Example: D180285 is tied to HR department H1000285-CAES-Plant Pathology
Business Practice Expectations for TL Group IDs
While the TL permission list provides flexibility, it is not intended to replace the standard time entry process.
The Expected Workflow:
The employee enters their own time. This is the best practice for accountability and data integrity.
Managerial Override When the employee is unable to enter time (e.g.,unexpected leave or technical issues), the Reports To manager or the Time & Attendance(TA) Approver handles the entry.
TL Group ID Provisioning as a last resort and infrequent option, specific individuals can be granted TL Group IDs.This allows for broader timesheet editing capabilities but should be monitored to prevent it from becoming a workaround for standard processes
Conclusion and Additional Resources
Understanding the distinction between Row Level Security (RLS) and Time & Labor (TL) access is critical for maintaining system integrity and data security. While RLS acts as a broad data filter across the entire HCM system , TL Group IDs provide specific, limited authority for viewing and editing timesheets. To maintain proper internal controls, access should be limited to 1–2 backups for infrequent use, rather than replacing standard employee or managerial entry processes.
Additional articles: