wiki:queryConsultants]

Version 1 (modified by lttoth@…, 7 years ago) (diff)

--

Steps to Manage Query Access to PROD for Consultants

There are a few consultant IDs that have been created, but no SUPER classes were assigned because all they needed was query access to PROD. These are very unique requests, but, as you know, Rex still wants these to go through IAM.

I put the essential points in BOLD just to make it easier for you to identify when you need to go back and look at this information. I can put it in our wiki, if you have a suggestion of where we might detail how to manage Consultant accounts.

There is one thing to keep in mind when creating any consultant account, and two specific steps to check for those that ONLY have QUERY PROD access.

Insert Required for All Consultant Accounts

First: All consultant accounts, when created also need a termination date set for 6 months from the day of creation. Otherwise, we never know to remove them and Rex never knows to terminate PROD access. We also need to know who they are consulting for, otherwise, we can't check with the requesting department to see if they need to continue despite the last work date.

Here is a sample consultant creation query that could have been used for SHAMW:

{{ INSERT INTO ZTBUSRH (ZTBUSRH_LOAD) (ztbusrh_user_acct_id, ztbusrh_first_name, ztbusrh_last_name,

ztbusrh_middle_initial,ztbusrh_user_uid, ztbusrh_misc1, ztbusrh_misc2, ztbusrh_last_work_date)

VALUES ('shamw','Allison','Waldmann',

'M',-1,'-1', 'Waldmann/Allison? M, EllucianOIT EAS Consultant',

to_date('31-JUL-2018','DD-MON-YYYY'

); }}

SUPER Class Created Specifically for These Users

Unless we have at least one class assigned to these unusual users, when they come up for termination the only place there might be a record that they have PROD query access is in ZUAUSR Administrative documents/Consultant Records sheet. IAM won't know to notify the DBA team to terminate the account. CSM_CONSULTANT_QUERY_ONLY has been added to ZUAUSR to act as a place holder for these consultants.

When the entry appears in the ZUAUSR processing queue, simply mark it as complete.

DBA Reference Document for Query Access Users

The DBA team keeps a record of who has query access at this link which is how I knew they had privileges that we would not know to terminate: DBA Provisioned Users