Getting Started with the Federated Authorization FedAuth Community

Overview

The new Federated Authorization Community will allow University faculty and staff to request access to the University's enterprise systems and data—including requests for Employee Mart, the Student Information System (PeopleSoft), the Student Mart, the General Ledger (GL) Mart, the Employee Mart, and Responsibility Center Administrator (RC Admin) access. The system also handles the entire approval process, routing user requests to any appropriate Human Resources, Security Contact, Data Steward, and RC Admin approvers. Access is then implemented by the Pitt IT Analytics team.

Key Benefits

Access the system easily without restrictions–You can access the Federated Authorization Community from any device and using almost any web browser.
Improve workflow efficiency–Use one central, streamlined location to handle data and enterprise system access requests and approvals reduces time to process requests substantially.
View and manage requests transparently–As a requester, receive email feedback about the status of your request(s). As an approver, quickly view and handle any requests requiring your attention.

Detail

Getting Started

To get started or have questions answered, please contact one of these three groups:

Financial Data Approvers for information about the General Ledger (GL Mart).
Responsibility Center Administrators (RC Admin) for information about RC Admins.
Security Contacts for information about PeopleSoft and the Student Mart.
Responsibility Center Authorized Approvers (RC HR Approvers) for information about Employee Mart.

Make a selection from the following options:

Submitting a Request

Log in to the Federated Authorization Community.
Click one of the following tiles:
- PeopleSoft
- Student Mart
- General Ledger (GL) Mart Users
- General Ledger (GL) Mart Groups
- Responsibility Center Administrator (RC Admin)
- Employee Mart
Note: Approval Requests are handled below.
Enter all required information. If the form has multiple pages, fill each page out, then click Next Page. Click Submit.
Your access request is routed and—pending its approval(s)—is granted. You will receive an email message that indicates your request’s final status.
If you are an approver, you can see the comments in the Approval History list to see all the information about why your request was approved or not.
Note: If a request for Federated Authorization resources is not approved, you can reapply making sure that your new submission satisfies all additional submission criteria.

Checking the Status of a Request

This option is only available to those who can approve requests. All RC HR Approvers, RC Admins, RC Financial Approvers, and Security Contacts have access to all requests. Please reach out to your Approver for a status update on the request. If they are not able to give you an update, then contact the Technology Help Desk at 412-624-HELP (4357).

View your Pending Approvals

Log in to the Federated Authorization Community.
Click the Approval Requests tile.
If you are a member of an approving queue, such as a Security Contact, the approval list is divided into two sections with the top section showing your pending Federated Authorization requests. Click the Record link of an access request to view and manage information about it. The lower section contains a set of adjustable list views for Approval Requests of varying statuses and types and may include ones that are not pending action from you (for example, All Open GL Mart Requests).

Note: You can use the Search field to narrow your search to a single name or username.

Filter your Approval Requests

You can apply filters to look at specific groups of Approval Requests

Log in to the Federated Authorization Community.
Click the Approval Requests tile.
The approval lists is divided into two sections with the lower section showing a table that you can use to filter specific groups of Approval Requests. Click one of the downward-pointing arrowheads in the table headers ('v'), then make a selection from the drop-down list to apply a sorting filter to the table.
The Approval Stage for approved access requests will be listed as Approved, while those that still require authorization will be listed as Pending.
You can see the full history and comments in the Approval History list, including all the information about why your request was approved or not.

Approving a Request

This option is only available to those who can approve requests. Approvers see requests based on their role(s).

When you receive an email to approve a request, click the link provided, then log in to the Federated Authorization Community.
Click the Approval Requests tile.
In the My Pending Federated Authoization, click the Record link of an access request to view and manage information about it.
Review the Items to Approve section. Click View All to see more information about a specific item.
Review the details found in the right-hand column, including any (but not necessarily all) of the following:
- Authorization Request
- Career/Campus/Academic Center
- Details of the Request
- Division and Department Information
- Requestor and Requestee Information
- General Request Information
- Restricted Data Requested
After completing your review, locate the Approval History section, then click Approve.

For the entire request history so far, to view role/title, and to view or add comments to the request, click View All.
Type your comments then click Approve.
The process is repeated if additional approval for a request is needed.
Note: All requests are routed to Information Technology for final approval.
The requestor receives an email notification when the request is granted and completed.

Denying a Request

This option is only available to those who can deny requests. Approvers see requests based on their role(s).

When you receive an email to approve a request, click the link provided, then log in to the Federated Authorization Community.
Click the Approval Requests tile.
Click the Record link for an access request.
Review the Items to Approve section. Click View All to see more information about a specific item.
Review the details found in the right-hand column, including any (but not necessarily all) of the following:
- Authorization Request
- Career/Campus/Academic Center
- Details of the Request
- Division and Department Information
- Requestor and Requestee Information
- General Request Information
- Restricted Data Requested
After completing your review, locate the Approval History section, then click Reject.
Type your comments, then click Reject.

Note: You can view any of your posted comments via the Approval History.
The requestor receives an email notification when the request is denied:

More Ways to Get the Most from the Federated Authorization Community

Frequently Asked Questions

How are approval requests routed?

The following table identifies all the University administrators involved in approving your Federated Authorization Community requests:

	Scenario Name	Initiated by	Pre- Submission	1st Level Approver	2nd Level Approver	3rd Level Approver	4th Level Approver	Notes
PeopleSoft	Select 1 diamond/restricted role or Select 2 diamond/restricted (different data stewards) roles	User or Security Contact	User Agreement (if Security Contact), Send Supervisor Notification	Security Contact (RC of requestee)	Data Steward* (one approver)	Pitt IT Security	Student Systems	* indicates optional step if the approval component is a diamond/restricted role
PeopleSoft	Select no approval components or Do not select diamond/restricted role	User or Security Contact	User Agreement (if Security Contact), Send Supervisor Notification	Security Contact (RC of requestee)	(skipped)	Pitt IT Security	Student Systems
GL Mart	User Submits or Supervisor submits	User or Supervisor or RC Financial Approver		Supervisor	RC Financial Approver	Financial Data Steward	Pitt IT Analytics*	* indicates implementation rather than approval
GL Mart Group	User submits	User or Supervisor or RC Financial Approver		Supervisor	RC Financial Approver	Financial Data Steward	Pitt IT Analytics*	* indicates implementation rather than approval
Student Mart		User or Security Contact	User Agreement (if Security Contact), Send Supervisor Notification	Security Contact (RC of requestee)	Data Steward*	Privacy Officer*	Pitt IT Analytics	* indicates optional step if the approval component is diamond or restricted role
RC Admin		RC Admin	Send Supervisor Notification	RC Admin	Pitt IT Security
Employee Mart	No Highly Restricted Data or Additional RCs Selected	User or Supervisor	User Agreement	Supervisor Approval	RC Authorized Approver (RC HR Approver for the RC of the Requestee)	Pitt IT Analytics
Employee Mart	Restricted Data Selected	User or Supervisor	User Agreement	Supervisor Approval	RC Authorized Approver (RC HR Approver for the RC of the Requestee AND Any Additional RCs)	*HR Data Steward and/or Privacy Officer	Pitt IT Analytics	*Any Highly Restricted Data selected will lead to additional approvals

What happens to a request when there are multiple approvers?

The request goes in to a queue and any approver can review, then accept or reject the request.

Are there steps that I can take as an approver to add information to my approvals?

In addition to adding comments, a site feature lets you post notes to the request using the Notes section.

How will I be notified about pending requests that require my approval?

You will get an automated email when the request is submitted and receive reminder messages containing the links to each approval request that is pending every Tuesday and Thursday.

As a Data Steward or other Approver, can I approve a portion of a request and deny another part?

No, to remain compliant with audits, requests cannot be partially approved and processed. If any portion of the request is not appropriate, you must reject the request. Please include comments to the Requestor on what to change in the new request, so that the new request can be fully approved.

What steps can I take if I wish to resolve a request that was not approved?

You can submit a new request making sure that you address the specific reason(s) for its rejection.

If my request is not approved at any stage of the approval process, will I be contacted?

Yes, you will receive an email with information about why the request was not approved.

Are there situations in which the use of adding additional documentation to an approval request is necessary?

Yes, additional documentation, including the use of comments and notes, is needed if an approval request for information is made outside the Requestee's own RC.

Both All-Temps approval requests and Financial Data approval requests outside of your area fall under this category.

As an All-Temps employee, how is my Federated Authorization access request routed?

All Temps falls under RC 89 – Human Resources, so all Federated Authorization requests will be routed through the Security Contact(s) for RC 89. However, prior to officially submitting the request, the supervisor of an All Temps employee or the Security Contact of the department where the All Temps staff is assigned should discuss the access request details with the Security Contact for RC 89.

As a Security Contact, will I still receive a request to authorize a request that I have submitted?

Yes, the workflow determines that Security Contacts must authorize/digitally sign all requests in that portion of the workflow, even if you are the original requestor of the form.

I get an error that reads “5. Create Approval_Request__c - Issue with the requestee data. Please contact support.” How can I proceed?

This error indicates that the requestee username is not a primary account. If the account was recently converted to primary, you may need to wait up to 48 hours for the permissions to matriculate into the Federated Authorization Community.

Sponsored accounts generally will not have access to privileged data through the Federated Authorization process. If you believe that the requested account is a service account that is entitled to data protected by the Federated Authorization process, please enter your own username as the requestee. In the Request Details and Justification section, list the name of the sponsored account and the owner of the account. Include any additional information that will be important to the approvers.

What tasks can a Responsibility Center Administrator (RC Admin) perform?

Responsibility Center Administrators can perform the following tasks:

Add additional email addresses (called email aliases) to individual accounts and groups
Create and modify Exchange resources (used to schedule rooms, equipment, and services)
Restrict who can send email to a group
Require authentication to be able to send email to a group
Convert groups between “mail-enabled” and “not mail-enabled”
Show or hide groups within the Global Address List
Grant “full access” or “send-as” rights to Resource Account mailboxes
Set a customized out-of-office message for a user in your responsibility center who is no longer with the University

Where can I learn additional information about RC Admins?

You can learn more here.

Who are the Financial Data Stewards?

Peter L. DeNardis (pld7@pitt.edu)

Where can I find the list of Approvers for my Request?

The Financial Data Approvers list is here.
The Responsibility Center Administrators (RC Admin) list is here.
The Security Contacts list is here.
The Financial Data Stewards list is here.
The Employee Mart Responsibility Center Authorized Approvers (RC HR Approvers) is here>.

How do I find a username?

To find usernames:

Contact your RC Administrator or your department's IT Contact.
Use Find Pitt to look up the email address of the user. Unless the person is using an alias, the username will appear before the @ symbol (for example jdoe if the email address is jdoe@pitt.edu). If the user is using an alias, it will be different from the username—aliases will be greater than eight characters or it will contain a period (.), dash (-) or underscore (_) and be greater than 4 characters.

Note: Requests to clone user access must include the username of the requestee. For PeopleSoft, only row level access can be cloned. Roles must be selected in the form, or outlined in the Request Details and Justification section if the roles are not selectable on the form.

Are there steps I can take if I need to make specific Federated Authorization access requests to specific departments, rather than an entire school?

Yes. When you submit your request, list any relevant details or specifications, including department or other row-level access.

May I submit a request to clone or duplicate the access of a user who has restricted roles or permissions?

All restricted roles and permissions must be individually selected and justified to ensure proper routing through the Data Stewards. For PeopleSoft, to lookup the roles of an existing user, follow the instructions here: http://pi.tt/SISUserRole.

Are there steps I need to take if I need access to restricted data that is not part of my Responsibility Center (RC)?

Yes, use the following guidelines:

Notify the RC Admin for your location. They should contact the appropriate RC approver in the area where the data resides.
If you need access to restricted data, Data Stewards approval is part of the request workflow.

More Federated Authorization Resources

Employee Mart

Using Tableau for Employee Mart Data

Federated Authorization

Process for Designating Federated Authorization Security Contacts

PeopleSoft

RC Admins

Governance

Release Notes

The following table provides a brief history of changes to the Federated Authorization Community:

Date	Change	Description
January 5, 2021	New Approval Features Coming to the Federated Authorization Community	Two-column page layout – contains all comments for the approval history list, providing information on why a request was approved or not. My Pending Requests feature – allows approvers to view and process all of their open approval requests without needing to conduct additional searches.
March 15, 2022	New Reminders for Federated Authorization Requests	Approvers will receive an email every Tuesday and Thursday with a reminder to view and process any open approval requests. The message will have a link to each Approval Request.
June 1, 2022	Updated Approval Requests Screen	Under Approval Requests view additional descriptive information about pending approval requests, including record type and request type. The requests screen is now divided and shows a new top section with Pending Requests information followed by the familiar Approval Request List Views section.
December 21, 2022	Employee Mart Added	Employee Mart has been added as a new type of Access Request.