Set Up and Maintain Users, Administration, Security - Materials Management and Financials Version

Contents

Overview

The Work in Administration menu contains the tools for system administration at your site. In particular, the user administration panels allow you to define new users and give them access to the areas in which they will work. The user administration feature is located in the Administration contents, and includes several areas: Data Profiles, Report Profiles, Roles, Users, and User Settings. You must be a system administrator to access the Administration contents.

To set up a user at your site, you need to enter identifying information and system feature authorizations into the person's user profile. A user profile is the repository for user identity information, and for the security settings and permissions that give the user access to system capabilities and organizational/department data. A user profile includes the user’s name, ID, password, email address, etc. When you create a new user profile for a staff member, you assign the user a role and a data profile.

Note: If your site uses SSO (single sign on), user profile details are added once the single sign on credentials for the user are established. Your Premier Consultant can assist. (See the discussion below.)

A role specifies task and ERP feature areas -- called role objects -- that users assigned to the role may work with. For example, the Buyer role includes the Approval role object. The DistributionClerk role includes the role objects Distribution (picking/issuing) and Receiving, among others. Roles determine the features and functions that a user can access. Several roles are provided for your use when the system is implemented, but you can edit these, copy them, and create others.

• To view roles, select Work in Administration > Administration > Roles.

Each user profile also has a data profile associated with it. A data profile specifies the regions, organizations, and departments whose data the user can work with.

• To view data profiles, select: Work in Administration > Administration > Data Profiles.

A user's assigned report profile makes the appropriate reports accessible to the user. You will want to restrict users from creating and running certain types of reports, and allow them to create and run other reports. For example, check printing runs in the system as a report. Most likely, you will want to authorize only a few users to print checks. Similarly, only a few users in each department will need the Department Expense Report.

Users who do not have a report profile assigned can access all reports. When the System Values field All Users Have Authority to All Reports is set, users can access all reports that they created, and all shared reports. Active Reports (such as the Inventory Transaction Register in Materials Management) are not affected by the Report Profile value. All expense reports are governed by the Report Profile.

• To view report profiles, select: Work in Administration > Administration > Report Profiles.

For any user, certain functions -- such as working with patient information, approving requisitions, and posting journal vouchers to the General Ledger -- need authorizations set in the user's profile. User authorization settings, limits, and similar types of user profile information are in this section as well.

• To view a list of all users with authorizations and permissions in summary form, select Work in Administration > Administration > User Settings (All Columns)

Mobile Applications on the iPad

Security for iPad ERP applications has some unique considerations, but also includes roles, data profiles, and user authorizations described in this document. You may wish to refer to the topic Mobile Application Security Administration.

Setting Up Vendors' Users

Some sites may wish to give a vendor's users access to the vendor's purchase orders in their supply chain data. If you are the administrator responsible for this task, the steps are similar to setting up any other user, except that a Vendor Security Code must be created and included in the vendor record. The Vendor Security Code is also specified on the data profile assigned to the vendor's users. A new role (VendorAccess) is also available. Instructions for this setup situation are in a separate topic: Setting Up Vendor Access to Supply Chain. However, we recommend that you read the information below to get the "big picture" of user setup and to understand the different terms.

HIPAA Requirements: User Authentication and Protection of Patient Data

Features are built into the system to ensure the privacy of electronic protected health records (ePHI), in compliance with HIPAA requirements.

Key areas of the application have been designed to protect patient data:

• User authentication procedures include rules for strong passwords.
• The authority to view patient data fields on system panels, reports, and downloaded files is set by a user security flag.
  Patient data is not accessible to users whose setting on the security flag restricts them from working with ePHI records.
• Logs are available to track and display user access and changes to ePHI data.
  Logs track users who viewed and downloaded ADT (admission, discharge, transfer) transactions and patient charge imports and exports. Logs contain the names of the files actually used.
• For features that contain patient information, audits display changes in ePHI data. For example, audits of purchase order/requisition lines that contain patient information are available. Except, patient data in any audit is not visible to users who are restricted from working with ePHI records.

A detailed discussion with examples is available in the chapter "Securing Electronic Protected Health Information."

Work with User Roles

When your system was implemented, several user roles were defined. You can assign these roles to users at your site, as needed, and you can create new roles as well. For quick setup of users, copy a role template. Then, edit the copy to tailor the role to your own needs. See Quick User Role Setup.

To view roles and role objects for your site,

1. From Work in Administration on the main Contents, Administration > Roles.
   The list of roles appears. Figure 1 is an example from the middle of a list.

Figure 1 - Sample List of User Roles

Role objects define the features that users in a particular role can access. For example, the APClerk role encompasses the role object Invoicing. This role object allows an AP clerk to match invoices. The Buyer role, for instance, includes the role object Approval. This role object allows a buyer to approve requisitions. Figure 2 is a list of role objects for the DistributionClerk role:

2. To view the role objects associated with a role, next to the role, click Role Objects.
   The Role Objects list appears (Figure 2).

Figure 2 - Role Objects for Distribution Clerk role

Users in different roles may have different levels of access set for the same role object. For instance, in some organizations, both a distribution clerk and a buyer may work with purchase orders (Purchasing is the role object.) But, the buyer needs to create POs, whereas the distribution clerk may only need to view POs occasionally. For the Purchasing role object, then, the Administrator defines a security level of View for the DistributionClerk role (Figure 2) and Create for the Buyer role. Security levels from greatest to least scope are:

All - Users can delete, create, modify, or view data.

Create - Users can view, modify, or create data. For Item Add, for example, users with the create security level can create new items, and can copy items as well, but they cannot delete items.

Modify - Users can change the data.

View - Users in the role can view the data, but not change it in any way.

None - Users have no access to the data or function.

If a user has a security level of None for a given role object (for example, the ItemAdd role object), then the functions (Consolidate Item Add and others) that the role object controls do not appear on the menu for that user. You can customize the menu for any user in other ways, as described in Customizing the Table of Contents for a Role.

A discussion of role objects for Sourcing and Contract Management is in the section Role objects associated with Sourcing and Contract Management.

View Role Objects and the Application Features Associated With Each

To view the actions/features allowed by each role object, click Menu > Has Access To... next to any role object in the list (Figure 2). The allowed actions/features for the role object appear (Figure 3). Figure 3 displays the first page of accessible actions for the Purchasing role object in the DistributionClerk role.

Figure 3 - Actions Allowed for Role Object Purchasing for Role Distribution Clerk

System administrators can view the role objects and the features for each in Microsoft Excel worksheet form. Worksheet details include the role object setting (e.g., View, Modify, Create, All, None) assigned to each user Role at a site. The features or activities that the setting allows are specified by check marks.
Note: The spreadsheet is read-only. You cannot modify its contents.

To view role objects and features/activities allowed for each role,

1. From the Work in Administration main Contents, select Administration > Roles, Security Worksheets.
   A window appears asking if you would like to open or download the worksheet.

2. Click Open. (You can also Save the worksheet to a local folder, if you wish.)

The Role Objects worksheet appears. Figure 4 is an example of part of the worksheet for a site.

Figure 4 - Part of the Role Objects Worksheet

In the A column, the worksheet displays the role object "Vendors." The B column contains each feature/action that the role object controls. Subsequent columns are minimum settings for each role object and the different user Roles at the site. Under each Role is the role object setting for that role, and the features/actions that are "turned on" by the setting, specified as check marks.

In Figure 4, for example, two roles "AP Clerk" (orange) and "Buyer2" (red) have the settings Modify and All, respectively, for the role object "Vendors". Reading down the worksheet columns, AP Clerk has a check in the row Add Vendor Select Type\ Edit*, but not in the row Add Vendor Select Type\ New*. The Modify setting allows users with the AP Clerk role to edit vendor records, but not to create them.

Compare the AP Clerk role to the Buyer2 role. Buyer2 has the setting All for the "Vendors" role object. Buyer2 can edit vendor records, but can also create vendor records, as specified by the check in the row Add Vendor Select Type\ New*.

Note: With the role objects "Maintain Item Catalog" and "Maintain Item Inventory," a chart lists the panels and capabilities governed.

To create a new role,

A. Enter the header information

1. From Work in Administration on the main Contents, select Administration > Roles. The Roles list appears.
2. Click New.
   The Role header panel appears (Figure 5).

Figure 5 - Header Panel for Creating a New Role

3. Complete the fields on the header as needed.
   The Default TOC is a required field. You can customize the table of contents to omit contents that users in the role will not need.
4. Click Submit.
   The Roles list reappears.
5. Click Refresh.
   You can now see the new role.
6. To leave the Roles list, click Back or close the tab on Internet Explorer.

B. Assign role objects and security levels to the new role.

1. Locate the role that you created on the Roles list.
2. Select Role Objects. The list of role objects appears.
3. Review the list for each role object to determine if you want to change the Security Level. The security levels have an initial default of All (unless you have copied a role).
• To change a security level,
  - Next to a role object, click Edit. The Role Object panel appears.
  - Select a new security level from the Security Level drop box. The choices are: All, Create, Modify, View, None.
  - Click Submit. The Role Object list appears.
4. Click Refresh to see the changed security level.

C. Create a customized main Contents for the role

If you need to, you can create a customized main contents for a role. The customized contents lets users with that Role only see areas of the system that you want them to see.

Special Role Objects for Departmental Records

Sites would like the ability to control which users are able to display and edit departmental data. Department records are available from this location: Materials Management main Contents > Requisitioning > Departments.

The role object DeptReqView controls users' ability to create, edit, and view department records. This new role object works in tandem with the role object DeptReq to provide access as follows in Table 1:

Table 1 - Role Objects that Control Departmental Records

Customize a Table of Contents for a Role

You can restrict users' access so that users in certain roles do not see parts of the system that they do not work with. The Contents that these users do see only contains the allowed features. Notice that the last column in the Figure 1 Roles list - Web Default TOC - contains the default table of contents for users assigned to each role. You customize the table of contents for a role by omitting menu areas.

To customize a table of contents,

1. From Work in Administration on the main Contents, select Administration > Roles. The Roles list appears (Figure 1).
2. Locate the role for which you want to create a customized main Contents.
3. Click Menu > Omitted Menu Options.
   The Menu Options Omitted list appears. (No Data appears if no menu options have been omitted for the role.)
4. Click New.
   The Omit Menu Options by Role selection panel appears. (Figure 6).

Figure 6 - Omit Role Menu Options: Select Panel for Customizing a Role's Contents

5. Select the checkbox next to any menu item that you wish to exclude. Users assigned to the role will not see menu items that you select.
   If you wish to allow a user to access a menu item that is on this list, unselect the item.
   Note: The menu options are listed on several pages. Be sure to scroll forward so that you do not miss any.

6. Click Submit.
   The Menu Options Omitted list appears.
7. To view the menu items that you have omitted, click Refresh

• Log out and then log in again to view the effective menu option changes.
  
  Note to Administrators: As with other menu selections, the Online Help and the Online Training menu items can be turned off from the Omit Role Menu Options panel (Figure 6).

Reports on User Roles

You can create reports on the security roles and role objects defined for users at your site. The "Security Roles and Objects" Report Object is available for creating the reports. See the discussion of Creating Custom Reports for instructions.

Work with Data Profiles

Data profiles specify the region, organization, department, and asset location data that a user may access. For example, a buyer's data profile identifies which organizations/departments the buyer can make purchases for. Each organization and department in a hospital has its own data records.

To create a data profile,

A. Create the profile header

1. From Work in Administration, select Administration > Data Profiles. The Data Profiles list appears (Figure 7).

Figure 7 - Sample Data Profiles List

2. Click New. The Data Profiles header appears.

3. Complete the fields in the header.

• Enter a name for the data profile in the Data Profile field. This field is required.
• Enter a description of the data profile in the Description field.
• Select the Allow Access to Restricted Vendors field, or leave it blank.

  A vendor is designated as "restricted" on the vendor record. This field gives users with the data profile access to information for restricted vendors.
  When a vendor is restricted, a user cannot see purchasing, invoicing, or vendor data unless the Allow Access to Restricted Vendors field is selected.
  Specifically, if this field is not set, the following are not available for restricted vendors for any user with the profile:
  
  On the Purchasing menu:
  - Purchase Orders
  - Authorize PO
  - View Deleted POs
  
  On the Invoicing menu:
  - Create Invoice From Purchase Order
  - Invoices
  - Exception Invoices
  
  On the Vendors menu:
  - Vendors
  
  On the Quick Click menu (and other menus):
  - PO Vendors
  
  You cannot restrict a vendor unless at least one data profile allows access to restricted vendors.
  Likewise, you cannot remove the "allow access" flag from a data profile if it is the last data profile where the restricted field is set and a restricted vendor exists. You get a hard error in either of these cases.

• If you are setting up a user for a vendor, enter the Vendor Security Code. (See Setting Up Vendor Access to Supply Chain.)

4. Click Submit. The Data Profiles list reappears.
5. Click Refresh to view the new data profile header.

B. Select/Omit Organizations

Several system features (such as inter-organizational processing of inventory) require access to multiple organizations' data. A user's job function (such as an accounts payable manager) may also require access to several organizations' records. Permissions for access to organizations' data are set in the user's data profile.

1. Select Administration > Data Profiles.
2. Locate the data profile header that you created using the Data Profile header panel.
3. Click Menu > Valid Organizations. No Data appears.
4. Click New. A list of organizations appears (Figure 8).

Figure 8 - Data Profile Organizations Select List

5. Select the checkboxes next to any organizations that you wish to include in the data profile. Users assigned to the data profile will have access to information for the organizations selected.
6. If your site identifies geographic regions, click the Regions tab and select the regions to be included in the data profile.
7. Click Submit. The Data Profiles list appears.
8. Click Refresh to view your new list of organizations.

C. Select/Omit Departments

Many users -- such as distribution clerks who do par cart processing, or financial staff who handle accounts -- need access to data for departments other than their own department. To access data for different departments, permissions must be set in the user's data profile. Similarly, some users -- such as warehouse staff who work with multiple inventories -- need access to multiple asset locations' data. This section explains setting permissions for department data access. Following this section are instructions for setting permissions to asset location data. (The instructions assume that you currently have no permissions set.)

1. Select Administration > Data Profiles.
2. Locate the data profile that you created using the Data Profile header panel.
3. Click Menu > Valid Departments. No Data appears.
4. Click New. A list of departments appears (Figure 9).

Figure 9 - Data Profile Department Select List

5. Select the checkboxes next to any departments that you wish to include in the data profile. Users assigned to the data profile will have access to information for the departments selected.

6. Click Submit. The Data Profiles list reappears.
7. Click Refresh to view the list of departments.

D. Select/Omit Asset Locations

1. Select Administration > Data Profiles.
2. Locate the data profile that you created using the Data Profile header panel.
3. Click Menu > Valid Asset Locations. No Data appears.
4. Click New. A list of asset locations appears (Figure 10).

Figure 10 - Data Profile Asset Location Select List

5. Select the checkboxes next to any asset locations that you wish to include in the data profile. Users assigned to the data profile will have access to the asset location(s) selected.

6. Click Submit. The Data Profiles list appears.
7. Click Refresh to view the list of asset locations.

Restricting Users from Editing Asset Location Records and Item Inventory Records

You can adjust user security so that a user can order items from multiple asset locations, without necessarily being able to maintain those asset locations.

The field Allow Changes to Asset Location and Inventory (Figure 11) on the Data Profile Asset Location panel controls the user's ability to edit asset location records and item inventory records for an asset location.

Figure 11 - The Data Profile Asset Location Panel with the "Allow Changes to Asset Location" Field

• The field is selected by default.
• If you unselect the field, the user can only order items from the asset location inventory.

The field Allow Changes to Asset Location and Inventory also controls access to these menu options from the Item Inventory - All Locations menu (Figure 12):

On the User Profile Authorities tab, the field Allow Pipeline Days Reset controls access to the menu option Reset Stock Item Pipeline Days on the item inventory menu (Figure 13).
For details, see Pipeline Days in the inventory edit chapter.

Figure 13 - Resetting the Pipeline Days for a Stock Item

Note: Also, the Inventory role object (Maintain Item Inventory ) must have its security level set to View (or higher), and must be included in the role that is assigned to your User ID. To be able to change Item Inventory information, the Inventory role object (Maintain Item Inventory ) must be set to Modify (or higher).

To display the Data Profile Asset Location panel and change the setting in Allow Changes to Asset Location and Inventory,

(Note: This procedure requires System Administrator privileges.)

1. From the Work in Administration main Contents, select Administration > Data Profiles.
   The list of data profiles appears.
2. Locate the data profile of interest in the list.
3. Click Menu > Valid Asset Locations.
4. Locate the asset location of interest.
5. Next to the asset location, click the edit icon or Menu > Edit.
   The Data Profile Asset Location panel appears.
6. Unselect (or re-select) the box for the field Allow Changes to Asset Location and Inventory.
7. Click Save and Submit.

Payroll Account Security

Security for payroll journal vouchers lets managers prevent a user from viewing imported journal voucher payroll data for specified organizations/departments, while retaining visibility to other types of journal vouchers for a department.

This security feature covers both payroll accounts and statistical payroll accounts, and applies to ERP departments only (not SCM departments). It applies to imported journal vouchers whose Journal Voucher Type is Payroll. (Manually created journal vouchers cannot be defined with the Journal Voucher Type of Payroll.)

Enabling a User’s Restriction for Payroll Data

Security is set in these areas:

1. In a Data Profile, selecting/unselecting a flag that governs access to payroll JVs for any department/organization in the Data Profile. For any selected departments, any user assigned the Data Profile cannot see payroll journal voucher details, but can display details for other types of journal vouchers.
2. In a user’s role through the role objects PayJV (General Ledger Payroll Journal Vouchers) and PayJVDtl (General Ledger Payroll Journal Vouchers Detail).
3. Selecting the field Allow Access to Payroll Journal Voucher Detail on the User Profile GL Limits tabbed panel (Figure 14). (Work in Administration > Administration > Users > edit > GL Limits)

Figure 14 - The User Profile Field That Allows Access to Payroll Data

Important:  The permission for payroll data by department (in a Data Profile), the appropriate values on the role objects, and the flag on the GL Limits panel must be set for a user to access payroll data.

To set the flag to allow payroll data access for a department,

1. From the Work in Administration main Contents, select Data Profiles. The list appears.
2. Locate the Data Profile of interest.
3. Click Menu > Restrict Access to JV Payroll  (Figure 15).

Figure 15 - Data Profiles Menu Item for Restricting Payroll Access

The Restrict Access to JV Payroll panel opens with a list of departments and organizations included in the Data Profile (Figure 16). In Figure 16, the departments where payroll data access is allowed are in the green box. The red box indicates departments where payroll data access is not allowed.

Figure 16 - Granting Payroll Information Access to Data Profile Departments

In the Restrict Access to JV Payroll panel General tab, in the center, the Selection Criteria box is initially blank. You can set the selection criteria to Select All, or when any departments are selected, UnSelect All.

4. In the Select column, check any organization/department  for which you wish to deny access to payroll details.
   Unchecked departments will have payroll details available to users assigned the Data Profile. The default is “unchecked.”
5. Alternately, to deny payroll data access to all departments in the list,  set the Selection Criteria box to Select All.

Note: If you add an organization/department to a  Data Profile, the new department’s  flag for access to payroll data will be unselected; i.e.,  “allowed.” If you need to restrict access to payroll data for the newly added department, return to the Restrict Access to JV Payroll panel and  check the Select box.

Access to payroll data for users who have department access is controlled in the application in several areas, outlined in the journal vouchers topic Application Areas Controlled for Payroll JV Access.

Working with Report Profiles

A user's ability to create, run, and view reports depends on whether a report profile is assigned to an User ID; and if so, which report profile. A report profile limits the reports that a user can access, so that not all users at a site will be authorized for all reports.

A report profile contains Report Objects that specify data areas for reports; for example, Discounts Taken and Lost, Check Printing, Department Expense Report, and Contract Statistics, among many others. Access options for reports for any user are:

• All reports - When the System Values field All Users Have Authority to All Reports is set, users can access all reports that they created, and all shared reports.
  - Also, if no report profile is assigned to a user, the user has access to all reports.
• Limited reports - Users assigned a report profile can access all of the reports that they created, and all of the shared reports built for the report objects in the assigned report profile.
• No reports - A report profile that contains no Report Objects can be created and assigned to users who do not use any reports.

To create a report profile,

1. From Work in Administration on the main Contents, select Administration > Report Profiles. The Report Profiles list appears
2. Click New. The Report Profiles header appears. (No Data appears if no report profiles are defined.)
3. Complete the fields in the header.
   • Enter a name for the report profile in the Report Profile field. This field is required.
   • Enter a description of the report profile in the Description field.
4. Click Submit. The Report Profiles list reappears.
5. Click Refresh to view the new Report Profile header.
6. On the list next to the report profile header that you created, select Menu > Report Objects.
   No Data appears.
7. Click New. The list of report objects appears.
8. Review the list and click the Select column to add report objects to the report profile.
9. Click Save to save the Report Objects to the report profile.
10. Click Submit when you are finished adding Report Objects.
    The Report Objects list is displayed. (You can refresh the list by clicking Refresh.)
11. Click Back to return to the Report Profiles list.

Work with Welcome Page Gauge Profiles

The ERP "Welcome Page" dashboard contains gauges -- charts and graphs -- that display supply chain key indicators. To be able to view gauges, a user must have the specific gauges of interest authorized in a gauge profile. Each gauge profile contains permission for one or more gauges. You can create gauge profiles as needed, and assign them to users. The "Welcome Page" dashboard is not visible to a user until the user has been assigned a gauge profile.

Note: If you wish to use the ERP "Welcome Page" dashboard feature, contact the Help Desk. This feature must be enabled via the Help Desk's administration setting Display ERP Gauges on Welcome Page. Once the Help Desk turns on the feature, you can begin setting up your own gauge profiles.

To create a gauge profile,

1. From the  ERP main contents (Figure 17), select Work in Administration > Administration > Gauge Profiles.

Figure 17 - The Gauge Profile Setup Link on the Administration Menu

The list of available gauge profiles appears (Figure 18), or No Data if none have been created.

Figure 18 - List of Existing Gauge Profiles at a Site

2. Click New. A header appears for you to enter the gauge profile name and description.
3. Enter a Gauge Profile name and a Description (Figure 19).

Figure 19 - Gauge Profile Header Panel

4. Click Submit.
   A panel of available gauges for the "Welcome Page" appears (Figure 20).

Figure 20 - List of Gauges for Including in a Gauge Profile

5. On the Select Gauges tabbed panel, click the Select box next to the gauges that you wish to include in the profile.
6. Click Save.
7. Click the Select Users tab. A list of users by User ID appears (Figure 21).
   - You can sort the list to locate any particular users, or use the Position to link .

Figure 21 - List of Users for Assigning a Gauge Profile

8. Click the Select box next to the users to whom you are assigning the gauge profile.
9. Click Submit. The application returns to the list of gauges.
10. Click Refresh to view the new profile on the list.
    If you wish to assign a gauge profile to additional users, you can re-open the Select Users panel, and make additional assignments, or, more easily, you can enter the gauge profile on each individual user profile (User Roles panel).

Work with User Profiles

For each user at your site, you establish a user profile that contains the user's Role, Data Profile, Report Profile, Gauge Profile (if the "Welcome Page" gauges are enabled at your site), permissions, limits, and authorizations. The authorizations and permissions that you set for a user depend on the user's job, and on the role you have defined for the user. Previous sections of this topic explained how to create a role, a data profile, and a report profile, and a gauge profile. This section discusses how to view user information, create new user profiles, and specify the user settings.

User Lists - Security

The contents of user lists is restricted by data profile and default organization. Table 2 displays user lists that are subject to data profile organizations and departments. The path to each list is in the corresponding columns.

Table 2 - Paths to Users Lists

Example
Carolina Health Systems has organizations 001, 002, 003, 004, 005.

- User X has the data profile "East Coast" which can access organizations 001, 002, and 004 only. When this user opens the Users list, she can only see users whose default organization is either organization 001, 002, or 004.
- User Y has the data profile "ALLDATA" which can access all 5 organizations. When User Y opens the Users list, he sees users for all five organizations.

To view the list of users,

• From Work in Administration on the main Contents, select Administration > Users. The Users list appears (Figure 22).

Figure 22 - Users List

• You can locate data for any user by scrolling the list, or by clicking Search and searching for the user by User Name, Default Organization, Default Department, Role, Data Profile, and/or Report Profile.

To view user settings,

1. From Work in Administration on the main Contents, select Administration > Users. The list of users appears.
2. Click Menu next to the user's ID.
   • From the drop-down menu, you can view the user's valid departments (View Valid Departments), approvals assignments (View Approvals References), and log information from the ERP iPad applications, if the person uses them (View Handheld Log).

To add a new user,

A. Create the user ID

This step shows you how to enter basic information for the user's profile.

1. From Work in Administration on the main Contents, select Administration > Users.
   The list of users appears.
   
2. Click New. The Users edit panel appears (Figure 23).

Figure 23 - New User Information Panel

3. Enter information in fields on the General panel as needed. (The User ID field is required.)
   Click Help for an explanation of fields on the General panel.

   • For users who will access ERP through Premier Connect, the text in the User Name field on the User Profile General tab must contain at least two separate segments (e.g., John Ashford).
     The Email Address must also be entered (in the standard format). Otherwise, the user cannot be set up in Premier's Customer Identity and Access program and will not have access to the applications.
     Error messages appear when either the User Name is not formatted correctly, or the Email Address is missing. Edit the values so that they are correct and re-submit the data.
   • Note that you can hide financial data from the user by selecting the field: Hide Financial Data.
     When this field is selected, the user cannot display pricing data on Item Inventory Inquiry panels. On the inquiry panels' pricing fields (e.g., Last Received Unit Cost, Last Invoice Unit Cost, and others), "Restricted Data" appears, instead of a dollar value.
   • Hide ePHI Data, when selected, restricts a user from accessing patient information. This field is selected by default.
     Hide ePHI Data is one of several features that aligns the system features with HIPAA requirements. When Hide ePHI Data is selected, a detailed series of restrictions apply to the user's access to ePHI records. The list of restrictions and examples is in the topics Setting Individual User Permissions for Patient Data.
     
     In sum, if Hide ePHI Data is selected, the user cannot access patient-identifying information.

     Important: By default when you create a new user profile, the Hide ePHI Data is selected. If you wish the user to have access to ePHI records, you must manually unselect the field. Also, when you copy a user profile, this field is selected in the copied version. Again, you must manually unselect it for the user if appropriate.
     (Previously, this field was called Hide Medical Data.)

   • You can set a Lock Out Counter for the user. A lock out counter gives the user a specified number of incorrect login attempts before locking the user out of the system. The system administrator must then reset the lock out counter.
   • When the Restrict access using IP Permissions field is selected, the IP address of the user's computer is entered into the IP Permissions list. Access to the system can then be turned on and off, as needed for the IP address. Setting up IP address access is summarized below.
   • The Printer Name field lets you identify a printer for the user to auto print purchase orders and receiving documents. See "To print a receiving document automatically."
     • To allow the user to print automatically, you must also select the field Make Delivery Docs auto-available to My Reports field on the Authorities tab.
     • To enable auto-printing of the pick list to the user's printer, go to the Authorities tab, and select the checkbox for Print Pick List To My Printer. Then on the General tab, in the Printer Name field, add the correct printer. These settings need to be done individually for each user.
     • Pulse must be configured correctly to handle auto printing.
4. Click Save.
   Next, you will enter the user's role.

B. Specify the user's role, data profile, report profile, and gauge profile:

1. From the Users panel, click the User Roles tab.
   The User Roles panel appears (Figure 24).
   On this panel, select a user Role, a Data Profile, and a Report Profile.
   

Figure 24 - User Roles Panel

If the "Welcome Page" dashboard is turned on for your site, the Gauge Profile field appears under the Report Profile (Figure 25A). Otherwise, if the dashboard is not enabled, Gauge Profile does not appear.

Figure 25 - User Roles Panel- Gauge Profile Field

2. Click the prompt following Role to select a role for the user.
3. Click the prompt following Data Profile to select the user's data profile. A data profile specifies the organization(s) and department(s) whose records the user can work with.
4. Sourcing and Contract Management users who manage services contracts: the Security Level field specifies the user's security level for working with Sourcing and Contract Management services contracts. If your site does not have Sourcing and Contract Management, or the user does not work with services contracts, you can ignore this field, and leave the default setting in place. Otherwise, for details, see "Shared Services Contract Security."
5. Click the prompt following Report Profile to select the type(s) of reports that the user can work with.
6. If the "Welcome Page" dashboard is enabled at your site, select the Gauge Profile for the user (Figure 25A). See the instructions for setting up gauge profiles.
7. If the user is a buyer, requisition approver, journal voucher approver, invoice approver, requester, administrator, storeroom manager, distribution technician, or works in your financial area, select the appropriate field(s).

Notes about the relationship between roles and "User is ..." fields: If you have a role that identifies the user as a Buyer, for example, you might wonder why you should also select User is Buyer on the Users panel. The reason is that clicking User is Buyer puts the person on the select list of buyers. This list appears when the Buyer field prompt is clicked; for example, when someone creates a purchase order, and needs to identify the buyer. Similarly, for requisition approvers, invoice approvers, and journal voucher approvers, selecting the field on this panel makes the user available from a select list.

More Information on Approvals

The following topics provide details on setting up approvers and approver groups, and the types of application transactions that can be subjected to approvals.
- Journal voucher approvers, see the GL Limits tab (on this page) and the topic "Journal Voucher Approvals Processing."
- Buyers, Requisition Approvers, Invoice Approvers, Check Request Approvers, see "Set Up Approvers and Approver Groups."
- Requisition approvers, also see "Requisition Approval Processing by Cost, Commodity Code and Item Type."
- Invoice approvers, also see "Invoice Approval Processing."

C. Enter restrictions and authorizations for the user.

The remaining tabbed panels -- Requester Limits, Buyer Limits, Approver Limits, AP Limits, Authorities, and GL Limits -- allow you to enter restrictions and permissions for the user. These restrictions and permissions depend on the user's role; whether the user is a buyer, approver, requester, etc.; the type of data the user works with; and the structure of your Materials and Financial organizations.

1. Review information on the remaining tabbed panels and enter/select fields as appropriate for the user.
   • Table 3 shows possible settings on the panels for different user roles. Following the table is discussion of Requester Limits, Approver Limits, AP Limits, and GL Limits.
   • Setting up a user in a Buyer role requires entering data on the organization and/or department record, as well as on the Buyer Limits panel. Setting up a buyer is covered in detail in "Set Up Approvers and Approval Groups."
2. When you have finished entering all the data to set up the user, click Save.
   Note: You can click Save at any time while you are entering information.
   
   
3. Click Submit.
   The Users list reappears. (Clicking Refresh displays the list with the new user added.)

Table 3 - Sample Roles and Permission Fields

Setting Requester Limits:

You can create user profiles with requisition approval requirements and limits. For example, some requesters may not need approval for stock item requisitions, but will need all non-stock item requests approved. Other requesters may need approval for stock items that cost more than a certain amount. A few requesters may only need non-file requisitions approved. For each user who creates requisitions, you assign one or more requisition approvers. Approvers review requisitions that are routed to them, and approve or reject the requisitions.

• The costing approver (Requisition Non-File Approver/Buyer) assigned to each requester reviews requests for non-file items, and completes any missing information, such as price.
• Either a Requisition Direct Approval User or a Requisition Approver Group is also assigned to each requester who has dollar limit amounts on requisitions that he/she can make without approval.
  

A Requisition Approver Group is a collection of users who approve requisitions and other application elements (such as invoices). Requisitions are routed through an approver group based on the cost of the requisition, and each member's approval dollar limit. See "Set Up Buyers, Approvers, and Approver Groups."

Some sites may also assign requests to approvers based on the commodity codes of items requested. This situation is covered by the commodity code processing area. You may wish to read "Requisition Approval Processing by Cost, Commodity Code and Item Type" to understand commodity codes and the requisition approvals process.

On a departmental basis, approval profiles let you define how a requisition line qualifies for approvals, independently of individual users' settings. Approval profiles contain the item types (stock, non-stock, non-file) and dollar limits for requisitions. Once created, an approval profile can be assigned to an entire department for the department's requesters. In this way, you can avoid maintaining approval data for multiple individual requesters who all have the same approval requirements because they belong to the same department. Details are in the section Settings for departmental requesters.

Note: If a user belongs to a department that has an approval profile assigned, the approval profile takes precedence over the individual user's settings for requisitions.

To set requester limits,

1. Click the Requester Limits tab.
   The Requester Limits panel appears (Figure 26).
   This panel is used for several purposes:
   • To set a requester's approval dollar limits on requisitions.
   • To assign a Direct Approval User or Approver Group to a user who can make requests up to a dollar limit.
   • To define the item types for which the user needs approval.
2. Enter values in the fields on the Requester Limits panel.
   
   Figure 26 and Figure 27 are examples of how the Requester Limits panel can be used. Figure 26 shows a user who can request stock requisitions without approval, up to dollar limits. After that, the requester needs approvals for stock items. Figure 27 shows a requester with no approval dollar limits. When you are finished reviewing the examples below, complete the fields on the panel as relevant for your user:
   • Enter values in the fields for dollar limits.
   • Select the boxes for the item types if you wish to require approval for requisitions for particular item types.
   • Enter a Requisition Direct Approval User or a Requisition Approver Group if you set any dollar limits.
   • Enter a Requisition Non-File Approver Buyer.

Sample settings for a requester with limits

In Figure 26, note that the Stock Item Approval Required field is unselected. The Non-Stock Item Approval Required and the Non-Stock Item Approval Required boxes are selected. The defined dollar limits are: item cost under $75.00, extended line cost under $650.00, and total cost under $2400.00.

Figure 26 - Requester Limits Panel with Approval Limits

This user does not need approval for stock requisitions under the Total Cost dollar limit. The user also does not need approval for non-stock and non-file requisitions under the Item Cost and Extended Line Cost dollar limits.

This user does need approval for:

• Requisitions for non-file items over the dollar limits for line cost and extended line cost.
  - Non-file requisitions are reviewed by the user called BillG, as specified in the field Requisition Non-File Approver/Buyer. (BillG is the non-file costing buyer.) You must complete the Requisition Non-File Approver/Buyer field for any user with the Requester role.
• Requisitions for non-stock items over the dollar limits for line cost and extended line cost.
  - When this user has a requisition that is over these limits, the requisition goes to a buyer in the Requisition Approver Group called General Apprv.

The red arrow indicates a flag that would limit the user to Non File Requisitions only.

Sample settings for a requester without limits

Figure 27 has settings for a user who does not need request approvals on the basis of dollar limits for any item type. Notice that neither the Requisition Direct Approval User field nor Requisition Approver Group has a value. (Stock and non-stock item requisitions are automatically approved.)

Figure 27 - Requester Limits Panel without Approval Limits

• The dollar limit fields are set so high that a requisition exceeding these limits is unlikely. The system interprets these values "no dollar limit."
• The Requisition Non-File Approver/Buyer field must be completed for requesters. This field contains the buyer's own user ID. Requisitions for non-file items are routed back to the user (NancyM) for costing and approval.
• The fields Stock Item Approval Required and Non-Stock Item Approval Required are unselected. This buyer needs no approval for requisitions containing these types of items.
• The Non-File Item Approval Required is also unselected.

Setting Buyer Limits

Setting up buyers is a process that requires entries in several areas, as well as in the user profile. (For example, a buyer must be associated with each organization at your site.) See "Set Up Buyers, Approvers, and Approval Groups."

To set dollar limits for buyers,

The steps below assign dollar limits to a buyer. The buyer can authorize purchase orders for items with an item cost up to the amount entered in the PO Item Cost Limit field. The limit for the line cost that a buyer can authorize is in the PO Line Extended Cost Limit. The total amount for a PO that the buyer can authorize is specified in the PO Total Cost Limit.

1. From Work in Administration on the main Contents, select Administration > Users. The list of users at your site appears.
2. Locate the user that you are interested in and click the edit icon () next to the User ID. The Users edit panel appears.
3. Click the Buyer Limits tab. The Buyer Limits panel appears (Figure 28). Edit the information as needed.

Figure 28 - Dollar Limits that a Buyer Can Approve

In Figure 28, the buyer can approve POs containing items that cost up to $6,999.00 per item. The total dollar amount for a line on a PO that the buyer can approve is $69,999.00. The buyer can approve purchase orders with a total up to $699,999.00. This buyer is allowed to approve price changes on items up to $3.00.

4. Enter new limits in the fields on the Buyer Limits panel.
5. Click Save to save the dollar limits.
6. You can move on to the Approver Limits tab, or select Submit to return to the Users list.

No Dollar Limit Authorization

If you wish to give a buyer no dollar limit, enter 9,999,999.00 in the fields for PO Item Cost Limit, PO Line Extended Cost Limit, and PO Total Cost Limit.

Setting Approver Limits

For each person who approves requisitions, invoices, check requests, journal vouchers, or vendors, you may wish to identify another user as an "approver buddy." An Approver Buddy performs the work of an approver if the approver is out of the office. The person can set his/her status as out-of-office when leaving for a vacation or trip, and the Approver Buddies will be routed the person's approvals.

To set approver limits and notifications,

1. From Work in Administration on the main Contents, select Administration > Users. The list of users at your site appears.
2. Locate the user that you are interested in and click the edit icon () next to the User ID. The Users edit panel appears.
3. Click the Approver Limits tab.
   The Approver Limits panel appears (Figure 29).

Figure 29 - Approver Limits Panel: Requisitions, Check Requests, Invoices, Journal Vouchers, Vendors

4. Click the prompt next to one or more of the ...Approver Buddy fields (for requisitions, check requests, invoices, or journal vouchers) to select an approver buddy for the user, as appropriate.
5. When the user goes out of the office (Out of Office is selected), approver buddies will take over the user's approvals.
   Note: Approvers can change their own out-of-office settings from the Misc Functions menu in the main Contents. Select Misc Functions > Change My Out-of-Office Status.
6. If the approver wants to be notified when a requisition, invoice, check request, or journal voucher has been submitted for approval, select Email on Submission in the appropriate ...Submit Notify Type field(s).
7. The Invoice Direct Approval Limit field lets you set a dollar limit when the user is a direct approver. Assigning each direct invoice approver a dollar limit lets you better control the amounts that direct approvers’  can handle. This field makes it easier to assign some users to approve only small dollar invoices.
8. If your site uses Approver Buddy Limits, enter values in the fields for Requisition Approval Limit and/or Invoice Approval Limit, as appropriate. When a user who approves requisitions, invoices, or check requests goes out of the office (setting the Out-of-Office flag), materials needing approval are routed to the user's approval buddy. On the Out-of-Office panel, the user can select an approver buddy. However, only approver buddies with approval limits that are the same or higher than the user's are available for selection.
9. Click the Help button for detailed information on panel fields.
10. Click Save.
    You can select another tab on the Users panel, or click Submit to return to the Users list.

Setting AP Limits and Notifications

Users working in Accounts Payable need parameters set for invoices and checks. The fields that you need to enter for check and invoice permissions and limits are on the AP Limits panel.

To set AP limits and notifications,

1. From Work in Administration on the main Contents, select Administration > Users. The list of users at your site appears.
2. Locate the user that you are interested in and click the edit icon () next to the User ID. The Users edit panel appears.
3. Click the AP Limits tab.
   The AP Limits panel appears (Figure 30).

Figure 30 - AP Limits Panel - Sets Check and Invoice Permissions

• Enter the appropriate values for invoice entry periods in the fields Future Periods Invoice Entry and Prior Periods Invoice Entry. These fields contain the number of periods after and before the current period for which the user can create invoices.
• Enter the maximum amount for a single check that the user can process.
• Select the appropriate values for the other fields. Click Help for detailed field information.

4. Click Save.
   You can select another tab on the Users panel, or click Submit to return to the Users list.

Setting User Authorities

The Authorities panel governs permissions for a variety of features. Fields on the panel set permissions for users as described in Table 4.

Table 4 - User Authorities Panel Fields

To set user authorities,

1. From Work in Administration on the main Contents, select Administration > Users. The list of users at your site appears.
2. Locate the user that you are interested in and click the edit icon () next to the User ID. The Users edit panel appears.
3. Click the Authorities tab.
   The Authorities panel appears.
4. Select the checkbox for each authority or restriction that you with to set.
   Information about the fields is in Table 3 and available by clicking Help.
5. Click Save.
   You can select another tab on the Users panel, or click Submit to return to the Users list.

Setting GL Limits and Notifications

General Ledger users need permissions for working with accounts and for creating and posting journal voucher entries to the General Ledger. The fields for General Ledger permissions and limits, including journal voucher approvals, are on the GL Limits panel.

To set GL limits,

1. From Work in Administration on the main Contents, select Administration > Users. The list of users at your site appears.
2. Locate the user of interest and click the edit icon () next to the User ID. The Users edit panel appears.
3. Click the GL Limits tab.
   The GL Limits panel appears (Figure 31).

Figure 31 - GL Limits Panel - Sets General Ledger Entry Permissions

• Enter the appropriate values for general ledger entry periods in the fields Future Periods GL Entry and Prior Periods GL Entry. These fields contain the number of periods after and before the current period for which the user can make General Ledger entries.

Journal Voucher Approvers and Notifications

• If the user originates manual journal vouchers, in the JV Approval Action Type, select either No Approval Required, Approval Required or Approval Required Before Posting.

The user's organization may have identified approvers for particular source journals and/or account codes.

• If the user's journal vouchers require approval, and no other approvers are defined in the organization, select a User JV Approver Group or a single User JV Direct Approver (but not both).
• Use the Journal Voucher Approval Notify Action field to specify an action when a journal voucher created by the user has been approved or rejected.

4. Select the appropriate values for the other fields. Click Help for detailed field information.
5. Click Save.
   You can select another tab on the Users panel, or click Submit to return to the Users list.

Sites Using Single Sign On - The SSO Tab

Single sign on relies on your site's network sign on process to validate users' credentials when signing on to   ERP.ingle signon, single sign-on, SSO

Note: This feature must be implemented by your Consultant, and users need to be set up with SSO credentials.

When new users are created as part of the single sign on implementation, they initially have a basic ERP User ID and password, but no user roles, data profiles, default organizations/departments, authorizations, or other required user profile elements. Until their user profiles are completed -- a step in the process -- they will not be able to sign in using SSO.

User information is considered incomplete when it missing any of the following:

• Data Profile
• Role
• Default Org
• Default Dept
• SSO Activation Date

Once a user is set up for single sign on, the Active flag on the User Profile Main tab disappears. Audit reports for users that are active in the system are based on the customer's Active Directory when SSO is enabled.

Process Flow in Creating New SSO Users

1. The site’s system administrator adds the new user to the Active Directory (AD) Group for ERP on the local (customer’s) network.
2. An automated service monitors the AD Group and adds the new user to the ERP within minutes of the user’s being added to the AD group.

• The single sign on user ID is created and mapped to the ID that is used by . (The user does not yet have permissions.)
• The External User field and the User Missing Info flags are checked on the External User tab in the User Profile (Figure 32).

3. Once the ID is created in Step 2, the system administrator can edit the User Profile for the appropriate values and permissions, and specify an activation date in the Activation Date field on the External Users tab (Figure 32).

Figure 32 - The External Tab on a User Profile

• A process runs nightly to activate users. (This may be eventually changed in the future to run more often.)
• When that process runs, the user becomes active and a Welcome letter is released to the user via email.
• The Release Status, Release Date, and Release Comments are then updated.

Identifying SSO Users with Incomplete User Profiles

The field SSO Missing Info YN on the User Settings list indicates (Yes) if the required User Profile fields are not assigned (Figure 33). You can use this list to review users whose User Profiles need completion.
- To open the User Settings list, select Work in Administration > Administration > User Settings.

Figure 33 - User Settings List with Single Sign On Columns

Copy an existing SSO User Profile to a new SSO user

The Replicate feature copies an existing SSO User Profile to generate a new user profile. This is a time-saving feature for system administrators.

Note: The user eMail Address is not copied. Also, the Password is not copied if it is an SSO password for access to an external system.

To create a new user profile by replicating an existing SSO user profile,

1. From the Administration main Contents, select Administration > Users.
2. Locate the SSO User Profile that you wish to replicate.
   - You can search for users that are SSO users with both complete and incomplete user profiles.
   Click Search.
3. From the Menu, select Replicate.

A panel appears containing the user profile information. The lower part of the panel lists user profiles that were created for SSO only (Figure 34).

Figure 34 - Selecting an SSO User Profile to Copy

4. Click Select on the left to identify the destination for the user profile that you are replicating.
5. Click Submit. The application updates the user chosen in the lower-lever panel to match the settings in the top panel.

Note: Once a user is set up for single sign on, the Active flag on the User Profile Main tab is unavailable

SSO User Data Import

This user data import is designed specifically for SSO users. It makes the process of setting up SSO users easier than using the standard User Maintenance tools.

Both a manual and an automated process are available for this import.

Security: Users working with this feature must have the role object "SSOUserMaintImport" set minimally to Modify.

When a user is provisioned for SSO, Premier staff create a "shell user profile." Once the user "shell" has been created, the site administrator must manually assign the role, data profile, default organization, default department, and other details. The process had relied on the existing user maintenance import template. That template has other fields in whose data the site administrator must manually key-in or copy. To improve the process, this a user data import template specifically for SSO users is available. This new import template and process handle more of the needed user data.

Manual import process

From the Administration menu, you can access a list of SSO users that are missing required information such as role, data profile, default organization, and department. A second menu element provides the import. See Figure 34.

Figure 34 - Administration Table of Contents with New SSO User Maintenance Elements

An example of the SSO Users List is in Figure 35.

Figure 35 - List of SSO Users Needing More User Profile Data

Administration main Contents > Administration > SSO Users Missing Info

On the list (Figure 34), the Spreadsheet link creates an Excel document in the format of a new SSO User Import. Administrators can open the spreadsheet and provide missing information, along with additional approval values, if needed by the user. Save the spreadsheet as a .csv file. The last field must be <EOF>.

You can then upload the .csv file to ERP using the new SSO user data import function that will apply the changes to the user profiles. The menu option SSO User Maintenance Imports (Figure 35) opens a list of existing imports. Figure 35 is the import list where you can see current imports and create new ones.

• To create a new import from a .csv file, click New (Figure 36).
  The import panel opens. This is the standard import where you select the file to bring in.
  - Use the Browse button to locate the file.
  - Click Submit to upload it.

Figure 36 - SSO Imports List with New Button to Create a New Import

Administration main Contents > Administration > SSO User Maintenance Imports

On the Imports List, the standard import functions are available, including the ability to view the details of the import, see messages, etc. The import process applies the changes from the import to the user and user settings tables in the application. Existing validations already in the ERP ensure that only correctly formatted data is used to update the actual user values.

Automatic import process

The automated process occurs through the Gateway when template files with completed data from an external application are dropped in a Gateway in-box. The import is available from the Imports List (Figure 36). This process needs no action by your site administrator; except in the case of errors which may require a conversation involving a corrected re-import.

  Users - The PremierConnect Tab

This tab contains fields for users who sign on to ERP/SCM through .

Important: When you copy a user, data on this panel is not included in the copy.

Update Status - For a user who accesses ERP/SCM through , this field indicates whether the user’s credentials have been updated (entered) in the Premier's User Management System. (Note: This system is also called CIAM: Customer Identity and Access Management.)

Update Date - The date when the user’s credentials were entered/updated in the User Management System.

Message - Any message related to the update.

Locked out Users

You can reset a user record so that the user is no longer locked out

To reset lockout for a user,

1. From Work in Administration on the main Contents, select Administration > Users.
2. On the Quick Click menu, click Show All. The Users list appears.
3. Locate the user for whom you wish to reset a lockout, or reactivate.
4. Click Menu > Reset Lockout. The system asks you if you want to reset lockout for the user.

Note: You can also select Reset Lockout on the Quick Click menu to reset user access.

5. Click Submit. Lockout is reset.

Inactive Users

The system provides a grace period for inactivity so that users who do not sign on to the system every day are not deactivated. The grace period is determined by each site, and set at implementation or by the Help Desk.

A process in the nightly maintenance procedure sets active users to inactive if they fall outside the inactive grace period determined by their site.
The process checks whether any user IDs NoActivityLockoutPeriod has expired. If the period has expired, then the Active YN flag is set to 0.

An audit record is created: AuditSource = 'Routine Maintenance' and AuditReason = 'No activity lockout period exceeded.'
System administrators will also be able to view the sign-on history and security activity for their site.

Ignore the Lockout Period

For any given user, you can suspend the inactive lockout rule by setting a flag on the User Profile.

1. Click Work in Administration > Administration > Users > edit User.
2. Select the field Ignore Lockout Period on the Users General panel (bottom right).

Topics for Sourcing and Contract Management

Several user features are relevant to sites where users also access Sourcing and Contract Management (SCM)

User Restriction against Changing Prices on Contract Items

Price changes to contract items on a purchase order, or during invoice matching (clearing a price exception) can be restricted for individual users, organizations, or for an entire site.

The field Restrict PO/Invoice Price Change on Contract Items on the User Profile restricts the user from changing contract item prices. The user cannot modify the PO Unit Cost and the Next Estimated Receipt Unit Cost on a purchase order line. The setting also restricts users from selecting the Invoice Correct field in clearing exception prices for contracted items.

To set the restriction at the different levels,

User:

- If the restriction is not selected in a user profile, the user can change cost/exception prices, as long as the restriction is not set at either the organization or system values level. Also, the user can select the Invoice Correct field when clearing price exceptions for contracted items.
- If the restriction field is selected, the user cannot change prices.

Organization:

Selecting the restriction field for an organization (on the Organization record) prevents any user in the organization from changing prices.
See "Organization Restriction for Contract Price Changes" for details.

System:

- If the field is not selected, price changes can be controlled at the organization level and/or the user level.
- If the restriction field is selected in System Values, no one at the site can change a PO price for a contracted item.
See "Restrict PO/Invoice Price Change on Contract Items for an Entire Site" for details.

Create and View Regions and Organizations

Your site's operational structure may include several organizations, each with multiple departments. In Sourcing and Contract Management, one or more organizations can be assigned to a region. You can view, edit, and create organizations and regions from the Sourcing and Contract Management Administration feature. You can add regions and organizations to users' data profiles (see "Work with Data Profiles)."

To view organizations,

• From the Administration contents in Sourcing and Contract Management, click Region/Org > Organizations.
  A list of organizations defined for your site appears.

To view Organization information,

• Click any organization identifier.
  The Organization Info panel appears.
• From the Organization Info panel, you can edit or copy the organization; view audit information, output the organization information to Excel, and assign a user field value to the organization.

To create an organization,

• Click Create Organization.
  The Organization edit panel appears. Complete the fields on the panel.
• Click Submit.

To view regions,

• From the Administration contents in Sourcing and Contract Management, click > Region/Org > Regions.
  A list or Regions defined for your site appears.

To view region information,

• Click any region identifier.
  The Region Info panel appears.
• From the Region Info panel, you can edit or copy the region; view audit information, output the region information to Excel, and assign a user field value to the region.

To create a region,

• Click Create region.
  The Region edit panel appears. Complete the fields on the panel.
• Click Submit.

To associate an organization with a region,

• From the Administration contents in Sourcing and Contract Management, click Region/Org > Region/Org Assoc.
  A list of regions appears. If organizations have already been assigned to regions, the organizations are listed under each region.
• On the Region/Org Association panel, locate the region that you wish to assign the organization to.
• Click Add Org.
  A select list of organizations appears.
• Locate the organization of interest on the select list.
• Click Select.
  The Region/Org Association panel refreshes, and the organization is added to the region.

Searching for an Organization

To search for an organization,

Use Search on the "Create Organization" page.

1. On the Administration main Contents. click Region/Org Association.
2. Click Add Org under one of the organizations listed.
   The Select Organization panel appears (Figure 37).

Figure 37 - Select Organization Panel with the Search Field

• In the Search box, enter characters from the organization name, description, or any tag value that you have assigned to the organization.
  Note: Tags are a special type of free-form user-defined field that allow you to assign one or more keywords to a contract, user, or organization.
• Click Search.

Role objects associated with Sourcing and Contract Management

The following role objects are used in Sourcing and Contract Management:

ContractSecurity (supply contracts) - provides access to the contract Security feature. The contract Security feature lets you identify the organizations/regions whose users are not allowed to view the contract. The list of organizations/regions is displayed when you click the Contract Info panel's Security link (Figure 38). Details about the contract Security feature are in the subsequent section "Restrict user access to a contract."

• The setting on this role object must be Modify, at minimum, for any user who sets region/organization restrictions for other users.

Figure 38 - Contract Info Panel Security Link

PriceActivation (supply contracts) - at the highest security settings (All, Create), allows the user to create vendor price activation headers for supply contracts. (Users with the role object Contracts set to View can select items for activation, once a header has been created.)

Restrict User Access to a Supply Contract

The contract security feature lets you specify the organizations/regions whose users are not permitted to access the contract. The Security link on the Contract Info panel displays the organizations/regions for selection. If none are selected (the default), a contract can be accessed by all users.

• Click Security on the Contract Info panel (Figure 38) to display regions; organizations associated with regions; and organizations not associated with regions (Figure 39). Each organization and region has a select box.
• Click the select box to make the contract unavailable to users in the organization/region.
• Click Save.

System alerts displayed on the Contract Workbench My Alerts panel take into account the organization/region security restriction: Users do not receive alerts for contracts that they are not able to view.

Figure 39 - Organizations/Regions for Restriction

Access to the Security link on the Contract Overview panel requires the setting Modify for the "Contract Security" role object, at minimum. If the role object setting is View or None, the security link is grayed out. A discussion of this role object is in the previous section "Role objects associated with Sourcing and Contract Management."

Setting Up IP Address Access

Your site probably has a key group of users who work with the system all the time. You may also need to grant access to the system to computers with IP addresses outside of the key group. For example, you may have users in another building, or in a remote location. Or, you may wish to give some users access from their home computers.

You may also wish to restrict access to an IP address that would normally belong to the main group. For example, you may have a special purpose computer that you do not want to be used for system work.

You can control access to the system based on a computer's IP address. The set up process for IP permissions has these components:

1. Discuss your need for access by IP address with the Help Desk. The Help Desk will set a system parameter to enable IP address permission.
2. For users at your site, set the Restrict access using IP Permissions field on users' profiles. This field is on the Users edit panel -- General tab (Figure 24).
3. Enter the users' IP addresses into the IP Permissions list, and set access to Yes.

To create restrictable IP addresses and set access,

1. From Work in Administration on the main Contents, select Administration > IP Permissions. The IP Permissions table appears with the list of IP addresses in the left column.

• If an IP address is permitted to access the system, Yes appears in the far right column.
• Otherwise, the right column is blank, and the IP address cannot access the system.

2. To specify an IP address, click New. The IP Permission panel appears.
3. Enter the IP address.
   
   The elements of an IP address are called "octets." Each octet has one to three digits, and every IP address has four octets.
   The value of an octet can range from 0 to 255. Only integers are valid in an octet; alphabetical characters are not valid.
   
   You specify an IP address as four octets separated by periods. For example, 152.163.9.2. If you want to set the IP permission
   for a group of IP addresses, you can enter a mask. You create masks using wild cards, positional substitutions, ranges, and lists. For example, 181.169.* .* is an IP address mask. The asterisk (*) is a wild card and matches any value. So, this mask will include IP addresses from 181.169.0.0 to 181.169.255.255.
   
   Here are the characters that you can use for masks:

   *   Represents any value.

   ,   (comma) Separates individual values.
       For example, 245.120,124.333.17 means 245.120.333.17 and 245.124.333.17.

:   Indicates the beginning and end of a range.
    For example, 245.120:124.333.17 means all the values between (and including) 120 and 124 in the second octet:
    245.120.333.17, 245.121.333.17, 245.122.333.17, 245.123.333.17, 245.124.333.17

?   Positional wild card. Matches only as many elements as there are question marks.
    For example, ? matches 0 to 9, but not 10 because 10 is two places. ?? matches 10 to 99.

[ ]   Optionally groups numbers and operators together, as needed, for clarity.
    For example, 245.122.199,20?.[17,20:24].

4. Select the Allow box if you want to grant permission for the IP address to access the system.
   
5. Leave the Allow box unselected if you wish to prevent the IP address from accessing the system.
6. Click Submit. The system displays the IP Permissions list.
7. Click Refresh to see the new IP address and its access setting.
   
   Note: You can edit the IP address at any time to change access, without deleting and re-entering the address.

To give a user access to the ERP mobile application on the iPad,

1. From Work in Administration on the main Contents, select Administration > Users.
2. On the Quick Click menu, click Show All. The Users list appears.
3. Locate the user's ID on the list and click Menu > Edit. The tabbed user information panels appear.
4. On the User Roles panel,
   • For users of the iPad Mobile ERP application, click the box next to User is Distribution Technician.
   • If the user creates requisitions with the mobile iPad application, also, click the box next to User is Requester.
5. Click Submit. The system changes the setting so that the user can work with iPad tools.

To give a user access to Cardinal's web site and to vendor punchout sites,

1. From Work in Administration on the main Contents, select Administration > Users. The list of users and settings appears.
2. Locate the user's ID on the list and click Menu > Edit. The tabbed user information panels appear.
3. On the General panel, select the appropriate option from the Punch-Out to External Vendor field.
   - Full Access must be selected if the user is allowed to click on a link from an item record to view the vendor's catalog entry. The user can access the public site and can access the password-protected pages. Also (when organization and department permissions are set), the user can order from punchout vendor web sites. (See "Using Vendor Punchout to Order Supplies)."
   - No access - The user cannot access any vendor web pages.
   - Public site only - The user can access the vendor's public web pages.

4. Click Save. You can select another tab on the Users panel, or click Submit to return to the Users list.

To make the Scheduled Jobs feature available to a user,

1. Include the ScheduleJobs role object in the user's role and set the ScheduleJobs role object to a value other than None. Select a different value such as All. See the discussion of assigning role objects.
2. Verify that the menu choices available for the user's role include "Scheduled Jobs."

• To view menu options for a role, next to a role on the Roles list, select Menu > Omitted Menu Options.
  If " Scheduled Jobs" appears on the list of omitted options, delete it from the list to make it available.
  See "Create a Customized TOC for a Role."
  

To delete a user,

1. From Work in Administration on the main Contents, select Administration > Users.
2. On the Quick Click menu, click Show All. The Users list appears.
3. Locate the user that you wish to delete.
4. Click Menu > Delete. The system tells you that you are about to delete a record.
   Note: You can also select Delete on the Quick Click menu to delete the user.
5. Click Delete. The user is removed.

View the User Activities Log

System administrators can view a log of users' activities with the system from a menu option on the Users list. User activity data is retained for seven days before it is purged.

To view user activities,

1. From the Work in Administration contents, select Administration > Users.
   The Users list appears (Figure 40).

Figure 40 - Part of a User List

2. Locate the user of interest.
3. Select Menu > View User Activity Log (Figure 41).
   

Figure 41 - Accessing the User's Activity Log from the User List

The user's activities appear (Figure 42), ordered by date. You can use the Quick Filters for Field Name (the name of a value that was changed by the user), Table Name (the data table where the value was changed), Job Name, Audit Reason, and Key Values. Click Help for detailed descriptions of the columns' contents.

Figure 42 - A Sample User's Activity Log

On the User list, by default, the system only displays users at a site. Clicking Show All displays users (Technical Support or development staff) who can access a site's database to track or fix problems.

Note: User activity data for user IDs is retained for a year.

See the discussion of "Access and Change Logs" for a discussion of patient information protections in log and audit displays.

View the Activities of All Users

System administrators can view a log of all users' activities with the system through the Administration menu. User Activity data is retained for seven days before it is purged.

Figure 43 - Activity Log

The Activity Log - All list displays the same fields as the individual user's activity log, along with the name and user ID of each user listed.

Create and Edit User Profiles via Mass Maintenance

Creating large numbers of new users and user maintenance is more efficient with the user record import and export. This feature allows a security administrator to create new users and to maintain and audit an existing user base without having to go into the ERP application and create or update each user record individually. Administrators can download and complete a template that sets up new user profiles when uploaded.

Some sites find it convenient to use the import to create one or more "generic" users with particular User Profile settings. Then, once in the application's Administration module, they copy the "generic" users and enter values for real, new users.

For maintenance purposes, administrators can export all user settings in the ERP application, make changes and import that data back into the ERP application to update users' profiles.

Security: This feature is controlled by the "Administrator" role object.

Single Sign On Sites: If the user you are creating (or updating) is a single sign on user; that is, if you enter Yes in the column Single Sign On User then the column for the single sign on Activation Date must also be completed with the date when you would like the user to have access to ERP.

Creating New User Records

To create user records, an Excel template is available for entering fields that you will upload and import into new User Profiles.

1. From the Work in Administration main Contents, select Administration > User Create Template.
   Follow the instructions to open the template in Excel. Figure 44 is an example.

Figure 44 - Excel Template for Creating New User Profiles

2. On the template, enter values for User Profile fields in the appropriate columns.
   Important:
   - The fields highlighted in yellow are required.
   - Enter information right over the text that says <required>. If you import the spreadsheet with the <required> word still in a cell, the application will take it as an invalid value, and will send an error message.
   - Click the worksheet tab Info for instructions on completing and saving the template.
   - The last entry on the template must be <EOF>.
3. When you finish entering values in the fields, save the spreadsheet as a .csv file on your local network.
4. Upload and import the spreadsheet to ERP using the instructions below.

Maintaining Existing Users - Exporting User Data from ERP

For maintenance, first export existing user records to an Excel worksheet. A new panel is available for the export task. Then, using the worksheet as a template, make changes as needed to the user data, Save the worksheet as a .csv file, and finally upload it to the application.

The upload is the standard upload process. A panel lets you work with uploaded user records.

To export data from the User Settings (All Columns) list,

1. From the Work in Administration main Contents, select Administration > User Settings (All Columns). Figure 45 is an example.
2. You can click Search to filter the list of users by organization, department, role, and other parameters to identify a subset for import/export, if you wish.

Figure 45 - The All Users Panel with the Spreadsheet Link for Exporting

Work in Administration > Administration > User Settings (All Columns)

3. Click the Spreadsheet link (Figure 45, red arrow, upper right). If you have a large number of user records, the application sends a request for you to identify the number of records that you would like to download.
4. Click the number.

You will need to save the file (Figure 46) as a .csv file for the export.

Figure 46 - Sample Downloaded User List

5. Edit values for users in the spreadsheet. Here are some tips:

• Columns that are defined as "YN" are shown with column headings ending in _ Y _ N. Enter only a 0 (No) or 1 (Yes) in these columns.
• Columns that are defined as dates are shown with column headings ending in _MMDDYY.
• Columns that normally contain a valid value (e.g. 0,1,2, etc.) are shown with the actual value description. This value will be translated on import back to the actual valid value.

6. Enter <EOF> in the first cell of the row following the last line of data. This value is critical, so that the import can find the end of the file (Figure 47).



Figure 47 - Entering the End-of-File Marker <EOF>

7. Save the file as a .csv (comma-separated) file. You are now ready to import the file back to ERP.

Importing New or Edited User Data to ERP

After you create or edit user records, you can import them back to ERP.
Important: The file you import must be in .csv (comma-separated values) format.

Follow these steps:

1. Select the import panel from ERP Work in Administration main Contents > Work in Administration > Administration.
   • For new user records, select User Create Imports.
   • For maintenance to existing user records, select User Maintenance Imports.
   The User Imports panel appears. Figure 48 is the panel for maintenance, but the panel for new user records is similar.

Figure 48 - The List of User Record Imports

- This panel lists previous imports if any, and lets you create new imports.

2. Click New. The Upload Panel appears (Figure 49).

Figure 49 - The User Maintenance Upload Panel

3. Enter the file that you wish to import in the File to Upload field.
   - Click Browse (on Microsoft IE or Edge) or Choose File (on Chrome) to locate the file on your network, then click the file to select it.
4. At this step, you have a choice. You can work through the import process in either one stage or two stages.

   If you have uploaded files to the application before, use the one-stage approach, as follows:
   - Click Submit. The system attempts to upload your file and validate it. The User Maintenance Imports or User Create Imports panel appears.
   - Click Refresh to see your file listed.

   For users working with import files for the first time, we recommend the two-stage import approach. The two-stage approach first loads the file and validates it. Click Load and verify, no import.
   Once the file has successfully loaded, you can process it manually from the User Maintenance Import panel appears to import it into the application.
   - Click Help on the Import panel for details on the processing step.

The processed import will appear in the list of imports.
Each import has a Menu that lets you Reprocess, View Details, Download or Delete an import file.
Clicking Menu > View Details lets you display messages and edit the import record. 

• Uploaded files that process completely with no errors have the Import Status of Complete.
  

- For new user records, the import creates a new User ID with the settings from the uploaded template that you entered for each User ID on the template.
- For existing user records that you edited, the changes that you made are in the Users' Profiles.

• You can view the new or changed User Profiles from either list:
  Work in Administration > Users or User Settings (All Columns).
  When you import a user as inactive, click Show All on the list to make the user appear.

Handling Import Errors

Valid rows on the spreadsheet will import into the application. If some rows are valid, and other are not, the invalid rows will not be imported. When the Import Status of the uploaded user record file is not Complete, the import encountered errors.
To work with errors, you need to review the import details, make corrections, and reprocess the data.

1. Next to the import, click Menu > View Import Details to display any errors or warnings that may have occurred.
   - On the Import Details panel, each imported record appears. The Messages column contains Yes if errors or warnings exist for any record.
   - Click Menu > View Messages.
   - Click Menu > Edit to edit any unprocessed data and correct it.
2. After making corrections, from the import list, click Reprocess to rerun the process for any imports that do not have an Import Status of Complete.

Create New Data Profiles via Template Import

The import/export feature for data profile record mass maintenance is now available. With the use of a template, this mass loader allows a security administrator to upload multiple new data profiles at one time instead of creating them manually in ERP. You can also maintain and audit existing data profiles without the necessity of updating each one individually within the application.

Usage Tips: Creating one or more "generic" data profiles is a convenient way to utilize this feature. From within the Administration module, an administrator can copy these "generic" profiles and make changes to the department, asset location, and organizations as needed.

Security: This feature is controlled by the "Administration" role object.

An Excel template is required for the data and fields that you will upload and import into ERP.

To download the Data Profile Import template,

1. From the Work in Administration main Contents, select Administration > Data Profile Import Template.
2. Save the Excel template to your computer or local network.
   The file should look similar to the example in Figure 50.



Figure 50 - Excel Data Profile Import Template

To work with data profiles using the Data Profile Import Template,

The template contains several tabs. The initial tabbed worksheet (Figure 50) is for your data. Detailed instructions,
including the colored columns are on the Info tab. Examples are on the Examples tab.

1. On the template, enter values for Data Profile fields in the appropriate columns.
   You can add, change, or delete data profiles. See the rules below about deletions.
   Important:
   • The fields highlighted in yellow are required and marked as such.
   • Enter information directly over the <required> text within cells. If you import the spreadsheet with the <required> word still in a cell, the application will take it as an invalid value and send an error message.
   • Click the Info tab on the worksheet for detailed instructions on completing and saving the template.
   • The last entry on the template must be <EOF>.
2. When you finish entering values in the fields, save the spreadsheet as a CSV file on your computer or local network.
   Important: When you save the file as .csv, make sure that it is saved as an MS-DOS .csv type. Otherwise, the upload will not recognize the record type, and you will get an error message.
   
3. Upload and import the spreadsheet to ERP using the standard upload process described below.

To import data profile records,

After you create or edit data profile records, you can import them back to ERP.
Important: The file you import must be in .csv (comma delimited) format.

1. Select the Data Profile Import panel from ERP Work in Administration main Contents > Administration > Data Profile Import.
   - This panel lists previous imports if any, and lets you create new imports.
2. Click New. The Upload Panel appears. This panel uses the standard upload process.
   - Click Browse (on Microsoft IE or Edge) or Choose File (on Chrome) to locate and enter the .csv file to upload.
3. You can work through the import process in either one stage or two stages.
   For the one-stage process,
   - Click Submit. The system attempts to upload your file and validate it.
   - Click Refresh to see your file listed on the Data Profile Import panel.
   For the two-stage process,
   - Click Load and verify, no import.
   Once the file has successfully loaded, you can process it manually from the Data Profile Import panel, and import it into the application. The Data Profile Import panel displays the import and its status. In Figure 51, an imported file (in blue) is incomplete. Problems occurred with this import file.
   (The actual problem was that the ActionCode was set to C, when it should have been set to A.)
   

Figure 51 - The Data Profile Imports List and Menu

Download and security information appears.

4. Click Menu > View Import Details to view the problem areas of the import. From the Import Details panel,
   you can display any messages (Figure 52).

Figure 52 - Using the Data Profile Import Details Menu

5. Click the edit icon or Menu > Edit to open the import and fix any problem. Figure 53 is an example.
   You can then reprocess the import.

Figure 53 - The Data Profile Import Edit Panel

• To reprocess an edited (corrected) import, from the Data Profile Import list (Figure 49), select Menu > ReProcess.

Data Profile Deletion Rules

• On the template, enter "D" in the Action column of any data profile row that you wish to delete (Figure 54).
  The yellow column -- Data Profile -- is required.
• The last entry on the template must be <EOF>.
• When you finish entering values in the fields, save the spreadsheet as a CSV file on your computer or local network.

Figure 54 - Using the Template to Delete a Data Profile

ERP checks that the data profile is not assigned to any user before it runs the delete. If it is assigned to someone, the delete fails and a message appears.

Here are additional rules for data profile records that are to be deleted:

- When a Delete (D) record doesn't have an organization, department, or asset location entered, then the entire data profile will be deleted.

- When a Delete (D) record has only an organization entered, then the organization and all the departments and asset locations for that organization will be deleted from that Data Profile.

- When a Delete (D) record has an organization and department entered, then the department for that organization will be deleted from that Data Profile.

- When a Delete (D) record has an organization and asset location entered, then the asset location for that organization will be deleted from that Data Profile.

- When a Delete (D) record has an organization, department, and asset location entered, an error message appears.

- When a Delete (D) record has a department entered, but no organization, an error message appears because the same department name can be present in multiple organizations.

- When a Delete (D) record has an asset location entered, but no organization, an error message appears, because the same asset location name can be in multiple organizations.

Display Audits of Data Profile and Role Object Changes

An audit facility is available on the Data Profiles lists and the Roles and Role Objects lists.

Data Profiles

Changes to a data profile's general information or to organizations, departments, or asset locations assigned to a data profile are audited.

• To display an audit of the data profile's general information, select Administration > Data Profiles.
  The list of data profiles appears.

Next to any data profile, click Menu > View Audit Info (Figure 55A, ).

• To display an audit of any department, organization, or asset location assignments, use either of these methods:

From the data profile, click Menu > View Regions/Organizations Audits or View Department Audits (Figure 55A, ).

Or:

Drill down to the department/organization/region and view an audit from there:

- From the data profile Menu click Valid Regions/Organizations, or Valid Departments (Figure 55A , red arrow,), or Valid Asset Locations.

The relevant list appears. Figure 55B is an example for the departments assigned to the data profile 6020.
- On the list, click Menu > View Audit Info (Figure 55B, ).

Figure 55 - Displaying Valid Departments in a Data Profile to Audit Changes

For example, imagine that a fourth department 4460 Sports Medicine Outpatient was once assigned to the data profile 6020 in Figure 55B, and has been removed. Figure 56 displays the audited change.

Figure 56 - Audit of Department Changes to a Data Profile: Department 4460 was Deleted

Roles

The audit displays changes to a role's general characteristics and to role objects' settings. Figure 57 is an example.

Figure 57 - Getting Audit Information for a Role and for Changes to Its Role Objects' Settings

On Figure 57A for the role of Buyer, the menu options are:

- Users -- displays users assigned to the role.

- Role Objects -- lists role objects. Clicking this option displays Figure 57B.

- Omitted Menu Options -- displays main Contents elements that users with the role cannot access.

- Available Menu Options -- displays main Contents elements that users can access.

- Omit Menu Options -- lets you omit main Contents elements so that the user cannot access them.

- View RoleObject Audits - displays changes to security object settings; for example, a change from Modify to All.

- View Audit Info -- displays changes to any general characteristics of the role.

- Edit -- lets you change the general role information, such as the role Description.

- Copy - lets you copy the role.

- Delete - deletes the role (Not shown).

Figure 55B is part of the list of role objects for Buyer.

• To access an audit of changes to role objects' security settings,
  - Click Menu > View Audit Info next to any role object (Figure 57B) to display changes to all role objects' settings.

- Alternately, on the menu for the role (Figure 57A), click View RoleObject Audits.

Audited Fields in Accounts Payable, General Ledger, Materials Management, and Administration

List of audited fields links to a spreadsheet containing the fields and their locations.

In summary, these fields are audited on the user record:

Active YN
Role
Data Profile
Hide Financial Data YN
Hide ePHI Data YN
IP Restriction YN
Password
Lock Out Counter
Lock Out Date
Last Used User
Report Security Profile
Email Address
User Security Level

• To view audits, on the User Info panel, click the audit icon , or Menu > View Audit Info.

See the discussion of "Access and Change Logs" for a discussion of patient information protections in log and audit displays.

Finding What Role Objects and Settings are Needed to Use a Feature

You can find out what security settings you need to use ERP features.

- Point the mouse over the feature of interest in the main Table of Contents (or in the Menu contents for any panel).

- Right click.

A pop up box displays the security object needed.

Copyright © 2023 by Premier Inc. All rights reserved.