DPAS SCR: 00792

Description
The ability to assign DPAS Columbus and Leidos staff access to all warehouses without having to add each warehouse to the account separately. In PA there is a User Type Code called Application Administrator. When this User Type Code is assigned it allows enterprise access to all Site-Ids. A role is then added to the account to allow view only access at the enterprise level. Once the Application Administrator account is established no further action is required for the user to be able to see new Site-Ids added to DPAS.

Recommended
Something needs to be developed in the warehouse module that will allow enterprise data inquiry access without each warehouse having to be added to the users account. Currently there are 273 warehouses in Production. As new warehouses are added to DPAS, each DPAS Columbus and Leidos staff account must be updated to include the new warehouse. Currently, each account takes over 3 hours to create and then additional time to be maintained. We are requesting the User Type be used as a solution. This also fulfills the requirement for a clear separation of duties. The User Types could be utilized as follows:

Standard – Used for the majority of the users. All roles but Help Desk, Security Officer and Job Schedule Manager would be available for this user type.
Security – This is already in use. The only role that can be assigned is Security. No change is being requested.
Application Admin – Used for DPAS Columbus and Leidos. Data Inquiry enterprise access is needed for all individuals with this user type. The roles available to this user would be Enterprise Inquiry (which would need to be created) and Admin Reports.
Agency Coordinator – Used for USMC help desk. From talking with USMC, their help desk will need to be able to complete all transactions in the system for the caller. This would require roles assigned at the Logistic Program level with the ability to access all warehouses under the assigned LP without adding each warehouse individually. All Standard roles would be available for this user type.
Admin Console – The only available role for this user should be Job Schedule Manager.

Mission Critical
FISMA Control ECLP-1 states: Access procedures enforce the principles of separation of duties and "least privilege." Access to privileged accounts is limited to privileged users. Use of privileged accounts is limited to privileged functions; that is, privileged users use non-privileged accounts for all non-privileged functions. This control is in addition to an appropriate security clearance and need-to-know authorization. This was an audit finding for us during our old SAS70 audit. It was the reason why the User Type Codes were developed on the PA side. The User Type Codes are in the Warehouse but the only ones in use are Standard and Security.
During the SSAE 16 audit, Control 6.39 states Access controls have been established to enforce segregation of duties. I’ve always provided the following:

User Type Codes within the application create a clear separation of duties.
Users’ can only be assigned one User Type Code.
They are as follows:
- Standard User – Used for the majority of users
- Security Officer – Only used for DPAS User Account Management in Columbus, OH
- Application Administrator – Assigned to the DPAS Support Desk. Inquiry only access to assist callers requiring assistance.
- DPAS Agency Coordinator – Typically one or two users per agency. User has the ability to determine a few agency setting and inventory plans.
- DPAS Administration Console – Used to monitor the general health of the system. Only assigned to DPAS Columbus and Leidos staff.

Benefits
It will save time for the DPAS Account Management staff and allow the DPAS Columbus and Leidos staff immediate access to all warehouses as they are added to the system. This is also required to provide the appropriate information for the upcoming SSAE 16 audit.

Users
This SCR is needed to be in compliance of the upcoming SSAE 16 audit.

Completed - Release 3.0 - 15 May 2015