MIS Systems Thread, non Capita Personnel Database in Technical
26th October 2009, 03:32 PM #16
You should have a policy that shows the person running SIMS who should have access to what. I would start with saying no one has access to anything, then add the permissions that they require to perform their job.
IIRC if you create your own permissions groups then with regards to Capita support, you are on your own.
26th October 2009, 05:28 PM #17
No, only the ones with effective software for management do.
Originally Posted by User3204
Most business management software, ESPECIALLY where interactions between staff and customers are managed (e.g. sales management, support ticket systems), will link some of the personnel data to some of the customer data to some of the "interaction" data. The alternative is to have the same information stored in separate locations, which is a severe no-no for data integrity, and really does not work well in terms of scalability.
The way to do it, is to have a sufficiently granular and sophisticated access control system that allows staff (and sometimes customers) to see what they *need* to see, to change what they *need* to change, and not to access what they do not need to.
You could do this by implementing a second system, in parallel with SIMS: one major drawback to consider, is that you would need to update SIMS from the personnel system, or to update the personnel system from SIMS. How would you implement this? Obviously, having someone copy the data manually is unacceptable from the point of view of accuracy (as humans make mistakes quite frequently).
Another solution would be some kind of import/export script that copied data out from one system and then into the other. If you went this route, then you'd have to restrict the access, so that the script was only allowed to output the data it needed to. How is this a better solution than making sure that the relevant staff can or cannot access the data directly from within SIMS?
I'm assuming that you have students' work, internet email traffic, student assessment data, teachers' files, and administrative data (finance, personnel, etc) all on your network. Do you run each set of data on a separate set of physical wires, along with separate network cards on each machine, etc? I'm guessing the answer is "no", because you have access control measures in place instead.
SIMS (and any other decent MIS) can do this as well. To be honest, to have completely separate personnel, finance and academic management software systems would be a severe backwards step, and is likely to raise far more issues of security and data protection: I'll bet large sums of money that staff will send sensitive data of various sorts around in things like excel files, emails, and printouts.
Learn the permissions system in SIMS, consult to find out who needs to know what (you may want to change things from the defaults), and set up your permissions accordingly! It'll be a lot simpler, more effective, less painful, and also cheaper. If training or knowledge is an issue then get some training/consultancy/manuals. It's cheaper than trying to write an in-house system, and it's far better than trying to link a third-party solution. If you have trust issues with data management/admin/it staff then these should be addressed, and installing two software systems will not fix them.
26th October 2009, 10:39 PM #18
Totally agree. Part of SIMS's biggest problem is the fact they make it too easy to export data, I know someone's going to argue with me, but if you actually think about it, any technical person with enough time on their hands could set up a "text parents" or whatever company without getting any checks etc and get a number of schools to buy into it.
At least Capita cares even if the Government doesn't about checking out providers, you think they have a partner scheme for software developers and for photographers.
26th October 2009, 11:00 PM #19
Totally agree with you on the export thing... I've thought for some time that it should be possible to audit who's exported/printed what. Surely it would be good to know that Mrs X or Mr Y has exported a list of all the kids in the school for instance?
Originally Posted by matt40k
26th October 2009, 11:19 PM #20
I like the idea of using API keys, just think Capita can't do it as others would moan.
26th October 2009, 11:48 PM #21
The issue is this - if users can't access their data via MS SQL, they need access in some other way. There are many legitimate packages that require this access, regardless of whether you think they should have access or not. If Capita introduced some form of API key requirement etc... then all that would do is force companies to fiddle with the MSSQL database instead.
Originally Posted by matt40k
Also, we all know that such a scheme, were it implemented, would inevitably incur a charge of some form. This would not be acceptable to anyone who is doing open source coding.
It potentially would even mean that they'd end up in trouble for anti-competitive behaviour.
You can't have it both ways.
27th October 2009, 08:06 AM #22
Audited exports is probably the best way - although it's always possible to get round that by accessing the backend RDBMS directly. There will be times when it's reasonable and necessary for someone to export a list of contact addresses to other software, or get a contact list for a school trip; maybe the trick is to make sure that if you don't feel you can trust someone with that kind of information, then they aren't allowed access to it/a school/children...
27th October 2009, 08:37 AM #23
Be nice to have the API key, I mean WordPress does it, at least then you have a list of companies that can access SIMS and some basic details, even if the process was an online form. Pulling out stuff like Staff bank details of course would need a special key, unlike getting firstname\surname.
Solving the accessing the database issue is quite simple actually, depends how evil you want to be about it. Best way would be to encrypt the database... isn't that an option in MSSQL2008... oh wait, that's enterprise ed.
28th October 2009, 08:34 PM #24
Oh dear, I seem to have upset a lot of people, infamy, in-for-me, they've all got it infamy....
Still, the problem is the scale of the permissions spreadsheet and the fact that Capita are due to upgrade the System Manager soon, I'd have to check the timeline to know when. So I'm not overly keen on learning how the old system works only for them to change it. Especially when Phil Neal (the Man himself) has a comment in another thread saying how it is not something they are proud of - check the phrasing but this was the gist.
Currently we have all the SIMS accounts integrated with our domain accounts, which I have managed to match up so that staff in finance are in the "finance" group and receptionists are in the "reception" group etc. So I can give finance access to the finance shares/sage based on this; reception staff have access to the late sheets. The trouble is, I don't know what they do within SIMS, the only way to find this is to check with the Admin Manager who has to spend a lot of the time micro managing them (because some of them need it - you know what I mean).
I'm also not in charge of SIMS, the main SIMS coordinator also has to do timetabling (and we've made his job harder by introducing the IB - which has caused more grumbling by people). So between them two and myself trying to arrange when to get together for a long time to work out what staff need to access and then how to give them access.
So really, what is the simple and quickest solution.. really.. ignore it and wait for Capita to catch up with Sysman ? I was working on this plan, until the Bursar mentioned her concern.
Yes, yes, security by obscurity, well it works for the systems you have. One of the things that came up in the little meeting we (our internal ICT support) had was, if you want to find the details of a staff member who has a child (or even just used to) at the school, all the details are there to all staff, as it is acceptable for the teachers to be able to see the pupils/parents home details (but not apparently the other staff). If this is not a concern of your SLT/Bursar then okay.
I can't see any reason why anyone would use the same database for the personnel and whatnot, as most people use different accounts for paying salary and invoicing, we all must have different databases for SIMS .net, SIMS FMS, Tucasi (for invoicing students), Sage (or whatever payroll package is used) and then we have another software for contacting the bank. I know this as there is no single package to do all this. Ideally it would be all clever enough to map it all together so it all knew that person1 on X package was also person1 on Y package - but it doesn't all map into the LDAP domain like that yet.
As to the auditing, I would like to be able to see who made changes etc, as it would have shown up which muppet decided to change a student's forename back and forth between 3 different names (and not just spellings, but completely different names) about 10 times.
....and this is the longest post I've ever written... I'm off for a nap...
28th October 2009, 09:34 PM #25
Right, SysMan 7 should have been out by now, or at least the beta. No such luck. I did comment to the SIMS release manager that they are planning rather a lot for August and bucket loads for Autumn.
I keep hearing mixed things about SysMan 7, I know it's a pain to do, not sure why, but then again, I'm not a programmer. I've heard, not until everything is .net, I've heard not until Silverlight, no idea why you would need Silverlight for SysMan 7.
I really can't see how SIMS permissions is that much of a problem, I know there are bugs etc, but generally it's alright. I personally give everyone Classroom teacher access then go from there. This gives them access to most pupil data, their own staff record (I believe) and not much else.
Whoever does timetabling, gets timetabler, whoever does census gets school administrator (believe this gives you import lookups), personnel officer for the person who adds staff and does the workforce census.
Finance stuff we use FMS, which pulls the staff details from SIMS to work out pay commitments.
People may moan about Capita, but it's the biggest for a reason, it's the best... 99% of the time anyway.
28th October 2009, 10:04 PM #26
Most of the permissions setups are fairly logical - it's just a question of working out who needs to do what, and adding the roles to their account as needed. It's no more complex than the process of setting up an external set of access rules.
29th October 2009, 08:08 PM #27
Logical... Well maybe to you, but I find the fact that access is based on the menu location NOT on the task required confusing as
Originally Posted by MattMitchell
The problem we have is not with the Teachers - who are all class teachers, obviously (nor the magical way SIMS knows who are Dept heads/pastoral tutors).
It's all the support staff we have, of the clerical, there's over 20 who are full time, and they all require slightly different access, some work reception too, which requires the lowest level of access (according to the admin Manager). The easy ones are the Exams officer and the Cover arrangers. We also have another half a dozen part timers/seasonal workers. The most irritating (permissions wise) are the Key Stage support who either get the full "school administrators" or they end up calling us every day to say they can't do X and then Y and then Z and then A thru W - which they need to do for their job.
And this is all just to stop staff having access to other staff home details...
I think I will go back to the Bursar, with a report that states that "... after consultation with educational experts, the general conclusion is that it would be best to keep to a single software vendor (IE Capita) and make some changes to the customisable System Manager module when it is upgraded in the near future..."
After all, one of the ICT targets I have is "..to reduce administrative workloads.." and waiting for Capita to upgrade to Sysman 7 - rather than trying to fiddle the old systems - sounds like this to me. Oh and the "educational experts" that's all you lot, stick it on yer CV, it looks cool.
29th October 2009, 08:50 PM #28
One way round this, and I know it doesn't always work, is to insist on a written description (in English, rather than in SIMS/computer-speak) of who needs to be able to see (and/or to edit) what. THEN set up the permissions based on it. You won't get away with refusing to change stuff afterwards, but it will usually allow you a bit of lead time for future changes ("It'll take a day to set that one up for you").
Originally Posted by User3204
It's probably worth doing this straight away - upgrades to this kind of thing generally transfer over the previous setup (otherwise no-one would be able to use SIMS after the upgrade!).
Originally Posted by User3204
Not having a team of admin people have to copy-type data all over the place, and correct the inevitable mistakes, wrong addresses, phone numbers, etc will be a major reduction in workload!
Originally Posted by User3204