[SIMS] SIMs Security for sensitive data

[sparker]

My school has asked me to support SIMS ( updates, new installs etc) which I have done for a long time but I have always used the Bursars login ( yeah I know). Things came to a head when I requested a machine login for our library integration when I was told that I was not allowed on due to the sensitive nature of the data. I pointed out that I have access via the Bursars login but more basically have file level access to SQL Db didn't move anyone so I am wondering if any of you know of a way of passwording certain files or permissions that will preserve data security whilst allowing me to do my work.
Capita were pretty baffled so I thought I would consult some experts....
My knowledge of SIMS is pretty basic but surely there is some granularity to the permissions but not sure where to begin?

[creese]

System Manager should most likely be all you need.

Upgrades and installs are done outside of SIMS. So as long as you have the sa password you should be able to do all you need.

[sparker]

Thanks for that but won't the SA password allow me to view personnel files? They are worried that I might look at salaries, identity theft etc

[notalot]

If you have access to SupportNet then you want KB 18694 if not pm me an email address and I'll send you the file from SupportNet for the Permission groups and what access each give

[LosOjos]

Thanks for that but won't the SA password allow me to view personnel files? They are worried that I might look at salaries, identity theft etc

With system manager access, you have the power to grant yourself additional permissions so that you could view whatever you want. It's a matter of whether or not you're trusted to be honest! I wonder if SMT realise the amount of data technicians could get at if they tried?

[creese]

Thanks for that but won't the SA password allow me to view personnel files? They are worried that I might look at salaries, identity theft etc

In theory, yes. But without certain access you can't really do your job. They either want you to do upgrades and trust you, or find someone they do trust. That's the nature of the job. I'm sure anyone competent enough with IT could open all sorts of data, given the password or not.

[sparker]

This was my point to the head, he could lock me out of SIMS but what about the underlying Db? What about email?
It really is the elephant in the room and there are so many techs out there on tiny wages with their hands on the most critical data in the school. So the upshot is that in order to do the job I must have the access or an unknown person can do it for them for a huge fee!

[creese]

This was my point to the head, he could lock me out of SIMS but what about the underlying Db? What about email?
It really is the elephant in the room and there are so many techs out there on tiny wages with their hands on the most critical data in the school. So the upshot is that in order to do the job I must have the access or an unknown person can do it for them for a huge fee!

I have access to over 140 schools and all their data. I would think only about a handfull of Heads are fully as aware as they should be of this. They know, but have not really thought about what they know. Your Head should be applauded for questioning it, but eventually needs to decide if he wants an upgrade and support from an IT technician/manager or not.

[matt40k]

Thanks for that but won't the SA password allow me to view personnel files? They are worried that I might look at salaries, identity theft etc

Yes\No. It won't via the SIMS\FMS application, it will allow you to reset the sysman password, which in turn can reset any sims\fms user account. This however would create an audit trail.

Just a question of having a procudure in place with solid reasons and sticking to it. If you've physical on the server and your got admin rights on the server, your half way pass any other security anyway.

So a common one for technicians would be to have a logon that would at least allow them to check that SIMS is installed correctly and that someone can logon successful.

[vikpaw]

Isn't the Bursar, also the system manager as is the case in many schools? With that login you can create a low level account for testing and library integration, assuming management have approved sims data being present in the library. How it's done shouldn't matter.
I would have just gone and done it, based on your brief. Sometimes, it's better to just do it and document what you've done. Ask for permission, and you end up with a discussion, and all these other issues.
They can't really expect you to only use the bursar's login and think that is secure. You can look at personnel data with their login surely!