HR Professionals,
I want to take this opportunity to thank you for continuing to navigate the system and quickly bring issues to our attention for resolution. We could not do this without your help. The engagement and enthusiasm for IPPS-A I’m seeing from the HR Pro community is greatly appreciated.
As we continue to make progress, I would like to provide you with some updates and guidance regarding IPPS-A Application Security (AppSec), access, and roles:
Principal Validator Admin
We are restricting the approval for the below subcategories to a National Provider level, which have been defined as National Provider level and need to be aligned with a higher approval authority (this will follow the Least Privileged Access Principle):
Users with the Key Entity Enabling Bundle (KEEB) Validator Subcategory and the following roles:
- IP_HCMHR_CASUALTY_VALIDATOR
- IP_HCMHR_PROMOTIONS_VALIDATOR
- IP_HCMHR_PRINCIPLE_VAL
- IP_HCMHR_SENIORITY_DT_VAL
Users with Promotions Centralized Subcategory and the following roles:
- IP_HCMHR_BOARD_NG_CENTRAL_ENL (move)
- IP_HCMHR_BOARD_NG_CENTRAL_OFC (move)
- IP_HCMHR_BOARD_NG_CENTRAL_WO (move)
All users requesting access for the below Subcategories:
- KNOWLEDGE MANAGER
- RESTRICTION MASS UPD
- YMAV MASS UPDATE
- Promo STEP MGMT
- Principle Validator
- Casualty Management
- Promotions Centralized
- ARNG Promotions Create
- KEEB Validator
The following roles will be removed from the KEEB Validator Subcategory and added to the new Principal Validator Admin Subcategory:
- IP_HCMHR_CASUALTY_VALIDATOR
- IP_HCMHR_PROMOTIONS_VALIDATOR
- IP_HCMHR_PRINCIPLE_VAL
- IP_HCMHR_SENIORITY_DT_VAL
The Principal Validator Admin will now approve the following Subcategories (Removing approval from KEEB Validator):
- KNOWLEDGE MANAGER
- RESTRICTION MASS UPD
- YMAV MASS UPDATE
- Promo STEP MGMT
- Principle Validator
- Casualty Management
- Promotions Centralized
- ARNG Promotions Create
- KEEB Validator
Promotion Centralized Subcategory will lose the below Roles:
- IP_HCMHR_BOARD_NG_CENTRAL_ENL
- IP_HCMHR_BOARD_NG_CENTRAL_OFC
- IP_HCMHR_BOARD_NG_CENTRAL_WO
ARNG Promotions Create Subcategory will add the below Roles:
- IP_HCMHR_BOARD_ADMIN_VIEW
- IP_HCMHR_BOARD_NG_CENTRAL_ENL
- IP_HCMHR_BOARD_NG_CENTRAL_OFC
- IP_HCMHR_BOARD_NG_CENTRAL_WO
- IP_HCMHR_BOARD_TRANSFER
Please note that the New Principal Validator Admin will be limited to five individuals per component. The Principal Validator Admins will be the only validator subcategory able to approve the above subcategories in the Access request tile.
The estimated release is 7 March 2024; the Principal Validator Admin will be available to request 8 March 2024. The Bundle Mod will be on 9 March 2024 (the roles listed above will be removed from KEEB, Promotion Centralized, and ARNG Promotions Create subcategories).
Revoke Access
To provide additional security measures and tools and prevent misuse of the system, we have built a process for leaders to revoke a user’s access semi-permanently. This action focuses on users whose access needs to be revoked due to an investigation or System Use Violation, or who pose a Security risk. Leaders will submit a Customer Relationship Management (CRM) case in accordance with the Remove / Revoke Elevated Access User Productivity Kit (UPK) found here:
https://hr.ippsa.army.mil/upk/onl_help/Publishing%20Content/PlayerPackage/index.html?Guid=b08a8b3d-014f-4f1a-89d5-f1c72d0adcbf.
Once adjudicated, the user will be returned to member level access and lose the ability to request elevated access. When the leader determines the member is eligible for elevated access, they will submit a CRM case to reinstate the user’s ability to request access. Additional information on this new functionality can be found below.
Revoke Elevated Access: There are several reasons why Members may have their elevated access revoked: 1) they engage in unauthorized actions; 2) they have access beyond their work scope in IPPS-A; 3) they present a possible security concern. Revoking Elevated Access prevents them from submitting a new access request.
To revoke a Member’s Elevated Access, submit a CRM case. When submitting a CRM case to revoke/reinstate a Member’s Elevated Access, use the following:
Category – “Access & Security”;
Type – “Access Revoke”;
Detail – “Access Revocation” or “Access Reinstatement.” Elevated Access remains revoked until a CRM case is submitted to reinstate access. Members that have their Elevated Access revoked will retain access to Self-Service. When a Member is reinstated, they will need to request elevated access (if needed).
To revoke a Persons of Interest’s (POI) Elevated Access, submit a CRM case. When submitting a CRM case to revoke/reinstate a POI’s Elevated Access, use the following:
Category – “Access & Security”;
Type – “Access Revoke”;
Detail – “Access Revocation” or “Access Reinstatement.” POI’s that have their Elevated Access revoked will lose all access to IPPS-A. When reactivating a POI in a revoked status, a CRM case must be submitted on their behalf for reinstatement of Self-Service access. Once approved, the HR Professional will reactivate the POI’s account and then submit an access request to have their Elevated Access reinstated.
The estimated release is 7 March 2024.
TAM Subcategory (TAM Mgmt Admin)
We are reducing the number of users with the below access to ensure data integrity with reference to Talent Management (TAM). These roles allow users to create and delete Job openings, which should be aligned with the National Provider level (this will follow the Least Privileged Access Principle):
Users with HR System Admin and Career Management Subcategories with the following roles:
- IP_HCMTM_ADMIN_CLSD_MKTS
- IP_HCMTM_ADMIN_OTH_COMP
The following roles will be removed from the HR System Admin and Career Management Subcategories and added to the TAM Mgmt Admin Subcategory:
- IP_HCMTM_ADMIN_CLSD_MKTS (Career Management)
- IP_HCMTM_ADMIN_OTH_COMP (Both)
TAM Mgmt Admin will be approved by the Principal Admin Validator. Users will have a grace period to request the TAM Mgmt Admin Subcategory before the Bundle Mod. If users do not have the TAM Mgmt Admin Subcategory approved by 23 March 2024, they will lose access to the above roles.
Principal Validator Admins will be the only validator subcategory able to approve the above subcategories in the Access request tile.
The estimated Release is 7 March 2024; please request the TAM Mgmt Admin subcategory as needed after 12 March 2024. The estimated Bundle Mod is 23 March 2024.
Resources
Our IPPS-A group on Facebook is a great place to connect with your peers and access real-time updates, dialogue, and answers to
your questions. Under the tab labeled “Files,” you will find a lot of helpful resources. To join, visit
https://www.facebook.com/groups/875398305999928.
We also have a lot of great IPPS-A products created by units located on S1Net. On the left-hand side of the
IPPS-A landing page, find the SUB-TOPICS column, and click “IPPS-A SOPs/Tools” underneath that. Please feel free to “donate” any IPPS-A SOPs and products that have worked for your team!
S1Net is where you may also find our webinars. These instructional sessions cover a variety of IPPS-A topics and can be viewed anytime on the
Training & Webinars page.
For additional information and resources, you may also visit our website at
https://ipps-a.army.mil/.
Thank you for your continued support and patience as we improve and ensure the security of data in IPPS-A.
You are truly driving the change we need in our Army!
v/r,
Becky Lust
Rebekah S. Lust
COL, AG
IPPS-A FMD Director