1. Home
  2. Categories
  3. IT User Guides & Documents
  4. Agresso

Agresso - Security Role Information

326  David Stefan Thu, Jun 25, 2020  Agresso


This document is intended to assist staff in determining what access roles are needed for Country Office staff and can be used to assist in completing the Agresso Access Form (AAF). When determining what access rights a user needs, please take into consideration the user’s job roles and responsibilities, what information the user should have access to, internal controls, and segregation of duties. This document does not reference all available roles in Agresso or all roles presented on the Agresso Access Form. This document is intended to focus on the main security roles used by Country Office staff.

Access Request Process

To request access for Country Office staff, an Agresso Access Form (AAF) must be completed and approved before IT can update access rights. Once the form is completed, it must be approved by the (1) Supervisor or Requestor, (2) HQ Director of Finance and Administration for that Area, and the (3) Module Owner(s). See the Agresso Access Approval Matrix on page two of the Form for information about module owners.

For new hires, a Workforce Notification must be received before IT can grant access to Agresso. The Workforce announcement also notifies IT to grant new hires access to Timesheets via the "HR-Employee Self Service Salary" role. Therefore, you do not need to create an AAF for access to Timesheets.

 

After IT receives an approved Agresso Access Form, it may take up to five business days before access is updated in the system.

When an employee leaves Heifer, the Country Office is responsible for updating the employee’s Agresso personnel file and completing the departure process. This triggers a Workforce announcement which notifies IT to remove access from the system. It is unnecessary to complete an AAF to remove access for departing staff.

 

Security Role Design

In general, each module or process has the following roles: Admin, Approval, Data Entry, and Read Only.

  • Admin - The admin role is reserved for Agresso Super Users that are responsible for building new module functionality, making configuration changes, responsible for system maintenance and approving access for the module.
  • Approval Allows users to approve or post transactions. Depending on the module, this role may also have elevated privileges to see additional data.
  • Data Entry Allows user to enter data or transactions.
  • Read Only Allows users to view information, but users are not allowed to save changes. Users that are granted Admin, Approval, or Data Entry access will be able to see everything that a user with Read Only access can see. Therefore, you do not need to request Approval access and Read Only access or Data Entry access and Read Only access.

 

Security Roles for Country Office Staff

Process or Module

Roles for Country Office Staff

Comments

Accounts Payable

Finance Staff

  • Approval
  • Data Entry
  • Read Only
  • The Approval role allows users to add, change or delete vendors, and approve incoming invoices.
  • The Data Entry allows users to enter incoming invoices.
  • Read only can only look up the information but cannot make changes.

Bank Reconciliation

Finance Staff

  • Approval
  • Read Only
  • The person responsible for the bank reconciliation should be given Bank Rec Approval access; this role allows staff to create and post a bank reconciliation
  • In order to separate duties for internal control purposes, it is recommended that the person processing bank reconciliations not have access to the General Ledger Approval security role. Also, it is recommended that only two staff members have access to Bank Rec Approval.
  • Read only can view the reconciliation, but cannot create, post or make changes.
  • Bank Rec does not use a Data Entry role. This is because when processing the bank reconciliation, there is not data to enter, but instead users are matching transactions.

Batch Input - Approval

Finance Staff

  • Approval
  • Allows users to upload journal entries using the GL07. It does not grant access to upload budget information. (See Planner section for information on uploading/entering budgets).

Common Module/Folder

Finance Staff

  • Read Only
  • Document Archive Load
  • In general, Finance staff should have Agresso Common -Read Only access. This will allow users to view information in the Common folder, but not to make changes.
  • Agresso Common - Document Archive Load: Used for special circumstances such as to allow temps and interns the ability to only scan documents into Agresso for registrations of transactions or to attach to existing transactions whereas the temp or intern does not need access to other AP, GL, Fixed Asset or other transaction registration screens. Normal data entry or approval access rights automatically has access to document archive.

Fixed Assets

Finance Staff

  • Approval
  • Data Entry
  • Read Only
  • Fixed Asset Data Entry allows users to enter transactions. This role has access to dispose of assets.
  • The design of Fixed Asset security roles is under review. Any changes to the Fixed Asset roles will be communicated.

Fund Request

Finance Staff or Requestors

  • Data Entry
  • Fund Request Data Entry - These users are responsible for requesting funds or an expense reimbursement from HQ. Only users that have completed the Fund Request or Expense Reimbursement training may be given access to Data Entry. It is recommended that only two people per office have access to this role: the staff responsible for requesting funds and a backup.
  • Fund Request Read Only - This role is not in use at this time. We may use this role in the future. Anyone with Data Entry or Approval access will automatically have read only access.
  • Fund Request Approval Roles are reserved for HQ Staff that are responsible for approving requests.
  • The Fund Request process is set-up in the US Client; therefore, no one should have access to Fund Request roles in any client except for the US client.

General Ledger

Finance Staff

  • Approval
  • Data Entry
  • Read Only
  • Approval -Allows user to post transactions.
  • Data Entry -Allows users to enter transactions.

Human Resources and Timesheets

 

Country Office HR Staff

  • HR\Timesheet - Country Approval
  • HR\Timesheet - Read Only

 

Country Office Employees

  • HR-Employee Self Service Salary (HR-ESS)
  • HR-Manager Self Service (HR-MSS)
  • HR\Timesheet Country Approval - Country Office staff responsible for HR and/or Timesheet Processes should be granted access to this role. This allows users to:
    • Review timesheets and approve after supervisor approval (2nd tier of approval for time sheets)
    • Enter personnel data for country office staff.
    • Monitor and redirect workflow of timesheets
    • Assign new substitutes for approval process
    • Access to process a timesheet for another employee
  • HR\Timesheet Country Read Only - Users that need to view, but not enter, HR or Timesheet information should be granted access to this role.
  • Reporting-HR-Country - Users that need to run HR reports should be granted access to Reporting-HR-Country. See reporting section for more information about reports.
  • HR-ESS: Every Country Office employee should have access to HR-ESS so that they can enter a timesheet. Access is granted during the new employee set-up and you do not have to submit an Agresso Access Form for this role.
  • HR-MSS: Only Supervisors in Country Offices should have access to HR-MSS. Access is granted during the PCR process and you do not have to submit an Agresso Access Form to request access. This allows access to approve timesheets. (You will need to ensure that it is clear in the employees personnel record in Agresso that the employee supervises others.)

Planner

Finance Staff

  • Data Entry
  • Read Only
  • Only staff that have completed or scheduled to take the Planner postback training with the HQ Planner team may be granted Planner Data Entry access. All other staff that need to access the Planner module should have Planner Read Only access.
  • Users that need access to Budget data can pull budgets from reports that are available with the Reporting Role. Reporting-Finance-CTRY and Reporting-Programs both allow users access to run budget reports.

Project Master File Access/ Project

Finance & Programs

  • Read Only
  • Read only gives the user the access to see the details of the Project Master File.

Reporting Access
  • Reporting-Finance-CTRY
  • Reporting-HR-Country
  • Reporting-Programs
  • In general, there are three reporting roles that Country Office staff may have access to:
    • Reporting-Finance-CTRY - Reporting role for Country Office Finance Staff.
    • Reporting-HR-Country - Reporting role for Country Office staff that need access to run HR reports
    • Reporting-Programs - Reporting role designed for HQ Programs and Country Office Program staff.

 


This document is intended to assist staff in determining what access roles are needed for Country Office staff and can be used to assist in completing the Agresso Access Form (AAF). When determining what access rights a user needs, please take into consideration the user’s job roles and responsibilities, what information the user should have access to, internal controls, and segregation of duties. This document does not reference all available roles in Agresso or all roles presented on the Agresso Access Form. This document is intended to focus on the main security roles used by Country Office staff.

Access Request Process

To request access for Country Office staff, an Agresso Access Form (AAF) must be completed and approved before IT can update access rights. Once the form is completed, it must be approved by the (1) Supervisor or Requestor, (2) HQ Director of Finance and Administration for that Area, and the (3) Module Owner(s). See the Agresso Access Approval Matrix on page two of the Form for information about module owners.

For new hires, a Workforce Notification must be received before IT can grant access to Agresso. The Workforce announcement also notifies IT to grant new hires access to Timesheets via the "HR-Employee Self Service Salary" role. Therefore, you do not need to create an AAF for access to Timesheets.

 

After IT receives an approved Agresso Access Form, it may take up to five business days before access is updated in the system.

When an employee leaves Heifer, the Country Office is responsible for updating the employee’s Agresso personnel file and completing the departure process. This triggers a Workforce announcement which notifies IT to remove access from the system. It is unnecessary to complete an AAF to remove access for departing staff.

 

Security Role Design

In general, each module or process has the following roles: Admin, Approval, Data Entry, and Read Only.

  • Admin - The admin role is reserved for Agresso Super Users that are responsible for building new module functionality, making configuration changes, responsible for system maintenance and approving access for the module.
  • Approval Allows users to approve or post transactions. Depending on the module, this role may also have elevated privileges to see additional data.
  • Data Entry Allows user to enter data or transactions.
  • Read Only Allows users to view information, but users are not allowed to save changes. Users that are granted Admin, Approval, or Data Entry access will be able to see everything that a user with Read Only access can see. Therefore, you do not need to request Approval access and Read Only access or Data Entry access and Read Only access.

 

Security Roles for Country Office Staff

Process or Module

Roles for Country Office Staff

Comments

Accounts Payable

Finance Staff

  • Approval
  • Data Entry
  • Read Only
  • The Approval role allows users to add, change or delete vendors, and approve incoming invoices.
  • The Data Entry allows users to enter incoming invoices.
  • Read only can only look up the information but cannot make changes.

Bank Reconciliation

Finance Staff

  • Approval
  • Read Only
  • The person responsible for the bank reconciliation should be given Bank Rec Approval access; this role allows staff to create and post a bank reconciliation
  • In order to separate duties for internal control purposes, it is recommended that the person processing bank reconciliations not have access to the General Ledger Approval security role. Also, it is recommended that only two staff members have access to Bank Rec Approval.
  • Read only can view the reconciliation, but cannot create, post or make changes.
  • Bank Rec does not use a Data Entry role. This is because when processing the bank reconciliation, there is not data to enter, but instead users are matching transactions.

Batch Input - Approval

Finance Staff

  • Approval
  • Allows users to upload journal entries using the GL07. It does not grant access to upload budget information. (See Planner section for information on uploading/entering budgets).

Common Module/Folder

Finance Staff

  • Read Only
  • Document Archive Load
  • In general, Finance staff should have Agresso Common -Read Only access. This will allow users to view information in the Common folder, but not to make changes.
  • Agresso Common - Document Archive Load: Used for special circumstances such as to allow temps and interns the ability to only scan documents into Agresso for registrations of transactions or to attach to existing transactions whereas the temp or intern does not need access to other AP, GL, Fixed Asset or other transaction registration screens. Normal data entry or approval access rights automatically has access to document archive.

Fixed Assets

Finance Staff

  • Approval
  • Data Entry
  • Read Only
  • Fixed Asset Data Entry allows users to enter transactions. This role has access to dispose of assets.
  • The design of Fixed Asset security roles is under review. Any changes to the Fixed Asset roles will be communicated.

Fund Request

Finance Staff or Requestors

  • Data Entry
  • Fund Request Data Entry - These users are responsible for requesting funds or an expense reimbursement from HQ. Only users that have completed the Fund Request or Expense Reimbursement training may be given access to Data Entry. It is recommended that only two people per office have access to this role: the staff responsible for requesting funds and a backup.
  • Fund Request Read Only - This role is not in use at this time. We may use this role in the future. Anyone with Data Entry or Approval access will automatically have read only access.
  • Fund Request Approval Roles are reserved for HQ Staff that are responsible for approving requests.
  • The Fund Request process is set-up in the US Client; therefore, no one should have access to Fund Request roles in any client except for the US client.

General Ledger

Finance Staff

  • Approval
  • Data Entry
  • Read Only
  • Approval -Allows user to post transactions.
  • Data Entry -Allows users to enter transactions.

Human Resources and Timesheets

 

Country Office HR Staff

  • HR\Timesheet - Country Approval
  • HR\Timesheet - Read Only

 

Country Office Employees

  • HR-Employee Self Service Salary (HR-ESS)
  • HR-Manager Self Service (HR-MSS)
  • HR\Timesheet Country Approval - Country Office staff responsible for HR and/or Timesheet Processes should be granted access to this role. This allows users to:
    • Review timesheets and approve after supervisor approval (2nd tier of approval for time sheets)
    • Enter personnel data for country office staff.
    • Monitor and redirect workflow of timesheets
    • Assign new substitutes for approval process
    • Access to process a timesheet for another employee
  • HR\Timesheet Country Read Only - Users that need to view, but not enter, HR or Timesheet information should be granted access to this role.
  • Reporting-HR-Country - Users that need to run HR reports should be granted access to Reporting-HR-Country. See reporting section for more information about reports.
  • HR-ESS: Every Country Office employee should have access to HR-ESS so that they can enter a timesheet. Access is granted during the new employee set-up and you do not have to submit an Agresso Access Form for this role.
  • HR-MSS: Only Supervisors in Country Offices should have access to HR-MSS. Access is granted during the PCR process and you do not have to submit an Agresso Access Form to request access. This allows access to approve timesheets. (You will need to ensure that it is clear in the employees personnel record in Agresso that the employee supervises others.)

Planner

Finance Staff

  • Data Entry
  • Read Only
  • Only staff that have completed or scheduled to take the Planner postback training with the HQ Planner team may be granted Planner Data Entry access. All other staff that need to access the Planner module should have Planner Read Only access.
  • Users that need access to Budget data can pull budgets from reports that are available with the Reporting Role. Reporting-Finance-CTRY and Reporting-Programs both allow users access to run budget reports.

Project Master File Access/ Project

Finance & Programs

  • Read Only
  • Read only gives the user the access to see the details of the Project Master File.

Reporting Access
  • Reporting-Finance-CTRY
  • Reporting-HR-Country
  • Reporting-Programs
  • In general, there are three reporting roles that Country Office staff may have access to:
    • Reporting-Finance-CTRY - Reporting role for Country Office Finance Staff.
    • Reporting-HR-Country - Reporting role for Country Office staff that need access to run HR reports
    • Reporting-Programs - Reporting role designed for HQ Programs and Country Office Program staff.

 

Subscribe to knowledge base

Get notified when new articles are added to the knowledge base.