UCPath User Roles and Access

About User Roles

User roles control the UCPath online screens you see, the information you can access, and the types of actions you can take. Because UCPath includes personal data, additional security has been implemented to keep your information safe and to protect against unauthorized access or changes to your information. These measures include the use of Duo multi-factor authentication, and security questions and answers.

Employee and Manager Access

Self-Service Access	Available Functions	Role Provisioning
Employee	View and update personal information including contact information and tax withholding. View earning statements. Manage life events (marriage, new baby, etc.) and related benefits. Enroll in and manage benefits. View vacation, paid time off, sick leave, extended sick leave, FMLA and other leave balances. Submit, monitor, or reopen a case with the UCPath Center.	Employee self-service access is granted automatically when a person is hired into a UCPath position. At go-live, all current UCSF-paid employees were automatically provisioned with self-service access.
Manager/Supervisor	View information about their direct reports and their subordinates (indirect reports) including Job Data and leave balances. Submit, monitor, or reopen a case with the UCPath Center.	Manager self-service access is granted automatically when a 'reports to' relationship is identified in UCPath. At go-live, all current UCSF managers and supervisors (have a 'reports to' relationship) were automatically provisioned with manager self-service access.

Self-Service Access

Available Functions

Role Provisioning

Employee

View and update personal information including contact information and tax withholding.
View earning statements.
Manage life events (marriage, new baby, etc.) and related benefits.
Enroll in and manage benefits.
View vacation, paid time off, sick leave, extended sick leave, FMLA and other leave balances.
Submit, monitor, or reopen a case with the UCPath Center.

Employee self-service access is granted automatically when a person is hired into a UCPath position.

At go-live, all current UCSF-paid employees were automatically provisioned with self-service access.

Manager/Supervisor

View information about their direct reports and their subordinates (indirect reports) including Job Data and leave balances.
Submit, monitor, or reopen a case with the UCPath Center.

Manager self-service access is granted automatically when a 'reports to' relationship is identified in UCPath.

At go-live, all current UCSF managers and supervisors (have a 'reports to' relationship) were automatically provisioned with manager self-service access.

Campus Roles for Funding Entry and Salary Cost Transfers

The following roles have been established in UCPath for campus departments to perform Funding Entry and Salary Cost Transfer functions. These roles do not apply to UCSF Health departments; UCSF Health departments will continue to include funding source chartstrings in PeopleConnect Management Action forms and will submit PeopleConnect Salary Cost Transfer Management Action Forms. UCSF Health Human Resources will enter the corresponding information into UCPath.

Campus Department Role	Responsibilities	Role Provisioning
Funding Entry Initiator	Completes training before requesting access. Updates funding at the position or department level. Defines funding for filled or vacant positions.	Department Access Administrator confirms training plan has been completed. Department Access Administrator submits request using the Access Management Application.
Funding Entry Approver	Completes training before requesting access. Reviews and approves transactions. Can “approve” or “deny” (denial requires comments and returns transaction to the Initiator). Can add ad hoc approvers who must already have the Approver role and row level security for the position department.	Department Access Administrator confirms training plan has been completed. Department Access Administrator submits request using the Access Management Application. Access for approvers is assigned at the department level. Access Administrators must include a list of authorized departments with each request.
Salary Cost Transfer Initiator	Completes training before requesting access. Enters transactions into UCPath to move salary and benefit costs from one chartstring to another. Submits transactions for approval.	Department Access Administrator confirms training plan has been completed. Department Access Administrator submits request using the Access Management Application.
Salary Cost Transfer Approver	Completes training before requesting access. Reviews and approves transactions. Can “approve” or “deny” (denial requires comments and returns the transaction to the Initiator). Can add ad hoc approvers who must already have the Approver role and row level security for the position department.	Department Access Administrator confirms training plan has been completed. Department Access Administrator submits request using the Access Management Application. Access for approvers is assigned at the department level. Access Administrators must include a list of authorized departments with each request.

Security Restrictions and Other Considerations for Funding Entry and Salary Cost Transfer Roles

For each of the campus Initiator and Approver roles, at least one person should be identified for each department within your organization. It is recommended that you identify a minimum of two users for each role to ensure adequate coverage of all tasks.

As you identify who should perform which roles in your department, note the following security restrictions:

Row-level security controls whose data you can access, based on the department where each position is located.

Generally, users with an Initiator role will be granted “open access” to initiate a funding entry update or salary cost transfer for any position across all position departments.
When assigning users to an Approver role, you will be required to indicate one or more departments (by Dept ID) for which the user is authorized to approve. Granting Approver access to a department will grant the user access to all “child” Dept IDs under the department on the Dept ID tree .

When granting the same user access to multiple roles in UCPath, only one row-level security can be assigned. The same row-level security restriction will be assigned across all roles.

For example, assigning Jane Smith the role of Funding Entry Initiator with open access and the role of Salary Cost Transfer Approver restricted to positions within Dept ID 408040 will result in the following:

Jane can approve Salary Cost Transfers for all positions in Dept ID 408040 and positions in any child departments
Jane can initiate Funding Entry transactions only for positions in Dept ID 408040 (and positions in any child departments)

A user may be assigned both the Initiator and Approver role for the same function (e.g., both the Funding Entry Initiator and Funding Entry Approver role). However, UCPath will restrict an Approver from self-approving any transaction they initiated.
In addition to the Salary Cost Transfer Approver role at the department level, high risk transfers will be flagged for exceptional review and routed automatically to Contracts & Grants Accounting.
While there are no limits to the number of users you may assign, note that when a transaction has been submitted by an Initiator, notification will be sent by email to all Approvers authorized to approve transactions for positions within that department. Only one Approver is required to approve the transaction. Departments should develop local business processes to ensure that approval queues for pending transactions are monitored and timely action is taken.

Common Questions

How can I find my department Access Administrator?

Use the Department Functional Role Search on the Controller's Office website. You can search by Department ID or Name.

I do not have enough employees in my Department to cover all the roles, what should I do?

We recommend you discuss your situation with your Control Point leadership. In some cases, it may make sense to “partner” with other departments to cover all functions. In other cases, certain roles may be assigned at a “parent” Dept ID level to ensure role coverage across a group of departments.

How were users identified to fill these roles at UCPath go-live?

Control Point Financial Officers led the effort to identify Funding Entry and Salary Cost Transfer Initiators and Approvers for campus departments within their Control Point. Workbooks were used for role analysis and identification. These workbooks were distributed in January and were due back by March 2, 2020. The identified employees were notified on April 2 and assigned training in the UCLearning Center.

How do I make a change for an employee that I identified for an Initiator or Approver role at go-live?

Have your Department Access Administrator submit the change using the Access Management Application.

How will I request new users or role changes for existing users after go-live?

Department Access Administrators will use the Access Management Application to submit access requests for UCPath after go-live. Managers will need to contact their Department Access Administrator (or follow local business processes) to initiate an access request.

Is training required for all roles?

Yes. Training is required for any campus department user who will initiate or approve Funding Entry or Salary Cost Transfer transactions in UCPath. Department Access Administrators and Control Point Financial Officers are responsible for ensuring that users have completed their required training before allowing access to UCPath to enter or approve funding entry or salary cost transfer transactions.

Where can I look up who has been assigned a Funding Entry or Salary Cost Transfer role for my department?

You can use the Department Functional Role Search on the Controller’s Office website to review role assignments.

Can an Initiator direct a transaction to a specific Approver for action?

No. Unlike PeopleSoft Financials, where Journal Preparers and Journal Approvers are assigned in pairs, transactions submitted for approval by Funding Entry Initiators and Salary Cost Transfer Initiators are routed to all Approvers who are authorized to approve transactions for positions within the department.

Funding Entry Approvers and Salary Cost Transfer Approvers can add an additional “ad hoc” approver to route a transaction for additional approval prior to committing the transaction. However, in order to be assigned a transaction for ad hoc approval, the user must already be assigned the Approver role and must have row-level security for the department in which the position resides.

Is there a reviewer feature or the ability to send an “FYI” notification to someone?

Funding Entry Approvers and Salary Cost Transfer Approvers can add one or more reviewers during the approval process. However, reviewers must already be assigned the Approver role and must have row-level security for the position department. No action is required (or permitted) by the reviewer.

Former Employees and Retirees

Access to UCPath online is available only to former employees and retirees who received pay processed by UCPath. Former employees and retirees who separated from UC before implementation of UCPath will not have access to UCPath online and should continue to use At Your Service Online.

Before you leave UCSF employment, it is important that you update your personal information including your non-business email address in UCPath online to ensure that you receive all payments and communications.

Self-Service Access	Available Functions	Role Provisioning
Former Employee (paid by UCPath)	View and update personal information including contact information and non-business email address View earning statements View W-2 forms	Upon separation from employment, you can register for UCPath online access as a former employee once your separation has been finalized in UCPath online. If UCPath has your non-business email address on file, you will receive a notification email as soon as you are eligible to register for access to the UCPath former employee site. Follow the steps to register and activate your account. You must complete the registration process within the timeframe listed in your email message or you will lose access. If you did not supply your non-business email address, contact the UCPath Center for assistance. More information is available on the UCnet website .
Former Employee (no UCPath pay)	No UCPath access Use AYSO	Not applicable.