What is a (UDOC) User Maintenance Document?
The UDOC (User Maintenance Document) is a document that is used to create a user’s FMS security account (profile) and to link the user to FMS resources (security roles).
The UDOC must include the user’s basic information, Security Roles, and Approval Roles (if applicable). All UDOC requests, except for locking user’s access, will workflow to the department and the Controller’s Office and/or GSD for approval before taking effect (Final).
For more information Click HERE to view the UDOC Manual.
How can we create a UDOC?
Only designated department users with the “GN_UDOC_MGT” Role can create a UDOC. All UDOC must follow the following Document ID naming convention: ##_eid_vv
## – Department number
eid – Employee ID
vv – version number
Example – 26_123456_01
For more information Click HERE to view the UDOC Manual.
How can we modify UDOC?
Only designated department users with the “GN_UDOC_MGT” Role can modify a UDOC. When the UDOC is being modified, it must keep the same Precedence number for each existing Role. The Precedence number must stay consistent always. If the Precedence number is used for another Role, an error message will occur and delay the approval process of the UDOC.
What if someone requests access that is not appropriate via the UDOC document?
The UDOC will be subject to Controller approval to verify the requested access is appropriate (i.e. separation of duties). If the request is deemed inappropriate, it will be rejected.
When a user leaves my Department do I “Lock Out” the user account, delete their Security Roles, or both?
When a user leaves your Department and you lock them out, there is no need to select the “Delete” radio button to delete their Role(s). The default is to use ‘Disabled’.
When the employee leaves our department, when do I “Lock” out the user? Is there a time frame to do so?
Once the user leaves your department you should “Lock” them out immediately. This is to avoid the user having access to FMS for your Department.
After the employee has left my department and I have not locked them out, can I lock them out after they have transferred to their current department?
You should NOT “Lock” out an employee if his OR her Home Department has been updated by their new current department. This will cause an override of the user's current Department. If the override happens, that user will be placed back into their old Home Department and will not have access to their current department FMS information. Click HERE for more information.
I Can't delete Security Role due to Foreign Org Access dependencies.
Please click HERE to open a Quick SNow ticket to remove the user’s Foreign Org access. Choose “SW-REMOVE FOREIGN ORG ACCESS” from “Commonly requested and reported issues” drop-down list.
Why do some UDOC do not require level 5 FMS SW approval and only departmental approval?
UDOC, like other documents in FMS, will route to different approval levels based on defined conditions and routing sequences.
There are 3 conditions to route a UDOC to CTR Level 5 SW for approval.
Updated non-SM security role
Updated one of the workflows in "39_L4","26_L6_FA","26_L5_SW","26_L5_PO","26_L5_PM",
"26_L5_GA","26_L5_FA","26_L5_DA","26_L5_CR","12_L10","10_L12","10_L11","76_PE_L10"
Override Level is greater than 6. Changing the Locked Out status to Locked / Disabled will not require FMS SW level 5 approval
How to Lock a User’s FMS Access?
When a user has left their current department (via retirement, department change or leaving the city), the Department Coordinator must lock the user by creating and submitting an UDOC. In the UDOC, under the “Account Option” tab and the “Locked out” field, should be marked as “Locked Out”. Locking user(s) only requires department Level 2 approval and does not require Controller’s Office approval. As a result, the document will go to final, and the user's FMS access is locked immediately.
UDOC Approval Sequence
Below is a general Workflow process.
Department Level Approval
GSD Level 8 SW approval, if
One or more of the following security roles has been added or removed SM_nnn,"INV_MOB_CNT","INV_MOB_ISS","INV_MOB_REC","INV_MOB_SN","INV_MOB_TI","INV_MOB_TR"
Certain Approval Roles had been added or deleted.
CTR Level 5 SW approval, if
A non-SM security role had been added or removed
Certain Approval Roles had been added or deleted.
Override Level is greater than 6
What is a FMS Security Role?
Security Roles are roles established based upon Job Functions by the Accounting Modules (AP, AR, CA, GL and Procurement), and those Job Functions are assigned Security Roles. (e.g. the AP Payment Management role gives a user access to process FMS payment documents).
In addition, specific FMS tables and pages are assigned to each security role (“Resources”) and include read or write access, depending on minimal needs of the role. Since FMS Security uses the building block approach, the Department can add additional roles to users depending on needs.
How do I determine what Security Role I need?
Your Security Role is based upon your duties and responsibilities in your department. If you need help determining the Security and Approval roles, please please click HERE to open a Quick SNow ticket to request help choosing Security and Approval roles. Choose “SW-SECURITY & APPROVAL ROLES” from “Commonly requested and reported issues” drop-down list.
Can the security and workflow team create a customized role for a department? Can the current roles be grouped together?
Security roles are like building blocks; so some users may be associated with only one role while other users may be associated with multiple roles. Each role must be maintained by the FMS Security and Workflow group and customized roles are not permitted. Any requests for "customized" roles should be directed to the Controller's Office. You can also note which roles are common for your type of users (i.e., a cheat sheet to remind yourself when requesting access to FMS).
What is a FMS Workflow Approval Role?
Workflow roles will allow the user to approve a document based on the level of the role. User is not allowed to apply more than one approval level on the same document. The workflow role will also require appropriate security for that workflow role to be applicable.
How do I determine what Workflow Approval Role I need?
Your Workflow Approval Role is based upon your duties and responsibilities in your department.
If I approved a document at a Level 1 can I also approve the same document as a Level 2 approver?
If the user has both approval roles, they can only approve at Level 1 or Level 2, not both. A user can be a member of multiple approval groups and levels, but will be restricted to applying only one approval per document.
What is Foreign Organization Access?
Foreign Organization Access is the ability given to a user from a different Department access to process documents of another Department.
It requires a formal written/scan agreement, memo or email, between both departments' chief accounting employee to grant this ability to a user.
What is my default access to other departments?
Below is the list of departments and their default access to other departments: (If your department is not listed, it means that your access is limited to your department only.)
Department Foreign Org. Access
CAO, 10 53 (Users are automatically given access)
City Attorney, 12 59 (Users are automatically given access)
City Clerk, 14 11, 13, 15, 19, 28, 46, 56 (Users are automatically given access)
Emergency Management, 35 34 (Users are automatically given access)
GSD, 40 60 & 63 (Users are automatically given access)
Personnel, 66 61 (Users are automatically given access)
Board of Public Works, 74 50, 54, 62, 76, 78, 82, 84, 86 (Users are automatically given access)
Bureau of Contract Admin, 76 50 & 54 (Users are automatically given access)
Bureau of Engineering, 78 50 & 54 (Users are automatically given access)
Bureau of Sanitation, 82 50 & 54 (Users are automatically given access)
Bureau of Street Lighting, 84 50 & 54 (Users are automatically given access)
Bureau of Street Services, 86 50 & 54 (Users are automatically given access)
Recreation and Parks, 88 89 (Users are automatically given access)
Will there be any restrictions on access to other departments’ information?
Most departments will have only access to their own department's information in FMS. InfoAdvantage also has row restriction by department. However, some central departments, such as the Controller’s Office, Mayor’s Office, and CAO’s Office, and other departments may have access to other departments' information if there is a business reason for doing so.
On the Major Project Budget Inquiry, if the Project involves more than one department, will FMS show all the departments involved on one screen that can be accessed by all the departments involved?
No, based upon security user roles and rules, the system will be partitioned for department users to access only their corresponding department information, with the exception of the shared departments (foreign org access).
How does granting DOC_SEC Foreign Org Work
DOC_SEC refers to the accounting line with the document. A user that is granted DOC_SEC Foreign Org to another department can only use that department in the accounting line. The user cannot create a document with the other's department header.
What does LDAP mean?
LDAP means (Lightweight Directory Access Protocol). The City uses this industry standard Lightweight Directory Access Protocol (LDAP) for City networks and other City systems, such as PaySR, GMail, etc.
How does LDAP work with FMS?
When a new FMS user is created, the department OR ITA’s network administrator must establish the user’s employee LDAP id first. Having a LDAP established is a prerequisite before requesting user access or assignment of security roles. FMS user IDs and passwords are controlled centrally by a specialized ITA section and provided to the FMS system through secure “permissions”.
How to Request for an LDAP for proprietary, non-citywide, and temporary user?
For departments that use City’s Google/Gmail account (@lacity.org, @lapl.org) please contact your department IT or HR to verify the readiness of the user's LDAP ID status.
For LAWA, LACERS, LAFP, PLA, DWP, & LAPD: Fill out the LDAP request form and open a SNow ticket to ITA-IDM
To create an LDAP (Lightweight Directory Access Protocol) account, the department’s FMS Coordinator should open a SNow Ticket and assign it to ITA-IDM. The following information must be included in the SNow ticket.
Department Name
Employee ID
LDAP ID (usually with lower-case dept_prefix+EID, for example, lapd999999)
Last Name
First Name
Email address
Address
Telephone number (needed for FMS User table, and issuer/buyer for POs)
Account expiration (required for contractor)
Please note an LDAP account is required in order to establish an FMS (UDOC) User Maintenance Document .
How to check if an LDAP ID is active?
Regular department: when the user’s @lacity.org or @lapl.org email account is ready or contact your IT or HR sections
Network proprietary departments usually will receive a notification from ITA
Use the FMS Security Audit Reports to lookup https://fmssecaudit.insidela.org/ -> SINGLE USER REPORT
How to request infoAdvantage access for a user?
infoAdvantage and FMS are separate applications and require different access requests. UDOC will provide a user with FMS access only.
You can use one of the methods below to request for a user's infoAdvantage access
Open a SNow ticket or FMS SNow quick ticket
or submit along with UDOC by one of the following methods
Add the SM_D_INFOADV security role (it will be ignored if the user already has this role and its Action is Update)
Add a comment requesting for infoAdvantage access with the UDOC
What is the URL access link?
https://fmssecaudit.insidela.org
"fms sec(urity) audit insidela org"
Does every FMS user have access to the CTR SecAudit application?
Only users with the GN_UDOC_MGT security role (UDOC creator and approver), and CTR, GSD, and ITA FMS support teams have access to the SecAudit app.
Why the reports doesn't download?
Please make sure your browser's pop-up blocker is set to allow for https://fmssecaudit.insidela.org
Scott Lin: (213) 978-7363 / scott.lin@lacity.org
Ricardo Reyes: (213) 978-7495 / ricardo.reyesjr@lacity.org
email: ctr.fms-sw@lacity.org
Why there is no response for SINGLE USER REPORT?
The SINGLE USER REPORT will open a new tab in your browser if a valid FMS user ID is submitted. Please make sure your browser's pop-up blocker is set to allow for https://fmssecaudit.insidela.org
Does every FMS user have access to the CTR SecAudit application?
Only users with the GN_UDOC_MGT (UDOC creator and approver), and CTR, GSD, and ITA FMS support teams have access to the SecAudit app.
I click on SINGLE USER REPORT or try to download a report, but nothing happens.
Please make sure your browser pop-up block is set to allow for http://fmssecaudit.insidela.org
How do I get support for the SecAudit app?
Ricardo Reyes: (213) 978-7495 / ricardo.reyesjr@lacity.org
email: ctr.fms-sw@lacity.org
I tried to open or download an attachment or report but it doesn't work. (pop-up clocker)
Please download the simple how-go guide to configure your browser's pop-up blocker to allow for https://fms.insidela.org, https://infoadv.insidela.org , and https://fmssecaudit.insidela.org. Or have the pop-up blocker disabled