Rule 43005 - Invalid PASI Client Security role to submit or approve exemption

Rule TypeRejection

Validated Data

This rule is used to validate the following data in a Student Credential Requirement record:

  • PASI Client Roles of the PASI Client submitting the Credential Requirement Exemption.

To perform this validation, the following information is used:

Description

This rule ensures the PASI Client making the request has the:

This rule ensures the client has the permission to request/approve the exemption reason submitted in the request. In other words, this rule checks the permission on the exemption reason the record is being updated to. Rule 43008 ensures users have the necessary permission to modify the existing exemption reason.

The rule leverages the data in the SecurityExemptionReason table in the PASI database.

Example segment from database table:

Exemption ReasonRequested By PASI Client Security Role (Submit Exemption Role)Approved By PASI Client Security Role (Approve Exemption Role)
Ministerial OrderNULLSubmit Transcript User
Criteria ExemptionSubmit Transcript UserPASI System User
Special CasesNULLPASI System User

The client has the Requested By PASI Client Security Role when its PASI Client System Role is found in the Submit Exemption Role column for the exemption reason on the record. (i.e. The client has permission to “submit/request” the exemption reason)

  • If the Submit Exemption Role is NULL, then an exemption cannot exist for the reason with a status of 'requested'. The exemption reason can only exist on an exemption with a status of “Approved/Denied/Pending”. (i.e. An exemption with for reason cannot be requested, it can only be submitted as an approved exemption).

The client has the Approved By PASI Client Security Role when its PASI Client System Role is found in the Approve Exemption Role column for the exemption reason on the record. (i.e. The client has permission to “approve/deny/pend” the exemption reason).

  • Note: The Approve Exemption Role is never NULL.

Each exemption reason has exactly one set of permissions (one row) which means a client can either:

  • Request an exemption for a specific reason where the same exemption needs to be approved by another user with the permission to approve it, or,
  • Submit the exemption in approved status.

There are currently only two PASI Client System Role defined in the table:

  • Submit Transcript User role. Typically these clients are schools submitting exemption requests or approved exemptions on behalf of their students.
  • PASI System User role. PASIprep is the only client with the PASISystemUser role with access to Student Credential Management functionality. This role is never permitted to request an exemption. Ensuring the client has the role to approve an exemption means the client must approve the exemption in PASIprep. This allows PASI to implement another layer of security by showing/hiding request/approve functionality in relation to specific exemption reasons based on the users PASIprep permissions.

Business Scenarios

From a business perspective this rule will prevent a user without the necessary permission from:

1. Submitting an exemption with a status of requested for a specific exemption reason.

  • Example A: The Submit Transcript User does not have the permission needed to 'request' the Special Cases exemption.
  • Example B: The Submit Transcript User cannot 'request' the CALM Ministerial exemption. It can only be submitted in 'approved' status.

2. Changing the exemption reason on an existing exemption with a status of 'requested'. This rule fires if the user does not have permission to 'request' the new exemption reason. Rule 43008 will fire if the user does not have permission to 'request' the existing exemption reason.

  • Example: The Submit Transcript User does not have the permission needed to update the 'requested' Criteria Exemption to a CALM Ministerial exemption because the Submit Transcript User does not have permission to 'request' a CALM Ministerial Exemption.

3. Adding/modifying exemption details on an exemption with a status of requested for a specific exemption reason.

  • Example: The user does not have the permission needed to 'request' the Special Cases exemption and therefore cannot add/modify the exemption details.

4. Submitting an exemption with a status of approved for a specific exemption reason.

  • Example: The user does not have the permission needed to submit an 'approved' Special Cases exemption.

5. Changing the exemption reason on an existing exemption with a status of 'approved'. This rule fires if the user does not have permission to 'approve' the new exemption reason. Rule 43008 will fire if the user does not have permission to 'approve' the existing exemption reason.

  • Example: The Submit Transcript User does not have the permission needed to update the 'approved' Criteria Exemption to a Special Cases exemption because the Submit Transcript User does not have permission to 'approve' a Special Cases Exemption.

6. Adding/modifying exemption details on an exemption with a status of 'approved' for a specific exemption reason.

  • Example: The user does not have the permission needed to 'approve' the Special Cases exemption and therefore cannot add/modify the exemption details.

Note: Permission to 'Approve' an exemption status refers to the ability to set the status to 'Approved', 'Pending', or 'Denied'.

Effective Period

  • This validation rule is in effect for all school years.

Additional Notes

NOTES: There is a corresponding rule in PASIprep with the same message but with no error number.

Message

When this validation rule is triggered, the following message is returned:

Access Denied. You are not authorized to submit or update the {ExemptionReason} exemption reason or exemption details.

Where {ExemptionReason} is the submitted (new) Exemption Reason.

Applies To

Change History

  • Release 6.10 – Updated to remove auto-approve considerations