Can't assign clerk role?

[chriswoodut]

There seems to be changes on who can grant someone a calling. I swear two weeks ago I had the ability to give someone the calling of 'clerk'. I needed to change the brother's calling from finance clerk to ward assistant clerk to get the right LCR rights for his calling. (Actually, I need him to have access to both.) The system would not let me assign him the calling. I'm a ward clerk. I then released him as a finance clerk hoping it would then allow me to assign it. Nope, now he has no clerk calling.

I asked the stake clerk to fix it. He says he can't assign the calling because the system is prompting for 2 logins to assign an assistant ward clerk a calling! This latest push to make everything double logins to change anything is making things really hard and I'm not sure that it is really making things more secure.

I'm seeing these things now require 2 person authentications to get done:

1. Finance approvals (batch, checks). This makes sense to me.

2. Granting someone a clerk calling. This seems new. Not even a stake clerk can do it. What's hard is that it requires two people to be in the same place/same computer at the same time to do it. We can't both be remote from each other. The real kicker is forcing the two to be in the same room. If people are traveling, it is hard. We now allow financial reimbursements to be done remotely and separately, it would be nice if this was as well.

3. If someone wants to change their password on MLS, two logins are required. Plus, they have added password expiration. We got in a jam where a password expired and it was discovered in the middle of a tithing batch and couldn't complete the batch without another person driving to the church to authenticate the batch. (Note that recent studies have proven password expiration does not increase security. The church is really late to implementing it and now companies such as Microsoft have declared the theory dead.) On the other hand, the church has made two factor authentication available on LCR which is cool.

4. Have you guys seen other changes?

(Usually when I see people post here there are two unhelpful responses, so don't bother with those. The two are; you should trust the church is doing the right thing and don't ask questions, and the second is that nobody from the church IT departments read these forums so don't post here because it's not helpful.)

[sbradshaw]

When you say you were assigning him to regular clerk, do you mean "Ward Clerk" or "Ward Assistant Clerk"? Only one person can be ward clerk at a time (but you can have as many assistants as you want).

[chriswoodut]

When you say you were assigning him to regular clerk, do you mean "Ward Clerk" or "Ward Assistant Clerk"? Only one person can be ward clerk at a time (but you can have as many assistants as you want).

'Ward Assistant Clerk' is the role I need to assign.

[russellhltn]

According to Handbook 1, clerks are subject to stake approval. Since "Ward Assistant Clerk" also has finance rights, I can see why that might require two logins to approve.

I'll take a guess that the intended change was either to require the stake to input the name (using the two logins), or that the ward clerk could do it (but it would also take two logins). In the latter case, it sound like there may be a bug.

I have noticed in the forum that there have been some units handing out "assistant clerk" callings to grant LCR rights to people they think should have them. So, requiring the stakes to input them might be the Church's response to that.

Have you contacted support to find out?

As for changing MLS passwords, I know it requires two people to reset it if it's forgotten, but does it really require two to change an expiring, remembered password?

I agree with you on expiring passwords, but I'm not sure as the church has found any code library that implements what was recommended to replace it. That recommendation was to prevent certain simplistic or commonly used passwords. Detecting a "keyboard walk" isn't easy.

[Biggles]

As mentioned by russellhltn you do indeed require two other administrators to confirm the password change, in MLS. However, if the password hasn’t expired yet, but you get the expiring message. I have found that by logging out of MLS, then logging back in you can change the password without involving anyone else. This scenario invariably crops up when a counsellor comes to authorise a donation batch. If the batch is suspended, he can then carry out his password change (by logging out) following which the suspended batch can then be authorised normally. Saves a lot of aggravation, if no one else is there.

Hope this makes sense!

[scgallafent]

There seems to be changes on who can grant someone a calling. I swear two weeks ago I had the ability to give someone the calling of 'clerk'. I needed to change the brother's calling from finance clerk to ward assistant clerk to get the right LCR rights for his calling. (Actually, I need him to have access to both.) The system would not let me assign him the calling. I'm a ward clerk. I then released him as a finance clerk hoping it would then allow me to assign it. Nope, now he has no clerk calling.

I asked the stake clerk to fix it. He says he can't assign the calling because the system is prompting for 2 logins to assign an assistant ward clerk a calling! This latest push to make everything double logins to change anything is making things really hard and I'm not sure that it is really making things more secure.

Because an assistant clerk has finance rights, dual authorization is required to make a change to an assistant clerk calling. If dual authorization isn't required to add a new clerk, that creates implications for ...

1. Finance approvals (batch, checks). This makes sense to me.

If you have the ability to add someone as an assistant clerk without a secondary approval, there is no control that prevents you from granting finance rights to another account that you control and using the two accounts you control to authorize payments, which is why ...

2. Granting someone a clerk calling. This seems new. Not even a stake clerk can do it. What's hard is that it requires two people to be in the same place/same computer at the same time to do it. We can't both be remote from each other. The real kicker is forcing the two to be in the same room. If people are traveling, it is hard. We now allow financial reimbursements to be done remotely and separately, it would be nice if this was as well.

There is opportunity for process improvement here, but I don't know when that will be high enough priority to result in a change. It is not a trivial change.

I'm not sure why you're having errors. It's possible that there is a bug preventing the add.

3. If someone wants to change their password on MLS, two logins are required. Plus, they have added password expiration. We got in a jam where a password expired and it was discovered in the middle of a tithing batch and couldn't complete the batch without another person driving to the church to authenticate the batch. (Note that recent studies have proven password expiration does not increase security. The church is really late to implementing it and now companies such as Microsoft have declared the theory dead.) On the other hand, the church has made two factor authentication available on LCR which is cool.

The same issue applies here. If a single user can authorize a password change on MLS, there isn't anything that would prevent me from logging in, changing your password, and then using the two accounts that I now control to disburse funds.

I've read the studies. They all make a presumption of good password hygiene, which does not exist in some places in the church. When users are sharing passwords and recycling accounts, forcing a password change provides a small bit of additional defense against those practices.

[chriswoodut]

There seems to be changes on who can grant someone a calling. I swear two weeks ago I had the ability to give someone the calling of 'clerk'. I needed to change the brother's calling from finance clerk to ward assistant clerk to get the right LCR rights for his calling. (Actually, I need him to have access to both.) The system would not let me assign him the calling. I'm a ward clerk. I then released him as a finance clerk hoping it would then allow me to assign it. Nope, now he has no clerk calling.

I asked the stake clerk to fix it. He says he can't assign the calling because the system is prompting for 2 logins to assign an assistant ward clerk a calling! This latest push to make everything double logins to change anything is making things really hard and I'm not sure that it is really making things more secure.

Because an assistant clerk has finance rights, dual authorization is required to make a change to an assistant clerk calling. If dual authorization isn't required to add a new clerk, that creates implications for ...

1. Finance approvals (batch, checks). This makes sense to me.

If you have the ability to add someone as an assistant clerk without a secondary approval, there is no control that prevents you from granting finance rights to another account that you control and using the two accounts you control to authorize payments, which is why ...

2. Granting someone a clerk calling. This seems new. Not even a stake clerk can do it. What's hard is that it requires two people to be in the same place/same computer at the same time to do it. We can't both be remote from each other. The real kicker is forcing the two to be in the same room. If people are traveling, it is hard. We now allow financial reimbursements to be done remotely and separately, it would be nice if this was as well.

There is opportunity for process improvement here, but I don't know when that will be high enough priority to result in a change. It is not a trivial change.

I'm not sure why you're having errors. It's possible that there is a bug preventing the add.

3. If someone wants to change their password on MLS, two logins are required. Plus, they have added password expiration. We got in a jam where a password expired and it was discovered in the middle of a tithing batch and couldn't complete the batch without another person driving to the church to authenticate the batch. (Note that recent studies have proven password expiration does not increase security. The church is really late to implementing it and now companies such as Microsoft have declared the theory dead.) On the other hand, the church has made two factor authentication available on LCR which is cool.

The same issue applies here. If a single user can authorize a password change on MLS, there isn't anything that would prevent me from logging in, changing your password, and then using the two accounts that I now control to disburse funds.

I've read the studies. They all make a presumption of good password hygiene, which does not exist in some places in the church. When users are sharing passwords and recycling accounts, forcing a password change provides a small bit of additional defense against those practices.

A lot of the pain could be minimized by a cleaner implementation and process flow being done with the roll out and not reactive to frustrations after. IMO, it's tempting to just say "security is a always so important therefore we must do this even if it is annoying to everyone." Yes, doing it well takes more effort but it sure is frustrating to not be able to do my calling because of awkwardly implemented systems that nobody at the ward or stake level really understands.

[chriswoodut]

As an update:
If I go into the person's membership record, then click the callings tab, and then try to add a calling as a 'ward assistant clerk', the calling doesn't show up to select. e.g. I select bishopric and then there is no calling to select.

The stake pointed out this morning, if I go into organizations and then bishopric and then add calling and type in the new clerk's name, I WILL GET the prompt for additional approval. So, the system isn't providing consistent behavior between the two methods of adding a calling.

[russellhltn]

If I go into the person's membership record, then click the callings tab, and then try to add a calling as a 'ward assistant clerk', the calling doesn't show up to select. e.g. I select bishopric and then there is no calling to select.

I wonder if it would do that if he didn't already have an assistant clerk calling.

[chriswoodut]

If I go into the person's membership record, then click the callings tab, and then try to add a calling as a 'ward assistant clerk', the calling doesn't show up to select. e.g. I select bishopric and then there is no calling to select.

I wonder if it would do that if he didn't already have an assistant clerk calling.

I ended up removing all the clerk callings thinking the same thing but the problem persisted.