PeopleSoft Security
Dynamic Role Rules
Presenter: Rinkesh Garg, Functional Consultant of MCA – 21 group

Components of PS 8 Security
• Three major building blocks used when defining your PeopleSoft security
  – User Profiles
  – Roles
  – Permission Lists

User Profiles
• Define the individual users of your PeopleSoft system
• Set of data describing a particular user of your PeopleSoft system
• Information about the user such as e-mail address, language code, and password
• Assign process profiles, row-level security or business unit security at the User Profile level
• User Profiles are linked to Roles to grant access to specific areas within the PeopleSoft application

Roles
• Roles are assigned to User Profiles
• Intermediate objects that link User Profiles to Permission Lists
• Multiple roles can be assigned to a single User Profile
• Examples: Applicant, Employee, Vendor, Accounts Payable Clerk, and Manager
• Roles allow you to mix and match access to your PeopleSoft system
• Roles can be assigned to User Profiles manually or dynamically

Permission List
• Lowest level of PeopleSoft security
• Grants access to pages, PeopleTools, and sign-on times
• Assign actions such as Add, Update/Display, and Correction
• The fewer Permission Lists used, the more modular and scalable your PS security will be
• Multiple Permission Lists can be assigned to a single role
• Granularity allows you to “mix and match”

What are dynamic role rules?
• The assignment of roles to User Profiles based on your business rules
• These business rules run against system(s) to assign PeopleSoft access
• Business rule data can reside in a number of places:
  – PeopleSoft data
  – 3rd party systems
  – LDAP
• Allows your PeopleSoft security structure to change in an automated fashion
• The dynamic role rule process removes and grants access to User Profiles

Methods - Assigning dynamic role rules
• There are three technologies you can use to execute your business rules:
  o PS/Query
  o LDAP Plug-in
  o PeopleCode
• One, two, or all three of the technologies listed above can be used

Building Role Rules - PS/Query
• PeopleSoft recommends using PS/Query to build role rules if the membership data resides in your PeopleSoft database
• Access is removed or granted based on the User Profile IDs retrieved by the query
• Can be built on Queries and/or Views
• Business rules can be built into the View and/or Query

Assigning Roles - LDAP
• Organizations that currently have LDAP directory server groups defined
• Plug into current LDAP configuration
• Leverage existing directory groups/roles
• Easier to maintain
• Single directory server leveraged by multiple applications
• Single point of maintenance reduces the risk of user information getting out of synch
• Involves PeopleCode expertise/coding

Assigning Roles - PeopleCode
• Membership data not contained within the PS database
• Data might exist on other 3rd party systems
• Extremely flexible
  o SQLExec functions
  o Business Interlinks
  o Component Interfaces

Static role assignments
• Roles are assigned to User Profiles manually
• Not scalable
• All security changes require manual intervention
• High administration costs
• High margin for human error

Benefits - Dynamic role rules
• Roles are assigned to User Profiles programmatically
• Scalable (internet friendly)
• Less manual work for the PeopleSoft Security Administrator
• Eliminating static assignment decreases administration costs
• Reduces risk of human error
• Lessens the load on your help desk
• Audit reporting is simplified
• Schedule your rule execution based on your environment

Application Messaging
• DYNROLE_PUBL publishes messages when assigning dynamic role rules
• The DYNROLE_PUBL Application Engine does not update the database directly
• Application Server must be configured to handle Application Messaging
• Status of the Application Messages is viewed in the Application Messaging Monitor
• Administrator must monitor the Application Messages to correct invalid data or errors

Technical Setup – Application Server
• Publish and Subscribe servers need to be configured on the application server

Demo: Dynamic Role Rules using PS/Query

Example – Steps for creating PS/Query rules
• Define the business rules
• Create a view that retrieves a list of OPRIDs
• Create a query (ROLEQRY) that selects from the view
• Attach the ROLEQRY to the Role in Maintain Security
• Execute DYNROLE_PUBL
• Check Application Message Monitor
• View Results!!

Example – PS/Query Rules
• Dynamically grant access to the Payroll Administrator role
• Job codes that perform the Payroll Administrator role are KC006 and KC008
• Create a view that selects all OPRIDs that have a job code of KC006 or KC008 on their current job record
• Save the view as SPH_PAYROLL_ADM

Creating the View
    SELECT B.OPRID
      FROM PS_JOB A, PSOPRDEFN B
     -- Current effective-dated job row (no future-dated rows)
     WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT)
                        FROM PS_JOB A_ED
                       WHERE A.EMPLID = A_ED.EMPLID
                         AND A.EMPL_RCD = A_ED.EMPL_RCD
                         AND A_ED.EFFDT <= GETDATE())
     -- Highest sequence number on that effective date
       AND A.EFFSEQ = (SELECT MAX(A_ES.EFFSEQ)
                         FROM PS_JOB A_ES
                        WHERE A.EMPLID = A_ES.EMPLID
                          AND A.EMPL_RCD = A_ES.EMPL_RCD
                          AND A.EFFDT = A_ES.EFFDT)
     -- Link the job row to the User Profile; active payroll job codes only
       AND A.EMPLID = B.EMPLID
       AND A.JOBCODE IN ('KC008','KC006')
       AND A.EMPL_STATUS = 'A'

Creating the View
Don’t forget the following:
• Build the view
• Add the SPH_PAYROLL_ADM view to one of your security trees
• The query driving the dynamic role rules will be built using SPH_PAYROLL_ADM

Create the Query
• Create a new query, selecting OPRID from SPH_PAYROLL_ADM
• WHERE logic can be maintained in the view or in the query
• Note: When saving the query, it must be saved as a PUBLIC ROLEQRY
• Saved query as PAYROLL_ADM_ROLE_RULE

Assign the Query to the Role
• Navigate to PeopleTools > Maintain Security > Use > Roles
• Open the Payroll Administrator role
• Click on the Dynamic Members tab
• Click on the Query Rule Enabled checkbox
• Populate the Query Rule textbox with PAYROLL_ADM_ROLE_RULE
• Save the role

Execute DYNROLE_PUBL AE
• Navigate to PeopleTools > Maintain Security > Process > Execute Role Rules
• Enter the server name (PSNT)
• Click on Execute Dynamic Role Rules
• The pushbutton initiates the DYNROLE_PUBL application engine process
• Process Monitor will display “Success” when the application engine process completes

Application Message Monitor
• DYNROLE_PUBL application engine publishes messages to ROLESYNCH_MSG
• Click on App Msg Monitor to view the status of the messages

Application Message Monitor
• The Application Message Monitor displays the different types of messages and their status
• Messages move from “New” to “Done” as they are processed
• Assignment of the dynamic role rules is not complete until each of the messages is out of “New” status
• Click on the Refresh pushbutton to watch the messages being processed

View the Dynamic Members
• Dynamic members attached to the role can be viewed when looking at the role definition
• Navigate to PeopleTools > Maintain Security > Use > Roles
• Click on the Dynamic Members tab

View the User Profile
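
A reconciliation check for the demo above, as an added example that is not part of the original presentation: once every ROLESYNCH_MSG message has left “New” status, this query compares the rule's view with the role's actual membership. It assumes the view is built in the database as PS_SPH_PAYROLL_ADM, that the role name is stored as 'Payroll Administrator', and that role membership is held in PSROLEUSER (ROLEUSER, ROLENAME, DYNAMIC_SW); verify these against your release.

```sql
-- Added example: audit the Payroll Administrator role after DYNROLE_PUBL.
-- Assumed names: PS_SPH_PAYROLL_ADM (built view), PSROLEUSER columns
-- ROLEUSER / ROLENAME / DYNAMIC_SW, role name 'Payroll Administrator'.

-- 1. The rule selects the user, but the role was never granted
--    (for example, a message stuck in error in the monitor).
SELECT 'MISSING_GRANT' AS FINDING, V.OPRID AS OPRID
  FROM PS_SPH_PAYROLL_ADM V
 WHERE NOT EXISTS (SELECT 1
                     FROM PSROLEUSER RU
                    WHERE RU.ROLEUSER = V.OPRID
                      AND RU.ROLENAME = 'Payroll Administrator')

UNION ALL

-- 2. A dynamic grant remains although the user no longer matches the rule
--    (job code changed or EMPL_STATUS no longer 'A'): access not removed.
SELECT 'STALE_DYNAMIC_GRANT', RU.ROLEUSER
  FROM PSROLEUSER RU
 WHERE RU.ROLENAME = 'Payroll Administrator'
   AND RU.DYNAMIC_SW = 'Y'
   AND NOT EXISTS (SELECT 1
                     FROM PS_SPH_PAYROLL_ADM V
                    WHERE V.OPRID = RU.ROLEUSER)

UNION ALL

-- 3. A manual (static) grant held by a user outside the business rule.
--    The rule does not govern these rows, so they need a separate review.
SELECT 'STATIC_GRANT_OUTSIDE_RULE', RU.ROLEUSER
  FROM PSROLEUSER RU
 WHERE RU.ROLENAME = 'Payroll Administrator'
   AND RU.DYNAMIC_SW = 'N'
   AND NOT EXISTS (SELECT 1
                     FROM PS_SPH_PAYROLL_ADM V
                    WHERE V.OPRID = RU.ROLEUSER)

 ORDER BY 1, 2;
```

An empty result means the role's membership matches the business rule and no manual grants sit outside it.
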
Summary
• Drive down PeopleSoft Administration costs by implementing dynamic role rules
• Define your business rules
• Develop your dynamic roles based on the business rules defined by your organization
• Three technologies used to develop dynamic roles
  o PS/Query
  o PeopleCode
  o LDAP
• Start small – Mix and match dynamic and static
  o Dynamically assign PS/Query or Process Monitor