PeopleSoft Security
Dynamic Role Rules
Presenter: Rinkesh Garg, Functional Consultant of MCA – 21 group

Upload: vuongnga

Post on 22-Mar-2018


Components of PS 8 Security
• Three major building blocks used when defining your PeopleSoft security
  – User Profiles
  – Roles
  – Permission Lists

User Profiles
• Define the individual users of your PeopleSoft system
• Set of data describing a particular user of your PeopleSoft system
• Information about the user such as e-mail address, language code, and password
• Assign process profiles, row-level security or business unit security at the User Profile level
• User Profiles are linked to Roles to grant access to specific areas within the PeopleSoft application


Roles
• Roles are assigned to User Profiles
• Intermediate objects that link User Profiles to Permission Lists
• Multiple roles can be assigned to a single User Profile
• Examples: Applicant, Employee, Vendor, Accounts Payable Clerk, and Manager
• Roles allow you to mix and match access to your PeopleSoft system
• Roles can be assigned to User Profiles manually or dynamically

Permission List
• Lowest level of PeopleSoft security
• Grants access to pages, PeopleTools, and sign-on times
• Assign actions such as Add, Update/Display, and Correction
• The fewer Permission Lists used, the more modular and scalable your PS security will be
• Multiple Permission Lists can be assigned to a single role
• Granularity allows you to “mix and match”


What are dynamic role rules?
• The assignment of roles to User Profiles based on your business rules
• These business rules run against system(s) to assign PeopleSoft access
• Business rule data can reside in a number of places:
  – PeopleSoft data
  – 3rd party systems
  – LDAP
• Allows your PeopleSoft security structure to change in an automated fashion
• The dynamic role rule process removes and grants access to User Profiles


Methods - Assigning dynamic role rules
• There are three technologies you can use to execute your business rules:
  o PS/Query
  o LDAP Plug-in
  o PeopleCode
• One, two, or all three of the technologies listed above can be used


Building Role Rules - PS/Query
• PeopleSoft recommends using PS/Query to build role rules if the membership data resides in your PeopleSoft database
• Access is removed or granted based on the User Profile IDs retrieved by the query
• Can be built on Queries and/or Views
• Business rules can be built into the View and/or Query


Assigning Roles - LDAP
• Organizations that currently have LDAP directory server groups defined
• Plug into current LDAP configuration
• Leverage existing directory groups/roles
• Easier to maintain
• Single directory server leveraged by multiple applications
• Single point of maintenance reduces the risk of user information getting out of synch
• Involves PeopleCode expertise/coding


Assigning Roles - PeopleCode
• Membership data not contained within the PS database
• Data might exist on other 3rd party systems
• Extremely flexible
  o SQLExec functions
  o Business Interlinks
  o Component Interfaces


Static role assignments
• Roles are assigned to User Profiles manually
• Not scalable
• All security changes require manual intervention
• High administration costs
• High margin for human error


Benefits - Dynamic role rules
• Roles are assigned to User Profiles programmatically
• Scalable (internet friendly)
• Less manual work for the PeopleSoft Security Administrator
• Eliminating static assignment decreases administration costs
• Reduces risk of human error
• Lessens the load on your help desk
• Audit reporting is simplified
• Schedule your rule execution based on your environment


Application Messaging
• DYNROLE_PUBL publishes messages when assigning dynamic role rules
• The DYNROLE_PUBL Application Engine does not update the database directly
• Application Server must be configured to handle Application Messaging
• Status of the Application Messages is viewed in the Application Messaging Monitor
• Administrator must monitor the Application Messages to correct invalid data or errors


Technical Setup – Application Server
• Publish and Subscribe servers need to be configured on the application server


Demo Dynamic Role Rules using PS/Query


Example – Steps for creating PS/Query rules
• Define the business rules
• Create a view that retrieves a list of OPRIDs
• Create a query (ROLEQRY) that selects from the view
• Attach the ROLEQRY to the Role in Maintain Security
• Execute DYNROLE_PUBL
• Check Application Message Monitor
• View Results!!


Example – PS/Query Rules
• Dynamically grant access to the Payroll Administrator role
• Job codes that perform the Payroll Administrator role are KC006 and KC008
• Create a view that selects all OPRIDs that have a job code of KC006 or KC008 on their current job record
• Save the view as SPH_PAYROLL_ADM


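Creating the View

    SELECT B.OPRID
      FROM PS_JOB A, PSOPRDEFN B
           -- current effective-dated row: latest EFFDT not in the future
     WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT)
                        FROM PS_JOB A_ED
                       WHERE A.EMPLID = A_ED.EMPLID
                         AND A.EMPL_RCD = A_ED.EMPL_RCD
                         AND A_ED.EFFDT <= GETDATE())
           -- latest sequence number on that effective date
       AND A.EFFSEQ = (SELECT MAX(A_ES.EFFSEQ)
                         FROM PS_JOB A_ES
                        WHERE A.EMPLID = A_ES.EMPLID
                          AND A.EMPL_RCD = A_ES.EMPL_RCD
                          AND A.EFFDT = A_ES.EFFDT)
           -- map the employee to the User Profile (OPRID)
       AND A.EMPLID = B.EMPLID
           -- business rule: active employees in the payroll job codes
       AND A.JOBCODE IN ('KC008','KC006')
       AND A.EMPL_STATUS = 'A'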
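Added example (not part of the original slides): the view's SELECT run against constructed rows in an in-memory SQLite database, to show which User Profiles the rule returns in the effective-dating edge cases and which grants and removals a rule run would therefore produce. Assumptions: GETDATE() is replaced by an :as_of parameter, the two tables carry only the columns the view uses, and the OPRIDs, EMPLIDs and the job codes KC001 and KC002 are made up.

```python
import sqlite3

# Same current-row logic as the slide's view; GETDATE() is replaced by an
# :as_of parameter so the result is repeatable (assumption for this sketch).
RULE_SQL = """
SELECT B.OPRID FROM PS_JOB A, PSOPRDEFN B
WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT) FROM PS_JOB A_ED
                 WHERE A.EMPLID = A_ED.EMPLID AND A.EMPL_RCD = A_ED.EMPL_RCD
                   AND A_ED.EFFDT <= :as_of)
  AND A.EFFSEQ = (SELECT MAX(A_ES.EFFSEQ) FROM PS_JOB A_ES
                  WHERE A.EMPLID = A_ES.EMPLID AND A.EMPL_RCD = A_ES.EMPL_RCD
                    AND A.EFFDT = A_ES.EFFDT)
  AND A.EMPLID = B.EMPLID
  AND A.JOBCODE IN ('KC008','KC006') AND A.EMPL_STATUS = 'A'
"""

# Constructed rows: (EMPLID, EMPL_RCD, EFFDT, EFFSEQ, JOBCODE, EMPL_STATUS)
JOBS = [
    ("E1", 0, "2017-01-01", 0, "KC006", "A"),  # current payroll admin
    ("E2", 0, "2017-01-01", 0, "KC001", "A"),
    ("E2", 0, "2099-01-01", 0, "KC008", "A"),  # future-dated move into payroll
    ("E3", 0, "2016-01-01", 0, "KC008", "A"),
    ("E3", 0, "2018-02-01", 0, "KC008", "T"),  # terminated since
    ("E4", 0, "2018-03-01", 0, "KC008", "A"),
    ("E4", 0, "2018-03-01", 1, "KC002", "A"),  # same-day row, higher EFFSEQ
]
USERS = [("ALICE", "E1"), ("BOB", "E2"), ("CAROL", "E3"), ("DAVE", "E4")]

def rule_members(as_of):
    """OPRIDs the rule returns on the given ISO date."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PS_JOB "
               "(EMPLID, EMPL_RCD, EFFDT, EFFSEQ, JOBCODE, EMPL_STATUS)")
    db.execute("CREATE TABLE PSOPRDEFN (OPRID, EMPLID)")
    db.executemany("INSERT INTO PS_JOB VALUES (?,?,?,?,?,?)", JOBS)
    db.executemany("INSERT INTO PSOPRDEFN VALUES (?,?)", USERS)
    return {row[0] for row in db.execute(RULE_SQL, {"as_of": as_of})}

def role_changes(current_members, as_of):
    """(grant, revoke) sets a rule run would produce for the role."""
    wanted = rule_members(as_of)
    return wanted - current_members, current_members - wanted

if __name__ == "__main__":
    print(role_changes({"CAROL", "DAVE"}, "2018-03-22"))
```

The revoke set is the part worth reviewing after every change to the view: a user stays in the role only while the query still returns their OPRID.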


Creating the View
Don’t forget the following:
• Build the view
• Add the SPH_PAYROLL_ADM view to one of your security trees
• The query driving the dynamic role rules will be built using SPH_PAYROLL_ADM


Create the Query
• Create a new query, selecting OPRID from SPH_PAYROLL_ADM
• WHERE logic can be maintained in the view or in the query
• Note: When saving the query, it must be saved as a PUBLIC ROLEQRY
• Query saved as PAYROLL_ADM_ROLE_RULE


Creating the Query


Assign the Query to the Role
• Navigate to PeopleTools > Maintain Security > Use > Roles
• Open the Payroll Administrator role
• Click on the Dynamic Members tab
• Click on the Query Rule Enabled checkbox
• Populate the Query Rule textbox with PAYROLL_ADM_ROLE_RULE
• Save the role


Assign the Query to the Role


Execute DYNROLE_PUBL AE
• Navigate to PeopleTools > Maintain Security > Process > Execute Role Rules
• Enter the server name (PSNT)
• Click on Execute Dynamic Role Rules
• The pushbutton initiates the DYNROLE_PUBL application engine process
• Process Monitor will display “Success” when the application engine process completes


Application Message Monitor
• DYNROLE_PUBL application engine publishes messages to ROLESYNCH_MSG
• Click on App Msg Monitor to view the status of the messages


Application Message Monitor
• The Application Message Monitor displays the different types of messages and the status
• Messages move from “New” to “Done” as they are processed
• Assignment of the dynamic role rules is not complete until each of the messages is out of “New” status
• Click on the Refresh pushbutton to watch the message process


Application Message Monitor


View the Dynamic Members
• Dynamic members attached to the role can be viewed when looking at the role definition
• Navigate to PeopleTools > Maintain Security > Use > Roles
• Click on the Dynamic Members tab


View the Dynamic Members


View the User Profile


Summary
• Drive down PeopleSoft Administration costs by implementing dynamic role rules
• Define your business rules
• Develop your dynamic roles based on the business rules defined by your organization
• Three technologies used to develop dynamic roles
  o PS/Query
  o PeopleCode
  o LDAP
• Start small – Mix and match dynamic and static
  o Dynamically assign PS/Query or Process Monitor
