dynamic role rule security

Upload: praveen-joshi

Post on 05-Apr-2018


  • 7/31/2019 Dynamic Role Rule Security

    Copyright 2003 - The Revere Group. All Rights Reserved

    PeopleSoft Security

    Dynamic Role Rules

    Presenter: Shawn Huffman, Technical Specialist at The Revere Group

  • Presentation Outline

    Introduction (2 minutes)

    Terminology (5 minutes)

    What are dynamic role rules? (5 minutes)

    Benefits of implementing dynamic role based security (5 minutes)

    Technical Overview/Configuration (2 minutes)

    Example/Demo (20 minutes)

    Close (2 minutes)

    Q&A (20 minutes)

  • Components of PS 8 Security

    Three major building blocks used when defining your PeopleSoft security:

      User Profiles

      Roles

      Permission Lists

  • User Profiles

    Define the individual users of your PeopleSoft system

    Set of data describing a particular user of your PeopleSoft system

    Information about the user such as e-mail address, language code, and password

    Assign process profiles, row-level security or business unit security at the User Profile level

    User Profiles are linked to Roles to grant access to specific areas within the PeopleSoft application

  • Roles

    Roles are assigned to User Profiles

    Intermediate objects that link User Profiles to Permission Lists

    Multiple roles can be assigned to a single User Profile

    Examples: Applicant, Employee, Vendor, Accounts Payable Clerk, and Manager

    Roles allow you to mix and match access to your PeopleSoft system

    Roles can be assigned to User Profiles manually or dynamically

  • Permission List

    Lowest level of PeopleSoft security

    Grants access to pages, PeopleTools, and sign-on times

    Assign actions such as Add, Update/Display, and Correction

    The fewer Permission Lists used, the more modular and scalable your PS security will be

    Multiple Permission Lists can be assigned to a single role

    Granularity allows you to mix and match

  • Components of PS 8 Security

    Diagram labels: Permission Lists, Process Monitor, Query, AP Entry, Vendors Display Only, PS User, Roles, AP Clerk, User Profile

  • What are dynamic role rules?

    The assignment of roles to User Profiles based on your business rules

    These business rules run against system(s) to assign PeopleSoft access

    Business rule data can reside in a number of places:

      PeopleSoft data

      3rd party systems

      LDAP

    Allows your PeopleSoft security structure to change in an automated fashion

    The dynamic role rule process removes and grants access to User Profiles

  • Methods - Assigning dynamic role rules

    There are three technologies you can use to execute your business rules:

      PS/Query

      LDAP Plug-in

      PeopleCode

    One, two, or all three of the technologies listed above can be used

  • Building Role Rules - PS/Query

    PeopleSoft recommends using PS/Query to build role rules if the membership data resides in your PeopleSoft database

    Access is removed or granted based on the User Profile IDs retrieved by the query

    Can be built on Queries and/or Views

    Business rules can be built into the View and/or Query

  • Assigning Roles - LDAP

    Organizations that currently have LDAP directory server groups defined

    Plug into current LDAP configuration

    Leverages existing directory groups/roles

    Easier to maintain

    Single directory server leveraged by multiple applications

    Single point of maintenance reduces the risk of user information getting out of sync

    Involves PeopleCode expertise/coding

  • Assigning Roles - PeopleCode

    Membership data not contained within the PS database

    Data might exist on other 3rd party systems

    Extremely flexible

    SQLExec functions

    Business Interlinks

    Component Interfaces

  • Static role assignments

    Roles are assigned to User Profiles manually

    Not scalable

    All security changes require manual intervention

    High administration costs

    High margin for human error

  • Benefits - Dynamic role rules

    Roles are assigned to User Profiles programmatically

    Scalable (internet friendly)

    Less manual work for the PeopleSoft Security Administrator

    Eliminating static assignment decreases administration costs

    Reduces risk of human error

    Lessens the load of help desk calls

    Audit reporting is simplified

    Schedule your rule execution based on your environment

  • Application Messaging

    DYNROLE_PUBL publishes messages when assigning dynamic role rules

    The DYNROLE_PUBL Application Engine does not update the database directly

    Application Server must be configured to handle Application Messaging

    Status of the Application Messages is viewed in the Application Messaging Monitor

    Administrator must monitor the Application Messages to correct invalid data or errors

  • DYNROLE_PUBL Execution

    Diagram labels: PS Database, DYNROLE_PUBL Application Engine, User List, ROLESYNC_MSG, Publish, Database Update

  • Technical Setup - Application Server

    Publish and Subscribe servers need to be configured on the application server

  • Demo

    Dynamic Role Rules using PS/Query

  • Example - Steps for creating PS/Query rules

    Define the business rules

    Create a view that retrieves a list of OPRIDs

    Create a query (ROLEQRY) that selects from the view

    Attach the ROLEQRY to the Role in Maintain Security

    Execute DYNROLE_PUBL

    Check Application Message Monitor

    View Results!!

  • Example - PS/Query Rules

    Dynamically grant access to the Payroll Administrator role

    Job codes that perform the Payroll Administrator role are KC006 and KC008

    Create a view that selects all OPRIDs that have a job code of KC006 or KC008 on their current job record

    Save the view as SPH_PAYROLL_ADM

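  • Creating the View

    -- The slide text is cut off after "AND A_ED.EFFDT". The date test and the
    -- last two conditions are completed here from the rule stated on the
    -- previous slide (assumption).
    SELECT B.OPRID
    FROM PS_JOB A, PSOPRDEFN B
    WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT)
                     FROM PS_JOB A_ED
                     WHERE A.EMPLID = A_ED.EMPLID
                     AND A.EMPL_RCD = A_ED.EMPL_RCD
                     AND A_ED.EFFDT <= %CurrentDateIn)
    AND A.EMPLID = B.EMPLID
    AND A.JOBCODE IN ('KC006', 'KC008')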

  • Creating the View

    Don't forget the following:

    Build the view

    Add the SPH_PAYROLL_ADM view to one of your security trees

    The query driving the dynamic role rules will be built using SPH_PAYROLL_ADM
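
An added example, not from the original slides: it runs the view's effective-date logic over constructed PS_JOB and PSOPRDEFN rows in SQLite and diffs the result against existing role members, mirroring how the dynamic role process grants and removes access. The sample rows, the `:asof` parameter, the EFFSEQ test and the function names are assumptions; DYNROLE_PUBL itself is not modelled.

```python
import sqlite3

# Constructed sample data: (EMPLID, EMPL_RCD, EFFDT, EFFSEQ, JOBCODE)
JOB_ROWS = [
    ("E1", 0, "2002-01-01", 0, "KC006"),  # payroll admin throughout
    ("E2", 0, "2001-06-01", 0, "KC008"),  # payroll admin ...
    ("E2", 0, "2003-02-01", 0, "KC100"),  # ... until transferred out
    ("E3", 0, "2003-03-01", 0, "KC008"),  # keyed in error
    ("E3", 0, "2003-03-01", 1, "KC100"),  # same-day correction is the current row
    ("E4", 0, "2002-05-01", 0, "KC100"),
    ("E4", 0, "2003-03-15", 0, "KC006"),  # moved into payroll admin
]
OPR_ROWS = [("OPR1", "E1"), ("OPR2", "E2"), ("OPR3", "E3"), ("OPR4", "E4")]

# The slide's view, with :asof standing in for the current date and an
# EFFSEQ test added (assumption) so same-day corrections are honoured.
RULE_SQL = """
SELECT B.OPRID
FROM PS_JOB A, PSOPRDEFN B
WHERE A.EMPLID = B.EMPLID
  AND A.EFFDT = (SELECT MAX(A_ED.EFFDT) FROM PS_JOB A_ED
                 WHERE A.EMPLID = A_ED.EMPLID
                   AND A.EMPL_RCD = A_ED.EMPL_RCD
                   AND A_ED.EFFDT <= :asof)
  AND A.EFFSEQ = (SELECT MAX(A_ES.EFFSEQ) FROM PS_JOB A_ES
                  WHERE A.EMPLID = A_ES.EMPLID
                    AND A.EMPL_RCD = A_ES.EMPL_RCD
                    AND A.EFFDT = A_ES.EFFDT)
  AND A.JOBCODE IN ('KC006', 'KC008')
"""

def rule_members(asof):
    """OPRIDs whose current job row as of `asof` has a payroll admin job code."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PS_JOB (EMPLID, EMPL_RCD, EFFDT, EFFSEQ, JOBCODE)")
    db.execute("CREATE TABLE PSOPRDEFN (OPRID, EMPLID)")
    db.executemany("INSERT INTO PS_JOB VALUES (?, ?, ?, ?, ?)", JOB_ROWS)
    db.executemany("INSERT INTO PSOPRDEFN VALUES (?, ?)", OPR_ROWS)
    return {row[0] for row in db.execute(RULE_SQL, {"asof": asof})}

def plan_changes(current_members, asof):
    """Diff rule output against existing role members: (grants, revokes)."""
    wanted = rule_members(asof)
    return sorted(wanted - current_members), sorted(current_members - wanted)

if __name__ == "__main__":
    # OPR2 still holds the role from an earlier run; OPR4 has not been picked up yet.
    print(plan_changes({"OPR1", "OPR2"}, "2003-04-05"))
```

Without the EFFSEQ test, OPR3 would match on the superseded KC008 row and receive the Payroll Administrator role, so a rule view is worth checking against same-day corrections before it is attached to a role.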

  • Create the Query

    Create a new query, selecting OPRID from SPH_PAYROLL_ADM

    WHERE logic can be maintained in the view or in the query

    Note: When saving the query, it must be saved as a PUBLIC ROLEQRY

    Saved query as PAYROLL_ADM_ROLE_RULE

  • Creating the Query

  • Assign the Query to the Role

    Navigate to PeopleTools > Maintain Security > Use > Roles

    Open the Payroll Administrator role

    Click on the Dynamic Members tab

    Click on the Query Rule Enabled checkbox

    Populate the Query Rule textbox with PAYROLL_ADM_ROLE_RULE

    Save the role


  • Execute DYNROLE_PUBL AE

    Navigate to PeopleTools > Maintain Security > Process > Execute Role Rules

    Enter the server name (PSNT)

    Click on Execute Dynamic Role Rules

    The pushbutton initiates the DYNROLE_PUBL application engine process

    Process Monitor will display Success when the application engine process completes

  • Application Message Monitor

    DYNROLE_PUBL application engine publishes messages to ROLESYNCH_MSG

    Click on App Msg Monitor to view the status of the messages

  • Application Message Monitor

    The Application Message Monitor displays the different types of messages and the status

    Messages move from New to Done as they are processed

    Assignment of the dynamic role rules is not complete until each of the messages is out of New status

    Click on the Refresh pushbutton to watch the message process


  • View the Dynamic Members

    Dynamic members attached to the role can be viewed when looking at the role definition

    Navigate to PeopleTools > Maintain Security > Use > Roles

    Click on the Dynamic Members tab


  • View the User Profile

  • Summary

    Drive down PeopleSoft Administration costs by implementing dynamic role rules

    Define your business rules

    Develop your dynamic roles based on the business rules defined by your organization

    Three technologies used to develop dynamic roles:

      PS/Query

      PeopleCode

      LDAP

    Start small

    Mix and match dynamic and static

    Dynamically assign PS/Query or Process Monitor

  • Questions and Answers

    Q&A

    Shawn Huffman contact info:

    [email protected]