people soft security dynamic roles
-
8/9/2019 People Soft Security Dynamic Roles
1/33
PeopleSoft Security
Dynamic Role Rules
Presenter: Rinkesh Garg
Functional Consultant of MCA 21 group
-
Components of PS 8 Security
Three major building blocks used when defining your PeopleSoft security: User Profiles, Roles, Permission Lists
User Profiles
Define the individual users of your PeopleSoft system
Set of data describing a particular user of your PeopleSoft system
Information about the user such as e-mail address, language code, and password
Assign process profiles, row-level security or business unit security at the User Profile level
User Profiles are linked to Roles to grant access to specific areas within the PeopleSoft application
-
Roles
Roles are assigned to User Profiles
Intermediate objects that link User Profiles to Permission Lists
Multiple roles can be assigned to a single User Profile
Examples: Applicant, Employee, Vendor, Accounts Payable Clerk, and Manager
Roles allow you to mix and match access to your PeopleSoft system
Roles can be assigned to User Profiles manually or dynamically
Permission List
Lowest level of PeopleSoft security
Grants access to pages, PeopleTools, and sign-on times
Assign actions such as Add, Update/Display, and Correction
The fewer Permission Lists used, the more modular and scalable your PS security will be
-
Multiple Permission Lists can be assigned to a single role
Granularity allows you to mix and match
-
What are dynamic role rules?
The assignment of roles to User Profiles based on your business rules
These business rules run against system(s) to assign PeopleSoft access
Business rule data can reside in a number of places:
o PeopleSoft data
o 3rd party systems
o LDAP
Allows your PeopleSoft security structure to change in an automated fashion
The dynamic role rule process removes and grants access to User Profiles
-
Methods - Assigning dynamic role rules
There are three technologies you can use to execute your business rules:
o PS/Query
o LDAP Plug-in
o PeopleCode
One, two, or all three of the technologies listed above can be used
-
Building Role Rules - PS/Query
PeopleSoft recommends using PS/Query to build role rules if the membership data resides in your PeopleSoft database
Access is removed or granted based on the User Profile IDs retrieved by the query
Can be built on Queries and/or Views
Business rules can be built into the View and/or Query
-
Assigning Roles - LDAP
Organizations that currently have LDAP directory server groups defined
Plug into current LDAP configuration
Leverage existing directory groups/roles
Easier to maintain
Single directory server leveraged by multiple applications
Single point of maintenance reduces the risk of user information getting out of synch
Involves PeopleCode expertise/coding
-
Assigning Roles - PeopleCode
Membership data not contained within the PS database
Data might exist on other 3rd party systems
Extremely flexible
o SQLExec functions
o Business Interlinks
o Component Interfaces
-
Static role assignments
Roles are assigned to User Profiles manually
Not scalable
All security changes require manual intervention
High administration costs
High margin for human error
-
Application Messaging
DYNROLE_PUBL publishes messages when assigning dynamic role rules
The DYNROLE_PUBL Application Engine does not update the database directly
Application Server must be configured to handle Application Messaging
Status of the Application Messages are viewed in the Application Messaging Monitor
Administrator must monitor the Application Messages to correct invalid data or errors
-
Technical Setup - Application Server
Publish and Subscribe servers need to be configured on the application server
-
Demo
Dynamic Role Rules using PS/Query
-
Example Steps for creating PS/Query rules
Define the business rules
Create a view that retrieves a list of OPRIDs
Create a query (ROLEQRY) that selects from the view
Attach the ROLEQRY to the Role in Maintain Security
Execute DYNROLE_PUBL
Check Application Message Monitor
View Results!!
-
Creating the View
SELECT B.OPRID
FROM PS_JOB A, PSOPRDEFN B
WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT)
FROM PS_JOB A_ED
WHERE A.EMPLID = A_ED.EMPLID
AND A.EMPL_RCD = A_ED.EMPL_RCD
AND A_ED.EFFDT
-
Creating the View
Don't forget the following:
Build the view
Add the SPH_PAYROLL_ADM view to one of your security trees
The query driving the dynamic role rules will be built using SPH_PAYROLL_ADM
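Added example (not from the original slides): the effective-dated view pattern above, run against constructed PS_JOB and PSOPRDEFN rows in SQLite, showing that a transferred or not-yet-effective employee drops out of the OPRID list and how that list turns into grants and removals. The "<= as-of date" bound, the EMPLID join, the DEPTID filter and the function names are assumptions, since the SQL on the slide is cut off.

```python
import sqlite3

# Constructed sample data. The DEPTID filter, the EMPLID join and the
# "<= as-of date" bound are assumptions (the slide's SQL is cut off).
JOB_ROWS = [  # (EMPLID, EMPL_RCD, EFFDT, DEPTID)
    ("E1", 0, "2018-01-01", "PAYROLL"),
    ("E2", 0, "2018-01-01", "PAYROLL"),
    ("E2", 0, "2019-06-01", "SALES"),    # E2 transferred out of payroll
    ("E3", 0, "2019-03-01", "PAYROLL"),
    ("E4", 0, "2099-01-01", "PAYROLL"),  # future-dated row, not yet effective
]
OPR_ROWS = [("OPR1", "E1"), ("OPR2", "E2"), ("OPR3", "E3"), ("OPR4", "E4")]

RULE_SQL = """
SELECT B.OPRID
FROM PS_JOB A, PSOPRDEFN B
WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT)
                 FROM PS_JOB A_ED
                 WHERE A.EMPLID = A_ED.EMPLID
                   AND A.EMPL_RCD = A_ED.EMPL_RCD
                   AND A_ED.EFFDT <= :asof)
  AND A.EMPLID = B.EMPLID
  AND A.DEPTID = 'PAYROLL'
"""

def rule_members(asof):
    """Return the set of OPRIDs the rule selects as of an ISO date."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PS_JOB (EMPLID, EMPL_RCD, EFFDT, DEPTID)")
    db.execute("CREATE TABLE PSOPRDEFN (OPRID, EMPLID)")
    db.executemany("INSERT INTO PS_JOB VALUES (?,?,?,?)", JOB_ROWS)
    db.executemany("INSERT INTO PSOPRDEFN VALUES (?,?)", OPR_ROWS)
    return {row[0] for row in db.execute(RULE_SQL, {"asof": asof})}

def reconcile(current_dynamic, selected):
    """Diff the role's current dynamic members against the rule result."""
    return {"grant": sorted(selected - current_dynamic),
            "remove": sorted(current_dynamic - selected)}

if __name__ == "__main__":
    members = rule_members("2019-08-09")
    print(members)
    print(reconcile({"OPR1", "OPR2"}, members))
```

Without the MAX(EFFDT) subquery, E2's historical payroll row would still match and OPR2 would keep the role after the transfer.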
-
Create the Query
Create a new query, selecting OPRID from SPH_PAYROLL_ADM
WHERE logic can be maintained in the view or in the query
Note: When saving the query, it must be saved as a PUBLIC ROLEQRY
Saved query as PAYROLL_ADM_ROLE_RULE
-
Creating the Query
-
Assign the Query to the Role
Navigate to PeopleTools > Maintain Security > Use > Roles
Open the Payroll Administrator role
Click on the Dynamic Members tab
Click on the Query Rule Enabled checkbox
Populate the Query Rule textbox with PAYROLL_ADM_ROLE_RULE
Save the role
-
Assign the Query to the Role
-
Execute DYNROLE_PUBL AE
Navigate to PeopleTools > Maintain Security > Process > Execute Role Rules
Enter the server name (PSNT)
Click on Execute Dynamic Role Rules
The pushbutton initiates the DYNROLE_PUBL application engine process
Process Monitor will display Success when the application engine process completes
-
Application Message Monitor
DYNROLE_PUBL application engine publishes messages to ROLESYNCH_MSG
Click on App Msg Monitor to view the status of the messages
-
Application Message Monitor
The Application Message Monitor displays the different types of messages and the status
Messages move from New to Done as they are processed
Assignment of the dynamic role rules is not complete until each of the messages is out of New status
Click on the Refresh pushbutton to watch the message process
-
Application Message Monitor
-
View the Dynamic Members
Dynamic members attached to the role can be viewed when looking at the role definition
Navigate to PeopleTools > Maintain Security > Use > Roles
Click on the Dynamic Members tab
-
View the Dynamic Members
-
View the User Profile
-
Summary
Drive down PeopleSoft Administration costs by implementing dynamic role rules
Define your business rules
Develop your dynamic roles based on the business rules defined by your organization
Three technologies used to develop dynamic roles
o PS/Query
o PeopleCode
o LDAP
Start small
Mix and match dynamic and static
o Dynamically assign PS/Query or Process Monitor