people soft security dynamic roles

8/9/2019 People Soft Security Dynamic Roles

1/33

PeopleSoft Security

Dynamic Role RulesPresenter : Rinkesh

Garg

Functional Consultant of MCA 21group


2/33

Components of PS 8 Security

Three major building blocks used when

defining your PeopleSoft security User Profiles Roles Permission Lists

User Profiles

Define the individual users of yourPeopleSoft system

Set of data describing a particular userof your PeopleSoft system

Information about the user such as e-mail address, language code, and

password Assign process profiles, row-level

security or business unit security at theUser Profile level

User Profiles are linked to Roles to grantaccess to specific areas within the

PeopleSoft application


3/33

Roles Roles are assigned to User Profiles

Intermediate objects that link UserProfiles to Permission Lists

Multiple roles can be assigned to asingle User Profile

Examples: Applicant, Employee,Vendor, Accounts Payable Clerk, and

Manager Roles allow you to mix and match

access to your PeopleSoft system

Roles can be assigned to User Profilesmanually or dynamically

Permission List Lowest level of PeopleSoft security

Grants access to pages, PeopleTools,and sign-on times

Assign actions such as Add, Update/Display, and Correction

The fewer Permission Lists used, themore modular and scalable your PSsecurity will be


4/33

Multiple Permission Lists can beassigned to a single role

Granularity allows you to mix andmatch


5/33


6/33

What are dynamic role rules? The assignment of roles to User

Profiles based on your business rules

These business rules run againstsystem(s) to assign PeopleSoft access

Business rule data can reside in anumber of places: PeopleSoft data

3rd party systems LDAP

Allows your PeopleSoft securitystructure to change in an automatedfashion

The dynamic role rule process removes

and grants access to User Profiles


7/33

Methods - Assigning dynamic rolerules

There are three technologies you canuse to execute your business rules:o PS/Queryo LDAP Plug-ino PeopleCode

One, two, or all three of the technologies

listed above can be used


8/33

Building Role Rules - PS/Query PeopleSoft recommends using

PS/Query to build role rules if themembership data resides in yourPeopleSoft database

Access is removed or granted based onthe User Profile IDs retrieved by thequery

Can be built on Queries and/or Views Business rules can be built into the View

and/or Query


9/33

Assigning Roles - LDAP Organizations that currently have LDAP

directory server groups defined

Plug into current LDAP configuration

Leverage existing directory groups/roles

Easier to maintain

Single directory server leveraged bymultiple applications

Single point of maintenance reduces therisk of user information getting out ofsynch

Involves PeopleCode expertise/coding


10/33

Assigning Roles - PeopleCode Membership data not contained within

the PS database

Data might exist on other 3rd partysystems

Extremely flexibleo SQLExec functionso Business Interlinkso

Component Interfaces


11/33

Static role assignments Roles are assigned to User Profiles

manually

Not scalable

All security changes require manualintervention

High administration costs

High margin for human error


12/33


13/33

Application Messaging

DYNROLE_PUBL publishes

messages when assigning dynamicrole rules

The DYNROLE_PUBL ApplicationEngine does not update thedatabase directly

Application Server must be

configured to handle ApplicationMessaging

Status of the Application Messagesare viewed in the ApplicationMessaging Monitor

Administrator must monitor theApplication Messages to correctinvalid data or errors


14/33


15/33

Technical Setup Application Server

Publish and Subscribe servers need tobe configured on the application server


16/33

Demo

Dynamic Role Rulesusing

PS/Query


17/33

Example Steps for creatingPS/Query rules

Define the business rules Create a view that retrieves a list of

OPRIDs

Create a query (ROLEQRY) that selectsfrom the view

Attach the ROLEQRY to the Role in

Maintain Security Execute DYNROLE_PUBL

Check Application Message Monitor

View Results!!


18/33


19/33

Creating the ViewSELECT B.OPRIDFROM PS_JOB A, PSOPRDEFN BWHERE A.EFFDT = (SELECTMAX(A_ED.EFFDT)FROM PS_JOB A_EDWHERE A.EMPLID = A_ED.EMPLIDAND A.EMPL_RCD = A_ED.EMPL_RCDAND A_ED.EFFDT


20/33

Creating the ViewDont forget the following: Build the view Add the SPH_PAYROLL_ADM view to

one of your security trees

The query driving the dynamic role ruleswill be built using SPH_PAYROLL_ADM


21/33

Create the Query Create a new query, selecting OPRID

from SPH_PAYROLL_ADM

WHERE logic can be maintained in theview or in the query

Note: When saving the query, it must besaved as a PUBLIC ROLEQRY

Saved query as

PAYROLL_ADM_ROLE_RULE


22/33

Creating the Query


23/33

Assign the Query to the Role Navigate to PeopleTools Maintain

Security Use Roles

Open the Payroll Administrator role

Click on the Dynamic Members tab

Click on the Query Rule Enabled

checkbox Populate the Query Rule textbox with

PAYROLL_ADM_ROLE_RULE

Save the role


24/33

Assign the Query to the Role


25/33

Execute DYNROLE_PUBL AE

Navigate to PeopleToolsMaintainSecurity Process Execute Role

Rules Enter the server name (PSNT)

Click on Execute Dynamic Role Rules

The pushbutton initiates theDYNROLE_PUBL application engineprocess

Process Monitor will display Successwhen the application engine processcompletes


26/33

Application Message Monitor DYNROLE_PUBL application engine

publishes messages toROLESYNCH_MSG

Click on App Msg Monitor to view thestatus of the messages


27/33

Application Message Monitor The Application Message Monitor

displays the different types of messagesand the status

Messages move from New to Doneas they are processed

Assignment of the dynamic role rules isnot complete, until each of the

messages is out of New statusClick on the Refresh pushbutton to

watch the message process


28/33

Application Message Monitor


29/33

View the Dynamic Members

Dynamic members attached to the

role can be viewed when looking atthe role definition

Navigate to PeopleTools MaintainSecurity Use Roles

Click on the Dynamic Members tab


30/33

View the Dynamic Members


31/33

View the User Profile


32/33

Summary

Drive down PeopleSoft Administrationcosts by implementing dynamic rolerules

Define your business rules

Develop your dynamic roles based onthe business rules defined by your

organization Three technologies used to develop

dynamic roleso PS/Queryo PeopleCodeo LDAP

Start small Mix and match dynamicand staticoDynamically assign PS/Query or

Process Monitor


33/33

people soft security dynamic roles

Documents