
PeopleSoft Security

Dynamic Role Rules


Presenter: Rinkesh Garg
Functional Consultant of MCA – 21 group
Components of PS 8 Security
• Three major building blocks used when
defining your PeopleSoft security
– User Profiles
– Roles
– Permission Lists

User Profiles
• Define the individual users of your
PeopleSoft system
• Set of data describing a particular user
of your PeopleSoft system
• Information about the user such as e-mail address, language code, and
password
• Assign process profiles, row-level
security or business unit security at the
User Profile level
• User Profiles are linked to Roles to grant
access to specific areas within the
PeopleSoft application
Roles
• Roles are assigned to User Profiles
• Intermediate objects that link User
Profiles to Permission Lists
• Multiple roles can be assigned to a
single User Profile
• Examples: Applicant, Employee,
Vendor, Accounts Payable Clerk, and
Manager
• Roles allow you to mix and match
access to your PeopleSoft system
• Roles can be assigned to User Profiles
manually or dynamically

Permission List
• Lowest level of PeopleSoft security
• Grants access to pages, PeopleTools,
and sign-on times
• Assign actions such as Add, Update/Display, and Correction
• The fewer Permission Lists used, the
more modular and scalable your PS
security will be
• Multiple Permission Lists can be
assigned to a single role
• Granularity allows you to “mix and
match”
What are dynamic role rules?
• The assignment of roles to User
Profiles based on your business rules
• These business rules run against
system(s) to assign PeopleSoft access
• Business rule data can reside in a
number of places:
– PeopleSoft data
– 3rd party systems
– LDAP
• Allows your PeopleSoft security
structure to change in an automated
fashion
• The dynamic role rule process removes
and grants access to User Profiles
Methods - Assigning dynamic role
rules
• There are three technologies you can
use to execute your business rules:
o PS/Query
o LDAP Plug-in
o PeopleCode
• One, two, or all three of the technologies
listed above can be used
Building Role Rules - PS/Query
• PeopleSoft recommends using
PS/Query to build role rules if the
membership data resides in your
PeopleSoft database
• Access is removed or granted based on
the User Profile IDs retrieved by the
query
• Can be built on Queries and/or Views
• Business rules can be built into the View
and/or Query
Assigning Roles - LDAP
• Organizations that currently have LDAP
directory server groups defined
• Plug into current LDAP configuration
• Leverage existing directory groups/roles
• Easier to maintain
• Single directory server leveraged by
multiple applications
• Single point of maintenance reduces the
risk of user information getting out of
synch
• Involves PeopleCode expertise/coding
Assigning Roles - PeopleCode
• Membership data not contained within
the PS database
• Data might exist on other 3rd party
systems
• Extremely flexible
o SQLExec functions
o Business Interlinks
o Component Interfaces
Static role assignments
• Roles are assigned to User Profiles
manually
• Not scalable
• All security changes require manual
intervention
• High administration costs
• High margin for human error
Benefits - Dynamic role rules
• Roles are assigned to User Profiles
programmatically
• Scalable (internet friendly)
• Less manual work for the PeopleSoft
Security Administrator
• Eliminating static assignment decreases
administration costs
• Reduces risk of human error
• Lessens the load on your help desk
• Audit reporting is simplified
• Schedule your rule execution based on
your environment
Application Messaging
• DYNROLE_PUBL publishes
messages when assigning dynamic
role rules
• The DYNROLE_PUBL Application
Engine does not update the
database directly
• Application Server must be
configured to handle Application
Messaging
• Status of the Application Messages
is viewed in the Application
Messaging Monitor
• Administrator must monitor the
Application Messages to correct
invalid data or errors
Technical Setup – Application Server
• Publish and Subscribe servers need to
be configured on the application server
Demo
Dynamic Role Rules
using
PS/Query
Example – Steps for creating
PS/Query rules
• Define the business rules
• Create a view that retrieves a list of
OPRIDs
• Create a query (ROLEQRY) that selects
from the view
• Attach the ROLEQRY to the Role in
Maintain Security
• Execute DYNROLE_PUBL
• Check Application Message Monitor
• View Results!!
Example – PS/Query Rules
• Dynamically grant access to the
Payroll Administrator role
• Job codes that perform the Payroll
Administrator role are KC006 and
KC008
• Create a view that selects all OPRIDs
that have a job code of KC006 or KC008
on their current job record
• Save the view as SPH_PAYROLL_ADM
Creating the View
SELECT B.OPRID
  FROM PS_JOB A, PSOPRDEFN B
 WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT)
                    FROM PS_JOB A_ED
                   WHERE A.EMPLID = A_ED.EMPLID
                     AND A.EMPL_RCD = A_ED.EMPL_RCD
                     AND A_ED.EFFDT <= GETDATE())
   AND A.EFFSEQ = (SELECT MAX(A_ES.EFFSEQ)
                     FROM PS_JOB A_ES
                    WHERE A.EMPLID = A_ES.EMPLID
                      AND A.EMPL_RCD = A_ES.EMPL_RCD
                      AND A.EFFDT = A_ES.EFFDT)
   AND A.EMPLID = B.EMPLID
   AND A.JOBCODE IN ('KC008','KC006')
   AND A.EMPL_STATUS = 'A'
Creating the View
Don’t forget the following:
• Build the view
• Add the SPH_PAYROLL_ADM view to
one of your security trees
• The query driving the dynamic role rules
will be built using SPH_PAYROLL_ADM
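The view's effective-date logic decides who receives the role, so it is worth checking against edge cases before it drives grants. This added example (not part of the original presentation) runs the same SELECT in SQLite with GETDATE() swapped for a bound as-of date; the rows, EMPLIDs, OPRIDs and job code KC001 are constructed, and real PS_JOB and PSOPRDEFN tables have many more columns.

```python
import sqlite3

# The slide's view logic; GETDATE() (SQL Server) is replaced by a bound
# as-of date so the effective-dated behaviour can be exercised in SQLite.
VIEW_SQL = """
SELECT B.OPRID
  FROM PS_JOB A, PSOPRDEFN B
 WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT) FROM PS_JOB A_ED
                   WHERE A.EMPLID = A_ED.EMPLID
                     AND A.EMPL_RCD = A_ED.EMPL_RCD
                     AND A_ED.EFFDT <= :asof)
   AND A.EFFSEQ = (SELECT MAX(A_ES.EFFSEQ) FROM PS_JOB A_ES
                    WHERE A.EMPLID = A_ES.EMPLID
                      AND A.EMPL_RCD = A_ES.EMPL_RCD
                      AND A.EFFDT = A_ES.EFFDT)
   AND A.EMPLID = B.EMPLID
   AND A.JOBCODE IN ('KC008','KC006')
   AND A.EMPL_STATUS = 'A'
 ORDER BY B.OPRID
"""

# Constructed rows: (EMPLID, EMPL_RCD, EFFDT, EFFSEQ, JOBCODE, EMPL_STATUS)
JOB_ROWS = [
    ("E1", 0, "2020-01-01", 0, "KC006", "A"),  # current payroll admin
    ("E2", 0, "2020-01-01", 0, "KC001", "A"),  # promotion below is future-dated
    ("E2", 0, "2031-01-01", 0, "KC008", "A"),
    ("E3", 0, "2020-01-01", 0, "KC008", "A"),  # terminated on 2024-06-01
    ("E3", 0, "2024-06-01", 0, "KC008", "T"),
    ("E4", 0, "2024-03-01", 0, "KC006", "A"),  # same-day change: EFFSEQ 1 wins
    ("E4", 0, "2024-03-01", 1, "KC001", "A"),
]
OPR_ROWS = [("OPR1", "E1"), ("OPR2", "E2"), ("OPR3", "E3"), ("OPR4", "E4")]

def role_members(asof):
    """Return the OPRIDs the rule would select as of the given ISO date."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PS_JOB (EMPLID, EMPL_RCD, EFFDT, EFFSEQ, JOBCODE, EMPL_STATUS)")
    db.execute("CREATE TABLE PSOPRDEFN (OPRID, EMPLID)")
    db.executemany("INSERT INTO PS_JOB VALUES (?,?,?,?,?,?)", JOB_ROWS)
    db.executemany("INSERT INTO PSOPRDEFN VALUES (?,?)", OPR_ROWS)
    return [r[0] for r in db.execute(VIEW_SQL, {"asof": asof})]

if __name__ == "__main__":
    for day in ("2024-01-15", "2025-01-15", "2031-02-01"):
        print(day, role_members(day))
```

The terminated employee (OPR3) drops out once the termination row becomes current, the future-dated promotion (OPR2) grants nothing until its effective date, and OPR4 never qualifies because the higher EFFSEQ row on the same date carries a different job code.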
Create the Query
• Create a new query, selecting OPRID
from SPH_PAYROLL_ADM
• WHERE logic can be maintained in the
view or in the query
• Note: When saving the query, it must be
saved as a PUBLIC ROLEQRY
• Saved query as
PAYROLL_ADM_ROLE_RULE
Creating the Query
Assign the Query to the Role
• Navigate to PeopleTools > Maintain Security > Use > Roles
• Open the Payroll Administrator role
• Click on the Dynamic Members tab
• Click on the Query Rule Enabled
checkbox
• Populate the Query Rule textbox with
PAYROLL_ADM_ROLE_RULE
• Save the role
Assign the Query to the Role
Execute DYNROLE_PUBL AE
• Navigate to PeopleTools > Maintain Security > Process > Execute Role
Rules
• Enter the server name (PSNT)
• Click on Execute Dynamic Role Rules
• The pushbutton initiates the
DYNROLE_PUBL application engine
process
• Process Monitor will display “Success”
when the application engine process
completes
Application Message Monitor
• DYNROLE_PUBL application engine
publishes messages to
ROLESYNCH_MSG
• Click on App Msg Monitor to view the
status of the messages
Application Message Monitor
• The Application Message Monitor
displays the different types of messages
and the status
• Messages move from “New” to “Done”
as they are processed
• Assignment of the dynamic role rules is
not complete until each of the
messages is out of “New” status
• Click on the Refresh pushbutton to
watch the message process
Application Message Monitor
View the Dynamic Members
• Dynamic members attached to the
role can be viewed when looking at
the role definition
• Navigate to PeopleTools > Maintain Security > Use > Roles
• Click on the Dynamic Members tab
View the Dynamic Members
View the User Profile
Summary
• Drive down PeopleSoft Administration
costs by implementing dynamic role
rules
• Define your business rules
• Develop your dynamic roles based on
the business rules defined by your
organization
• Three technologies used to develop
dynamic roles
o PS/Query
o PeopleCode
o LDAP
• Start small – Mix and match dynamic
and static
o Dynamically assign PS/Query or
Process Monitor
