Professional Documents
Culture Documents
1 Day Course
[A comprehensive 2 day tour on the capabilities of the SQR language and its usage in PeopleSoft]
Table of Contents
1.1 REVIEW AGENDA......................................................................................... 3 1.2 PEOPLESOFT WORKFLOW TECHNOLOGY OVERVIEW.............................................. 3 1.3 THE 8 STEPS OF WORKFLOW DEVELOPMENT. ..................................................... 8 1.4 BUILDING WORKFLOW MAPS ........................................................................ 10 1.5 DEFINING ROLES AND USERS......................................................................... 22 1.6 DEFINING WORKLIST RECORDS...................................................................... 25 1.7 DEFINING EVENT TRIGGERS.......................................................................... 44 1.8 USING BATCH WORKFLOW PROCESSING........................................................... 48 2.1 PEOPLESOFT SECURITY............................................................................... 52 2.2 SECURITY ADMINISTRATION.......................................................................... 62 2.3 SETTING UP PERMISSION LISTS...................................................................... 68 2.4 SETTING UP ROLES..................................................................................... 80 2.5 ADMINISTERING USER PROFILES..................................................................... 81 2.6 IMPLEMENTING QUERY SECURITY................................................................... 81 2.7 DEFINITION SECURITY................................................................................. 86
Page 2 of 90
1.1
Review Agenda
In this topic we will cover two areas Workflow workflow enables automation of flow of information Security to maintain and control access to system based on user class and usage profile.
1.2
Many of the daily tasks performed by system users are part of larger tasks that involve a number of steps and multiple people working together, often in a predefined sequence. The term Workflow refers to the larger process, involving several people, the activities required, and the routing of data between the participants. The most common workflow tools used are simply means of communication between parties involved in the process. These communications often happen in the form of telephone calls, transfer of physical (paper) files from one office to another, emails or hand-written notes. These workflow media are easily deployed and the tools mostly do not require any specific skills. However, these kinds of systems rely on every participant in the chain knowing the steps and players involved. If one participant has to be replaced with another person, this knowledge has to be transferred onto the replacement. This can become increasingly difficult in settings where the same person partakes in many workflow processes, or when unforeseen short-term replacement needs arise. If the system and procedures are not well documented, the likelihood of breaking the workflow chain is high. In addition, these manual systems have little to no control features. Often, a person is not expecting to receive a particular item for processing from their workflow predecessor. If the predecessor fails to complete their task in a timely fashion, it is likely that no mechanisms are in place to remind them of the outstanding items. Page 3 of 90
PeopleSoft workflow tools enable the definition of necessary rules and routings within the system. These components are then used to tie together the individual activities necessary to accomplish a complex task. With careful planning and configuration, this infrastructure will deliver the right information
1.3
The 3Rs of Workflow The corner stones of Workflow process automation within the PeopleSoft Student Administration application are the 3Rs Rules, Roles, and Routing. These three components work together to ensure that the organizations business processes are followed, that appropriate actions are taken in a timely manner in response to an event, and that the right individuals in the organization become involved in the process.
The following sections discuss each one of the 3Rs in more detail. Rules The What? Workflow Rules capture the organizations business processes and formulate them using PeopleSoft Workflow tools. They determine the conditions to trigger a workflow process; these conditions are also referred to as Business Events. Workflow Rules also specify what activities are required to process data related to a given business process, and the sequence of these activities. Figure 1 shows an example for the visual representation of a Business Process. Often, these visual representations are referred to as Workflow Maps.
Page 4 of 90
The icons
the flow of data and the sequence of activities involved. In this example, a two-level approval process is triggered by generating a refund either online or through a batch transaction. The Rules are comprised of the conditions under which data flow must be initiated (often this is the completion of the a predecessor activity), and the definition of the follow-up activity. Each activity can in turn consist of multiple steps, possibly linked by their own set of rules.
Figure 2 Sample Activity Figure 2 shows the Quick Admit Process as a sample activity to illustrate the composition of an activity as a collection of atomic steps. Steps are often tasks that can be performed using a particular component or page in a PeopleSoft system. Activities can also define a sequence of steps, Business Events, and Routing specifications, as can be seen in Figure 3.
Page 5 of 90
Roles The Who? Roles describe how people fit into the Workflow. A Role is a class of users who perform the same type of work, such as Undergraduate Recruiters or Cashiers. Business Rules typically specify what role needs to perform a particular activity. For example, a rule can say that the bursar must approve every student refund. Roles direct the work to types of people rather than to specific individuals. Identifying Roles instead of individual users makes workflow more flexible and less maintenance intensive. Associating Roles with users makes it easy to ensure that workflow users have the security privileges they need to access the pages where they complete their work. Roles remain stable, even as people change jobs. Roles utilize the existing PeopleSoft security infrastructure. As such, Role definitions used for Workflow can either make use of static User-to-Role relationships, or employ query to select one or more Role users at the time of Workflow execution.
Routings The How? At the heart of each Workflow definition is a set of Business Events and the Routings associated with them. Routings are instructions that tell the system to forward information to the next step in the business process. They are the systems means of moving data from one place to another, from one activity to the next. Routings specify information destination and formatting: worklist entries, email messages, or electronic forms. In essence: Routings bring the flow into workflow. When creating a routing, the type of routing, data recipients, and data to be sent are defined. The data is usually a subset of the data from the step that is triggering the routing. A mapping specifies how the data from the application page is packaged for delivery to the routing destination.
Page 6 of 90
Page 7 of 90
1.3
This section discusses the steps required to build a workflow. Step One: Designing a Workflow Application Designing a workflow application can include three main steps: 1. Analyze and document your business requirements. 2. Diagram the process flow. 3. Document the workflow object attributes for business processes, activities, steps, events, and email and worklist routings. In the planning phase of your implementation, take advantage of all PeopleSoft sources of information, including the installation guides, PeopleTools documentation, and the PeopleBooks that are specific to your applications. After clearly designing your workflow requirements, you can proceed to building the workflow. Step Two: Build Supporting Definitions If the applications required for your workflow do not already exist, build the definitions that you need for fields, records, pages, components, and menus. Step Three: Create Workflow Maps Create the workflow maps comprising the steps, activities, and business processes required for your workflow as determined in step one. Use PeopleSoft Application Designer to create graphical maps that represent your business process. At this stage, you create maps only for the processes that are involved in the underlying application; you add PeopleSoft Workflow-specific elements to the maps when you define events and routings. Step Four: Define Roles and Role Users
Page 8 of 90
Workflow maps: also known as Navigator maps, are visual representations of your organization's business processes. Maps are necessary to all workflow processes, and they can also be used as navigational aids for end users. Workflow maps, also known as PeopleSoft Navigator maps, are visual
representations of your organization's business processes. Maps are necessary to all workflow processes, and they can also be used as navigational aids for users. There are two types of workflow maps, each representing a different hierarchical level. The top-level map, known as a business process, represents broad areas of functionality. Business processes contain one or more activities, or subprocesses. Activities contain individual steps that represent the specific transactions that complete that activity. PeopleSoft Navigator: is an alternative to the standard portal navigation. With PeopleSoft Navigator, users can see workflow maps and use them to access pages (but not external programs) that are represented within these maps. PeopleSoft Navigator presents maps according to their hierarchical relationships. Users can browse the available maps and navigate to individual pages by clicking the step that represents the page. As users move from map to page and back to map, the Navigator tree remains visible on the left-hand side of the screen:
Page 10 of 90
Defining Maps
Page 12 of 90
Creating a New Map To create a new map: 1. In PeopleSoft Application Designer, select File, New. 2. In the New scrolling list, select the map type: Activity or Business Process. 3. Click OK. 4. Add the icons required to represent the activity or business process. If youre creating a business process, the icons represent other maps, activities, and possibly other business processes. When you add these types of icons to the map, you can specify an existing activity or business process that the icon represents, or you are prompted to create a new one. Even if you do not save the business process on which you are working, the new activities or business processes that you created are saved to the database. Arrange the icons in a logical and visually informative way. If appropriate, add modeling symbols, drawings, arrows, text, or other graphic elements to the map. These elements are useful primarily in maps that are visible in PeopleSoft Navigator. They do not affect workflow processing, nor are they visible in activity guides. 5. Connect the activities, decision points, and subprocesses in the appropriate order: a. Click the Link button. b. Click the two objects sequentially. An arrow appears, pointing from the first object to the second.
Page 13 of 90
Page 14 of 90
Adding Map Objects This section provides an overview of toolbar buttons and discusses how to: Add icons to maps. Connect icons within a map. Add images to maps. Arrange objects on maps. Set icon properties. Control text. Add drawing shapes to maps. Use other map display features. Page 15 of 90
Page 16 of 90
Adding Icons to Maps To add an icon to a map: 1. Click the toolbar button representing the icon that you want to add. 2. Click the map where you want to place the icon. Page 17 of 90
Page 18 of 90
Page 20 of 90
Use the Step Attributes dialog box to select the page or program that the system starts when a user selects this step and the action mode that is used to open the page. To set step attributes: 1. On the Step Definition dialog box, click the Attributes button. 2. Specify whether the user completes this step on a PeopleSoft page or from an external program. When you select Page or External Program, the appropriate section of the dialog box becomes available. If this is an activity guide and youve marked the activity guide option in the activity properties, you must select Page. 3. Provide directions for starting the page or external program. If a user performs the step by completing a PeopleSoft page, select the page from the list boxes in the Processing Page group box. In the Actiondrop-down list box, select the type of activity that the user must perform on the database: Add,, Update/Display, Update Display/All, or Page 21 of 90
1.5
This chapter provides an overview of roles and users and discusses how to: Define a role query. Maintain roles and role users.
You can define a role as a fixed list of individual role users or as a query that selects one or more role users at runtime. This section discusses: User list roles. Query roles. Route controls. Case study: the manager query role
Page 22 of 90
Page 23 of 90
Route Controls: The PeopleSoft Workflow Administrator enables you to define route controls. For example, suppose that you want to route purchase requisitions to different buyers, depending on which vendor supplies the ordered items, which business unit is requesting the items, and which department needs the items. You can define a route control for each factorvendor ID, business unit, and departmentand specify a range of values for each buyer.
Page 24 of 90
1.6
This topic provides an overview of worklist records and discusses how to: Create worklist record definitions. Replicate worklists.
The Worklist: The worklist can include several different types of items at once. For example, a manager might have entries related to approving both employee course enrollments and orders for supplies. Although both types of entries appear in the managers worklist, the underlying data is different. The course enrollment entries might display information about the course name and start date, while the orders might have information about the descriptions and prices of ordered items. Worklist Records: Entries in worklists are stored in database tables. You define the structure content of these tables by creating worklist records. The worklist record determines which fields of information the system stores for each work item and in what order the work items appear. When a business event routes a work item to a worklist, it adds a row to the table. When a user finishes with a work item, the system marks the row as worked. The basic procedure for creating a worklist record definition is the same as for any record definition, but worklist record definitions have some special requirements. Worklist Record Definitions When you create a worklist record definition, you define what a work item in a worklist looks like. The system uses the worklist record definition to: Link each work item with the underlying workflow tracking information, which is stored in a workflow system record (PSWORKLIST).
Page 25 of 90
Page 27 of 90
Page 28 of 90
Adding an Event: To add an event: 1. Open the activity to which you want to add the event. 2. Click the Event button in the toolbar. 3. Click where you want the event to appear on the map. The Event icon appears on the map. 4. Connect the Event icon to the icon for the step that triggers it. a. Click the Connector icon in the palette. Page 29 of 90
TriggerBusinessEvent PeopleCode function. By default, the event name also appears as the display text under the icon on the map. Active When an activity triggers an event, the TriggerBusinessEvent function determines whether the event is active. To temporarily deactivate an event, preventing any of its routings, clear this check box. To restart an inactive event, select it. Event Record Name Select the record definition to which you want to add Workflow Triggered from PeopleCode to trigger the business event
Editing the Business Rules To edit the business rules: 1. Click the Edit Business Rules button. The PeopleCode Editor appears. The name of the first key field in the specified record definition appears in the title bar. 2. Enter the PeopleCode that triggers the business event. 3. Save the PeopleCode. 4. Click OK to close the Event Definition dialog box. Page 30 of 90
Before you create a worklist routing for an activity, create a worklist record definition. The worklist record determines what fields the system stores for each work item. Creating Worklist Routings: To create a worklist routing: 1. Create the business event that triggers the worklist routing. 2. Click the Worklist button on the toolbar. 3. Click where you want the Worklist icon to appear on the map. The Worklist icon appears. 4. Connect the worklist routing to the event that triggers it. a. Click the Connector icon in the palette. b. Click the Event icon, then the Worklist icon. An arrow connects the two icons. Use the Link icon to connect a routing to an event. If you use the Line icon, the system wont recognize the routing. 5. Double-click the Worklist icon, or right-click and select Item Properties. The Worklist Definition dialog box appears. 6. Enter a name and description for the worklist routing. Defining Worklist Attributes: Define worklist attributes on the Worklist Attributes dialog box
Page 31 of 90
To define worklist attributes: 1. On the Worklist Definition dialog box, click Attributes. The Worklist Attributes dialog box appears. 2. Select the worklist record, business process, and activity from the appropriate drop-down list boxes. Worklist Record Business Process Activity Enter the business process name that is associated with the worklist item. Enter the activity name that is associated with the worklist item. When a user selects a work item from the worklist, the system displays the page (or external program) that is associated with the first step in the activity that you specify here. The first step is the one marked as Step 1 Path 1 in the step map. You usually select the next activity in the current business process, but this is not required. You can route to any activity in any business process. This is the Worked by business process and activity, which may not be the same as the business process or activity that triggered Page 32 of 90 Select the record definition to use for storing and displaying work items.
4. Specify the timeout parameters (if timeout processing is active). Timeout Parameters Specifying a timeout condition is optional. If you want all work items to remain in this worklist until a user processes them, leave the controls in this group box blank, or clear the Timeout Process Active check box. Otherwise, specify how long to wait (days, hours, and minutes) for a user to process a work item. The system adds the three values together. If a work item sits in the worklist for longer than the specified amount of time, the system performs the action identified by the check box that you select. Email Assigned Current User Email Supervisor Send an email message to the users supervisor. The supervisor is assigned as the users supervising role user in the user profile, maintained through PeopleSoft Security. In PeopleSoft HRMS applications, the system uses the supervisor from the users PERSONAL_DATA record. Send Timeout Send a new worklist item to the currently assigned users timeout Page 33 of 90 Send an email message to the user to whom the work item is assigned, warning that the item is overdue.
5. Specify what the user must do before the system considers a work item to be worked. Work items remain in a users worklist until they have been worked. User Specified A work item is marked as worked when the user explicitly identifies it as worked by selecting it on the Select Worklist page and clicking the Mark Worked button. This option is useful when the user must return to the same work item several times or wait for supporting information. If the worklist item is replicated from another database, the Mark Worked function is disabled in the target database. Saved A work item is marked as worked when the user saves work on the page that is assigned to the worklist. This option is appropriate for work items that the user can complete right away. Selected A work item is marked as worked as soon as the user selects it from the worklist. This option is appropriate for work items that notify the user of an event; just seeing the item is sufficient. Programmatic A work item is never marked worked directly by the user. It can be marked as worked only with PeopleCode. This setting enables you to provide additional logic to determine when a work item can be considered worked. 6. Click OK to close the Worklist Attributes dialog box and return to the Worklist Properties dialog box. Specifying Field Mappings: Specify field mappings on the Field Map dialog box.
Page 34 of 90
To specify field mappings: 1. Click the Field Mapping button. If the Field Mapping button is unavailable, you havent properly linked the routing to the event that triggers it. The Field Map dialog box appears. Use this dialog box to tell the system where to find the data to create a worklist entry. The Message Map group box lists the fields involved. Name Displays the user ID (OPERID) of the person who receives the worklist routing. It may also display the fields in the worklist record, which includes key data Page 35 of 90
Field Value RecField option. The Record box lists the record definitions that should
With email routings, you can send email messages in response to business events. In some cases, you might want to define two routings for the same event: one that adds an item to someones worklist and one that sends an email message to tell that person about the new worklist item. You can send an email routing to anyone to whom you can send email messages through the mail system. PeopleSoft applications support email routings to any email software that supports the Simple Mail Transfer Protocol (SMTP) standards. Creating an Email Routing: To create an email routing: 1. Create the business event that triggers the email routing. 2. Click the Email button on the toolbar. 3. Click where you want the Email icon to appear on the map. The Email icon appears. 4. Connect the email routing to the event that triggers it.
Page 38 of 90
Mapping Fields:
Page 39 of 90
To map fields: 1. Select Field Mapping. 2. The Field Map dialog box appears. Use this dialog box to tell the system where to find the data to create an email message. The Message Map group box lists the fields involved. Name Value Displays the fields. Indicates where the system finds the data to enter in the fields.
The fields that appear in this dialog box represent the two different types of data that are needed to create an email message: who and what. That is: Who receives the email message? The TO field holds the email address for this person. What is the content of the email message? This includes a SUBJECT line and any additional text that you add. You can also concatenate data into the message. When you first open the dialog box, the Name column displays the fields available for mapping. You must provide a value for the TO field. 3. Select the field into which you want to map a value. 4. Click the Change button, or to add a new field to the map, click Add.
Page 40 of 90
NOTETEXT Indicates the body of the message. The message can have multiple
Field Value RecField option. The Record box lists the record definitions that should
Page 42 of 90
1.7
This chapter provides an overview of event triggers and discusses how to: Write Workflow PeopleCode. Write PeopleCode for approval processes. Use additional PeopleCode functions and variables.
As you define workflow processes, you identify the application pages that trigger business events. Then you must add PeopleCode programs to the pages so that they actually trigger the events. The PeopleCode detects when a business rule has been triggered and determines the appropriate action. This section provides an overview of Workflow PeopleCode and discusses how to: Use the TriggerBusinessEvent function. Create Workflow PeopleCode programs.
Workflow PeopleCode To trigger a business event from a page, you add a PeopleCode program to the workflow event in the record definition for one of the tables to which the page writes. For example, to trigger events from the Course Request page, add Workflow PeopleCode to the TRAINING record definition; TRAINING is the record definition with which the Course Request page fields are associated. If youre triggering business events from a page that includes scrolls, add the Workflow PeopleCode to the record definition at the appropriate scroll level. If, for example, you add it to the record definition that is associated with a level one scroll area, the PeopleCode runs once for each row at that level. A Workflow PeopleCode program can reference record fields from record definitions at the same scroll level or at a lower scroll level. These rules also apply to the SaveEdit PeopleCode for Virtual Approver.
Page 44 of 90
Page 45 of 90
Page 46 of 90
Approval processes are a common form of business process. PeopleSoft has simplified the process of defining approval processes by enabling you to define approval rules on an approval rule setmap. You can then choose a tool to read and implement the approval rules from the map. Using Virtual Approver: As users complete transactions that require approvals, Virtual Approver determines the appropriate approver and sends a workflow routing. As each approver completes the approval, Virtual Approver determines whether additional approvals are needed and, if necessary, sends additional workflow routings. Using the GetApprovers Library Function: The GetApprovers function isn't a regular PeopleCode function. It's a library function, like Virtual Approver. It's located in the FieldFormula event of the APPR_VA0_WRK.APPR_RULE_SET record field. The GetApprovers PeopleCode function checks an approval rules set and determines the entire list of required approvals at once, so that you can develop custom approval tracking applications.
Page 47 of 90
1.8
This chapter provides overviews of workflow batch processes, batch workflow applications, Database Agents conversion, and the Notification Class, and discusses how to create batch workflow applications. When youre working with PeopleSoft applications, you perform some activities interactively (online processes) and the system performs some behind the scenes (batch processes). Batch processes provide three major benefits: You can schedule them to run later, on a recurring schedule. They can process a large number of items all together, unlike online processes, which typically process one item at a time. You can transfer processing to a server so that time-consuming tasks dont monopolize your machine. However, batch processes have one drawback: they connect to the database directly, rather than working through the PeopleSoft pages. If your application validates incoming data or runs custom PeopleCode, you might not want a batch process updating the database in this way. Also, because you trigger business events by saving data on a page, batch processes cant initiate a workflow. Batch Workflow Processing Sometimes, the event that triggers a workflow routing is actually a nonevent. That is, a situation exists, but not because someone has entered data into the system. The most common examples of this type of event are aging processes. For example, an invoice becomes overdue, an employee reaches his five-year anniversary, or a worklist entry remains unworked for over a week. PeopleSoft Application Engine enables you to monitor your database for this type of event. You can create an Application Engine program that runs a SQL query against the PeopleSoft database and passes the results to a component interface.
Page 48 of 90
Page 49 of 90
Page 50 of 90
Page 51 of 90
2.1
PeopleSoft
PeopleTools applications, to ensure that your sensitive application data does not fall into the wrong hands. Most likely, you use other security tools for your network and relational database management system (RDBMS). These tools work together to protect the PeopleSoft system from unauthorized access. The PeopleSoft security approach is tailored for the internet. It enables you to easily create and maintain security definitions, and you can perform many maintenance tasks programmatically. You can apply security to all users, including employees, managers, customers, contractors, and suppliers. You group your users according to roles to give them different degrees of access. For instance, there might be an Employee role, a Manager role, and an Administrator role. Users who belong to a particular role require a specific set of permissions, or authorizations, within your system, so that they can complete their daily tasks. You must also secure the objects and definitions in your PeopleSoft development environment. Just as you restrict sets of end users from accessing particular pages and components, you also restrict the definitions that your sites developers can access using PeopleSoft Application Designer. A definition refers to any of the definitions that you create within PeopleSoft Application Designer, such as records, pages, or components. Each object definition may have individual security needs. For example, you may have a large development staff, but perhaps you want only a few developers to have access to specific record definitions. PeopleSoft Security Definitions Because deploying your applications to the internet significantly increases the number of potential users your system must accommodate, you need an efficient method of granting authorization to different user types. PeopleSoft security definitions provide a modular means to apply security attributes in a scalable manner.
Page 52 of 90
User Profiles User profiles define individual PeopleSoft users. Each user has an individual user profile, which in turn is linked to one or more roles. You add one or more permission lists, which ultimately control what a user can and can't access, to each role. A few permission types are assigned directly to the user profile. Typically, a user profile must be linked to at least one role in order to be a valid profile. The majority of values that make up a user profile are inherited from the linked roles. Roles Roles are intermediate objects that link user profiles to permission lists. You can assign multiple roles to a user profile, and you can assign multiple permission lists to a role. Some examples of roles might be Employee, Manager, Customer, Vendor, and Student. A manager is also an employee, and may also be a student. Roles enable you to mix and match access appropriately. You have two options when assigning roles: assign roles manually or assign them dynamically. When assigning roles dynamically, you use PeopleCode, LDAP, and PeopleSoft Query rules to assign user profiles to roles programmatically. Permission Lists Permission lists are groups of authorizations that you assign to roles. Permission lists store sign-in times, page access, PeopleTools access, and so on.
Page 53 of 90
PeopleSoft Online Security: The PeopleSoft system has many elements, such as batch processes, object definitions, and application data. Use PeopleTools security tools to control access to most of these elements. To secure other elements, you use application-specific interfaces, such as Administer Security. This section discusses: Sign-in and time-out security. Page and dialog box security. Batch environment security. Definition security. Application data security. PeopleSoft Internet Architecture security.
Page 54 of 90
Page 55 of 90
Definition Security
Use Definition Security to govern access to database object definitions, such as record definitions, field definitions, and page definitions, and to protect particular object definitions from being modified by certain developers.
Table-Level Security You use PeopleSoft Query to build SQL queries and retrieve information from application tables. For each PeopleSoft Query user, you can specify the records the user is allowed to access when building and running queries. You do this by creating query access groups in PeopleSoft Tree Manager, and then assigning users to those groups with PeopleSoft Query security. PeopleSoft Query security is enforced only when using PeopleSoft Query; it doesnt control runtime page access to table data. Row-Level Security You can design special types of SQL viewssecurity viewsto control access to individual rows of data stored within application database tables. Row-level security enables you to specify the data that a particular user is permitted to access. PeopleSoft applications are delivered with built-in row-level security functions that are tailored to specific applications. For example, PeopleSoft Human Resources security tables enable you to restrict user access to employee rows of data according to organizational roles. You could also permit users to view and update rows for employees in their departments only. Similarly, in PeopleSoft Financials, you can use security views to determine access to business units and ledgers. You can also use security tables to grant privileges by access group to users who use PeopleSoft Query to access data from the database. See the documentation for your application for details about implementing row-level security for your applications. Field Security Use PeopleCode to restrict access to particular fields or columns within application tables. For example, if you want a certain class of user to be able to access certain pages, but not to view a particular field on those pages, such as compensation rate, you can write PeopleCode to hide the field for that user class. Page 57 of 90
Security between the application server and database is supplied by RDBMS connectivity. PeopleSoft Integration Broker and portal products have additional security concerns, which are addressed in the documentation for those products.
PeopleSoft Authorization Ids: The PeopleSoft system uses various authorization IDs and passwords to control user access. You use PeopleTools Security to assign two of these IDs: the user ID and the symbolic ID.
User Ids
PeopleSoft user ID is the ID you enter at the PeopleSoft sign-in dialog box. You assign each PeopleSoft user a user ID and password. The combination of these two
Page 58 of 90
Connect ID
The connect ID performs the initial connection to the database. A connect ID is a valid user ID that, when used during sign-in, takes the place of PeopleSoft user IDs. Using a connect ID means you dont have to create a new database user for every PeopleSoft user that you add to the system. Warning! Without a connect ID specified, the system assumes that workstation is accessing PeopleSoft through an application server. The option to override the database type is disabled
Access Ids
When you create any user ID, you must assign it an access profile, which specifies an access ID and password. The PeopleSoft access ID is the RDBMS ID with which PeopleSoft applications are ultimately connected to your database after the PeopleSoft system connects using the connect ID and validates the user ID and password. An access ID typically has all the RDBMS privileges necessary to access and manipulate data for an entire PeopleSoft application. The access ID should have Select, Update, and Delete access. Users do not know their corresponding access IDs. They just sign in with their user IDs and passwords. Behind the scenes, the system signs them into the database using the access ID. If users try to access the database directly with a query tool using their user or connect IDs, they have limited access. User and connect IDs only have access to the few PeopleSoft tables used during sign-in, and that access is Select-level only. Furthermore, PeopleSoft encrypts the sensitive data that resides in those tables.
Page 59 of 90
Symbolic Ids
PeopleSoft encrypts the access ID when it is stored in the PeopleTools security tables. Consequently, an encrypted value cant be readily referenced or accessed. So when the access ID, which is stored in PSACCESSPRFL, must be retrieved or referenced, the query selects the appropriate access ID by using the symbolic ID as a search key. The symbolic ID acts as an intermediary entity between the user ID and the access ID. All the user IDs are associated with a symbolic ID, which in turn is associated with an access ID. If you change the access ID, you need to update only the reference of the access ID to the symbolic ID in the PSACCESSPRFL table. You do not need to update every user profile in the PSOPRDEFN table. PeopleSoft Sign-in: The most common direct sign-in to the PeopleSoft database is the application server sign-in. These are the basic steps that are taken when the application server signs in to the database: 1. Initial connection. The application server starts, and uses the connect ID and user ID specified in its configuration file (PSAPPSRV.CFG) to perform the initial connection to the database. 2. The server performs a SQL Select statement on security tables. After the connect ID is verified, the application server performs a Select statement on PeopleTools security tables, such as PSOPRDEFN, PSACCESSPRFL, and PSSTATUS. From these tables, the application server gathers such items as the user ID and password, symbolic ID, access ID, and access password. After the application server has the required information, it disconnects. 3. The server reconnects with the access ID. When the system verifies that the access ID is valid, the application server begins the persistent connection to the database that all Pure Internet Architecture and Windows three-tier clients use to access the database. Page 60 of 90
Single Signon
Pure Internet Architecture uses browser cookies for seamless single signon across all PeopleSoft nodes. A node refers to a database and the application servers connected to it. For example, a user can complete a PeopleSoft Human Resources transaction, and then click a link for a PeopleSoft Financials transaction without ever reentering a password. Single signon is especially important to the PeopleSoft portal, which aggregates content from several different applications and data sources into a single, integrated display.
2.2
Security Administration
Security Administration Overview: This section discusses: User security. Lightweight Directory Access Protocol (LDAP). Authentication and single signon Query and definition security.
Page 62 of 90
Page 63 of 90
Lightweight Directory Access Protocol (LDAP) LDAP is an internet protocol used to access a directory listing. Organizations typically store user profiles in a central repository, or directory server, that serves user information for all of the programs that require it. If your existing computer network uses an LDAP V3 compliant directory server, PeopleSoft supports the use of that server for managing user profiles and authenticating users. PeopleSoft enables you to integrate your authentication scheme for PeopleSoft with your existing infrastructure. You always maintain permission lists and roles using PeopleSoft security. However, you can maintain user profiles in PeopleSoft security or reuse user profiles and roles that are already defined within an LDAP directory server. A directory server enables you to maintain a single, centralized user profile that you can use across all of your PeopleSoft and non-PeopleSoft applications. This approach reduces redundant maintenance of user information stored separately throughout your enterprise, and reduces the possibility of user information getting out of synchronization. You can configure and extend your signon PeopleCode to work with any schema implemented in your directory server. You can assign roles to users manually or assign them dynamically. When assigning roles dynamically, you use PeopleCode, LDAP, and PeopleSoft Query rules to assign user profiles to roles programmatically. Authentication and Single Signon PeopleSoft delivers the most common authentication solutions and packages them with your PeopleSoft application. This saves you the trouble of developing your own solutions and saves you time with your security implementation. These prepackaged solutions include PeopleCode that supports basic sign-in through secure sockets layer (SSL), LDAP authentication, and single signon. Because PeopleSoft applications are designed for internet deployment, many sites must take advantage of the authentication services that exist at the web server Page 64 of 90
Query and Definition Security Security Administration Integrations: This section identifies the Security integration points using: Component interfaces. Messages. Application Engine programs.
Component Interfaces: The following are the delivered component interfaces designed for security integration. DELETE_ROLE This component interface is based on the Delete Role (PURGE_ROLEDEFN) component, and it is used to purge roles. It is keyed by RoleName, and has the Get, Find, Save, Cancel methods. The DELETE_ROLE application message calls this component interface. DELETE_USER_PROFILE This component interface is based on the Delete User Profile (PURGE_USR_PROFILE) component, and it is used to purge User Profiles. It is keyed by User ID, and has the Page 65 of 90
Messages: The following are the delivered messages designed for security integration. DELETE_ROLE This message is called from the Delete Role component. It is used to the delete the role from subscribing databases. The message requires that the DELETE_ROLE component interface be authorized. DELETE_USER_PROFILE This message is called from the Delete User Profile component. It is used to delete the user profile from subscribing databases. This message requires that the DELETE_USER_PROFILE component interface be authorized.
Page 66 of 90
Page 67 of 90
This chapter provides an overview of permission lists and discusses how to: Manage permission lists. Define permissions.
Permission lists are the building blocks of user security authorizations. You typically create permission lists before you create user profiles and roles. When defining permission lists, however, consider the roles and user profiles with which you will use them. Recall that roles are intermediary objects between permission lists and users. You use roles to assign permissions to users dynamically. Permission lists may contain any number of permissions, such as sign-in times, page permissions, and component interface permissions. Permission lists are more flexible and scalable when they contain fewer permissions. The following diagram illustrates how permission lists are assigned to roles, which are then assigned to user profiles. A role may contain numerous permissions, and a user profile may have numerous roles assigned to it. A user inherits all permissions assigned to each role to which the user belongs. User access is determined by the combination of all assigned roles.
Page 68 of 90
Viewing Content References Select PeopleTools, Security, Permissions & Roles, Permission Lists, Pages to access the Pages page, then click the Edit Components link to access the Component Permissions page.
Page 69 of 90
Synchronizing Permission Lists and Content References Use the PORTAL_CSS application engine program to synchronize permission lists with content references for the portal. By default, the system synchronizes changes in permission lists with content references; however, after an upgrade or any time when you want to make sure, you can run the PORTAL_CSS program. There is a process definition of the same name.
Adding Links
Select PeopleTools, Security, Permissions & Roles, Permission Lists, Links to access the Links page. Use this page to add links to other pages within your PeopleSoft system that pertain to a particular permission list. For example, perhaps a PeopleSoft application requires a specific security setting to be attached to a permission list. If this application-specific setting appears on a page not in PeopleTools, Security, add a link to that page so that anyone updating the permission list can easily navigate to it. You create your inventory of links to security settings that exist outside of PeopleTools Security using the Security Links page. After being created and assigned
Page 70 of 90
Page 71 of 90
Page permissions refer to the pages to which a user has access. Pages are contained within components, which are ultimately contained within a menu name. To grant access to a particular page, determine the component it is in and the menu name the component falls under. This enables you to drill down to the appropriate page. After you add a menu name, you grant access to its components and pages on an item-by-item basis. In PeopleSoft applications, menu items represent components. If Page 72 of 90
Granting Access to Components and Pages The following procedure describes how to set access permissions to your PeopleSoft applications and your page-driven PeopleTools. You begin at the component level and drill down to the page level making the appropriate selections as you go. To add access to PeopleSoft components and pages: 1. Locate the menu name of the component to which you want to add access. 2. Click Edit Components. The Components page appears. 3. Locate the component to which you want to grant access. By default, when adding a new permission list, no components are authorized. 4. Click the Edit Pages button associated with each component to which you want to grant access. The Page Permissions page appears. You specify the actions that a user can complete on the page. You have the following options for each page that appears in the Page column: Authorized? Select to enable a user to access the page. Decide the degree to which a user is authorized on a page by selecting Display Only or one or more of the available options in the Actions group.
Page 73 of 90
The PeopleTools Permissions section of this page applies to standalone PeopleTools applications. They aren't Pure Internet Architecture-based, but are Microsoft Windows programs that weren't developed using PeopleSoft Application Designer. They include: Page 74 of 90
To grant access to these PeopleTools features, select the check box next to the appropriate item. With PeopleSoft Application Designer, the procedure for applying permissions is slightly more complex, because security for PeopleSoft Application Designer also controls what object definition types can be accessed and what degree of modifications can be made. The links on this page (Definition Permissions, Tools Permissions, and Miscellaneous Permissions) enable you to provide more detail to PeopleSoft Application Designer access permissions.
Page 75 of 90
Tools Permissions In addition to object definitions, PeopleSoft Application Designer security also involves a collection of tools, such as Build and the PeopleCode Debugger, to which developers need access. The tools within PeopleSoft Application Designer include the following: Build/Data Admin (select Build, Project and Tools, Data Administration). Change Control (select Tools, Change Control). Language Translations (select Tools, Translations). PeopleCode Debugger (select Debug, PeopleCode Debugger Mode). SQL Editor (the PeopleSoft Application Designer utility for adding SQL objects and statements to applications and application engine programs). Upgrade (select Tools, Upgrade). This includes Copy Project, Compare and Report, and so on.
Page 76 of 90
The Query page has links to the Permission List Access Groups page, where you can define the records to which the user can have access in PeopleSoft Query, and the Query Profile page, where you can define the query operations that the user can perform. Defining Access Groups Click Access Group Permissions to access the Permission List Access Groups page.
Page 77 of 90
Query profiles specify available query operations. You can give users the right to run queries but not create them, or to create regular queries but not workflow queries, and you can restrict the SQL operations that users can perform. You control these options through the query profile. Each permission list has its own query profile, and the combination of all permission lists that are assigned to a role determine the total query access for the role. User profiles inherit query access only through the roles that you assign to them.
Page 79 of 90
2.4
Setting Up Roles
Roles are an intermediate object that exist between permission lists and user profiles. Roles aggregate permission lists so that you can arrange permissions into meaningful collections. If you implement dynamic roles, then you can add permissions to users dynamically, which reduces administration tasks. Role users are the user profiles or users that have membership in a particular role. Users inherit most of their permissions from the roles assigned to the user profile. However, you assign the following permission lists directly to a user profile: Data permissions. These are assigned through a primary permissions list or a row security permissions list. PeopleSoft Navigator homepage permissions. Process profile permissions.
When you assign roles to profiles manually, through the Security pages, these users are called static role users. Other users may obtain membership in a role programmatically. You can run a batch process that runs predefined role rules and assigns roles to user profiles according to these rules. This approach is called dynamic membership, and users who become role users of a particular role programmatically are dynamic role users. Use dynamic role assignment to make your security system scale to large user populations. If you have thousands of users and need to make every change to a user profile manually, the security administrator becomes a bottleneck.
Page 80 of 90
2.5
User profiles define individual PeopleSoft users. You define user profiles and then link them to one or more roles. Typically, a user profile must be linked to at least one role to be a usable profile. The majority of values that make up a user profile are inherited from the linked roles. You define user profiles by entering the appropriate values on the user profile pages. The user profile contains values that are specific to a user, such as a user password, an email address, an employee ID, and so on.
2.6
This chapter discusses how to: Define query profiles. Build query access group trees. Work with query trees. Define row-level security and query security records
Page 81 of 90
Page 82 of 90
Page 83 of 90
Page 84 of 90
Defining Row-Level Security and Query Security Records: By default, when you give Query users access to a record definition, they have access to all the rows of data in the table built using the associated record definition. In some cases, though, you want to restrict users from seeing some of those data rows. For example, you might not want your human resources staff to have access to compensation data for vice presidents or above. In other words, you want to enforce row-level security, which is offered by many PeopleSoft applications. This section describes the relationship between row-level security and Query security record definitions. Row-Level Security With row-level security, users can have access to a table without having access to all rows on that table. This type of security is typically applied to tables that hold sensitive data. For example, you might want users to be able to review personal data for employees in their own department, but not for people in other departments. You would give everyone access to the PERSONAL_DATA table, but would enforce rowlevel security so that they could only see rows where the DEPTID matches their own. PeopleSoft applications implement row-level security by using a SQL view that joins the data table with an authorization table. When a user searches for data in the data table, the system performs a related record join between the view and the base table rather than searching the table directly. The view adds a security check to the Page 85 of 90
2.7
Definition Security
We will discuss Definition security. Definition groups and permission lists. Definition security rules. Page 86 of 90
Definition Security settings also works at the field level. To change a field on a record, you must be authorized to update all record definitions that contain the field. For example, to update or rename the EMPLID field on any record definition, you must have access to every record definition that contains the EMPLID field. If you are denied access to the ABSENCE_HIST record definition, which contains EMPLID, you wont be able to modify any field attributes of EMPLID on any other record that contains the field. This ensures the integrity of your system. In a fast-paced development environment, if PeopleTools definitions are not well secured, problems may result. Definition Groups and Permission Lists: Use Definition Security to define definition groups and link them to permission lists that you created in Security. A definition group is a collection of one or more definitions that form a logical group for security purposes. For example, youve created a permission list for analysts who support the PeopleSoft Payroll module, and you call it PAYROLL_DEV. The analysts are allowed to update only payroll definitions. Using Definition Security, you create a definition group containing only payroll definitions, and give it a name, such as PAYROLL_OBJ. Finally, you link PAYROLL_OBJ to PAYROLL_DEV. You can assign multiple definition groups to a single permission list. You can't declare directly that a particular permission list can modify a specific definition type. You do so indirectly by creating a definition group that consists solely of the desired definition type. Also, remember that you can assign a definition to multiple groups as needed. To ensure total definition security, assign every definition to at least one definition group.
Page 87 of 90
In this activity, you will review the activity overview and Modify a department security tree. Update data permission security. Assign department access to a permission list
In this activity, you will modify a department security tree by creating a new effectivedate tree for DEPT_SECURITY with setID SHARE. On the new tree, you will add a new node and move a node. You will then run the batch process to update the security tree. Once the update process has completed, you will change the permission list HCDPUSA to use the new department and test the new permission. To modify a department security tree: Sign in to the HCM database as PS. 1. Select Tree Manager, Tree Manager. 2. Enter DEPT_SECURITY in the tree name field. 3. Select the DEPT_SECURITY tree with SHARE as the setID and January 1, 1990 as the effective date.
4. Click Save As, and enter todays date for the effective date
10. Expand the ALL DEPTS folder. 11. Click 42000 Corporate Headquarters.
12. Click the Insert Child Node icon to insert a new child node.
15. Click OK. 16. Click on 63000 Fire Department, and click the Cut button. 17. Click on 44000 Northwest Division, and click the Paste as Sibling button. 18. Click Save. Results Department 63000 now displays as a sibling of department 44000:
Page 89 of 90
Page 90 of 90