Understanding Definition Security

This section discusses:

Definition Security

You can restrict developer access to the record definitions, menu definitions, page definitions, and others that make up your applications. Just as you use Security to control who can access the PeopleSoft pages in your system, you use Definition Security to control who can access and update PeopleTools definitions.

There are two tasks involved with definition security:

  • Creating definition groups.

  • Linking definition groups to predefined permission lists.

Definition security leverages the permission lists created in PeopleTools Security to restrict access to individual PeopleTools database definitions created using a PeopleTools designer utility, such as PeopleSoft Application Designer or PeopleSoft Tree Manager. Definition types include all of the definitions that appear in the following table. Most definition types are created in PeopleSoft Application Designer.

Definition Type                Associated Designer Tool
-----------------------------  -------------------------------
Activities                     PeopleSoft Application Designer
Application Engine Programs    PeopleSoft Application Designer
Application Packages           PeopleSoft Application Designer
Approval Rule Sets             PeopleSoft Application Designer
Business Interlinks            PeopleSoft Application Designer
Business Processes             PeopleSoft Application Designer
Components                     PeopleSoft Application Designer
Component Interfaces           PeopleSoft Application Designer
Fields                         PeopleSoft Application Designer
File Layouts                   PeopleSoft Application Designer
HTML                           PeopleSoft Application Designer
Images                         PeopleSoft Application Designer
Menus                          PeopleSoft Application Designer
Messages                       PeopleSoft Application Designer
Mobile Pages                   PeopleSoft Application Designer
  Important! PeopleSoft Mobile Agent is a deprecated product. These features exist for backward compatibility only.
Pages                          PeopleSoft Application Designer
Analytic Types                 PeopleSoft Application Designer
Projects                       PeopleSoft Application Designer
Queries                        PeopleSoft Query
Records                        PeopleSoft Application Designer
SQL                            PeopleSoft Application Designer
Style Sheets                   PeopleSoft Application Designer
Tree Structures                PeopleSoft Tree Manager
Trees                          PeopleSoft Tree Manager
Translate Tables               PeopleSoft Application Designer

Note: You can restrict access to an entire definition type, such as records or pages, using the PeopleTools page in Security. This works by controlling access to the PeopleSoft Application Designer functionality that works with a particular definition type. For example, if you don't want developers to use application engine programs, don't allow them to access PeopleSoft Application Engine.

Definition Security settings also work at the field level. To change a field on a record, you must be authorized to update all record definitions that contain the field. For example, to update or rename the EMPLID field on any record definition, you must have access to every record definition that contains the EMPLID field. If you are denied access to the ABSENCE_HIST record definition, which contains EMPLID, you won’t be able to modify any field attributes of EMPLID on any other record that contains the field. This ensures the integrity of your system. In a fast-paced development environment, if PeopleTools definitions are not well secured, problems may result.

Before you start using Definition Security, it’s a good idea to define the definition security needs of your users. Consider these types of questions:

  • Should all developers have access to all PeopleTools definitions?

  • Should payroll developers have access only to payroll definitions?

  • Who will be allowed to access PeopleSoft Application Designer?

Definition Groups and Permission Lists

Use Definition Security to define definition groups and link them to permission lists that you created in Security.

A definition group is a collection of one or more definitions that form a logical group for security purposes. For example, you’ve created a permission list for analysts who support the PeopleSoft Payroll module, and you call it PAYROLL_DEV. The analysts are allowed to update only payroll definitions. Using Definition Security, you create a definition group containing only payroll definitions, and give it a name, such as PAYROLL_OBJ. Finally, you link PAYROLL_OBJ to PAYROLL_DEV.

You can assign multiple definition groups to a single permission list.

You can't declare directly that a particular permission list can modify a specific definition type. You do so indirectly by creating a definition group that consists solely of the desired definition type. Also, remember that you can assign a definition to multiple groups as needed. To ensure total definition security, assign every definition to at least one definition group.

Note: PeopleTools databases are delivered with a predefined definition group called PEOPLETOOLS that contains all the PeopleTools definitions. Until you create definition groups of your own, the PEOPLETOOLS definitions are the only definitions that you can secure.

Definition Security Rules

To set up Definition Security properly, it’s helpful to understand how the system interprets definition security settings. The system applies the following rules to determine whether a user is authorized to update a definition:

Rule  Description
----  -----------
1     Is the definition type assigned to any definition group? If not, then anyone has update access to it. For this reason, you should add all definition types to at least one definition group.

2     Is the definition type a part of a definition group assigned to the user’s primary permission list? If not, the system denies access and displays a message, such as “definition_name is not a definition that you are authorized to access.”

3     Do all the definition groups of which the definition type is a member have the display-only option enabled? If so, then the system displays the message “definition_name is not a definition that you are authorized to update.” The definition type appears with the Save command disabled.

If the definition passes these system checks, the user is allowed to access and update it, unless it’s a PeopleSoft Application Designer definition, in which case several other security checks are performed first. PeopleSoft Application Designer definitions are also controlled by the PeopleTools page in permission lists.

Important! A user gets definition security permissions through the primary permission list, not through roles.
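
The three rules above, together with the field-level rule described earlier, can be modelled as follows. This is an added illustration, not PeopleTools code: the function names, the HR_* groups and permission lists, the record and field layout, and the choice to store the display-only flag on the link between permission list and group are all assumptions; only PAYROLL_DEV, PAYROLL_OBJ, ABSENCE_HIST and EMPLID come from the text.

```python
# Illustrative model only: constructed data, not PeopleTools objects or APIs.
from enum import Enum

class Access(Enum):
    UPDATE = "update"
    DISPLAY_ONLY = "display-only"
    DENIED = "denied"

# Definition group -> member definitions as (type, name) pairs (constructed sample).
GROUPS = {
    "PAYROLL_OBJ": {("RECORD", "PAY_CHECK"), ("PAGE", "PAY_CHECK_PNL")},
    "HR_OBJ": {("RECORD", "ABSENCE_HIST"), ("RECORD", "JOB")},
    "HR_FIX": {("RECORD", "JOB")},
}
# Primary permission list -> {linked group: display-only flag} (assumed placement of the flag).
LINKS = {
    "PAYROLL_DEV": {"PAYROLL_OBJ": False},
    "HR_VIEW": {"HR_OBJ": True},
    "HR_DEV": {"HR_OBJ": True, "HR_FIX": False},
}
# Record -> fields it contains (constructed sample).
RECORD_FIELDS = {
    "PAY_CHECK": {"EMPLID", "NET_PAY"},
    "ABSENCE_HIST": {"EMPLID", "BEGIN_DT"},
    "JOB": {"EMPLID", "DEPTID"},
    "TMP_SCRATCH": {"NOTE"},
}

def check_access(primary_permission_list, definition):
    containing = {g for g, members in GROUPS.items() if definition in members}
    if not containing:                      # Rule 1: ungrouped, so anyone may update
        return Access.UPDATE
    linked = LINKS.get(primary_permission_list, {})
    usable = containing.intersection(linked)
    if not usable:                          # Rule 2: no linked group contains it
        return Access.DENIED
    if all(linked[g] for g in usable):      # Rule 3: every applicable group is display-only
        return Access.DISPLAY_ONLY
    return Access.UPDATE

def can_modify_field(primary_permission_list, field):
    # Field-level rule: update access is required on every record containing the field.
    records = [r for r, fields in RECORD_FIELDS.items() if field in fields]
    return all(check_access(primary_permission_list, ("RECORD", r)) is Access.UPDATE
               for r in records)

def ungrouped_definitions(all_definitions):
    # Audit helper: definitions that Rule 1 leaves open to every developer.
    grouped = set().union(*GROUPS.values())
    return sorted(d for d in all_definitions if d not in grouped)
```

Running ungrouped_definitions over a full inventory of definitions is the check that matters most in practice, because Rule 1 grants update access to anything that was never placed in a group.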