Creating User Profile Maps
This section provides an overview of user profile options and discusses how to:
Specify mandatory user properties.
Specify optional user properties.
Associate user IDs and user profile maps.
Understanding User Profile Options
If you are going to authenticate users with the directory server, a PeopleSoft user profile is still required. That is, a row is still required in the table in which PeopleSoft user information is stored (PSOPRDEFN). In this context, you cache LDAP user information inside your PeopleSoft system. The properties that you specify on the Mandatory and Optional User Properties pages are the columns in PSOPRDEFN that the system populates with values from your directory server. These values comprise your user profile options.
PeopleSoft applications use this cache of user information, not your directory server. Whenever a transaction requires user information, the application refers to the local PSOPRDEFN table as opposed to querying the directory server. This improves performance.
After a user signs in to the system and the Signon PeopleCode is carried out, PeopleSoft creates a row for that user in the user definition table by retrieving the LDAP information and creating a local cache. Signon PeopleCode maintains this row automatically; manual updates are not necessary. Any changes made in the directory server are reproduced in the local cache.
Some properties are required when creating a PeopleSoft User Profile; these properties appear on the Mandatory User Properties page. Other properties are optional; these properties appear on the Optional User Properties page.
Note: You must supply user properties to Signon PeopleCode only if you intend to authenticate users with your LDAP directory.
Specifying Mandatory User Properties
Access the Mandatory User Properties page (select Mandatory User Properties tab).and click the
Image: User Profile Map - Mandatory User Properties page
This example illustrates the fields and controls on the User Profile Map - Mandatory User Properties page.
- Authentication Map
Select the authentication map to associate with this user profile mapping. The server and connection information are taken from the authentication map.
Displays the status of the selected user profile map.
Note: Only one user profile map should be active at any time.
- Directory ID
Displays the directory ID associated with the authentication mapping.
- User ID Attribute
Specify the LDAP attribute used to populate the OPRID (user ID) field on PSOPRDEFN.
Important! If you specify a different value here than the Search Attribute value that you specified on the Authentication page, then users will not be able to switch to another application from the Go menu in PeopleSoft Windows clients such as Application Designer.
The second application expects to automatically authenticate a user with the value of %SignonUserId, the system variable that contains the user ID that was used to sign in. However, because the value of OPRID is different from the value of %SignonUserId, the authentication fails with an error message.
Users can still access any PeopleSoft Windows client by launching it directly and signing in using the same Search Attribute value for the user ID.
- ID Type
Enter the default ID type for new users, such as Employee ID, Customer ID, and so on. This field is similar to Symbolic ID.
- ID Type Attribute
Specifies the LDAP attribute in the directory that holds the selected ID value. For instance, the ID value might be Employee ID. Some ID types require additional data when creating a profile of that type. LDAP User Profile Management can retrieve that data from the LDAP directory if it is available.
- Use Default Role
Select this option if you want to use the default role. If you enable this option, the Default Role field becomes available for entry while the Role Attribute field becomes unavailable for entry. You either specify a default role or specify an LDAP attribute on the user entry that holds the valid name of a PeopleSoft role.
- Role Name
Enter the name of a default role to be assigned to new users. This value applies to users the first time that they sign in and have not had any roles dynamically assigned to them. Typically, this role has only basic access authorizations, such as for only the self-service pages. Users should get most of their permissions through dynamically assigned roles.
- Role Attribute
Instead of specifying only a single default role for each and every user, you can enter a value for the LDAP attribute that holds the name of a PeopleSoft role to be assigned to the user.
You can enable your application to automatically apply a role for the user. When signing in to the application, the user provides a value for the search attribute you specified in the authentication map. The system uses that attribute value to search for the user's entry in the LDAP directory, and then imports the groups containing the entry to the PSOPRDEFN table as the user's role.
To enable this automatic role import feature:
Define LDAP groups with names that exactly match the roles defined for your application and assign the user to groups.
Deselect the Use Default Role check box on this page.
Leave the Role Name and Role Attribute fields on this page blank.
- Use Default Language Code
Select if you do not maintain language codes in the directory.
- Language Code
If the default language code is not stored in the directory, select a default value from the drop-down list box.
- LangCD Attribute (language code default)
The name of the LDAP attribute containing a valid language code. The value retrieved from the attribute must be a valid PeopleSoft language code.
Specifying Optional User Properties
Access the Optional User Properties page (select Optional User Properties tab).and click the
Image: User Profile Map - Optional User Properties page
This example illustrates the fields and controls on the User Profile Map - Optional User Properties page.
- User Profile Property
Select the user profile property that you want to add to the local cache. These properties are described in the following table.
- Use Constant Value
To supply a constant value for each user, select this option.
- Attribute Name
Add the name of the attribute as it is represented in your LDAP schema.
- Constant Value
Appears only if you selected Use Constant Value.
- Always Update
Select this option if you always want the system to update the local user cache to reflect the data stored in the directory server every time the user signs in. If Always Update is not selected, the data will be taken from the directory only when the profile is first created.
Click the User Profile Property search button to select one of the following optional user profile properties:
If the user deals with international prices, set the currency code to reflect the native or base currency so that values appear in the currency with which the user is familiar.
Select if a user is part of your workflow system or you have other systems that generate emails for users.
Select if the user is set up to use PeopleSoft with multiple languages.
Displays the homepage permission list that is associated with PeopleSoft Workflow (Navigator Homepage).
PeopleSoft determines which data permissions to grant a user by examining the primary permission list and row security permission list. Which one is used varies by application and data entity (employee, customer, vendor, business unit, and so on). Consult your PeopleSoft application documentation for more details. PeopleSoft also determines mass change and definition security permissions from the primary permission list.
The process profile contains the permissions that a user requires for running batch processes through PeopleSoft Process Scheduler. For example, the process profile authorizes users to view output, update run locations, restart processes, and so on. Only the process profile comes from this permission list, not the list of process groups.
See explanation for the Primary Permission List field.
If the symbolic ID is required for the user, select this option.
Typically, displays the name of the user, such as an employee name or a vendor name.
In some cases, the user ID is an alias in the form of an email address. If so, select this option.
Associating User IDs and User Profile Maps
When a user is authenticated, a user profile must be created in the PeopleSoft database without a password. Every user profile map will be associated with an authentication map. When a user is logged in through a authentication map, the profile is updated with the values in the corresponding user profile map. All the information that populates the user profile comes from the user profile map. You can specify the role, languageCD, description, and so on in the user profile map.
The user ID of the profile that the system creates corresponds to the User Profile Map - User ID Attribute field, which contains an LDAP attribute name.
Consider an entry corresponding to the user sramdass in LDAP:
dn: uid=sramdass, dc=peoplesoft, dc=com cn: sramdass uid: sramdass123 description: peoplesoft user mail: firstname.lastname@example.org telephone: 12345678 objectclass: person password: PASSWORD
Authentication Map Search Attribute: cn
User Profile Map User ID Attribute:mail
You must log in as sramdass/PASSWORD, while the system creates the user profile with the name email@example.com.
Authentication Map Search Attribute: uid
User Profile Map User ID Attribute:telephone
You must log in as sramdass123/PASSWORD while the system creates the user profile with the name 12345678.
Note: The Search Attribute value in the authentication map and the User ID Attribute value in the user profile map need not be the same.