Understanding QAS SecurityThe application data tables available for QAS service operations use Query Security. This chapter provides an overview of QAS security and discusses:
QAS security service operations.
How to use QAS administration.
Understanding QAS SecurityThis section discusses the three parts that are included in QAS security:
Query security
Service Operation security
WS-Security
Process Profile
This section also discusses QAS security flow.
Query SecurityPeopleSoft Query uses query access group trees to control security of the tables in your PeopleSoft database. You define a hierarchy of record components, based on logical or functional groupings, and then give users access to one or more branches of the tree. Users can use PeopleSoft Query to retrieve information only from record definitions they have access to based on the query access tree assignment.
See Also
Service Operation Security
QAS service operations are delivered with User/Password Required enabled and WS Security Req Verification set to Encrypt and Digitally Sign or HTTPS..
Client applications using QAS service operations must either digitally encrypt and sign the request or send the request over HTTPS.
Service operations are secured by means of permission lists. PeopleSoft applications deliver the permission list PTPT2200 (QAS access), which has full access to all QAS service operations and the application engine program QASEXEQRY. The role QAS Admin contains the permission list PTPT2200. Any users assigned the role QAS Admin can access the QAS service operations.
WS-SecurityWeb services security (WS-Security) is implemented on the integration gateway for inbound and outbound integrations with third-party systems. QAS service operations use WS-Security.
See WS-Security.
Process ProfileThe service operation QAS_EXECUTEQRY_SYNCPOLL_OPER schedules the application engine program QASEXEQRY to run in Process Scheduler, therefore the user initiating the request must have permission to run QASEXEQRY in the Process Profile.
See QAS_EXECUTEQRYSYNCPOLL_OPER.
QAS Security FlowThis diagram illustrates the QAS request inbound flow from a third-party system in the Integration Broker:
QAS request from a third-party security flow
When any transaction arrives at the integration gateway, the PeopleSoft system checks for the existence of a WS-Security SOAP header. If it exists, the integration gateway validates the digital signature if it exists, and decrypts the UsernameToken and optional password to restore the user ID information to clear text format. The integration gateway then passes the user ID information, and UsernameToken password if provided by the sender, to the application server, where additional security processing is performed.
If a user name and password are supplied in the SOAP header, the user is validated in the PeopleSoft system.
If no user ID and password are supplied, the request is rejected.
The PeopleSoft system then validates whether the user's permission list grants access to the QAS service operation.
If the user is authorized to the service operation, then Query Access security is used and the request is processed.
QAS Security Service OperationsQuery access security is defined on permission lists. Roles contain one or more permission lists and the user is assigned roles. Several service operations are available that a third party can use to list roles and role users.
QAS_AUTHTOKEN_OPER
This service operation is used to retrieve the user ID for a PSToken. This service operation is used when a Business Object Enterprise (BOE) report is run through the Process Scheduler. The PSToken is sent in the HTTP header over HTTPS. BOE will use this service operation to determine the user ID requesting the report.
Request Message: QAS_AUTHTOKEN_REQ_MSG
|
Element Name |
Description |
|
PSTOKEN |
PeopleSoft authorization token. |
Example Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:⇒ qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_AUTHTOKEN_REQ_⇒ MSG.VERSION_1"> <soapenv:Header/> <soapenv:Body> <qas:QAS_AUTHTOKEN_REQ_MSG> <PSTOKEN>owAAAAQDAgEBAAAAvAIAAAAAAAAsAAAABABTaGRyAk4AbQg4AC4AMQAwABRKm1RLE0z⇒ Cq6JFYA⇒ oVWo7oKO6qVGMAAAAFAFNkYXRhV3icy2VgYGBhZmJkBNJ7mBjAgCuQwZXBhcGXwZ+BzZXBj8GdQQAkEs/g⇒ A⇒ xRxZnAE0iZGDAZAaMmgCySNgKQRgxmYbcqgByUNwaQlUMYQrNaAgQEAbO8LPQ==; http%3a%2f%2fple-⇒ in⇒ fodev-08.peoplesoft.com%3a8010%2fpsp%2fqedmo%2femployee%2fqe_local%2frefresh=list:⇒ ;⇒ HPTabName=DEFAULT</PSTOKEN> </qas:QAS_AUTHTOKEN_REQ_MSG> </soapenv:Body> </soapenv:Envelope>
Response Message: QAS_AUTHTOKEN_RESP_MSG
|
Element |
Description |
|
LoginUser |
Returns the user ID for the PSToken. |
Example Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:⇒ soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/⇒ 2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Body> <qss:QAS_AUTHTOKEN_RESP_MSG xmlns:qss="http://xmlns.oracle.com/Enterprise⇒ /Tools⇒ /schemas/QAS_AUTHTOKEN_RESP_MSG.VERSION_1"> <LoginUser>QEDMO</LoginUser> </qss:QAS_AUTHTOKEN_RESP_MSG> </soapenv:Body> </soapenv:Envelope>
QAS_LISTROLE_OPERUse this service operation to get a list of roles, along with descriptions.
Request Message: QAS_LISTROLE_REQ_MSG
|
Element name |
Description |
|
SearchString |
Search string used for specifying the role name or the first few characters of the role name. If no value is entered, all roles will be returned. This value is case-sensitive. |
Example Request:
This is an example of a request to select all roles that begin with QAS.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:⇒ qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLE_REQ_⇒ MSG.VERSION_1" xmlns:qas1="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_⇒ LISTROLE_REQ.VERSION_1"> <soapenv:Header/> <soapenv:Body> <qas:QAS_LISTROLE_REQ_MSG> <!--Zero or more repetitions:--> <qas:QAS_LISTROLE_REQ> <qas1:PTQASWRK class="R"> <!--Optional:--> <qas1:SearchString>QAS</qas1:SearchString> </qas1:PTQASWRK> </qas:QAS_LISTROLE_REQ> </qas:QAS_LISTROLE_REQ_MSG> </soapenv:Body> </soapenv:Envelope>
Response Message: QAS_LISTROLE_RESP_MSG
|
Element Name |
Description |
|
RoleName |
Role name. |
|
Description |
Role description. |
Example Response:
<?xml version="1.0"?> <QAS_LISTROLE_RESP_MSG xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_⇒ ⇒ ⇒ ⇒ LISTROLE_RESP_MSG.VERSION_1"> <QAS_LISTROLE_RESP> <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools⇒ /schemas/QAS_LISTROLE_RESP.VERSION_1"> <RoleName>QAS Admin</RoleName> <Description>QAS Administrators</Description> </PTQASWRK> </QAS_LISTROLE_RESP> </QAS_LISTROLE_RESP_MSG>
QAS_LISTUSERROLES_OPERUse this service operation to get a list of roles for a given user, along with descriptions.
Request Message: QAS_LISTUSERROLES_REQ_MSG
|
Element Name |
Description |
|
UserName Required element |
Complete user name. Required and case-sensitive. |
|
SearchString |
Search string used for specifying the role name or the first few characters of the role name. If no value is entered, all roles for the user will be returned. This value is case-sensitive. |
Example Request:
This is an example of a request to select all roles for the userPSADMIN.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:⇒ qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSERROLES_REQ_⇒ MSG.VERSION_1" xmlns:qas1="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_⇒ LISTUSERROLES_REQ.VERSION_1"> <soapenv:Header/> <soapenv:Body> <qas:QAS_LISTUSERROLES_REQ_MSG> <!--Zero or more repetitions:--> <qas:QAS_LISTUSERROLES_REQ> <qas1:PTQASWRK class="R"> <qas1:UserName>PSADMIN</qas1:UserName> <!--Optional:--> <qas1:SearchString></qas1:SearchString> </qas1:PTQASWRK> </qas:QAS_LISTUSERROLES_REQ> </qas:QAS_LISTUSERROLES_REQ_MSG> </soapenv:Body> </soapenv:Envelope>
Response Message: QAS_LISTUSERROLES_RESP_MSG
|
Element Name |
Description |
|
RoleName |
Role name. |
|
Description |
Role description. |
Example Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:⇒ soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org⇒ /2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <soapenv:Body> <QAS_LISTUSERROLES_RESP_MSG xmlns="http://xmlns.oracle.com/Enterprise/Tools⇒ /schemas/QAS_LISTUSERROLES_RESP_MSG.VERSION_1"> <QAS_LISTUSERROLES_RESP> <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools⇒ /schemas/QAS_LISTUSERROLES_RESP.VERSION_1"> <RoleName>PeopleSoft Administrator</RoleName> <Description>PeopleSoft Admin Privileges</Description> </PTQASWRK> </QAS_LISTUSERROLES_RESP> <QAS_LISTUSERROLES_RESP> <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools⇒ /schemas/QAS_LISTUSERROLES_RESP.VERSION_1"> <RoleName>PeopleSoft User</RoleName> <Description>PeopleSoft User</Description> </PTQASWRK> </QAS_LISTUSERROLES_RESP> </QAS_LISTUSERROLES_RESP_MSG> </soapenv:Body> </soapenv:Envelope>
QAS_LISTUSER_OPERUse this service operation to get a list of users, along with descriptions.
Request Message: QAS_LISTUSER_REQ_MSG
|
Element Name |
Description |
|
SearchString |
Search string used for specifying the user name or the first few characters of the user name. If no value is entered, all users will be returned. This value is case-sensitive. |
Example Request:
This is an example of a request to select all users that begin with PS.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"⇒ xmlns:qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSER_⇒ REQ_MSG.VERSION_1" xmlns:qas1="http://xmlns.oracle.com/Enterprise/Tools/schemas⇒ /QAS_LISTUSER_REQ.VERSION_1"> <soapenv:Header/> <soapenv:Body> <qas:QAS_LISTUSER_REQ_MSG> <qas:QAS_LISTUSER_REQ> <qas1:PTQASWRK class="R"> <!--Optional:--> <qas1:SearchString>PS</qas1:SearchString> </qas1:PTQASWRK> </qas:QAS_LISTUSER_REQ> </qas:QAS_LISTUSER_REQ_MSG> </soapenv:Body> </soapenv:Envelope>
Response Message: QAS_LISTUSER_RESP_MSG
|
Element Name |
Description |
|
UserName |
User name. |
|
Description |
User description. |
Example Response:
<?xml version="1.0"?> <QAS_LISTUSER_RESP_MSG xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_⇒ ⇒ ⇒ ⇒ LISTUSER_RESP_MSG.VERSION_1"> <QAS_LISTUSER_RESP> <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools⇒ /schemas/QAS_LISTUSER_RESP.VERSION_1"> <UserName>PSADMIN</UserName> <Description>PeopleSoft Administrator</Description> </PTQASWRK> </QAS_LISTUSER_RESP> </QAS_LISTUSER_RESP_MSG>
QAS_LISTROLEUSERS_OPERUse this service operation to get a list of users for a given role, along with descriptions.
Request Message: QAS_LISTROLEUSERS_REQ_MSG
|
Element Name |
Description |
|
RoleName Required element |
Complete role name. Required and case-sensitive. |
|
SearchString |
Optional search string used for specifying the user name or the first few characters of the user name. If no value is entered, all users for the role will be returned. This value is case-sensitive. |
Example Request:
This is an example of a request to select all users that begin with PS and have the role PeopleSoft Administration.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:⇒ qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLEUSERS_REQ_⇒ MSG.VERSION_1" xmlns:qas1="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_⇒ LISTROLEUSERS_REQ.VERSION_1"> <soapenv:Header/> <soapenv:Body> <qas:QAS_LISTROLEUSERS_REQ_MSG> <!--Zero or more repetitions:--> <qas:QAS_LISTROLEUSERS_REQ> <qas1:PTQASWRK class="R"> <qas1:RoleName>PeopleSoft Administrator</qas1:RoleName> <!--Optional:--> <qas1:SearchString>PS</qas1:SearchString> </qas1:PTQASWRK> </qas:QAS_LISTROLEUSERS_REQ> </qas:QAS_LISTROLEUSERS_REQ_MSG> </soapenv:Body> </soapenv:Envelope>
Response Message: QAS_LISTROLEUSERS_RESP_MSG
|
Element Name |
Description |
|
UserName |
User name. |
|
Description |
User description. |
Example Response:
<?xml version="1.0"?> <QAS_LISTROLE_RESP_MSG xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_⇒ ⇒ ⇒ ⇒ LISTROLE_RESP_MSG.VERSION_1"> <QAS_LISTROLE_RESP> <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools⇒ /schemas/QAS_LISTROLE_RESP.VERSION_1"> <RoleName>QAS Admin</RoleName> <Description>QAS Administrators</Description> </PTQASWRK> </QAS_LISTROLE_RESP> </QAS_LISTROLE_RESP_MSG>
QAS_LOGIN_OPERThis service operation is available for a client application to sign on to the PeopleSoft database and use QAS service operations to create and execute queries.
To use this service operation, the user must install and configure certificates.
See Understanding SSL/TLS and Digital Certificates.
Request Message: QAS_LOGIN_REQ_MSG
|
Element Name |
Description |
|
UserVerificationAttempt |
Do not enter a value. |
Example Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:⇒ qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LOGIN_REQ_MSG.VERSION_1"> <soapenv:Header/> <soapenv:Body> <qas:UserVerificationAttempt></qas:UserVerificationAttempt> </soapenv:Body> </soapenv:Envelope>
Response Message:
|
Element Name |
Description |
|
IsValidUser |
Returns Y if the user is validated. |
Example Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:⇒ soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/⇒ 2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001⇒ /XMLSchema-instance"> <soapenv:Body> <qss:QAS_LOGIN_RESP_MSG xmlns:qss="http://xmlns.oracle.com/Enterprise/Tools/⇒ schemas/QAS_LOGIN_RESP_⇒ MSG.VERSION_1"> <isValidUser>Y</isValidUser> </qss:QAS_LOGIN_RESP_MSG> </soapenv:Body> </soapenv:Envelope>
Using QAS AdministrationThe QAS Administration page is used to monitor QAS query execution. To access the QAS administration page, the user must have permission to access the QAS Administration page (PSQASADMIN).
After executing a query, the client application is responsible for canceling the query, which will delete the row from the PSQASRUN table. If the rows are not deleted by the client application, the QAS Administrator can delete the rows using the QAS Administration page.
To access the QAS Administration page, select PeopleTools, Utilities, Administration, QAS Administration (PSQASADMIN).
This page displays the run status for QAS service operations that execute queries on the PeopleSoft system. Depending on the execution type and output format, you will see various run statuses.
This table lists the run statuses by output format.
|
Output Format |
Status |
Description |
|
FILE |
running |
The report is running in Process Scheduler. |
|
FILE |
posting |
The report was posted to the report repository. |
|
FILE or NONFILE |
error |
The query encountered an error. If the query does not exist or the user does not have access to the query, an error will occur. |
|
NONFILE |
success |
The query data is stored in the Integration Broker runtime tables. |
Use the Clear button to delete entries from the page.