Security Administration OverviewThis chapter provides overviews of PeopleSoft Enterprise security administration and security administration integrations and discusses security administration implementation.
Security Administration OverviewThis section discusses:
User security.
Lightweight Directory Access Protocol (LDAP).
Authentication and single signon.
Data Encryption.
Query and definition security.
PeopleSoft personalizations.
User SecurityUser security is the core of security administration in PeopleSoft applications. You administer user security using several basic elements.
To establish appropriate user access:
Define permission lists.
Permission lists are the building blocks of user security authorization. A permission list grants a degree of access to a particular combination of PeopleSoft elements, specifying pages, development environments, time periods, administrative tools, personalizations, and so on.
This level of access should be appropriate to a narrowly defined and limited set of tasks, which can apply to a variety of users with a variety of different roles. These users might have overlapping, but not identical, access requirements.
You typically define permission lists before you define roles and user profiles. When defining permission lists, however, consider the roles that you will use them with.
Define roles.
A role is a collection of permission lists. You can assign one or more permission lists to a role. The resulting combination of permissions can apply to all users who share those access requirements. However, the same group of users might also have other access requirements that they don't share with each other. You can assign a given permission list to multiple roles.
You typically define roles after first defining their permission lists, and before defining user profiles. You use roles to assign permissions to users dynamically.
See Setting Up Roles.
Define user profiles.
A user profile is a definition that represents one PeopleSoft user. Each user is unique; the user profile specifies a number of user attributes, including one or more assigned roles. Each role that's assigned to a given user profile adds its permission lists to the total that apply to that user.
You typically define user profiles after defining their roles. You can assign a given role to multiple user profiles. It's worthwhile to define a set of roles that you're confident can be assigned to user profiles that you'll create in the future.
LDAPLDAP is an internet protocol used to access a directory listing. Organizations typically store user profiles in a central repository, or directory server, that serves user information for all of the programs that require it. If your existing computer network uses an LDAP V3 compliant directory server, PeopleSoft supports the use of that server for managing user profiles and authenticating users. PeopleSoft enables you to integrate your authentication scheme for PeopleSoft with your existing infrastructure.
You always maintain permission lists and roles using PeopleSoft security. However, you can maintain user profiles in PeopleSoft security or reuse user profiles and roles that are already defined within an LDAP directory server. A directory server enables you to maintain a single, centralized user profile that you can use across all of your PeopleSoft and non-PeopleSoft applications. This approach reduces redundant maintenance of user information stored separately throughout your enterprise, and reduces the possibility of user information getting out of synchronization.
You can configure and extend your Signon PeopleCode to work with any schema implemented in your directory server. You can assign roles to users manually or assign them dynamically. When assigning roles dynamically, you use PeopleCode, LDAP, and PeopleSoft Query rules to assign user profiles to roles programmatically.
See Employing LDAP Directory Services.
Authentication and Single SignonPeopleSoft delivers the most common authentication solutions and packages them with your PeopleSoft application. This saves you the trouble of developing your own solutions and saves you time with your security implementation. These prepackaged solutions include PeopleCode that supports basic sign in through HTTP over SSL/TLS (HTTPS), LDAP authentication, and single signon.
Because PeopleSoft applications are designed for internet deployment, many sites must take advantage of the authentication services that exist at the web server level. PeopleSoft takes advantage of HTTPS, SSL/TLS, and digital certificates to secure the transmission of data from the web server to an end user's web browser and also to secure the transmission of data between PeopleSoft servers and third-party servers (for business-to-business processing) over the internet.
PeopleSoft applications support these types of single signon:
Among PeopleSoft applications.
A user can signon and be authenticated by one PeopleSoft application server and then, that user can access other PeopleSoft application servers without entering an ID or a password. Although the user is actually accessing different applications and databases, the user navigates seamlessly through the system. Recall that each suite of PeopleSoft applications, such as HCM or CRM, resides in its own database.
Between PeopleSoft and Oracle applications.
A user can sign in to either system and freely access the other without having to sign in to the second system.
Between the desktop and PeopleSoft applications.
A user can sign in to their computer network and be authenticated by their network credentials and then, that user can freely access all PeopleSoft applications. This is desktop single signon.
See Employing Signon PeopleCode and User Exits, Implementing Single Signon, Implementing Kerberos as the Desktop Single Signon Solution.
Data Encryption Data security comprises the following elements:
Privacy—keeping data hidden from unauthorized parties.
Privacy is normally implemented with some type of encryption. Encryption is the scrambling of information such that no one can read it unless they have a piece of data known as a key.
Integrity—keeping transmitted data intact.
Integrity can be accomplished with simple checksums or, better, with more complex cryptographic checksums known as one-way hashes, and often with digital signatures as well.
Authentication—verifying the identity of an entity that's transferring data.
Authentication can be accomplished using passwords, or with digital signatures, which are by far the most popular and most reliable method of authentication.
PeopleSoft Encryption Technology (PET) provides a way for you to use hashes and digital signatures to secure critical PeopleSoft data and communicate securely with other businesses. It enables you to extend and improve cryptographic support for your data in PeopleTools, giving you strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data. PeopleSoft delivers PET with support for the OpenSSL and PGP encryption libraries.
To implement PET:
Load the algorithms of an encryption library into the PET database.
Generate accompanying encryption keys, and insert them into the PET keystore.
Define a sequence, or chain, of algorithms by selecting from all the algorithms in the database.
Define an encryption profile, which is an instance of an algorithm chain applicable to a specific encryption task.
Write PeopleCode to invoke the encryption profile.
Note. Along with the delivered OpenSSL and PGP encryption libraries, a PeopleSoft database may also contain encryption keys for internal use of the PeopleCode Crypt class. These encryption keys do not need to be modified.
See Securing Data with PeopleSoft Encryption Technology.
Query and Definition SecurityYou use PeopleSoft Query to build SQL queries and retrieve information from application tables. For each PeopleSoft Query user, you can specify the records the user is allowed to access when building and running queries. You do this by creating query access groups in PeopleSoft Tree Manager, and then assigning users to those groups with PeopleSoft Query security. PeopleSoft Query security is enforced only when using PeopleSoft Query; it doesn’t control runtime page access to table data.
Use Definition Security to govern access to PeopleSoft Application Designer definitions, such as record definitions, field definitions, and page definitions, and to protect particular definitions from being modified by developers.
See Implementing Query Security, Implementing Definition Security.
PeopleSoft PersonalizationsPeopleSoft offers a variety of options that enable end users, especially power users, to configure certain aspects of their PeopleSoft environment to produce a more personalized interface. These options improve a user’s navigation speed through the system and enable users to select international preferences, such as date and time formats.
You define, group, and categorize personalization options, then use permission lists to control access to them. Users with access to a personalization option can control it through the My Personalizations menu.
See Managing PeopleSoft Personalizations.
Security Administration Integration Points
This section identifies the security integration points using:
Component interfaces.
Service operations.
Application Engine programs.
Component Interfaces
This section describes component interfaces that are delivered with PeopleSoft applications that you can use to manage and administer user profiles and roles.
The DELETE_ROLE component interface is based on the Delete Role (PURGE_ROLEDEFN) component, and it is used to purge roles. It is keyed by RoleName and has the Get, Find, Save, and Cancel methods. The DELETE_ROLE service operation calls this component interface.
The DELETE_USER_PROFILE component interface is based on the Purge Inactive User Profile (PURGE_USR_PROFILE) component, and it is used to remove unused User Profiles. It is keyed by User ID and has the Get, Find, Save, and Cancel methods. The DELETE_USER_PROFILE service operation and the PURGEOLDUSRS Application Engine program call this component interface.
The ROLE_MAINT component interface is based on the Roles (ROLEMAINT) component. It is keyed by RoleName and has the Cancel, Create, Find, Get, and Save methods.
This component interface is based on the My System Profile (USERMAINT_SELF) component. It allows only the current user to access it.
The USERMAINT_SELF component interface is used with the following components: Forgot My Password (EMAIL_PSWD), Change Password (CHANGE_PASSWORD), and Change Expired Password (EXPIRE_CHANGE_PSWD).
The USER_PROFILE component interface is based on the User Profiles (USERMAINT) component. It is keyed by User ID.
The USER_PROFILE component interface is used in User Profile Save As (USER_SAVEAS) and with LDAP authentication.
USER_PROFILE_SYNC
The USER_PROFILE_SYNC component interface is based on the User Profiles (USERMAINT) component. It is keyed by User ID and has the Cancel, Get, and Save methods.
The USER_PROFILE_SYNC component interface is used in User Profile Save As (USER_SAVEAS) and with LDAP authentication.
See Also
Understanding Component Interfaces
Service Operations
This section describes service operations that are delivered with PeopleSoft applications that you can use to manage and administer user profiles and roles.
Keep the following in mind when dealing with these security service operations, except the USER_PROFILE_XFR service operation:
Each service operation has a same-named service definition.
The service operations are asynchronous one-way.
A same-named message is defined in each service operation definition.
At least one handler is defined within each service operation definition, if the node is supposed to consume an inbound service operation.
This service operation is called from the Delete Role component. It is used to delete a role from subscribing databases. The service operation requires that the DELETE_ROLE component interface be authorized.
This service operation is called from the Delete User Profile component. It is used to delete a user profile from subscribing databases. This service operation requires that the DELETE_USER_PROFILE component interface be authorized.
This service operation is published when a Dynamic Role rule is run. It is called after the DYNROL_PUBL application engine program successfully finishes.
Note. As of release 8.49, the ROLESYNCH_MSG service operation is deprecated and replaced with ROLESYNCHEXT_MSG service operation.
This service operation publishes new roles and updates existing roles in the Roles component.
This service operation publishes user profile messages when adds, updates, and deletes occur through the User Profiles component (USERMAINT), the User Profile Save As component, the My System Profile component (USERMAINT_SELF), the Distributed User Profile component (USERMAINT_DIST), the USER_PROFILE component interface, and the USERMAINT_SELF component interface.
User Profile messages may also be published when Password is changed through the Change My Password component (CHANGE_PASSWORD) or Expired Password component (EXPIRE_CHANGE_PSWD) by triggering the USERMAINT_SELF component interface.
This service operation changes the shape of the inbound USER_PROFILE.VERSION_84 message to an internal shape that you configure based on your needs for partial user profile synchronization.
See Also
Application Engine Programs
This section describes the Application Engine programs that designed for use in your security implementation.
The DYNROLE Application Engine program is called when Dynamic Role Rules are executed for a single user from the User Profile component.
You run this program from the Roles page in the Roles component. You can also schedule this program to run as needed through Process Scheduler.
The DYNROLE_PUBL Application Engine program is called when Dynamic Role Rules are executed for a single role from the Role component.
You run this program from the Roles page in the Roles component. You can also schedule this program to run as needed through Process Scheduler.
DYNROLE_SYNC
The DYNROLE_SYNC Application Engine program is designed to run in synchronous mode and is primarily used for the Role Maintenance Component Interface.
The PURGEOLDUSRS Application Engine program deletes users who have not signed on within a period specified in Password Controls.
You run this program by selecting PeopleTools, Security, User Profiles, Purge Inactive User Profiles or by selecting PeopleTools, Security, Password Configuration, Password Controls, and then clicking the Schedule button under Purge Inactive User Profiles. You can also schedule this program to run as needed through Process Scheduler.
Application Engine Program that puts the LDAP Schema definition into the PeopleSoft database.
You run this program by selecting PeopleTools, Security, Directory, Cache Directory Schema.
Application Engine program used to import and export data to and from the LDAP directory into or from a PeopleSoft table. The process is based on an LDAP map.
You run this program by selecting PeopleTools, Security, Directory, Authentication Map.
The USER_SYNC Application Engine program synchronizes user profiles between databases using the USER_PROFILE message. You set up this program on the database that you configured to send or publish user profile information. Once you have set up the program, click Run.
To set up this program, create a new request and enter the following information on the Application Engine Request page:
Program Name: USER_SYNC.
State Record: AE_USRSYNC_AET
Sample Application Engine program used to transform outbound USER_PROFILE messages to conform to shapes acceptable to the subscribing nodes. This program transforms USER_PROFILE.VERSION_84 into message shape - USER_PROFILE.VERSION_81X
See Also
Understanding Application Engine
Security Administration ImplementationThis section discusses:
Preparing to use PeopleSoft security.
Administering security from applications.
Reviewing and monitoring your security implementation.
Preparing to Use PeopleSoft Security
The functionality of security administration for your PeopleSoft applications is delivered as part of the standard installation of PeopleTools, which is provided with all PeopleSoft products.
To start administering security, install your PeopleSoft application according to the installation guide for your database platform.
Other Sources of Information
This section provides information to consider before you begin to manage your data. In addition to implementation considerations presented in this section, take advantage of all PeopleSoft sources of information, including the installation guides, release notes, and PeopleBooks.
Administering Security from Applications
If you administer security information outside of the PeopleSoft security interface, for example, using application-specific pages to define application security, then you have the option of modifying the PeopleSoft security pages to include links to those application-specific pages. These links provide administrators a convenient way to access application-specific security pages without having to spend time navigating to them.
You add the extra security links from a browser by selecting PeopleTools, Security, Security Objects, Security Links. You can add links to the User Profiles component, My System Profile page, the Role component, or the Permission List (ACCESS_CNTRL_LISTX) component. To add links to a security profile, select the appropriate page in the Security Links (SEC_OTHER_SETTINGS) component and add the link information for the target page. After you save the link information, the link appears on the Links page for the appropriate security profile.
|
Enables you to activate and deactivate links. Only those links with the Active Flag selected appear for system users. |
|
|
Description |
Add a description of the page that contains the extra security information. This description is the text that appears on the Links page for the security profile. |
|
Menu Name |
From the drop-down list, add the menu name. This value is the application in which the page resides, such as Administer HR Security. |
|
Menu Bar Name |
From the drop-down list, add the menu bar name, such as Use, Setup, Process, and so on. |
|
Bar Item Name |
From the drop-down list, add the bar item name. For example, the bar item name for this page is Security Links. |
|
Item Name |
From the drop-down list, add the item name. For example, the item names for this component are User, Role, My Profile, and Permission List. |
|
After you have added all the appropriate information, use this link to test the security link. If it does not work correctly, double-check your selections for the previous options. |
To add a Security Link:
Select PeopleTools, Security, Security Objects, Security Links.
Select the security profile type (user, role, or permission list) to which you want to add extra links.
If links exist, click the plus sign button to add a new row.
Add the appropriate link information (Menu Name, Menu Bar name, and so on).
After you enter the appropriate link information, click Test to make sure the link points to the correct target.
Save your work.
Note. If you need to migrate the security links setup data from one database to another, you can use the following Data Mover scripts: SECOTHER_EXPORT.DMS and SECOTHER_IMPORT.DMS. These scripts reside in the PS_HOME\scripts directory.
Reviewing and Monitoring Your Security ImplementationPeopleSoft provides a collection of predefined queries that enable you to review, monitor, and audit system access by user, role, and permission list so that you can detect discrepancies. The Common Queries page enables you to run the following sets of queries:
User ID queries.
Role queries.
Permission list queries.
PeopleTools objects queries.
Definition Security queries.
Access log queries.
To run a query, click the link, enter the appropriate criteria (such as User ID), and click View Results.