Administering User Profiles

This chapter provides an overview of user profiles and discusses how to:

 

Understanding User Profiles

User profiles define individual PeopleSoft users. You define user profiles and then link them to one or more roles. Typically, a user profile must be linked to at least one role to be a usable profile. The majority of values that make up a user profile are inherited from the linked roles.

Note. A user profile may have no roles; for example, a user who is not allowed access to the PeopleSoft application but to whom you still want workflow-generated email sent.

You define user profiles by entering the appropriate values on the user profile pages. The user profile contains values that are specific to a user, such as a user password, an email address, an employee ID, and so on.

The user ID and description appear at the top of each page to help you recall which user profile you are viewing or modifying as you move through the pages.

Setting Up Access Profiles

This section provides an overview of access profiles and discusses how to:

Understanding Access Profiles

Every user profile must be assigned to an access profile, by way of a Symbolic ID. The Access ID consists of a relational database management system (RDBMS) ID and a password. Access profiles provide the necessary IDs and passwords for the database logon operations that occur in the background. Access IDs are used:

Users signing in to the system through PeopleSoft Pure Internet Architecture take advantage of the Access ID that the application server used for connecting to the database.

Access profiles enable you to minimize the number of users who need to know system administrator passwords. In fact, only one person needs to know these passwords. That person can create the required access profiles—by providing the necessary passwords when prompted—and all other security administrators can assign users to the predefined access profiles. The Access ID and password are encrypted in the database in the PSACCESSPRFL table.

Before you begin creating your user profiles, roles, and permission lists, you need to set up your access profiles in the database. Ultimately, the access profile is the profile that your users use to connect to your PeopleSoft database. Without being associated with an access profile, users cannot sign in, even with a test ID. This association is by way of the symbolic ID, which is a proxy ID for the Access ID and Access password.

The ID that you use must be defined at the RDBMS level as a valid RDBMS ID. You do not use PeopleSoft or PeopleTools software to create an RDBMS ID; create it using the utilities and procedures defined by your RDBMS platform. After you create the RDBMS ID, use the PeopleTools access profiles utility to link your RDBMS ID to the access profile. This profile is created when you first install your database.

Using the Access Profiles Dialog Box

Access the Access Profiles dialog box in Application Designer (Tools, Miscellaneous Definitions, Access Profiles).

Close

Click to exit this dialog box.

New

Click to create a new access profile definition.

Edit

Click to edit an access profile definition.

Delete

Click to delete an access profile definition.

Setting Access Profile Properties

When you create or modify an Access Profile using the Access Profiles dialog, you need to understand the properties that comprise an access profile. After reading this section, you will be familiar with these properties.

Access the Add Access Profile dialog box (click the New button in the Access Profiles dialog box).

Symbolic ID

Enter the Symbolic ID that is used to retrieve the encrypted ACCESSID and ACCESSPSWD from PSACCESSPRFL. For your initial installation, set it equal to the database name.

Access Profile ID

Enter the Access Profile ID, which must be a valid RDBMS ID with system administrator privileges and must match the associated RDBMS ID. The system assumes that the RDBMS ID that you enter is the same as the Access Profile ID.

The Access Profile ID must be a different logon ID than the User ID. Logic within PeopleTools ensures that if Access ID = User ID, then PeopleTools does not log off and log on again, nor does the system issue a SET CURRENT SQLID = ‘owner ID’.

Note. In DB2 terminology, Access ID is a primary ID and Owner ID is a secondary Auth ID. If the Access ID does not equal the Owner ID, then secondary authorization security exists in DB2 to issue a SET CURRENT SQLID command. DB2 will qualify tables (required) with the Owner ID provided by SET CURRENT SQLID statements issued by the PeopleSoft software. If the Access ID equals the Owner ID, then the secondary authorization exits are not required. DB2 will qualify the table name with the Access ID.

Access Password

Enter the password associated with your RDBMS ID/Access Profile ID, which is the password that the Access ID uses to sign in to the database.

Working with Access Profiles

This section discusses how to create a new Access Profile definition, change an Access Profile password, and delete an Access Profile in the PeopleSoft system.

To create a new Access Profile definition:

  1. In PeopleSoft Application Designer, select Tools, Miscellaneous Definitions, Access Profiles.

    The Access Profiles dialog box appears.

  2. Click New.

    The Add Access Profile dialog box appears.

    This dialog box prompts you for the Symbolic ID, name, and password of the new access profile.

  3. Enter a Symbolic ID.

    The Symbolic ID is used as the key to retrieve the encrypted ACCESSID and ACCESSPSWD from PSACCESSPRFL.

  4. Enter an Access Profile ID.

    This ID must be a valid RDBMS ID with system administrator privileges.

  5. Enter and confirm a password.

    The access password is the password string for the RDBMS ID/Access Profile ID. The Confirm Password field is required, and its value must match that of the Access Password field.

  6. Click OK.

Note. You should use only one Access ID for your system. Some RDBMSs do not permit more than one database table owner. If you create more than one Access ID, additional steps may be required to ensure that this ID has the correct rights to all PeopleSoft system tables.

To change an Access Profile password:

  1. In Application Designer, select Tools, Miscellaneous Definitions, Access Profiles.

    The Access Profiles dialog box appears.

  2. In the Access Profiles: list, highlight the profile that you want to modify, and click Edit.

    The Change Access Profile dialog box appears.

    This dialog box prompts you for the old password, the new password, and then a confirmation of the new password for the access profile.

  3. Enter and confirm the new password.

    The access password is the password string for the ID. The Confirm Password field is required, and its value must match that of the Access Password field.

  4. Click OK.

To delete an Access Profile:

  1. Select Tools, Miscellaneous Definitions, Access Profiles.

    The Access Profiles dialog box appears.

  2. Highlight the access profile that you want to remove, and click Delete.

    You are prompted to confirm the deletion.

    Click Yes at the prompt dialog box if you want to delete the selected access profile.

Important! Make sure you don't delete the only available Access ID or you will not be able to log on to PeopleSoft software in any capacity.
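An added example (not part of the original documentation and not Oracle code): a pre-change check for the two failure modes this section describes, user profiles whose symbolic ID resolves to no access profile and deletion of the only access profile. It models PSOPRDEFN and PSACCESSPRFL in an in-memory SQLite database with constructed rows; the SYMBOLICID column name, the sample IDs, and the function names are assumptions.

```python
import sqlite3

# Constructed sample data. The table names come from the page; the SYMBOLICID
# column name and the SQLite column types are assumptions for this sketch.
SCHEMA_AND_ROWS = """
CREATE TABLE PSACCESSPRFL (
    SYMBOLICID TEXT PRIMARY KEY,
    ACCESSID   TEXT NOT NULL,   -- stored encrypted; treated as opaque here
    ACCESSPSWD TEXT NOT NULL    -- stored encrypted; treated as opaque here
);
CREATE TABLE PSOPRDEFN (
    OPRID      TEXT PRIMARY KEY,
    SYMBOLICID TEXT NOT NULL
);
INSERT INTO PSACCESSPRFL VALUES ('HRDEMO', '<opaque>', '<opaque>');
INSERT INTO PSOPRDEFN VALUES
    ('ASMITH', 'HRDEMO'),
    ('BJONES', 'HRDEMO'),
    ('CLEE',   'HRTEST'),   -- references a symbolic ID with no access profile
    ('DKIM',   '');         -- never assigned a symbolic ID
"""


def demo_connection():
    """Return an in-memory database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA_AND_ROWS)
    return con


def users_without_access_profile(con):
    """User profiles whose symbolic ID resolves to no access profile."""
    rows = con.execute(
        """
        SELECT u.OPRID, u.SYMBOLICID
        FROM PSOPRDEFN u
        LEFT JOIN PSACCESSPRFL a ON a.SYMBOLICID = u.SYMBOLICID
        WHERE a.SYMBOLICID IS NULL
        ORDER BY u.OPRID
        """
    ).fetchall()
    return [tuple(row) for row in rows]


def deletion_blockers(con, symbolic_id):
    """Reasons not to delete the access profile keyed by symbolic_id."""
    exists = con.execute(
        "SELECT COUNT(*) FROM PSACCESSPRFL WHERE SYMBOLICID = ?", (symbolic_id,)
    ).fetchone()[0]
    if not exists:
        return ["no such access profile"]
    blockers = []
    total = con.execute("SELECT COUNT(*) FROM PSACCESSPRFL").fetchone()[0]
    if total == 1:
        blockers.append("it is the only access profile")
    dependents = con.execute(
        "SELECT COUNT(*) FROM PSOPRDEFN WHERE SYMBOLICID = ?", (symbolic_id,)
    ).fetchone()[0]
    if dependents:
        blockers.append(f"{dependents} user profile(s) still reference it")
    return blockers


if __name__ == "__main__":
    con = demo_connection()
    for oprid, symbolic_id in users_without_access_profile(con):
        print(f"{oprid}: symbolic ID {symbolic_id!r} has no access profile")
    print("HRDEMO blockers:", deletion_blockers(con, "HRDEMO"))
```

The check never reads or decrypts ACCESSID or ACCESSPSWD; it only joins on the symbolic ID.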

Setting Up User Profile Types

This section provides an overview of user profile types and discusses how to define user profile types.

Understanding User Profile Types

When deploying your applications to the internet, you potentially can generate thousands of different user profiles. In some situations, you may need to aggregate your user profiles by category. For example, ID types enable you to use employee ID numbers that begin at 1 as well as customer ID numbers that begin at 1.

User profile types also provide a way to link user profiles with data stored in application-specific records. PeopleSoft applications primarily need this link for self-service transactions. For example, you want employees to see only their own benefits, or you want customers to view and pay only their own bills. Customer ID, Employee ID, and so on are the keys for the application data. User profile types enable the system to find the correct ID based on the user profile. The system needs the value because personal data and vendor contact data may have the same key field. Because personal data and vendor contact data reside in different records, no edit exists that will prevent the two records from having the same key.

This table lists the profile types that PeopleSoft delivers:

| ID Type | Description |
| --- | --- |
| BID | Bidder |
| CNT | Customer Contact |
| CST | Customer |
| EJA | External Job Applicant |
| EMP | Employee |
| NON | None |
| ORG | Organization ID |
| PER | Person (CRM) |
| VND | Vendor |
| PTN | Partner |

Page Used to Set Up User Profile Types

| Page Name | Definition Name | Navigation | Usage |
| --- | --- | --- | --- |
| User Profile Types | PSOPRALIASTYPE | PeopleTools, Security, Security Objects, User Profile Types | Define user profile types. |

Defining User Profile Types

Access the User Profile Types page (PeopleTools, Security, Security Objects, User Profile Types).

ID Type

Displays the abbreviated form of the profile type name.

Description

Enter a name for the profile type that is no more than 30 characters. This value appears on the ID page in the User Profiles component.

Enabled?

Select this check box to enable a profile type. When selected, you can assign the profile type to user profiles. When deselected, the profile type does not appear in the Profile Type drop-down list box on the User Profile - ID page.

Note. Do not enable the ID type until the fields and tables in the Field Information section are defined and built using Application Designer.

Sequence Number

The SetUserDescr( ) function uses this value.

After you assign one or more ID types on the User Profiles - ID page, click the Set Description link and the SetUserDescr( ) function automatically retrieves the value of the recordfield that you reference in the Edit Table and Description Fieldname fields on the User Profile Types page. If you assign multiple ID types, the sequence number determines which user profile type to use. The function looks to the user profile type with the lowest sequence number and checks for the presence of a value in the description field. If no value exists, the function moves to the next higher sequence number. For example, if you assign a user both the Employee (seq no 1) and Customer Contact (seq no 3) ID types, then the function first looks to the Employee user profile type and retrieves the value in the PERSONAL_DATA.NAME field. If the PERSONAL_DATA.NAME field contains no value, the function looks to the Customer Contact ID type and retrieves the value from the CONTACT.NAME1 field.

Note. For user types that list multiple fields, the system uses the Description Fieldname of the last field in the field list. For example, the Customer Contact user profile type lists two fields: SETID and CONTACT_ID. The set user description function uses the Description Fieldname CONTACT.NAME1 corresponding to the last field, CONTACT_ID.
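The sequence-number fallthrough described above, modeled in Python as an added example (it is not PeopleTools code and not part of the original documentation). The record and field names PERSONAL_DATA.NAME, CONTACT.NAME1, SETID and CONTACT_ID and the sequence numbers 1 and 3 come from the page; the EMPLID key name, the sample rows, the row lookup by key match, the treatment of a blank string as "no value", and all Python names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyField:
    edit_table: str    # Edit Table column: record holding the valid ID values
    field_name: str    # Field Name column: key the ID page prompts for
    descr_field: str   # Description Fieldname, written RECORD.FIELD


@dataclass(frozen=True)
class ProfileType:
    id_type: str
    sequence: int
    fields: tuple      # KeyField entries in the order listed on the page


# Sequence numbers and description fields follow the page's example.
PROFILE_TYPES = {
    "EMP": ProfileType("EMP", 1, (
        KeyField("PERSONAL_DATA", "EMPLID", "PERSONAL_DATA.NAME"),
    )),
    "CNT": ProfileType("CNT", 3, (
        # Not consulted: only the last field's Description Fieldname is used.
        KeyField("CONTACT", "SETID", ""),
        KeyField("CONTACT", "CONTACT_ID", "CONTACT.NAME1"),
    )),
}

# Constructed rows standing in for the application records.
RECORDS = {
    "PERSONAL_DATA": [
        {"EMPLID": "1001", "NAME": "Sawyer,Tom"},
        {"EMPLID": "1002", "NAME": " "},   # row exists, description is blank
    ],
    "CONTACT": [
        {"SETID": "SHARE", "CONTACT_ID": "1002", "NAME1": "Becky Thatcher"},
    ],
}


def lookup(records, record, keys):
    """Return the first row of `record` that matches every key, else None."""
    for row in records.get(record, []):
        if all(row.get(name) == value for name, value in keys.items()):
            return row
    return None


def resolve_user_description(assigned, profile_types=PROFILE_TYPES,
                             records=RECORDS):
    """Return (id_type, description) from the lowest sequence number that
    yields a non-blank description, or None if no assigned type has one.

    `assigned` maps each ID type on the user's ID page to its key values.
    """
    ordered = sorted(assigned, key=lambda t: profile_types[t].sequence)
    for id_type in ordered:
        last_field = profile_types[id_type].fields[-1]
        record, column = last_field.descr_field.split(".")
        row = lookup(records, record, assigned[id_type])
        value = (row or {}).get(column, "").strip()
        if value:
            return id_type, value
    return None


if __name__ == "__main__":
    user = {
        "CNT": {"SETID": "SHARE", "CONTACT_ID": "1002"},
        "EMP": {"EMPLID": "1002"},
    }
    # EMP (sequence 1) is tried first, is blank, so CNT (sequence 3) supplies it.
    print(resolve_user_description(user))
```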

Long Description

Enter details about a profile type. The maximum length of this field is 250 characters.

Field Information

The fields that you select enable the User Profiles component to prompt for an ID value when you select a type on the ID page. For example, if the user selects the Employee ID type from the User Profiles - ID page, the system must know the table that contains the valid ID values to display to the user when the user clicks the prompt button. The Edit Table column specifies the record, and the Field Name column specifies the field. You can specify multiple fields if the ID has multiple keys, as is the case of the Customer user profile type where the keys for customer information are SETID and CUST_ID.

Working With User Profiles

This section discusses how to:

Creating a New User Profile

To create a new user profile:

  1. Select PeopleTools, Security, User Profiles, User Profiles to access the Find Existing Values page.

  2. Click Add a New Value.

  3. On the Add a New Value page, enter the new user ID in the User ID field and click Add.

    The user ID can contain up to 30 characters. The name that you specify cannot contain white space or any of the following characters:

    ; : & , < > \ / " [ ] ( )

    Also, you cannot create a user ID named PPLSOFT; this user ID is reserved for use within PeopleTools.

  4. Specify the appropriate values from the pages in the User Profiles component (USERMAINT), and click Save.
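The user ID rules in step 3, written as a pre-flight check for a bulk provisioning feed. This is an added example, not PeopleTools code or part of the original documentation; the function names, the sample feed, and the case-insensitive match on the reserved name are assumptions.

```python
MAX_USER_ID_LENGTH = 30
# The characters the page lists as not allowed: ; : & , < > \ / " [ ] ( )
FORBIDDEN_CHARACTERS = frozenset(';:&,<>\\/"[]()')
RESERVED_USER_IDS = frozenset({"PPLSOFT"})


def user_id_problems(user_id):
    """Return every rule the candidate ID breaks; an empty list means it passes."""
    if not user_id:
        return ["empty"]
    problems = []
    if len(user_id) > MAX_USER_ID_LENGTH:
        problems.append(f"longer than {MAX_USER_ID_LENGTH} characters")
    # str.isspace() also catches tabs, newlines and Unicode spaces such as
    # U+00A0, which are easy to miss in IDs pasted from spreadsheets.
    if any(ch.isspace() for ch in user_id):
        problems.append("contains white space")
    bad = sorted(set(user_id) & FORBIDDEN_CHARACTERS)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    # Assumption: the reserved name is matched case-insensitively.
    if user_id.upper() in RESERVED_USER_IDS:
        problems.append("reserved for PeopleTools")
    return problems


def screen_batch(candidates):
    """Split a provisioning feed into accepted IDs and {rejected ID: reasons}."""
    accepted, rejected = [], {}
    for candidate in candidates:
        problems = user_id_problems(candidate)
        if problems:
            rejected[candidate] = problems
        else:
            accepted.append(candidate)
    return accepted, rejected


# Constructed sample feed, not taken from any real system.
SAMPLE_FEED = [
    "TSAWYER",
    "tom sawyer",
    "finn;h",
    "PPLSOFT",
    "X" * 31,
    "polly(aunt)",
    "becky\u00a0t",
]

if __name__ == "__main__":
    ok, bad = screen_batch(SAMPLE_FEED)
    print("accepted:", ok)
    for uid, reasons in bad.items():
        print(f"rejected {uid!r}: {'; '.join(reasons)}")
```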

Copying a User Profile

To copy a user profile:

  1. Select PeopleTools, Security, User Profiles, Copy User Profiles to access the Find an Existing Value search page.

  2. Select the user ID that you want to copy.

  3. On the User Profile Save As page, enter the new user ID, a description, and the password that the new user ID should use to sign in to the system.

Note. If Copy ID Type Information is not selected, the system does not save the EMPLID value to the PSOPRDEFN table.

Deleting a User Profile

To delete a user profile:

  1. Select PeopleTools, Security, User Profiles, Delete User Profiles to access the Delete User Profile page.

  2. Make sure that you have selected the correct user profile.

  3. Click Delete User Profile to remove information related to this particular user profile that appears in every PeopleTools and application data table in which the OPRID field is a key field.

    Note. Query the PS_TBLSELECTION_VW view to list the tables in which the OPRID field is a key field.

    To prevent user information in a specific table from being deleted, you can designate tables that the delete user process bypasses.

See Also

Component Interfaces

Bypassing Tables During the Delete User Profile Process

Access the Bypass Tables page (PeopleTools, Security, Security Objects, Tables to Skip).

When you delete a user profile and its related information, you might not want to delete the rows of user profile data that certain tables contain. In such cases, you can specify the tables for the delete process to skip.

To bypass tables during the Delete User Profile process:

  1. Click the prompt button to select the record name to skip.

    Note. The prompt displays only records that contain the OPRID field as a key field. The view behind this prompt is the PS_TBLSELECTION_VW.

  2. Insert additional rows for other table names, as necessary.

  3. Click the Save button.

See Also

Preserving Historical User Profile Data

Specifying User Profile Attributes

This section discusses how to:

Pages Used to Specify User Profile Attributes

| Page Name | Definition Name | Navigation | Usage |
| --- | --- | --- | --- |
| General | USER_GENERAL | PeopleTools, Security, User Profiles, User Profiles, General | Set general user profile attributes. |
| ID | PSOPRALIAS | PeopleTools, Security, User Profiles, User Profiles, ID | Set ID type and attribute value. |
| Roles | USER_ROLES | PeopleTools, Security, User Profiles, User Profiles, Roles | Add roles to a user profile. This task defines user access in the PeopleSoft system. Through roles, the user inherits permission lists. |
| Workflow | USER_WORKFLOW | PeopleTools, Security, User Profiles, User Profiles, Workflow | Specify workflow settings for a user. |
| Audit | USER_AUDIT | PeopleTools, Security, User Profiles, User Profiles, Audit | Determine when and who last updated a profile. |
| Links | USER_OTHER | PeopleTools, Security, User Profiles, User Profiles, Links | Display any additional links added. |
| User ID Queries | USER_QUERY | PeopleTools, Security, User Profiles, User Profiles, User ID Queries | Run queries about a user profile. |

Setting General User Profile Attributes

Access the General page (select PeopleTools, Security, User Profiles, User Profiles and click the General tab).

Logon Information

Account Locked Out?

Select this check box to deactivate a user profile for any reason. The user cannot sign in until you have deselected this option.

Note. The system automatically selects this check box if you are using password controls and the user exceeds the maximum number of failed logon attempts. The administrator needs to manually open the user profile and deselect this check box to reinstate the user.

Symbolic ID

Enter a value to retrieve the appropriate encrypted access ID and access password. This value determines which access ID and password are used to log the user onto the database after the system validates the user ID.

The access ID is required only when a user needs to connect directly to the database (in two-tier). The access ID is not required with the portal or if you use a Lightweight Directory Access Protocol (LDAP) directory server to manage user IDs.

With PeopleSoft Pure Internet Architecture, the application server maintains the connection to the database, so the application server must submit an access ID.

Password and Confirm Password

Enter the password string that the user must supply when signing in. The value in the Confirm Password field must match that in the User Password field. The maximum password length is 32 characters.

Note. These values are required to sign in to the system, but you can save the profile without populating these fields.

Password Expired?

If you are using PeopleSoft password controls, this option enables you to force users to change their passwords in the following situations:

  • The first time that a user signs in to PeopleSoft software.

  • The next time that a user signs in.

  • The first time that a user signs in after the system has emailed the user a randomly generated password.

Note. To use this option, you must enable the Password Expires in 'x' Days PeopleSoft password control.

When a user's password has expired, the Password Expired check box becomes enabled and selected. By deselecting the check box and saving the change, you can renew the password, although we do not recommend this practice.

User ID Alias

Enter a fully qualified email ID (email address) as a user ID alias. For example, tom.x.sawyer@oracle.com could be the user ID used to sign in to the system. The maximum character length is 70.

Edit Email Addresses

If a user is part of the workflow system or you have other systems that generate email for users, click this link to enter an email address for a user. You can enter multiple email addresses for a user, but you must select one as the primary email address. The system allows only one email address per type. For example, you cannot enter two home email addresses.

The Email Addresses interface has the following controls:

  • Primary Email Account: If you enter multiple email accounts, you must select one as the primary account.

  • Email Type: Select from Blackberry, Business, Home, Other, or Work.

    The Blackberry email type is used with the Workflow/RIM technology.

  • Email Address: Enter the email address in this field.

General Attributes

Language Code

Select a value. The language code on the User Profile page has a limited use. For example, when a user runs a batch job, the system needs to know in which language to generate the reports for the user who submitted the job.

In PeopleSoft Pure Internet Architecture, the user’s language preference is based on the selection that the user makes on the signon page.

For Microsoft Windows workstations, the user’s language preference is derived from the Display tab in PeopleSoft Configuration Manager. For the Microsoft Windows environment, the value specified as language code in the user profile acts as a default in case the language code is not specified in PeopleSoft Configuration Manager.

Currency Code

If the user works with international currencies, select a currency code to reflect the native or base currency. Values will appear in the currency with which the user is familiar.

Default Mobile Page

Select the mobile homepage that should appear after users sign in to their mobile device.

Important! PeopleSoft Mobile Agent is a deprecated product. These features exist for backward compatibility only.

Enable Expert Entry

Select to specify that some users, such as expert or power users, can defer all processing of the data that they enter. This selection enables users to reduce the number of trips to the server for data processing, regardless of how the developer set field deferred or interactive processing. You enable this option in a component in Application Designer, and you specify which users have this option using the Enable Expert Entry check box.

Deselect this check box to prevent a user from specifying deferred processing.

Allow Switch User

Select this option to designate users who can change identities in a PeopleSoft system. This feature applies only when accessing PeopleSoft applications using a browser; it has no effect on two-tier or three-tier connections.

The default for this feature is hidden. You display this check box by changing the Enable Switch User options on the PeopleTools Options page.

See General Options.

Permission Lists

Navigator Homepage

Enter a value associated with PeopleSoft Workflow.

Process Profile

Displays a value that contains the permissions that a user requires for running batch processes through PeopleSoft Process Scheduler. For example, the process profile is where users are authorized to view output, update run locations, restart processes, and so on.

Note. Only the process profile comes from this permission list, not the list of process groups.

Primary and Row Security

Displays which data permissions to grant a user by examining the primary permission list and row security permission list. Which one is used varies by application and data entity (employee, customer, vendor, business unit, and so on). Consult your application documentation for more details.

The system also determines mass change (if needed) and definition security permissions from the primary permission list.

Setting ID Type and Attribute Value

Access the ID page (select PeopleTools, Security, User Profiles, User Profiles and click the ID tab).

ID Types and Values

ID Type and Attribute Value

Select the ID type and attribute value. Separating user profiles by ID type enables you to have multiple categories of user profiles with ID numbers all within a range of 1–1000, for example, and it also enables you to grant data permission by entity (customer, employee, and so on). When users sign in to your benefits or payroll deductions application, they see only information that applies to them.

A user profile is a set of data about an entity—a user—who interacts with the system. The human resources (HCM) system, which keeps track of your employee data, is designed to focus more on your employee user types. On the other hand, your financials system is designed to keep track of customer and supplier user types. ID types enable you to link user types with the records that are most relevant when a user interacts with the system.

In the Attribute Value field, select the value associated with the attribute name. In this case, the value reflects the employee number, but it could be a customer number or vendor number.

User Description

The User Description section enables you to help identify the user.

Description

Add a description, such as the name of an individual or an organization, for the user profile.

Set Description

Click this link to populate the field with a description from the database.

Note. Before you assign a user type to a user, you must create user types.

See Also

Setting Up User Profile Types

Setting Roles

Access the Roles page (select PeopleTools, Security, User Profiles, User Profiles and click the Roles tab).

Role Name

Displays the name of the role added to the user profile.

Description

Displays a description of the role added to the user profile.

Dynamic

Selected if the system assigned a particular role dynamically.

Route Control

Specify a route control profile for each role assigned to a user. For example, suppose that you have a role named EXPENSE_REP. If you want a particular expense representative to handle all of the expense reports submitted by people whose last names begin with A, you could assign the user a specific route control profile to send the user reports submitted by individuals with last names beginning with A.

View Definition

Click to view the role definition associated with this user profile.

See Understanding Route Control Development.

See Using the PeopleSoft Administrator Role.

Dynamic Role Rule

Use these options to test and manually carry out business rules for dynamically updating roles and assigning them to user profiles. You design your role rules using Query Manager, PeopleCode, or LDAP directory rules.

Execute on Server

Select the Process Scheduler server that should run your role rule.

Test Rule(s)

Click to test the rules and verify whether they will produce the desired results for a particular user. No roles are actually assigned, but the system provides a report of the roles that will be assigned when you run the rule.

Execute Rule(s)

Click to run the rules and manually assign the appropriate roles to a particular user. Typically, you implement role rules on a regular schedule through PeopleSoft Process Scheduler.

Process Monitor and Service Monitor

Click to view the status of the process carrying out the role rule and the messages that the process invoked.

Specifying Workflow Settings

Access the Workflow page (select PeopleTools, Security, User Profiles, User Profiles and click the Workflow tab).

Workflow Attributes

Alternate User ID

Select an alternate role user to receive routings sent to this role user. Use this option when the role user is temporarily out (for example, on vacation or on leave).

If the field contains a role user name, the system automatically forwards new work items for whoever is assigned as the current role user to the alternate role user.

Note. The system forwards new work items to the alternate role user. It does not reassign items already in the user’s worklist.

Note. When you apply an alternate user ID in your workflow settings, the system sends workflow routings only to the immediate alternate user ID. The system does not send routings down multiple levels of alternate user IDs. For example, assume user A specifies user B as the alternate user ID while user A is out of the office. Also assume that user B is out of the office at a time during user A’s absence, and user B specifies user C as an alternate user ID for this time. In this case, the system does not send workflow routings originally intended for user A to user C.

Note. The Alternate User ID routing functionality is meant to work only with role-based applications, such as Virtual Approver (VA) Workflow in PeopleTools and Enterprise Component Approval Framework. In VA Workflow, the route is to roles, not specific users. Where the Enterprise Component Approval Framework worklist uses roles, the Alternate User ID routing functionality works.

The Workflow Field Mapping must be mapped to a Role or a Role Query in order for Alternate User to work.

From Date and To Date

Enter the dates on which the current role user begins and returns from a temporary vacancy. These fields specify the time period during which the alternate user ID is used.

Supervising User ID

Select the user ID of the user’s supervisor from this drop-down list box. The system uses this value when it needs to forward information to the user’s supervisor.

The system uses the PERSONAL_DATA record to determine the user’s supervisor.

Note. If you are using PeopleSoft Human Capital Management (PeopleSoft HCM) applications, this field should not appear. If it does, you must set your workflow system defaults.

Routing Preferences

Specify the routing types that this role user can receive. The Routing Preferences box shows the two places where the system can deliver work items: to a worklist or to an email mailbox. If the user does not have access to one or both of these places, deselect the check box. For example, if this person is not a PeopleSoft user, deselect Worklist User.

Reassign Work

Reassign Work To

Use to reassign pending work for this role user if positions change or a user is temporarily out, such as on leave or on vacation.

If this user has work items waiting (as shown by the Total Pending Worklist Entries in your Workflow interface), select this check box and select the user to whom work items should be forwarded from the drop-down list box. When you save the page, the system reassigns existing worklist entries to the specified user.

Note. If you don’t reassign pending work items, they remain unprocessed.

Total Pending Worklist Entries

Displays worklist items that require a user's attention.

See Also

Administering PeopleSoft Workflow

Viewing When a User Profile Was Last Updated

Access the Audit page (select PeopleTools, Security, User Profiles, User Profiles and click the Audit tab).

The Audit page is a display-only page that enables you to determine:

Displaying Additional Links

Access the Links page (select PeopleTools, Security, User Profiles, User Profiles and click the Links tab).

Use this page to access links to other pages within your PeopleSoft system. For example, perhaps a PeopleSoft application requires a specific security setting to be associated with a user profile. If this application-specific setting appears on a page not in PeopleTools Security, add a link to the application page so that anyone updating the user profile can easily navigate to the page.

Note. The Links page is read-only. You create the inventory of links to pages that exist outside of PeopleTools Security by using the Security Links component.

If you added links for user profiles in the Security Links component, they appear on the Links page.

Running User ID Queries

Access the User ID Queries page (select PeopleTools, Security, User Profiles, User Profiles and click the User ID Queries tab).

User ID queries enable you to run queries that provide detailed information about a user profile, such as the permission lists and roles associated with the user profile. The available queries are documented on the page.

To run a user ID query:

  1. Click the link associated with the query that you want to run.

    This action invokes a new browser window.

  2. View the information that the query returns to the new browser window or select a download option.

    For downloading, you have the following options:

Working With Passwords

This section discusses how to:

Setting Password Controls

Access the Password Controls page (PeopleTools, Security, Password Configuration, Password Controls).

You use the Password Controls page to set any password restrictions, such as duration or minimum password length, that you want to impose on your end users. These options apply when you are maintaining your user profiles within PeopleSoft applications, not within a directory server.

Signon PeopleCode

Enabled

Select to enable the PeopleSoft password expiration and account lockout fields. The other password controls are not enabled by this box.

If you do not want these password controls (for example, because you already have a third-party utility that performs equivalent functions), do not select this check box.

Note. If you change the status of the Enabled check box, you must restart the application server.

You can extend or customize the controls by modifying the PeopleCode.

Password Expiration

Never Expires

Select to disable password expiration options for all users.

Expires in

Select to enable password expiration options for all users.

You must enter a value between 1 (the default value) and 365 in the Days field to specify the number of days that a password is valid. Users signing on after a password expires must change their password to sign in.

You must select a warning option.

Without Warning

Select to disable notification of impending password expiration.

Warn for

Select to enable notification of impending password expiration.

The value that you enter in the Days field determines when the system begins notifying users of impending password expiration.

PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a user's password expires, the system automatically removes all of the user's roles and permission lists, and temporarily assigns them the PSWDEXPR permission list only.

A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to the Change Password component (CHANGE_PASSWORD) only. For the duration of the session, that is, until the user changes the password, the user is restricted solely to the PSWDEXPR permission list.

Note. The actual user profile stored in the database is not changed in any way when the password expires. You do not need to redefine the profile. When the password is changed, the system restores the user profile's previous roles and permission lists.

Account Lockout

Failed Logons

Enter the maximum number of failed sign-in attempts to allow before the system disables the user profile. For example, if you set the Failed Logons value to 3, and a user fails three sign-in attempts, she is automatically locked out of the system. Even if she correctly enters a user ID and password on the fourth attempt, she is not permitted to sign in. This feature reduces the risk of intruders using brute force to break into your system.

After an account is locked out, a system administrator must open the user profile and deselect the Account Locked check box manually.

Password May Match

User ID

Select to enable users to use their own user ID as a password.

Primary Email

Select to enable users to use the email address that is associated with their user profile (as designated by the Primary Email Account check box on the Email Address page) as a password.

See General Attributes.

Note. Clearing these controls helps you prevent hackers from guessing passwords based on a list of employee names.

Requirements

Use these fields to specify the number and types of characters that passwords must include. Passwords can include up to 32 characters.

Minimum Length

Enter the minimum number of characters that a user must enter when creating a password. If the minimum length is set to 0, then the PeopleSoft password controls do not enforce a minimum length on the password; however, the password cannot be blank. When you create a new user or a user changes a password, the system checks this value. If it is not zero, the system tests the password to ensure that it meets the length requirement; if it does not, an error message appears.

Specials

Enter the required number of special characters that the password must include.

The allowable special characters are:

! @ # $ % ^ & * ( ) - _ = + \ | [ ] { } ; : / ? . > <

Digits

Enter the required number of integers, such as 1 or 2, that the password must include.

Lower Case

Enter the required number of minuscule letters, such as 'q' or 'i,' that the password must include.

Upper Case

Enter the required number of majuscule letters, such as 'Q' or 'I,' that the password must include.

Leading, intermediate, and trailing white spaces are not supported in PeopleSoft passwords. If you want to include intermediate white spaces, you must comment out the following USERMAINT.GBL.PSOPRDEFN.SaveEdit Component PeopleCode:

    &find = Find(" ", PSOPRDEFN.OPRID);
    If &find > 0 Then
       Error MsgGet(48, 14, "Message not found.");
    End-If;

Warning! When these statements are commented out, users can include white spaces in passwords. Although you can use the preceding PeopleCode modification as a workaround, it is strongly recommended that you not do so. This modification can cause unexpected behaviors that are problematic for batch processes, upgrades, application server configuration files, and two-tier applications, such as PeopleSoft Application Designer, Data Mover, and Application Engine.
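The following Python sketch is an added example, not PeopleSoft code. It models the Password May Match and Requirements fields described above so that a provisioning script can test a candidate password against the same settings before submitting it. The class name, function name, ASCII-only character classes, and case-insensitive matching are assumptions.

```python
import string
from dataclasses import dataclass

# Allowable special characters, copied from the list on the Password Controls page.
ALLOWED_SPECIALS = set("!@#$%^&*()-_=+\\|[]{};:/?.><")
MAX_LENGTH = 32  # "Passwords can include up to 32 characters."


@dataclass
class PasswordControls:
    """Hypothetical container; one attribute per field on the page."""
    minimum_length: int = 0          # 0: no minimum enforced, but never blank
    specials: int = 0
    digits: int = 0
    lower_case: int = 0
    upper_case: int = 0
    may_match_user_id: bool = False
    may_match_primary_email: bool = False


def check_password(password, user_id, primary_email, controls):
    """Return the list of violated controls; an empty list means accepted."""
    problems = []
    if not password:
        problems.append("Blank password")
    if len(password) > MAX_LENGTH:
        problems.append("Maximum Length")
    if controls.minimum_length and len(password) < controls.minimum_length:
        problems.append("Minimum Length")
    if any(ch.isspace() for ch in password):
        problems.append("White space")

    # Characters outside the documented list do not count toward Specials.
    # ASCII-only letter and digit classes are an assumption of this sketch.
    required = [
        ("Specials", controls.specials, ALLOWED_SPECIALS),
        ("Digits", controls.digits, set(string.digits)),
        ("Lower Case", controls.lower_case, set(string.ascii_lowercase)),
        ("Upper Case", controls.upper_case, set(string.ascii_uppercase)),
    ]
    for name, minimum, alphabet in required:
        if sum(ch in alphabet for ch in password) < minimum:
            problems.append(name)

    # Password May Match: case-insensitive comparison is an assumption.
    if not controls.may_match_user_id and password.lower() == user_id.lower():
        problems.append("Matches User ID")
    if (not controls.may_match_primary_email
            and password.lower() == primary_email.lower()):
        problems.append("Matches Primary Email")
    return problems


if __name__ == "__main__":
    # Constructed settings and sample values.
    strict = PasswordControls(minimum_length=8, specials=1, digits=1,
                              lower_case=1, upper_case=1)
    for candidate in ("Tr4ding-Post", "jsmith", "Abcdefg1~"):
        print(candidate, check_password(candidate, "JSMITH",
                                        "jsmith@example.com", strict))
```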

Password History

Passwords to Retain

Enter the number of user passwords to retain in the password history table (PSPSWDHISTORY). If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password.

When the number of retained passwords for a user surpasses the number indicated in the Passwords to Retain field, the system deletes the oldest password and then stores the current password as the newest password.

Note. If the password history table contains values and you change the Passwords to Retain field value to 0, the system deletes the password history for all users.

Purge User Profiles

Days of Inactivity

Enter the maximum number of days that a user can go without accessing the application, after which the system marks the profile as inactive. After you set the value and save the page, click the Schedule button to access and automate the PURGEOLDUSRS Application Engine program that performs the delete process.

If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must manually delete the row in PSOPRDEFN associated with the deleted user profile.

Changing Passwords

Access the Change My Password page (from the homepage, click Change My Password). The PeopleSoft system enables users to change their passwords as needed.

To change a PeopleSoft password:

  1. From the homepage, click Change My Password.

  2. On the Change Password page, enter the current password in the Current Password field.

  3. In the New Password field, enter a new password.

  4. Confirm the new password by entering it again in the Confirm Password field.

  5. Click Change Password.

Creating Email Text for Forgotten Passwords

Before the system emails a new, randomly generated password to a user, you want to make sure they are who they claim to be. The Forgotten Password feature enables you to pose a standard question to users requesting a new password to verify the user's authenticity. If the user enters the appropriate response, then the system automatically emails a new password.

When a user has forgotten a PeopleSoft password, the system sends the user a new password within an email message. You can have numerous password hints, but typically, you send all new passwords using the same email message template. Because of this, PeopleSoft provides a separate page just for composing the standard email text that you use for your template.

Access the Forgot My Password Email Text page (PeopleTools, Security, Password Configuration, Forgot My Password Email Text).

Add the following text string in the Email Text field:

<<%PASSWORD>>

The system inserts the new password here. The %PASSWORD variable resolves to the generated value.

Note. You might instruct the user to change the password to something easier to remember after they sign in to the system with the randomly generated password. Only users who have the Allow Password to be Emailed option enabled on the Permission List - General page can receive a new password using this feature.

Creating Hints for Forgotten Passwords

Access the Forgot My Password Hint page (PeopleTools, Security, Password Configuration, Forgotten Password Hint).

With these hints set up, users can access the Forgot My Password page. If the user answers the question correctly, a new password is sent through the email system.

To create a forgotten password hint:

  1. Click Add a New Value.

  2. On the Add a New Value page, enter a three-character ID in the Password Hint ID field.

  3. Click Add.

  4. Select the Active check box.

  5. Enter your question to verify that the user is who he or she claims to be.

  6. Click Save.

Deleting Hints for Forgotten Passwords

To delete a password hint:

  1. Select PeopleTools, Security, User Profiles, Delete Forgotten Password Hint.

  2. Enter the specific code for the hint or perform a search for it.

  3. On the Delete Forgot My Password Hint page, select the appropriate hint.

  4. Click Delete.

Setting Up the Site for Forgotten Passwords

PeopleSoft recommends setting up a site specifically designed for users who have forgotten their passwords. This site would require no password to enter, but it would provide access only to forgotten password pages.

To set up a forgotten password site:

  1. Set up a separate PeopleSoft Pure Internet Architecture site on your web server.

  2. Set up a direct connection to the site, such as a link to it.

  3. In the web profile, enable public access and specify a public user ID and password for automatic authentication.

    This direct user should have limited access, for example, only to the Email New Password component. Users go directly to it, and a new password is emailed.

  4. Place a link to the forgotten password site within the public portion of the PeopleSoft portal or on another public web site.

  5. Notify your user community of the link.

Note. The site should have this format: http://webserver/psp/sitename/portalname/localnodename/c/MAINTAIN_SECURITY.EMAIL_PSWD.GBL?

Requesting New Passwords

To request a new password, access the hidden Forgot My Password page (EMAIL_PSWD2). The system randomly generates a new password and emails it to the user.

Before the system can email the user a new password, complete these tasks:

See Setting General Permissions.

To request a new password:

  1. Click the Forgotten Password link on the PeopleSoft signon page (or direct the user to the Forgotten Password link).

  2. On the Forgot My Password page, enter your user ID.

  3. Click Continue.

  4. On the Email New Password page, verify that the system is set to send the new password to the appropriate email address.

    If the appropriate email address does not appear, contact your system administrator. System administrators must make sure that the email address is correctly represented for each user who intends to use this feature.

    Note. Use Application Designer to change any display properties of the fields on the EMAIL_PSWD2 page.

  5. Respond to the user validation question.

    Note. The user must have set up the forgotten password help.

    See Changing Your Password.

  6. Click Email New Password.

Implementing Distributed User Profiles

This section provides an overview of distributed user profiles and discusses how to:

Understanding Distributed User Profiles

As your user population increases in size, it can become impractical for one person to centrally administer all of your system's user profiles. You can distribute some or all user profile administration tasks by enabling selected users to use the Distributed User Profiles component (USERMAINT_DIST) to control the granting of selected roles to other users.

The pages in the Distributed User Profiles component are identical to the corresponding pages in the User Profiles component, except that its User Roles page does not include links for editing the assigned roles. You can restrict who can use the component, which users they can administer, and what roles they can grant, based on the roles to which they themselves belong. For example, you might specify that users in the Line Manager role can grant the Shipping Clerk role to other users. The effect of this is to designate line managers as remote security administrators who can administer the user profiles of shipping clerks. In addition to granting and managing roles, a remote security administrator can administer all parts of a user profile, including passwords, email addresses, and workflow.

Important! Distributing user profile administration might affect regulatory compliance (for example, Sarbanes Oxley). You are responsible for determining and accounting for any effect of using this feature.

To implement distributed user profiles:

  1. Use permission lists and roles to configure security to give selected remote security administrators access to the Distributed User Profiles component.

    Note. The PIA navigation path to this component is PeopleTools, Security, User Profiles, Distributed User Profiles.

  2. Use the Set Distributed User Profile Search Record page to define which user profiles can be administered with the Distributed User Profiles component.

    See Defining User Profile Access for Remote Security Administrators.

  3. Use the Role Grant page in the Roles component (ROLEMAINT) to specify which roles your remote security administrators can grant with the Distributed User Profiles component.

    See Defining Remote Security Administrator Role Grant Capability.

Defining User Profile Access for Remote Security Administrators

To define user profile access:

  1. Define a search record that returns only the user IDs that you want remote security administrators to be able to administer.

    Note. Initially, PSOPRDEFN_SRCH is the default search record for this purpose. You can accept the default and skip this step, but that action enables access to every user profile in your system. We encourage you to define a more restrictive search record.

  2. In a browser, select PeopleTools, Security, User Profiles, Distributed User Setup to access the Set Distributed User Profile Search Record page.

  3. In the New Search Record field, select the search record that you defined in Step 1, and then save.

    When remote security administrators access the Distributed User Profiles component, this search record enforces row-level security to restrict the set of user IDs that they can select and administer.

See Also

Using Search Records

Defining Remote Security Administrator Role Grant Capability

In a browser, select PeopleTools, Security, Permissions and Roles, Roles, Role Grant to access the Roles - Role Grant page.

You use this page to specify which roles can be granted using the Distributed User Profiles component and which users can grant them. This page is part of a role definition; you can configure this role to be a remote security administrator, a role that a remote security administrator can grant to users, or both.

Roles That Can Be Granted By This Role

By specifying one or more roles in this grid, you effectively designate users who belong to roles, and who have access to the Distributed User Profiles component, as remote security administrators. Add rows to enable this role to grant as many roles as appropriate. For example, you might want users who belong to the Shipping Manager role to be able to grant the Shipping Clerk (Temporary) role and the Packing Clerk (Temporary) role to other users.

Note. This grid is complementary to the Roles That Can Grant This Role grid, and it propagates its values accordingly. Using the example given, on the Role Grant page for the Shipping Clerk (Temporary) role and the Packing Clerk (Temporary) role, the Roles That Can Grant This Role grid now specifies Shipping Manager.

Roles That Can Grant This Role

By specifying one or more roles in this grid, you effectively designate users who belong to roles, and who have access to the Distributed User Profiles component, as remote security administrators, able to grant roles to users. Add more rows to enable additional roles to grant this role. For example, you might want users who belong to the Security Administrator role to be able to grant the Shipping Manager role to other users.

Note. This grid is complementary to the Roles That Can Be Granted By This Role grid, and it propagates its values accordingly. Using the example given, on the Role Grant page for the Security Administrator role, the Roles That Can Be Granted By This Role grid now specifies Shipping Manager.

View Definition

Click to view the associated role definition and ensure that you have selected the appropriate role to grant or to serve as a remote security administrator.
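The following Python sketch is an added example, not PeopleSoft code. It models the two complementary grids and follows chains of grants, which is a useful review before delegating: a role that can grant a second role can indirectly hand out whatever that second role can grant. The class and method names are hypothetical, and the sketch assumes that members of every role in a chain also have access to the Distributed User Profiles component.

```python
from collections import defaultdict, deque


class RoleGrantModel:
    """Hypothetical model of the two grids on the Roles - Role Grant page."""

    def __init__(self):
        self.can_grant = defaultdict(set)   # Roles That Can Be Granted By This Role
        self.granted_by = defaultdict(set)  # Roles That Can Grant This Role

    def add(self, granting_role, granted_role):
        # A row entered in one grid appears in the complementary grid too.
        self.can_grant[granting_role].add(granted_role)
        self.granted_by[granted_role].add(granting_role)

    @staticmethod
    def _walk(edges, start):
        # Breadth-first walk that collects everything reachable from start.
        seen, queue = set(), deque([start])
        while queue:
            for nxt in edges.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def reachable_roles(self, role):
        """Every role obtainable through a chain of grants that starts at role."""
        return self._walk(self.can_grant, role)

    def unexpected_grantors(self, role, approved):
        """Roles that can hand out `role`, directly or through a chain,
        but are not on the approved list."""
        return self._walk(self.granted_by, role) - set(approved)


def page_example():
    """The grants used as examples on this page."""
    model = RoleGrantModel()
    model.add("Security Administrator", "Shipping Manager")
    model.add("Shipping Manager", "Shipping Clerk (Temporary)")
    model.add("Shipping Manager", "Packing Clerk (Temporary)")
    return model


if __name__ == "__main__":
    model = page_example()
    print(sorted(model.reachable_roles("Security Administrator")))
    # Constructed misconfiguration: a clerk role is allowed to grant the manager role.
    model.add("Shipping Clerk (Temporary)", "Shipping Manager")
    print(sorted(model.unexpected_grantors("Shipping Manager",
                                           {"Security Administrator"})))
```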

Administering Distributed User Profiles

In a browser, select PeopleTools, Security, User Profiles, Distributed User Profiles to access the Distributed User Profiles component.

Remote security administrators can fully edit the user profiles that they access through the Distributed User Profiles component, including granting roles.

The users that remote security administrators can administer are determined by the search record you specified on the Set Distributed User Profile Search Record page.

The roles that a given remote security administrator can grant are determined by the selections that you made on the Roles - Role Grant page.

See Also

Specifying User Profile Attributes

Transferring Users Between Databases

You occasionally need to copy security information from one database to another. Typically, you do this as part of an upgrade or to transfer security information from your production environment to your development or testing environment. PeopleTools provides a set of Data Mover (DMS) scripts designed to export and import user profile security information. The provided scripts transfer user profile data from a source to a target database using these tables:

Note. Use the Application Designer upgrade feature to upgrade both roles and permission lists.

One script exports User Profile data from the source database. The source database refers to the database that contains the User Profiles that you want to migrate. The target database refers to the database to which you are copying the user information.

After exporting the security information from the source database, you then run the import script against the target database. The target database refers to the database to which you want to transfer the security data. The scripts involved in transferring security information from one database to another are:

You will find this set of scripts in the <PS_HOME>/scripts folder.

Considerations

Before running scripts to export and import your security information, you should consider these topics:

Running the Scripts

Complete the following procedure to run the user transfer scripts:

  1. Using Data Mover, sign in to the source database and run USEREXPORT.DMS for user definitions.

    You can edit this script to specify the location and file name of the output file and the log file.

  2. Using Data Mover, sign in to the target database and run USERIMPORT.DMS for user definitions.

    You can edit the script to specify the location and file name of the input file and the log file. The name and location of the input file must match the output file you specified in Step 2.

  3. After copying user and role definitions, run the PeopleTools audits, including DDDAUDIT and SYSAUDIT, to check the consistency of your database.

Tracking User Sign In and Sign Out Activity

Access the Access Log Queries page (select PeopleTools, Security, Common Queries and click the Access Log Queries link on the Review Security Information page).

PeopleSoft Security provides three audit logs that track user sign in and sign out activity in PeopleSoft applications.

Select one of the following logs:

These logs are generated using data from the PSACCESSLOG table. If you are not interested in monitoring access activity, you can delete the PSACCESSLOG table. Deleting this table has no negative effect.

Note. If you delete the PSACCESSLOG table and then decide that you would like to track user sign in and sign out activity, you must recreate the table using exactly the same column names and order as in the previous PSACCESSLOG table: OPRID, LOGIPADDRESS, LOGINDTTM, LOGOUTDTTM. Use Application Designer to open the PSACCESSLOG record definition and create the table.
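The following Python sketch is an added example, not part of PeopleTools. It shows the kind of review the four PSACCESSLOG columns support: finding a user ID with overlapping sessions from different IP addresses, and finding sessions with no sign-out recorded after a chosen age. The rows are constructed sample data, and the timestamp format and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

FMT = "%Y-%m-%d %H:%M:%S"  # assumed export format; adjust to your database

# Constructed rows in PSACCESSLOG column order:
# OPRID, LOGIPADDRESS, LOGINDTTM, LOGOUTDTTM (None = no sign-out recorded).
SAMPLE_ROWS = [
    ("JSMITH", "10.0.4.17", "2024-03-04 08:01:12", "2024-03-04 12:02:40"),
    ("JSMITH", "198.51.100.23", "2024-03-04 09:15:00", "2024-03-04 09:47:31"),
    ("MLEE", "10.0.4.52", "2024-03-04 08:30:00", "2024-03-04 17:05:10"),
    ("MLEE", "10.0.4.52", "2024-03-05 08:29:44", None),
    ("RKHAN", "10.0.4.80", "2024-03-05 10:00:00", "2024-03-05 10:20:00"),
]


def load_sessions(rows):
    """Group rows by OPRID and parse the two timestamps."""
    sessions = defaultdict(list)
    for oprid, ip, login, logout in rows:
        sessions[oprid].append((
            ip,
            datetime.strptime(login, FMT),
            datetime.strptime(logout, FMT) if logout else None,
        ))
    return sessions


def overlapping_sessions(rows, as_of):
    """Same user ID signed in from two different IP addresses at the same time.
    A session with no sign-out is treated as still open at as_of."""
    findings = []
    for oprid, items in sorted(load_sessions(rows).items()):
        for (ip_a, in_a, out_a), (ip_b, in_b, out_b) in combinations(items, 2):
            if ip_a == ip_b:
                continue
            end_a, end_b = out_a or as_of, out_b or as_of
            if in_a < end_b and in_b < end_a:
                findings.append((oprid, *sorted((ip_a, ip_b))))
    return findings


def stale_open_sessions(rows, as_of, max_age):
    """Sign-ins older than max_age that never recorded a sign-out."""
    findings = []
    for oprid, items in sorted(load_sessions(rows).items()):
        for ip, login, logout in items:
            if logout is None and as_of - login > max_age:
                findings.append((oprid, ip, login))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 3, 6, 9, 0, 0)  # constructed review time
    print(overlapping_sessions(SAMPLE_ROWS, now))
    print(stale_open_sessions(SAMPLE_ROWS, now, timedelta(hours=12)))
```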

Purging Inactive User Profiles

Access the Purge Inactive User Profiles page (PeopleTools, Security, User Profiles, Purge Inactive User Profiles).

Note. Before accessing this page, you must enter a run control ID.

See Understanding Run Control IDs.

This page enables you to access, run, and schedule the PURGEOLDUSRS Application Engine program. The PURGEOLDUSRS program deletes user profiles having an inactive status that exceeds the period specified in the Purge Inactive User Profiles section on the Password Controls page.

The Setup Purge Frequency for Inactive User Profiles link takes you to the Password Controls page, where you can enter a period (in days) under Purge Inactive User Profiles.

The Purge Inactive Users page is similar to the Delete User Profile page in that it invokes the process that removes all references to the user in any PeopleTools or application data table in which the OPRID field is a key. Before deleting user profiles, archive historical data according to local, state, and federal laws. Be sure to list historical and archival tables on the Tables to Skip page.

See Also

Working With Passwords

Bypassing Tables During the Delete User Profile Process

Using PeopleSoft Data Archive Manager

Component Interfaces

Preserving Historical User Profile Data

Although you probably do not want to keep the permissions or sign-on access information for every user who has ever existed in the system, you generally do need to retain certain historical user profile data from your system. For example, local, state, and federal laws might demand that you retain certain employee history information. As another example, you might audit changes that users make to vital company data in the event you need to check that information a few months later if you discover some interesting financial allocations.

Use Data Archive Manager to archive and restore user profile data.

See History Tables.

Important! Remember that deleting and purging user profile data deletes every row of data associated with a particular user profile from every table in which the OPRID field is a key field, including archived tables if they remain in your production database.

To preserve user profile information in a table for which the OPRID field is a key field, use the Bypass Tables page.

See Bypassing Tables During the Delete User Profile Process.