Implementing Definition Security

This chapter provides an overview of definition security and discusses how to:

Understanding Definition Security

This section discusses:

Definition Security

You can restrict developer access to the record definitions, menu definitions, page definitions, and others that make up your applications. Just as you use Security to control who can access the PeopleSoft pages in your system, you use Definition Security to control who can access and update PeopleTools definitions.

There are two tasks involved with definition security:

Definition security leverages the permission lists created in PeopleTools Security to restrict access to individual PeopleTools database definitions created using a PeopleTools designer utility, such as PeopleSoft Application Designer or PeopleSoft Tree Manager. Definition types include all of the definitions that appear in the following table. Most definition types are created in PeopleSoft Application Designer.

| Definition Type | Associated Designer Tool |
|---|---|
| Activities | PeopleSoft Application Designer |
| Application Engine Programs | PeopleSoft Application Designer |
| Application Packages | PeopleSoft Application Designer |
| Approval Rule Sets | PeopleSoft Application Designer |
| Business Interlinks | PeopleSoft Application Designer |
| Business Processes | PeopleSoft Application Designer |
| Components | PeopleSoft Application Designer |
| Component Interfaces | PeopleSoft Application Designer |
| Fields | PeopleSoft Application Designer |
| File Layouts | PeopleSoft Application Designer |
| HTML | PeopleSoft Application Designer |
| Images | PeopleSoft Application Designer |
| Menus | PeopleSoft Application Designer |
| Messages | PeopleSoft Application Designer |
| Mobile Pages (Important! PeopleSoft Mobile Agent is a deprecated product. These features exist for backward compatibility only.) | PeopleSoft Application Designer |
| Pages | PeopleSoft Application Designer |
| Analytic Types | PeopleSoft Application Designer |
| Projects | PeopleSoft Application Designer |
| Queries | PeopleSoft Query |
| Records | PeopleSoft Application Designer |
| SQL | PeopleSoft Application Designer |
| Style Sheets | PeopleSoft Application Designer |
| Tree Structures | PeopleSoft Tree Manager |
| Trees | PeopleSoft Tree Manager |
| Translate Tables | PeopleSoft Application Designer |

Note. You can restrict access to an entire definition type, such as records or pages, using the PeopleTools page in Security. This works by controlling access to the PeopleSoft Application Designer functionality that works with a particular definition type. For example, if you don't want developers to use application engine programs, don't allow them to access PeopleSoft Application Engine.

Definition Security settings also work at the field level. To change a field on a record, you must be authorized to update all record definitions that contain the field. For example, to update or rename the EMPLID field on any record definition, you must have access to every record definition that contains the EMPLID field. If you are denied access to the ABSENCE_HIST record definition, which contains EMPLID, you won’t be able to modify any field attributes of EMPLID on any other record that contains the field. This ensures the integrity of your system. In a fast-paced development environment, if PeopleTools definitions are not well secured, problems may result.

Before you start using Definition Security, it’s a good idea to define the definition security needs of your users. Consider these types of questions:

Definition Groups and Permission Lists

Use Definition Security to define definition groups and link them to permission lists that you created in Security.

A definition group is a collection of one or more definitions that form a logical group for security purposes. For example, you’ve created a permission list for analysts who support the PeopleSoft Payroll module, and you call it PAYROLL_DEV. The analysts are allowed to update only payroll definitions. Using Definition Security, you create a definition group containing only payroll definitions, and give it a name, such as PAYROLL_OBJ. Finally, you link PAYROLL_OBJ to PAYROLL_DEV.

You can assign multiple definition groups to a single permission list.

You can't declare directly that a particular permission list can modify a specific definition type. You do so indirectly by creating a definition group that consists solely of the desired definition type. Also, remember that you can assign a definition to multiple groups as needed. To ensure total definition security, assign every definition to at least one definition group.

Note. PeopleTools databases are delivered with a predefined definition group called PEOPLETOOLS that contains all the PeopleTools definitions. Until you create definition groups of your own, the PEOPLETOOLS definitions are the only definitions that you can secure.

Definition Security Rules

To set up Definition Security properly, it’s helpful to understand how the system interprets definition security settings. The system applies the following rules to determine whether a user is authorized to update a definition:

| Rule | Description |
|---|---|
| 1 | Is the definition type assigned to any definition group? If not, then anyone has update access to it. For this reason, you should add all definition types to at least one definition group. |
| 2 | Is the definition type a part of a definition group assigned to the user’s primary permission list? If not, the system denies access and displays a message, such as “definition_name is not a definition that you are authorized to access.” |
| 3 | Do all the definition groups of which the definition type is a member have the display-only option enabled? If so, then the system displays the message “definition_name is not a definition that you are authorized to update.” The definition type appears with the Save command disabled. |

If the definition passes these system checks, the user is allowed to access and update it, unless it’s a PeopleSoft Application Designer definition, in which case several other security checks are performed first. PeopleSoft Application Designer definitions are also controlled by the PeopleTools page in permission lists.

Important! A user gets definition security permissions through the primary permission list, not through roles.
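The three rules above, together with the field-level rule described earlier, can be modeled as a small decision function. This is an added illustration, not PeopleTools code. It assumes that rule 3 is evaluated over the groups linked to the user's primary permission list and that definition names are unique across types. The names TOOLS_REC, HR_OBJ, PAY_CHECK, PAY_EARNINGS, CUSTOM_REC and PAYCHECK_NBR are constructed, and the extra Application Designer checks are not modeled.

```python
from enum import Enum

class Access(Enum):
    UPDATE = "update"
    DISPLAY_ONLY = "display-only"
    DENIED = "denied"

def evaluate(definition, group_members, plist_groups):
    """Apply rules 1-3 to one definition.

    group_members: {group ID: set of definition names in that group}
    plist_groups:  {group ID: display_only flag} for the groups linked to
                   the user's primary permission list (roles play no part)
    """
    containing = {g for g, members in group_members.items() if definition in members}
    if not containing:                        # Rule 1: in no group, open to anyone
        return Access.UPDATE
    linked = [g for g in containing if g in plist_groups]
    if not linked:                            # Rule 2: no linked group contains it
        return Access.DENIED
    # Rule 3 (assumed scope): every linked group containing it is display-only
    if all(plist_groups[g] for g in linked):
        return Access.DISPLAY_ONLY
    return Access.UPDATE

def can_modify_field(field, record_fields, group_members, plist_groups):
    """Field-level rule: update access is needed on every record containing the field."""
    records = [r for r, fields in record_fields.items() if field in fields]
    return all(evaluate(r, group_members, plist_groups) is Access.UPDATE for r in records)

def unsecured(definitions, group_members):
    """Definitions that rule 1 leaves updatable by anyone (assigned to no group)."""
    assigned = set().union(*group_members.values())
    return sorted(set(definitions) - assigned)

# Constructed sample data; PAYROLL_OBJ and PAYROLL_DEV follow the page's example.
GROUPS = {
    "PAYROLL_OBJ": {"PAY_CHECK", "PAY_EARNINGS"},
    "HR_OBJ": {"ABSENCE_HIST"},
    "PEOPLETOOLS": {"TOOLS_REC"},
}
PAYROLL_DEV = {"PAYROLL_OBJ": False, "PEOPLETOOLS": True}  # True = display-only
RECORD_FIELDS = {"PAY_CHECK": {"EMPLID", "PAYCHECK_NBR"}, "ABSENCE_HIST": {"EMPLID"}}

if __name__ == "__main__":
    for name in ("PAY_CHECK", "ABSENCE_HIST", "TOOLS_REC", "CUSTOM_REC"):
        print(name, evaluate(name, GROUPS, PAYROLL_DEV).value)
    print("EMPLID modifiable:", can_modify_field("EMPLID", RECORD_FIELDS, GROUPS, PAYROLL_DEV))
    print("Unsecured:", unsecured(["PAY_CHECK", "CUSTOM_REC"], GROUPS))
```

The CUSTOM_REC result shows why every definition should belong to at least one group: a definition in no group passes rule 1 for every user.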

Working With Definition Groups

PeopleSoft Definition Security is a Microsoft Windows-based application that you can access from PeopleSoft Application Designer.

Access PS Definition Security (Go, Definition Security).

To open an existing definition group:

  1. Select File, Open, Group.

    The Definition Security Open dialog box appears.

  2. Select a group ID.

  3. Click OK.

To create a new definition group:

  1. Select File, New Group.

  2. Add definitions to the group.

  3. Save the group and give it a name in the Save Group As dialog box.

To clone a definition group:

  1. Open the definition group you want to clone.

  2. Select File, Save As.

    The Save Group As dialog appears.

  3. Enter a group ID and click OK.

To rename a definition group:

  1. Select File, Rename.

    The Rename Group ID dialog box appears.

  2. From the Rename list, select the group that you want to rename.

  3. Enter a new group ID in the To edit box.

  4. Click OK.

To delete a definition group:

  1. Select File, Delete.

    The Definition Security Delete dialog box appears.

  2. Select the group ID for the group you want to delete.

  3. Click OK.

    A confirmation prompt appears.

Viewing Definition Groups

This section discusses how to:

Selecting a View

You can select how you view a definition group by using the View menu, or by selecting an item from the drop-down list box that appears at the top of the application window when you have a definition group open.

Viewing All Definitions

To see the entire definition group, select View, All Definitions.

You see every definition, regardless of type, assigned to the definition group. There are two columns: Type and Name.

Viewing Definitions of a Specific Type

To view definitions of a particular type that belong to a definition group, select that type from the View menu; for example, select View, Pages.

The view window is split vertically into two list boxes. The box on the left contains a list of definitions that belong to the definition group and are of the selected type.

The list box on the right is the Excluded definition_type list. The label for the definition type changes according to the definition type you are viewing. For example, when you view pages, the label is Excluded Pages, and when you view menus, the label reads Excluded Menus, and so on. The Excluded definition_type list box displays the names of all the definitions of the selected type that are not included in the current definition group.

Adding and Removing Definitions

This section discusses how to:

Adding and Removing Definitions

To add definition types to a definition group, you need to view by the type of definition that you want to add. To add pages to a definition group, select View, Pages.

To add definitions to a definition group:

  1. Open the definition group.

  2. Select the definition type to view by.

    Use the View menu or the drop-down list box at the top of the application window.

  3. Select the definitions to be added.

    In the Excluded definition_type list box, select the definitions to add to the active definition group.

    To select multiple definitions, use the Ctrl or Shift keys as you click.

  4. Click a left-arrow button to move the definitions into the group.

    To move just the selected definitions, use the single left arrow. To move all excluded definitions into the group, use the double left arrow.

Removing Definitions From a Definition Group

To remove definitions from a definition group:

  1. Open the definition group.

  2. Select the definition type to view by.

    Use the View menu or the drop-down list box at the top of the application window.

  3. Select the definitions to be removed in the list box on the left.

    To select multiple definitions, press the Ctrl key while you click.

  4. Click one of the right-arrow buttons to move the definitions out of the group.

    To move just the selected definitions, use the single right arrow. To remove all definitions from the group, use the double right arrow.

Assigning Definition Groups to Permission Lists

To link a definition group to a permission list, the permission list must already exist.

To link definition groups to a permission list:

  1. Select File, Open, Permission List.

    The Definition Security Open dialog box appears.

  2. Select a permission list and click OK.

    The window displays two list boxes, similar to what you see when adding or removing definitions.

    The list box on the right shows the existing definition groups that are not currently linked to the active permission list. The list box on the left shows the group IDs that the permission list is currently authorized to access. The group ID is the name that you specified when saving a definition group.

  3. Specify the included and excluded groups.

    To enable access to a definition group, select it in the Excluded Group ID list box on the right and move it into the list box on the left. To restrict access to a group, select it on the left and move it into the Excluded Group ID list box on the right. To move just the selected groups, use the single arrows. To move all groups, use the double arrows.

    The All Definitions group includes all system definitions. Use it to grant unrestricted access to all databases.

  4. Select File, Save to save your changes.

Enabling Display Only Mode

Enabling display-only access to a definition group means the definitions in that group can be viewed but not modified. You need to link the definition group to the permission list before you specify a display-only value.

For the All Definitions group, display-only mode applies only to the definition groups in the Excluded Group ID list.

The following example shows a permission list (INVPANLS) with access to all definitions, or All Definitions status. Notice that display only is activated. However, it only applies to those groups in the Excluded Group ID list: the NEWGROUP, ONEMENU, and PEOPLETOOLS groups. This means that the INVPANLS permission list has read and write access to all definitions in the system except for those that appear in the Excluded Group ID list. For those definitions, INVPANLS only has read access.

To enable or disable display-only access:

  1. Select Change, Display Only.

    The Definition Security List dialog box appears.

    This dialog box lists all the definition groups assigned to the current permission list.

  2. Select the groups in the list that you want to make display-only.

    You can use the All button to select all the groups in the list.

  3. Click OK.

Viewing Definition Access by User and Permission List

To view reports that detail specific secured definitions by user or by permission list, access the Common Queries - Definition Security Queries page (PeopleTools, Security, Common Queries, then click the Definition Security Queries link).

You can also view reports that detail access to definition types by user or by permission list from the User Profiles and Permission Lists components.

See Running Permission List Queries.

See Running User ID Queries.