Working with PeopleSoft Search Framework Security Features

This section contains an overview and discusses:

Understanding Search Framework Security

By default, both the Search Framework and Oracle SES possess innate security features designed to protect all of the data and processes within the systems. This section describes security topics that pertain solely to the integration between Search Framework and SES.

Applying PeopleSoft Permissions

The implementation, maintenance, and use of the Search Framework involve these user types:

Role: Search Administrator
Description: Responsible for managing the deployment of search definitions and search categories, scheduling index builds, monitoring indexes, and establishing connectivity between Search Framework and SES.
Note. This user needs to have access to all the queries (records) on which the search definition is based in order to schedule the index generation.
Delivered PeopleTools Permission List: PTPT3100

Role: Search Developer
Description: Responsible for creating search queries, search definitions and search categories.
Delivered PeopleTools Permission List: PTPT3200

Role: Search Server
Description: SES search instance requiring access to the Search Framework service operations.
Note. This is the call back ID configured in the search instance page.
This user ID needs to have access to all the queries (records) on all search definitions in order for SES to download data.
The Search Server role is required to be able to download attachments.
Delivered PeopleTools Permission List: PTPT3300

Role: End User
Description: Runs search queries while using PeopleSoft applications, using Application Search or Search Pages.
Delivered PeopleTools Permission List: None specific to Search Framework. Restrictions to search results can be implemented by user profile or role.

Note. Search Administrator, Search Developer, and Search Server are roles delivered by PeopleTools.

Working with Authentication and Authorization

Search Framework handles various security related tasks, including:

When managing search requests with Search Framework, it is important to distinguish between authentication and authorization.

Authentication determines whether a user is a legitimate user who can access the system. Authentication is configured using PeopleSoft user profiles, roles, and permission lists.

Authorization determines the access level for an authenticated user. Once a user is authenticated, the system invokes the authorization rules. You define authorization (access controls) per search definition on the Security tab. For some instances, applying No Security is a valid option. However, for other situations, you need to apply stricter control over what users can and cannot see. You can restrict access by the source (search definition) or by the document (search result).

Source-level security applies to all the documents in the data source. Setting source-level security is useful when you want to prevent global visibility of data source content. When defining source-level security, you specify the users and roles that can view the search results for that search definition. When a user searches the associated index, the system verifies the user’s access level prior to displaying any search results.

Document-level security restricts access to specific search results. Document-level authorization with SES uses security attributes. The attributes are defined using PeopleSoft Query or Connected Query during design time and are used to evaluate access during runtime. While defining a search definition, some of the fields chosen for the query may be used not for searching but mainly as security attributes. For example, Department ID and Business Unit are attributes that users may not necessarily search on, but their values can be used in the authorization process to evaluate whether a user can view search results for a specific Department ID or Business Unit.

If applying any level of security, you should define an application class for every search definition. The application class is responsible for fetching a list of runtime values based on the security attributes. You associate the application class with a search definition on the Security tab of the search definition.

The following diagram illustrates the elements involved with authorization and authentication and the interaction between them.

Steps:

1. During the index build, the crawler collects the defined security attributes and access restriction options associated with search definitions. The crawler applies those security attributes to the data sources (indexes).

2. An application end user runs a search query.

3. SES security framework invokes the PeopleSoft security service for user authentication.

4. Based on the authenticated user, SES performs either a source-level or a document-level authorization.

   For document-level authorization, PeopleSoft invokes the application class defined for the data source. The class fetches a list of values for the security attribute, which SES then uses to filter the search results.
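
The authorization flow in the steps above, modeled in Python as an added example (not PeopleSoft or SES code). `runtime_values` is a hypothetical stand-in for the application class; the index rows, user IDs, role names and grants are constructed; requiring every security attribute to match, with a missing attribute denying access, is an assumption of this model.

```python
from dataclasses import dataclass, field

@dataclass
class SearchDefinition:
    name: str
    security: str                                     # "none", "source" or "document"
    allowed_users: set = field(default_factory=set)   # source-level access list
    allowed_roles: set = field(default_factory=set)
    security_attrs: tuple = ()                        # document-level attribute names

@dataclass
class User:
    user_id: str
    roles: set

# Constructed index (step 1): security attributes are stored with each document.
INDEX = [
    {"id": "JOB-1", "title": "Analyst", "DEPTID": "10000", "BUSINESS_UNIT": "US001"},
    {"id": "JOB-2", "title": "Engineer", "DEPTID": "20000", "BUSINESS_UNIT": "US001"},
    {"id": "JOB-3", "title": "Manager", "DEPTID": "10000", "BUSINESS_UNIT": "FRA01"},
    {"id": "JOB-4", "title": "Clerk"},  # security attributes missing at index time
]

# Constructed grants that the hypothetical application class would look up.
GRANTS = {("HRMGR", "DEPTID"): {"10000"},
          ("HRMGR", "BUSINESS_UNIT"): {"US001", "FRA01"}}

def runtime_values(user, attr):
    """Stand-in for the application class: values this user may see for attr."""
    return GRANTS.get((user.user_id, attr), set())

def authorize(user, sd, hits):
    """Step 4: filter hits for an already authenticated user."""
    if sd.security == "none":
        return list(hits)
    if sd.security == "source":
        # Source level: one decision for the whole data source.
        ok = user.user_id in sd.allowed_users or bool(user.roles & sd.allowed_roles)
        return list(hits) if ok else []
    # Document level: compare each hit's stored attributes with the runtime values.
    allowed = {a: runtime_values(user, a) for a in sd.security_attrs}
    return [d for d in hits
            if all(d.get(a) in allowed[a] for a in sd.security_attrs)]

def visible_ids(user, sd):
    return [d["id"] for d in authorize(user, sd, INDEX)]
```

A user with no runtime values, or a document indexed without its security attribute, yields no match in this model, so a gap in either the application class or the index build hides results rather than exposing them.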

Configuring SSL between PeopleSoft and SES

You can configure SSL connections between your PeopleSoft system and SES. When you have SSL configured, you then need to set the SSL Option field on the Search Instance Properties page to ENABLE.

To set up SSL, use the instructions provided with PeopleTools PeopleBooks for setting up SSL on PeopleSoft Internet Architecture. Also, refer to the instructions for setting up SSL on SES provided with your Oracle SES documentation.

Setting Up Role-Based Search Group Access

Application Search displays search groups in the Application Search Bar based on the user's role. If a search group assigned to a context belongs to the permissions for a role to which that user belongs, then the search group will appear in the search group drop-down list for that user. You configure search group access by selecting PeopleTools, Security, Permissions & Roles, Permission Lists, Search Groups.

Use the Search Groups grid to add the search groups to which you want to grant access. Search groups are those search categories that have the Search Group check box selected on the General tab of the search category definition.

Note. This does not define security; it only provides a mechanism to control what is displayed in the Application Search Bar for a given user.

See Also

Working with Application Search