Understanding Definition Security

This topic provides an overview of definition security.

Definition security enables you to secure record definitions, menu definitions, page definitions, and other definitions that make up your applications.

Just as you use security to control who can access the PeopleSoft pages in your system, you use definition security to control who can access and update PeopleTools definitions.

You can implement definition security in the browser client or in the Microsoft Windows client. Browser client definition security was introduced in PeopleTools 8.54 and provides additional functionality than in the legacy Windows client application. While Windows client definition security may still function, any new enhancements and functionality will be made to the browser client definition security.

To access browser client definition security navigate to PeopleTools > Security > Definition Security.

You can access definition security on the Windows client two ways:

  • Execute the PSOSE.exe file in the Windows client.

  • In PeopleSoft Application Designer navigate select Go > Definition Security.

For information about the features and functionality of browser client definition security and Windows client definition security, see Comparing Browser Client and Windows Client Definition Security.

To implement definition security, you define definition groups and then link them to permission lists that you’ve created in security.

A definition group is a collection of one or more definitions that form a logical group for security purposes. For example, you’ve created a permission list for analysts who support the PeopleSoft Payroll module, and you call it PAYROLL_DEV. The analysts are allowed to update only payroll definitions. Using Definition Security, you create a definition group containing only payroll definitions, and give it a name, such as PAYROLL_OBJ. Finally, you link PAYROLL_OBJ to PAYROLL_DEV.

You can assign multiple definition groups to a single permission list. And you can assign a single definition group to multiple permission lists.

Definition groups must be assigned to the primary permission list defined for a user profile. The primary permission list is defined on the User Profile – General page, in the Permission List section of the page in the Primary field.

You can't declare directly that a particular permission list can modify a specific definition type. You do so indirectly by creating a definition group that consists solely of the desired definition type. Also, remember that you can assign a definition to multiple groups as needed. To ensure total definition security, assign every definition to at least one definition group.

Note: PeopleTools databases are delivered with a predefined definition group called PEOPLETOOLS that contains all the PeopleTools definitions. Until you create definition groups of your own, the PEOPLETOOLS definitions are the only definitions that you can secure.

To set up definition security properly, it’s helpful to understand how the system interprets definition security settings. The system applies the following rules to determine whether a user is authorized to update a definition:




Is the definition type assigned to any definition group? If not, then anyone has update access to it. For this reason, you should add all definition types to at least one definition group.


Is the definition type a part of a definition group assigned to the user’s primary permission list? If not, the system denies access and displays a message, such as “definition_name is not a definition that you are authorized to access.”


Do all the definition groups of which the definition type is a member have the display-only option enabled? If so, then the system displays the message “definition_name is not a definition that you are authorized to update.”

The definition type appears with the Save command disabled.

If the definition passes these system checks, the user is allowed to access and update it—unless it’s a PeopleSoft Application Designer definition, in which case several other security checks are performed first. PeopleSoft Application Designer definitions are also controlled by the PeopleTools in permission lists.

Important! A user gets definition security permissions through the primary permission list, not through roles. Access to definition types is granted through roles.