Feed Security

This section provides an overview of feed security.

Feeds can be published by two different methodologies: the Feed Publishing Wizard and Publish as Feed pages. Security is different for each of these methodologies:

  • Users with access to the PTPT1300 (Portal Administrators) permission list have access to the Feed Publishing Wizard by default.

  • The hidden Publish as Feed pages are accessed through the Publish as Feed link found on the property maintenance component for each type of PeopleSoft data that can be published as a feed. Therefore, access to publishing feeds in this manner depends on authorized access to the components and pages where the link is found.

The two levels of feed security are:

  • Feed-level security.

  • Data-level security.

Feed-Level Security

The Feed Publishing Framework manages feed-level security. Feed-level security determines which feeds are visible to the user when accessing the My Feeds page or any related hover menus. You can configure feed security to be:

  • Public.

    Public feeds run under context of the default user that is associated with the ANONYMOUS node.

    See Defining Node Parameters.

  • Realtime.

    Every time a user accesses a feed during search or execution, the data source object determines whether the current user has access to the feed. This security option has an advantage in that the feed security is always in sync with the data source. This security option can greatly affect performance of feed searches and should only be used when the data security is constantly changing, or the data security could not be defined using role or permission list based security model.

  • Permission list and roles.

    You assign access to the feed based on permission lists and roles.

Data-Level Security

By default, the authenticated user who requests a feed is used for generating the feed data. Data-level security is checked by each application class that supports a feed data type when the runtime engine executes it to collect feed data. It is always checked in real time. Users who have access to a feed but not the data will receive a feed document that contains no entries. Different users who subscribe to the same feed might receive different feed data, depending on their permissions. You can sync the feed data security to the feed definition using the Publish Feed Definition pages.

Important! Developers are responsible for building data-level security into the data source application class logic; data-level security is not automatic.

In the Feed Publishing Wizard, you can override the default feed authorization by specifying a user ID and password to be used for requests for this feed. Doing so ensures every user who requests the feed sees the same result. This setting can be useful for public feeds.

Warning! Use care when selecting a user ID for this override as this can potentially give unauthorized users access to feed data that they would not normally be able to see.

See Step 4: Specifying Publishing Options.

Security for Creating Feed Data Types

Security for creating new feed data types is based on permission lists. To create new feed data types, the user must be authorized to access pages in the PTFP_DATATYPE component on the PTFP_FEED_PUBLISHING menu.

Note: Users with access to the PTPT1300 (Portal Administrators) permission list have access to these pages by default.

See Understanding Permission Lists.