Security Administration Overview
This section discusses:
Lightweight Directory Access Protocol (LDAP).
Authentication and single signon.
Query and definition security.
User security is the core of security administration in PeopleSoft applications. You administer user security using several basic elements.
To establish appropriate user access:
Define permission lists.
Permission lists are the building blocks of user security authorization. A permission list grants a degree of access to a particular combination of PeopleSoft elements, specifying pages, development environments, time periods, administrative tools, personalizations, and so on.
This level of access should be appropriate to a narrowly defined and limited set of tasks, which can apply to a variety of users with a variety of different roles. These users might have overlapping, but not identical, access requirements.
You typically define permission lists before you define roles and user profiles. When defining permission lists, however, consider the roles that you will use them with.
A role is a collection of permission lists. You can assign one or more permission lists to a role. The resulting combination of permissions can apply to all users who share those access requirements. However, the same group of users might also have other access requirements that they don't share with each other. You can assign a given permission list to multiple roles.
You typically define roles after first defining their permission lists, and before defining user profiles. You use roles to assign permissions to users dynamically.
See Understanding Roles.
Define user profiles.
A user profile is a definition that represents one PeopleSoft user. Each user is unique; the user profile specifies a number of user attributes, including one or more assigned roles. Each role that's assigned to a given user profile adds its permission lists to the total that apply to that user.
You typically define user profiles after defining their roles. You can assign a given role to multiple user profiles. It's worthwhile to define a set of roles that you're confident can be assigned to user profiles that you'll create in the future.
LDAP is an internet protocol used to access a directory listing. Organizations typically store user profiles in a central repository, or directory server, that serves user information for all of the programs that require it. If your existing computer network uses an LDAP V3 compliant directory server, PeopleSoft supports the use of that server for managing user profiles and authenticating users. PeopleSoft enables you to integrate your authentication scheme for PeopleSoft with your existing infrastructure.
You always maintain permission lists and roles using PeopleSoft security. However, you can maintain user profiles in PeopleSoft security or reuse user profiles and roles that are already defined within an LDAP directory server. A directory server enables you to maintain a single, centralized user profile that you can use across all of your PeopleSoft and non-PeopleSoft applications. This approach reduces redundant maintenance of user information stored separately throughout your enterprise, and reduces the possibility of user information getting out of synchronization.
You can configure and extend your Signon PeopleCode to work with any schema implemented in your directory server. You can assign roles to users manually or assign them dynamically. When assigning roles dynamically, you use PeopleCode, LDAP, and PeopleSoft Query rules to assign user profiles to roles programmatically.
PeopleSoft delivers the most common authentication solutions and packages them with your PeopleSoft application. This saves you the trouble of developing your own solutions and saves you time with your security implementation. These prepackaged solutions include PeopleCode that supports basic sign in through HTTP over SSL/TLS (HTTPS), LDAP authentication, and single signon.
Because PeopleSoft applications are designed for internet deployment, many sites must take advantage of the authentication services that exist at the web server level. PeopleSoft takes advantage of HTTPS, SSL/TLS, and digital certificates to secure the transmission of data from the web server to an end user's web browser and also to secure the transmission of data between PeopleSoft servers and third-party servers (for business-to-business processing) over the internet.
PeopleSoft applications support these types of single signon:
Among PeopleSoft applications.
A user can signon and be authenticated by one PeopleSoft application server and then, that user can access other PeopleSoft application servers without entering an ID or a password. Although the user is actually accessing different applications and databases, the user navigates seamlessly through the system. Recall that each suite of PeopleSoft applications, such as HCM or CRM, resides in its own database.
Between PeopleSoft and Oracle applications.
A user can sign in to either system and freely access the other without having to sign in to the second system.
Between the desktop and PeopleSoft applications.
A user can sign in to their computer network and be authenticated by their network credentials and then, that user can freely access all PeopleSoft applications. This is desktop single signon.
Data security comprises the following elements:
Privacy—keeping data hidden from unauthorized parties.
Privacy is normally implemented with some type of encryption. Encryption is the scrambling of information such that no one can read it unless they have a piece of data known as a key.
Integrity—keeping transmitted data intact.
Integrity can be accomplished with simple checksums or, better, with more complex cryptographic checksums known as one-way hashes, and often with digital signatures as well.
Authentication—verifying the identity of an entity that's transferring data.
Authentication can be accomplished using passwords, or with digital signatures, which are by far the most popular and most reliable method of authentication.
PeopleSoft Encryption Technology (PET) provides a way for you to use hashes and digital signatures to secure critical PeopleSoft data and communicate securely with other businesses. It enables you to extend and improve cryptographic support for your data in PeopleTools, giving you strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data. PeopleSoft delivers PET with support for the OpenSSL and PGP encryption libraries.
To implement PET:
Load the algorithms of an encryption library into the PET database.
Generate accompanying encryption keys, and insert them into the PET keystore.
Define a sequence, or chain, of algorithms by selecting from all the algorithms in the database.
Define an encryption profile, which is an instance of an algorithm chain applicable to a specific encryption task.
Write PeopleCode to invoke the encryption profile.
Note: Along with the delivered OpenSSL and PGP encryption libraries, a PeopleSoft database may also contain encryption keys for internal use of the PeopleCode Crypt class. These encryption keys do not need to be modified.
You use PeopleSoft Query to build SQL queries and retrieve information from application tables. For each PeopleSoft Query user, you can specify the records the user is allowed to access when building and running queries. You do this by creating query access groups in PeopleSoft Tree Manager, and then assigning users to those groups with PeopleSoft Query security. PeopleSoft Query security is enforced only when using PeopleSoft Query; it doesn’t control runtime page access to table data.
Use Definition Security to govern access to PeopleSoft Application Designer definitions, such as record definitions, field definitions, and page definitions, and to protect particular definitions from being modified by developers.
PeopleSoft offers a variety of options that enable end users, especially power users, to configure certain aspects of their PeopleSoft environment to produce a more personalized interface. These options improve a user’s navigation speed through the system and enable users to select international preferences, such as date and time formats.
You define, group, and categorize personalization options, then use permission lists to control access to them. Users with access to a personalization option can control it through the My Personalizations menu.