PeopleSoft HCM
Security Overview
© 2017 – SpearMC Consulting
Security
Principal PeopleSoft Functional Consultant
I am a certified PeopleSoft HCM consultant with over 15
years of experience across multiple industries.
I have done 6 end-to-end HCM implementations involving
multiple modules, and have been involved in an equal number
of upgrades. Working on versions 8.3 to 9.2 (PI 25).
Specializations:
Modules: HR, Manage Positions, Talent Acquisition, T&L,
Absence Management, ePerformance, Profile, eComp,
ESS/MSS (Fluid) and Security
Frameworks: GSS, AWE, Activity Guide, Page Composer,
Pivot Grids and Alerts and Notification
Awards
Oracle Innovation Awards for Fluid, Guided Self Service
About Your Presenter – Vishal Mehta
Introductions
Course Overview
Course Lessons
– User Roles: Overview of User Access Hierarchy
– Row-Level Security: Brief Introduction (Tools/ HCM Application)
– Query Manager Highlights
Agenda
About this Course
Interactive and Dynamically paced
– This course is for YOU – let me know if you need more explanation or examples
Applied over theory
– Focus on helping you get what you need to accomplish your job
A “hands-on” course
– Have your PeopleSoft environment ready for your own exploration
Controls:
– Online Security (access to pages)
• Including programmatic online access (fields hidden, etc)
– Process (Batch) Security
• What processes can be run
• How users interact with Process Scheduler
– PeopleTools
• Access to each tool
• Access to types of objects
• Migration, code control
• Definition Security: Access to specific objects
– Query
• Access to PS Query
• Types of operations allowed
• Row-Level Security
Security Overview
Users > Roles > Permission Lists
Special Permission Lists: User > Permission List
Online Security Visualized (diagram)
User Profile: Process Profile (Perm List), Primary Perm List, Navigator Homepage, Row Security
Roles
Permission Lists: Page (Online) Access, Tools Access, Sign-On Times, CI Perms, Web Services, Query Access
Security
One for each user
Can either create from scratch or copy existing
Where special permission list associations are made (see next)
User Profiles
PeopleTools > Security > User Profiles > Copy User Profiles
PeopleTools > Security > User Profiles > User Profiles
Defined at the User Profile level
– Associated directly with a User, not their Role, like other permission lists
Navigator Homepage
– Pulls the “Navigator Homepage” business process defined for the specified
permission lists
Process Profile
– Used for batch process security: authorizes users to view output, update run
locations, and restart processes
– Required for running any batch process
Primary
– Users inherit Sign-in Timeouts, mass change definitions, definition security and
additional (configurable by module) settings from here.
Row Security
– Used within the application for data permission security, “by class*”
User Profile Permission Lists
Container for Permission Lists
Connects Users to Permission Lists
Roles: Overview
Role A
PermList1
PermList2
User
Role B
PermList4
PermList5
PermList1
Add Permission Lists to the Role
Review members in the Members tab
Roles: Assigning Members
Basic building block of online security
Attaches either to Roles or directly to a User Profile
Detailed permission list access is added to PSAUTHITEM (by CLASSID)*
Access to each of the major areas in PeopleSoft:
– Query security profile
– Query access groups
– Portal/Page Access authority
– Process security groups
– Sign in times
– Windows development tools
– Component interfaces
– Message channels
– Web libraries, Web Services
– Personalizations
– Ability to receive passwords via email
Permission Lists: Overview
Grants access to pages
Pages are only accessed through the path from Menu to Component
This can be very confusing, and is a product of the legacy mapping of
menu items to components before PS 7.5 (inception of the portal)
Permission Lists: Online Security
Summary of all Security Queries
Also within each of the major object definitions (Permission List, Role,
User, etc.)
Open the queries (the name of the query is at the top of the page when you click
on the link to run it) and review the actual SQL/tables
– Refer near the end of this presentation for a summary of all security-related tables
– Also see Security ERD included as part of class deliverables
Security Queries
PeopleTools > Security > Common Queries
Any means of limiting access to some of the data in an area
– For example, allowing users to only see invoices within their Business Unit
Implemented in multiple ways within the system
– Automatic: Restrictions are applied via PeopleTools when following specific design
steps
• Impacts both search records for components and records used in PS Query
– Application Level: Within HR, application modules have pre-built mechanisms to
restrict by Business Unit, Department, User, Class, and more
– Custom: Any mechanism could be developed using PeopleTools to tailor data
access to your specific need
Row-Level Security: Overview
Requirements
– One of the following fields as key:
• OPRID (User ID)
• OPRCLASS (Primary Permission List on User Profile)
• ROWSECCLASS (Row Security Permission List on User Profile)
– That field should NOT be a list-box item
Results
– PeopleSoft Query
• Any query using this record automatically has filtering criteria appended to its WHERE
clause, restricting each included field to match the current user
• For example: A Query on PSOPRCLS will automatically append “where OPRID = {this
userid} and OPRCLASS = {primary perm list for this user}”
– Search Record for a Component
• The same filtering described for Query is also applied to the search results for the
page; only in this case, the filtering is hidden from the user*
Row-Level Security: Automatic (Query and Search Record)
Special row-level security which is unique to HCM
Configured here:
Setup depends on whether you are securing by Dept Tree or other data
HCM Row Security: Core Row Level Security (In Brief!)
Set Up HCM > Security > Core Row Level Security
Security by | Dept Tree | All Other Data
Controlled by | Row Security Perm on User Profile | Perms in any Role assigned to the user
Assigning Data to Permission | * Security by Dept Tree | * Security by Perm. List
Refresh Process | * Refresh SJT_CLASS_ALL, * Refresh SJT_OPR_CLS | * Refresh SJT_OPR_CLS
*All navigations start with:
Set Up HCM > Security > Core Row Level Security >
Create/Modify a DEPT_SECURITY tree for each SETID
– Provides the organization (roll-up hierarchy)
– Requires these fixed values:
– Name: DEPT_SECURITY, Structure ID: DEPARTMENT
Edit Dept Tree access by Permission List
- Enter the Row Security Permission List (set on User Profile - General)
- Add each SETID/NODE, and indicate if you are granting or restricting access
(Access Code)
Run the process to refresh the security cross-ref table in the database
– Used by the security views which restrict data by user
HCM Row Security: Changing Dept Tree Access
Set Up HCM > Security > Core Row Level Security > Security by Dept Tree
Set Up HCM > Security > Core Row Level Security > Refresh SJT_CLASS_ALL
Tree Manager > Tree Manager
Query Security Record is frequently used to restrict Query access to
sensitive data
These records typically return which departments the user can access, as defined via
“Core Row Level Security”.
PS Query joins to this record (along the matching keys) when the query runs and applies
the tools filter (OPRID or OPRCLASS = …) to the SQL.
– Click View SQL to verify this for yourself.
Row-Level Security: Query Security Record (HCM)
In App Designer, open Record EMPLOYEES
Open Record Properties to the Use tab
– Query Security Record: EMPLMT_SRCH_QRY
Open EMPLMT_SRCH_QRY, then right-click to open EMPL_QRY_SBR
Note: Joins on matching keys, OPRID is key but NOT a List Box Item
Query Security Record: HCM Example
Navigate to Query Manager
Click to create new Query
Add record EMPLOYEES
Add these fields
– EMPLID
– NAME
– SETID_DEPT
– DEPTID
– SETID_LOCATION
– LOCATION
Query Example: Employees (Build)
Click “View SQL”
Automatically added:
– Join to Query Security Record
– Filter on the current User ID
Query Example: Employees (Verify Data Restriction)
Save the Query
– Save it as Private
– Place it in the folder “EOY_Reports”
Query Example: Employees (Save)
Criteria Tab: Add Criteria
Select field “LOCATION”
Query Example: Employees (Prompt)
Click the “Run” tab
Enter “K1GLCCA” for the Location (Demo data)
Review the output
Bonus: Change Dept security and re-run!
– Hint: See earlier slide “Changing Dept Tree Access”
Query Example: Employees (Run and Inspect)
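Added example (not part of the original course material): a small SQLite model of what the "View SQL" step shows, where the user's query on EMPLOYEES gains a join to the Query Security Record and a filter on the current user ID. Column sets are simplified, DEMO_DEPT_ACCESS is a hypothetical stand-in for the refreshed security cross-reference tables, and all rows are constructed.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data; columns are simplified, not the delivered definitions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE PS_EMPLOYEES (EMPLID TEXT, NAME TEXT, SETID_DEPT TEXT, DEPTID TEXT);
    -- Hypothetical stand-in for the cross-reference the refresh process maintains:
    -- which user may see which department.
    CREATE TABLE DEMO_DEPT_ACCESS (OPRID TEXT, SETID TEXT, DEPTID TEXT);
    -- Query security record: OPRID is a key, plus the key it shares with EMPLOYEES.
    CREATE VIEW PS_EMPLMT_SRCH_QRY AS
      SELECT S.OPRID, E.EMPLID
      FROM PS_EMPLOYEES E JOIN DEMO_DEPT_ACCESS S
        ON S.SETID = E.SETID_DEPT AND S.DEPTID = E.DEPTID;
    INSERT INTO PS_EMPLOYEES VALUES
      ('E001', 'Adams,Ann', 'SHARE', '10100'),
      ('E002', 'Baker,Ben', 'SHARE', '10200'),
      ('E003', 'Chen,Cy',   'SHARE', '10100'),
      ('E004', 'Diaz,Dee',  'SHARE', '10300');
    INSERT INTO DEMO_DEPT_ACCESS VALUES
      ('ALICE', 'SHARE', '10100'), ('ALICE', 'SHARE', '10200'),
      ('BOB',   'SHARE', '10300');
    """)
    return db

# What the user built in Query Manager: no security criteria of their own.
USER_SQL = "SELECT A.EMPLID, A.NAME, A.DEPTID FROM PS_EMPLOYEES A"

def secured_sql(user_sql, alias="A", sec_record="PS_EMPLMT_SRCH_QRY"):
    """Append the security-record join and the OPRID filter to the user's SQL."""
    sec = alias + "1"
    return (f"{user_sql}, {sec_record} {sec} "
            f"WHERE {alias}.EMPLID = {sec}.EMPLID "
            f"AND {sec}.OPRID = :oprid ORDER BY {alias}.EMPLID")

def run_as(db, oprid):
    """Rows the same saved query returns for a given signed-on user."""
    return db.execute(secured_sql(USER_SQL), {"oprid": oprid}).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    print(secured_sql(USER_SQL))
    for user in ("ALICE", "BOB", "CAROL"):
        print(user, run_as(db, user))
```

Deleting or adding rows in DEMO_DEPT_ACCESS and calling run_as again mirrors the "change Dept security and re-run" exercise: the query text is unchanged, only the rows returned differ.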
Copying (Sharing) a Query with another user
– From search results, click to select, then choose “Copy to User”
– Note: You can only copy private queries
Using Query folders
– Helps to organize your queries (similar to file folders)
– Assigning:
• Specify the folder during save
• Move Query to a Folder using similar steps as “Copy to User” (above)
Managing Queries: Organizing in Folders and Copying
Static vs Dynamic Groups
– Use dynamic when you want membership to change automatically
• Refreshed before a batch process or online per request
– Static Group members do not change until directly modified
Defined here:
Add/Remove Groups to multiple Permission Lists
– Use “Security by Group” tab in either config page above
Review current members
– Use “Current Group Members” tab in either config page above
TL Row-Level Security (in brief!) - 1
Set Up HCM > Security > Time and Labor Security > Static Group
Set Up HCM > Security > Time and Labor Security > Dynamic Group
Assigning groups to Permission Lists
Open by Row Security Permission List
Add/Change Static and Dynamic
Groups
TL Row-Level Security (in brief!) - 2
Set Up HCM > Security > Time and Labor Security > TL Permission List Security
Updating Group Members
– Dynamic:
• Automatically refreshed (using current group definition) on each batch process
• Online pages do not trigger this update
• Can be forced to update on request:
o Option 1: Trigger online across all dynamic groups:
o Option 2: Click “Refresh Dynamic Group” on the Current Group Members tab
– Static:
• Click “Add to Group” within the Selection Criteria page
• Directly modify members in the Current Group Members tab
TL Row-Level Security (in brief!) - 3
Set Up HCM > Security > Time and Labor Security > Refresh Dynamic Group
Frequently faster to use than the online tools
Quickly find any combination of criteria by querying the appropriate
tables
Security Tools Tables
Security Tables | Keyed by | Purpose
PSOPRDEFN | OPRID | Operator definition
PSROLEUSER | ROLEUSER (OPRID), ROLENAME | User to Role Relationship
PSROLECLASS | ROLENAME, CLASSID | Role to Permission List Relationship
PSAUTHITEM | CLASSID, MENUNAME, BARNAME, BARITEMNAME, PNLITEMNAME | Perm List to each individual authorization
PS_ROLEXLATOPR | ROLEUSER (OPRID) | Everything on the Workflow tab, including email, supervisor (for routing)
PSCLASSDEFN | CLASSID | Permission List Definition
PSROLEDEFN | ROLENAME | Role Definition
PSPGEACCESSDESC | AUTHORIZEDACTIONS | Access descriptions
PSMENUITEM | MENUNAME, BARNAME, BARITEMNAME | Has the menu item details – useful to find the menu details for any component (PNLGRPNAME)
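Added example (not part of the original course material): an access review that walks the User > Role > Permission List chain through PSROLEUSER, PSROLECLASS and PSAUTHITEM to list who can reach a menu item and by which path. Only the key columns listed above are modelled, in an in-memory SQLite database; every user, role, permission list and menu name is constructed.

```python
import sqlite3

def build_security_db():
    """Constructed rows; only the key columns from the table above are modelled."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT);
    CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
    CREATE TABLE PSAUTHITEM (CLASSID TEXT, MENUNAME TEXT, BARNAME TEXT,
                             BARITEMNAME TEXT, PNLITEMNAME TEXT);
    INSERT INTO PSROLEUSER VALUES
      ('ALICE', 'DEMO_HR_ADMIN'), ('ALICE', 'DEMO_AUDITOR'),
      ('BOB', 'DEMO_AUDITOR'), ('CAROL', 'DEMO_EMPLOYEE');
    INSERT INTO PSROLECLASS VALUES
      ('DEMO_HR_ADMIN', 'DEMO_PL_HR'), ('DEMO_AUDITOR', 'DEMO_PL_SEC'),
      ('DEMO_EMPLOYEE', 'DEMO_PL_ESS');
    INSERT INTO PSAUTHITEM VALUES
      ('DEMO_PL_HR',  'DEMO_MENU_HR',  'USE', 'JOB_DATA',      'JOB_DATA1'),
      ('DEMO_PL_SEC', 'DEMO_MENU_SEC', 'USE', 'USER_PROFILES', 'USER_GENERAL'),
      ('DEMO_PL_HR',  'DEMO_MENU_SEC', 'USE', 'USER_PROFILES', 'USER_GENERAL'),
      ('DEMO_PL_ESS', 'DEMO_MENU_ESS', 'USE', 'MY_PROFILE',    'MY_PROFILE1');
    """)
    return db

# Start from the authorization and walk back up to the users who inherit it.
ACCESS_PATHS = """
SELECT DISTINCT RU.ROLEUSER, RU.ROLENAME, RC.CLASSID
FROM PSAUTHITEM AI
JOIN PSROLECLASS RC ON RC.CLASSID = AI.CLASSID
JOIN PSROLEUSER RU ON RU.ROLENAME = RC.ROLENAME
WHERE AI.MENUNAME = ? AND AI.BARITEMNAME = ?
ORDER BY RU.ROLEUSER, RU.ROLENAME, RC.CLASSID
"""

def access_paths(db, menuname, baritemname):
    """Every (user, role, permission list) chain that reaches the menu item."""
    return db.execute(ACCESS_PATHS, (menuname, baritemname)).fetchall()

def redundant_grants(db, menuname, baritemname):
    """Users who reach the item through more than one chain (review candidates)."""
    counts = {}
    for oprid, _role, _classid in access_paths(db, menuname, baritemname):
        counts[oprid] = counts.get(oprid, 0) + 1
    return sorted(user for user, n in counts.items() if n > 1)

if __name__ == "__main__":
    db = build_security_db()
    for row in access_paths(db, "DEMO_MENU_SEC", "USER_PROFILES"):
        print(row)
    print("multiple paths:", redundant_grants(db, "DEMO_MENU_SEC", "USER_PROFILES"))
```

A user listed by redundant_grants keeps access even after one role is removed, which is the case an access review most often misses.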
PeopleBook: Security Administration
– The PDF is included as part of your class deliverables
PeopleSoft HCM 9.2 > Application Fundamentals >
– Understanding PeopleSoft Security
– Understanding Data Permission Security
PeopleSoft HCM 9.2 > PeopleSoft Time and Labor >
– Understanding Static and Dynamic Groups
Via My Oracle Support
– Whitepapers
– Knowledge Base
– Last Resort: Open a case
Getting More Help: PeopleBooks