7/31/2019 Dynamic Role Rule Security
1/36
Copyright 2003 - The Revere Group. All Rights Reserved.
PeopleSoft Security
Dynamic Role Rules
Presenter: Shawn Huffman, Technical Specialist at The Revere Group
Presentation Outline
Introduction 2 minutes
Terminology 5 minutes
What are dynamic role rules? 5 minutes
Benefits of implementing dynamic role based security 5 minutes
Technical Overview/Configuration 2 minutes
Example/Demo 20 minutes
Close 2 minutes
Q&A 20 minutes
Components of PS 8 Security
Three major building blocks used when defining your PeopleSoft security
User Profiles
Roles
Permission Lists
User Profiles
Define the individual users of your PeopleSoft system
Set of data describing a particular user of your PeopleSoft system
Information about the user such as e-mail address, language code, and password
Assign process profiles, row-level security or business unit security at the User Profile level
User Profiles are linked to Roles to grant access to specific areas within the PeopleSoft application
Roles
Roles are assigned to User Profiles
Intermediate objects that link User Profiles to Permission Lists
Multiple roles can be assigned to a single User Profile
Examples: Applicant, Employee, Vendor, Accounts Payable Clerk, and Manager
Roles allow you to mix and match access to your PeopleSoft system
Roles can be assigned to User Profiles manually or dynamically
Permission List
Lowest level of PeopleSoft security
Grants access to pages, PeopleTools, and sign-on times
Assign actions such as Add, Update/Display, and Correction
The fewer Permission Lists used, the more modular and scalable your PS security will be
Multiple Permission Lists can be assigned to a single role
Granularity allows you to mix and match
Components of PS 8 Security
[Diagram labels: Permission Lists, Process Monitor, Query, AP Entry, Vendors Display Only, PS User, Roles, AP Clerk, User Profile]
What are dynamic role rules?
The assignment of roles to User Profiles based on your business rules
These business rules run against system(s) to assign PeopleSoft access
Business rule data can reside in a number of places:
PeopleSoft data
3rd party systems
LDAP
Allows your PeopleSoft security structure to change in an automated fashion
The dynamic role rule process removes and grants access to User Profiles
Methods - Assigning dynamic role rules
There are three technologies you can use to execute your business rules:
PS/Query
LDAP Plug-in
PeopleCode
One, two, or all three of the technologies listed above can be used
Building Role Rules - PS/Query
PeopleSoft recommends using PS/Query to build role rules if the membership data resides in your PeopleSoft database
Access is removed or granted based on the User Profile IDs retrieved by the query
Can be built on Queries and/or Views
Business rules can be built into the View and/or Query
Assigning Roles - LDAP
Organizations that currently have LDAP directory server groups defined
Plug into current LDAP configuration
Leverages existing directory groups/roles
Easier to maintain
Single directory server leveraged by multiple applications
Single point of maintenance reduces the risk of user information getting out of synch
Involves PeopleCode expertise/coding
Assigning Roles - PeopleCode
Membership data not contained within the PS database
Data might exist on other 3rd party systems
Extremely flexible
SQLExec functions
Business Interlinks
Component Interfaces
Static role assignments
Roles are assigned to User Profiles manually
Not scalable
All security changes require manual intervention
High administration costs
High margin for human error
Benefits - Dynamic role rules
Roles are assigned to User Profiles programmatically
Scalable (internet friendly)
Less manual work for the PeopleSoft Security Administrator
Eliminating static assignment decreases administration costs
Reduces risk of human error
Lessens the load of calls on your help desk
Audit reporting is simplified
Schedule your rule execution based on your environment
Application Messaging
DYNROLE_PUBL publishes messages when assigning dynamic role rules
The DYNROLE_PUBL Application Engine does not update the database directly
Application Server must be configured to handle Application Messaging
Status of the Application Messages is viewed in the Application Messaging Monitor
Administrator must monitor the Application Messages to correct invalid data or errors
DYNROLE_PUBL Execution
[Diagram labels: PS Database, DYNROLE_PUBL Application Engine, User List, ROLESYNC_MSG, Publish, Database Update]
Technical Setup - Application Server
Publish and Subscribe servers need to be configured on the application server
Demo
Dynamic Role Rules using PS/Query
Example - Steps for creating PS/Query rules
Define the business rules
Create a view that retrieves a list of OPRIDs
Create a query (ROLEQRY) that selects from the view
Attach the ROLEQRY to the Role in Maintain Security
Execute DYNROLE_PUBL
Check Application Message Monitor
View Results!!
Example - PS/Query Rules
Dynamically grant access to the Payroll Administrator role
Job codes that perform the Payroll Administrator role are KC006 and KC008
Create a view that selects all OPRIDs that have a job code of KC006 or KC008 on their current job record
Save the view as SPH_PAYROLL_ADM
Creating the View
SELECT B.OPRID
FROM PS_JOB A, PSOPRDEFN B
WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT)
FROM PS_JOB A_ED
WHERE A.EMPLID = A_ED.EMPLID
AND A.EMPL_RCD = A_ED.EMPL_RCD
AND A_ED.EFFDT
Creating the View
Don't forget the following:
Build the view
Add the SPH_PAYROLL_ADM view to one of your security trees
The query driving the dynamic role rules will be built using SPH_PAYROLL_ADM
Create the Query
Create a new query, selecting OPRID from SPH_PAYROLL_ADM
WHERE logic can be maintained in the view or in the query
Note: When saving the query, it must be saved as a PUBLIC ROLEQRY
Saved query as PAYROLL_ADM_ROLE_RULE
Creating the Query
Assign the Query to the Role
Navigate to PeopleTools > Maintain Security > Use > Roles
Open the Payroll Administrator role
Click on the Dynamic Members tab
Click on the Query Rule Enabled checkbox
Populate the Query Rule textbox with PAYROLL_ADM_ROLE_RULE
Save the role
Execute DYNROLE_PUBL AE
Navigate to PeopleTools > Maintain Security > Process > Execute Role Rules
Enter the server name (PSNT)
Click on Execute Dynamic Role Rules
The pushbutton initiates the DYNROLE_PUBL application engine process
Process Monitor will display Success when the application engine process completes
Application Message Monitor
DYNROLE_PUBL application engine publishes messages to ROLESYNCH_MSG
Click on App Msg Monitor to view the status of the messages
Application Message Monitor
The Application Message Monitor displays the different types of messages and the status
Messages move from New to Done as they are processed
Assignment of the dynamic role rules is not complete until each of the messages is out of New status
Click on the Refresh pushbutton to watch the message process
View the Dynamic Members
Dynamic members attached to the role can be viewed when looking at the role definition
Navigate to PeopleTools > Maintain Security > Use > Roles
Click on the Dynamic Members tab
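
An added example, not part of the original presentation: the Payroll Administrator rule described in the demo, run against constructed rows in an in-memory SQLite database and compared with current role membership to show which OPRIDs a rule run would grant and which it would remove. The join on EMPLID, the as-of date cutoff, the simplified table layouts, the sample rows and the helper names are assumptions; the view text on the slide is cut off, and DYNROLE_PUBL itself is not reproduced here.

```python
import sqlite3

ROLE = "Payroll Administrator"        # role name from the slides
RULE_JOBCODES = ("KC006", "KC008")    # job codes from the slides

# Constructed sample data (not from the presentation).
JOB_ROWS = [  # EMPLID, EMPL_RCD, EFFDT, JOBCODE
    ("1001", 0, "2002-01-01", "KC006"),  # still a payroll administrator
    ("1002", 0, "2001-06-01", "KC008"),
    ("1002", 0, "2003-02-01", "KC100"),  # moved out of payroll: latest row wins
    ("1003", 0, "2003-01-15", "KC008"),  # new payroll administrator
    ("1004", 0, "2002-03-01", "KC006"),
    ("1004", 0, "2099-01-01", "KC100"),  # future-dated row must be ignored
]
OPR_ROWS = [("ALICE", "1001"), ("BOB", "1002"), ("CAROL", "1003"), ("DAVE", "1004")]
CURRENT_MEMBERS = {"ALICE", "BOB"}     # role holders before the rule runs

# Assumed rule query: current job row = latest EFFDT on or before the as-of date.
RULE_SQL = """
SELECT B.OPRID
FROM PS_JOB A, PSOPRDEFN B
WHERE A.EMPLID = B.EMPLID
  AND A.JOBCODE IN (?, ?)
  AND A.EFFDT = (SELECT MAX(A_ED.EFFDT) FROM PS_JOB A_ED
                 WHERE A.EMPLID = A_ED.EMPLID
                   AND A.EMPL_RCD = A_ED.EMPL_RCD
                   AND A_ED.EFFDT <= ?)
"""

def rule_members(as_of):
    """OPRIDs whose current job row (as of the given date) has a rule job code."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PS_JOB (EMPLID, EMPL_RCD, EFFDT, JOBCODE)")
    db.execute("CREATE TABLE PSOPRDEFN (OPRID, EMPLID)")
    db.executemany("INSERT INTO PS_JOB VALUES (?,?,?,?)", JOB_ROWS)
    db.executemany("INSERT INTO PSOPRDEFN VALUES (?,?)", OPR_ROWS)
    return {row[0] for row in db.execute(RULE_SQL, (*RULE_JOBCODES, as_of))}

def reconcile(current, wanted):
    """Return (grants, removals) that bring role membership in line with the rule."""
    return sorted(wanted - current), sorted(current - wanted)

if __name__ == "__main__":
    grants, removals = reconcile(CURRENT_MEMBERS, rule_members("2003-07-01"))
    print(ROLE, "grant:", grants, "remove:", removals)
```

BOB loses the role because his latest job row no longer carries a rule job code, while DAVE keeps it because his only non-payroll row is dated in the future.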
View the User Profile
Summary
Drive down PeopleSoft Administration costs by implementing dynamic role rules
Define your business rules
Develop your dynamic roles based on the business rules defined by your organization
Three technologies used to develop dynamic roles
PS/Query
PeopleCode
LDAP
Start small
Mix and match dynamic and static
Dynamically assign PS/Query or Process Monitor
Questions and Answers
Q&A
Shawn Huffman contact info: