Scribd Logo
Upload

Welcome to Scribd!

  • 91 views

    Peoplesoft Security

    Uploaded by

    Rohit Joshi
    PeopleSoft Security

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Peoplesoft Security

    Uploaded by

    Rohit Joshi
    91 views10 pages
    PeopleSoft Security

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    PeopleSoft Security

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    91 views10 pages

    Peoplesoft Security

    Uploaded by

    Rohit Joshi
    PeopleSoft Security

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    UnderstandingPeopleSoftSecurity
    Thischapterdiscusses:
    Securitybasics.
    PeopleSoftonlinesecurity.
    PeopleSoftauthorizationIDs.
    PeopleSoftsignin.
    Implementationoptions.

    SecurityBasics
    Securityisespeciallycriticalforcorebusinessapplications,suchasPeopleSoftapplications.Typically,youdo
    notwanteverydepartmentinyourcompanytohaveaccesstoallyourapplications.Nordoyouwanteveryone
    withinadepartmenttohaveaccesstoallthefunctionsorallthedataofaparticularapplication.Additionally,
    youmaywanttorestrictwhocancustomizeyourapplicationswithPeopleTools.
    PeopleSoftsoftwareprovidessecurityfeatures,includingcomponentsandPeopleToolsapplications,toensure
    thatyoursensitiveapplicationdata,suchasemployeesalaries,performancereviews,orhomeaddresses,does
    notfallintothewronghands.Mostlikely,youuseothersecuritytoolsforyournetworkandrelationaldatabase
    managementsystem(RDBMS).ThesetoolsworktogethertoprotectthePeopleSoftsystemfromunauthorized
    access.
    AsyouimplementthePeopleSoftInternetArchitecture,youneedarobustandscalablemeansbywhichyou
    cangrantauthorizationtousersefficiently.Whenyoudeployyourapplicationstotheinternet,thenumberof
    potentialusersofyoursystemincreasesexponentially.Suddenly,youhavecustomers,vendors,suppliers,
    employees,andprospectsallusingthesamesystem.
    ThePeopleSoftsecurityapproachistailoredfortheinternet.Itenablesyoutoeasilycreateandmaintain
    securitydefinitions,andyoucanperformmanymaintenancetasksprogrammatically.
    Youcanapplysecuritytoallusers,includingemployees,managers,customers,contractors,andsuppliers.You
    groupyourusersaccordingtorolestogivethemdifferentdegreesofaccess.Forinstance,theremightbean
    Employeerole,aManagerrole,andanAdministratorrole.Userswhobelongtoaparticularrolerequirea
    specificsetofpermissions,orauthorizations,withinyoursystem,sothattheycancompletetheirdailytasks.
    YoumustalsosecuretheobjectsanddefinitionsinyourPeopleSoftdevelopmentenvironment.Justasyou
    restrictsetsofendusersfromaccessingparticularpagesandcomponents,youalsorestrictthedefinitionsthat
    yoursitesdeveloperscanaccessusingPeopleSoftApplicationDesigner.Adefinitionreferstoanyofthe
    definitionsthatyoucreatewithinPeopleSoftApplicationDesigner,suchasrecords,pages,orcomponents.
    Eachobjectdefinitionmayhaveindividualsecurityneeds.Forexample,youmayhavealargedevelopment
    staff,butperhapsyouwantonlyafewdeveloperstohaveaccesstospecificrecorddefinitions.
    PeopleSoftSecurityDefinitions
    Becausedeployingyourapplicationstotheinternetsignificantlyincreasesthenumberofpotentialusersyour
    systemmustaccommodate,youneedanefficientmethodofgrantingauthorizationtodifferentusertypes.
    PeopleSoftsecuritydefinitionsprovideamodularmeanstoapplysecurityattributesinascalablemanner.
    AsecuritydefinitionreferstoacollectionofrelatedsecurityattributesthatyoucreateusingPeopleTools
    Security.ThethreemainPeopleSoftsecuritydefinitiontypesare:
    Userprofiles.
    Roles.
    Permissionlists.
    Note.APeopleSoftsecuritydefinitioncalledanAccessProfilealsoexists,butthesearedefinedatthe
    databaselevel.
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    1/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    UserProfiles
    UserprofilesdefineindividualPeopleSoftusers.
    Eachuserhasanindividualuserprofile,whichinturnislinkedtooneormoreroles.Youaddoneormore
    permissionlists,whichultimatelycontrolwhatausercanandcannotaccess,toeachrole.Afewpermission
    typesareassigneddirectlytotheuserprofile.
    Typically,auserprofilemustbelinkedtoatleastoneroleinordertobeavalidprofile.Themajorityofvalues
    thatmakeupauserprofileareinheritedfromthelinkedroles.
    Roles
    Rolesareintermediateobjectsthatlinkuserprofilestopermissionlists.Youcanassignmultiplerolestoauser
    profile,andyoucanassignmultiplepermissionliststoarole.SomeexamplesofrolesmightbeEmployee,
    Manager,Customer,Vendor,andStudent.
    Amanagerisalsoanemployeeandmayalsobeastudent.Rolesenableyoutomixandmatchaccess
    appropriately.
    Youhavetwooptionswhenassigningroles:assignrolesmanuallyorassignthemdynamically.Whenassigning
    rolesdynamically,youusePeopleCode,LDAP,andPeopleSoftQueryrulestoassignuserprofilestoroles
    programmatically.
    PermissionLists
    Permissionlistsaregroupsofauthorizationsthatyouassigntoroles.Permissionlistsstoresignintimes,page
    access,PeopleToolsaccess,andsoon.
    Apermissionlistmaycontainoneormoretypesofpermissions.Thefewertypesofpermissionsinapermission
    list,themoremodularandscalableyourimplementation.
    Auserprofileinheritsmostofitspermissionsthroughroles,butyouapplysomepermissionlists,suchas
    processprofileorrowlevelsecurity(datapermissions),directlytoauserprofile.
    SeeAlso
    OracleMetaLink3website.

    PeopleSoftOnlineSecurity
    ThePeopleSoftsystemhasmanyelements,suchasbatchprocesses,objectdefinitions,andapplicationdata.
    UsePeopleToolssecuritytoolstocontrolaccesstomostoftheseelements.Tosecureotherelements,youuse
    applicationspecificinterfaces,suchasAdministerSecurity.
    Thissectiondiscusses:
    Signinandtimeoutsecurity.
    Pageanddialogboxsecurity.
    Batchenvironmentsecurity.
    Definitionsecurity.
    Applicationdatasecurity.
    PeopleSoftInternetArchitecturesecurity.

    SigninandTimeoutSecurity
    WhenauserattemptstosignintoPeopleSoft,heorsheentersauserIDandapasswordonthePeopleSoft
    Signonpage.IftheIDandpasswordarevalid,PeopleSoftconnectstheusertotheapplication,andthesystem
    retrievestheappropriateuserprofile.
    Iftheuserattemptstosigninduringaninvalidsignintimeasdefinedintheuser'ssecurityprofile,heorsheis
    notallowedtosignin.Asignintimeisanadjustableintervalduringwhichauserisallowedtosigninto
    PeopleSoft.Forexample,ifagivensignintimeisMondaythroughFridayfrom7a.m.to6p.m.forasetof
    users,thoseuserscannotaccessaPeopleSoftapplicationonSaturdayoronFridayat6:05p.m.Ifauseris
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    2/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    signedinwhenthesigninperiodexpires,PeopleSoftsignstheuseroutautomatically.
    Aftersigningin,ausercanstayconnectedaslongasthesignintimeallowsandaslongasthebrowserdoes
    notsitidleforlongerthanthetimeoutinterval.Atimeoutintervalspecifieshowlongtheusersmachinecan
    remainidlenokeystrokes,noSQLbeforethePeopleSoftsystemautomaticallysignstheuseroutofthe
    application.
    YouspecifyboththesignintimesandtimeoutintervalusingPeopleToolsSecurity.
    Note.Othertimeoutintervals,unrelatedtosecurity,arecontrolledbyyourwebserverandbyPeopleSoftPure
    InternetArchitecturecomponents.

    PageandDialogBoxSecurity
    YoucanrestrictaccesstoPeopleSoftmenus.Youcansettheaccessrightstotheentiremenu,suchas
    AdministerWorkforceorPeopleToolsSecurity,orjustaspecificitemonthatmenu.Becausetheonlynormal
    waytoaccessaPeopleSoftpageisthroughamenu,ifauserhasnoaccesstoaparticularmenuormenuitem,
    thenyouhaveeffectivelyrestrictedthatuser'saccesstothecorrespondingpage.
    Youcanalsorestrictaccesstospecificactionsorcommandsonapage.Forexample,youmaywantaclerkin
    yoursalesofficetobeabletoaccesscontractdatabutnotbeabletoupdatethedata.Inthiscase,yougrant
    accesstothesetofpages,butyouallowdisplayonlyaccessonly.Inthiscase,theclerkcannotupdateor
    correctanydata.Thisapproachenablesuserstogettheirworkdonewhilemaintainingthesecurityandintegrity
    ofyourbusinessdata.

    BatchEnvironmentSecurity
    IfaparticularusermustrunbatchprocessesusingPeopleSoftProcessScheduler,assigntheappropriate
    processprofiletotheuserprofileandcreateprocessgroupsforyourprocesses.Auserreceivesbothprocess
    groupandprocessprofileauthorizationsthroughpermissionlists.Ausergetspermissiontoprocessgroups
    throughroles,andtheygetaprocessprofilethroughtheprocessprofilepermissionlist.
    Note.Youaddtheprocessprofilepermissionlistdirectlytotheuserprofile,nottoanintermediaryrole.
    ProcessSecurity
    BecausePeopleSoftapplicationstakeadvantageofotherapplications,suchasSQRandCOBOL,yourbatch
    processesshouldberuninasecureenvironment.
    Thethreelevelsofsecurityforbatchprogramsare:
    Eachbatchprogramhasaruncontrolthatyoudefinebeforeyoucanrunthebatchprogram.
    RuncontrolsaresetupusingPeopleSoftProcessScheduler.
    PeopleSoftProcessSchedulerenablesyoutosetupprocessgroups,whicharegroupsofbatch
    processes.
    InPeopleToolsSecurity,youaddprocessgroupstoasecurityprofile.Userscanrunprocessesthat
    belongtotheprocessgroupsassignedtotheirsecurityprofile.
    InyourRDBMSenvironment,youcanrestrictofflineaccesstobatchprocessesusingthesecuritytools
    describedinyourplatformmanuals.
    ReportingSecurity
    PeopleSoftReportManagerusesalogicalspaceonawebservercalledtheReportRepository.PeopleSoft
    ReportManagerenablesyoutogenerateanddistributereportsovertheinternet,anditstorestheoutputinthe
    ReportRepository.Whereveryoudecidetosituateyourrepository,makesurethattheserverisprotectedfrom
    outsideaccess.EnsurethatonlythePeopleSoftsystemcanaccessanddistributethegeneratedreports.The
    ReportRepositoryservletgetsitemsfromthewebserverandputstheminthebrowser.Withreportdistribution,
    youdistributereportsandviewthemaccordingtoyourrole.
    PeopleSoftdeliverstheserolesforthespecificuseinreporting:
    ReportDistAdmin
    ReportSuperUser
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    3/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    DefinitionSecurity
    UseDefinitionSecuritytogovernaccesstodatabaseobjectdefinitions,suchasrecorddefinitions,field
    definitions,andpagedefinitions,andtoprotectparticularobjectdefinitionsfrombeingmodifiedbycertain
    developers.

    ApplicationDataSecurity
    Definitionsecurityisaformofdatasecurityyouuseittocontrolaccesstoparticularrowsofdata(object
    definitions)inPeopleToolstables.PeopleSoftsoftwarealsoprovidesothermethodstocontroltheapplication
    datathatauserisallowedtoaccessinthePeopleSoftsystem.Thistaskisalsoknownassettingdata
    permissions.
    Withapplicationdatasecurity,youcansetdatapermissionsatthefollowinglevels:
    Tablelevel(forqueriesonly).
    Rowlevel.
    Fieldlevel.
    TableLevelSecurity
    YouusePeopleSoftQuerytobuildSQLqueriesandretrieveinformationfromapplicationtables.Foreach
    PeopleSoftQueryuser,youcanspecifytherecordstheuserisallowedtoaccesswhenbuildingandrunning
    queries.YoudothisbycreatingqueryaccessgroupsinPeopleSoftTreeManagerandthenassigningusersto
    thosegroupswithPeopleSoftQuerysecurity.PeopleSoftQuerysecurityisenforcedonlywhenusing
    PeopleSoftQueryitdoesnotcontrolruntimepageaccesstotabledata.
    RowLevelSecurity
    YoucandesignspecialtypesofSQLviewssecurityviewstocontrolaccesstoindividualrowsofdatastored
    withinapplicationdatabasetables.Rowlevelsecurityenablesyoutospecifythedatathataparticularuseris
    permittedtoaccess.PeopleSoftapplicationsaredeliveredwithbuiltinrowlevelsecurityfunctionsthatare
    tailoredtospecificapplications.
    Forexample,PeopleSoftHumanResourcessecuritytablesenableyoutorestrictuseraccesstoemployee
    rowsofdataaccordingtoorganizationalroles.Youcouldalsopermituserstoviewandupdaterowsfor
    employeesintheirdepartmentsonly.Similarly,inPeopleSoftFinancials,youcanusesecurityviewsto
    determineaccesstobusinessunitsandledgers.Youcanalsousesecuritytablestograntprivilegesbyaccess
    grouptouserswhousePeopleSoftQuerytoaccessdatafromthedatabase.
    Seethedocumentationforyourapplicationfordetailsaboutimplementingrowlevelsecurityforyour
    applications.
    FieldSecurity
    UsePeopleCodetorestrictaccesstoparticularfieldsorcolumnswithinapplicationtables.Forexample,ifyou
    wantacertainclassofusertobeabletoaccesscertainpagesbutnottoviewaparticularfieldonthosepages,
    suchascompensationrate,youcanwritePeopleCodetohidethefieldforthatuserclass.

    PeopleSoftInternetArchitectureSecurity
    PeopleSoftInternetArchitecturesecurityisalsoknownasruntimesecurity.Onlyauthorizeduserscanconnect
    tothewebandapplicationserver,andonlyauthorizedapplicationserverscanconnecttoagivendatabase.
    PeopleSoftsoftwareusesauthenticationtokensembeddedinbrowsercookiestoauthorizeusersandenable
    singlesigninthroughoutthesystem.Tosecurelinksbetweenelementsofthesystem,includingbrowsers,web
    servers,applicationservers,anddatabaseservers,PeopleSoftsoftwareincorporatesacombinationofSSL
    securityandOracleTuxedoandOracleJoltencryption.
    SSLisaprotocoldevelopedbyNetscapethatdefinesaninterfacefordataencryptionbetweennetworknodes.
    ToestablishanSSLencryptedconnection,thenodesmustcompletetheSSLhandshake.Thesimplifiedsteps
    oftheSSLhandshakeareasfollows:
    1. Clientsendsarequesttoconnect.
    2. Serverrespondstotheconnectrequestandsendsasignedcertificate.
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    4/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    3. Clientverifiesthatthecertificatesignerisinitsacceptablecertificateauthoritylist.
    4. Clientgeneratesasessionkeytobeusedforencryptionandsendsittotheserverencryptedwiththe
    server'spublickey(fromthecertificatereceivedinstep2).
    5. Serverusesaprivatekeytodecrypttheclientgeneratedsessionkey.
    EstablishinganSSLconnectionrequirestwocertificates:onecontainingthepublickeyoftheserver(server
    certificateorpublickeycertificate)andanothertoverifythecertificationauthoritythatissuedtheserver
    certificate(trustedrootcertificate).Theserverneedstobeconfiguredtoissuetheservercertificatewhena
    clientrequestsanSSLconnection,andtheclientneedstobeconfiguredwiththetrustedrootcertificateofthe
    certificateauthoritythatissuedtheservercertificate.
    Thenatureofthoseconfigurationsdependsonboththeprotocolbeingusedandtheclientandserverplatforms.
    InmostcasesyoureplaceHTTPwithLDAP.SSLisalowerlevelprotocolthantheapplicationprotocol,such
    asHTTPorLDAP.SSLworksthesameregardlessoftheapplicationprotocol.
    Note.EstablishingSSLconnectionswithLDAPisnotrelatedtowebservercertificatesorcertificatesusedwith
    PeopleSoftintegration.
    ThesystemusesSSLencryptioninthefollowinglocations:
    Betweenthebrowserandthewebserver.
    Betweentheapplicationserverandtheintegrationgateway.
    Betweentheintegrationgatewayandanexternalsystem.
    ThesystemusesOracleTuxedoandOracleJoltencryptionintheselocations:
    Betweenthewebserverandtheapplicationserver.
    BetweentheintegrationgatewayandaPeopleSoftsystem(OracleJoltonly).
    SecuritybetweentheapplicationserveranddatabaseissuppliedbyRDBMSconnectivity.
    PeopleSoftIntegrationBrokerandportalproductshaveadditionalsecurityconcerns,whichareaddressedinthe
    documentationforthoseproducts.
    SeeAlso
    EnterprisePeopleTools8.50PeopleBook:InternetTechnology
    EnterprisePeopleTools8.50PeopleBook:PeopleSoftIntegrationBroker

    PeopleSoftAuthorizationIDs
    ThePeopleSoftsystemusesvariousauthorizationIDsandpasswordstocontroluseraccess.Youuse
    PeopleToolsSecuritytoassigntwooftheseIDs:theuserIDandthesymbolicID.
    Thissectiondiscusses:
    UserIDs.
    ConnectID.
    AccessIDs.
    SymbolicIDs.
    Administratoraccess.
    SeeAlso
    PeopleSoftSignin

    UserIDs
    APeopleSoftuserIDistheIDyouenteratthePeopleSoftsignindialogbox.YouassigneachPeopleSoftuser
    auserIDandpassword.ThecombinationofthesetwoitemsgrantsusersonlineaccesstothePeopleSoft
    system.ThesystemcanalsouseauserIDstoredwithinanLDAPdirectoryserver.
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    5/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    TheuserIDisthekeyusedtoidentifytheuserprofiledefinition.

    ConnectID
    TheconnectIDperformstheinitialconnectiontothedatabase.
    Note.PeopleSoftnolongercreatesusersatthedatabaselevel.
    AconnectIDisavaliduserIDthat,whenusedduringsignin,takestheplaceofPeopleSoftuserIDs.Usinga
    connectIDmeansyoudonothavetocreateanewdatabaseuserforeveryPeopleSoftuserthatyouaddtothe
    system.
    Note.AconnectIDisrequiredforadirectconnection(twotierconnection)tothedatabase.Applicationservers
    andtwotierMicrosoftWindowsclientsrequireaconnectID.YouspecifytheconnectIDforanapplication
    serverintheSignonsectionofthePSADMINutility.ForMicrosoftWindowsclients,youspecifytheconnectID
    intheStartuptabofPeopleSoftConfigurationManager.YoucancreateaconnectIDbyrunningthe
    Connect.SQLandGrant.SQLscripts.
    Note.Whenperformingadatabasecompareorcopy,bothdatabasesmusthavethesameconnectID.
    Warning!WithoutaconnectIDspecified,thesystemassumestheworkstationisaccessingPeopleSoft
    throughanapplicationserver.Theoptiontooverridethedatabasetypeisdisabled.

    AccessIDs
    WhenyoucreateanyuserID,youmustassignitanaccessprofile,whichspecifiesanaccessIDand
    password.
    ThePeopleSoftaccessIDistheRDBMSIDwithwhichPeopleSoftapplicationsareultimatelyconnectedto
    yourdatabaseafterthePeopleSoftsystemconnectsusingtheconnectIDandvalidatestheuserIDand
    password.AnaccessIDtypicallyhasalltheRDBMSprivilegesnecessarytoaccessandmanipulatedatafor
    anentirePeopleSoftapplication.TheaccessIDshouldhaveSelect,Update,andDeleteaccess.
    UsersdonotknowtheircorrespondingaccessIDs.TheyjustsigninwiththeiruserIDsandpasswords.Behind
    thescenes,thesystemsignsthemintothedatabaseusingtheaccessID.
    IfuserstrytoaccessthedatabasedirectlywithaquerytoolusingtheiruserorconnectIDs,theyhavelimited
    access.UserandconnectIDsonlyhaveaccesstothefewPeopleSofttablesusedduringsignin,andthat
    accessisSelectlevelonly.Furthermore,PeopleSoftencryptsthesensitivedatathatresidesinthosetables.
    Note.Accessprofilesareusedwhenanapplicationserverconnectstothedatabase,whenaMicrosoft
    Windowsworkstationconnectsdirectlytothedatabase,andwhenabatchjobconnectsdirectlytothe
    database.AccessprofilesarenotusedwhenendusersaccessapplicationsthroughPeopleSoftPureInternet
    Architecture.DuringaPeopleSoftPureInternetArchitecturetransaction,theapplicationservermaintainsa
    persistentconnectiontothedatabase,andtheendusersleveragetheaccessIDthattheapplicationserver
    domainusedtosignintothedatabase.
    Note.PeopleSoftsuggeststhatyouonlyuseoneaccessIDforyoursystem.SomeRDBMSdonotpermit
    morethanonedatabasetableowner.IfyoucreatemorethanoneaccessID,itmayrequirefurtherstepsto
    ensurethatthisIDhasthecorrectrightstoallPeopleSoftsystemtables.

    SymbolicIDs
    PeopleSoftencryptstheaccessIDwhenitisstoredinthePeopleToolssecuritytables.Consequently,an
    encryptedvaluecannotbereadilyreferencedoraccessed.SowhentheaccessID,whichisstoredin
    PSACCESSPRFL,mustberetrievedorreferenced,thequeryselectstheappropriateaccessIDbyusingthe
    symbolicIDasasearchkey.
    ThesymbolicIDactsasanintermediaryentitybetweentheuserIDandtheaccessID.AlltheuserIDsare
    associatedwithasymbolicID,whichinturnisassociatedwithanaccessID.IfyouchangetheaccessID,you
    needtoupdateonlythereferenceoftheaccessIDtothesymbolicIDinthePSACCESSPRFLtable.Youdo
    notneedtoupdateeveryuserprofileinthePSOPRDEFNtable.

    AdministratorAccess
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    6/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    Asanadministrator,youmustcustomizeyourownuserdefinition.PeopleSoftdeliversatleastonefullaccess
    userIDwitheachdelivereddatabase.YourfirsttaskshouldbetosigninwiththisIDandpersonalizeitforyour
    needsortocreateanew,fullaccessID,beingsuretospecifyanewpassword.Youshouldchangethe
    passwordsofalldeliveredIDsassoonaspossible.
    Note.PeopleSoftdeliveredIDsandpasswordsaredocumentedinyourinstallationmanual.
    WhenyouinstallPeopleSoft,youarepromptedforanRDBMSsystemadministratorIDandpassword.This
    informationisusedtoautomaticallycreateadefaultaccessprofile.Ifyouwillbeusingmorethanoneaccess
    profile,setuptheothersbeforecreatinganynewPeopleSoftsecuritydefinitions.Mostsitesonlyuseone
    accessprofile.
    ThenumberofdatabaselevelIDsyoucreateisuptoyoursiterequirements.However,inmostcases,having
    fewerdatabaselevelIDsreducesmaintenanceissues.
    Forexample,ifyouimplementpureLDAPauthentication,ataminimumyouneedtwodatabaselevelIDsyour
    accessIDandyourconnectID.Withthisscenario,inPeopleSoftyouneedtomaintainonlyasymbolicIDto
    referencetheaccessIDandmaintainauserIDthattheapplicationserverusesduringsignin.Withthisminimal
    approach,eachuserwhoneedsatwotierconnection,torunanupgrade,forexample,couldusethesameuser
    IDthattheapplicationserveruses.

    PeopleSoftSignin
    Thissectiondiscusses:
    PeopleSoftsignin.
    Directoryserverintegration.
    AuthenticationandsignonPeopleCode.
    Singlesignon.

    PeopleSoftSignin
    ThemostcommondirectsignintothePeopleSoftdatabaseistheapplicationserversignin.
    Thesearethebasicstepsthataretakenwhentheapplicationserversignsintothedatabase:
    1. Initialconnection.
    TheapplicationserverstartsandusestheconnectIDanduserIDspecifiedinitsconfigurationfile
    (PSAPPSRV.CFG)toperformtheinitialconnectiontothedatabase.
    2. TheserverperformsaSQLSelectstatementonsecuritytables.
    AftertheconnectIDisverified,theapplicationserverperformsaSelectstatementonPeopleTools
    securitytables,suchasPSOPRDEFN,PSACCESSPRFL,andPSSTATUS.Fromthesetables,the
    applicationservergatherssuchitemsastheuserIDandpassword,symbolicID,accessID,andaccess
    password.Aftertheapplicationserverhastherequiredinformation,itdisconnects.
    3. TheserverreconnectsusingtheaccessID.
    WhenthesystemverifiesthattheaccessIDisvalid,theapplicationserverbeginsthepersistent
    connectiontothedatabasethatallPeopleSoftPureInternetArchitectureandMicrosoftWindowsthree
    tierclientsusetoaccessthedatabase.Typically,theuserssigninginusingaMicrosoftWindows
    workstationaredevelopersusingPeopleSoftApplicationDesigner.
    Note.AMicrosoftWindowsworkstationattemptingatwotierconnectionusesthesameprocessasthe
    applicationserver.
    PeopleSoftrecommendsthatallconnectivitybemadethrougheitherathreetierMicrosoftWindowsclientor
    throughthebrowser.Atwotierconnectionisnolongernecessaryotherthanfortheapplicationserver,
    PeopleSoftProcessScheduler,orforauserwhowillberunningupgradesorPeopleSoftDataMoverscripts.
    SigninPeopleCodedoesnotrunduringatwotierconnection,somaintainingtwotierusersinanLDAPserver
    isnotsupported.
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    7/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    DirectoryServerIntegration
    PeopleSoftrecognizesthatyoursiteusessoftwareproducedbynumerousvendors,andeachdifferentproduct
    requiressecurityauthorizationsforusers.Mostoftheseproductsadheretothemodelthatincludesuserprofiles
    androles(orgroups)towhichusersbelong.PeopleSoftenablesyoutointegrateyourauthenticationschemefor
    thePeopleSoftsystemwithyourexistinginfrastructure.Youcanreuseuserprofilesandrolesthatarealready
    definedwithinanLDAPdirectoryservice.
    Organizationstypicallystoreuserprofilesinacentralrepositorythatservesuserinformationforallofthe
    programsthatrequireit.ThecentralrepositoryistypicallyanLDAPdirectoryserver.
    Adirectoryserverenablesyoutomaintainasingle,centralizeduserprofilethatyoucanuseacrossallofyour
    PeopleSoftandnonPeopleSoftapplications.Thisapproachreducesredundantmaintenanceofuserinformation
    storedseparatelythroughoutyourenterprise,anditreducesthepossibilityofuserinformationgettingoutof
    synchronization.
    YoualwaysmaintainpermissionlistsandrolesusingPeopleToolsSecurity.However,youcanmaintainuser
    profilesinPeopleToolsSecurityorwithanexternalLDAPserver.
    SeeAlso
    EmployingLDAPDirectoryServices

    AuthenticationandSignonPeopleCode
    YoucanstorePeopleSoftpasswordswithinPeopleTools,inthePSOPRDEFNtable.Youcanalsostoreand
    maintainuserpasswordsandtherestoftheuserprofiledatainanLDAPdirectoryserver.PeopleSoftretrieves
    theinformationstoredinanexternaldirectoryserverusingacombinationoftheUserProfilescomponent
    interfaceandsigninPeopleCode.
    Ifyoudecidetoreuseexistinguserprofilesstoredinadirectoryserver,youdontneedtoperformdual
    maintenanceonthetwocopiesoftheuserdataonecopyintheLDAPserverandonecopyinPSOPRDEFN.
    PeopleSoftensuresthattheuserinformationstayssynchronized.IfyouconfigureLDAPauthentication,you
    maintainyouruserprofilesinLDAPandnotinPeopleToolsSecurity.
    SignonPeopleCodecopiesthemostrecentuserprofiledatafromadirectoryservertothelocaldatabase
    wheneverausersignsin.PeopleSoftapplicationsreferencetheuserinformationstoredinthePeopleSoft
    databaseratherthanmakingacalltotheLDAPdirectoryeachtimethesystemrequiresuserprofileinformation.
    SignonPeopleCodeensuresthelocaldatabasehasacurrentcopyoftheuserprofilebasedontheinformationin
    thedirectory.Eachtimetheusersignsin,signonPeopleCodecheckstoseetoseeiftherowintheuserprofile
    cacheneedstobeupdated.
    Thesigninprocessoccursasfollows:
    1. TheuserentersauserIDandpasswordonthesigninpage.
    2. PeopleToolsattemptstoauthenticatetheuseragainstthePSOPRDEFNtable.
    3. SignonPeopleCoderuns.
    ThedefaultsignonPeopleCodeprogramupdatestheuserprofilebasedonthecurrentdatastoredinthe
    directoryserver.
    YoucanusesignonPeopleCodeandbusinessinterlinkstosynchronizethelocalcopyoftheuserprofilewith
    anydatasourceatsignintimetheprogramthatshipswithPeopleToolsisdesignedtosynchronizetheuser
    profilewithanLDAPdirectoryserveronly.BecausethesigninprogramisPeopleCode,youcanmodifyit,
    incorporatinganyofthePeopleSoftintegrationtechnologiesthatPeopleCodesupports.
    ToeditthesignonPeopleCodeprogram,youopentheLDAPfunctionlibraryrecordandusethePeopleCode
    editortocustomizethePeopleCode.DeveloperswhomodifythesigninPeopleCodeprogramneedtohavea
    goodunderstandingofPeopleCodeandtheintegrationfeaturesitoffers.
    Note.OnlyuserswhosignonthroughPeopleSoftPureInternetArchitectureorthreetierMicrosoftWindows
    clientstakeadvantageofsignonPeopleCode.

    SingleSignon
    PeopleSoftPureInternetArchitectureusesbrowsercookiesforseamlesssinglesignonacrossallPeopleSoft
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    8/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    nodes.Anodereferstoadatabaseandtheapplicationserversconnectedtoit.Forexample,ausercan
    completeaPeopleSoftHumanResourcestransaction,andthenclickalinkforaPeopleSoftFinancials
    transactionwithouteverreenteringapassword.SinglesignonisespeciallyimportanttothePeopleSoftportal,
    whichaggregatescontentfromseveraldifferentapplicationsanddatasourcesintoasingle,integrateddisplay.
    SeeAlso
    WorkingwithSSLandDigitalCertificates

    ImplementationOptions
    Byusingourintegrationtechnologies,youcanconfigurePeopleSoftsecuritytoworkwithnumerousschemes.
    Thissectiondiscusses:
    Authentication.
    Roleassignments.
    Crosssystemsynchronization.

    Authentication
    ConsiderhowyouplantoauthorizeusersastheysignintoyourPeopleSoftsystem.Doyouwanttostoreand
    maintainthePeopleSoftuserpasswordswithinPeopleSoft,ordoyouplantotakeadvantageofexistinguser
    profilesinanexternaldirectoryserver?
    PeopleSoftBasedAuthentication
    Thisoptionis,generally,thewayPeopleSoftcustomershaveauthorizedusersinpreviousreleases.PeopleSoft
    userpasswordsarestoredandmaintainedsolelywithinPeopleSoft.Althoughthismethoddoesnotrequirea
    largeamountofstorage,itdoesaddadministrationissues,mainlybecausePeopleSoftpasswordsareyet
    anotherpasswordusersneedtoremember.
    WiththisoptionthereareonlytwodatabaselevelIDs,theaccessIDandtheconnectID.Thepasswordsreside
    inthePSOPRDEFNalongwiththeotheruserinformation.
    DirectoryBasedAuthentication
    YoucanalsouseacentralrepositoryforuserinformationinadirectoryserverthatusestheLDAPprotocol.
    TheadvantageofthisoptionisthatauserhasoneuserIDandpasswordthatallowsaccesstonumerous
    softwaresystems.

    RoleAssignments
    Considerhowyouplantoassignauthorizationstoyourusers.Recallthatusersinheritpermissionsthroughthe
    rolestowhichtheyareassigned.Whenyouplanyourauthorizationassignment,youarereallyplanninghowyou
    intendtoassignrolestousers.Youcanassignrolestousersintwoways:thestaticapproachandthedynamic
    approach.
    Static
    Usingthestaticapproach,youassignuserstorolesmanually.Thestaticapproachisnotscalabletothe
    thousandsofusersthatarelikelytouseyoursystemwhenyoudeployapplicationstotheinternet.
    Thestaticapproachrequiresanadministratortomaintaineachuser'ssetofroles.Forthatreason,PeopleSoft
    recommendsthatyouexploreandimplementthedynamicassignmentofroles.
    Dynamic
    Usingthedynamicapproach,thesystemassignsrolesbasedonbusinessrules.Youcanmanuallyruntherule,
    buttypically,youruntherulesfromascheduledbatchprocess.
    Supposeanemployeechangesjobsandbecomesamanagerinanewdepartment.Whenyourunyourdynamic
    rule,thesystemremovestherolesassociatedwiththeemployee'spreviouspositionandthenaddsthe
    appropriaterolesrequiredforthenewposition.Inaddition,youcanhavetherulepublishamessagetoother
    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    9/10

    24/03/2015

    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration

    nodes,suchasaPeopleSoftFinancialsnode,thatmightsubscribetochangesinthePeopleSoftHuman
    Resourcesdatabase.
    YoucanusePeopleSoftQuery,LDAP,orPeopleCodetodefinedynamicroleassignment.Ifnecessary,you
    canuseacombinedapproachwiththerulesforassigningroles.Forexample,youcanhaveonerolerulebased
    onLDAP,anotherbasedonaquery,andsoon.Youcanalsohavemultipleruletypesforonerole.Forexample,
    aManagerrolecouldbederivedpartiallyfromanLDAPruleandpartiallyfromaPeopleSoftQueryrule.Asthe
    followinglistdescribes,wheretheinformationthatdrivesyourroleassignmentsisstoreddeterminesthetypes
    ofrolerulesyouuse:
    IfthemembershipdataforyourrolesresidesinyourPeopleSoftdatabase,usePeopleSoftQueryto
    constructyourrolerules.
    OnequerycouldbeMANAGER,anotherEMPLOYEE,andsoon.Whentheruleruns,thesystem
    assignsyouremployeeuserstotheEMPLOYEEroleandthemanageremployeestotheMANAGERrole
    basedontheresultsreturnedfromthequery.
    IfyoualreadyhaveLDAPdirectoryservergroupsorganizedbyregion,department,position,andsoon,
    baseyourrulesontheexistingLDAPstructure.
    Basedonthedirectorysetupandhierarchy,yourruleassignsPeopleSoftuserstotheappropriateroles.
    PeopleSoftusesyourexistingLDAPconfiguration.Youshouldusethisroleruletypeinconjunctionwith
    LDAPauthentication.
    Ifyouhaveuserinformationinotherthirdpartysystems,suchaslegacymainframeapplicationsorUNIX
    accountgroups,usePeopleCode.
    YoucantakeadvantageoftheintegrationtechnologiesthatPeopleCodesupports,suchasbusiness
    interlinksandcomponentinterfaces.Thebusinessinterlinksretrievethedatafromtheexternalsystem
    andwriteittotheroleassignmenttablesinthePeopleSoftdatabase.

    CrossSystemSynchronization
    IfyouhavemultiplePeopleSoftsystems,considerhowtokeepuserinformationsynchronized.Synchronization
    isespeciallyimportantfortheportaldeployment,whereusersarelikelytomovefromonesystemtoanother
    seamlessly.Forinstance,aftercompletingatransactioninPeopleSoftHumanResources,ausermayclicka
    linkthattakesherdirectlytoPeopleSoftFinancials.
    Ifyouareusingdynamicroleassignment,thedynamicrolebatchprogram,bydefault,publishesamessagethat
    indicatesaparticularchange.Youneedtomakesurethatnodesthatrequiresuchinformationchangesare
    configuredtosubscribetothemessagethatpublishesthechangeddata.Forexample,supposePeopleSoft
    Financialsneedsalistofmanagersforaparticulartransaction.Becausethemanagerinformationresidesin
    PeopleSoftHumanResources,PeopleSoftHumanResourcespublishesanychangedinformationtoPeopleSoft
    Financialstokeepthedatasynchronized.
    PeopleSoftsecurityalsopublishesamessagewhenauserprofilechanges(ifthecorrespondingService
    Operationversionisactive),whichismostusefulifyouarenotusingLDAPtostoreuserinformation.Ifyou
    storeuserinformationinthePeopleSoftsystem,themessagemakessurethatpasswordchangesarereplicated
    acrossmultipledatabases.IfyoustoreyouruserinformationinacentralLDAPserver,thenthepasswords,and
    soon,arealreadyinasensesynchronized.
    YoucanupgradepermissionlistsandrolesusingthePeopleSoftApplicationDesignerupgradefeatures.For
    userinformation,PeopleSoftDataMoverscriptsmigrateuserprofilesbetweensystemsforupgradesorbulk
    loads.
    EnterprisePeopleTools8.50PeopleBook:SecurityAdministration Copyright1988,2010,Oracleand/oritsaffiliates.Allrightsreserved.

    http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

    10/10

    You might also like