Implementing Security in PeopleSoft

Implementing Security in PeopleSoft:

A. Introduction: PeopleSoft Version 8.46................................................................... 1
1. User Security:...................................................................................................... 3
2. LDAP : Lightweight Directory Access Protocol ................................................ 6
3. Authentication and Single Sign on..................................................................... 8
4. Pluggable Cryptography................................................................................... 10
5. Query and Definition Security.......................................................................... 12
6. PeopleSoft Personalizations.............................................................................. 13
B. Updating PeopleSoft Security Version 8.46 to 8.9:.............................................. 13
A. Introduction: PeopleSoft Version 8.46

This document provides guidelines and best practices for the end users to use to secure
PeopleSoft data, specifically guidelines regarding confidentiality, user authentication, and access
control.
Security is especially critical for core business applications, such as PeopleSoft applications.
Typically, what is needed is a need to restrict the usage, viewing and customization of the data
and applications.
PeopleSoft provides security features, including components and People Tools applications, to
ensure that the sensitive application data, such as employee salaries, performance reviews, or
home addresses, do not fall into the wrong hands.
As the PeopleSoft Internet Architecture (PIA) is implemented, a robust and scalable means is
needed by which the users can be grant authorization efficiently.
Security can be applied to all users, including employees, managers, customers, contractors, and
suppliers. Users are grouped according to roles give to them with different degrees of access. For
instance, there might be an Employee role, a Manager role, and an Administrator role. Users who
belong to a particular role require a specific set of permissions, or authorizations, within the
system, so that they can complete their daily tasks.
The objects and definitions in the PeopleSoft development environment must also be secured
from viewing. Restriction can be implemented to block the end users from accessing particular
pages and components, also to restrict the definitions that the sites developers can access using
PeopleSoft Application Designer. A definition refers to any of the definitions that are created
within PeopleSoft Application Designer, such as records, pages, or components. Each object
definition may have individual security needs.
Accessing a PeopleSoft application requires first passing through several layers of network, OS,
and DB security. These capabilities are defined by the technical environment and need to be
configured outside of PeopleSoft. A pictorial representation of the same is given below:
1
Implementing Security in PeopleSoft



Security can be implemented in the following ways which shall be explained in detail:
1. User security.
2. Lightweight Directory Access Protocol (LDAP).
3. Authentication and single sign on.
4. Pluggable cryptography.
5. Query and definition security.
6. PeopleSoft personalization.













2
Implementing Security in PeopleSoft
1. User Security:

A security definition refers to a collection of related security attributes that are created using
People Tools Security. The three main PeopleSoft security definition object types are:

The three main PeopleSoft security definition types are:
User Profiles (a set of data describing a particular PeopleSoft user)
Roles (intermediate objects that link User Profiles to Permission Lists)
Permission Lists (a set of pages and allowable actions on those pages)
The hierarchy that needs to be followed to implement user security is :
Definition of permission lists ,followed by creation of roles and finally assigning these roles
to User Profiles.
A user profile is a definition that represents one PeopleSoft user. Each user is unique; the user
profile specifies a number of user attributes, including one or more assigned roles. Each role that's
assigned to a given user profile adds its permission lists to the total that apply to that user.



















3
Implementing Security in PeopleSoft
A role is a collection of permission lists. One or more permission lists can be assigned to a role.
And similarly a given permission list can be assigned to multiple roles. The resulting combination
of permissions can apply to all users who share those access requirements. However, the same
group of users might also have other access requirements that they don't share with each other.
Roles are used to assign permissions to users dynamically.
Permission lists are the building blocks of user security authorization. A permission list grants a
degree of access to a particular combination of PeopleSoft elements, specifying pages,
development environments, time periods, administrative tools, personalizations, and so on.
This level of access should be appropriate to a narrowly defined and limited set of tasks, which
can apply to a variety of users with a variety of different roles. These users might have
overlapping, but not identical, access requirements.
PeopleSoft security definitions provide a modular means to apply security attributes in a scalable
manner. Each user has an individual user profile, which in turn is linked to one or more roles.
One or more permission lists can be added, which ultimately control what a user can and can't
access, to each role. A few permission types are assigned directly to the user profile. The picture
below provides a mapping of User Security in People Tools version 7.5 and 8.46.











An analysis of the above diagram reveals that version 8.46 is an enhancement and an improved
version of the security implement in version 7.5.
Operator ID: Operator ID has changed to User ID/User Profile. It has the same functionality just
the name has changed. It allows the user to sign into the system.
Operator Class: Class is now broken into two parts.
1) Role: A Role is the Who of security. Users within an application can include
employees, managers, customers, contractors, suppliers, and so on. The system allows
you to group users according to roles. A role is an object that has properties, such as
name, description, permission lists, and so on. One of the properties assigned to a role is
the list of users assigned to it. For instance, there might be an Employee role, a Manager
role, or an Administrator role. Users who belong to a particular role require a specific set
of permissions, or authorizations, within the system so that they can complete their daily
tasks.
2) Permission List: The Permission List is the What of security. It contains the
component, page and actions being granted.
4
Implementing Security in PeopleSoft
Panel: A Panel is now referred to a Page in PeopleSoft 8.46. The change was made to
accommodate web terminology.
Panel Group: A Panel Group is now referred to as a Component in PeopleSoft 8.46. The change
was made to accommodate web terminology.

The picture below exemplifies the relationship between Users, Roles and Permission Lists.
Permission lists are assigned to roles, which are then assigned to user profiles. A role may contain
numerous permissions and a user profile may have numerous roles assigned to it. Because
permission lists are applied to users through roles, a user inherits all the permissions assigned to
each role to which the user belongs. The user's access is determined by the combination of all of
the roles.












5
Implementing Security in PeopleSoft
2. LDAP : Lightweight Directory Access Protocol
LDAP is an Internet protocol used to access a directory listing. Organizations typically store user
profiles in a central repository, or directory server, that serves user information for all of the
programs that require it. Through an LDAP V3 compliant directory server, the data that already
exists and is maintained in the PeopleSoft HRMS database can be shared with the directory.
Complete out-of-the-box integration with leading directory servers. PeopleSoft enables to
integrate the authentication scheme for PeopleSoft with the existing infrastructure.












6
Implementing Security in PeopleSoft
Permission lists and roles will be maintained using PeopleSoft security. However, user profiles
can be maintained in PeopleSoft security or reused user profiles and roles that are already defined
within an LDAP directory server. A directory server enables the maintenance of a single,
centralized user profile that can be used across all of the PeopleSoft and non-PeopleSoft
applications. This approach reduces redundant maintenance of user information stored separately
throughout the enterprise, and reduces the possibility of user information getting out of
synchronization. Also, enabling the user profiles to be easily created and maintained and
authenticated.






















7
Implementing Security in PeopleSoft
3. Authentication and Single Sign on
PeopleSoft delivers the most common authentication solutions and packages them with the
PeopleSoft application. This saves the trouble of developing solutions and saves time with the
security implementation. These prepackaged solutions include People Code that supports basic
sign-in through secure sockets layer (SSL), LDAP authentication, and single sign on.
Because PeopleSoft applications are designed for Internet deployment, many sites must take
advantage of the authentication services that exist at the web server level. PeopleSoft takes
advantage of HTTPS, SSL, and digital certificates to secure the transmission of data from the web
server to an end user's web browser and also to secure the transmission of data between
PeopleSoft servers and third-party servers (for business-to-business processing) over the Internet.

PeopleSoft supports a notion of single sign on between PeopleSoft instances. Within the context
of PeopleSoft system, single sign on means that after a user has been authenticated by one
PeopleSoft application server, that user can access a second PeopleSoft application server without
entering an ID or a password. Although the user is actually accessing different applications and
databases, the user navigates seamlessly through the system as each suite of PeopleSoft
applications, such as HR, Financials, CRM, and EPM,, reside in its own database.

How It Works
The diagram below shows how the Single Sign-On Agent for PeopleSoft Solutions integrates
Services with PeopleSoft Internet Architecture. The agent uses the Security Manager interface
For PeopleSoft Application Server to achieve the critical, Tier 2 security integration. A Signon
People Code script passes user ID and session information to the Validation Library, which in
turn, will query the Policy Server enabling true, end-to-end
Access security.
A typical process flow is as follows:

1. A user makes a request to a PeopleSoft application through a web server.
2. The Web Agent asks the Policy Server to authenticate and authorize the request.

8
Implementing Security in PeopleSoft


3. The Policy Server verifies access permissions and returns the PeopleSoft User Name as an
HTTP header.
4. The Web Server passes user security context information (credentials) for the
DEFAULT_USER to the PeopleSoft Application Server. The PeopleSoft Application Server then
begins session by invoking Sign-on PeopleCode.
Note: the DEFAULT_USER account has NO access to the system.
5. The Sign-on PeopleCode calls the validation library to verify the session information.
6. The Validation Library then passes the session information to the Policy Server for
verification.
7. The Policy Server then returns the result to the Validation Library.
8. The Validation Library returns the result to the PeopleSoft Application Server.
9. If the session was verified, the PeopleSoft Application Server creates a PeopleSoft session
cookie and sends it back to the Web server.
10. The Web server sends the cookie back to the users browser for use in subsequent requests.











9
Implementing Security in PeopleSoft
4. Pluggable Cryptography
Data security comprises the following elements:
Privacy keeping data hidden from unauthorized parties.
Privacy is normally implemented with some type of encryption. Encryption is the scrambling of
information such that no one can read it unless they have a piece of data known as a key.
Integrity keeping transmitted data intact.
Integrity can be accomplished with simple checksums or, better, with more complex
cryptographic checksums known as one-way hashes, and often with digital signatures as well.
Authentication verifying the identity of an entity that's transferring data.
Authentication can be accomplished using passwords, or with digital signatures, which are by far
the most popular and most reliable method of authentication.
PeopleSoft pluggable encryption technology (PET) provides a way to use hashes and digital
signatures to secure critical PeopleSoft data and communicate securely with other businesses. It
enables to extend and improve cryptographic support for data in People Tools, giving strong
cryptography with the flexibility to change and grow, by incrementally acquiring stronger and
more diverse algorithms for encrypting data. PeopleSoft delivers PET with support for the
OpenSSL and PGP encryption libraries. Pluggable Cryptography enables one to secure critical
PeopleSoft data and communicate securely with other businesses. It enables to extend and
improve cryptographic support for data in People Tools, giving strong cryptography with the
flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms
for encrypting data. By using the Tools Pluggable Cryptography for strong encryption/decryption,
the system encrypts data using 3DES algorithms and 168-bit encryption keys.
10
Implementing Security in PeopleSoft


Steps to implement pluggable cryptography:
1. Load an encryption library's algorithms into the PET database.
2. Generate accompanying encryption keys, and insert them into the PET key store.
3. Define a sequence, or chain of algorithms by selecting from all the algorithms in the
database.
4. Define an encryption profile, which is an instance of an algorithm chain applicable to a
specific encryption task.
5. Write People Code to invoke the encryption profile.






11
Implementing Security in PeopleSoft
5. Query and Definition Security
PeopleSoft Query is used to build SQL queries and retrieve information from application tables.
For each PeopleSoft Query user, the records that the user is allowed to access when building and
running queries can be specified. This is done by creating query access groups in PeopleSoft Tree
Manager, and then assigning users to those groups with PeopleSoft Query security. PeopleSoft
Query security is enforced only when using PeopleSoft Query; it doesnt control runtime page
access to table data.
Definition Security is used to govern access to database object definitions, such as record
definitions, field definitions, and page definitions, and to protect particular object definitions from
being modified by developers.





















12
Implementing Security in PeopleSoft
6. PeopleSoft Personalizations
PeopleSoft offers a variety of options that enable end users, especially power users, to configure
certain aspects of their PeopleSoft environment to produce a more personalized interface. These
options improve a users navigation speed through the system and enable users to select
international preferences, such as date and time formats.
A group is defined, and its personalization options are categorized, then permission lists are used
to control access to them. Users with access to a personalization option can control it through the
My Personalizations menu.
B. Updating PeopleSoft Security Version 8.46 to 8.9:
People Soft 8.9 has come up with one of the most flexible security options.
Considerations while implementing security in PeopleSoft 8.9
Duplication of menus ended causing (at least for FA) lots of rework of Permission Lists.
The old structure & bar labels (use, inquire, process, report) still exist in security, and are
now associated to folders.
Query access now available through client without app designer access. (psqed.exe
instead of pside.exe).
Additional security controls expire password at next login and retain password.
Personalizations are no longer globally defined. Define, group, and categorize
personalization options, using the PeopleTools Personalizations interface. Use permission
lists to control access to them. In the permission list interface there is now a
Personalizations page where you select the personalizations for a permission list.

S. No. Issues (to be considered while implementing
security in 8.9)
Solutions
1. Portal Structure and Content

Creating folders and
using registration
wizard
Running Portal
Security Synch when
moving security
2. Tree Manager for Query tables PeopleTools>Security>Query
Security>Query Access
Manager

3. Conversion of data automatic assignment of
PeopleSoft User Role (permission list
PTPT1000) to ALL users.
Assign the necessary web
libraries to existing permission
lists and remove the role from
all users.
4. Assign the necessary web libraries to existing
permission lists and remove the role from all
users.
Assign the necessary web
libraries to existing permission
lists.
5. The permission list ALLPANLS no longer
exists.
Add role PeopleSoft
Administrator. This role
overrides ALL security and
should only be assigned to a
limited number of people.

13
Implementing Security in PeopleSoft
S. No. Issues (to be considered while implementing
security in 8.9)
Solutions

6. Unable to add\edit favorites. Add Menu Portal Admin
(PORTAL_ADMIN) to the
permission list include Add
(PORTAL_ADD_FAV) and
Edit (PORTAL_EDIT_FAV)
Favorites. Add the permission
list(s) to Folder Security in
Portal >Structure and Content
>My Favorites.

7. Getting an error when using Search. Add Menu Portal Admin
(PORTAL_ADMIN) to the
permission list include access
to Search
(PORTAL_SEARCH).
8. No results or inaccurate results when using
Search.
Run the Build Registry Search
Index (Build Search Index)
process
9. Missing left hand navigation after security
move.
Run the Portal Security Sync
(Portal Security Synch)
process.
10. Preserving passwords and last password change
date.
A script (using dynamic sql)
was run prior to bringing
down the 8.0 database that
saved the password and last
password change date. The
update script was run at go-
live in the 8.9 database.

11. Permission lists assigned the menu
CC_BIO_DEMO_DATA did not convert from
8.0.
A query was run in 8.0 to get
all the permission lists
assigned and manually added
in the permission list in 8.9,
additionally there are several
component interfaces that are
also required.

12 Limited Security settings for Registration
Wizard.
Set Component Interface and
Menu to No Access in the
permission list assigned
Application Designer Access
under Definition (Object)
Permissions.


14