Working With Roles
This chapter provides an overview of roles and discusses how to:
Work with roles.
Define role options.
Create a NEWUSER role.
Understanding Roles
Roles are intermediate objects that exist between permission lists and user profiles. They are designed to aggregate permission lists so that you can arrange permissions into meaningful collections. If you implement dynamic roles, then roles enable you to add permissions to users dynamically, which reduces administration tasks.
Note. In previous releases, roles were associated with PeopleSoft Workflow. PeopleTools has expanded their definitions to include system permissions. There is only one role definition, and you maintain it within Security.
Role users are the User Profiles or users that have membership to a particular role. Users inherit most of their permissions from the roles assigned to the User Profile. However, you assign some Permission Lists directly to the User Profile.
You assign data permissions directly to the User Profile either through a Primary Permissions list or Row Security Permissions list. Navigator Homepage and Process Profile permission lists are also assigned directly to the user profile.
Some users obtain their membership by an administrator adding a role to their user profile manually, through the Security pages devoted to users. These users are Static Role Users.
Other users may obtain membership in a role programmatically. You can run a batch process that executes predefined role rules and assigns roles to user profiles according to these rules. This approach is called dynamic membership, and users who become role users of a particular role programmatically are Dynamic Role Users.
Dynamic role assignment is how you make your security system scale to meet the demand of an ever increasing user population. Otherwise, members of your IT staff need to manually make every change to a user profile. If you have thousands of users in your system, the security administrator becomes the bottleneck.
Working With Roles
In this section, we discuss how to:
Create a new role.
Copy a role.
Delete a role.
Creating a New Role
To create a new role:
1. Select PeopleTools, Security, Permissions & Roles, Roles.
2. On the search page click Add a New Value.
3. In the Role Name edit box, enter the name of the role you want to create, and click Add.
4. From the pages in the Roles component select the appropriate role options.
5. Save your work.
Copying Roles
To clone a role:
http://notes02.ntc.edu/servunits/isit/PS8_peoplebooks/eng/psbooks/tsec/book.htm
1/11
21/09/2016
1. Select PeopleTools, Security, Permissions & Roles, Copy Roles.
2. On the search page, search for the role that you want to copy (clone), and click it.
The Role Save As page appears.
3. On the Role Save As page, enter a new name in the as: edit box.
4. Click Save.
Deleting Roles
To delete a role:
1. Select PeopleTools, Security, Permissions & Roles, Delete Roles.
2. On the search page, locate the Permission List that you want to delete and click it.
The Delete Permission List page appears.
3. Click Delete Permission List.
4. Click OK to confirm the deletion, or click Cancel to abort.
Removing Users From a Role
If you need to delete the users assigned to a static or dynamic role, use the NO_USERS Query to locate the users. You invoke this query using the query rule with dynamic roles.
Defining Role Options
In this section, we discuss how to:
Describe the role.
Assign permissions to roles.
Display the list of members for a role.
Display the list of members who belong to the current role dynamically.
Set routing options for users.
Decentralize the administration of roles.
Display any additional links for user profiles.
Run role queries.
Inquire when a permission list was last updated.
Pages Used to Define Role Options
Page Name: General
Navigation: PeopleTools, Security, Permissions & Roles, Roles, General.
Usage: Describe the role and disable the role if needed, as well as add a long description to help identify the role.
Page Name: Permission Lists
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Permission Lists.
Usage: Grant permissions to roles.
Page Name: Members
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Members.
Usage: Display the current list of static members that belong to the current role.
Page Name: Dynamic Members
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Dynamic Members.
Usage: Display the current list of members that belong to the current role dynamically as a result of a business rule invoked in real time or batch mode. If you are not using the Dynamic Members functionality, then this list is not populated.
Page Name: Workflow
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Workflow.
Usage: Set routing options for users.
Page Name: Role Grant
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Role Grant.
Usage: Decentralize the administration of roles.
Page Name: Links
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Links.
Usage: Display any additional links for user profiles.
Page Name: Role Queries
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Role Queries.
Usage: Run queries about a role.
Page Name: Audits
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Audits.
Usage: Inquire when a permission list was last updated.
Common Elements in This Section
Role Name: The Role Name is read only and reflects the name you chose for the role when you created it.
Description: You have the option of adding a short description to help you identify a particular Role on the other pages.
Describing the Role
Access the General page.
Figure: General page
Role Name: Displays the name of the role you opened or created.
Description: Add a description of the role. The text you add here appears throughout the component at the top of each page. There is a 30 character limit.
Note. This is a required field.
Role Status: To temporarily disable the role, as for testing purposes, select the Role Disabled check box in the Role Status group box. The system selects this check box after a user has had multiple failed login attempts (if configured to do so).
If you no longer need the role, delete it.
A disabled role can't accept new members, or users. For example, roles that you are modifying might be disabled. Users belonging to a disabled role can't sign on to the system until you reactivate the role.
Long Description: Enables you to add a more descriptive explanation of the role. The text you add here should provide specific details describing the purpose of the role.
Assigning Permissions to Roles
Access the Permission Lists page.
Figure: Permission Lists page
Permission List: Displays the name of the permission list.
Description: Displays a short description of the permission list.
View Definition: Click this link to open the permission list definition. This enables you to view all the options in the permission list to make sure it is suitable for a particular role.
Remember that a user's access is determined by the sum of all the permission lists applied to each role to which they belong. For instance, suppose you add permission list X and permission list Y to a role. Permission list X has a signon time of 8 a.m. to 5 p.m. and permission list Y has a signon time of 1 p.m. to 9 p.m. In this scenario, the users assigned to this role can sign on to the system between the interval 8 a.m. to 9 p.m. If this is your intention, then everything is OK. Always be aware of the contents of each permission list prior to adding them to a role.
To add a permission list to a role:
1. Click
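The "sum of all permission lists" rule above is easy to misjudge once a role carries several lists. The following SQL is an added example, not from PeopleBooks; it uses constructed tables (EX_ROLEUSER, EX_ROLECLASS, EX_SIGNONTIME, storing signon windows as minutes after midnight) rather than the real PeopleTools security records, and reproduces the X (8 a.m. to 5 p.m.) and Y (1 p.m. to 9 p.m.) scenario so you can see why a single matching window is enough to permit a sign-on.

```sql
-- Constructed tables and sample data; names and layout are assumptions for this example,
-- not the PeopleTools security records.
CREATE TABLE EX_ROLEUSER   (OPRID VARCHAR(30), ROLENAME VARCHAR(30));
CREATE TABLE EX_ROLECLASS  (ROLENAME VARCHAR(30), CLASSID VARCHAR(30));
CREATE TABLE EX_SIGNONTIME (CLASSID VARCHAR(30), START_MIN INTEGER, END_MIN INTEGER);

INSERT INTO EX_ROLEUSER   VALUES ('HRA001', 'HR_ANALYST');
INSERT INTO EX_ROLECLASS  VALUES ('HR_ANALYST', 'PERMLIST_X');
INSERT INTO EX_ROLECLASS  VALUES ('HR_ANALYST', 'PERMLIST_Y');
INSERT INTO EX_SIGNONTIME VALUES ('PERMLIST_X', 480, 1020);   -- 8 a.m. to 5 p.m.
INSERT INTO EX_SIGNONTIME VALUES ('PERMLIST_Y', 780, 1260);   -- 1 p.m. to 9 p.m.

-- 1. Every signon window a user inherits, with the role and permission list that contributes it.
--    For HRA001 this returns two rows: 480-1020 (X) and 780-1260 (Y), i.e. 8 a.m. to 9 p.m. overall.
SELECT U.OPRID, U.ROLENAME, C.CLASSID, T.START_MIN, T.END_MIN
  FROM EX_ROLEUSER U
  JOIN EX_ROLECLASS  C ON C.ROLENAME = U.ROLENAME
  JOIN EX_SIGNONTIME T ON T.CLASSID  = C.CLASSID
 WHERE U.OPRID = 'HRA001'
 ORDER BY T.START_MIN;

-- 2. Would a sign-on at 8 p.m. (1200 minutes) be permitted? Permission lists are additive,
--    so ONE window containing the time is sufficient: X denies, Y allows, result is ALLOWED.
SELECT CASE WHEN EXISTS (
         SELECT 1
           FROM EX_ROLEUSER U
           JOIN EX_ROLECLASS  C ON C.ROLENAME = U.ROLENAME
           JOIN EX_SIGNONTIME T ON T.CLASSID  = C.CLASSID
          WHERE U.OPRID = 'HRA001'
            AND 1200 BETWEEN T.START_MIN AND T.END_MIN)
       THEN 'ALLOWED' ELSE 'DENIED' END AS SIGNON_AT_2000;

-- 3. Review query for the administrator: which permission lists push a role past a
--    policy cut-off (here 6 p.m. = 1080 minutes)? Returns HR_ANALYST / PERMLIST_Y / 1260.
SELECT C.ROLENAME, C.CLASSID, T.END_MIN
  FROM EX_ROLECLASS  C
  JOIN EX_SIGNONTIME T ON T.CLASSID = C.CLASSID
 WHERE T.END_MIN > 1080
 ORDER BY C.ROLENAME, C.CLASSID;
```

Query 3 is the check worth scripting before a role goes live: it answers "which list widened this role" without opening each permission list definition by hand.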
Displaying List of Members for a Role
Access the Members page.
Figure: Members page
User ID: Displays the user ID of the role member.
Name: Displays the name of the user associated with the user ID.
View Definition: Enables you to view the user ID of the role member to make sure that you have selected the appropriate definition for inclusion in the role.
When you add a role to a user profile, the user ID and description (Name) of the user appear in the Members list. When you remove the role from the user profile, the corresponding User ID and Description no longer appear in the Members list for that role.
Note. This page shows those users who are added to a role using the static approach.
Displaying List of Dynamic Members
Access the Dynamic Members page.
Figure: Dynamic Members page (1 of 2)
Figure: Dynamic Members page (2 of 2)
User ID: Displays the user ID of the role member.
Description: Displays the name of the user associated with the user ID.
View Definition: Enables you to view the user ID of the role member to ensure that you have selected the appropriate definition for inclusion in the role.
Rules: Enables you to select the format of the rule you want to invoke to assign roles. A dynamic role rule is defined/coded in PS/Query, PeopleCode, or your LDAP directory. A rule can use a combination of Query and PeopleCode or Query and LDAP, too.
Execute on Server: Enables you to select the appropriate Process Scheduler server to run the rule.
Assigning Roles
For the rule to successfully assign a role to the appropriate users, you must select the rule type you have in place for a particular role, and then specify the object that contains the rule you coded.
Note. You must define your role rules before you apply the options in the Rules group on the Dynamic Members page. Also, if you make any changes to the name of the rule, add a new rule, and so on, save all changes before you execute the rule.
Query Rule Enabled: Select this check box if you defined your rule with Query. The Query Rule group appears below the Rules group. Use the Query drop-down list box to select the query that contains your role rule.
PeopleCode Rule Enabled: Select if your rule is a PeopleCode program. The PeopleCode Rule group appears. Specify the Record, Field, Event, and Function associated with your PeopleCode role rule.
Directory Rule Enabled: Select if your role rule is based on information in your directory server. With a directory based rule you must assign directory groups. The PeopleCode Rule appears because Directory rules are implemented using a PeopleCode program, DynRoleMembers. The DynRoleMembers PeopleCode program uses the Directory business interlink to retrieve user and group information from the directory. To view the program, open the FUNCLIB_LDAP record in PeopleSoft Application Designer.
Click Assign Directory Groups to select a particular directory group that exists in your LDAP server hierarchy. For example, suppose you have your LDAP server grouped by geographic region. If so, your rule could assign a new self service role to all users in the North America group. Use the Directory Group drop-down list box to select the appropriate directory group value. The values are derived from the LDAP data that you import using the Directory Group Import process.
After you run a rule, click Refresh to repopulate the grid with updated information. Because the role rules are executed by an Application Engine program that runs through PeopleSoft Process Scheduler, you can use the Process Monitor link to view the status of the program run.
After the program runs, it publishes a message containing the list of users in the role, and exits. The program does not update any tables; the message (subscription PeopleCode) performs the actual database updates. To check the status of the message, use the Message Monitor link. Keep in mind that just because the dynamic roles program completed successfully, that does not necessarily mean your roles are updated. The associated message must also be delivered successfully.
Note. To clear all dynamic users from the role, PeopleTools delivers a query named NO_USERS that you can run to delete all the members if necessary.
Query Rule Example
This section describes the process of creating a Query rule that assigns dynamic role membership. This general example should also help to illustrate similar techniques that you would use for a PeopleCode or LDAP rule.
Note. The following text assumes a working knowledge of PS/Query.
In this example, we need to create a query that selects user IDs based on job criteria. Specifically, we need to find all the users that currently have the job code KC012 (Human Resource Analyst), and add them to the appropriate role. The assigned role grants them access to the necessary components that a Human Resource Analyst needs.
To do so, we:
Create a view.
Create the query.
Run the dynamic rule.
Note. The Dynamic Role functionality is not designed to resolve bind variables. When you select a query with a bind variable as a dynamic role rule, the system issues an error. PeopleSoft recommends that you do not use queries with bind variables as a query rule for dynamic roles. Many of the queries that PeopleSoft delivers are intended to be used with Workflow, and many of them contain bind variables. These queries are not designed to work "out of the box" as role rules.
If you are trying to create a role query based on PSOPRALIAS, to avoid issues with row level security, you should use PSOPRALIAS_VW instead. It is important to note that this view must be manually kept in sync with PSOPRALIAS.
You can create a view for the information that your query needs. For example, the view definition might be similar to the following.
Figure: Dynamic Role Rule Query View
The associated SQL Object is:
Figure: Dynamic Role Rule Query View SQL Object
Note. The OPRID must not be a key in this view because PeopleTools appends AND OPRID="current user's oprid" in Query. This occurs if we use the record OPRALIAS directly in the query.
The SQL appears:
Figure: Query View SQL
After you create the view, you add it to the appropriate query tree. In this case, we add the new view to the QUERY_TREE_HR.
Figure: Adding the view to a Query Tree
With the view created, you then create a query. In this example, the properties we assign to the query enable it to assign a role to users who currently have the Job code KC012, Human Resource Analyst.
Figure: Query definition
The Query contains the following criteria.
Figure: Query criteria
The SQL for the query is:
Figure: Query SQL
Notice that because the view doesn't have OPRID as a key, the resulting SQL does not contain the extra 'AND B.OPRID='PS''.
Note. When you save a query used for a dynamic role query, you need to specify that it is a "Role Query" in its properties.
With the view and the query created, you then need to set up the query rule in Security. Notice in the following example that Query Rule Enabled is selected and that the query created in the previous section appears in the Query Rule edit box.
Figure: Enabling the query rule
After enabling the query rule, you then want to test the rule to make sure the system assigns the appropriate roles to the appropriate users. To populate the role membership table, click Execute Rule.
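Because the screenshots of the view, the SQL object and the query did not survive this copy, here is an added, constructed SQL version of the KC012 example (it is not PeopleBooks' own SQL). PSOPRALIAS_VW and the OPRID / OPRALIASTYPE / OPRALIASVALUE columns are taken from the text above; JOB and its columns are an assumed HR record layout, and the view name HR_ANALYST_ROLE_VW is invented for the example. Remember that "OPRID must not be a key" is a record-definition setting in Application Designer, not something expressed in the view SQL itself.

```sql
-- View that joins the user ID to the employee's current job row.
-- JOB (EMPLID, EMPL_RCD, EFFDT, EFFSEQ, JOBCODE, EMPL_STATUS) is an assumed HR record;
-- PSOPRALIAS_VW is used instead of PSOPRALIAS to avoid row level security, as the text advises.
-- In Application Designer, leave OPRID unkeyed on this record so Query does not append
-- "AND OPRID = <current user>" to the generated SQL.
CREATE VIEW HR_ANALYST_ROLE_VW (OPRID, EMPLID, JOBCODE) AS
SELECT A.OPRID, B.EMPLID, B.JOBCODE
  FROM PSOPRALIAS_VW A, JOB B
 WHERE A.OPRALIASTYPE  = 'EMP'            -- alias type that links an OPRID to an EMPLID (assumed)
   AND A.OPRALIASVALUE = B.EMPLID
   AND B.EMPL_STATUS   = 'A'              -- active employees only
   AND B.EFFDT = (SELECT MAX(B1.EFFDT) FROM JOB B1          -- current effective-dated row
                   WHERE B1.EMPLID   = B.EMPLID
                     AND B1.EMPL_RCD = B.EMPL_RCD
                     AND B1.EFFDT   <= CURRENT_DATE)
   AND B.EFFSEQ = (SELECT MAX(B2.EFFSEQ) FROM JOB B2         -- highest sequence on that date
                   WHERE B2.EMPLID   = B.EMPLID
                     AND B2.EMPL_RCD = B.EMPL_RCD
                     AND B2.EFFDT    = B.EFFDT);

-- The role query itself: a single OPRID column, a literal job code, and no bind variables
-- (the Dynamic Role process cannot resolve prompts). Save it as a "Role Query" in PS/Query.
SELECT DISTINCT A.OPRID
  FROM HR_ANALYST_ROLE_VW A
 WHERE A.JOBCODE = 'KC012';

-- Reconciliation after Execute Rule. The Application Engine only publishes a message; the
-- subscription PeopleCode does the update, so verify the outcome rather than trusting a
-- "Success" in Process Monitor. PSROLEUSER (ROLEUSER, ROLENAME) is assumed to be the
-- membership record and 'HR_ANALYST' the target role name.
-- (a) users the query selects who were NOT granted the role: the message may not have been delivered
SELECT A.OPRID
  FROM HR_ANALYST_ROLE_VW A
 WHERE A.JOBCODE = 'KC012'
   AND NOT EXISTS (SELECT 1 FROM PSROLEUSER R
                    WHERE R.ROLEUSER = A.OPRID AND R.ROLENAME = 'HR_ANALYST');

-- (b) users who hold the role but no longer match the rule: stale membership to review
SELECT R.ROLEUSER
  FROM PSROLEUSER R
 WHERE R.ROLENAME = 'HR_ANALYST'
   AND NOT EXISTS (SELECT 1 FROM HR_ANALYST_ROLE_VW A
                    WHERE A.OPRID = R.ROLEUSER AND A.JOBCODE = 'KC012');
```

Queries (a) and (b) are the checks to run after each rule execution: an empty result for both means the published message was applied and the role's dynamic membership matches the rule.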
Setting Workflow Routing Options for Users
Access the Workflow page.
Figure: Workflow page
Allow notification: This option relates the ad hoc notification feature with PeopleSoft Workflow. This option enables users to notify others of data on a PeopleSoft page through email or worklists.
When components are designed, developers have the option of enabling the Notify toolbar on the Component Properties dialog box in PeopleSoft Application Designer. If this option is set for a particular component, then this check box enables security administrators to enable the Notify feature per role.
To enable this feature for a role, select this option. To disable this feature, make sure this option is not selected. By default, this option is enabled for all roles.
Allow Recipient Lookup: This option relates the ad hoc notification feature with PeopleSoft Workflow, and only applies if Allow notification is enabled for a role.
When a user sends an ad hoc notification, there is an option to browse the database for the email addresses of other users in the PeopleSoft system, which includes vendors, customers, employees, sales leads, and so on. In some cases, it may not be appropriate to expose this information.
To enable this feature for a role, select this option. To disable this feature, make sure this option is not selected. By default, this option is enabled for all roles.
Use Query to Route Workflow: Specify whether the workflow routings for a particular role should be determined by a workflow query. This depends on your workflow scheme.
See Also
PeopleTools PeopleBooks: "PeopleSoft Workflow"
Decentralizing the Administration of Roles
Access the Role Grant page.
Figure: Role Grant page
You can selectively decentralize the administration of roles by using the Role Grant page. With the Role Grant option, you don't need to rely on Dynamic Roles, yet you don't need to bother a security administrator to assign roles either. For example, the Role Grant page enables a line manager to assign roles to employees on his/her team as needed to cope with changes in the work environment.
The Role Grant page works in conjunction with the Distributed User Profiles and Distributed User Setup pages in the User Profiles component.
Roles That Can Be Granted By This Role: This grid contains the roles that the current role is allowed to grant to other user IDs. For example, the Line Manager in the shipping department may need to grant a role to a temporary worker (Shipping Temp). Typically, the roles that a role can grant should be in a "subservient" position to the granting role. To add multiple roles, use the plus button.
Roles That Can Grant This Role: This grid contains the roles that can grant the current role to other user IDs. For example, on the Shipping Temp role, Shipping Clerk appears in the Roles That Can Grant This Role grid. To add multiple roles, use the plus button.
View Definition: To make sure that you have selected the appropriate definition for inclusion in the role, click this link to view the associated definition.
See Also
Working With Distributed User Profiles
Displaying Additional Links for User Profiles
If you have added any additional links for user profiles in the Security Links component, they appear on the Links page.
See Also
Security Links
Running Role Queries
Role queries enable you to run queries that provide detailed information regarding a role, such as the user IDs and permission lists associated with a role. The available queries are documented on the page.
To run a role query:
1. Click the link associated with the query you want to execute.
This invokes a new browser window.
2. View the information the query returns, or select a download option.
For downloading, you have the following options:
Excel Spreadsheet. Downloads the query results as an Excel spreadsheet (.XLS) file.
CSV Text File. Downloads the query results as a comma separated values (CSV) file.
Inquiring When a Role Was Last Updated
The Audit page is a read only page that enables you to determine when a Role was last updated and by whom. You can also view who has made changes to security tables using the Database Level Auditing feature.
See Also
PeopleTools PeopleBooks: Data Management, "Database Level Auditing"
Creating a NEWUSER Role
When a new user enters the system, and you have implemented dynamic role rules, the user does not belong to any roles until your role rules execute. If you have a new employee entered into the system, at first all they would be able to access is the "public" pages you authorize for the NEWUSER role. Then, when your dynamic role rules execute, the new employees become members of the roles that apply to their position.
Note. The NEWUSER role is not a role that PeopleSoft delivers. You can name the role to suit your requirements.
To implement a NEWUSER role:
1. Create your NEWUSER role.
2. Add permission lists to the role so that members of this role have access to the pages that are appropriate for all users within the system, like My Profile and any other areas that are not a threat to your system security.
3. Apply the appropriate roles.
If you are using dynamic role assignment, you wait until the batch program runs; if you are using static role assignment, then the user must wait until an administrator manually applies the appropriate roles.
If your role rules run only once in a 24 hour period, it might not be until the next day that a new employee has access to the system. If your rules run more frequently, it may only be a couple of hours. If it's not acceptable to wait until the next run of the dynamic role rule, you can use one of the following options:
Add any "required" pages to the NEWUSER role.
Reduce the interval between dynamic rule executions.
Note. Reducing the execution interval of the dynamic rules may have performance impacts depending on how the rules are implemented.
4. Add a Signon PeopleCode script that detects that the user needs access to a certain role.
You can accomplish this by running a query against LDAP, the database, or wherever the information resides. Then use the User Profile component interface to add the appropriate roles to the user, according to the query results.
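An operational gap in the procedure above is knowing which new users are still sitting in NEWUSER only, and whether that is expected (created after the last rule run) or a sign that the rule or its subscription message failed. The following SQL is an added example, not from PeopleBooks; it uses constructed tables (EX_USR with an assumed CREATED_DTTM column, and EX_USR_ROLE) in place of the real user-profile and role-membership records, and a constructed reference time for the last scheduled rule run.

```sql
-- Constructed tables and sample data; names and the CREATED_DTTM column are assumptions for
-- this example, not the PeopleTools user profile or role membership records.
CREATE TABLE EX_USR      (OPRID VARCHAR(30), CREATED_DTTM TIMESTAMP);
CREATE TABLE EX_USR_ROLE (OPRID VARCHAR(30), ROLENAME VARCHAR(30), DYNAMIC_SW CHAR(1));

INSERT INTO EX_USR VALUES ('NEW001', TIMESTAMP '2016-09-20 09:00:00');  -- created before last run
INSERT INTO EX_USR VALUES ('NEW002', TIMESTAMP '2016-09-21 08:30:00');  -- created after last run
INSERT INTO EX_USR VALUES ('HRA001', TIMESTAMP '2016-09-01 09:00:00');

INSERT INTO EX_USR_ROLE VALUES ('NEW001', 'NEWUSER',    'N');
INSERT INTO EX_USR_ROLE VALUES ('NEW002', 'NEWUSER',    'N');
INSERT INTO EX_USR_ROLE VALUES ('HRA001', 'NEWUSER',    'N');
INSERT INTO EX_USR_ROLE VALUES ('HRA001', 'HR_ANALYST', 'Y');           -- granted by a dynamic rule

-- 1. Users who hold NEWUSER and nothing else: everyone still waiting for a dynamic or
--    manual assignment. Returns NEW001 and NEW002; HRA001 is excluded by the anti-join.
SELECT U.OPRID, U.CREATED_DTTM
  FROM EX_USR U
  JOIN EX_USR_ROLE R ON R.OPRID = U.OPRID AND R.ROLENAME = 'NEWUSER'
 WHERE NOT EXISTS (SELECT 1 FROM EX_USR_ROLE R2
                    WHERE R2.OPRID = U.OPRID AND R2.ROLENAME <> 'NEWUSER')
 ORDER BY U.CREATED_DTTM;

-- 2. The same set restricted to users created BEFORE the last scheduled rule run
--    (constructed reference time 2016-09-21 06:00). These users should already have been
--    picked up; returns NEW001 only, which is the case to investigate in Process Monitor
--    and Message Monitor (the rule ran, but was the message delivered?).
SELECT U.OPRID, U.CREATED_DTTM
  FROM EX_USR U
  JOIN EX_USR_ROLE R ON R.OPRID = U.OPRID AND R.ROLENAME = 'NEWUSER'
 WHERE U.CREATED_DTTM < TIMESTAMP '2016-09-21 06:00:00'
   AND NOT EXISTS (SELECT 1 FROM EX_USR_ROLE R2
                    WHERE R2.OPRID = U.OPRID AND R2.ROLENAME <> 'NEWUSER')
 ORDER BY U.CREATED_DTTM;

-- 3. Sanity check on the NEWUSER role itself: it should never be populated dynamically,
--    since it is the baseline every new profile receives. Returns no rows for this data.
SELECT R.OPRID
  FROM EX_USR_ROLE R
 WHERE R.ROLENAME = 'NEWUSER' AND R.DYNAMIC_SW = 'Y';
```

Query 2 is the one to schedule alongside the rule: a non-empty result after a run means a user either fell outside every rule or the rule's message never applied its update, and the NEWUSER role is quietly acting as that user's only access.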
Copyright 1988-2002 PeopleSoft, Inc. All Rights Reserved.