
21/09/2016

Working With Roles

Working With Roles
This chapter provides an overview of roles and discusses how to:
Work with roles.
Define role options.
Create a NEWUSER role.

Understanding Roles
Roles are intermediate objects that exist between permission lists and user profiles. They are designed to aggregate permission lists so that you can arrange permissions into meaningful collections. If you implement dynamic roles, then roles enable you to add permissions to users dynamically, which reduces administration tasks.
Note. In previous releases, roles were associated with PeopleSoft Workflow. PeopleTools has expanded their definitions to include system permissions. There is only one role definition, and you maintain it within Security.
Role users are the User Profiles, or users, that have membership in a particular role. Users inherit most of their permissions from the roles assigned to the User Profile. However, you assign some Permission Lists directly to the User Profile.
You assign data permissions directly to the User Profile, either through a Primary Permissions list or a Row Security Permissions list. Navigator Homepage and Process Profile permission lists are also assigned directly to the user profile.
Some users obtain their membership by an administrator adding a role to their user profile manually, through the Security pages devoted to users. These users are Static Role Users.
Other users may obtain membership in a role programmatically. You can run a batch process that executes predefined role rules and assigns roles to user profiles according to these rules. This approach is called dynamic membership, and users who become role users of a particular role programmatically are Dynamic Role Users.
Dynamic role assignment is how you make your security system scale to meet the demands of an ever-increasing user population. Otherwise, members of your IT staff need to make every change to a user profile manually. If you have thousands of users in your system, the security administrator becomes the bottleneck.

Working With Roles
In this section, we discuss how to:
Create a new role.
Copy a role.
Delete a role.

Creating a New Role
To create a new role:

1. Select PeopleTools, Security, Permissions & Roles, Roles.
2. On the search page click Add a New Value.
3. In the Role Name edit box, enter the name of the role you want to create, and click Add.
4. From the pages in the Roles component select the appropriate role options.
5. Save your work.

Copying Roles
http://notes02.ntc.edu/servunits/isit/PS8_peoplebooks/eng/psbooks/tsec/book.htm
To clone a role:

1. Select PeopleTools, Security, Permissions & Roles, Copy Roles.
2. On the search page, search for the role that you want to copy (clone), and click it.
The Role Save As page appears.

3. On the Role Save As page, enter a new name in the as: edit box.
4. Click Save.

Deleting Roles
To delete a role:

1. Select PeopleTools, Security, Permissions & Roles, Delete Roles.
2. On the search page, locate the Permission List that you want to delete and click it.
The Delete Permission List page appears.

3. Click Delete Permission List.
4. Click OK to confirm the deletion, or click Cancel to abort.

Removing Users From a Role
If you need to delete the users assigned to a static or dynamic role, use the NO_USERS Query to locate the users. You invoke this query using the query rule with dynamic roles.

Defining Role Options
In this section, we discuss how to:
Describe the role.
Assign permissions to roles.
Display the list of members for a role.
Display the list of members who belong to the current role dynamically.
Set routing options for users.
Decentralize the administration of roles.
Display any additional links for user profiles.
Run role queries.
Inquire when a permission list was last updated.

Pages Used to Define Role Options

Page Name: General
Navigation: PeopleTools, Security, Permissions & Roles, Roles, General.
Usage: Describe the role and disable the role if needed, as well as add a long description to help identify the role.

Page Name: Permission Lists
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Permission Lists.
Usage: Grant permissions to roles.

Page Name: Members
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Members.
Usage: Display the current list of static members that belong to the current role.

Page Name: Dynamic Members
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Dynamic Members.
Usage: Display the current list of members that belong to the current role dynamically as a result of a business rule invoked in real time or batch mode. If you are not using the Dynamic Members functionality, then this list is not populated.

Page Name: Workflow
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Workflow.
Usage: Set routing options for users.

Page Name: Role Grant
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Role Grant.
Usage: Decentralize the administration of roles.

Page Name: Links
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Links.
Usage: Display any additional links for user profiles.

Page Name: Role Queries
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Role Queries.
Usage: Run queries about a role.

Page Name: Audits
Navigation: PeopleTools, Security, Permissions & Roles, Roles, Audits.
Usage: Inquire when a permission list was last updated.

Common Elements in This Section
Role Name

The Role Name is read only and reflects the name you chose for the role when you created it.

Description

You have the option of adding a short description to help you identify a particular Role on the other pages.

Describing the Role
Access the General page.

General page

Role Name

Displays the name of the role you opened or created.

Description

Add a description of the role. The text you add here appears throughout the component at the top of each page. There is a 30 character limit.
Note. This is a required field.

Role Status

To temporarily disable the role, for example for testing purposes, select the Role Disabled check box in the Role Status group box. The system selects this check box after a user has had multiple failed login attempts (if configured to do so).
If you no longer need the role, delete it.
A disabled role can't accept new members, or users. For example, roles that you are modifying might be disabled. Users belonging to a disabled role can't sign on to the system until you reactivate the role.

Long Description

Enables you to add a more descriptive explanation of the role. The text you add here should provide specific details describing the purpose of the role.

Assigning Permissions to Roles
Access the Permission Lists page.

Permission Lists page

Permission List

Displays the name of the permission list.

Description

Displays a short description of the permission list.

View Definition

Click this link to open the permission list definition. This enables you to view all the options in the permission list to make sure it is suitable for a particular role.

Remember that a user's access is determined by the sum of all the permission lists applied to each role to which they belong. For instance, suppose you add permission list X and permission list Y to a role. Permission list X has a sign-on time of 8 a.m. to 5 p.m. and permission list Y has a sign-on time of 1 p.m. to 9 p.m. In this scenario, the users assigned to this role can sign on to the system between 8 a.m. and 9 p.m. If this is your intention, then everything is OK. Always be aware of the contents of each permission list prior to adding them to a role.
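As an added illustration of the additive effect just described (example code written for this page, not PeopleSoft's own), the following computes the sign-on window that results from the union of every permission list on a user's roles, and reports how many extra hours a candidate permission list would open before you attach it. The role names, permission list names and hours are constructed sample data; the X and Y windows are the ones from the paragraph above, and a third list Z with an overnight window is added to show that the result can be non-contiguous.

```python
"""Effective sign-on window from additive permission lists (added example,
not PeopleSoft code).  A user's access is the union of every permission list
on every role the user holds; this computes the sign-on window that union
yields.  All role names, permission list names and windows are constructed
sample data; X and Y carry the 8-5 and 1-9 windows from the text."""
from typing import Dict, List, Tuple

Window = Tuple[int, int]  # (start_hour, end_hour) on a 24-hour clock, end exclusive

# Constructed sample: permission list -> sign-on windows on its sign-on times page
PERMISSION_LIST_SIGNON: Dict[str, List[Window]] = {
    "X": [(8, 17)],            # 8 a.m. to 5 p.m.
    "Y": [(13, 21)],           # 1 p.m. to 9 p.m.
    "Z": [(22, 24), (0, 2)],   # overnight: 10 p.m. to 2 a.m., split at midnight
}

# Constructed sample: role -> permission lists attached on its Permission Lists page
ROLE_PERMISSION_LISTS: Dict[str, List[str]] = {
    "HR_ANALYST": ["X", "Y"],
    "NIGHT_SUPPORT": ["Z"],
}


def merge_windows(windows: List[Window]) -> List[Window]:
    """Union of windows as a sorted list of non-overlapping (start, end) pairs."""
    merged: List[Window] = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:       # overlaps or touches the last one
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def total_hours(windows: List[Window]) -> int:
    """Number of hours covered by a list of non-overlapping windows."""
    return sum(end - start for start, end in windows)


def effective_signon(roles: List[str],
                     role_lists: Dict[str, List[str]] = ROLE_PERMISSION_LISTS,
                     list_windows: Dict[str, List[Window]] = PERMISSION_LIST_SIGNON) -> List[Window]:
    """Sign-on windows a user holding `roles` ends up with: the union over every
    permission list of every role, which is how the system resolves them."""
    windows: List[Window] = []
    for role in roles:
        for plist in role_lists[role]:
            windows.extend(list_windows[plist])
    return merge_windows(windows)


def hours_added_by(role: str, new_list: str,
                   role_lists: Dict[str, List[str]] = ROLE_PERMISSION_LISTS,
                   list_windows: Dict[str, List[Window]] = PERMISSION_LIST_SIGNON) -> int:
    """How many extra sign-on hours attaching `new_list` to `role` would open up.
    Worth checking before adding a list: the answer is never negative, because
    a permission list can only widen a role's sign-on window, never narrow it."""
    before = effective_signon([role], role_lists, list_windows)
    after = merge_windows(before + list_windows[new_list])
    return total_hours(after) - total_hours(before)


if __name__ == "__main__":
    print("HR_ANALYST:", effective_signon(["HR_ANALYST"]))  # [(8, 21)]
    print("adding Z to HR_ANALYST opens", hours_added_by("HR_ANALYST", "Z"), "more hours")
```

The union over X and Y gives exactly the 8 a.m. to 9 p.m. window the text describes; running hours_added_by before attaching a list is the practical form of the advice to know what each permission list contains.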
To add a permission list to a role:

1. Click
2. In the Permission List column click the lookup button.
3. From the search page, click the permission list that you want to add.

Displaying List of Members for a Role
Access the Members page.

Members page

User ID

Displays the user ID of the role member.

Name

Displays the name of the user associated with the user ID.

View Definition

Enables you to view the user ID of the role member to make sure that you have selected the appropriate definition for inclusion in the role.

When you add a role to a user profile, the user ID and description (Name) of the user appear in the Members list. When you remove the role from the user profile, the corresponding User ID and Description no longer appear in the Members list for that role.
Note. This page shows those users who are added to a role using the static approach.

Displaying List of Dynamic Members
Access the Dynamic Members page.

Dynamic Members page (1 of 2)

Dynamic Members page (2 of 2)

User ID

Displays the user ID of the role member.

Description

Displays the name of the user associated with the user ID.

View Definition

Enables you to view the user ID of the role member to ensure that you have selected the appropriate definition for inclusion in the role.

Rules

Enables you to select the format of the rule you want to invoke to assign roles. A dynamic role rule is defined/coded in PS/Query, PeopleCode, or your LDAP directory. A rule can use a combination of Query and PeopleCode or Query and LDAP, too.

Execute on Server

Enables you to select the appropriate Process Scheduler server to run the rule.

Assigning Roles
For the rule to successfully assign a role to the appropriate users, you must select the rule type you have in place for a particular role, and then specify the object that contains the rule you coded.
Note. You must define your role rules before you apply the options in the Rules group on the Dynamic Members page. Also, if you make any changes to the name of the rule, add a new rule, and so on, save all changes before you execute the rule.
Query Rule Enabled

Select this check box if you defined your rule with Query. The Query Rule group appears below the Rules group. Use the Query drop-down list box to select the query that contains your role rule.

PeopleCode Rule Enabled

Select if your rule is a PeopleCode program. The PeopleCode Rule group appears. Specify the Record, Field, Event, and Function associated with your PeopleCode role rule.

Directory Rule Enabled

Select if your role rule is based on information in your directory server. With a directory-based rule you must assign directory groups. The PeopleCode Rule appears because Directory rules are implemented using a PeopleCode program, DynRoleMembers. The DynRoleMembers PeopleCode program uses the Directory business interlink to retrieve user and group information from the directory. To view the program, open the FUNCLIB_LDAP record in PeopleSoft Application Designer.
Click Assign Directory Groups to select a particular directory group that exists in your LDAP server hierarchy. For example, suppose you have your LDAP server grouped by geographic region. If so, your rule could assign a new self-service role to all users in the North America group. Use the Directory Group drop-down list box to select the appropriate directory group value. The values are derived from the LDAP data that you import using the Directory Group Import process.

After you run a rule, click Refresh to repopulate the grid with updated information. Because the role rules are executed by an Application Engine program that runs through PeopleSoft Process Scheduler, you can use the Process Monitor link to view the status of the program run.

After the program runs, it publishes a message containing the list of users in the role, and exits. The program does not update any tables; the message (subscription PeopleCode) performs the actual database updates. To check the status of the message, use the Message Monitor link. Keep in mind that just because the dynamic roles program completed successfully, that does not necessarily mean your roles are updated. The associated message must also be delivered successfully.
Note. To clear all dynamic users from the role, PeopleTools delivers a query named NO_USERS that you can run to delete all the members if necessary.
Query Rule Example
This section describes the process of creating a Query rule that assigns dynamic role membership. This general example should also help to illustrate similar techniques that you would use for a PeopleCode or LDAP rule.
Note. The following text assumes a working knowledge of PS/Query.
In this example, we need to create a query that selects user IDs based on job criteria. Specifically, we need to find all the users that currently have the job code KC012 (Human Resource Analyst), and add them to the appropriate role. The assigned role grants them access to the necessary components that a Human Resource Analyst needs.
To do so, we:
Create a view.
Create the query.
Run the dynamic rule.
Note. The Dynamic Role functionality is not designed to resolve bind variables. When you select a query with a bind variable as a dynamic role rule, the system issues an error. PeopleSoft recommends that you do not use queries with bind variables as a query rule for dynamic roles. Many of the queries that PeopleSoft delivers are intended to be used with Workflow, and many of them contain bind variables. These queries are not designed to work "out of the box" as role rules.
If you are trying to create a role query based on PSOPRALIAS, to avoid issues with row-level security, you should use PSOPRALIAS_VW instead. It is important to note that this view must be manually kept in sync with PSOPRALIAS.
You can create a view for the information that your query needs. For example, the view definition might be similar to the following.

Dynamic Role Rule Query View

The associated SQL Object is:

Dynamic Role Rule Query View SQL Object

Note. The OPRID must not be a key in this view because PeopleTools appends AND OPRID = "current user's OPRID" in Query. This occurs if we use the record OPRALIAS directly in the query.
The SQL appears:
Query View SQL

After you create the view, you add it to the appropriate query tree. In this case, we add the new view to QUERY_TREE_HR.

Adding the view to a Query Tree

With the view created, you then create a query. In this example, the properties we assign to the query enable it to assign a role to users who currently have the Job code KC012, Human Resource Analyst.

Query definition

The Query contains the following criteria.

Query criteria
The SQL for the query is:

Query SQL

Notice that because the view doesn't have OPRID as a key, the resulting SQL does not contain the extra 'AND B.OPRID='PS''.
Note. When you save a query used for a dynamic role query, you need to specify that it is a "Role Query" in its properties.
With the view and the query created, you then need to set up the query rule in Security. Notice in the following example that Query Rule Enabled is selected and that the query created in the previous section appears in the Query Rule edit box.

Enabling the query rule

After enabling the query rule, you then want to test the rule to make sure the system assigns the appropriate roles to the appropriate users. To populate the role membership table, click Execute Rule.
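The view-plus-query rule walked through above, recreated as an added example (not the PeopleBook's own view or PS/Query definition, whose SQL the screenshots carried) using Python's built-in sqlite3 so it runs offline. The stand-in PSOPRALIAS_VW and PS_JOB tables, the view name DYN_ROLE_RULE_VW, the column names other than OPRID, EMPLID and JOBCODE, and every sample row are constructed assumptions; the job code KC012 is the one from the text. It shows what the rule returns when OPRID is not a key of the view, what the same rule would return if Query appended the signed-on user's OPRID (the reason for the note above), and the membership delta that the subscription PeopleCode would have to apply.

```python
"""Query rule for dynamic role membership, simulated with sqlite3 (added
example, not the PeopleBook's view or PS/Query definition).  Stand-ins for
PSOPRALIAS_VW and the JOB record are constructed; the view exposes OPRID as
a plain column (not a key) and the rule selects every OPRID whose job code is
KC012, the value from the text.  Table, view and column names other than
OPRID, PSOPRALIAS_VW, EMPLID and JOBCODE are assumptions for this example."""
import sqlite3
from typing import Iterable, List, Tuple

JOBCODE_HR_ANALYST = "KC012"

# Constructed sample rows (OPRID, OPRALIASTYPE, OPRALIASVALUE): user IDs aliased to EMPLIDs
OPRALIAS_ROWS = [
    ("PS", "EMP", "E001"),
    ("HR_JONES", "EMP", "E002"),
    ("HR_SMITH", "EMP", "E003"),
    ("FIN_LEE", "EMP", "E004"),
]
# Constructed sample rows (EMPLID, JOBCODE)
JOB_ROWS = [("E001", "KC999"), ("E002", "KC012"), ("E003", "KC012"), ("E004", "FA100")]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the tables and the dynamic role rule view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE PSOPRALIAS_VW (OPRID TEXT, OPRALIASTYPE TEXT, OPRALIASVALUE TEXT);
        CREATE TABLE PS_JOB (EMPLID TEXT, JOBCODE TEXT);
        -- Assumed view: OPRID is an ordinary column here, not a key, so Query
        -- does not append AND OPRID = <signed-on user> to queries that use it.
        CREATE VIEW DYN_ROLE_RULE_VW AS
            SELECT A.OPRID, B.JOBCODE
            FROM PSOPRALIAS_VW A
            JOIN PS_JOB B ON B.EMPLID = A.OPRALIASVALUE
            WHERE A.OPRALIASTYPE = 'EMP';
    """)
    conn.executemany("INSERT INTO PSOPRALIAS_VW VALUES (?, ?, ?)", OPRALIAS_ROWS)
    conn.executemany("INSERT INTO PS_JOB VALUES (?, ?)", JOB_ROWS)
    return conn


# The role rule.  In PS/Query the job code is a literal criterion (role rules
# cannot resolve bind variables); the ? here is only sqlite parameter binding.
ROLE_RULE_SQL = "SELECT OPRID FROM DYN_ROLE_RULE_VW WHERE JOBCODE = ? ORDER BY OPRID"


def role_members(conn: sqlite3.Connection, jobcode: str = JOBCODE_HR_ANALYST) -> List[str]:
    """What Execute Rule would return: every user ID holding the job code."""
    return [row[0] for row in conn.execute(ROLE_RULE_SQL, (jobcode,))]


def role_members_if_oprid_were_key(conn: sqlite3.Connection, current_oprid: str,
                                   jobcode: str = JOBCODE_HR_ANALYST) -> List[str]:
    """The same rule with the predicate Query would append if OPRID were a key
    of the view: membership collapses to (at most) the user running the rule."""
    sql = ROLE_RULE_SQL.replace(" ORDER BY", " AND OPRID = ? ORDER BY")
    return [row[0] for row in conn.execute(sql, (jobcode, current_oprid))]


def no_users(conn: sqlite3.Connection) -> List[str]:
    """A query that returns no rows, in the spirit of the delivered NO_USERS
    query: running it as the rule clears every dynamic member of the role."""
    return [row[0] for row in conn.execute("SELECT OPRID FROM DYN_ROLE_RULE_VW WHERE 1 = 0")]


def membership_delta(current: Iterable[str], desired: Iterable[str]) -> Tuple[List[str], List[str]]:
    """(to_add, to_remove): the updates the subscription PeopleCode has to apply
    so the role's dynamic members match what the rule returned."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)


if __name__ == "__main__":
    db = build_db()
    print("rule result:", role_members(db))                                   # ['HR_JONES', 'HR_SMITH']
    print("if OPRID were a key, run as PS:", role_members_if_oprid_were_key(db, "PS"))  # []
    print("delta vs current members:", membership_delta(["HR_JONES", "FIN_LEE"], role_members(db)))
```

Run as the PS user with OPRID as a key, the rule would find nobody, which is the failure the note about keys warns about; the delta function makes the point that a successful program run only produces the desired list, and the message subscription still has to apply the adds and removes.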

Setting Workflow Routing Options for Users
Access the Workflow page.

Workflow page

Allow notification

This option relates the ad hoc notification feature with PeopleSoft Workflow. This option enables users to notify others of data on a PeopleSoft page through email or worklists.
When components are designed, developers have the option of enabling the Notify toolbar on the Component Properties dialog box in PeopleSoft Application Designer. If this option is set for a particular component, then this check box enables security administrators to enable the Notify feature per role.
To enable this feature for a role, select this option. To disable this feature, make sure this option is not selected. By default, this option is enabled for all roles.

Allow Recipient Lookup

This option relates the ad hoc notification feature with PeopleSoft Workflow, and only applies if Allow notification is enabled for a role.
When a user sends an ad hoc notification, there is an option to browse the database for the email addresses of other users in the PeopleSoft system, which includes vendors, customers, employees, sales leads, and so on. In some cases, it may not be appropriate to expose this information.
To enable this feature for a role, select this option. To disable this feature, make sure this option is not selected. By default, this option is enabled for all roles.

Use Query to Route Workflow

Specify whether the workflow routings for a particular role should be determined by a workflow query. This depends on your workflow scheme.

See Also
PeopleTools PeopleBooks: "PeopleSoft Workflow"

Decentralizing the Administration of Roles
Access the Role Grant page.

Role Grant page

You can selectively decentralize the administration of roles by using the Role Grant page. With the Role Grant option, you don't need to rely on Dynamic Roles, yet you don't need to bother a security administrator to assign roles either. For example, the Role Grant page enables a line manager to assign roles to employees on his/her team as needed to cope with changes in the work environment.
The Role Grant page works in conjunction with the Distributed User Profiles and Distributed User Setup pages in the User Profiles component.

Roles That Can Be Granted By This Role

This grid contains the roles that the current role is allowed to grant to other user IDs. For example, the Line Manager in the shipping department may need to grant a role to a temporary worker (Shipping Temp). Typically, the roles that a role can grant should be in a "subservient" position to the granting role. To add multiple roles, use the plus button.

Roles That Can Grant This Role

This grid contains the roles that can grant the current role to other user IDs. For example, on the Shipping Temp role, Shipping Clerk appears in the Roles That Can Grant This Role grid. To add multiple roles, use the plus button.

View Definition

To make sure that you have selected the appropriate definition for inclusion in the role, click this link to view the associated definition.

See Also
Working With Distributed User Profiles
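The checks a security administrator would want before turning on Role Grant, as an added example (not PeopleSoft code): that the "Roles That Can Grant This Role" grid is the inverse of the "Roles That Can Be Granted By This Role" grid, that a user may only grant a role listed for one of the roles they hold, and that no grant entry points at a role that is not "subservient" to the grantor. ROLE_GRANTS is constructed sample data in the shape of the first grid, using the shipping roles from the text; RANK is a constructed privilege ordering that stands in for the subservience relationship, which the page describes but does not encode.

```python
"""Checks for a decentralized Role Grant configuration (added example, not
PeopleSoft code).  ROLE_GRANTS is constructed sample data in the shape of the
"Roles That Can Be Granted By This Role" grid; RANK is a constructed privilege
ordering that stands in for the "subservient" relationship the text describes."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: role -> roles it may grant to other user IDs (the first grid)
ROLE_GRANTS: Dict[str, Set[str]] = {
    "SECURITY_ADMIN":   {"SHIPPING_MANAGER"},
    "SHIPPING_MANAGER": {"SHIPPING_CLERK", "SHIPPING_TEMP"},
    "SHIPPING_CLERK":   {"SHIPPING_TEMP"},
    "SHIPPING_TEMP":    set(),
}

# Constructed privilege ordering: higher number means more privilege
RANK: Dict[str, int] = {"SECURITY_ADMIN": 4, "SHIPPING_MANAGER": 3,
                        "SHIPPING_CLERK": 2, "SHIPPING_TEMP": 1}


def roles_that_can_grant(role: str, grants: Dict[str, Set[str]] = ROLE_GRANTS) -> Set[str]:
    """The second grid ("Roles That Can Grant This Role") is the inverse of the
    first; deriving it keeps the two views of the relationship consistent."""
    return {grantor for grantor, targets in grants.items() if role in targets}


def can_grant(grantor_roles: Iterable[str], target: str,
              grants: Dict[str, Set[str]] = ROLE_GRANTS) -> bool:
    """A user may grant `target` only if one of the roles they hold lists it."""
    return any(target in grants.get(r, set()) for r in grantor_roles)


def grantable_by_user(user_roles: Iterable[str],
                      grants: Dict[str, Set[str]] = ROLE_GRANTS) -> Set[str]:
    """Everything a user holding `user_roles` could hand out through Role Grant."""
    result: Set[str] = set()
    for r in user_roles:
        result |= grants.get(r, set())
    return result


def non_subservient_grants(grants: Dict[str, Set[str]],
                           rank: Dict[str, int]) -> List[Tuple[str, str]]:
    """Grant entries whose target is at least as privileged as the grantor
    (a role granting itself included).  Any such entry lets the holder of a
    lower-privilege role create users at or above their own level."""
    return sorted((g, t) for g, targets in grants.items() for t in targets
                  if rank[t] >= rank[g])


if __name__ == "__main__":
    print(roles_that_can_grant("SHIPPING_TEMP"))      # {'SHIPPING_MANAGER', 'SHIPPING_CLERK'}
    print(non_subservient_grants(ROLE_GRANTS, RANK))  # []
    # Constructed misconfiguration: the temp role allowed to grant the clerk role
    bad = {**ROLE_GRANTS, "SHIPPING_TEMP": {"SHIPPING_CLERK"}}
    print(non_subservient_grants(bad, RANK))          # [('SHIPPING_TEMP', 'SHIPPING_CLERK')]
```

In the sample, Shipping Clerk can grant Shipping Temp, so it appears in the derived "can grant" set for Shipping Temp, matching the example in the text; the misconfigured copy is flagged because it would let a temporary worker create clerks.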

Displaying Additional Links for User Profiles
If you have added any additional links for user profiles in the Security Links component, they appear on the Links page.
See Also
Security Links

Running Role Queries
Role queries enable you to run queries that provide detailed information regarding a role, such as the user IDs and permission lists associated with a role. The available queries are documented on the page.
To run a role query:

1. Click the link associated with the query you want to execute.
This invokes a new browser window.

2. View the information the query returns, or select a download option.
For downloading, you have the following options:
Excel Spreadsheet. Downloads the query results as an Excel spreadsheet (.XLS) file.
CSV Text File. Downloads the query results as a comma-separated values (CSV) file.

Inquiring When a Role Was Last Updated
The Audit page is a read-only page that enables you to determine when a Role was last updated and by whom. You can also view who has made changes to security tables using the Database Level Auditing feature.
See Also
PeopleTools PeopleBooks: Data Management, "Database Level Auditing"

Creating a NEWUSER Role
When a new user enters the system, and you have implemented dynamic role rules, the user does not belong to any roles until your role rules execute. If you have a new employee entered into the system, at first all they would be able to access is the "public" pages you authorize for the NEWUSER role. Then, when your dynamic role rules execute, the new employees become members of the roles that apply to their position.
Note. The NEWUSER role is not a role that PeopleSoft delivers. You can name the role to suit your requirements.
To implement a NEWUSER role:

1. Create your NEWUSER role.
2. Add permission lists to the role so that members of this role have access to the pages that are appropriate for all users within the system, like My Profile and any other areas that are not a threat to your system security.
3. Apply the appropriate roles.
If you are using dynamic role assignment, you wait until the batch program runs; if you are using static role assignment, then the user must wait until an administrator manually applies the appropriate roles.
If your role rules run only once in a 24-hour period, it might not be until the next day that a new employee has access to the system. If your rules run more frequently, it may only be a couple of hours. If it's not acceptable to wait the duration until the next run of the dynamic role rule, you can use one of the following options:
Add any "required" pages to the NEWUSER role.
Reduce the duration between the dynamic rule executions.
Note. Reducing the execution interval of the dynamic rules may have performance impacts depending on how the rules are implemented.

4. Add a Signon PeopleCode script that detects that the user needs access to a certain role.
You can accomplish this by running a query against LDAP, the database, or wherever the information resides. Then use the User Profile component interface to add the appropriate roles to the user, according to the query results.

Copyright 1988-2002 PeopleSoft, Inc. All Rights Reserved.