Professional Documents
Culture Documents
Security can be implemented in the following ways which shall be explained in detail: 1. User security. 2. Lightweight Directory Access Protocol (LDAP). 3. Authentication and single sign on. 4. Pluggable cryptography. 5. Query and definition security. 6. PeopleSoft personalization.
1. User Security:
A security definition refers to a collection of related security attributes that are created using People Tools Security. The three main PeopleSoft security definition object types are:
User Profiles (a set of data describing a particular PeopleSoft user) Roles (intermediate objects that link User Profiles to Permission Lists) Permission Lists (a set of pages and allowable actions on those pages)
The hierarchy that needs to be followed to implement user security is : Definition of permission lists ,followed by creation of roles and finally assigning these roles to User Profiles. A user profile is a definition that represents one PeopleSoft user. Each user is unique; the user profile specifies a number of user attributes, including one or more assigned roles. Each role that's assigned to a given user profile adds its permission lists to the total that apply to that user.
An analysis of the above diagram reveals that version 8.46 is an enhancement and an improved version of the security implement in version 7.5. Operator ID: Operator ID has changed to User ID/User Profile. It has the same functionality just the name has changed. It allows the user to sign into the system. Operator Class: Class is now broken into two parts. 1) Role: A Role is the Who of security. Users within an application can include employees, managers, customers, contractors, suppliers, and so on. The system allows you to group users according to roles. A role is an object that has properties, such as name, description, permission lists, and so on. One of the properties assigned to a role is the list of users assigned to it. For instance, there might be an Employee role, a Manager role, or an Administrator role. Users who belong to a particular role require a specific set of permissions, or authorizations, within the system so that they can complete their daily tasks. 2) Permission List: The Permission List is the What of security. It contains the component, page and actions being granted.
PeopleSoft supports a notion of single sign on between PeopleSoft instances. Within the context of PeopleSoft system, single sign on means that after a user has been authenticated by one PeopleSoft application server, that user can access a second PeopleSoft application server without entering an ID or a password. Although the user is actually accessing different applications and databases, the user navigates seamlessly through the system as each suite of PeopleSoft applications, such as HR, Financials, CRM, and EPM,, reside in its own database.
How It Works
The diagram below shows how the Single Sign-On Agent for PeopleSoft Solutions integrates Services with PeopleSoft Internet Architecture. The agent uses the Security Manager interface For PeopleSoft Application Server to achieve the critical, Tier 2 security integration. A Signon People Code script passes user ID and session information to the Validation Library, which in turn, will query the Policy Server enabling true, end-to-end Access security. A typical process flow is as follows: 1. A user makes a request to a PeopleSoft application through a web server. 2. The Web Agent asks the Policy Server to authenticate and authorize the request.
3. The Policy Server verifies access permissions and returns the PeopleSoft User Name as an HTTP header. 4. The Web Server passes user security context information (credentials) for the DEFAULT_USER to the PeopleSoft Application Server. The PeopleSoft Application Server then begins session by invoking Sign-on PeopleCode. Note: the DEFAULT_USER account has NO access to the system. 5. The Sign-on PeopleCode calls the validation library to verify the session information. 6. The Validation Library then passes the session information to the Policy Server for verification. 7. The Policy Server then returns the result to the Validation Library. 8. The Validation Library returns the result to the PeopleSoft Application Server. 9. If the session was verified, the PeopleSoft Application Server creates a PeopleSoft session cookie and sends it back to the Web server. 10. The Web server sends the cookie back to the users browser for use in subsequent requests.
4. Pluggable Cryptography
Data security comprises the following elements: Privacy keeping data hidden from unauthorized parties. Privacy is normally implemented with some type of encryption. Encryption is the scrambling of information such that no one can read it unless they have a piece of data known as a key. Integrity keeping transmitted data intact. Integrity can be accomplished with simple checksums or, better, with more complex cryptographic checksums known as one-way hashes, and often with digital signatures as well. Authentication verifying the identity of an entity that's transferring data. Authentication can be accomplished using passwords, or with digital signatures, which are by far the most popular and most reliable method of authentication. PeopleSoft pluggable encryption technology (PET) provides a way to use hashes and digital signatures to secure critical PeopleSoft data and communicate securely with other businesses. It enables to extend and improve cryptographic support for data in People Tools, giving strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data. PeopleSoft delivers PET with support for the OpenSSL and PGP encryption libraries. Pluggable Cryptography enables one to secure critical PeopleSoft data and communicate securely with other businesses. It enables to extend and improve cryptographic support for data in People Tools, giving strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data. By using the Tools Pluggable Cryptography for strong encryption/decryption, the system encrypts data using 3DES algorithms and 168-bit encryption keys.
10
Steps to implement pluggable cryptography: 1. Load an encryption library's algorithms into the PET database. 2. Generate accompanying encryption keys, and insert them into the PET key store. 3. Define a sequence, or chain of algorithms by selecting from all the algorithms in the database. 4. Define an encryption profile, which is an instance of an algorithm chain applicable to a specific encryption task. 5. Write People Code to invoke the encryption profile.
11
12
6. PeopleSoft Personalizations
PeopleSoft offers a variety of options that enable end users, especially power users, to configure certain aspects of their PeopleSoft environment to produce a more personalized interface. These options improve a users navigation speed through the system and enable users to select international preferences, such as date and time formats. A group is defined, and its personalization options are categorized, then permission lists are used to control access to them. Users with access to a personalization option can control it through the My Personalizations menu.
2.
3.
Conversion of data automatic assignment of PeopleSoft User Role (permission list PTPT1000) to ALL users. Assign the necessary web libraries to existing permission lists and remove the role from all users. The permission list ALLPANLS no longer exists.
4.
5.
13
6.
Add Menu Portal Admin (PORTAL_ADMIN) to the permission list include Add (PORTAL_ADD_FAV) and Edit (PORTAL_EDIT_FAV) Favorites. Add the permission list(s) to Folder Security in Portal > Structure and Content > My Favorites. Add Menu Portal Admin (PORTAL_ADMIN) to the permission list include access to Search (PORTAL_SEARCH). Run the Build Registry Search Index (Build Search Index) process Run the Portal Security Sync (Portal Security Synch) process. A script (using dynamic sql) was run prior to bringing down the 8.0 database that saved the password and last password change date. The update script was run at golive in the 8.9 database. A query was run in 8.0 to get all the permission lists assigned and manually added in the permission list in 8.9, additionally there are several component interfaces that are also required. Set Component Interface and Menu to No Access in the permission list assigned Application Designer Access under Definition (Object) Permissions.
7.
8.
No results or inaccurate results when using Search. Missing left hand navigation after security move. Preserving passwords and last password change date.
9.
10.
11.
Permission lists assigned the menu CC_BIO_DEMO_DATA did not convert from 8.0.
12
14