Implementing Security in PeopleSoft

Implementing Security in PeopleSoft:

A. 1. 2. 3. 4. 5. 6. B. Introduction: PeopleSoft Version 8.46 ................................................................... 1 User Security:...................................................................................................... 3 LDAP : Lightweight Directory Access Protocol ................................................ 6 Authentication and Single Sign on ..................................................................... 8 Pluggable Cryptography ................................................................................... 10 Query and Definition Security .......................................................................... 12 PeopleSoft Personalizations.............................................................................. 13 Updating PeopleSoft Security Version 8.46 to 8.9:.............................................. 13

A. Introduction: PeopleSoft Version 8.46

This document provides guidelines and best practices for the end users to use to secure PeopleSoft data, specifically guidelines regarding confidentiality, user authentication, and access control. Security is especially critical for core business applications, such as PeopleSoft applications. Typically, what is needed is a need to restrict the usage, viewing and customization of the data and applications. PeopleSoft provides security features, including components and People Tools applications, to ensure that the sensitive application data, such as employee salaries, performance reviews, or home addresses, do not fall into the wrong hands. As the PeopleSoft Internet Architecture (PIA) is implemented, a robust and scalable means is needed by which the users can be grant authorization efficiently. Security can be applied to all users, including employees, managers, customers, contractors, and suppliers. Users are grouped according to roles give to them with different degrees of access. For instance, there might be an Employee role, a Manager role, and an Administrator role. Users who belong to a particular role require a specific set of permissions, or authorizations, within the system, so that they can complete their daily tasks. The objects and definitions in the PeopleSoft development environment must also be secured from viewing. Restriction can be implemented to block the end users from accessing particular pages and components, also to restrict the definitions that the sites developers can access using PeopleSoft Application Designer. A definition refers to any of the definitions that are created within PeopleSoft Application Designer, such as records, pages, or components. Each object definition may have individual security needs. Accessing a PeopleSoft application requires first passing through several layers of network, OS, and DB security. These capabilities are defined by the technical environment and need to be configured outside of PeopleSoft. A pictorial representation of the same is given below:

Implementing Security in PeopleSoft

Security can be implemented in the following ways which shall be explained in detail: 1. User security. 2. Lightweight Directory Access Protocol (LDAP). 3. Authentication and single sign on. 4. Pluggable cryptography. 5. Query and definition security. 6. PeopleSoft personalization.

Implementing Security in PeopleSoft

1. User Security:
A security definition refers to a collection of related security attributes that are created using People Tools Security. The three main PeopleSoft security definition object types are:

The three main PeopleSoft security definition types are:

User Profiles (a set of data describing a particular PeopleSoft user) Roles (intermediate objects that link User Profiles to Permission Lists) Permission Lists (a set of pages and allowable actions on those pages)

The hierarchy that needs to be followed to implement user security is : Definition of permission lists ,followed by creation of roles and finally assigning these roles to User Profiles. A user profile is a definition that represents one PeopleSoft user. Each user is unique; the user profile specifies a number of user attributes, including one or more assigned roles. Each role that's assigned to a given user profile adds its permission lists to the total that apply to that user.

Implementing Security in PeopleSoft

A role is a collection of permission lists. One or more permission lists can be assigned to a role. And similarly a given permission list can be assigned to multiple roles. The resulting combination of permissions can apply to all users who share those access requirements. However, the same group of users might also have other access requirements that they don't share with each other. Roles are used to assign permissions to users dynamically. Permission lists are the building blocks of user security authorization. A permission list grants a degree of access to a particular combination of PeopleSoft elements, specifying pages, development environments, time periods, administrative tools, personalizations, and so on. This level of access should be appropriate to a narrowly defined and limited set of tasks, which can apply to a variety of users with a variety of different roles. These users might have overlapping, but not identical, access requirements. PeopleSoft security definitions provide a modular means to apply security attributes in a scalable manner. Each user has an individual user profile, which in turn is linked to one or more roles. One or more permission lists can be added, which ultimately control what a user can and can't access, to each role. A few permission types are assigned directly to the user profile. The picture below provides a mapping of User Security in People Tools version 7.5 and 8.46.

An analysis of the above diagram reveals that version 8.46 is an enhancement and an improved version of the security implement in version 7.5. Operator ID: Operator ID has changed to User ID/User Profile. It has the same functionality just the name has changed. It allows the user to sign into the system. Operator Class: Class is now broken into two parts. 1) Role: A Role is the Who of security. Users within an application can include employees, managers, customers, contractors, suppliers, and so on. The system allows you to group users according to roles. A role is an object that has properties, such as name, description, permission lists, and so on. One of the properties assigned to a role is the list of users assigned to it. For instance, there might be an Employee role, a Manager role, or an Administrator role. Users who belong to a particular role require a specific set of permissions, or authorizations, within the system so that they can complete their daily tasks. 2) Permission List: The Permission List is the What of security. It contains the component, page and actions being granted.

Implementing Security in PeopleSoft

Panel: A Panel is now referred to a Page in PeopleSoft 8.46. The change was made to accommodate web terminology. Panel Group: A Panel Group is now referred to as a Component in PeopleSoft 8.46. The change was made to accommodate web terminology. The picture below exemplifies the relationship between Users, Roles and Permission Lists. Permission lists are assigned to roles, which are then assigned to user profiles. A role may contain numerous permissions and a user profile may have numerous roles assigned to it. Because permission lists are applied to users through roles, a user inherits all the permissions assigned to each role to which the user belongs. The user's access is determined by the combination of all of the roles.

Implementing Security in PeopleSoft

2. LDAP : Lightweight Directory Access Protocol

LDAP is an Internet protocol used to access a directory listing. Organizations typically store user profiles in a central repository, or directory server, that serves user information for all of the programs that require it. Through an LDAP V3 compliant directory server, the data that already exists and is maintained in the PeopleSoft HRMS database can be shared with the directory. Complete out-of-the-box integration with leading directory servers. PeopleSoft enables to integrate the authentication scheme for PeopleSoft with the existing infrastructure.

Implementing Security in PeopleSoft

Permission lists and roles will be maintained using PeopleSoft security. However, user profiles can be maintained in PeopleSoft security or reused user profiles and roles that are already defined within an LDAP directory server. A directory server enables the maintenance of a single, centralized user profile that can be used across all of the PeopleSoft and non-PeopleSoft applications. This approach reduces redundant maintenance of user information stored separately throughout the enterprise, and reduces the possibility of user information getting out of synchronization. Also, enabling the user profiles to be easily created and maintained and authenticated.

Implementing Security in PeopleSoft

3. Authentication and Single Sign on

PeopleSoft delivers the most common authentication solutions and packages them with the PeopleSoft application. This saves the trouble of developing solutions and saves time with the security implementation. These prepackaged solutions include People Code that supports basic sign-in through secure sockets layer (SSL), LDAP authentication, and single sign on. Because PeopleSoft applications are designed for Internet deployment, many sites must take advantage of the authentication services that exist at the web server level. PeopleSoft takes advantage of HTTPS, SSL, and digital certificates to secure the transmission of data from the web server to an end user's web browser and also to secure the transmission of data between PeopleSoft servers and third-party servers (for business-to-business processing) over the Internet.

PeopleSoft supports a notion of single sign on between PeopleSoft instances. Within the context of PeopleSoft system, single sign on means that after a user has been authenticated by one PeopleSoft application server, that user can access a second PeopleSoft application server without entering an ID or a password. Although the user is actually accessing different applications and databases, the user navigates seamlessly through the system as each suite of PeopleSoft applications, such as HR, Financials, CRM, and EPM,, reside in its own database.

How It Works
The diagram below shows how the Single Sign-On Agent for PeopleSoft Solutions integrates Services with PeopleSoft Internet Architecture. The agent uses the Security Manager interface For PeopleSoft Application Server to achieve the critical, Tier 2 security integration. A Signon People Code script passes user ID and session information to the Validation Library, which in turn, will query the Policy Server enabling true, end-to-end Access security. A typical process flow is as follows: 1. A user makes a request to a PeopleSoft application through a web server. 2. The Web Agent asks the Policy Server to authenticate and authorize the request.

Implementing Security in PeopleSoft

3. The Policy Server verifies access permissions and returns the PeopleSoft User Name as an HTTP header. 4. The Web Server passes user security context information (credentials) for the DEFAULT_USER to the PeopleSoft Application Server. The PeopleSoft Application Server then begins session by invoking Sign-on PeopleCode. Note: the DEFAULT_USER account has NO access to the system. 5. The Sign-on PeopleCode calls the validation library to verify the session information. 6. The Validation Library then passes the session information to the Policy Server for verification. 7. The Policy Server then returns the result to the Validation Library. 8. The Validation Library returns the result to the PeopleSoft Application Server. 9. If the session was verified, the PeopleSoft Application Server creates a PeopleSoft session cookie and sends it back to the Web server. 10. The Web server sends the cookie back to the users browser for use in subsequent requests.

Implementing Security in PeopleSoft

4. Pluggable Cryptography
Data security comprises the following elements: Privacy keeping data hidden from unauthorized parties. Privacy is normally implemented with some type of encryption. Encryption is the scrambling of information such that no one can read it unless they have a piece of data known as a key. Integrity keeping transmitted data intact. Integrity can be accomplished with simple checksums or, better, with more complex cryptographic checksums known as one-way hashes, and often with digital signatures as well. Authentication verifying the identity of an entity that's transferring data. Authentication can be accomplished using passwords, or with digital signatures, which are by far the most popular and most reliable method of authentication. PeopleSoft pluggable encryption technology (PET) provides a way to use hashes and digital signatures to secure critical PeopleSoft data and communicate securely with other businesses. It enables to extend and improve cryptographic support for data in People Tools, giving strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data. PeopleSoft delivers PET with support for the OpenSSL and PGP encryption libraries. Pluggable Cryptography enables one to secure critical PeopleSoft data and communicate securely with other businesses. It enables to extend and improve cryptographic support for data in People Tools, giving strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data. By using the Tools Pluggable Cryptography for strong encryption/decryption, the system encrypts data using 3DES algorithms and 168-bit encryption keys.

10

Implementing Security in PeopleSoft

Steps to implement pluggable cryptography: 1. Load an encryption library's algorithms into the PET database. 2. Generate accompanying encryption keys, and insert them into the PET key store. 3. Define a sequence, or chain of algorithms by selecting from all the algorithms in the database. 4. Define an encryption profile, which is an instance of an algorithm chain applicable to a specific encryption task. 5. Write People Code to invoke the encryption profile.

11

Implementing Security in PeopleSoft

5. Query and Definition Security

PeopleSoft Query is used to build SQL queries and retrieve information from application tables. For each PeopleSoft Query user, the records that the user is allowed to access when building and running queries can be specified. This is done by creating query access groups in PeopleSoft Tree Manager, and then assigning users to those groups with PeopleSoft Query security. PeopleSoft Query security is enforced only when using PeopleSoft Query; it doesnt control runtime page access to table data. Definition Security is used to govern access to database object definitions, such as record definitions, field definitions, and page definitions, and to protect particular object definitions from being modified by developers.

12

Implementing Security in PeopleSoft

6. PeopleSoft Personalizations
PeopleSoft offers a variety of options that enable end users, especially power users, to configure certain aspects of their PeopleSoft environment to produce a more personalized interface. These options improve a users navigation speed through the system and enable users to select international preferences, such as date and time formats. A group is defined, and its personalization options are categorized, then permission lists are used to control access to them. Users with access to a personalization option can control it through the My Personalizations menu.

B. Updating PeopleSoft Security Version 8.46 to 8.9:

People Soft 8.9 has come up with one of the most flexible security options. Considerations while implementing security in PeopleSoft 8.9 Duplication of menus ended causing (at least for FA) lots of rework of Permission Lists. The old structure & bar labels (use, inquire, process, report) still exist in security, and are now associated to folders. Query access now available through client without app designer access. (psqed.exe instead of pside.exe). Additional security controls expire password at next login and retain password. Personalizations are no longer globally defined. Define, group, and categorize personalization options, using the PeopleTools Personalizations interface. Use permission lists to control access to them. In the permission list interface there is now a Personalizations page where you select the personalizations for a permission list. S. No. 1. Issues (to be considered while implementing security in 8.9) Portal Structure and Content Solutions Creating folders and using registration wizard Running Portal Security Synch when moving security PeopleTools>Security>Query Security>Query Access Manager Assign the necessary web libraries to existing permission lists and remove the role from all users. Assign the necessary web libraries to existing permission lists. Add role PeopleSoft Administrator. This role overrides ALL security and should only be assigned to a limited number of people.

2.

Tree Manager for Query tables

3.

Conversion of data automatic assignment of PeopleSoft User Role (permission list PTPT1000) to ALL users. Assign the necessary web libraries to existing permission lists and remove the role from all users. The permission list ALLPANLS no longer exists.

4.

5.

13

Implementing Security in PeopleSoft

S. No. Issues (to be considered while implementing security in 8.9) Unable to add\edit favorites. Solutions

6.

Add Menu Portal Admin (PORTAL_ADMIN) to the permission list include Add (PORTAL_ADD_FAV) and Edit (PORTAL_EDIT_FAV) Favorites. Add the permission list(s) to Folder Security in Portal > Structure and Content > My Favorites. Add Menu Portal Admin (PORTAL_ADMIN) to the permission list include access to Search (PORTAL_SEARCH). Run the Build Registry Search Index (Build Search Index) process Run the Portal Security Sync (Portal Security Synch) process. A script (using dynamic sql) was run prior to bringing down the 8.0 database that saved the password and last password change date. The update script was run at golive in the 8.9 database. A query was run in 8.0 to get all the permission lists assigned and manually added in the permission list in 8.9, additionally there are several component interfaces that are also required. Set Component Interface and Menu to No Access in the permission list assigned Application Designer Access under Definition (Object) Permissions.

7.

Getting an error when using Search.

8.

No results or inaccurate results when using Search. Missing left hand navigation after security move. Preserving passwords and last password change date.

9.

10.

11.

Permission lists assigned the menu CC_BIO_DEMO_DATA did not convert from 8.0.

12

Limited Security settings for Registration Wizard.

14