This chapter discusses:
Security architecture.
Single signon.
Security synchronization.
To understand security synchronization, it is first necessary to compare the PeopleSoft and Oracle Business Activity Monitoring (Oracle BAM) security architectures.
PeopleSoft Security Architecture
PeopleSoft security architecture associates users with roles. Roles are, in turn, associated with permission lists that are made up of specific authorizations such as access to particular pages.
This diagram illustrates the PeopleSoft security objects and their relationships:
PeopleSoft security architecture
Dashboard Security Architecture
The dashboard equivalent of a role is a group. However, rather than being associated with a permission list that references one or more pages, a group is associated directly with a dashboard report or data object (table), or with a folder containing multiple reports or data objects.
Note. To view data in a report, a user must have access to both the report and the data object from which the report pulls information. Access to the data object doesn't give the user the ability to modify the object unless the user also has access to the Architect tool.
The dashboard system also differs from PeopleSoft in that group membership is not required for access to specific reports, data objects, and folders: individual users can be given access directly. However, when you use the security synchronization process to manage dashboard security, all access other than that of the primary security administrator is given through groups.
The dashboard system also includes a security object called a role, but it is different from a PeopleTools role. Dashboard roles are somewhat similar to permission lists in that they incorporate specific authorizations. However, the authorizations in a dashboard role are not for specific objects such as reports. Instead, roles are used for broad categories of access such as the ability to use Architect, Administrator, or Active Studio. Users are given these access levels either through direct association with a dashboard role or through membership in a group that is associated with a dashboard role.
This diagram illustrates the dashboard security objects and their relationships:
Dashboard security architecture
Comparison of PeopleSoft and Dashboard Security Architecture
This diagram maps PeopleSoft security objects to their corresponding dashboard security objects:
Security object comparison
See Also
Enterprise PeopleTools PeopleBook: Security Administration
Oracle BAM Administrator's Guide
Single signon capabilities enable PeopleSoft users to access the dashboard system using links on the PeopleSoft menu even though the dashboard is physically external to the PeopleSoft system and maintains its own security profiles.
To support single signon capabilities, the dashboard integration framework provides a mechanism for sending PeopleSoft user data to the dashboard system. This enables your organization to continue maintaining your user profiles in one place using PeopleTools. Giving PeopleSoft users access to the dashboard system is simply a matter of associating the users with dashboard-specific PeopleTools roles and running the security synchronization process.
The PeopleSoft menu includes the following links for accessing various components of the dashboard system:
My Dashboards (this link is at the root of the PeopleSoft menu; it is the link that end-users click to access dashboard reports).
This section discusses:
The security synchronization process.
Object-level security.
Row-level security.
Note. The security synchronization process uses the same messaging framework that sends all other data from PeopleSoft to the dashboard system. Therefore, the messaging framework must be functional before the security synchronization process runs.
The dashboard integration framework enables you to maintain user information in the PeopleSoft system and then send information over to the dashboard system to keep the two systems synchronized.
Determination of Required Security Updates
To support the security synchronization process, PeopleSoft maintains a table that lists dashboard users and the groups to which they belong. Essentially, this table is a mirror of the last known security profiles in the /System/Security/User Group data object in the dashboard system.
At the beginning of the security synchronization process, the system compares the mirror table to the PeopleTools security tables. This comparison results in information about what dashboard data objects need to be added, deleted, or modified to bring the dashboard system up to date. After making the changes in the dashboard system, the security synchronization process updates the mirror table.
Note. During normal dashboard operations, the security synchronization process keeps the dashboard and PeopleSoft security data synchronized. If, however, the data gets out of sync (for example, if data corruption forces you to reinitialize the ADC), you can easily start over by clearing both the /System/Security/User Group data object in the dashboard system and the PSCDBROLEUSER table in the PeopleSoft system and then running the security synchronization process again.
The security synchronization process creates three fixed dashboard roles and sets their access levels. These roles are:
Implementer: Has access to all Oracle BAM tools except for Administrator, the tool that is used to manage security.
Note. Do not modify or delete these dashboard roles because your changes will be lost the next time you run the security synchronization process.
When you set up dashboard installation options, you identify PeopleTools roles to use for each of the three dashboard roles that the initial load process creates.
The dashboard integration framework includes three PeopleTools roles that you can use for this purpose: Dashboard Administrator, Dashboard Implementer, and Dashboard User. These roles also give users access to the menu links that are the only way for PeopleSoft users to access the dashboard system.
Note. PeopleSoft CRM dashboard applications deliver additional CRM-specific roles. These roles work the same as the delivered PeopleTools roles, but they also grant access to CRM-specific dashboard setup pages. PeopleSoft CRM implementations should use the application-specific roles instead of the roles that the dashboard integration framework delivers. Refer to your application documentation for more information.
Any PeopleSoft user who is associated with any of the three PeopleTools roles is considered a dashboard user. The synchronization process creates and deletes dashboard user logons based on this association on the PeopleSoft side.
Synchronization of PeopleTools Roles and Dashboard Groups
For every PeopleSoft user who is a dashboard user, the synchronization process creates dashboard groups for every one of the user's roles. This includes the three PeopleTools roles that are used to identify dashboard users as well as the user's other roles. The synchronization process also adds dashboard users to these groups so that user-to-group associations on the dashboard side exactly match the user-to-role associations on the PeopleSoft side.
The groups for the three high-level dashboard roles are automatically associated with their corresponding roles. The other groups are used for object-level security.
This diagram provides a security synchronization example:
Synchronization of PeopleTools roles and dashboard groups
In this example, the user has four PeopleTools roles, one of which is Dashboard User, the high-level role that provides access to the dashboard viewer. The synchronization process created dashboard groups that correspond to each of the four PeopleTools roles; and, on the dashboard side, the user belongs to those four groups.
Because the dashboard installation options specify that Dashboard User is the PeopleTools role that is used to give access to the dashboard viewer, the corresponding group is automatically associated with the predefined User role. The synchronization process itself does not do anything with the other groups, which are used for object-level security.
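The following is an added example (not PeopleSoft or Oracle BAM code) that models the synchronization logic described above: it takes the PeopleTools role-to-user assignments and the mirror table, decides who counts as a dashboard user, and works out which logons, groups and memberships must be created or removed before the mirror table is rewritten. The input shapes, the sample users and the group names are constructed assumptions; only the three delivered PeopleTools roles and their fixed dashboard roles come from the text.

```python
# Added example: a model of the security synchronization process.
# Input/output shapes are assumptions; they are not the real PeopleSoft tables.
from dataclasses import dataclass, field

# The three PeopleTools roles named in dashboard installation options, mapped to
# the fixed dashboard roles that the synchronization process creates.
DASHBOARD_ROLE_MAP = {
    "Dashboard Administrator": "Administrator",
    "Dashboard Implementer": "Implementer",
    "Dashboard User": "User",
}


@dataclass
class SyncPlan:
    """Changes needed in the dashboard system to match PeopleTools security."""
    create_logons: set = field(default_factory=set)
    delete_logons: set = field(default_factory=set)
    create_groups: set = field(default_factory=set)
    add_memberships: set = field(default_factory=set)     # (user, group)
    remove_memberships: set = field(default_factory=set)  # (user, group)
    group_role_links: dict = field(default_factory=dict)  # group -> dashboard role


def dashboard_users(role_user):
    """Users holding at least one of the three designated PeopleTools roles."""
    return {user for user, role in role_user if role in DASHBOARD_ROLE_MAP}


def plan_sync(role_user, mirror, existing_groups):
    """role_user: set of (user, peopletools_role) from the PeopleTools security tables.
    mirror: set of (user, group) last known in /System/Security/User Group.
    existing_groups: group names already present in the dashboard system."""
    users = dashboard_users(role_user)
    # Every role of every dashboard user becomes a group membership; non-dashboard
    # users (e.g. a Salesperson without Dashboard User) are dropped entirely.
    desired = {(user, role) for user, role in role_user if user in users}
    plan = SyncPlan()
    mirror_users = {user for user, _ in mirror}
    plan.create_logons = users - mirror_users
    plan.delete_logons = mirror_users - users
    needed_groups = {group for _, group in desired}
    plan.create_groups = needed_groups - set(existing_groups)
    plan.add_memberships = desired - set(mirror)
    plan.remove_memberships = set(mirror) - desired
    # Only the groups for the three high-level roles are linked to dashboard roles;
    # all other groups are left for object-level security.
    plan.group_role_links = {
        group: DASHBOARD_ROLE_MAP[group] for group in needed_groups if group in DASHBOARD_ROLE_MAP
    }
    return plan


def apply_sync(plan, mirror):
    """Return the mirror table as it should look after the plan has been applied."""
    return (set(mirror) - plan.remove_memberships) | plan.add_memberships


# Constructed sample input: alice matches the worked example above, bob holds
# Salesperson but no dashboard role, carol lost Dashboard User since the last sync.
PT_ROLE_USER = {
    ("alice", "Dashboard User"),
    ("alice", "Sales Dashboard User"),
    ("alice", "Sales Manager"),
    ("alice", "Salesperson"),
    ("bob", "Salesperson"),
    ("carol", "Sales Manager"),
}
MIRROR = {("carol", "Dashboard User"), ("carol", "Sales Manager")}
EXISTING_GROUPS = {"Dashboard User", "Sales Manager"}


def demo():
    """Plan one synchronization run over the constructed sample input."""
    return plan_sync(PT_ROLE_USER, MIRROR, EXISTING_GROUPS)


if __name__ == "__main__":
    plan = demo()
    print("create logons:", plan.create_logons)
    print("delete logons:", plan.delete_logons)
    print("create groups:", plan.create_groups)
    print("group-to-role links:", plan.group_role_links)
    print("new mirror:", sorted(apply_sync(plan, MIRROR)))
```

Running the sample shows the behaviour the section describes: bob never receives a dashboard logon, carol's logon and memberships are removed because she no longer holds a designated role, alice gets one group per PeopleTools role, and only the Dashboard User group is linked to a dashboard role. Clearing both the mirror table and the dashboard user-group object corresponds to calling `plan_sync` with an empty `mirror`, which simply recreates everything.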
Synchronization Permission and First-Time Synchronization
Because the synchronization process updates security settings in the dashboard system, only users who already have Administrator access to the dashboard can initiate the synchronization process. As delivered, there is only one user with this access: PTCDBADMIN. This user ID is delivered as part of the CRM dashboard installation process and has full access to all parts of the dashboard system. Therefore, you must use the PTCDBADMIN user ID the first time that you run the security synchronization process.
Other users who are assigned to the Administrator role in the dashboard system as a result of the initial security synchronization process can perform subsequent security synchronizations.
If you upgrade or otherwise reinstall PeopleTools, the delivered settings for the PTCDBADMIN role are overwritten until you rerun the data mover script that creates these settings. The dashboard installation documentation explains this step.
See PeopleSoft Enterprise Customer Relationship Management 9 Supplemental Installation Guide
As delivered, the reports and data objects in PeopleSoft dashboard applications are secured at the folder level using groups that are derived from existing PeopleTools roles. For example, PeopleSoft Sales Dashboard reports are available only to users who, in the PeopleSoft system, have the delivered PeopleTools role of Sales Dashboard User.
This diagram illustrates the use of groups for object security:
Object-level security for reports and data objects
In this example, a sales manager has, in addition to the general-purpose Dashboard User role, three additional roles: Sales Dashboard User, Sales Manager, and Salesperson. The synchronization process created groups for all three additional roles and added the manager to all of these groups. Because the manager is associated with the Sales Dashboard User group, the manager automatically has access to the reports and data objects in the PeopleSoft Sales Dashboard application.
Important! The delivered permissions for dashboard objects are based on the PeopleTools roles that are delivered with your PeopleSoft application. If your organization does not use these roles, or uses other roles in addition to these roles, you must use the Architect tool to modify permissions manually for the delivered reports and data objects. This task is simplified by keeping permissions at the folder level rather than the object level.
The manager's other roles, Sales Manager and Salesperson, have been created as groups in the dashboard system, but they aren't used for anything. Remember, PeopleSoft users who have the Salesperson role but not the Dashboard User role are not given dashboard user IDs at all. Therefore, the Salesperson group in the dashboard system includes only a subset of the people who belong to the Salesperson role in the PeopleSoft system.
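As an added example (not Oracle BAM code), the check below models the object-level rules stated in this section: permissions are granted to groups at the folder level, access to a folder covers the objects beneath it, and viewing a report requires access to both the report and its data object. The folder paths, the report-to-data-object mapping and the users are constructed assumptions; the group names follow the sales manager example above.

```python
# Added example: object-level access evaluation for dashboard reports.
# Paths, mappings and memberships below are constructed, not delivered metadata.

# Permissions granted to groups, keyed by folder or object path. Granting at a
# folder covers everything under it, which is what the text recommends.
PERMISSIONS = {
    "/Sales Dashboard": {"Sales Dashboard User"},
    # A deliberately incomplete grant: the reports folder only, not the data objects.
    "/Finance Dashboard/Reports": {"Finance Dashboard User"},
}

# Each report pulls its data from one data object (constructed mapping).
REPORT_DATA_OBJECT = {
    "/Sales Dashboard/Reports/Pipeline": "/Sales Dashboard/Data Objects/Opportunities",
    "/Finance Dashboard/Reports/Revenue": "/Finance Dashboard/Data Objects/Ledger",
}

# Group memberships as the synchronization process would have produced them.
# Users without a dashboard logon (e.g. a plain Salesperson) are absent entirely.
USER_GROUPS = {
    "alice": {"Dashboard User", "Sales Dashboard User", "Sales Manager", "Salesperson"},
    "dave": {"Dashboard User", "Finance Dashboard User"},
}


def groups_with_access(path):
    """Union of groups granted on the object itself or on any ancestor folder."""
    granted = set()
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        granted |= PERMISSIONS.get("/" + "/".join(parts[:depth]), set())
    return granted


def has_access(user, path):
    """True if any of the user's groups is granted on the path or an ancestor."""
    return bool(USER_GROUPS.get(user, set()) & groups_with_access(path))


def can_view_report(user, report):
    """Viewing a report needs access to the report AND to its data object."""
    if user not in USER_GROUPS:  # not a dashboard user: no logon, nothing to check
        return False
    data_object = REPORT_DATA_OBJECT[report]
    return has_access(user, report) and has_access(user, data_object)


if __name__ == "__main__":
    for user, report in [
        ("alice", "/Sales Dashboard/Reports/Pipeline"),
        ("dave", "/Finance Dashboard/Reports/Revenue"),
        ("bob", "/Sales Dashboard/Reports/Pipeline"),
    ]:
        print(user, report, "->", can_view_report(user, report))
```

The finance case is the one practitioners trip over: dave can open the report, but because the grant stops at the reports folder his group never reaches the data object, so the report shows no data. Granting at the application folder, as the sales example does, avoids that split.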
Row-level security refers to the filtering of specific data from dashboard reports. For example, sales managers see only the data from their own sales teams.
Row-level security, including business unit security, is not part of the dashboard integration framework; it is delivered with specific dashboard applications. For information about row-level security, including business unit security, refer to your dashboard application documentation.