This chapter provides an overview of PeopleSoft application security and discusses how to:
Specify system security options.
(Optional) Define security views.
Define row-level security.
Grant access to users.
PeopleSoft applications use multilevel security to enable you to successfully manage shared data environments. You set up data access at different entry points within your system and define the most efficient path to data across business groups, tables, departments, pages, and so forth. You have full control over security definitions, selecting options to create a matrix that enables or restricts user access to data through a series of authorizations.
Security access covers three areas: networks, databases, and applications. Network security controls the overall point of entry into your system hardware and software resources. Database security narrows the scope of a user's information access. At the application level, security extends to the field level.
These are the PeopleSoft application security levels:
Workstation user.
Network server security.
Database management (RDBMS) security.
PeopleSoft application security.
Users can access defined sets of functions, pages, and fields. For example, auditors can review inquiry pages and generate reports, controllers can run PeopleSoft business processes, and management information systems staff can configure and maintain pages and records.
This section discusses:
Security terms.
Row-level security in PeopleSoft financials.
Permission lists.
This table describes the various types of PeopleSoft application security:
Security Type | Location | Function
Network | Network software | Controls entry into the network and authorizes rights to use shared resources.
Relational Database Management System (RDBMS) | Operating system | Controls access to the database.
User | PeopleTools | Controls access to application pages, functions, and business components.
Object | PeopleTools | Controls access to objects or object groups used in application development.
Query | PeopleTools | Defines table row sets accessible for performing system queries.
Row-level | PeopleTools and PeopleSoft applications | Controls access to the subset of data rows within tables that the user is authorized to review or update.
Field-level | PeopleCode | Controls access to individual fields on pages.
To establish security, you must first decide the level that you want, which key fields to secure, and whether security will be defined through user IDs or permission lists. With row-level support, you can implement security to restrict individual users or permission lists from specific rows of data that are controlled by the following key fields:
Business unit
SetID
Ledger (and ledger group)
Book
Project
Pay cycle
Planning Instance
You can also limit access to specific subsets of rows. For example, you can specify user ID security to limit an auditor in Paris to the business unit for your European division. Or, if you have a team of auditors, you can assign them all to one primary permission list and then specify permission list security to enforce appropriate limits on the information that they can access.
The sheer volume of users assigned to a level of security can help you determine whether to use security based on user ID or permission list. If 1,000 users have identical access requirements, explore the use of permission list security. By assigning these users to a single role, you can make subsequent changes in their access requirements just once instead of 1,000 times.
Note. Applying row-level security does not restrict the data selected by batch processes.
These tables show the sample permission lists and the corresponding menus and components available to users.
Note. The permission lists that you associate with a user through role assignment are not used for row-level security in PeopleSoft financials. Only the primary permission list for a user is relevant when setting up row-level access by permission list.
This table lists the permissions granted to the various general ledger users:
Permission List ID | Description | Menus | Components
EPGL1000 | GL Transactions/Processes | Process Journals | Journal Entry
This table lists the permissions granted to the Accounting Manager role:
Permission List ID | Description | Menus | Components
EPGL9100 | Establish Business Units-GL | Establish Business Units | General Ledger Definition, Ledgers For A Unit, General Ledger Units, Ledgers For A Unit, Record Groups, TableSet Controls, TableSet IDs
EPGL9000 | General Ledger | Design ChartFields | Account, Product, Scenarios, Statistics Code, ChartField Editing Template, Combination Definition, Combination Rule, Combination Group, SpeedTypes, Build Combination Data, Message Log, Combination Data, Background Process, AltAcct Xref, Department, Project, Configure ChartFields
EPGL9000 | General Ledger | Define General Options | Account Types, Accounting Entry Definition, Calendar Builder, Currency Code, Currency Exchange Calculator, Detail Calendar, Document Type, Dun and Bradstreet, File Locations, Installation Options, Journal Code, Journal Generator Template, Journal Source, Journal Type, Market Rate Type, Market Rates, Position Accounting, Schedules, State, Summary Calendar, TimeSpans, Units of Measure, Cross/Reciprocal Rate Calc, Document Sequence Range, Operator Preferences
EPGL9000 | General Ledger | Adjust Budgets | Detail Budget Maintenance, Budget Copy Definition, Budget Copy Group, Budget Copy Request, Message Log, Budget Copy Calculation Log
EPGL3000 | Commitment Control | Manage Commitment Control | Source Transaction Definition, Control Budget Definition, Budget Attributes, Associated Budgets, ChartField Value Sets, Budget Closing Rules, Security Field Setup
EPGL2000 | Allocations | Perform Allocations | Allocations, Allocation Group, Allocation Request, Copy/Rename/Delete Step, Message Log, Shared Table Statistics, Allocation Step
EPGL1100 | Review Ledgers/Reports | Consolidate Results | Elimination Sets, Minority Interest Sets, Consolidation Definition, Subsidiary Ownership
EPGL1100 | Review Ledgers/Reports | Maintain Ledgers | Translation Rule, Translation Step, Translate Within Ledgers, MultiCurrency Group, Process MultiCurrency, Translation Definition Report, Translation Calculation Log Report, Translate w/in Ledger Step Report, Translate w/in Ledger Calc Log Report, Journal Closing Status Report
EPGL1110 | Review Ledgers/Reports | Maintain Ledgers | Revaluation Step, MultiCurrency Group, Process MultiCurrency, Payables Revaluation, Receivables Revaluation, Payables Revaluation Inquiry, Receivables Revaluation Inquiry, Revaluation Definition Report, Revaluation Calculation Log
EPGL1100 | Review Ledgers/Reports | Maintain Ledgers | Process Ledger Archive, Process Flat File Ledger Load, Process Ledger File Create, Process Publish Ledger, Ledger Template, Detail Ledger, Detail Ledger Group, Archive Ledger Log Inquiry, Ledger Template Report, Detail Ledger Definition Report
EPGL1100 | Review Ledgers/Reports | Maintain Ledgers | Average Daily Balance Definition, Process Average Daily Balance, ADB-Definition, ADB-Processes
EPGL1100 | Review Ledgers/Reports | Maintain Ledgers | Summary Ledger Definition, Process Summary Ledger, Ledger Set, Summary Ledger Status Inquiry, Summary Ledger Definition Report, Summary Ledger Detail Report
EPGL1100 | Review Ledgers/Reports | Maintain Ledgers | ChartField Value Sets, Closing Rules, Process Closing, Closing Rules Report, Closing Trial Balance Report
EPGL1100 | Review Ledgers/Reports | Process Journals | Ledger Inquiry, Ledger Period Compare, Ledger Group Inquiry
EPGL1000 | GL Transactions/Processes | Process Journals | Journal Entry, Process Copy Journal
EPGL1000 | GL Transactions/Processes | Process Journals | Process Journal Generator
EPGL1000 | GL Transactions/Processes | Process Journals | Standard Journal Entry, Process Standard Journals, Standard Journals Inquiry, Standard Journals Report
EPGL1000 | GL Transactions/Processes | Process Journals | Received Files, Process Load Journals, Process Batch Journal Import, Process Import Workbooks
EPGL1000 | GL Transactions/Processes | Process Journals | Journal Entry Approval
EPGL1000 | GL Transactions/Processes | Process Journals | Journal Suspense Correction, Process Mark Journals for Posting, Process Mark Journals for Unposting, Process Journal Edit, Process Journal Budget Check, Process Unlock Journals, Process Journal Post, Suspense Cross Reference Inquiry
EPGL1000 | GL Transactions/Processes | Process Journals | Process Journal Archive, Archive Journal Log
EPGL1000 | GL Transactions/Processes | Process Journals | Journal Inquiry, Journal Status Inquiry, Payroll Journal Entries Inquiry, Generic Accounting Entries Inquiry, Journal Entry Detail Report, Journal Entry Edit Errors Report, Posted Journals - Summary Report, Ledger vs. Journal Integrity Report, Trial Balance Report, Statutory Trial Balance Report, Stat General Ledger Activity Report, Statutory Journal Activity Report, Stat Journal Contra Activity Report, Suspended Activity Report, InterUnit Activity Report
EPGL1000 | GL Transactions/Processes | Process Journals | Open Items, Process Open Item Reconciliation, Open Item Status Inquiry, Open Item Listing Report
CPPT1040 | Report Manager | Report Manager | Report List
CPPT1050 | Process Scheduler | Process Scheduler | Process Type Definitions, Process Definitions, Job Definitions, Recurrence Definitions, Server Definitions, Report Node Definitions, System Settings, Batch Timings, Sample Processing
CPPT1010 | nVision Reporting | nVision | Define Layout, Edit Report, Run Report, Save Report, Delete Report, Open Scope, Edit Scope, Save Scope, Delete Scope
CPPT1020 | Report Books | Report Books | Report Book Definition, Drilldown Layout Registration, Run Drilldown, Report Request, Scope Definition
CPPT1030 | Tree Manager | Tree Manager | New, Open, Rename, Delete, Print, Tree Node, Tree Level
Use the Security Options component (SECURITY_OPTIONS) to specify system security options.
This section discusses how to:
Specify security options.
Apply security options.
Page Name | Object Name | Navigation | Usage
 | SECURITY_OPTIONS | Set Up Financials/Supply Chain, Security, Security Options, Security Options | Select the type of security that you plan to implement—by user or permission list—and the key fields to secure. Unlike most of the pages used to set up the system, this page is not keyed by setID or business unit.
 | RUN_FIN9001 | Set Up Financials/Supply Chain, Security, Apply Security Setups, Apply Security | Run the process to apply your options. No parameters are required.
Access the Security Options page.
Type of Security
No Security | Select to disable PeopleSoft application security. All users authorized to access a page can select any setID, business unit, or ledger.
User ID Level Security | Select to enable security by user ID. Users are limited to accessing application pages or prompt values associated with the setIDs, business units, projects, and ledgers specified by their user IDs.
Permission List Level Security | Select to enable security by permission list. Users are limited to key fields specified by the primary permission list to which you assign their user IDs. This means that all users assigned to a particular permission list have the same level of security.
Note. The selection must be either user ID or permission list and the selection is across all products.
Business Unit | Select to implement security on the Business Unit field. This is the primary key for all transaction data.
Setid | Select to implement security on the Setid field. This is the primary key for all accounting structure and rules tables.
Ledger | Select to implement security on the Ledger field. This is the key for all ledger balances.
Book | Select to implement security on the Book field. This code is specific to a business unit. This field refers to Book as used in Asset Management.
Pay Cycle | Select to implement security on the Pay Cycle field. Pay cycles can be daily, weekly, monthly, or at other intervals.
Planning Instance | Select to implement security on the Planning Instance field.
Project | Select to implement security on the Project field. This is the primary key for all PeopleSoft Enterprise Projects Costing data.
Project Security Type | Determines how a project will be selected when defining security for a user and permission list. Select Use list to select from a list of projects. Select Use tree to select from a tree detailing projects.
Access the Apply Security page.
Specify the default language of your database and run the process. This changes all the key field prompt tables to your specified security views.
See Also
Enterprise PeopleTools PeopleBook: PeopleSoft Security Administration
Enterprise PeopleTools PeopleBook: PeopleSoft PeopleCode Language Reference
This section provides an overview of security views and discusses how to define security views.
Note. Defining new security views is optional.
Use the Security View Names component (SECURITY_VIEWS) to define security views.
Views are SQL statements that filter out data rows whose key values are not accessible by certain users. This allows users to access data horizontally across more than one table, seeing only appropriate subsets of values (setIDs, business units, or ledgers) from the edit tables.
Business units, setIDs, and ledgers are maintained and accessed on pages as primary keys throughout your system. Prompt edit tables give users a list of values from which to choose, and selection is limited to values for which access has been granted. PeopleSoft row-level application security enables you to specify through the edit tables that only certain values are available in a particular view.
PeopleSoft applications are delivered with no security views on the prompt tables of the key fields in your system. You can enable certain security options or even build your own views. Once you set up views, you can specify which users or permission lists can access certain secured field values.
Security view names have one of the following three file extensions to reflect the type of security views for prompting:
Extension | Description
NONVW | Indicates that no security is chosen for the field using this view as the prompt table.
OPRVW | Indicates that user ID security is chosen for the field using this view as the prompt table.
CLSVW | Indicates that permission list security is chosen for the field using this view as the prompt table.
Page Name | Object Name | Navigation | Usage
 | SECURITY_VIEWS | Set Up Financials/Supply Chain, Security, Security View Names, Security Views | For each type of security, specify the security views for your system. The Apply Security Setups process changes the prompt edit tables based on the security view names that you specify here. Update this page only if you add new security views to your system.
Access the Security Views page.
Note. There is no need to access this page unless you have customized security views.
Search Text | Displays the view name prefixes supplied by your applications. During the Apply Security Setups process, the system searches for prompt edit tables that begin with these prefixes. If an edit table name begins with a prefix from this list, the edit table is changed to match the security type that you selected when you specified security options.
Type | Select the type of field secured by each view. Values are: Analysis, Book, Ledger, Pay Cycle, Plan Inst, Project, SetID, and Unit. The system stores the list in the SEC_VIEW_NAMES table, where you can review or update the information.
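The three view types (NONVW, OPRVW, CLSVW) and the prefix-based repointing done by the Apply Security Setups process can be modeled in a few lines. This is an added example using Python's sqlite3, not PeopleSoft's delivered SQL: every table, view, user, and permission list name in it (demo_*, AUDITOR_PARIS, PL_AUDIT_EU, and so on) is a constructed assumption, and the SECURITY_VIEWS dictionary is a simplified stand-in for the Security Views page.

```python
import sqlite3

# Every object below is a hypothetical stand-in, not a delivered PeopleSoft record.
SCHEMA = """
CREATE TABLE demo_bu            (business_unit TEXT PRIMARY KEY);
CREATE TABLE demo_user          (oprid TEXT PRIMARY KEY, primary_permlist TEXT);
CREATE TABLE demo_role_permlist (oprid TEXT, permlist TEXT);
CREATE TABLE demo_sec_bu_opr    (oprid TEXT, business_unit TEXT);
CREATE TABLE demo_sec_bu_cls    (permlist TEXT, business_unit TEXT);
CREATE TABLE demo_prompt        (fieldname TEXT PRIMARY KEY, edittable TEXT);

-- NONVW: no row filter (oprid is carried only so all three views share one shape).
CREATE VIEW demo_bu_nonvw AS
  SELECT u.oprid, b.business_unit FROM demo_bu b CROSS JOIN demo_user u;
-- OPRVW: only the values granted to the user ID.
CREATE VIEW demo_bu_oprvw AS
  SELECT s.oprid, b.business_unit FROM demo_bu b
  JOIN demo_sec_bu_opr s ON s.business_unit = b.business_unit;
-- CLSVW: only the values granted to the user's primary permission list.
-- demo_role_permlist (permission lists reached through roles) is never joined.
CREATE VIEW demo_bu_clsvw AS
  SELECT u.oprid, b.business_unit FROM demo_bu b
  JOIN demo_sec_bu_cls s ON s.business_unit = b.business_unit
  JOIN demo_user u ON u.primary_permlist = s.permlist;
"""

# Constructed sample data.
SAMPLE = """
INSERT INTO demo_bu VALUES ('EUR01'), ('US001'), ('US002');
INSERT INTO demo_user VALUES ('AUDITOR_PARIS', 'PL_AUDIT_EU'), ('CONTROLLER_NY', 'PL_GL_ALL');
INSERT INTO demo_role_permlist VALUES ('AUDITOR_PARIS', 'PL_GL_ALL');
INSERT INTO demo_sec_bu_opr VALUES ('AUDITOR_PARIS', 'EUR01'), ('CONTROLLER_NY', 'US001');
INSERT INTO demo_sec_bu_cls VALUES ('PL_AUDIT_EU', 'EUR01'),
  ('PL_GL_ALL', 'EUR01'), ('PL_GL_ALL', 'US001'), ('PL_GL_ALL', 'US002');
INSERT INTO demo_prompt VALUES ('BUSINESS_UNIT', 'demo_bu_nonvw'),
  ('CURRENCY_CD', 'demo_currency_tbl');
"""

# Simplified model of the Security Views page: search-text prefix -> view per security type.
SECURITY_VIEWS = {
    "demo_bu_": {"none": "demo_bu_nonvw", "user": "demo_bu_oprvw", "permlist": "demo_bu_clsvw"},
}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE)
    return conn


def apply_security(conn, security_type):
    """Repoint every prompt edit table whose name starts with a listed prefix."""
    changed = 0
    rows = conn.execute("SELECT fieldname, edittable FROM demo_prompt").fetchall()
    for fieldname, edittable in rows:
        for prefix, views in SECURITY_VIEWS.items():
            if edittable.startswith(prefix):
                conn.execute("UPDATE demo_prompt SET edittable = ? WHERE fieldname = ?",
                             (views[security_type], fieldname))
                changed += 1
    return changed


def prompt_values(conn, oprid, fieldname="BUSINESS_UNIT"):
    """Values the prompt offers this user through the currently assigned view."""
    (view,) = conn.execute("SELECT edittable FROM demo_prompt WHERE fieldname = ?",
                           (fieldname,)).fetchone()
    known = {v for views in SECURITY_VIEWS.values() for v in views.values()}
    if view not in known:  # identifiers cannot be bound as parameters, so allowlist them
        raise ValueError(f"{view} is not a registered security view")
    rows = conn.execute(
        f"SELECT business_unit FROM {view} WHERE oprid = ? ORDER BY business_unit", (oprid,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    for mode in ("none", "user", "permlist"):
        apply_security(db, mode)
        print(mode, prompt_values(db, "AUDITOR_PARIS"), prompt_values(db, "CONTROLLER_NY"))
```

In permission list mode AUDITOR_PARIS still sees only EUR01 even though a role gives that user PL_GL_ALL, because only the primary permission list is joined.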
Use the following components to define row-level security:
Unit Security by Perm List (unit security by permission list) (SEC_BU_CLS)
Unit Security by User ID (SEC_BU_OPR)
TableSet Security by Perm List (tableset security by permission list) (SEC_SETID_CLS)
TableSet Security by User ID (SEC_SETID_OPR)
Ledger Security by Perm List (ledger security by permission list) (SEC_LEDGER_CLS)
Ledger Security by User ID (SEC_LEDGER_OPR)
nVision Ledger Security (LEDGER_SECURITY)
ChartField Pagelet Security (GL_PE_CF_SEC_COMP)
Pay Cycle by user ID (SEC_PYCYCL_OPR)
Pay Cycle by permission list (SEC_PYCYCL_CLS)
Project Security (SEC_PROJECT)
Use the following component interfaces to load data into the respective component tables:
Use the SEC_BU_CLS component interface to load data into the tables for the Unit Security by Perm List component.
Use the SEC_BU_OPR component interface to load data into the tables for the Unit Security by User ID component.
Use the SEC_LEDGER_CLS component interface to load data into the tables for the Ledger Security by Perm List component.
Use the SEC_LEDGER_OPR component interface to load data into the tables for the Ledger Security by User ID component.
Use the SECURITY_NVISION_LEDGER component interface to load data into the tables for the nVision Ledger Security component.
Use the SECURITY_CF_PAGELET component interface to load data into the tables for the ChartField Pagelet Security component.
Once you select security options and, if necessary, update security view names, define the secured field values for each user or permission list. You grant access to business units, tablesets, ledgers, business unit books, and pay cycles by using permission lists or user IDs. When securing key fields in your application, the page that you use depends on which level of system security you select. If you select permission list security, secure fields on the permission list security pages. If you select user-level security, secure fields on the user ID security pages.
Note. When granting row-level access for business unit, setID, ledger, book, planning instance, and pay cycle to permission lists, the system uses the user's primary permission list.
Warning! Values entered in secured fields are not checked against row-level security permissions when run controls are reused. After a user initially creates a run control, the user can still run processes on a secured field value even if row-level security access to that field is subsequently taken away. If you make security profile changes, verify the run controls that use secured data and remove run controls for secured field values to which a user should no longer have access.
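The review that the warning above calls for can be scripted once run controls and current grants are exported. This is an added example, not PeopleSoft code: the RunControl shape, the field names, and all sample users, permission lists, and run control IDs are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RunControl:
    oprid: str
    run_cntl_id: str
    field: str   # secured key field stored on the run control, e.g. "BUSINESS_UNIT"
    value: str


def allowed_values(mode, oprid, field, primary_permlist, user_grants, permlist_grants):
    """Values of `field` the user may select today under the active security type."""
    if mode == "user":
        return user_grants.get((oprid, field), set())
    if mode == "permlist":
        # Only the primary permission list counts; a user without one gets nothing.
        return permlist_grants.get((primary_permlist.get(oprid), field), set())
    raise ValueError(f"unknown security type: {mode!r}")


def stale_run_controls(mode, run_controls, secured_fields,
                       primary_permlist, user_grants, permlist_grants):
    """Run controls that still carry a secured value their owner can no longer access."""
    if mode == "none":          # no row-level security is enforced, so nothing is stale
        return []
    stale = []
    for rc in run_controls:
        if rc.field not in secured_fields:
            continue            # field was not selected on the Security Options page
        ok = allowed_values(mode, rc.oprid, rc.field,
                            primary_permlist, user_grants, permlist_grants)
        if rc.value not in ok:
            stale.append(rc)
    return stale


# Constructed sample data.
PRIMARY_PERMLIST = {"AUDITOR_PARIS": "PL_AUDIT_EU", "CLERK_NY": "PL_GL_US"}
USER_GRANTS = {
    ("AUDITOR_PARIS", "BUSINESS_UNIT"): {"EUR01"},
    ("CLERK_NY", "BUSINESS_UNIT"): {"US001"},
    ("CLERK_NY", "LEDGER"): {"ACTUALS"},
}
PERMLIST_GRANTS = {
    ("PL_AUDIT_EU", "BUSINESS_UNIT"): {"EUR01"},
    ("PL_GL_US", "BUSINESS_UNIT"): {"US001", "US002"},
}
RUN_CONTROLS = [
    RunControl("AUDITOR_PARIS", "POST_EU", "BUSINESS_UNIT", "EUR01"),
    RunControl("AUDITOR_PARIS", "POST_US", "BUSINESS_UNIT", "US001"),  # saved before access was removed
    RunControl("CLERK_NY", "POST_US2", "BUSINESS_UNIT", "US002"),
    RunControl("CLERK_NY", "LOAD_ACT", "LEDGER", "ACTUALS"),
]
SECURED_FIELDS = {"BUSINESS_UNIT", "LEDGER"}

if __name__ == "__main__":
    for mode in ("user", "permlist"):
        hits = stale_run_controls(mode, RUN_CONTROLS, SECURED_FIELDS,
                                  PRIMARY_PERMLIST, USER_GRANTS, PERMLIST_GRANTS)
        print(mode, [(rc.oprid, rc.run_cntl_id) for rc in hits])
```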
Page Name | Object Name | Navigation | Usage
 | SEC_BU_CLS | Set Up Financials/Supply Chain, Security, Unit by Permission List, Business Unit Security by Permission List | Grant access to a business unit by using a permission list.
 | SEC_BU_OPR | Set Up Financials/Supply Chain, Security, Unit by User ID, Business Unit Security By User ID | Grant access to a business unit by using a user ID.
 | SEC_SETID_CLS | Set Up Financials/Supply Chain, Security, TableSet by Permission List, TableSet Security by Permission List | Grant access to a tableset by using a permission list.
 | SEC_SETID_OPR | Set Up Financials/Supply Chain, Security, TableSet by User ID, TableSet Security by User ID | Grant access to a tableset by using a user ID.
 | SEC_LEDGER_CLS | Set Up Financials/Supply Chain, Security, Ledger by Permission List, Ledger Security by Permission List | Grant access to a ledger or ledger group by using a permission list.
 | SEC_LEDGER_OPR | Set Up Financials/Supply Chain, Security, Ledger by User ID, Ledger Security by User ID | Grant access to a ledger or ledger group by using a user ID.
 | LEDGER_SECURITY | Set Up Financials/Supply Chain, Security, nVision Ledger Security | Specify the business units and ledgers accessible in the creation of PS/nVision reports by securing an nVision ledger field by user rather than role. Because the scope of a PS/nVision report may cross business unit and ledger boundaries, you may need to specify particular security access for users who generate reports with field data that they cannot access when performing other tasks.
 | SEC_PROJECT_OPR | Set Up Financials/Supply Chain, Security, Project Security, Project Security | Grant access by user ID to project role. There are two versions of the page, depending on whether Use List or Use Tree is selected as the project security type on the Security Options page.
 | SEC_PROJLST_CLS | Set Up Financials/Supply Chain, Security, Project Security, Project Security | This is a second version of the page. Grant access by permission list to project role.
 | SEC_BUBOOK_CLS | Set Up Financials/Supply Chain, Security, Book by Permission List, BU Book/Perm List | Grant access to a business unit book by using a permission list.
 | SEC_BUBOOK_OPR | Set Up Financials/Supply Chain, Security, Book by User ID, BU Book by User ID | Grant access to a business unit book by using a user ID.
 | SEC_PYCYCL_CLS | Set Up Financials/Supply Chain, Security, Pay Cycle by Permission List, Pay Cycle by Permission List | Grant access to a pay cycle by using a permission list.
 | SEC_PYCYCL_OPR | Set Up Financials/Supply Chain, Security, Pay Cycle by User ID, Pay Cycle by User ID | Grant access to a pay cycle by using a user ID.
 | GM_SEC_DEPT_OPR | Set Up Financials/Supply Chain, Security, Grants Security, Grants Operator Security | Grant access by departments by user ID.
 | GM_PM_SEC_DEPT_OPR | Set Up Financials/Supply Chain, Security, Proposal Management Security, Proposal Management Security | Grant access by departments by user ID.
 | SEC_PRBINS_OPR | Set Up Financials/Supply Chain, Security, Problem Instance by User ID, Planning Instance | Grant access to planning instance by user ID.
 | SEC_PRBINS_CLS | Set Up Financials/Supply Chain, Security, Problem Instance by Perm List, Planning Instance | Grant access to planning instance by permission list.
 | GL_PE_CF_SEC_PAGE | Set Up Financials/Supply Chain, Security, ChartField Pagelet Security, ChartField Pagelet Security | Grant access by departments and operating units by user ID.
This section discusses how to:
Grant business unit access.
Grant tableset access.
Grant ledger access.
Grant nVision reporting access.
Grant project access.
Grant business unit book access.
Grant pay cycle access.
Grant grants access.
Grant proposal management access.
Grant planning instance access.
Grant ChartField pagelet access.
Access the Business Unit by Permission List page.
For each primary permission list, select the accessible business units.
Access the Business Unit by User ID page.
For each user ID, select the accessible business units.
Access the SetID by Permission List page.
For each primary permission list, select each accessible setID.
Access the SetID by User ID page.
For each user ID, select each accessible setID.
Access the Ledger/Permission List page.
For each primary permission list, select each accessible ledger type. Commitment and Summary ledger types require a ledger name. Detail ledger types require a ledger group name.
Access the Ledger by User ID page.
For each user ID, select each accessible ledger type. Commitment and Summary ledger types require a ledger name. Detail ledger types require a ledger group name.
Access the nVision Security page.
For each user ID, select each accessible business unit and corresponding ledger. You can specify multiple ledgers for each business unit.
While the purpose of all these pages is to provide row-level security, the appearance of the pages varies based on the method of project row-level security that you implement.
This table lists the purpose of each project security method and the actions that you take on the Security Options page and Project Security page to implement each method:
Security Method | Purpose | Security Options Page Actions | Project Security Page Actions
Team-based security | Grants access to projects based on an employee's membership in a project team. | | View a read-only list of all projects for which the user is a team member, and the member's security profile for each project.
User, tree-based security | Grants access to projects based on selected nodes on a project tree. | | Define security for a user. Specify the project tree that the system uses for controlling project security, select nodes (projects) on the tree to grant each user access to specific projects, and select the user's project role on each project.
Permission list, list-based security | Grants access to permission lists that enable users to access projects that are attached to that permission list. | | Define security for a permission list. Within a specific permission list to which users have access, specify the business units, project IDs, and project roles.
Permission list, tree-based security | Grants access to permission lists that enable users to access projects that belong to a tree that is attached to that permission list. | | Define security for a permission list. Specify the project tree, project (tree node), and project role.
A user's project security profile further defines the degree and type of access that the user has to project data.
See Securing Data in Project Costing.
Access the BU Book/Perm List page.
For each primary permission list, select each accessible business unit and corresponding book name. You can specify access to multiple books for each business unit.
Access the BU Book by User ID page.
For each user ID, select each accessible business unit and corresponding book name. You can specify access to multiple books for each business unit.
Access the PayCycle by Permission List page.
For each primary permission list, select the accessible pay cycles.
Access the PayCycle by User ID page.
For each user ID, select the accessible pay cycles.
Access the Grants Operator Security page.
For each user ID, enter the grants security tree setID, tree name, and the effective date of the tree. On the lower section of the page, enter the departments and an appropriate access code. You can enter as many departments as needed.
This is one step in a multistep security process that is described in detail in the PeopleSoft Enterprise Grants 8.9 PeopleBook.
Access the Proposal Management Security page.
For each user ID, enter the proposal security tree setID, tree name, and the effective date of the tree. On the lower section of the page, enter the departments and an appropriate access code. You can enter as many departments as needed.
This is one step in a multistep security process that is described in detail in the PeopleSoft Enterprise Proposal Management 8.9 PeopleBook.
See Also
Securing Your Proposal Management System
Access the Planning Instance page.
If you access problem instance by user ID, you can grant access to planning instances by user ID.
If you access problem instance by permission list, you can grant access to planning instances by permission list.
Security for planning instances is further described in Supply Planning documentation.
See Also
PeopleSoft Enterprise Supply Planning 8.9 PeopleBook
Access the ChartField Pagelet Security page.
For a particular user ID, you can grant access to departments and operating units that you specify to be viewed on the PeopleSoft General Ledger Actuals vs Budgeted pagelet on a personalized homepage.
See Also
Using Roles and Permission Lists for the Financials Portal Pack