This chapter provides overviews of security administration and security administration integrations and discusses security administration implementation.
This section discusses:
User security.
Lightweight Directory Access Protocol (LDAP).
Authentication and single signon.
Pluggable cryptography.
Query and definition security.
PeopleSoft personalizations.
User security is the core of security administration in PeopleSoft applications. You administer user security using several basic elements.
To establish appropriate user access:
Define permission lists.
Permission lists are the building blocks of user security authorization. A permission list grants a degree of access to a particular combination of PeopleSoft elements, specifying pages, development environments, time periods, administrative tools, personalizations, and so on.
This level of access should be appropriate to a narrowly defined and limited set of tasks, which can apply to a variety of users with different roles. These users might have overlapping, but not identical, access requirements.
You typically define permission lists before you define roles and user profiles. When defining permission lists, however, consider the roles that you will use them with.
Define roles.
A role is a collection of permission lists. You can assign one or more permission lists to a role. The resulting combination of permissions can apply to all users who share those access requirements. However, the same group of users might also have other access requirements that they don't share with each other. You can assign a given permission list to multiple roles.
You typically define roles after first defining their permission lists, and before defining user profiles. You use roles to assign permissions to users dynamically.
See Setting Up Roles.
Define user profiles.
A user profile is a definition that represents one PeopleSoft user. Each user is unique; the user profile specifies a number of user attributes, including one or more assigned roles. Each role that's assigned to a given user profile adds its permission lists to the total that apply to that user.
You typically define user profiles after defining their roles. You can assign a given role to multiple user profiles. It's worthwhile to define a set of roles that you're confident can be assigned to user profiles that you'll create in the future.
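The relationship among the three elements, as an added Python model that is not PeopleSoft code: a profile's effective access is the union of the permission lists of all its roles, including roles added by a dynamic rule that reads directory attributes (the PeopleCode, LDAP or Query rules discussed later), and an access review can trace which role and permission list grant a page. All permission list, role, page and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class PermissionList:
    """Building block of authorization: grants a narrow set of elements (here, pages)."""
    name: str
    pages: FrozenSet[str]

@dataclass(frozen=True)
class Role:
    """A collection of permission lists; one list may sit on several roles."""
    name: str
    permission_lists: Tuple[PermissionList, ...]

@dataclass
class UserProfile:
    """One user: statically assigned roles plus directory attributes read by dynamic rules."""
    user_id: str
    roles: List[Role]
    attributes: Dict[str, str] = field(default_factory=dict)

# A dynamic role rule stands in for a PeopleCode, LDAP or Query rule: it reads the
# profile's attributes and returns the roles to add at evaluation time.
RoleRule = Callable[[UserProfile], List[Role]]

def resolve_roles(profile, rules=()):
    """Static roles first, then each dynamic rule's roles, de-duplicated by name."""
    roles = {r.name: r for r in profile.roles}
    for rule in rules:
        for role in rule(profile):
            roles.setdefault(role.name, role)
    return list(roles.values())

def effective_pages(profile, rules=()):
    """Union of every permission list on every role: adding a role never removes access."""
    pages = set()
    for role in resolve_roles(profile, rules):
        for pl in role.permission_lists:
            pages |= pl.pages
    return pages

def grant_paths(profile, page, rules=()):
    """Every (role, permission list) pair granting the page: the evidence an access review needs."""
    return [(role.name, pl.name) for role in resolve_roles(profile, rules)
            for pl in role.permission_lists if page in pl.pages]

# Constructed sample objects (not delivered PeopleSoft permission lists or roles).
PL_SELF_SERVICE = PermissionList("PL_SELF_SERVICE", frozenset({"MY_PROFILE", "TIMESHEET"}))
PL_HR_ADMIN = PermissionList("PL_HR_ADMIN", frozenset({"EMPLOYEE_DATA", "JOB_DATA"}))
PL_SEC_ADMIN = PermissionList("PL_SEC_ADMIN", frozenset({"USER_PROFILES", "ROLES"}))
ROLE_EMPLOYEE = Role("EMPLOYEE", (PL_SELF_SERVICE,))
ROLE_HR_ADMIN = Role("HR_ADMIN", (PL_SELF_SERVICE, PL_HR_ADMIN))
ROLE_SEC_ADMIN = Role("SECURITY_ADMIN", (PL_SEC_ADMIN,))

def hr_department_rule(profile):
    """Dynamic rule: a directory department of HR grants HR_ADMIN."""
    return [ROLE_HR_ADMIN] if profile.attributes.get("department") == "HR" else []

RULES = [hr_department_rule]
ALICE = UserProfile("ALICE", [ROLE_EMPLOYEE], {"department": "HR"})
BOB = UserProfile("BOB", [ROLE_EMPLOYEE, ROLE_SEC_ADMIN], {"department": "IT"})
```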
LDAP is an internet protocol used to access a directory listing. Organizations typically store user profiles in a central repository, or directory server, that serves user information for all of the programs that require it. If your existing computer network uses an LDAP V3-compliant directory server, PeopleSoft supports the use of that server for managing user profiles and authenticating users. PeopleSoft enables you to integrate your authentication scheme for PeopleSoft with your existing infrastructure.
You always maintain permission lists and roles using PeopleSoft security. However, you can maintain user profiles in PeopleSoft security or reuse user profiles and roles that are already defined within an LDAP directory server. A directory server enables you to maintain a single, centralized user profile that you can use across all of your PeopleSoft and non-PeopleSoft applications. This approach reduces redundant maintenance of user information stored separately throughout your enterprise, and reduces the possibility of user information getting out of synchronization.
You can configure and extend your signon PeopleCode to work with any schema implemented in your directory server. You can assign roles to users manually or assign them dynamically. When assigning roles dynamically, you use PeopleCode, LDAP, and PeopleSoft Query rules to assign user profiles to roles programmatically.
See Employing LDAP Directory Services.
PeopleSoft delivers the most common authentication solutions and packages them with your PeopleSoft application. This saves you the trouble of developing your own solutions and saves you time with your security implementation. These prepackaged solutions include PeopleCode that supports basic sign-in through secure sockets layer (SSL), LDAP authentication, and single signon.
Because PeopleSoft applications are designed for internet deployment, many sites must take advantage of the authentication services that exist at the web server level. PeopleSoft takes advantage of HTTPS, SSL, and digital certificates to secure the transmission of data from the web server to an end user's web browser and also to secure the transmission of data between PeopleSoft servers and third-party servers (for business-to-business processing) over the internet.
PeopleSoft supports single signon within PeopleSoft applications. Within the context of your PeopleSoft system, single signon means that after a user has been authenticated by one PeopleSoft application server, that user can access a second PeopleSoft application server without entering an ID or a password. Although the user is actually accessing different applications and databases, the user navigates seamlessly through the system. Recall that each suite of PeopleSoft applications, such as HCM or CRM, resides in its own database.
See Employing Signon PeopleCode and User Exits, Setting up Digital Certificates and Single Signon.
Data security comprises the following elements:
Privacy — keeping data hidden from unauthorized parties.
Privacy is normally implemented with some type of encryption. Encryption is the scrambling of information such that no one can read it unless they have a piece of data known as a key.
Integrity — keeping transmitted data intact.
Integrity can be accomplished with simple checksums or, better, with more complex cryptographic checksums known as one-way hashes, and often with digital signatures as well.
Authentication — verifying the identity of an entity that's transferring data.
Authentication can be accomplished using passwords, or with digital signatures, which are by far the most popular and most reliable method of authentication.
PeopleSoft pluggable encryption technology (PET) provides a way for you to use hashes and digital signatures to secure critical PeopleSoft data and communicate securely with other businesses. It enables you to extend and improve cryptographic support for your data in PeopleTools, giving you strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data. PeopleSoft delivers PET with support for the OpenSSL and PGP encryption libraries.
To implement pluggable cryptography:
Load an encryption library's algorithms into the PET database.
Generate accompanying encryption keys, and insert them into the PET keystore.
Define a sequence, or chain, of algorithms by selecting from all the algorithms in the database.
Define an encryption profile, which is an instance of an algorithm chain applicable to a specific encryption task.
Write PeopleCode to invoke the encryption profile.
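The five steps above as an added Python model (not PET's own API and not PeopleCode): a registry of named algorithms stands in for the PET database, a dictionary for the keystore, a chain is an ordered list of (algorithm, key id) steps, and a profile validates and applies its chain. Standard-library SHA-256 and HMAC-SHA256 stand in for the OpenSSL and PGP library algorithms; all profile, key and document values are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

# Step 1: loading a library's algorithms into the PET database -> a registry of named primitives.
# Each algorithm maps (data, key) to bytes; key is None for keyless steps such as hashing.
Algorithm = Callable[[bytes, Optional[bytes]], bytes]
ALGORITHMS: Dict[str, Algorithm] = {}
KEYSTORE: Dict[str, bytes] = {}  # Step 2: the keystore, key id -> key material

def load_library() -> None:
    """Register the standard-library primitives this model offers (stands in for OpenSSL/PGP)."""
    ALGORITHMS["SHA256_HASH"] = lambda d, k: hashlib.sha256(d).digest()
    ALGORITHMS["HMAC_SHA256_SIGN"] = lambda d, k: hmac.new(k, d, hashlib.sha256).digest()
    ALGORITHMS["BASE64_ENCODE"] = lambda d, k: base64.b64encode(d)

def generate_key(key_id: str, nbytes: int = 32) -> None:
    """Step 2: generate a random key and insert it into the keystore under an id."""
    KEYSTORE[key_id] = os.urandom(nbytes)

Chain = List[Tuple[str, Optional[str]]]  # Step 3: ordered (algorithm, key id or None) steps

class EncryptionProfile:
    """Step 4: one chain bound to one task; validated against the registry and keystore."""
    def __init__(self, name: str, chain: Chain) -> None:
        for algo, key_id in chain:
            if algo not in ALGORITHMS:
                raise KeyError(f"algorithm {algo} is not loaded")
            if key_id is not None and key_id not in KEYSTORE:
                raise KeyError(f"key {key_id} is not in the keystore")
        self.name, self.chain = name, chain

    def run(self, data: bytes) -> bytes:
        """Step 5: what the invoking PeopleCode asks for: apply each step in chain order."""
        for algo, key_id in self.chain:
            data = ALGORITHMS[algo](data, KEYSTORE[key_id] if key_id else None)
        return data

def verify(profile: EncryptionProfile, data: bytes, expected: bytes) -> bool:
    """Recompute the hash or signature over received data; compare in constant time."""
    return hmac.compare_digest(profile.run(data), expected)

def demo() -> Tuple[bytes, bool, bool]:
    """Sign a constructed B2B document, then check an intact and a tampered copy."""
    load_library()
    KEYSTORE["B2B_SIGNING_KEY"] = b"constructed-fixed-demo-key"  # fixed so the demo repeats
    sign = EncryptionProfile("B2B_SIGN_B64",
                             [("HMAC_SHA256_SIGN", "B2B_SIGNING_KEY"), ("BASE64_ENCODE", None)])
    doc = b"PO-1001: 40 units"
    tag = sign.run(doc)
    return tag, verify(sign, doc, tag), verify(sign, b"PO-1001: 400 units", tag)
```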
See Securing Data with Pluggable Cryptography.
You use PeopleSoft Query to build SQL queries and retrieve information from application tables. For each PeopleSoft Query user, you can specify the records the user is allowed to access when building and running queries. You do this by creating query access groups in PeopleSoft Tree Manager, and then assigning users to those groups with PeopleSoft Query security. PeopleSoft Query security is enforced only when using PeopleSoft Query; it doesn’t control runtime page access to table data.
Use Definition Security to govern access to database object definitions, such as record definitions, field definitions, and page definitions, and to protect particular object definitions from being modified by developers.
See Implementing Query Security, Implementing Definition Security.
PeopleSoft offers a variety of options that enable end users, especially power users, to configure certain aspects of their PeopleSoft environment to produce a more personalized interface. These options improve a user’s navigation speed through the system and enable users to select international preferences, such as date and time formats.
You define, group, and categorize personalization options, then use permission lists to control access to them. Users with access to a personalization option can control it through the My Personalizations menu.
See Managing PeopleSoft Personalizations.
This section identifies the Security integration points using:
Component interfaces.
Messages.
Application Engine programs.
The following are the delivered component interfaces designed for security integration.
This component interface is based on the Delete Role (PURGE_ROLEDEFN) component, and it is used to purge roles. It is keyed by RoleName, and has the Get, Find, Save, and Cancel methods. The DELETE_ROLE application message calls this component interface.
This component interface is based on the Delete User Profile (PURGE_USR_PROFILE) component, and it is used to purge user profiles. It is keyed by User ID, and has the Get, Find, Save, and Cancel methods. The DELETE_USER_PROFILE application message and the PURGEOLDUSERS Application Engine program call this component interface.
This component interface is based on the Roles (ROLEMAINT) component. It is keyed by RoleName and has the Cancel, Create, Find, and Get methods.
This component interface is based on the My Profile (USERMAINT_SELF) component. It allows only the current user to access it.
This CI is used with the following components: Forgot My Password (EMAIL_PSWD), Change Password (CHANGE_PASSWORD), and Change Expired Password (EXPIRE_CHANGE_PSWD).
This component interface is based on the User Profiles (USERMAINT) component. It is keyed by User ID.
This CI is used in User Profile Save As, and with LDAP authentication.
The following are the delivered messages designed for security integration.
This message is called from the Delete Role component. It is used to delete the role from subscribing databases. The message requires that the DELETE_ROLE component interface be authorized.
Note. Currently the PeopleCode that publishes this message from the Delete Role component is commented out. If you would like to publish deletes to another database, you need to uncomment the following PeopleCode found in the PURGE_ROLEDEFN.GBL SavePostChange Component PeopleCode.
/*******************************************************************
The PeopleCode to publish new User IDs, and changes made to User IDs,
has been commented out to prevent unnecessary publishing.
If you would like to take advantage of the DELETE_ROLE message,
un-comment the following peoplecode.
********************************************************************/
/*
If %Mode = "U" Then
   &ROLECHANGE = GetLevel0();
   &MSG = CreateMessage(Message.DELETE_ROLE);
   &MSG.CopyRowsetDelta(&ROLECHANGE);
   &MSG.Publish();
End-If;
*/
This message is called from the Delete User Profile component. It is used to delete the user profile from subscribing databases. This message requires that the DELETE_USER_PROFILE component interface be authorized.
Note. PeopleSoft delivers the PeopleCode to publish this message from the Delete User Profile component; however, it is currently commented out. If you would like to publish deletes to another database, you need to uncomment the following PeopleCode found in the PRG_USR_PROFILE.OPRID SavePostChange (Record PeopleCode).
/*******************************************************************
The PeopleCode to publish deleted User IDs has been commented out
to prevent unnecessary publishing.
If you would like to take advantage of the DELETE_USER_PROFILE message,
un-comment the following peoplecode.
********************************************************************/
/*
&RS_DELETE = GetLevel0();
&MSG = CreateMessage(Message.DELETE_USER_PROFILE);
&MSG.CopyRowsetDelta(&RS_DELETE);
&MSG.Publish();
*/
This message is published when a Dynamic Role Rule is run. It is called after the DYNROL_PUBL Application Engine program successfully finishes.
This Application Message publishes new Roles, and updates to existing Roles made in the Roles component.
Currently, the PeopleCode to publish this Message is commented out. If you would like to take advantage of the ROLE_MAINT message, you need to uncomment the PeopleCode found in ROLEMAINT.GBL SavePostChange component PeopleCode.
/*******************************************************************
PeopleCode to publish new Roles, and changes made to Roles, has been
commented out to prevent unnecessary publishing.
If you would like to take advantage of the ROLE_MAINT message,
uncomment the following peoplecode.
********************************************************************/
/*
If %Mode = "A" Then
   &ROLECHANGE = GetLevel0();
   &MSG = CreateMessage(Message.ROLE_MAINT);
   &MSG.CopyRowset(&ROLECHANGE);
   &MSG.Publish();
Else
   &ROLECHANGE = GetLevel0();
   &MSG = CreateMessage(Message.ROLE_MAINT);
   &MSG.CopyRowsetDelta(&ROLECHANGE);
   &MSG.Publish();
End-If;
*/
This Application Message publishes new User Profiles and updates existing User Profiles when using the User Profiles component (USERMAINT), the User Profile Save As component, the My Profile component, the Distributed User Profile (USERMAINT_DIST) component, the USER_PROFILE Component Interface and the USERMAINT_SELF component interface.
Currently, the PeopleCode to publish this Message is commented out. If you would like to take advantage of the USER_PROFILE message, you need to uncomment code in more than one component.
Uncomment code in USERMAINT.GBL SavePostChange component PeopleCode:
/*******************************************************************
The PeopleCode to publish new User IDs, and changes made to User IDs,
has been commented out to prevent unnecessary publishing.
If you would like to take advantage of the USER_PROFILE message,
un-comment the following peoplecode (if statement only).
********************************************************************/
/*
If %Mode = "A" Then
   &USERPROFILECHANGE = GetLevel0();
   &MSG = CreateMessage(Message.USER_PROFILE);
   &MSG.CopyRowset(&USERPROFILECHANGE);
   &MSG.Publish();
Else
   &USERPROFILECHANGE = GetLevel0();
   &MSG = CreateMessage(Message.USER_PROFILE);
   &MSG.CopyRowsetDelta(&USERPROFILECHANGE);
   &MSG.Publish();
End-If;
*/
Uncomment code in USERMAINT_SELF.GBL SavePostChange component PeopleCode:
rem call USER_PROFILE application message to synch user changes;
/*******************************************************************
The PeopleCode to publish changes made to User IDs has been
commented out to prevent unnecessary publishing.
If you would like to take advantage of the USER_PROFILE message,
un-comment the following peoplecode.
********************************************************************/
/*
If %Mode = "U" Then
   &USERPROFILECHANGE = GetLevel0();
   &MSG = CreateMessage(Message.USER_PROFILE);
   &MSG.CopyRowsetDelta(&USERPROFILECHANGE);
   &MSG.Publish();
End-If;
*/
Uncomment code in USERMAINT_DIST.GBL SavePostChange component PeopleCode:
/*******************************************************************
The PeopleCode to publish new User IDs, and changes made to User IDs,
has been commented out to prevent unnecessary publishing.
If you would like to take advantage of the USER_PROFILE message,
un-comment the following peoplecode (if statement only).
********************************************************************/
/*
If %Mode = "A" Then
   &USERPROFILECHANGE = GetLevel0();
   &MSG = CreateMessage(Message.USER_PROFILE);
   &MSG.CopyRowset(&USERPROFILECHANGE);
   &MSG.Publish();
Else
   &USERPROFILECHANGE = GetLevel0();
   &MSG = CreateMessage(Message.USER_PROFILE);
   &MSG.CopyRowsetDelta(&USERPROFILECHANGE);
   &MSG.Publish();
End-If;
*/
PeopleSoft delivers Application Engine programs designed for security integration.
The DYNROLE Application Engine program is called when Dynamic Role Rules are published from the User Profile.
The DYNROLE_PUBL Application Engine program is called when the Dynamic Role Rules are published from the Role.
The PURGEOLDUSERS Application Engine program deletes users that have not signed on within a period specified on Password Controls.
This Application Engine program loads the LDAP schema definition into the PeopleSoft database.
This section discusses:
Preparing to use PeopleSoft security.
Administering security from applications.
The functionality of security administration for your PeopleSoft applications is delivered as part of the standard installation of PeopleTools, which is provided with all PeopleSoft products.
To start administering security, install your PeopleSoft application according to the installation guide for your database platform.
Other Sources of Information
This section provides information to consider before you begin to manage your data. In addition to implementation considerations presented in this section, take advantage of all PeopleSoft sources of information, including the installation guides, release notes, and PeopleBooks.
See Also
Security Administration Preface
Enterprise PeopleTools 8.46 PeopleBook: Getting Started with PeopleTools
If you administer security information outside of the PeopleSoft security interface, for example using application-specific pages to define application security, you have the option of modifying the PeopleSoft security menus to include links to those pages. This provides administrators a convenient way to access application-specific security pages without having to spend time navigating to them.
You add the extra security links from a browser by selecting PeopleTools, Security, Security Objects, Security Links. You can add links to the User Profiles component, My System Profile page, the Role component, or the Permission List (ACCESS_CNTRL_LISTX) component. To add links to a security profile, select the appropriate page in the Security Links (SEC_OTHER_SETTINGS) component and add the link information for the target page. After you save the link information, the link appears on the Links page for the appropriate security profile.
Active Flag: Enables you to activate and deactivate links. Only those links with the Active Flag checked appear for system users.
Description: Add a description of the page that contains the extra security information. This description is the text that appears on the Links page for the security profile.
Menu Name: From the drop-down list, select the menu name. This is the application in which the page resides, such as Administer HR Security.
Menu Bar Name: From the drop-down list, select the menu bar name, such as Use, Setup, Process, and so on.
Bar Item Name: From the drop-down list, select the bar item name. For example, the bar item name for this page is Security Links.
Item Name: From the drop-down list, select the item name. For example, the item names for this component are User, Role, My Profile, and Permission List.
Test: After you have added all the appropriate information, use this link to test the security link. If it does not work correctly, double-check your selections for the previous options.
To add a Security Link:
Select PeopleTools, Security, Security Objects, Security Links.
Select the security profile type (user, role, or permission list) to which you want to add extra links.
If there are existing links, click the plus sign button to add a new row.
Add the appropriate link information (Menu Name, Menu Bar Name, and so on).
After you've entered the appropriate link information, click Test to make sure the link is pointing to the correct target.
Save your work.
Note. If you need to migrate the security links setup data from one database to another, you can use the following Data Mover scripts: SECOTHER_EXPORT.DMS and SECOTHER_IMPORT.DMS. These scripts reside in the PS_HOME\scripts directory.