Setting Up Roles

This chapter provides an overview of roles and discusses how to:

Understanding Roles

Roles are an intermediate object that exist between permission lists and user profiles. Roles aggregate permission lists so that you can arrange permissions into meaningful collections. If you implement dynamic roles, then you can add permissions to users dynamically, which reduces administration tasks.

Note. In previous releases, roles were associated with PeopleSoft Workflow. PeopleTools has expanded role definitions to include system permissions. There is only one role definition, and you maintain it within Security.

Role users are the user profiles or users that have membership in a particular role. Users inherit most of their permissions from the roles assigned to the user profile. However, you assign the following permission lists directly to a user profile:

When you assign roles to profiles manually, through the Security pages, these users are called static role users.

Other users may obtain membership in a role programmatically. You can run a batch process that runs predefined role rules and assigns roles to user profiles according to these rules. This approach is called dynamic membership, and users who become role users of a particular role programmatically are dynamic role users.

Use dynamic role assignment to make your security system scale to large user populations. If you have thousands of users and need to make every change to a user profile manually, the security administrator becomes a bottleneck.

Managing Roles

This section discusses how to:

Copying Roles

To copy a role:

  1. Select PeopleTools, Security, Permissions & Roles, Copy Roles.

  2. On the search page, locate and select the role that you want to copy (clone).

    The Role Save As page appears.

  3. On the Role Save As page, enter a new name in the as: edit box.

  4. Click Save.

Deleting Roles

To delete a role:

  1. Select PeopleTools, Security, Permissions & Roles, Delete Roles.

  2. On the search page, locate and select the role that you want to delete.

    The Delete Permission List page appears.

  3. Click Delete Permission List.

  4. Click OK to confirm the deletion, or click Cancel to cancel the deletion.

Note. If you attempt to delete a role definition that is currently in use by one or more static or dynamic role users, you must confirm deletion of the role definition. When you confirm, you remove all references to the role.

Removing Users From Roles

To delete the users assigned to a static or dynamic role, use the NO_USERS query to locate the users. You invoke this query using the query rule with dynamic roles.

See Also

Displaying Dynamic Role Members

Defining Role Options

This section discusses how to:

Pages Used to Define Role Options

Each entry below gives the page name and object name, followed by the navigation path and the usage of the page.

General (ROLEDEFN)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, General
  Usage: Describe the role.

Permission Lists (ROLE_CLASS)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, Permission Lists
  Usage: Grant permissions to roles.

Members (ROLE_MEMBER)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, Members
  Usage: View the current list of static role members.

Dynamic Members (ROLE_DYNMEMBER)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, Dynamic Members
  Usage: View the current list of dynamic role members. If you aren't using dynamic roles, this list isn't populated.

Workflow (ROLEWRKFLOW)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, Workflow
  Usage: Set user routing options.

Role Grant (ROLE_GRANT)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, Role Grant
  Usage: Decentralize role administration.

Links (ROLE_OTHER)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, Links
  Usage: View additional links for user profiles.

Role Queries (ROLE_QUERY)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, Role Queries
  Usage: Run queries about a role.

Audits (ROLE_AUDIT)
  Navigation: PeopleTools, Security, Permissions & Roles, Roles, Audits
  Usage: View when a permission list was last updated.

Assigning Permissions to Roles

Access the Permission Lists page.

To add new permission lists to a role, add more rows. Remember that a user's access is determined by the sum of all the permission lists applied to each role to which the user belongs. For instance, suppose you add permission list X and permission list Y to a role. Permission list X has a sign-in time of 8 a.m. to 5 p.m. and permission list Y has a sign-in time of 1 p.m. to 9 p.m. In this scenario, the users assigned to this role can sign in to the system from 8 a.m. to 9 p.m. Always be aware of the contents of each permission list prior to adding it to a role.
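The sign-in-time rule above generalizes: a role's effective access is the union of everything its permission lists allow, so attaching one broad list silently widens access for every member. The following Python is an added example (not PeopleSoft code) that models permission lists as sets of sign-in windows, merges them into a role's effective windows, and, as the pre-attachment check the paragraph asks for, reports exactly which extra windows a candidate list would open. The permission-list names, the minutes-since-midnight window format and the third list Z are assumptions made for the illustration.

```python
"""Effective sign-in windows of a role as the union of its permission lists.

Added example for the roles chapter; not PeopleSoft code. The permission
list structure and the window format (minutes since midnight, end exclusive)
are assumptions chosen for this illustration.
"""
from typing import Dict, List, Tuple

Window = Tuple[int, int]  # (start, end) in minutes since midnight, end exclusive


def hm(hour: int, minute: int = 0) -> int:
    """Clock time to minutes since midnight."""
    return hour * 60 + minute


# Constructed permission lists keyed by name, each with its sign-in windows.
PERMISSION_LISTS: Dict[str, List[Window]] = {
    "X": [(hm(8), hm(17))],    # 8 a.m. to 5 p.m., as in the text
    "Y": [(hm(13), hm(21))],   # 1 p.m. to 9 p.m., as in the text
    "Z": [(hm(0), hm(24))],    # a round-the-clock list (constructed)
}


def merge_windows(windows: List[Window]) -> List[Window]:
    """Union of intervals: sort, then coalesce overlapping or touching ones."""
    merged: List[Window] = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def effective_windows(role_lists: List[str]) -> List[Window]:
    """A role's sign-in windows: the union over all of its permission lists."""
    windows = [w for name in role_lists for w in PERMISSION_LISTS[name]]
    return merge_windows(windows)


def can_sign_in(role_lists: List[str], minute: int) -> bool:
    """True if any permission list of the role allows sign-in at this minute."""
    return any(s <= minute < e for s, e in effective_windows(role_lists))


def access_added_by(role_lists: List[str], candidate: str) -> List[Window]:
    """Windows the candidate list would open that the role does not already allow.

    This is the 'know what you are adding' check before attaching a list:
    an empty result means the candidate widens nothing.
    """
    current = effective_windows(role_lists)  # sorted, non-overlapping
    extra: List[Window] = []
    for start, end in PERMISSION_LISTS[candidate]:
        cursor = start
        for s, e in current:
            if e <= cursor or s >= end:
                continue  # no overlap with the remaining candidate window
            if s > cursor:
                extra.append((cursor, s))  # gap before this allowed window
            cursor = max(cursor, e)
        if cursor < end:
            extra.append((cursor, end))
    return merge_windows(extra)


if __name__ == "__main__":
    print("X+Y effective:", effective_windows(["X", "Y"]))
    print("Adding Y to X opens:", access_added_by(["X"], "Y"))
    print("Adding Z to X+Y opens:", access_added_by(["X", "Y"], "Z"))
```

Running the block shows the text's scenario (X plus Y yields 8 a.m. to 9 p.m.) and that adding Z to that role would open the remaining overnight hours; a review process that runs `access_added_by` before each attachment makes that widening visible rather than implicit.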

View Definition

Click to open the permission list definition and view the options in the permission, to make sure it is suitable for a particular role.

Displaying Static Role Members

Access the Members page.

If your database contains more than 1000 role members, this page initially retrieves only the first 1000. You can view the other chunks of 1000 members one chunk at a time, either by searching for a user ID or by using the navigation buttons above the Members grid. With the navigation buttons you can display the first chunk, the previous chunk, the next chunk, or the last chunk.

User ID

Enter part or all of a role member user ID to search for.

Search

Click to search through the role members for the first chunk of rows that contains the user ID you entered.

View Definition

Click to view the user ID of the role member and make sure that you have selected the appropriate definition for inclusion in the role.

Displaying Dynamic Role Members

Access the Dynamic Members page.

Use this page to set the rule that is invoked to assign roles. A dynamic role rule is defined or coded in PeopleSoft Query, PeopleCode, or your Lightweight Directory Access Protocol (LDAP) directory. A rule can use a combination of PeopleSoft Query and PeopleCode, or of PeopleSoft Query and LDAP. For the rule to successfully assign a role to the appropriate users, you must select the rule type you have in place for a particular role, and then specify the object that contains the rule you coded.

Note. You must define your role rules before you apply the options on this page. If you change the name of the rule, add a new rule, and so on, save all changes before you run the rule.

If your database contains more than 1000 dynamic role members, this page initially retrieves only the first 1000. You can view the other chunks of 1000 dynamic members one chunk at a time, either by searching for a user ID or by using the navigation buttons above the Dynamic Members grid. With the navigation buttons you can display the first chunk, the previous chunk, the next chunk, or the last chunk.

User ID

Enter part or all of a role member user ID to search for.

Search

Click to search through the role members for the first chunk of rows that contains the user ID you entered.

View Definition

Click to view the user ID of the role member to ensure that you have selected the appropriate definition for inclusion in the role.

Query Rule Enabled

Select if you defined your rule with PeopleSoft Query. The Query Rule group box appears below the Rules group box. Use the Query drop-down list box to select the query that contains your role rule.

PeopleCode Rule Enabled

Select if your rule is a PeopleCode program. The PeopleCode Rule group box appears. Specify the record, field, event, and function associated with your PeopleCode role rule.

Directory Rule Enabled

Select if your role rule is based on information in your directory server. With a directory-based rule, you must assign directory groups. The PeopleCode Rule group box appears because directory rules are implemented using the DynRoleMembers PeopleCode program. This program uses the Directory business interlink to retrieve user and group information from the directory. To view the program, open the FUNCLIB_LDAP record in PeopleSoft Application Designer. Click Assign Directory Groups to select a particular directory group that exists in your LDAP server hierarchy. For example, if you have your LDAP server grouped by geographic region, your rule could assign a new self-service role to all users in the North America group. Use the Directory Group drop-down list box to select the appropriate directory group value. The values are derived from the LDAP data that you import using the Directory Group Import process.

Execute on Server

Select the appropriate PeopleSoft Process Scheduler server to run the rule.

Refresh

After you run a rule, click to repopulate the grid with updated information.

Process Monitor

Because the role rules are executed by an application engine program that runs through PeopleSoft Process Scheduler, click to view the status of the program run.

Message Monitor

Click to check the status of the role rule program. After the program runs, it publishes a message containing the list of users in the role, and then exits. The program does not update any tables; the message (subscription PeopleCode) performs the actual database updates. Just because the dynamic roles program completed successfully, that does not necessarily mean your roles are updated. The associated message must also be delivered successfully.

Note. To clear all dynamic users from the role, run the delivered NO_USERS query.

Query Rule Example

This section describes the process of creating a PeopleSoft Query rule that assigns dynamic role membership. This example should also help to illustrate similar techniques that you would use for a PeopleCode or LDAP rule.

Note. The following text assumes a working knowledge of PeopleSoft Query.

In this example, we need to find all users that currently have job code KC012 (Human Resource Analyst), and add them to the appropriate role.

To create this rule:

  1. Create a view.

  2. Create the query.

  3. Run the dynamic rule.

Note. The Dynamic Role functionality is not designed to resolve bind variables. When you select a query with a bind variable as a dynamic role rule, the system issues an error. Do not use queries with bind variables as a query rule for dynamic roles. Many of the delivered queries are intended to be used with PeopleSoft Workflow, and many of them contain bind variables. These queries are not designed to work as role rules, but you can modify them to do so.

Note. To create a role query based on PSOPRALIAS and avoid issues with row-level security, use PSOPRALIAS_VW instead. This view must be manually synchronized with PSOPRALIAS.

The view definition for the example role rule might be:

The associated SQL object is:

Note. The OPRID must not be a key in this view, because PeopleSoft Query appends AND OPRID = "current user's OPRID" to the SQL when a record keyed by OPRID is used. This occurs if we use the record OPRALIAS directly in the query.

The SQL is:

After you create the view, you add it to the appropriate query tree. In this case, you add the new view to QUERY_TREE_HR:

After you create the view, you create a query. In this example, the properties assigned to the query enable it to assign a role to users who currently have the job code KC012, Human Resource Analyst. This screen shows the query properties:

The query contains the following criteria:

The SQL for the query is:

Because the view doesn’t have OPRID as a key, the resulting SQL does not contain the extra line AND B.OPRID = PS.

Note. When you save a query used for a dynamic role query, you need to specify that it's a role query.

With the view and the query created, you then set up the query rule on the Roles - Dynamic Members page. Select Query Rule Enabled and select the query in the Query field.

After enabling the query rule, test the rule to make sure the system assigns the appropriate roles to the appropriate users. To populate the role membership table, click Execute Rule.
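The example above hinges on two points that are easy to get wrong: the rule must return every user holding the job code, not only the administrator who runs it, and the result of a run is a replacement of the dynamic membership, not an addition to it. The following Python is an added illustration (not PeopleSoft code) that simulates the query rule in an in-memory SQLite database. The table and column names are simplified stand-ins for the PeopleSoft records the chapter names (an OPRID-to-EMPLID alias table and a job table), the view is not the page's missing view definition, and every row is constructed; `run_rule_with_row_security` reproduces the effect the note about OPRID keys warns of by appending the per-user filter to the same query.

```python
"""Simulation of a query-based dynamic role rule.

Added example for the Query Rule Example; not PeopleSoft code. Table, column
and view names are simplified stand-ins for the PeopleSoft records the chapter
mentions, and all sample rows are constructed.
"""
import sqlite3
from typing import List, Set, Tuple

ROLE_JOBCODE = "KC012"  # Human Resource Analyst, as in the text


def build_db() -> sqlite3.Connection:
    """Create the constructed alias and job tables plus the rule's view."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE opr_alias (oprid TEXT PRIMARY KEY, emplid TEXT NOT NULL);
        CREATE TABLE job (emplid TEXT NOT NULL, jobcode TEXT NOT NULL);
        -- View used by the role rule. OPRID is deliberately not a key of it,
        -- so no per-user filter gets appended when the rule runs.
        CREATE VIEW hr_role_vw AS
            SELECT a.oprid, j.jobcode
            FROM opr_alias a JOIN job j ON j.emplid = a.emplid;
    """)
    con.executemany("INSERT INTO opr_alias VALUES (?, ?)", [
        ("HRADMIN", "E001"), ("JSMITH", "E002"),
        ("AJONES", "E003"), ("BLEE", "E004"),
    ])
    con.executemany("INSERT INTO job VALUES (?, ?)", [
        ("E001", "KC012"), ("E002", "KC012"),
        ("E003", "KC015"), ("E004", "KC012"),
    ])
    return con


RULE_SQL = "SELECT oprid FROM hr_role_vw WHERE jobcode = ? ORDER BY oprid"


def run_rule(con: sqlite3.Connection, jobcode: str = ROLE_JOBCODE) -> List[str]:
    """The rule as intended: every user currently holding the job code."""
    return [row[0] for row in con.execute(RULE_SQL, (jobcode,))]


def run_rule_with_row_security(con: sqlite3.Connection, running_oprid: str,
                               jobcode: str = ROLE_JOBCODE) -> List[str]:
    """What the rule returns if AND OPRID = <current user> is appended, which
    the chapter says happens when the record used is keyed by OPRID."""
    sql = RULE_SQL.replace("ORDER BY", "AND oprid = ? ORDER BY")
    return [row[0] for row in con.execute(sql, (jobcode, running_oprid))]


def membership_delta(current: Set[str], computed: List[str]) -> Tuple[Set[str], Set[str]]:
    """Users to add to, and remove from, the dynamic membership after a run.

    A rule that matches nobody (compare the delivered NO_USERS query) removes
    every current dynamic member.
    """
    new = set(computed)
    return new - current, current - new


if __name__ == "__main__":
    db = build_db()
    print("rule result:", run_rule(db))
    print("with OPRID filter appended:", run_rule_with_row_security(db, "HRADMIN"))
    print("delta vs current:", membership_delta({"AJONES", "JSMITH"}, run_rule(db)))
```

Running the block shows the intended result (three analysts), the degenerate result when the per-user filter is appended (only the running administrator, which is why the view must not be keyed by OPRID), and the add/remove sets a run implies; checking that delta against expectations before enabling the rule is the test step the last paragraph calls for.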

Setting User Routing Options

Access the Workflow page.

Allow notification

Select to enable PeopleSoft Workflow notification. Users can notify others of data on a PeopleSoft page through email or worklists.

When components are designed, developers can enable the Notify toolbar on the Component Properties dialog box in PeopleSoft Application Designer. If this option is set for a particular component, then this check box enables security administrators to enable the Notify feature per role.

Allow Recipient Lookup

Select to enable role users to browse the database for the email addresses of other users in the PeopleSoft system, which includes vendors, customers, employees, sales leads, and so on. Available only if Allow notification is selected.

Use Query to Route Workflow

Select to determine workflow routings by a workflow query. This depends on your workflow scheme.

Enabling Users to Grant Roles

You use the Role Grant page to assign limited security administration capability to specified users. You designate them as remote security administrators by defining roles that they can grant to other users. Because the settings on this page are part of the implementation of distributed user profiles, the page is documented along with the Distributed User Profiles component.

See Implementing Distributed User Profiles.

Displaying Additional Links for User Profiles

If you have added any links for user profiles in the Security Links component, they appear on the Links page.

See Also

Administering Security from Applications

Running Role Queries

Use role queries to provide detailed information regarding a role, such as the user IDs and permission lists associated with the role. The available queries are documented on the Role Queries page.

To run a role query:

  1. Click the link associated with the query that you want to run.

    This invokes a new browser window.

  2. View the information the query returns, or select a download option.

    For downloading, you have the following options:

Viewing When a Role Was Last Updated

Access the Audit page.

View when a role was last updated and by whom. You can also view who has made changes to security tables by using the Database Level Auditing feature.

See Also

Understanding Database Level Auditing

Creating a NEWUSER Role

When a new user enters the system, and you have implemented dynamic role rules, the user does not belong to any roles until your role rules execute. When you enter a new user into the system, the user has access only to the "public" pages you authorize for the NEWUSER role. When the dynamic role rules execute, the new user becomes a member of the roles that apply based on the user's employee position.

Note. The NEWUSER role is not a role that PeopleSoft delivers. You can name the role to suit your requirements.

To implement a NEWUSER role:

  1. Create your NEWUSER role.

  2. Add permission lists to the role so that members of this role have access to the pages that are appropriate for all users within the system, like My Profile and any other areas that are not a threat to your system security.

  3. Apply the appropriate roles.

    If you are using dynamic role assignment, you wait until the batch program runs; if you are using static role assignment, you must wait until an administrator manually applies the appropriate roles.

    If the role rules run only once in a 24-hour period, it might not be until the next day that a new employee has access to the system. If the rules run more frequently, the wait may be only a couple of hours. If it is not acceptable to wait until the next run of the dynamic role rule, you can use one of the following options:

You can accomplish this by running a query against LDAP, the database, or wherever the information resides. Use the User Profile component interface to add the appropriate roles to the user, according to the query results.