Administering User Profiles

This chapter provides an overview of user profiles and discusses how to:

Set up access profiles.
Work with user profiles.
Specify user profile attributes.
Implement distributed user profiles.
Work with full user profile synchronization.
Work with passwords.
Work with user profile options.
Transfer users between databases.
Track users' sign-in and sign-out activity.

Understanding User Profiles

User profiles define individual PeopleSoft users. You define user profiles and then link them to one or more roles. Typically, a user profile must be linked to at least one role to be a usable profile. The majority of values that make up a user profile are inherited from the linked roles.

Note. It’s possible to have a user profile with no roles. This might be a user who isn’t allowed access to the PeopleSoft application; however, you still want workflow-generated email sent to the user.

You define user profiles by entering the appropriate values on the user profile pages. The user profile contains values that are specific to a user, such as a user password, an email address, an employee ID, and so on.

The user ID and description appear at the top of each page to help you recall which user profile you are viewing or modifying as you move through the pages.

Setting Up Access Profiles

This section provides an overview of access profiles and discusses how to:

Use the Access Profiles dialog box.
Set access profile properties.
Work with access profiles.

Understanding Access Profiles

Every user profile must be assigned to an access profile, by way of a Symbolic ID. The Access ID consists of an RDBMS ID and a password, and these IDs must have system administrator privileges. Access profiles provide the necessary IDs and passwords for the behind-the-scenes database logon that occurs. Access IDs are used in the following situations:

When an application server initializes and connects to the PeopleSoft database.
When a developer or power user signs in to the PeopleSoft database directly (two-tier).
When batch programs connect to the database.

Users signing in to the system through PeopleSoft Pure Internet Architecture take advantage of the Access ID that the application server used for connecting to the database.

Access profiles enable you to minimize the number of users who need to know system administrator passwords. In fact, only one person needs to know these passwords. That person can create the required access profiles—by providing the necessary passwords, when prompted—and all other security administrators can simply assign users to the pre-defined access profiles. The Access ID and password are encrypted in the database in the PSACCESSPRFL table.

Before you begin creating your user profiles, roles and permission lists, you first need to set up your access profiles on the database. Ultimately, the access profile is the profile that your users use to connect to your PeopleSoft database. Without being associated with an access profile, users can't sign in, not even with a test ID. This association is by way of the symbolic ID, which is a proxy ID for the Access ID and Access password.

The ID that you use must be defined at the RDBMS level as a valid RDBMS ID possessing system administrator rights. You don’t use PeopleSoft or PeopleTools software to create the RDBMS ID. You need to create it using the utilities and procedures defined by your RDBMS vendor. After you have created the RDBMS ID with system administration authority, then you use the PeopleTools access profiles utility to link your RDBMS ID to the access profile. This is created when you first install your database.

Using the Access Profiles Dialog Box

You manage access profiles using the Access Profiles dialog, which you open from Application Designer by selecting Tools, Miscellaneous Definitions, Access Profiles.

Close

Exit this dialog.

New

Create a new access profile definition.

Edit

Edit an existing access profile definition.

Delete

Delete an existing access profile definition.

Setting Access Profile Properties

When you create or modify an Access Profile using the Access Profiles dialog, you need to understand the properties that comprise an access profile. After reading this section, you will be familiar with these properties.

Symbolic ID

The Symbolic ID is used as the key to retrieve the encrypted ACCESSID and ACCESSPSWD from PSACCESSPRFL. For initial installation, you should set it equal to the Database Name.

Access Profile ID

The Access Profile ID must be a valid RDBMS ID with system administrator privileges, and the Access Profile ID must match the associated RDBMS ID. The system assumes that the RDBMS ID that you choose is the same as the Access Profile ID.

The Access ID must be a different logon ID than the User ID. There is logic within PeopleTools such that if Access ID = User ID, PeopleTools does not log off and log on again, nor does the system issue a SET CURRENT SQLID = ‘owner ID’.

DB2 Note. In DB2 terminology, Access ID is the primary ID and Owner ID is a secondary Auth ID. If the Access ID does not equal the owner ID, secondary authorization security exists in DB2 to issue a SET CURRENT SQLID command. DB2 will qualify tables (required) with the Owner ID provided by SET CURRENT SQLID statements issued by the PeopleSoft software. If the access ID equals owner ID, the secondary authorization exits are not required. DB2 will qualify the table name with the access ID.

Access Password

The Access Password is the password associated with your RDBMS ID/Access Profile ID and is the password that the Access ID uses to sign in to the database.

Working with Access Profiles

This section discusses the procedures that you complete while adding, modifying, or removing access profiles in your PeopleSoft system.

To create a new access profile definition:

In PeopleSoft Application Designer, select Tools, Miscellaneous Definitions, Access Profiles.

The Access Profiles dialog box appears.
Click New.

The Add Access Profile dialog box appears.

This dialog box prompts you for the Symbolic ID, name, and password of the new access profile.
Enter a Symbolic ID.

The Symbolic ID is used as the key to retrieve the encrypted ACCESSID and ACCESSPSWD from PSACCESSPRFL.
Enter an Access Profile ID.

This ID must be a valid RDBMS ID with system administrator privileges.
Enter and confirm a password.

The access password is the password string for the RDBMS ID/Access Profile ID. The Confirm Password field required and its value must match that of the Access Password field.
Click OK.

Note. You should use only one Access ID for your system. Some RDBMS do not permit more than one DB table owner. If you create more than one Access ID it may require further steps to ensure that this ID has the correct rights to ALL PeopleSoft system tables.

To change an Access Profile password:

In Application Designer, select Tools, Miscellaneous Definitions, Access Profiles.

The Access Profiles dialog box appears.
In the Access Profiles: list, highlight the profile that you want to modify, and click Edit.

The Change Access Profile dialog box appears.

This dialog box prompts you for the old password, the new password, and then a confirmation of the new password for the access profile.
Enter and confirm the new a password.

The access password is the password string for the ID. The Confirm Password field is required and its value must match that of the Access Password field.
Click OK.

To delete an Access Profile:

Select Tools, Miscellaneous Definitions, Access Profiles.

The Access Profiles dialog box appears.
Highlight the access profile that you want to remove, and click Delete.

You are prompted to confirm the deletion.

Click Yes at the prompt dialog box if you want to delete the selected access profile.

Important! Make sure you don't delete the only available Access ID or you will not be able to logon to PeopleSoft software in any capacity.

Working With User Profiles

This section discusses how to:

Create a new user profile.
Copy a user profile.
Delete a user profile.

Creating a New User Profile

To create a new user profile:

Select PeopleTools, Security, User Profiles, User Profiles to access the Find Existing Values page.
Click Add a New Value.
On the Add a New Value page, enter the new user ID in the User ID edit box, and click Add.

The user ID can contain up to 30 characters. The name that you specify can't contain any white space, or any of the following characters:
```
; : & , < > \ / " [ ] ( )
```
Also, you can't create a user ID named PPLSOFT; this is a reserved user ID used within PeopleTools.
Specify the appropriate values from the pages in the User Profiles component (USERMAINT), and click Save.

Copying a User Profile

To copy a user profile:

Select PeopleTools, Security, User Profiles, Copy User Profiles to access the Find an Existing Value search page.
Select the user ID that you want to copy.
On the User Profile Save As page, enter the new user ID, description, and the password that the new user ID should use to sign in to the system.

Note. If Copy ID Type Information is not selected, the system does not save the EMPLID value to the PSOPRDEFN table.

Deleting a User Profile

To delete a user profile:

Select PeopleTools, Security, User Profiles, Delete User Profiles to access the Delete User Profile page.
Make sure that you have selected the correct user profile.
Click Delete User Profile to remove information related to this particular user profile that appears in every security table in the system, PeopleTools, and application tables.

To prevent specific information from being deleted, you can specify tables that the delete user process bypasses.

Bypassing Tables During the Delete User Profile Process

When you delete a user profile and related information, there might be tables that contain rows of user profile data that you do not want to delete. For example, you may want to retain certain user profile history data. You can select the tables that the process skips.

To bypass tables during the Delete User Profile process:

Select PeopleTools, Security, Security Objects, Tables to Skip.
Click the prompt button to select the record name to skip.

Note. The prompt displays only records that contain the OPRID field as a key field. The view behind this prompt is the PS_TBLSELECTION_VW.
Click the Save button.

Specifying User Profile Attributes

This section discusses how to:

Set general user profile attributes.
Set ID type and attribute value.
Set roles.
Specify workflow settings.
Inquire about user profile audit information.
Display additional links.
Run user ID queries.

Pages Used to Specify User Profile Attributes

Page Name	Object Name	Navigation	Usage
General	USER_GENERAL	PeopleTools, Security, User Profiles, User Profiles, General	Set general user profile attributes.
ID	PSOPRALIAS	PeopleTools, Security, User Profiles, User Profiles, ID	Set ID type and attribute value.
Roles	USER_ROLES	PeopleTools, Security, User Profiles, User Profiles, Roles	Add roles to a user profile. This task defines user access in the PeopleSoft system. Through roles, the user inherits permission lists.
Workflow	USER_WORKFLOW	PeopleTools, Security, User Profiles, User Profiles, Workflow	Specify workflow settings for a user.
Audit	USER_AUDIT	PeopleTools, Security, User Profiles, User Profiles, Audit	Determine when and who last updated a profile.
Links	USER_OTHER	PeopleTools, Security, User Profiles, User Profiles, Links	Display any additional links added.
User ID Queries	USER_QUERY	PeopleTools, Security, User Profiles, User Profiles, User ID Queries	Run queries about a user profile.

Setting General User Profile Attributes

Access the General page.

Logon Information

Account Locked Out?	Select this check box to deactivate a user profile for any reason. The user can't sign in until you have cleared this option. Note. This check box is also automatically selected by the system if you're using password controls and the user exceeds the maximum number of failed logon attempts. The administrator needs to manually open the user profile and clear this check box to reinstate the user.
Symbolic ID	Associated with a user’s encrypted access ID and access password. The correct symbolic ID must be entered to retrieve the appropriate access ID and password. This value determines which access ID and password are used to log the user onto the database after the system validates the user's user ID. The access ID is required only when a user needs to connect directly to the database (in two-tier). The access ID is not required with the portal or if you use a Lightweight Directory Access Protocol (LDAP) directory server to manage user IDs. With PeopleSoft Pure Internet Architecture, the application server maintains the connection to the database, so the application server must submit an access ID.
Password and Confirm Password	Enter the password string that the user must supply when signing in. The value in the Confirm Password field must match that in the User Password field. The maximum password length is 32 characters. Note. These values are required to sign on to the system, but you can save the profile without populating these fields.
Password Expired?	If you are using PeopleSoft password controls, this option enables you to force users to change their passwords in the following situations: The first time that a user signs in to PeopleSoft software. The next time that a user signs in. The first time that a user signs in after the system has emailed the user a randomly generated password. Note. To use this option, you must enable the Password Expires in 'x' Days PeopleSoft password control. When a user's password has expired, the Password Expired check box becomes enabled and selected. By clearing the check box, and saving the change, the password can be renewed (though this practice is not recommended).
User ID Aliases	Enables you to use a fully qualified email ID (email address) as a user ID alias. For example, [email protected] could be the user ID used to sign in to the system. The maximum character length is 70.
Edit Email Addresses	If a user is part of the workflow system or you have other systems that generate email for users, enter an email address for a user with this link. You can enter multiple email addresses for a user, but one must be selected as the primary email address. The system allows only one email address per type. For example, you can't enter two home email addresses. The Email Addresses interface has the following controls: Primary Email Account: If you enter multiple email accounts, one must be selected as the primary account. Email Type: Select from Blackberry, Business, Home, Other, or Work. The Blackberry email type is used with the Workflow/RIM technology. Email Address: Enter the email address in this edit box.

General Attributes

Language Code	The language code on the User Profile page has a limited use. For example, when a user runs a batch job, the system needs to know in which language to generate the reports for the user who submitted the job. In Pure Internet Architecture, the user’s language preference is based on the selection that the user makes on the signon page. For Microsoft Windows workstations, the user’s language preference is derived from the Display tab in PeopleSoft Configuration Manager. For the Microsoft Windows environment, the value specified as language code in the user profile acts as a default in case the language code isn’t specified in PeopleSoft Configuration Manager.
Currency Code	If the user deals with international prices, set the currency code to reflect the native or base currency. This enables values to appear in the currency with which the user is familiar.
Default Mobile Page	Select the mobile homepage that should appear after users sign on to their mobile device.
Enable Expert Entry	You can specify that some users, such as your expert or power users, have the option of deferring all processing of the data that they enter. This enables users to reduce the amount of trips to the server for data processing, regardless of how the developer set field deferred or interactive processing. You enable this option in a component in Application Designer, and you specify which users have this option using the Enable Expert Entry check box. If you want a particular user to be able to specify deferred processing, select the check box. If not, leave the check box clear.

Permission Lists

Navigator Homepage

Associated with PeopleSoft Workflow.

Process Profile

Contains the permissions that a user requires for running batch processes through PeopleSoft Process Scheduler. For example, the process profile is where users are authorized to view output, update run locations, restart processes, and so on.

Note. Only the process profile comes from this permission list, not the list process groups.

Primary and Row Security

The system determines which data permissions to grant a user by examining the primary permission list and row security permission list. Which one is used varies by application and data entity (employee, customer, vendor, business unit, and so on). Consult your application documentation for more detail.

The system also determines mass change (if needed), and definition security permissions from the primary permission list.

Setting ID Type and Attribute Value

Access the ID page.

ID Types and Values

ID Types and Values

Select the ID type and attribute value. Separating user profiles by ID type enables you to have multiple categories of user profiles with ID numbers all within a range of 1–1000, for example, and it also enables you to grant data permission by entity (customer, employee, and so on). So when users sign in to your benefits or payroll deductions application, they see only information that applies to them.

A user profile is a set of data about an entity—a user—that interacts with the system. The human resources (HR) system, which keeps track of your employee data, is designed to focus more on your employee user types. On the other hand, your financials system is designed to keep track of customer and supplier user types. ID types enable you to link user types with the records that are most relevant when a user interacts with the system.

The Attribute Value field is where you select the value associated with the attribute name. In this case, the value reflects the employee number, but it could be a customer number or vendor number.

User Description

The User Description section enables you to help identify the user.

Description	You can add a description, such as a name of an individual or an organization, for the user profile.
Set Description	Click this link to populate the edit box with an existing description in the database.

Note. Before you assign a user type to a user, you must create user types.

See Also

Working With User Profile Options

Setting Roles

Access the Roles page.

Role Name

Displays the name of the role added to the user profile.

Description

Displays a description of the role added to the user profile.

Dynamic

Selected if the system has assigned a particular role dynamically.

Route Control

For each role assigned to a user, you can specify a route control profile. For example, suppose that you have a role named EXPENSE_REP. If you wanted a particular expense representative to handle all of the expense reports submitted by people who had last names beginning with A, you could assign the user a specific route control profile to send the user reports submitted by individuals with a last name beginning with A.

View Definition

Enables you to view the role definition associated with this user profile.

See Understanding Route Control Development.

See Using the PeopleSoft Administrator Role.

Dynamic Role Rule

Use the Dynamic Role Rule options to test and manually carry out business rules for dynamically updating roles and assigning them to user profiles. You design your role rules using Query Manager, PeopleCode, or LDAP directory rules

Execute on Server	Select the Process Scheduler server that should run your role rule.
Test Rule(s)	Use this button to test the rules and verify if they're going to produce the desired results for a particular user. None of the roles are actually assigned, but the system provides you a report as to what roles will be assigned when you run the rule.
Execute Rule(s)	Use this button to run the rules and assign the appropriate roles to a particular user. This is the manual approach. Typically, you implement role rules through PeopleSoft Process Scheduler on a regularly scheduled basis.
Process Monitor and Message Monitor (service operations monitor)	Enables you to view the status of the process carrying out the role rule and the messages that the process invoked.

Specifying Workflow Settings

Access the Workflow page.

Workflow Attributes

Alternate User ID	Select an alternate role user to receive routings sent to this role user. Use this option when the role user is temporarily out (for example, on vacation or on leave). If the edit box contains a role user name, the system automatically forwards new work items for whoever is assigned as the current role user to the alternate role user. Note. The system forwards new work items to the alternate role user. It doesn’t reassign items already in the user’s worklist. Note. When applying an alternate user ID in your workflow settings, make note of the fact that the system only sends workflow routings to the immediate alternate user ID. The system does not send routings down multiple levels of alternate user IDs. For example, assume user A specifies user B as the alternate user ID while user A is out of the office. Also assume that user B happens to be out of the office at a time during user A’s absence, and user B specifies user C as an alternate user ID. In this case, the system does not send workflow routings originally intended for user A to user C. Note. The Alternate User ID feature is only intended for and only works in conjunction with the Virtual Approver. For example, it does not work with worklists outside of Virtual Approver, or with TriggerBusinessEvent workflow, or with notifications.
From Date and To Date	Enter the date on which the current role user is going to begin and return from a temporary vacancy. This edit box specifies the time period that the alternate user ID is used.
Supervising User ID	Select the user ID of the user’s supervisor from this drop-down list box. The system uses this value when it needs to forward information to the user’s supervisor. The system uses the PERSONAL_DATA record to determine the user’s supervisor. Note. If you’re using PeopleSoft Human Capital Management (PeopleSoft HCM) applications, this field shouldn’t appear. If it does, you must set your workflow system defaults.
Routing Preferences	Specify which types of routings this role user can receive. The Routing Preferences box shows the two places where the system can deliver work items: to a worklist or to an email mailbox. If the user doesn’t have access to one or both of these places, clear the check box. For example, if this person isn’t a PeopleSoft user, clear Worklist User.

Reassign Work

Re-assign Work To

Use to reassign pending work for this role user if positions change or a user is temporarily out, such as on leave or on vacation.

If this user has work items waiting (as shown by the Total Pending Worklist Entries in your Workflow interface), select this check box and select the user to whom work items should be forwarded from the drop-down list box. When you save the page, the system reassigns existing worklist entries to the specified user.

Note. If you don’t reassign pending work items, they remain unprocessed.

Total Pending Worklist Entries

Displays worklist items that require a user's attention.

See Also

Defining Roles and Users

Inquiring About User Profile Audit Information

The Audit page is a display-only page that enables you to determine:

When a profile was last updated.
Who updated the profile.

Displaying Additional Links

If you added links for user profiles in the Security Links component, they appear on the Links page.

Running User ID Queries

User ID queries enable you to run queries that provide detailed information regarding a user profile, such as the permission lists and roles associated with a user profile. The available queries are documented on the page.

To run a user ID query:

Click the link associated with the query that you want to run.

This invokes a new browser window.
View the information that the query returns to the new browser window, or select a download option.

For downloading, you have the following options:
- Excel Spreadsheet: Downloads the query results as an Excel spreadsheet (.xls) file.
- CSV Text File (comma-separated values text file): This downloads the query results as a CSV (.csv) file.

Implementing Distributed User Profiles

This section provides an overview of distributed user profiles and discusses how to:

Define user profile access for remote security administrators.
Define remote security administrator role grant capability.
Administer distributed user profiles.

Understanding Distributed User Profiles

As your user population increases in size, it can become impractical for one person to centrally administer all of your system's user profiles. You can distribute some or all user profile administration tasks by enabling selected users to use the Distributed User Profiles component (USERMAINT_DIST) to control the granting of selected roles to other users.

The pages in the Distributed User Profiles component are identical to the corresponding pages in the User Profiles component, except that its User Roles page doesn't include links for editing the assigned roles. You can restrict who can use the component, which users they can administer, and what roles they can grant, based on the roles to which they themselves belong. For example, you might specify that users in the Line Manager role can grant the Shipping Clerk role to other users. The effect of this is to designate line managers as remote security administrators who can administer the user profiles of shipping clerks. In addition to granting and managing roles, a remote security administrator can administer all parts of a user profile, including passwords, email addresses, and workflow.

Important! Distributing user profile administration might affect regulatory compliance (for example, Sarbanes Oxley). You are responsible for determining and accounting for any impact of using this feature.

To implement distributed user profiles:

Use permission lists and roles to configure security to give your selected remote security administrators access to the Distributed User Profiles component.

Note. The PIA navigation path to this component is PeopleTools, Security, User Profiles, Distributed User Profiles.
Use the Set Distributed User Profile Search Record page to define which user profiles can be administered with the Distributed User Profiles component.

See Defining User Profile Access for Remote Security Administrators.
Use the Role Grant page in the Roles component (ROLEMAINT) to specify which roles your remote security administrators can grant with the Distributed User Profiles component.

See Defining Remote Security Administrator Role Grant Capability.

Defining User Profile Access for Remote Security Administrators

To define user profile access:

Define a search record that returns only the user IDs that you want remote security administrators to be able to administer.

Note. Initially, PSOPRDEFN_SRCH is the default search record for this purpose. You can accept the default and skip this step, but that enables access to every user profile on your system. You're strongly encouraged to define a search record that's more restrictive.

See PeopleTools 8.49 PeopleBook: PeopleSoft Application Designer, "Creating Component Definitions," Understanding Search Records
In a browser, select PeopleTools, Security, User Profiles, Distributed User Setup to access the Set Distributed User Profile Search Record page.
In the New Search Record field, select the search record that you defined in step 1, then save.

When remote security administrators access the Distributed User Profiles component, this search record enforces row-level security to restrict the set of user IDs that they can select and administer.

See Also

Understanding Search Records

Defining Remote Security Administrator Role Grant Capability

In a browser, select PeopleTools, Security, Permissions and Roles, Roles, Role Grant to access the Roles - Role Grant page.

You use this page to specify which roles can be granted using the Distributed User Profiles component, and which users can grant them. This page is part of a role definition — you can configure this role to be a remote security administrator, or to be a role that a remote security administrator can grant to users, or both.

Roles That Can Be Granted By This Role

By specifying one or more roles for this field, you effectively designate users who belong to this role — and who have access to the Distributed User Profiles component — as remote security administrators. Add rows to enable this role to grant as many roles as appropriate. For example, you might want users that belong to the Shipping Manager role to be able to grant the Shipping Clerk (Temporary) role and the Packing Clerk (Temporary) role to other users.

Note. This field is complementary to the Roles That Can Grant This Role field, and propagates its values accordingly. Using the example given, on the Role Grant page for the Shipping Clerk (Temporary) role and the Packing Clerk (Temporary) role, the Roles That Can Grant This Role field now specifies Shipping Manager.

Roles That Can Grant This Role

By specifying one or more roles for this field, you effectively designate users who belong to those roles — and who have access to the Distributed User Profiles component — as remote security administrators, able to grant this role to users. Add more rows to enable additional roles to grant this role. For example, you might want users that belong to the Security Administrator role to be able to grant the Shipping Manager role to other users.

Note. This field is complementary to the Roles That Can Be Granted By This Role field, and propagates its values accordingly. Using the example given, on the Role Grant page for the Security Administrator role, the Roles That Can Be Granted By This Role field now specifies Shipping Manager.

View Definition

Click to view the associated role definition and ensure that you've selected the appropriate role to grant or to serve as a remote security administrator.

Administering Distributed User Profiles

In a browser, select PeopleTools, Security, User Profiles, Distributed User Profiles to access the Distributed User Profiles component.

Remote security administrators can fully edit the user profiles that they access through the Distributed User Profiles component, including granting roles.

The users that remote security administrators can administer are determined by the search record you specified on the Set Distributed User Profile Search Record page.

The roles that a given remote security administrator can grant are determined by the selections that you made on the Roles - Role Grant page.

See Also

Specifying User Profile Attributes

Configuring User Profile Synchronization Between Databases

PeopleSoft enables you to synchronize users between databases using the USER_PROFILE service operation.

To set up full user profile synchronization, you access PeopleSoft Integration Broker and configure one database to send user profile data and another database to receive user profile data. Applications accomplish user profile synchronization by using the USER_PROFILE service operation.

When you modify existing or enter new profiles on the sending database, PeopleCode publishes the USER_PROFILE service operation, and sends the data to the receiving database. The receiving database consumes the service operation and updates user profiles with the data from the sending database.

To set up full user profile synchronization, perform these tasks in all participating databases:

Configure PeopleSoft Integration Broker.

See Using the Integration Broker Quick Configuration Page.
In PeopleSoft Integration Broker, activate and configure the routings for the appropriate version of the USER_PROFILE service operation.

See Managing Routing Definitions.

User Profile Synchronization Exceptions

Adding and deleting user profiles on the publishing node cause corresponding changes on the subscribing nodes. Modifying user profiles on the publishing node causes corresponding changes on the subscribing nodes with these exceptions.

Changes to the primary E-mail Type are ignored if a primary email exists in the subscribing node.
Changes to a User ID Type are ignored if the user ID type is not valid on the subscribing node. Instead, the subscribing node inserts an ID type of None, provided that the subscribing node does not have a row for None already.
In general, changes that produce invalid field values in the subscribing node are ignored by the subscribing node.

Note. User Profiles contain sensitive information. Design and implement user profile synchronization across different nodes with special care. As delivered, user synchronization behavior may not be acceptable in all cases.

Working With Passwords

This section discusses how to:

Set password controls.
Change passwords.
Create email text for forgotten passwords.
Create hints for forgotten passwords.
Delete hints for forgotten passwords.
Set up the site for forgotten passwords.
Request new passwords.

Setting Password Controls

Select PeopleTools, Security, Password Configuration, Password Controls to access the Password Controls page.

You use the Password Controls page to set any password restrictions such as duration or minimum length of a password that you might want to impose on your end users. These options apply when you are maintaining your user profiles within PeopleSoft, not within a directory server.

Enable Signon PeopleCode	Select this check box to enable the following PeopleSoft password controls: Age and Account Lockout. The other password controls are not enabled by this box. If you do not want these password controls, as in you already have a third-party utility that performs equivalent features, clear this check box. Note. If you change the status of the Enable Signon PeopleCode check box, you must restart the application server. You can extend or customize the controls by modifying the PeopleCode.
Password Expiration	You define a number of days (between 1 and 365) that a password is valid. To do this, select the Password Expires in ‘N’ Days option. Users logging on after a password expires must change their password to log on. If you don't want the password to expire, then select Password Never Expires. When a password expires the user can't sign in to the system and is prompted to change it. If you want to specify a duration in which the system warns users that their password is about to expire, you have the following options: If you want to specify a warning period, select Warn for 'N' days, and enter the number of days in the edit box. If you don't want any warning period, select Do not warn of expiration. PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a password expires for a user, the system automatically removes all of the user's roles and permission lists and temporarily assigns them the PSWDEXPR permission list only. A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to the Change Password component (CHANGE_PASSWORD) only. For the duration of the session, as in until the user changes the password, the user is restricted solely to the PSWDEXPR permission list. Note. The actual user profile stored in the database is not changed in any way when the password expires. You don't need to redefine the profile. When the password is changed the system restores the user profile's previous roles and permission lists.
Account Lockout	This control enables you to lock an account after n number of failed logon attempts. For example, if you set the Maximum Logon Attempts value to 3, and a user fails three signon attempts, they are automatically locked out of the system. Even if they correctly enter a user ID and password on the fourth attempt, the user is not permitted to logon. This feature reduces the risk of any intruders using brute force to break into your system. It also provides a reminder to users to remember the passwords they chose. After the account is locked out, a system administrator needs to open the user profile and clear the Account Locked check box manually.
Miscellaneous	The Allow password to match User ID control enables administrators to make sure users don't use their own user ID as a password. This helps you to prevent hackers from guessing passwords based on a list of employee names.
Minimum Length	Administrators can opt to set a minimum length for passwords maintained by the PeopleSoft system. If the minimum length is set to 0, the PeopleSoft password controls do not enforce a minimum length on the user’s password. This does not, however, imply that the password can be blank. When you create a new user or a user changes a password, the system checks this value. If it is not zero, the system tests the password to ensure it meets length requirements, and if not, an error message appears.
Character Requirements	Administrators can require a set number of digits or special characters within a password. Special characters refer to symbols such as # and @, and digits refer to numbers (integers), such as 1 or 2. Here is the list of special characters you can include within a password: ! @ # $ % ^ & * ( ) - _ = + \ \|[ ] {} ; : / ? . > < Note. The maximum password length is 32 characters.
Purge Inactive User Profiles	This setting enables you to purge the system of user profiles that have not been used in a specified amount of time. If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must also delete the row in PSOPRDEFN associated with the deleted user profile. Note. The Application Engine program that performs this operation is named PURGEOLDUSERS.
Password History	This control enables you to define the number of user passwords to retain in the password history table. If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password. When the user reaches the maximum number of passwords as indicated in the Number of Passwords to Retain field, the system deletes the oldest password and then stores the current password. Note. If the password history table contains values and you change theNumber of Passwords to Retain field value to 0, the system deletes the all password history for all users.

Changing Passwords

The PeopleSoft system enables users to change their passwords as needed.

To change a PeopleSoft password:

From the portal navigation pane, select Change My Password.
On the Change Password page, enter the current password in the Current Password edit box.
In the New Password edit box, enter the new password.
Confirm the new password by entering it again in the Confirm Password edit box.
Click Change Password.

Creating Email Text for Forgotten Passwords

Before the system emails a new, randomly generated password for a forgetful user, you want to make sure they are who they claim to be. The Forgotten Password feature enables you to pose a standard question to users requesting a new password to verify the user's authenticity. If the user enters the appropriate response, then the system automatically emails a new password.

When a user has forgotten a PeopleSoft password, the system sends the user a new password within an email message. You can have numerous password hints, but typically, you send all new passwords using the same email message template. Because of this, PeopleSoft provides a separate page just for composing the standard email text that you use for your template:

Add the following text string in the Email Text edit box:

<<%PASSWORD>>

This is where the system inserts the new password. The %PASSWORD variable resolves to the generated value.

Note. You might instruct the user to change the password to something easier to remember after they sign on to the system with the randomly generated password. Only users that have the Allow Password to be Emailed (on the General page) option enabled in a permission list can receive a new password using this feature.

Creating Hints for Forgotten Passwords

Select PeopleTools, Security, User Profile, Forgot My Password Hint to access the Forgot My Password Hint page.

With these hints set up, users, upon forgetting their password, access the Forgot My Password page. The user answers the question correctly and gets a new password sent through your email system.

To create a forgotten password hint:

Click Add a New Value.
On the Add a New Value page, enter a three-character ID in the Password Hint ID edit box.
Click Add.
Select the Active check box.
Enter your question to verify that the user is who he or she claims to be.
Click Save.

Deleting Hints for Forgotten Passwords

To delete a password hint:

Select PeopleTools, Security, User Profiles, Delete Forgotten Password Hint.
Enter the specific code for the hint or perform a search for it.
On the Delete Forgot My Password Hint page, select the appropriate hint.
Click Delete.

Setting Up the Site for Forgotten Passwords

PeopleSoft recommends setting up a site specifically designed for users who have forgotten their passwords. This site would require no password to enter, but provides access only to the forgotten password pages.

To set up a forgotten password site:

Set up a separate Pure Internet Architecture site on your web server.
Set up a direct connection to the site, as in a link that leads right to it.
In the web profile, enable public access and specify a public user ID and password for automatic authentication.

This “direct” user should have limited access, as in only to the Email New Password component. Users go directly to it, and get a new password mailed.
Place a link to the forgotten password site within the public portion of the PeopleSoft portal, or on another public website.
Notify your user community of the link.

Requesting New Passwords

To request a new password, direct the user to the Forgot My Password page (EMAIL_PSWD2), which is a hidden page. The system randomly generates a new password and emails it to the user.

Before the system can email the user a new password, complete these tasks:

Create a forgotten password hint.
Specify an email address in the user profile.
Grant permission to have a new password emailed.

Note. The security administrator must select the Allow Password to be Emailed check box in at least one of the user's permission lists. If this setting is not selected, the user is not allowed to receive the new password through email. If the user is allowed to receive new passwords through email, the user can request a new password.

See Setting General Permissions.

To request a new password:

Click the Forgotten Password link on the PeopleSoft signon page (or direct the user to the Forgotten Password link.)
On the Forgot My Password page, enter your user ID.
Click Continue.
On the Email New Password page, verify that the system is set to send the new password to the appropriate email address.

If the appropriate email address does not appear, contact your system administrator. System administrators must make sure that the email address is correctly represented for each user who intends to use this feature.

Note. Use Application Designer to change any display properties of the fields on the EMAIL_PSWD2 page.
Respond to the user validation question.
Click Email New Password.

Working With User Profile Options

This section provides an overview of user profile types and discusses how to:

Define user profile types.
Preserve historical profile data.

Understanding User Profile Types

When deploying your applications to the internet, you have the potential to generate thousands of different user profiles. In some situations, it may be necessary to aggregate your user profiles in a categorical fashion. For example, having ID types enables you to have employee ID numbers beginning at 1 as well as customer ID numbers beginning at 1.

User profile types also provide a means to link user profiles with data stored in application specific records. PeopleSoft applications need this link mostly for self-service transactions. For example, you want employees to see just their own benefits, or you want customers to view and pay their own bills. Customer ID, Employee ID, and so on are the keys for the application data. User profile types enable the system to find the correct ID based on the user profile. The system needs the value because there’s no guarantee that personal data and vendor contact data won’t have the same key field. Because the personal data and vendor contact data resides in different records, there’s no edit that prevents the two records from having the same key.

PeopleSoft delivers the following profile types:

ID Type	Description
BID	Bidder
CNT	Customer Contact
CST	Customer
EJA	External Job Applicant
EMP	Employee
NON	None
ORG	Organization ID
PER	Person (CRM)
VND	Vendor
PTN	Partner

Defining User Profile Types

Select PeopleTools, Security, Security Objects, User Profile Types to access the User Profile Types page.

ID Type

The ID type is the abbreviated form the profile type name.

Description

The Description edit box enables you to add an intuitive name for a profile type. This is the value that appears on the ID Page in the User Profiles component. There's a 30-character limit.

Enabled?

You disable and enable a profile type by selecting this check box. Once enabled, you can assign it to user profiles. If it is disabled then it does not appear in the drop-down list box on the ID page for user profiles.

Note. Don't enable the ID type until the fields and tables in the Field Information section have been defined and built with Application Designer.

Sequence Number

This option is used by the Set Description function. On the User Profiles, ID page you can click a Set Description link to generate the user description based on the values in the Description field name for the user types assigned to the user. The sequence number determines which user type to use when the user is assigned to multiple user types. The user description is set to the value in the Description field name of the user type with the lowest sequence number and nonblank value. For example, if a user is assigned to user types of Employee (seq no 1) and Customer Contact (seq no 3), the description would be set to PERSONAL_DATA.NAME, unless it is blank. If PERSONAL_DATA.NAME is blank, the description would be set to CONTACT.NAME1.

Note. For user types with multiple fields, the system uses the Description field name corresponding to the last field. For example, the Customer Contact user type has two fields: SETID and CONTACT_ID. The Set User Description function uses the Description field name CONTACT.NAME1 corresponding to the last field, CONTACT_ID.

Description (Long)

The Description edit box provides an opportunity to provide details about a given profile type. There's a 250-character limit.

Field Information

The fields that you select enable the User Profiles component to prompt for an ID value when you select a type on the ID page. Let’s say that the user selects Employee from the ID page. In this case, the system needs to know the valid ID values to prompt the user with. The Edit Table column specifies the record, the Field Name column specifies the field. You can specify multiple fields if the ID has multiple keys, as in when the keys for customer information are Customer ID and SETID.

Preserving Historical Profile Data

There are many occasions when you need to delete a user profile from your system. For example, perhaps an employee retires or an employee leaves the organization. Regardless of the situation, you don't want to keep the unnecessary user data in your system. It's a good idea to purge your system of obsolete user data, such as personal queries, to reclaim space for new user data. This process targets all tables that are keyed by user ID.

However, in the case of an employee, you may not want to keep their page or signon access information in the system, but you might be interested in keeping user data stored in an audit table that tracks changes made to vital company data. You may need to check that information a few months later as you might discover some interesting financial allocations, and if so, you'll want to know who's responsible.

Note. Keep in mind that the automated process of deleting a user profile deletes every row of data in your system associated with a particular user profile. You want to make sure that any information you might need in the future is safe.

Select PeopleTools, Security, Security Objects, Tables to Skip to access the Bypass Tables page.

To preserve a table that stores data associated with user profiles, add a row to the Bypass Tables page and select either a PeopleTools security table or a PeopleSoft application security table from the Record (Table) Name drop-down list box.

Transferring Users Between Databases

You'll occasionally need to copy security information from one database to another. Typically, you’ll do this as part of an upgrade or to transfer security information from your production environment to your development or testing environment. PeopleTools provides a set of Data Mover (DMS) scripts designed to export and import your security information. The provided scripts transfer user profiles from a source to a target database.

Note. Application Designer's upgrade feature offers upgrade support for both Roles and permission lists.

There is one script to export User Profile data from the source database. The source database refers to the database that contains the User Profiles that you want to migrate. The target database refers to the database to which you are copying the user information.

After exporting the security information from the source database, you then run the import script against the target database. The target database refers to the database to which you want to transfer the security data. The scripts involved in transferring security information from one database to another appear in the following list:

USEREXPORT.DMS. Exports User Profiles from the source database and stores them in a Data Mover DAT file. The output file is named USEREXPORT.DAT.
USERIMPORT.DMS. Reads the file created by USEREXPORT.DMS and copies the User Profile data into the target database.

You will find this set of scripts in PS_HOME\scripts.

This section describes the procedure for running these scripts, and it outlines what needs to be in place prior to running the scripts. It also presents some items to consider prior to running the scripts.

Considerations

Before running scripts to export and import your security information, you should consider these topics:

Duplicate Rows

If the target database already contains a row of data with identical keys to a row transferred by the import script, the duplicate row will not be transferred to the target. The scripts make no attempt to merge the duplicate row; the row is not transferred.

To ensure that you don’t have data rows with duplicate keys, you need to make sure that there’s not a User Profile in the source database with the same name in the target database.

You should not have data rows with duplicate keys in your source and target database when you begin the copy as this can lead to unexpected results which compromise database integrity.
Release Levels

Because the PeopleTools table structures change between major releases (6.X to 7.X or 7.X to 8.X), you can’t transfer users between databases that run different versions of PeopleTools. Before starting the migration process, upgrade your source and target database so the release levels match.

Running the Scripts

Complete the following procedure to run the user transfer scripts.

To run the scripts

Using Data Mover, sign on to the source database and run USEREXPORT.DMS for user definitions.

You can edit this script to specify the location and file name of the output file and the log file.
Using Data Mover, sign on to the target database and run USERIMPORT.DMS for user definitions.

You can edit the script to specify the location and file name of the input file and the log file. The name and location of the input file must match the output file you specified in step 2.
After copying user and role definitions, it is recommended that you run the PeopleTools audits.

This includes DDDAUDIT and SYSAUDIT to check the consistency of your database.

Tracking User Sign-in and Sign-out Activity

PeopleSoft Security provides two audit logs which track users' sign-in and sign-out activity in PeopleSoft. Signin activity includes timeouts, browser closings, and browser freezes.

Access these logs by navigating in a browser to PeopleTools, Security, Common Queries, Access Log Queries. Select one of the following logs:

Access Activity by User

View a single user's sign-in and sign-out activity. This log includes a user's Client IP address, sign-in times and sign-out times.
Access Activity by Day

View one or more days of all user sign-in and sign-out activity. This log includes User IDs, Client IP addresses, sign-in times and sign-out times.

These logs are generated using data from the PSACCESSLOG table. If you are not interested in employing this functionality, delete the PSACCESSLOG table. Deleting this table does not cause any negative impact.

Note. If you deleted the PSACCESSLOG table and would like to track Users' sign-in and sign-out activity again, you must recreate the table using the same exact column names and order as were in the previous PSACCESSLOG table: OPRID, LOGIPADDRESS, LOGINDTTM, LOGOUTDTTM.

Purging Inactive User Profiles

The Purge Inactive User Profiles page enables you to purge inactive users from your system. To access this page use the following navigation options:

Select PeopleTools, Security, User Profiles, Purge Inactive User Profiles.
Select PeopleTools, Security, Password Configuration, Password Controls, and click Schedule under Purge Inactive User Profiles.

Note. Before accessing this page you will need to enter a run control ID.

This page enables you to launch automatically the PURGEOLDUSRS Application Engine program. The PURGEOLDUSRS program deletes user profiles having an inactive status that exceeds the period specified in the Purge Inactive User Profiles section on the Password Controls page.

The Setup Purge Frequency for Inactive User Profiles link takes you to the Password Controls page where you can enter a period (in days) under Purge Inactive User Profiles.

See Also

Working With Passwords

Close	Exit this dialog.
New	Create a new access profile definition.
Edit	Edit an existing access profile definition.
Delete	Delete an existing access profile definition.

Role Name	Displays the name of the role added to the user profile.
Description	Displays a description of the role added to the user profile.
Dynamic	Selected if the system has assigned a particular role dynamically.
Route Control	For each role assigned to a user, you can specify a route control profile. For example, suppose that you have a role named EXPENSE_REP. If you wanted a particular expense representative to handle all of the expense reports submitted by people who had last names beginning with A, you could assign the user a specific route control profile to send the user reports submitted by individuals with a last name beginning with A.
View Definition	Enables you to view the role definition associated with this user profile.

ID Type	The ID type is the abbreviated form the profile type name.
Description	The Description edit box enables you to add an intuitive name for a profile type. This is the value that appears on the ID Page in the User Profiles component. There's a 30-character limit.
Enabled?	You disable and enable a profile type by selecting this check box. Once enabled, you can assign it to user profiles. If it is disabled then it does not appear in the drop-down list box on the ID page for user profiles. Note. Don't enable the ID type until the fields and tables in the Field Information section have been defined and built with Application Designer.
Sequence Number	This option is used by the Set Description function. On the User Profiles, ID page you can click a Set Description link to generate the user description based on the values in the Description field name for the user types assigned to the user. The sequence number determines which user type to use when the user is assigned to multiple user types. The user description is set to the value in the Description field name of the user type with the lowest sequence number and nonblank value. For example, if a user is assigned to user types of Employee (seq no 1) and Customer Contact (seq no 3), the description would be set to PERSONAL_DATA.NAME, unless it is blank. If PERSONAL_DATA.NAME is blank, the description would be set to CONTACT.NAME1. Note. For user types with multiple fields, the system uses the Description field name corresponding to the last field. For example, the Customer Contact user type has two fields: SETID and CONTACT_ID. The Set User Description function uses the Description field name CONTACT.NAME1 corresponding to the last field, CONTACT_ID.
Description (Long)	The Description edit box provides an opportunity to provide details about a given profile type. There's a 250-character limit.
Field Information	The fields that you select enable the User Profiles component to prompt for an ID value when you select a type on the ID page. Let’s say that the user selects Employee from the ID page. In this case, the system needs to know the valid ID values to prompt the user with. The Edit Table column specifies the record, the Field Name column specifies the field. You can specify multiple fields if the ID has multiple keys, as in when the keys for customer information are Customer ID and SETID.