The application data tables available for QAS service operations use Query Security. This chapter provides an overview of QAS security and discusses:
QAS security service operations.
How to use QAS administration.
This section discusses the three parts that are included in QAS security:
Query security
Service Operation security
WS-Security
Process Profile
This section also discusses QAS security flow.
PeopleSoft Query uses query access group trees to control security of the tables in your PeopleSoft database. You define a hierarchy of record components, based on logical or functional groupings, and then give users access to one or more branches of the tree. Users can use PeopleSoft Query to retrieve information only from record definitions they have access to based on the query access tree assignment.
QAS service operations are delivered with User/Password Required enabled and WS Security Req Verification set to Encrypt and Digitally Sign or HTTPS.
Client applications using QAS service operations must either digitally encrypt and sign the request or send the request over HTTPS.
Service operations are secured by means of permission lists. PeopleSoft applications deliver the permission list PTPT2200 (QAS access), which has full access to all QAS service operations and the application engine program QASEXEQRY. The role QAS Admin contains the permission list PTPT2200. Any users assigned the role QAS Admin can access the QAS service operations.
Web services security (WS-Security) is implemented on the integration gateway for inbound and outbound integrations with third-party systems. QAS service operations use WS-Security.
See WS-Security.
The service operation QAS_EXECUTEQRY_SYNCPOLL_OPER schedules the application engine program QASEXEQRY to run in Process Scheduler; therefore, the user initiating the request must have permission to run QASEXEQRY in the Process Profile.
See QAS_EXECUTEQRYSYNCPOLL_OPER.
This diagram illustrates the QAS request inbound flow from a third-party system in the Integration Broker:
Figure: QAS request from a third-party security flow
When any transaction arrives at the integration gateway, the PeopleSoft system checks for the existence of a WS-Security SOAP header. If the header exists, the integration gateway validates the digital signature, if one is present, and decrypts the UsernameToken and optional password to restore the user ID information to clear text format. The integration gateway then passes the user ID information, and the UsernameToken password if provided by the sender, to the application server, where additional security processing is performed.
If a user name and password are supplied in the SOAP header, the user is validated in the PeopleSoft system.
If no user ID and password are supplied, the request is rejected.
The PeopleSoft system then validates whether the user's permission list grants access to the QAS service operation.
If the user is authorized to the service operation, then Query Access security is used and the request is processed.
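The order of checks described above, modelled as an added example (not PeopleSoft code). The user table, the permission-list mappings, the HYPOTHETICAL_PL permission list and the function names are assumptions; the transport checks are passed in as flags because signature validation and decryption happen in the integration gateway.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soapenv": SOAP, "wsse": WSSE}

# Constructed sample data, standing in for PeopleSoft's user and permission tables.
USERS = {"QEDMO": "example-pw-1", "VP1": "example-pw-2"}
USER_PERMISSION_LISTS = {"QEDMO": {"PTPT2200"}, "VP1": {"HYPOTHETICAL_PL"}}
OPERATION_PERMISSION_LISTS = {"QAS_EXECUTEQRY_SYNCPOLL_OPER": {"PTPT2200"}}


def envelope(user=None, password=None):
    """Build a constructed request; the header is empty when no user is given."""
    token = ""
    if user is not None:
        token = (f"<wsse:Security><wsse:UsernameToken><wsse:Username>{user}"
                 f"</wsse:Username><wsse:Password>{password}</wsse:Password>"
                 "</wsse:UsernameToken></wsse:Security>")
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}">'
            f"<soapenv:Header>{token}</soapenv:Header><soapenv:Body/>"
            "</soapenv:Envelope>")


def qas_inbound_decision(envelope_xml, operation, over_https, signed_and_encrypted):
    """Apply the documented checks in order; return the first failure or success."""
    # Delivered setting: Encrypt and Digitally Sign, or HTTPS.
    if not (over_https or signed_and_encrypted):
        return "rejected: neither signed+encrypted nor HTTPS"
    token = ET.fromstring(envelope_xml).find(
        "soapenv:Header/wsse:Security/wsse:UsernameToken", NS)
    user = token.findtext("wsse:Username", "", NS) if token is not None else ""
    password = token.findtext("wsse:Password", "", NS) if token is not None else ""
    # User/Password Required: a request without credentials is rejected.
    if not user or not password:
        return "rejected: no user ID and password"
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return "rejected: user validation failed"
    # Service operation security: a permission list must grant the operation.
    granted = USER_PERMISSION_LISTS.get(user, set())
    if not granted & OPERATION_PERMISSION_LISTS.get(operation, set()):
        return "rejected: permission lists do not grant the operation"
    return "processed under Query Access security"
```

A valid user whose permission lists do not include the operation is stopped at the service operation check, before Query Access security is ever consulted.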
Query access security is defined on permission lists. Roles contain one or more permission lists and the user is assigned roles. Several service operations are available that a third party can use to list roles and role users.
This service operation is used to retrieve the user ID for a PSToken. This service operation is used when a Business Object Enterprise (BOE) report is run through the Process Scheduler. The PSToken is sent in the HTTP header over HTTPS. BOE will use this service operation to determine the user ID requesting the report.
Request Message: QAS_AUTHTOKEN_REQ_MSG
Element Name | Description
PSTOKEN | PeopleSoft authorization token.
Example Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_AUTHTOKEN_REQ_MSG.VERSION_1">
  <soapenv:Header/>
  <soapenv:Body>
    <qas:QAS_AUTHTOKEN_REQ_MSG>
      <PSTOKEN>owAAAAQDAgEBAAAAvAIAAAAAAAAsAAAABABTaGRyAk4AbQg4AC4AMQAwABRKm1RLE0zCq6JFYAoVWo7oKO6qVGMAAAAFAFNkYXRhV3icy2VgYGBhZmJkBNJ7mBjAgCuQwZXBhcGXwZ+BzZXBj8GdQQAkEs/gAxRxZnAE0iZGDAZAaMmgCySNgKQRgxmYbcqgByUNwaQlUMYQrNaAgQEAbO8LPQ==; http%3a%2f%2fple-infodev-08.peoplesoft.com%3a8010%2fpsp%2fqedmo%2femployee%2fqe_local%2frefresh=list:; HPTabName=DEFAULT</PSTOKEN>
    </qas:QAS_AUTHTOKEN_REQ_MSG>
  </soapenv:Body>
</soapenv:Envelope>
Response Message: QAS_AUTHTOKEN_RESP_MSG
Element | Description
LoginUser | Returns the user ID for the PSToken.
Example Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <qss:QAS_AUTHTOKEN_RESP_MSG xmlns:qss="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_AUTHTOKEN_RESP_MSG.VERSION_1">
      <LoginUser>QEDMO</LoginUser>
    </qss:QAS_AUTHTOKEN_RESP_MSG>
  </soapenv:Body>
</soapenv:Envelope>
Use this service operation to get a list of roles, along with descriptions.
Request Message: QAS_LISTROLE_REQ_MSG
Element Name | Description
SearchString | Search string used for specifying the role name or the first few characters of the role name. If no value is entered, all roles will be returned. This value is case-sensitive.
Example Request:
This is an example of a request to select all roles that begin with QAS.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLE_REQ_MSG.VERSION_1"
    xmlns:qas1="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLE_REQ.VERSION_1">
  <soapenv:Header/>
  <soapenv:Body>
    <qas:QAS_LISTROLE_REQ_MSG>
      <!--Zero or more repetitions:-->
      <qas:QAS_LISTROLE_REQ>
        <qas1:PTQASWRK class="R">
          <!--Optional:-->
          <qas1:SearchString>QAS</qas1:SearchString>
        </qas1:PTQASWRK>
      </qas:QAS_LISTROLE_REQ>
    </qas:QAS_LISTROLE_REQ_MSG>
  </soapenv:Body>
</soapenv:Envelope>
Response Message: QAS_LISTROLE_RESP_MSG
Element Name | Description
RoleName | Role name.
Description | Role description.
Example Response:
<?xml version="1.0"?>
<QAS_LISTROLE_RESP_MSG xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLE_RESP_MSG.VERSION_1">
  <QAS_LISTROLE_RESP>
    <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLE_RESP.VERSION_1">
      <RoleName>QAS Admin</RoleName>
      <Description>QAS Administrators</Description>
    </PTQASWRK>
  </QAS_LISTROLE_RESP>
</QAS_LISTROLE_RESP_MSG>
Use this service operation to get a list of roles for a given user, along with descriptions.
Request Message: QAS_LISTUSERROLES_REQ_MSG
Element Name | Description
UserName (required element) | Complete user name. Required and case-sensitive.
SearchString | Search string used for specifying the role name or the first few characters of the role name. If no value is entered, all roles for the user will be returned. This value is case-sensitive.
Example Request:
This is an example of a request to select all roles for the user PSADMIN.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSERROLES_REQ_MSG.VERSION_1"
    xmlns:qas1="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSERROLES_REQ.VERSION_1">
  <soapenv:Header/>
  <soapenv:Body>
    <qas:QAS_LISTUSERROLES_REQ_MSG>
      <!--Zero or more repetitions:-->
      <qas:QAS_LISTUSERROLES_REQ>
        <qas1:PTQASWRK class="R">
          <qas1:UserName>PSADMIN</qas1:UserName>
          <!--Optional:-->
          <qas1:SearchString></qas1:SearchString>
        </qas1:PTQASWRK>
      </qas:QAS_LISTUSERROLES_REQ>
    </qas:QAS_LISTUSERROLES_REQ_MSG>
  </soapenv:Body>
</soapenv:Envelope>
Response Message: QAS_LISTUSERROLES_RESP_MSG
Element Name | Description
RoleName | Role name.
Description | Role description.
Example Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <QAS_LISTUSERROLES_RESP_MSG xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSERROLES_RESP_MSG.VERSION_1">
      <QAS_LISTUSERROLES_RESP>
        <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSERROLES_RESP.VERSION_1">
          <RoleName>PeopleSoft Administrator</RoleName>
          <Description>PeopleSoft Admin Privileges</Description>
        </PTQASWRK>
      </QAS_LISTUSERROLES_RESP>
      <QAS_LISTUSERROLES_RESP>
        <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSERROLES_RESP.VERSION_1">
          <RoleName>PeopleSoft User</RoleName>
          <Description>PeopleSoft User</Description>
        </PTQASWRK>
      </QAS_LISTUSERROLES_RESP>
    </QAS_LISTUSERROLES_RESP_MSG>
  </soapenv:Body>
</soapenv:Envelope>
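An added example, not part of the PeopleSoft documentation, for a least-privilege review built on this operation: it parses QAS_LISTUSERROLES responses and reports privileged roles a user holds beyond an approved baseline. The privileged-role set, the baseline mapping and the function names are assumptions; the responses are constructed in the layout of the example response above.

```python
import xml.etree.ElementTree as ET

MSG_NS = ("http://xmlns.oracle.com/Enterprise/Tools/schemas/"
          "QAS_LISTUSERROLES_RESP_MSG.VERSION_1")
RESP_NS = ("http://xmlns.oracle.com/Enterprise/Tools/schemas/"
           "QAS_LISTUSERROLES_RESP.VERSION_1")

# Roles treated as privileged for this review (an assumption to adapt per site).
# "QAS Admin" contains PTPT2200, which has full access to all QAS operations.
PRIVILEGED_ROLES = {"QAS Admin", "PeopleSoft Administrator"}


def sample_response(roles):
    """Constructed response body in the layout of the documented example."""
    rows = "".join(
        f'<QAS_LISTUSERROLES_RESP><PTQASWRK class="R" xmlns="{RESP_NS}">'
        f"<RoleName>{name}</RoleName><Description>{desc}</Description>"
        "</PTQASWRK></QAS_LISTUSERROLES_RESP>" for name, desc in roles)
    return (f'<QAS_LISTUSERROLES_RESP_MSG xmlns="{MSG_NS}">{rows}'
            "</QAS_LISTUSERROLES_RESP_MSG>")


def roles_from_response(xml_text):
    """Return {role name: description} from a QAS_LISTUSERROLES response.

    PTQASWRK rows are matched by fully qualified name at any depth, so the
    bare message and the SOAP-wrapped form are both handled.
    """
    roles = {}
    for row in ET.fromstring(xml_text).iter(f"{{{RESP_NS}}}PTQASWRK"):
        name = row.findtext(f"{{{RESP_NS}}}RoleName", "").strip()
        if name:
            roles[name] = row.findtext(f"{{{RESP_NS}}}Description", "").strip()
    return roles


def unexpected_privileges(user, xml_text, approved):
    """Privileged roles the user holds that the approved baseline does not list."""
    held = set(roles_from_response(xml_text))
    # Role names are case-sensitive in QAS, so compare them exactly.
    return sorted((held & PRIVILEGED_ROLES) - approved.get(user, set()))
```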
Use this service operation to get a list of users, along with descriptions.
Request Message: QAS_LISTUSER_REQ_MSG
Element Name | Description
SearchString | Search string used for specifying the user name or the first few characters of the user name. If no value is entered, all users will be returned. This value is case-sensitive.
Example Request:
This is an example of a request to select all users that begin with PS.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSER_REQ_MSG.VERSION_1"
    xmlns:qas1="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSER_REQ.VERSION_1">
  <soapenv:Header/>
  <soapenv:Body>
    <qas:QAS_LISTUSER_REQ_MSG>
      <qas:QAS_LISTUSER_REQ>
        <qas1:PTQASWRK class="R">
          <!--Optional:-->
          <qas1:SearchString>PS</qas1:SearchString>
        </qas1:PTQASWRK>
      </qas:QAS_LISTUSER_REQ>
    </qas:QAS_LISTUSER_REQ_MSG>
  </soapenv:Body>
</soapenv:Envelope>
Response Message: QAS_LISTUSER_RESP_MSG
Element Name | Description
UserName | User name.
Description | User description.
Example Response:
<?xml version="1.0"?>
<QAS_LISTUSER_RESP_MSG xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSER_RESP_MSG.VERSION_1">
  <QAS_LISTUSER_RESP>
    <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTUSER_RESP.VERSION_1">
      <UserName>PSADMIN</UserName>
      <Description>PeopleSoft Administrator</Description>
    </PTQASWRK>
  </QAS_LISTUSER_RESP>
</QAS_LISTUSER_RESP_MSG>
Use this service operation to get a list of users for a given role, along with descriptions.
Request Message: QAS_LISTROLEUSERS_REQ_MSG
Element Name | Description
RoleName (required element) | Complete role name. Required and case-sensitive.
SearchString | Optional search string used for specifying the user name or the first few characters of the user name. If no value is entered, all users for the role will be returned. This value is case-sensitive.
Example Request:
This is an example of a request to select all users that begin with PS and have the role PeopleSoft Administration.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLEUSERS_REQ_MSG.VERSION_1"
    xmlns:qas1="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLEUSERS_REQ.VERSION_1">
  <soapenv:Header/>
  <soapenv:Body>
    <qas:QAS_LISTROLEUSERS_REQ_MSG>
      <!--Zero or more repetitions:-->
      <qas:QAS_LISTROLEUSERS_REQ>
        <qas1:PTQASWRK class="R">
          <qas1:RoleName>PeopleSoft Administrator</qas1:RoleName>
          <!--Optional:-->
          <qas1:SearchString>PS</qas1:SearchString>
        </qas1:PTQASWRK>
      </qas:QAS_LISTROLEUSERS_REQ>
    </qas:QAS_LISTROLEUSERS_REQ_MSG>
  </soapenv:Body>
</soapenv:Envelope>
Response Message: QAS_LISTROLEUSERS_RESP_MSG
Element Name | Description
UserName | User name.
Description | User description.
Example Response:
<?xml version="1.0"?>
<QAS_LISTROLE_RESP_MSG xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLE_RESP_MSG.VERSION_1">
  <QAS_LISTROLE_RESP>
    <PTQASWRK class="R" xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LISTROLE_RESP.VERSION_1">
      <RoleName>QAS Admin</RoleName>
      <Description>QAS Administrators</Description>
    </PTQASWRK>
  </QAS_LISTROLE_RESP>
</QAS_LISTROLE_RESP_MSG>
This service operation is available for a client application to sign on to the PeopleSoft database and use QAS service operations to create and execute queries.
To use this service operation, the user must install and configure certificates.
See Understanding SSL and Digital Certificates.
Request Message: QAS_LOGIN_REQ_MSG
Element Name | Description
UserVerificationAttempt | Do not enter a value.
Example Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:qas="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LOGIN_REQ_MSG.VERSION_1">
  <soapenv:Header/>
  <soapenv:Body>
    <qas:UserVerificationAttempt></qas:UserVerificationAttempt>
  </soapenv:Body>
</soapenv:Envelope>
Response Message:
Element Name | Description
IsValidUser | Returns Y if the user is validated.
Example Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <qss:QAS_LOGIN_RESP_MSG xmlns:qss="http://xmlns.oracle.com/Enterprise/Tools/schemas/QAS_LOGIN_RESP_MSG.VERSION_1">
      <isValidUser>Y</isValidUser>
    </qss:QAS_LOGIN_RESP_MSG>
  </soapenv:Body>
</soapenv:Envelope>
The QAS Administration page is used to monitor QAS query execution. To access it, the user must have permission to the QAS Administration page (PSQASADMIN).
After executing a query, the client application is responsible for canceling the query, which will delete the row from the PSQASRUN table. If the rows are not deleted by the client application, the QAS Administrator can delete the rows using the QAS Administration page.
To access the QAS Administration page, select PeopleTools, Utilities, Administration, QAS Administration (PSQASADMIN).
This page displays the run status for QAS service operations that execute queries on the PeopleSoft system. Depending on the execution type and output format, you will see various run statuses.
This table lists the run statuses by output format.
Output Format | Status | Description
FILE | running | The report is running in Process Scheduler.
FILE | posting | The report was posted to the report repository.
FILE or NONFILE | error | The query encountered an error. If the query does not exist or the user does not have access to the query, an error will occur.
NONFILE | success | The query data is stored in the Integration Broker runtime tables.
Use the Clear button to delete entries from the page.