Administering User Profiles

This chapter provides an overview of user profiles and discusses how to:

 

Click to jump to parent topicUnderstanding User Profiles

User profiles define individual PeopleSoft users. You define user profiles and then link them to one or more roles. Typically, a user profile must be linked to at least one role to be a usable profile. The majority of values that make up a user profile are inherited from the linked roles.

Note. A user profile may have no roles; for example, a user who is not allowed access to the PeopleSoft application. You still want workflow-generated email sent to the user.

You define user profiles by entering the appropriate values on the user profile pages. The user profile contains values that are specific to a user, such as a user password, an email address, an employee ID, and so on.

The user ID and description appear at the top of each page to help you recall which user profile you are viewing or modifying as you move through the pages.

Click to jump to parent topicSetting Up Access Profiles

This section provides an overview of access profiles and discusses how to:

Click to jump to top of pageClick to jump to parent topicUnderstanding Access Profiles

Every user profile must be assigned to an access profile, by way of a Symbolic ID. The Access ID consists of a relational database management system (RDBMS) ID and a password. Access profiles provide the necessary IDs and passwords for the database logon operations that occur in the background. Access IDs are used:

Users signing in to the system through PeopleSoft Pure Internet Architecture take advantage of the Access ID that the application server used for connecting to the database.

Access profiles enable you to minimize the number of users who need to know system administrator passwords. In fact, only one person needs to know these passwords. That person can create the required access profiles—by providing the necessary passwords when prompted—and all other security administrators can assign users to the predefined access profiles. The Access ID and password are encrypted in the database in the PSACCESSPRFL table.

Before you begin creating your user profiles, roles, and permission lists, you need to set up your access profiles in the database. Ultimately, the access profile is the profile that your users use to connect to your PeopleSoft database. Without being associated with an access profile, users cannot sign in, even with a test ID. This association is by way of the symbolic ID, which is a proxy ID for the Access ID and Access password.

The ID that you use must be defined at the RDBMS level as a valid RDBMS ID. You do not use PeopleSoft or PeopleTools software to create an RDBMS ID; create it using the utilities and procedures defined by your RDBMS platform. After you create the RDBMS ID, use the PeopleTools access profiles utility to link your RDBMS ID to the access profile. This profile is created when you first install your database.

Click to jump to top of pageClick to jump to parent topicUsing the Access Profiles Dialog Box

Access the Access Profiles dialog box in Application Designer (Tools, Miscellaneous Definitions, Access Profiles).

Close

Click to exit this dialog box.

New

Click to create a new access profile definition.

Edit

Click to edit an access profile definition.

Delete

Click to delete an access profile definition.

Click to jump to top of pageClick to jump to parent topicSetting Access Profile Properties

When you create or modify an Access Profile using the Access Profiles dialog, you need to understand the properties that comprise an access profile. After reading this section, you will be familiar with these properties.

Access the Add Access Profile dialog box (click the New button in the Access Profiles dialog box).

Symbolic ID

Enter the Symbolic ID that is used to retrieve the encrypted ACCESSID and ACCESSPSWD from PSACCESSPRFL. For your initial installation, set it equal to the database name.

Access Profile ID

Enter the Access Profile ID, which must be a valid RDBMS ID with system administrator privileges and must match the associated RDBMS ID. The system assumes that the RDBMS ID that you enter is the same as the Access Profile ID.

The Access Profile ID must be a different logon ID than the User ID. Logic within PeopleTools ensures that if Access ID = User ID, then PeopleTools does not log off and log on again, nor does the system issue a SET CURRENT SQLID = ‘owner ID’.

Note. In DB2 terminology, Access ID is a primary ID and Owner ID is a secondary Auth ID. If the Access ID does not equal the Owner ID, then secondary authorization security exists in DB2 to issue a SET CURRENT SQLID command. DB2 will qualify tables (required) with the Owner ID provided by SET CURRENT SQLID statements issued by the PeopleSoft software. If the Access ID equals the Owner ID, then the secondary authorization exits are not required. DB2 will qualify the table name with the Access ID.

Access Password

Enter the password associated with your RDBMS ID/Access Profile ID, which is the password that the Access ID uses to sign in to the database.

Click to jump to top of pageClick to jump to parent topicWorking with Access Profiles

This section discusses how to create a new Access Profile definition, change an Access Profile password, and delete an Access Profile in the PeopleSoft system.

To create a new Access Profile definition:

  1. In PeopleSoft Application Designer, select Tools, Miscellaneous Definitions, Access Profiles.

    The Access Profiles dialog box appears.

  2. Click New.

    The Add Access Profile dialog box appears.

    This dialog box prompts you for the Symbolic ID, name, and password of the new access profile.

  3. Enter a Symbolic ID.

    The Symbolic ID is used as the key to retrieve the encrypted ACCESSID and ACCESSPSWD from PSACCESSPRFL.

  4. Enter an Access Profile ID.

    This ID must be a valid RDBMS ID with system administrator privileges.

  5. Enter and confirm a password.

    The access password is the password string for the RDBMS ID/Access Profile ID. The Confirm Password field is required, and its value must match that of the Access Password field.

  6. Click OK.

Note. You should use only one Access ID for your system. Some RDBMSs do not permit more than one database table owner. If you create more than one Access ID, additional steps may be required to ensure that this ID has the correct rights to all PeopleSoft system tables.

To change an Access Profile password:

  1. In Application Designer, select Tools, Miscellaneous Definitions, Access Profiles.

    The Access Profiles dialog box appears.

  2. In the Access Profiles: list, highlight the profile that you want to modify, and click Edit.

    The Change Access Profile dialog box appears.

    This dialog box prompts you for the old password, the new password, and then a confirmation of the new password for the access profile.

  3. Enter and confirm the new password.

    The access password is the password string for the ID. The Confirm Password field is required, and its value must match that of the Access Password field.

  4. Click OK.

To delete an Access Profile:

  1. Select Tools, Miscellaneous Definitions, Access Profiles.

    The Access Profiles dialog box appears.

  2. Highlight the access profile that you want to remove, and click Delete.

    You are prompted to confirm the deletion.

    Click Yes at the prompt dialog box if you want to delete the selected access profile.

Important! Make sure you don't delete the only available Access ID or you will not be able to log on to PeopleSoft software in any capacity.

Click to jump to parent topicSetting Up User Profile Types

This section provides an overview of user profile types and discusses how to define user profile types.

Click to jump to top of pageClick to jump to parent topicUnderstanding User Profile Types

When deploying your applications to the internet, you potentially can generate thousands of different user profiles. In some situations, you may need to aggregate your user profiles by category. For example, ID types enable you to use employee ID numbers that begin at 1 as well as customer ID numbers that begin at 1.

User profile types also provide a way to link user profiles with data stored in application-specific records. PeopleSoft applications primarily need this link for self-service transactions. For example, you want employees to see only their own benefits, or you want customers to view and pay only their own bills. Customer ID, Employee ID, and so on are the keys for the application data. User profile types enable the system to find the correct ID based on the user profile. The system needs the value because personal data and vendor contact data may have the same key field. Because personal data and vendor contact data resides in different records, no edit exists that will prevent the two records from having the same key.

This table lists the profile types that PeopleSoft delivers:

ID Type

Description

BID

Bidder

CNT

Customer Contact

CST

Customer

EJA

External Job Applicant

EMP

Employee

NON

None

ORG

Organization ID

PER

Person (CRM)

VND

Vendor

PTN

Partner

Click to jump to top of pageClick to jump to parent topicPage Used to Set Up User Profile Types

Page Name

Definition Name

Navigation

Usage

User Profile Types

PSOPRALIASTYPE

PeopleTools, Security, Security Objects, User Profile Types

Define user profile types.

Click to jump to top of pageClick to jump to parent topicDefining User Profile Types

Access the User Profile Types page (PeopleTools, Security, Security Objects, User Profile Types).

ID Type

Displays the abbreviated form of the profile type name.

Description

Enter a name for the profile type that is no more than 30 characters. This value appears on the ID page in the User Profiles component.

Enabled?

Select this check box to enable a profile type. When selected, you can assign the profile type to user profiles. When deselected, the profile type does not appear in the Profile Type drop-down list box on the User Profile - ID page.

Note. Do not enable the ID type until the fields and tables in the Field Information section are defined and built using Application Designer.

Sequence Number

The SetUserDescr( ) function uses this value.

After you assign one or more ID types on the User Profiles - ID page, click the Set Description link and the SetUserDescr( ) function automatically retrieves the value of the recordfield that you reference in the Edit Table and Description Fieldname fields on the User Profile Types page. If you assign multiple ID types, the sequence number determines which user profile type to use. The function looks to the user profile type with the lowest sequence number and checks for the presence of a value in the description field. If no value exists, the function moves to the next higher sequence number. For example, if you assign a user both the Employee (seq no 1) and Customer Contact (seq no 3) ID types, then the function first looks to the Employee user profile type and retrieves the value in the PERSONAL_DATA.NAME field. If the PERSONAL_DATA.NAME field contains no value, the function looks to the Customer Contact ID type and retrieves the value from the CONTACT.NAME1 field.

Note. For user types that list multiple fields, the system uses the Description Fieldname of the last field in the field list. For example, the Customer Contact user profile type lists two fields: SETID and CONTACT_ID. The set user description function uses the Description Fieldname CONTACT.NAME1 corresponding to the last field, CONTACT_ID.

Long Description

Enter details about a profile type. The maximum length of this field is 250 characters.

Field Information

The fields that you select enable the User Profiles component to prompt for an ID value when you select a type on the ID page. For example, if the user selects the Employee ID type from the User Profiles - ID page, the system must know the table that contains the valid ID values to display to the user when the user clicks the prompt button. The Edit Table column specifies the record, and the Field Name column specifies the field. You can specify multiple fields if the ID has multiple keys, as is the case of the Customer user profile type where the keys for customer information are SETID and CUST_ID.

Click to jump to parent topicWorking With User Profiles

This section discusses how to:

Click to jump to top of pageClick to jump to parent topicCreating a New User Profile

To create a new user profile:

  1. Select PeopleTools, Security, User Profiles, User Profiles to access the Find Existing Values page.

  2. Click Add a New Value.

  3. On the Add a New Value page, enter the new user ID in the User ID field and click Add.

    The user ID can contain up to 30 characters. The name that you specify cannot contain white space or any of the following characters:

    ; : & , < > \ / " [ ] ( )

    Also, you cannot create a user ID named PPLSOFT; this user ID is reserved for use within PeopleTools.

  4. Specify the appropriate values from the pages in the User Profiles component (USERMAINT), and click Save.

Click to jump to top of pageClick to jump to parent topicCopying a User Profile

To copy a user profile:

  1. Select PeopleTools, Security, User Profiles, Copy User Profiles to access the Find an Existing Value search page.

  2. Select the user ID that you want to copy.

  3. On the User Profile Save As page, enter the new user ID, a description, and the password that the new user ID should use to sign in to the system.

Note. If Copy ID Type Information is not selected, the system does not save the EMPLID value to the PSOPRDEFN table.

Click to jump to top of pageClick to jump to parent topicDeleting a User Profile

To delete a user profile:

  1. Select PeopleTools, Security, User Profiles, Delete User Profiles to access the Delete User Profile page.

  2. Make sure that you have selected the correct user profile.

  3. Click Delete User Profile to remove information related to this particular user profile that appears in every PeopleTools and application data table in which the OPRID field is a key field.

    Note. Query the PS_TBLSELECTION_VW view to list the tables in which the OPRID field is a key field.

    To prevent user information in a specific table from being deleted, you can designate tables that the delete user process bypasses.

See Also

Component Interfaces

Click to jump to top of pageClick to jump to parent topicBypassing Tables During the Delete User Profile Process

Access the Bypass Tables page (PeopleTools, Security, Security Objects, Tables to Skip).

When you delete a user profile and its related information, you might not want to delete tables that contain rows of user profile data. For instances such as these, you can specify the tables for the delete process to skip.

To bypass tables during the Delete User Profile process:

  1. Click the prompt button to select the record name to skip.

    Note. The prompt displays only records that contain the OPRID field as a key field. The view behind this prompt is the PS_TBLSELECTION_VW.

  2. Insert additional rows for other table names, as necessary.

  3. Click the Save button.

See Also

Preserving Historical User Profile Data

Click to jump to parent topicSpecifying User Profile Attributes

This section discusses how to:

Click to jump to top of pageClick to jump to parent topicPages Used to Specify User Profile Attributes

Page Name

Definition Name

Navigation

Usage

General

USER_GENERAL

PeopleTools, Security, User Profiles, User Profiles, General

Set general user profile attributes.

ID

PSOPRALIAS

PeopleTools, Security, User Profiles, User Profiles, ID

Set ID type and attribute value.

Roles

USER_ROLES

PeopleTools, Security, User Profiles, User Profiles, Roles

Add roles to a user profile. This task defines user access in the PeopleSoft system. Through roles, the user inherits permission lists.

Workflow

USER_WORKFLOW

PeopleTools, Security, User Profiles, User Profiles, Workflow

Specify workflow settings for a user.

Audit

USER_AUDIT

PeopleTools, Security, User Profiles, User Profiles, Audit

Determine when and who last updated a profile.

Links

USER_OTHER

PeopleTools, Security, User Profiles, User Profiles, Links

Display any additional links added.

User ID Queries

USER_QUERY

PeopleTools, Security, User Profiles, User Profiles, User ID Queries

Run queries about a user profile.

Click to jump to top of pageClick to jump to parent topicSetting General User Profile Attributes

Access the General page (select PeopleTools, Security, User Profiles, User Profiles and click the General tab).

Logon Information

Account Locked Out?

Select this check box to deactivate a user profile for any reason. The user cannot sign in until you have deselected this option.

Note. The system automatically selects this check box if you are using password controls and the user exceeds the maximum number of failed logon attempts. The administrator needs to manually open the user profile and deselect this check box to reinstate the user.

Symbolic ID

Enter a value to retrieve the appropriate encrypted access ID and access password. This value determines which access ID and password are used to log the user onto the database after the system validates the user ID.

The access ID is required only when a user needs to connect directly to the database (in two-tier). The access ID is not required with the portal or if you use a Lightweight Directory Access Protocol (LDAP) directory server to manage user IDs.

With PeopleSoft Pure Internet Architecture, the application server maintains the connection to the database, so the application server must submit an access ID.

Password and Confirm Password

Enter the password string that the user must supply when signing in. The value in the Confirm Password field must match that in the User Password field. The maximum password length is 32 characters.

Note. These values are required to sign in to the system, but you can save the profile without populating these fields.

Password Expired?

If you are using PeopleSoft password controls, this option enables you to force users to change their passwords in the following situations:

  • The first time that a user signs in to PeopleSoft software.

  • The next time that a user signs in.

  • The first time that a user signs in after the system has emailed the user a randomly generated password.

Note. To use this option, you must enable the Password Expires in 'x' Days PeopleSoft password control.

When a user's password has expired, the Password Expired check box becomes enabled and selected. By deselecting the check box and saving the change, you can renew the password, although we do not recommend this practice.

User ID Alias

Enter a fully qualified email ID (email address) as a user ID alias. For example, [email protected] could be the user ID used to sign in to the system. The maximum character length is 70.

Edit Email Addresses

If a user is part of the workflow system or you have other systems that generate email for users, click this link to enter an email address for a user. You can enter multiple email addresses for a user, but you must select one as the primary email address. The system allows only one email address per type. For example, you cannot enter two home email addresses.

The Email Addresses interface has the following controls:

  • Primary Email Account: If you enter multiple email accounts, you must select one as the primary account.

  • Email Type: Select from Blackberry, Business, Home, Other, or Work.

    The Blackberry email type is used with the Workflow/RIM technology.

  • Email Address: Enter the email address in this field.

General Attributes

Language Code

Select a value. The language code on the User Profile page has a limited use. For example, when a user runs a batch job, the system needs to know in which language to generate the reports for the user who submitted the job.

In PeopleSoft Pure Internet Architecture, the user’s language preference is based on the selection that the user makes on the signon page.

For Microsoft Windows workstations, the user’s language preference is derived from the Display tab in PeopleSoft Configuration Manager. For the Microsoft Windows environment, the value specified as language code in the user profile acts as a default in case the language code is not specified in PeopleSoft Configuration Manager.

Currency Code

If the user works with international currencies, select a currency code to reflect the native or base currency. Values will appear in the currency with which the user is familiar.

Default Mobile Page

Select the mobile homepage that should appear after users sign on to their mobile device.

Important! PeopleSoft Mobile Agent is a deprecated product. These features exist for backward compatibility only.

Enable Expert Entry

Select to specify that some users, such as expert or power users, can defer all processing of the data that they enter. This selection enables users to reduce the number of trips to the server for data processing, regardless of how the developer set field deferred or interactive processing. You enable this option in a component in Application Designer, and you specify which users have this option using the Enable Expert Entry check box.

Deselect this check box to prevent a user from specifying deferred processing.

Allow Switch User

Select this option to designate users who can change identities in a PeopleSoft system. This feature applies only when accessing PeopleSoft applications using a browser; it has no effect on two-tier or three-tier connections.

The default for this feature is hidden. You display this check box by changing the Enable Switch User options on the PeopleTools Options page.

See General Options.

Permission Lists

Navigator Homepage

Enter a value associated with PeopleSoft Workflow.

Process Profile

Displays a value that contains the permissions that a user requires for running batch processes through PeopleSoft Process Scheduler. For example, the process profile is where users are authorized to view output, update run locations, restart processes, and so on.

Note. Only the process profile comes from this permission list, not the list process groups.

Primary and Row Security

Displays which data permissions to grant a user by examining the primary permission list and row security permission list. Which one is used varies by application and data entity (employee, customer, vendor, business unit, and so on). Consult your application documentation for more details.

The system also determines mass change (if needed), and definition security permissions from the primary permission list.

Click to jump to top of pageClick to jump to parent topicSetting ID Type and Attribute Value

Access the ID page (select PeopleTools, Security, User Profiles, User Profiles and click the ID tab).

ID Types and Values

ID Type and Attribute Value

Select the ID type and attribute value. Separating user profiles by ID type enables you to have multiple categories of user profiles with ID numbers all within a range of 1–1000, for example, and it also enables you to grant data permission by entity (customer, employee, and so on). When users sign in to your benefits or payroll deductions application, they see only information that applies to them.

A user profile is a set of data about an entity—a user—who interacts with the system. The human resources (HCM) system, which keeps track of your employee data, is designed to focus more on your employee user types. On the other hand, your financials system is designed to keep track of customer and supplier user types. ID types enable you to link user types with the records that are most relevant when a user interacts with the system.

In the Attribute Value field, select the value associated with the attribute name. In this case, the value reflects the employee number, but it could be a customer number or vendor number.

User Description

The User Description section enables you to help identify the user.

Description

Add a description, such as the name of an individual or an organization, for the user profile.

Set Description

Click this link to populate the field with a description from the database.

Note. Before you assign a user type to a user, you must create user types.

See Also

Setting Up User Profile Types

Click to jump to top of pageClick to jump to parent topicSetting Roles

Access the Roles page (select PeopleTools, Security, User Profiles, User Profiles and click the Roles tab).

Role Name

Displays the name of the role added to the user profile.

Description

Displays a description of the role added to the user profile.

Dynamic

Selected if the system assigned a particular role dynamically.

Route Control

Specify a route control profile for each role assigned to a user. For example, suppose that you have a role named EXPENSE_REP. If you want a particular expense representative to handle all of the expense reports submitted by people whose last names begin with A, you could assign the user a specific route control profile to send the user reports submitted by individuals with last names beginning with A.

View Definition

Click to view the role definition associated with this user profile.

See Understanding Route Control Development.

See Using the PeopleSoft Administrator Role.

Dynamic Role Rule

Use these options to test and manually carry out business rules for dynamically updating roles and assigning them to user profiles. You design your role rules using Query Manager, PeopleCode, or LDAP directory rules.

Execute on Server

Select the Process Scheduler server that should run your role rule.

Test Rule(s)

Click to test the rules and verify if they will produce the desired results for a particular user. None of the roles are actually assigned, but the system provides you a report as to what roles will be assigned when you run the rule.

Execute Rule(s)

Click to run the rules and manually assign the appropriate roles to a particular user. Typically, you implement role rules on a regular schedule through PeopleSoft Process Scheduler.

Process Monitor and Service Monitor

Click to view the status of the process carrying out the role rule and the messages that the process invoked.

Click to jump to top of pageClick to jump to parent topicSpecifying Workflow Settings

Access the Workflow page (select PeopleTools, Security, User Profiles, User Profiles and click the Workflow tab).

Workflow Attributes

Alternate User ID

Select an alternate role user to receive routings sent to this role user. Use this option when the role user is temporarily out (for example, on vacation or on leave).

If the field contains a role user name, the system automatically forwards new work items for whoever is assigned as the current role user to the alternate role user.

Note. The system forwards new work items to the alternate role user. It does not reassign items already in the user’s worklist.

Note. When applying an alternate user ID in your workflow settings, make note of the fact that the system only sends workflow routings to the immediate alternate user ID. The system does not send routings down multiple levels of alternate user IDs. For example, assume user A specifies user B as the alternate user ID while user A is out of the office. Also assume that user B is out of the office at a time during user A’s absence, and user B specifies user C as an alternate user ID for this time. In this case, the system does not send workflow routings originally intended for user A to user C.

Note. The Alternate User Id routing functionality is only meant to work with Role based applications, such as Virtual Approver (VA) Workflow in PeopleTools and Enterprise Component Approval Framework. In VA Workflow, the route is to Roles, not specific Users. And where the Enterprise Component Approval Framework worklist use Roles, the Alternate User ID routing functionality works.

The Workflow Field Mapping must be mapped to a Role or a Role Query in order for Alternate User to work.

From Date and To Date

Enter the date on which the current role user is going to begin and return from a temporary vacancy. This field specifies the time period that the alternate user ID is used.

Supervising User ID

Select the user ID of the user’s supervisor from this drop-down list box. The system uses this value when it needs to forward information to the user’s supervisor.

The system uses the PERSONAL_DATA record to determine the user’s supervisor.

Note. If you are using PeopleSoft Human Capital Management (PeopleSoft HCM) applications, this field should not appear. If it does, you must set your workflow system defaults.

Routing Preferences

Specify the routing types that this role user can receive. The Routing Preferences box shows the two places where the system can deliver work items: to a worklist or to an email mailbox. If the user does not have access to one or both of these places, deselect the check box. For example, if this person is not a PeopleSoft user, deselect Worklist User.

Reassign Work

Reassign Work To

Use to reassign pending work for this role user if positions change or a user is temporarily out, such as on leave or on vacation.

If this user has work items waiting (as shown by the Total Pending Worklist Entries in your Workflow interface), select this check box and select the user to whom work items should be forwarded from the drop-down list box. When you save the page, the system reassigns existing worklist entries to the specified user.

Note. If you don’t reassign pending work items, they remain unprocessed.

Total Pending Worklist Entries

Displays worklist items that require a user's attention.

See Also

Defining Roles and Users

Click to jump to top of pageClick to jump to parent topicViewing When a User Profile Was Last Updated

Access the Audit page (select PeopleTools, Security, User Profiles, User Profiles and click the Audit tab).

The Audit page is a display-only page that enables you to determine:

Click to jump to top of pageClick to jump to parent topicDisplaying Additional Links

Access the Links page (select PeopleTools, Security, User Profiles, User Profiles and click the Links tab).

Use this page to access links to other pages within your PeopleSoft system. For example, perhaps a PeopleSoft application requires a specific security setting to be associated with a user profile. If this application-specific setting appears on a page not in PeopleTools Security, add a link to the application page so that anyone updating the user profile can easily navigate to the page.

Note. The Links page is read-only. You create the inventory of links to pages that exist outside of PeopleTools Security by using the Security Links component.

If you added links for user profiles in the Security Links component, they appear on the Links page.

Click to jump to top of pageClick to jump to parent topicRunning User ID Queries

Access the User ID Queries page (select PeopleTools, Security, User Profiles, User Profiles and click the User ID Queries tab).

User ID queries enable you to run queries that provide detailed information about a user profile, such as the permission lists and roles associated with the user profile. The available queries are documented on the page.

To run a user ID query:

  1. Click the link associated with the query that you want to run.

    This action invokes a new browser window.

  2. View the information that the query returns to the new browser window or select a download option.

    For downloading, you have the following options:

Click to jump to parent topicWorking With Passwords

This section discusses how to:

Click to jump to top of pageClick to jump to parent topicSetting Password Controls

Access the Password Controls page (PeopleTools, Security, Password Configuration, Password Controls).

You use the Password Controls page to set any password restrictions, such as duration or minimum password length, that you want to impose on your end users. These options apply when you are maintaining your user profiles within PeopleSoft, not within a directory server.

Enable Signon PeopleCode

Select this check box to enable the following PeopleSoft password controls: Age and Account Lockout. The other password controls are not enabled by this box.

If you do not want these password controls, for example, you already have a third-party utility that performs equivalent features, then deselect this check box.

Note. If you change the status of the Enable Signon PeopleCode check box, you must restart the application server.

You can extend or customize the controls by modifying the PeopleCode.

Password Expiration

You define a number of days (between 1 and 365) that a password is valid. To do this, select the Password Expires in ‘N’ Days option. Users logging on after a password expires must change their password to log on. If you do not want the password to expire, then select Password Never Expires. When a password expires, a user cannot sign in to the system and is prompted to change the password.

If you want to specify a duration for which the system warns users that their password is about to expire, you have the following options:

  • If you want to specify a warning period, select Warn for 'N' days and enter the number of days in the field.

  • If you do not want any warning period, select Do not warn of expiration.

PeopleSoft delivers a default permission list named PSWDEXPR (Password Expired). When a user's password expires, the system automatically removes all of the user's roles and permission lists, and temporarily assigns them the PSWDEXPR permission list only.

A user whose password has expired can access only items in the PSWDEXPR permission list, which typically grants access to the Change Password component (CHANGE_PASSWORD) only. For the duration of the session, as in until the user changes the password, the user is restricted solely to the PSWDEXPR permission list.

Note. The actual user profile stored in the database is not changed in any way when the password expires. You do not need to redefine the profile. When the password is changed, the system restores the user profile's previous roles and permission lists.

Account Lockout

This control enables you to lock an account after n number of failed logon attempts. For example, if you set the Maximum Logon Attempts value to 3, and a user fails three signon attempts, they are automatically locked out of the system. Even if they correctly enter a user ID and password on the fourth attempt, the user is not permitted to log on. This feature reduces the risk of any intruders using brute force to break into your system. It also provides a reminder to users to remember their passwords.

After an account is locked out, a system administrator must open the user profile and deselect the Account Locked check box manually.

Miscellaneous

The Allow password to match User ID control enables administrators to make sure users do not use their own user ID as a password. This control helps you prevent hackers from guessing passwords based on a list of employee names.

Minimum Length

Administrators can set a minimum length for passwords maintained by the PeopleSoft system. If the minimum length is set to 0, then the PeopleSoft password controls do not enforce a minimum length on the user’s password; however, the password cannot be blank. When you create a new user or a user changes a password, the system checks this value. If it is not zero, then the system tests the password to ensure it meets length requirements and if it does not, an error message appears.

Character Requirements

Administrators can require a set number of digits or special characters within a password. Special characters refer to symbols such as # and @, and digits refer to numbers (integers), such as 1 or 2.

Here is the list of special characters you can include within a password:

! @ # $ % ^ & * ( ) - _ = + \ |[ ] {} ; : / ? . > <

Note. The maximum password length is 32 characters.

Purge Inactive User Profiles

This setting enables you to purge the system of user profiles that have not been used in a specified amount of time. If you maintain user profiles in a directory server, a row is added to the PSOPRDEFN table for the system to access while the user interacts with the system. However, when the user is deleted from the directory server, you must manually delete the row in PSOPRDEFN associated with the deleted user profile.

After you set the time value and save the page, click the Schedule button to access the PURGEOLDUSRS Application Engine program that performs the delete process.

Password History

This control enables you to define the number of user passwords to retain in the password history table. If the user attempts to reuse a password that is stored in the password history table, the application issues an error and prompts the user to enter a different password.

When the user reaches the maximum number of passwords indicated in the Number of Passwords to Retain field, the system deletes the oldest password and then stores the current password.

Note. If the password history table contains values and you change theNumber of Passwords to Retain field value to 0, the system deletes the password history for all users.

Click to jump to top of pageClick to jump to parent topicChanging Passwords

Access the Change My Password page (from the homepage, click Change My Password). The PeopleSoft system enables users to change their passwords as needed.

To change a PeopleSoft password:

  1. From the homepage, click Change My Password.

  2. On the Change Password page, enter the current password in the Current Password field.

  3. In the New Password field, enter a new password.

  4. Confirm the new password by entering it again in the Confirm Password field.

  5. Click Change Password.

Click to jump to top of pageClick to jump to parent topicCreating Email Text for Forgotten Passwords

Before the system emails a new, randomly generated password to a user, you want to make sure they are who they claim to be. The Forgotten Password feature enables you to pose a standard question to users requesting a new password to verify the user's authenticity. If the user enters the appropriate response, then the system automatically emails a new password.

When a user has forgotten a PeopleSoft password, the system sends the user a new password within an email message. You can have numerous password hints, but typically, you send all new passwords using the same email message template. Because of this, PeopleSoft provides a separate page just for composing the standard email text that you use for your template.

Access the Forgot My Password Email Text page (PeopleTools, Security, Password Configuration, Forgot My Password Email Text).

Add the following text string in the Email Text field:

<<%PASSWORD>>

The system inserts the new password here. The %PASSWORD variable resolves to the generated value.

Note. You might instruct the user to change the password to something easier to remember after they sign on to the system with the randomly generated password. Only users who have the Allow Password to be Emailed option enabled on the Permission List - General page can receive a new password using this feature.

Click to jump to top of pageClick to jump to parent topicCreating Hints for Forgotten Passwords

Access the Forgot My Password Hint page (PeopleTools, Security, Password Configuration, Forgotten Password Hint).

With these hints set up, users can access the Forgot My Password page. If the user answers the question correctly, a new password is sent through the email system.

To create a forgotten password hint:

  1. Click Add a New Value.

  2. On the Add a New Value page, enter a three-character ID in the Password Hint ID field.

  3. Click Add.

  4. Select the Active check box.

  5. Enter your question to verify that the user is who he or she claims to be.

  6. Click Save.

Click to jump to top of pageClick to jump to parent topicDeleting Hints for Forgotten Passwords

To delete a password hint:

  1. Select PeopleTools, Security, User Profiles, Delete Forgotten Password Hint.

  2. Enter the specific code for the hint or perform a search for it.

  3. On the Delete Forgot My Password Hint page, select the appropriate hint.

  4. Click Delete.

Click to jump to top of pageClick to jump to parent topicSetting Up the Site for Forgotten Passwords

PeopleSoft recommends setting up a site specifically designed for users who have forgotten their passwords. This site would require no password to enter, but it would provide access only to forgotten password pages.

To set up a forgotten password site:

  1. Set up a separate PeopleSoft Pure Internet Architecture site on your web server.

  2. Set up a direct connection to the site, such as a link to it.

  3. In the web profile, enable public access and specify a public user ID and password for automatic authentication.

    This direct user should have limited access, for example, only to the Email New Password component. Users go directly to it, and a new password is emailed.

  4. Place a link to the forgotten password site within the public portion of the PeopleSoft portal or on another public web site.

  5. Notify your user community of the link.

Note. The site should have this format: http://webserver/psp/sitename/portalname/localnodename/c/MAINTAIN_SECURITY .EMAIL_PSWD.GBL?

Click to jump to top of pageClick to jump to parent topicRequesting New Passwords

To request a new password, access the hidden Forgot My Password page (EMAIL_PSWD2).. The system randomly generates a new password and emails it to the user.

Before the system can email the user a new password, complete these tasks:

See Setting General Permissions.

To request a new password:

  1. Click the Forgotten Password link on the PeopleSoft signon page (or direct the user to the Forgotten Password link.)

  2. On the Forgot My Password page, enter your user ID.

  3. Click Continue.

  4. On the Email New Password page, verify that the system is set to send the new password to the appropriate email address.

    If the appropriate email address does not appear, contact your system administrator. System administrators must make sure that the email address is correctly represented for each user who intends to use this feature.

    Note. Use Application Designer to change any display properties of the fields on the EMAIL_PSWD2 page.

  5. Respond to the user validation question.

    Note. The user must have set up the forgotten password help.

    See Changing Your Password.

  6. Click Email New Password.

Click to jump to parent topicImplementing Distributed User Profiles

This section provides an overview of distributed user profiles and discusses how to:

Click to jump to top of pageClick to jump to parent topicUnderstanding Distributed User Profiles

As your user population increases in size, it can become impractical for one person to centrally administer all of your system's user profiles. You can distribute some or all user profile administration tasks by enabling selected users to use the Distributed User Profiles component (USERMAINT_DIST) to control the granting of selected roles to other users.

The pages in the Distributed User Profiles component are identical to the corresponding pages in the User Profiles component, except that its User Roles page does not include links for editing the assigned roles. You can restrict who can use the component, which users they can administer, and what roles they can grant, based on the roles to which they themselves belong. For example, you might specify that users in the Line Manager role can grant the Shipping Clerk role to other users. The effect of this is to designate line managers as remote security administrators who can administer the user profiles of shipping clerks. In addition to granting and managing roles, a remote security administrator can administer all parts of a user profile, including passwords, email addresses, and workflow.

Important! Distributing user profile administration might affect regulatory compliance (for example, Sarbanes Oxley). You are responsible for determining and accounting for any effect of using this feature.

To implement distributed user profiles:

  1. Use permission lists and roles to configure security to give selected remote security administrators access to the Distributed User Profiles component.

    Note. The PIA navigation path to this component is PeopleTools, Security, User Profiles, Distributed User Profiles.

  2. Use the Set Distributed User Profile Search Record page to define which user profiles can be administered with the Distributed User Profiles component.

    See Defining User Profile Access for Remote Security Administrators.

  3. Use the Role Grant page in the Roles component (ROLEMAINT) to specify which roles your remote security administrators can grant with the Distributed User Profiles component.

    See Defining Remote Security Administrator Role Grant Capability.

Click to jump to top of pageClick to jump to parent topicDefining User Profile Access for Remote Security Administrators

To define user profile access:

  1. Define a search record that returns only the user IDs that you want remote security administrators to be able to administer.

    Note. Initially, PSOPRDEFN_SRCH is the default search record for this purpose. You can accept the default and skip this step, but that action enables access to every user profile in your system. We encourage you to define a more restrictive search record.

    See PeopleTools 8.50 PeopleBook: PeopleSoft Application Designer, "Creating Component Definitions," Understanding Search Records.

  2. In a browser, select PeopleTools, Security, User Profiles, Distributed User Setup to access the Set Distributed User Profile Search Record page.

  3. In the New Search Record field, select the search record that you defined in Step 1, and then save.

    When remote security administrators access the Distributed User Profiles component, this search record enforces row-level security to restrict the set of user IDs that they can select and administer.

See Also

Understanding Search Records

Click to jump to top of pageClick to jump to parent topicDefining Remote Security Administrator Role Grant Capability

In a browser, select PeopleTools, Security, Permissions and Roles, Roles, Role Grant to access the Roles - Role Grant page.

You use this page to specify which roles can be granted using the Distributed User Profiles component and which users can grant them. This page is part of a role definition; you can configure this role to be a remote security administrator, a role that a remote security administrator can grant to users, or both.

Roles That Can Be Granted By This Role

By specifying one or more roles in this grid, you effectively designate users who belong to roles, and who have access to the Distributed User Profiles component, as remote security administrators. Add rows to enable this role to grant as many roles as appropriate. For example, you might want users who belong to the Shipping Manager role to be able to grant the Shipping Clerk (Temporary) role and the Packing Clerk (Temporary) role to other users.

Note. This grid is complementary to the Roles That Can Grant This Role grid, and it propagates its values accordingly. Using the example given, on the Role Grant page for the Shipping Clerk (Temporary) role and the Packing Clerk (Temporary) role, the Roles That Can Grant This Role grid now specifies Shipping Manager.

Roles That Can Grant This Role

By specifying one or more roles in this grid, you effectively designate users who belong to roles. and who have access to the Distributed User Profiles component,as remote security administrators, able to grant roles to users. Add more rows to enable additional roles to grant this role. For example, you might want users who belong to the Security Administrator role to be able to grant the Shipping Manager role to other users.

Note. This grid is complementary to the Roles That Can Be Granted By This Role grid, and it propagates its values accordingly. Using the example given, on the Role Grant page for the Security Administrator role, the Roles That Can Be Granted By This Role grid now specifies Shipping Manager.

View Definition

Click to view the associated role definition and ensure that you have selected the appropriate role to grant or to serve as a remote security administrator.

Click to jump to top of pageClick to jump to parent topicAdministering Distributed User Profiles

In a browser, select PeopleTools, Security, User Profiles, Distributed User Profiles to access the Distributed User Profiles component.

Remote security administrators can fully edit the user profiles that they access through the Distributed User Profiles component, including granting roles.

The users who remote security administrators can administer are determined by the search record you specified on the Set Distributed User Profile Search Record page.

The roles that a given remote security administrator can grant are determined by the selections that you made on the Roles - Role Grant page.

See Also

Specifying User Profile Attributes

Click to jump to parent topicTransferring Users Between Databases

You occasionally need to copy security information from one database to another. Typically, you do this as part of an upgrade or to transfer security information from your production environment to your development or testing environment. PeopleTools provides a set of Data Mover (DMS) scripts designed to export and import user profile security information. The provided scripts transfer user profile data from a source to a target database using these tables:

Note. Use Application Designer upgrade feature to upgrade both roles and permission lists.

One script exports User Profile data from the source database. The source database refers to the database that contains the User Profiles that you want to migrate. The target database refers to the database to which you are copying the user information.

After exporting the security information from the source database, you then run the import script against the target database. The target database refers to the database to which you want to transfer the security data. The scripts involved in transferring security information from one database to another are:

You will find this set of scripts in the <PS_HOME>/scripts folder.

Considerations

Before running scripts to export and import your security information, you should consider these topics:

Running the Scripts

Complete the following procedure to run the user transfer scripts:

  1. Using Data Mover, sign on to the source database and run USEREXPORT.DMS for user definitions.

    You can edit this script to specify the location and file name of the output file and the log file.

  2. Using Data Mover, sign on to the target database and run USERIMPORT.DMS for user definitions.

    You can edit the script to specify the location and file name of the input file and the log file. The name and location of the input file must match the output file you specified in Step 2.

  3. After copying user and role definitions, run the PeopleTools audits, including DDDAUDIT and SYSAUDIT, to check the consistency of your database.

Click to jump to parent topicTracking User Sign-in and Sign-out Activity

Access the Access Log Queries page (select PeopleTools, Security, Common Queries and click the Access Log Queries link on the Review Security Information page).

PeopleSoft Security provides two audit logs that track user sign-in and sign-out activity in PeopleSoft applications. Sign-in activity includes timeouts, browser closings, and browser freezes.

Select one of the following logs:

These logs are generated using data from the PSACCESSLOG table. If you are not interested in employing this functionality, you can delete the PSACCESSLOG table. Deleting this table does not have any negative effect.

Note. If you delete the PSACCESSLOG table and then decide that you would like to track user sign-in and sign-out activity, you must recreate the table using the same exact column names and order as were in the previous PSACCESSLOG table: OPRID, LOGIPADDRESS, LOGINDTTM, LOGOUTDTTM. Use Application Designer to open the PSACCESSLOG record definition and create the table.

Click to jump to parent topicPurging Inactive User Profiles

Access the Purge Inactive User Profiles page (PeopleTools, Security, User Profiles, Purge Inactive User Profiles).

Note. Before accessing this page, you must enter a run control ID.

See

This page enables you to access, run, and schedule the PURGEOLDUSRS Application Engine program. The PURGEOLDUSRS program deletes user profiles having an inactive status that exceeds the period specified in the Purge Inactive User Profiles section on the Password Controls page.

The Setup Purge Frequency for Inactive User Profiles link takes you to the Password Controls page, where you can enter a period (in days) under Purge Inactive User Profiles.

The Purge Inactive Users page is similar to the Delete User Profile page in that it invokes the process that removes all references to the user in any PeopleTools or application data table in which the OPRID field is a key. Before deleting user profiles, archive historical data according to local, state, and federal laws. Be sure to list historical and archival tables on the Tables to Skip page.

See Also

Working With Passwords

Bypassing Tables During the Delete User Profile Process

Component Interfaces

Click to jump to parent topicPreserving Historical User Profile Data

Although, you probably do not want to keep the permissions or signon access information for every user who has ever existed in the system, you generally do need to retain certain historical user profile data from your system. For example, local, state, and federal laws might demand that you retain certain employee history information. As another example, you might audit changes that users make to vital company data in the event you need to check that information a few months later if you discover some interesting financial allocations.

Use Data Archive Manager to archive and restore user profile data.

See

Important! Remember that deleting and purging user profile data deletes every row of data associated with a particular user profile from every table in which the OPRID field is a key field, including archived tables if they remain in your production database.

To preserve user profile information in a table for which the OPRID field is a key field, use the Bypass Tables page .

See Bypassing Tables During the Delete User Profile Process.