This chapter provides an overview of user profile synchronization and discusses how to:
Implement standard user profile synchronization.
Implement configurable user profile synchronization.
Transfer users between databases.
For implementations that use multiple PeopleSoft databases, you commonly have the same user in more than one database. Typically in production environments, you want the user profile information of the same user to be synchronized among databases. For example, if a user modifies her password or other user profile information in one database, you prefer that the system automatically synchronize the changes across the enterprise rather than have the user or an administrator manually replicate changes in multiple databases.
User profile synchronization involves setting up each PeopleSoft database in the enterprise to send and receive user profile updates through the Integration Broker. When you enter new profiles or modify and delete existing profiles on any publishing database and save, PeopleCode publishes a user profile service operation—which contains a user profile message—and routes the message to all subscribing nodes according to your specifications. The subscribing databases then update the user profile data with data from the publishing database.
Note. User profiles contain sensitive information. Design and implement user profile synchronization across different nodes with special care. As delivered, user synchronization behavior may not be acceptable in all cases.
Components Used to Update User Profiles
You can use these online components to make changes to user profile data:
User Profiles (USERMAINT)
Distributed User Profiles (USERMAINT_DIST)
My System Profile (USERMAINT_SELF)
Change My Password (CHANGE_PASSWORD)
Expired Password (EXPIRE_CHANGE_PSWD)
Forgot My Password (EMAIL_PSWD)
Administrators use the first two online components. The My System Profile component is a self-service component, which can be used to modify a limited set of data about a user. The Change My Password, Expired Password, and Forgot My Password components are used to change only the user password. Generally, the Forgot My Password component is configured as a public site that is separate from the PeopleSoft application. You can also modify user profile data through batch processes.
Types of User Profile Synchronization
PeopleSoft applications have two types of user profile synchronization:
Default user profile synchronization.
Configurable user profile synchronization.
The publishing processes for default and configurable user profile synchronization use different PeopleCode. PeopleSoft applications are delivered with the PeopleCode for both types of user profile synchronization. You select the appropriate PeopleCode by using the Security PeopleCode Options page. This page eliminates the need to access Application Designer to select the PeopleCode for the corresponding type of user profile synchronization.
Note. You should select the user profile synchronization type at the time of your implementation, after which you should restrict access to the Security PeopleCode Options page.
This section provides an overview of standard user profile synchronization and discusses how to set up a standard user profile synchronization.
When you implement standard user profile synchronization among databases, the subscribing databases have no control over the data that they receive and process, apart from the designed exclusions described below.
All participating databases use the USER_PROFILE service operation and the USER_PROFILE.VERSION_84 message during the publish and the subscribe processes.
This diagram shows the service operations and messages, and the way in which user profile data is published by and subscribed to by three PeopleSoft systems that are using standard user profile synchronization:
Diagram of the flow of user profile information as it uses standard synchronization among three PeopleSoft databases
Standard User Profile Synchronization Designed Exclusions
Adding and deleting user profiles on the publishing node cause corresponding changes on the subscribing nodes. Modifying user profiles on the publishing node causes corresponding changes on the subscribing nodes with these exceptions:
Changes to the primary email account are ignored if a primary email exists in the subscribing node.
Changes to a user ID type are ignored if the user ID type is not valid on the subscribing node. Instead, the subscribing node inserts an ID type of None if the subscribing node does not have a row for None already.
In general, changes that produce invalid field values in the subscribing node are ignored by the subscribing node.
To set up standard user profile synchronization, perform these tasks:
Turn on the Pub/Sub servers.
Define the local gateway URL for Integration Broker.
In each participating database, activate the domain in Integration Broker.
In each participating database, create and configure the remote nodes.
In each participating database, configure single signon by setting up each subscribing database as a trusted node.
In each participating database, define the gateway properties; include all PeopleSoft nodes.
In each participating database, activate the USER_PROFILE service operation.
Note. The default setting is Enabled.
In each participating database, configure and activate routings for the USER_PROFILE service operation.
In each subscribing database, select the Generate Any-to-Local check box to create the necessary inbound routings; or create point-to-point inbound routings.
In each publishing database, you must create outbound routings to each subscribing node. For example, if you are in a CRM database publishing to an HCM and a FIN database, you must create two outbound routings.
For each subscribing database, grant permission list security for the USER_PROFILE service operations.
This section provides an overview of configurable user profile synchronization and discusses how to:
Enable Security PeopleCode options.
Set up configurable user profile synchronization.
When you implement configurable user profile synchronization among databases, you can select, or configure, the fields containing data for which you want to subscribe.
All participating databases use the USER_PROFILE service operation and the USER_PROFILE.VERSION_84 message to publish user profile information. All participating databases use the USER_PROFILE_XFR service operation and the USER_PROFILE.VERSION_XFR message to subscribe to the incoming data. You configure the USER_PROFILE_XFR inbound routing with a USER_PROFILE.VERSION_84 external alias. This alias enables the subscribing databases to receive the inbound USER_PROFILE.VERSION_84 message and transform it based on your field configuration.
The USER_PROFILE.VERSION_XFR message definition excludes only the following record.fields by default:
PSOPRDEFN.OPRCLASS
PSOPRDEFN.ROWSECCLASS
PSOPRDEFN.SYMBOLICID
PSOPRDEFN.PRCSPRFLCLS
PSOPRDEFN.DEFAULTNAVHP
This diagram shows the service operations and messages, and the way in which user profile data is published by and subscribed to by three PeopleSoft systems that use configurable user profile synchronization:
Diagram of the flow of user profile information as it uses configurable synchronization among three PeopleSoft databases
Access the Security PeopleCode Options page (PeopleTools, Security, Security Objects, Security PeopleCode Options).
Application Class Method
Application classes, at their base level, are PeopleCode programs. In addition, application classes provide more structure. Using the Application Packages, you have a clear definition of each class, as well as its listed properties and methods, which makes it easier for you to create a complex program that uses many functions. This group box displays information about the PT_SECURITY application package.
PeopleCode Function Options
This group box displays the available PeopleCode functions for the CopyRowsetDelta_Sec method, which you use to implement user profile synchronization.
Function Name
Select from these two functions:
See Message Classes.
Enabled
Select a check box to choose the type of user profile synchronization. You can enable only one option in the list of functions.
To set up configurable user profile synchronization:
Turn on the Pub/Sub servers.
In each publishing database, access the Security PeopleCode Options page and enable the CopyRowsetDeltaOriginal_Mod PeopleCode function.
Define the local gateway URL for Integration Broker.
In each participating database, activate the domain in Integration Broker.
In each participating database, create and configure the remote nodes.
In each participating database, configure single signon by setting up each subscribing database as a trusted node.
In each participating database, define the gateway properties; include all PeopleSoft nodes.
In each participating database, deactivate the inbound generated USER_PROFILE.VERSION_84 routing definition.
See Activating and Inactivating Routing Definitions in the Routing Component.
Note. This step is necessary only if you implemented standard user profile synchronization and are switching to configurable user profile synchronization.
In each participating database, configure and activate the routings for the USER_PROFILE service operation.
In each publishing database, you must create outbound routings to each subscribing node. For example, if you are in a CRM database publishing to an HCM and a FIN database, you must create two outbound routings.
See Activating and Inactivating Routing Definitions in the Routing Component.
In each participating database, activate the USER_PROFILE_XFR service operation.
In each participating database, configure the routings for the USER_PROFILE.VERSION_XFR service operation.
In each subscribing database, select the Generate Any-to-Local check box to create the necessary inbound routings or create point-to-point inbound routings.
In each publishing database, change the external alias on the Parameters page to USER_PROFILE.VERSION_84.
In each subscribing database, grant permission list security for the USER_PROFILE_XFR service operations.
In each subscribing database, configure the USER_PROFILE.VERSION_XFR message definition:
Expand the User Profile message records.
Select the fields that you want the subscribing database to update.
Clear the fields that you want the subscribing database to ignore.
Save the message.
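The effect of the field selection in the last step can be modelled as follows. This is an added Python illustration, not PeopleCode and not the delivered transformation; the function name, the dictionary layout, and the sample values are assumptions, and only the five default-cleared record.fields come from this page.

```python
from copy import deepcopy

# Record.fields cleared by default in USER_PROFILE.VERSION_XFR (from the page).
DEFAULT_CLEARED = frozenset({
    "PSOPRDEFN.OPRCLASS", "PSOPRDEFN.ROWSECCLASS", "PSOPRDEFN.SYMBOLICID",
    "PSOPRDEFN.PRCSPRFLCLS", "PSOPRDEFN.DEFAULTNAVHP",
})

def apply_inbound(current, inbound, cleared=DEFAULT_CLEARED):
    """Model of a subscriber applying a published profile (hypothetical helper).

    current/inbound: {record: {field: value}}. Returns (merged, applied,
    ignored); applied/ignored name the record.fields whose published value
    differed from the subscriber's and was written or dropped, respectively.
    """
    merged = deepcopy(current)
    applied, ignored = [], []
    for record, fields in inbound.items():
        for field, value in fields.items():
            name = f"{record}.{field}"
            if merged.get(record, {}).get(field) == value:
                continue  # already in sync, nothing to do
            if name in cleared:
                ignored.append(name)  # field is cleared on the subscriber
            else:
                merged.setdefault(record, {})[field] = value
                applied.append(name)
    return merged, sorted(applied), sorted(ignored)

# Constructed sample data: the subscriber's row and a published change.
SUBSCRIBER = {"PSOPRDEFN": {"OPRID": "JSMITH", "EMAILID": "js@old.example",
                            "OPRCLASS": "HCM_BASIC", "ROWSECCLASS": "HCM_ROWSEC",
                            "ACCTLOCK": 0}}
PUBLISHED = {"PSOPRDEFN": {"OPRID": "JSMITH", "EMAILID": "js@new.example",
                           "OPRCLASS": "CRM_ADMIN", "ROWSECCLASS": "CRM_ALL",
                           "ACCTLOCK": 1}}

if __name__ == "__main__":
    merged, applied, ignored = apply_inbound(SUBSCRIBER, PUBLISHED)
    print("applied:", applied)
    print("ignored:", ignored)
    # Selecting OPRCLASS on the subscriber lets the publisher overwrite it.
    widened = DEFAULT_CLEARED - {"PSOPRDEFN.OPRCLASS"}
    print("applied with OPRCLASS selected:",
          apply_inbound(SUBSCRIBER, PUBLISHED, widened)[1])
```

The published message still carries every field; what the subscriber accepts is decided only by its own field selection, so review that selection on each subscribing database.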
Sometimes you might want to transfer all user information from a source database to a target database, for example, during the upgrade process or when moving users from the production environment to a development or a testing environment. PeopleSoft applications provide Data Mover (DMS) scripts that export and import user profile security information. These scripts transfer user profile data from a source to a target database. The scripts use these tables:
PSOPRDEFN
PSOPRALIAS
PSROLEUSER
PSUSERATTR
PSUSEREMAIL
PSUSERPRSNLOPTN
ROLEXLATOPR
PS_RTE_CNTL_RUSER
Note. Use the Application Designer upgrade feature to upgrade both roles and permission lists.
One script exports User Profile data from the source database. The source database refers to the database that contains the User Profiles that you want to migrate. The target database refers to the database to which you are copying the user information.
After exporting the security information from the source database, you then run the import script against the target database. The scripts involved in transferring security information from one database to another are:
USEREXPORT.DMS: This script exports User Profiles from the source database and stores them in a Data Mover DAT file. The output file is named USEREXPORT.DAT.
USERIMPORT.DMS: This script reads the file created by USEREXPORT.DMS and copies the User Profile data into the target database.
You will find this set of scripts in the <PS_HOME>/scripts directory.
Note. Using Data Mover to transfer user profiles from one database to another does not trigger user profile synchronization.
Considerations
Before running scripts to export and import your security information, you should consider these topics:
If the target database already contains a row of data with identical keys to a row transferred by the import script, the duplicate row will not be transferred to the target. The scripts make no attempt to merge the duplicate row; the row is not transferred.
To ensure that you do not have data rows with duplicate keys, you must ensure that the source database does not contain a User Profile with the same name as in the target database.
You should not have data rows with duplicate keys in your source and target databases when you begin the copy, as this can lead to unexpected results that compromise database integrity.
Because the PeopleTools table structures change between major releases (6.X to 7.X or 7.X to 8.X), you cannot transfer users between databases that run different versions of PeopleTools. Before starting the migration process, upgrade your source and target databases so the release levels match.
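A pre-import check for the duplicate-key consideration above, as an added Python example that is not part of the delivered scripts. It models the row-level rule stated on this page (identical keys are skipped, nothing is merged); the key columns, the function names, and the sample rows are assumptions to confirm against your own record definitions.

```python
# Assumed key columns for three of the tables the scripts use; confirm them
# against the record definitions in your PeopleTools release.
TABLE_KEYS = {
    "PSOPRDEFN": ("OPRID",),
    "PSROLEUSER": ("ROLEUSER", "ROLENAME"),
    "PSUSEREMAIL": ("OPRID", "EMAILTYPE"),
}

def key_of(table, row):
    return tuple(row[col] for col in TABLE_KEYS[table])

def preflight(source, target):
    """Report, per user ID present in both databases, which source rows the
    import would skip (identical keys) and which it would still add."""
    shared = ({r["OPRID"] for r in source["PSOPRDEFN"]}
              & {r["OPRID"] for r in target["PSOPRDEFN"]})
    report = {user: {"skipped": [], "added": []} for user in shared}
    for table in TABLE_KEYS:
        existing = {key_of(table, r) for r in target.get(table, [])}
        for row in source.get(table, []):
            key = key_of(table, row)
            user = key[0]  # first key column holds the user ID in all three
            if user in report:
                bucket = "skipped" if key in existing else "added"
                report[user][bucket].append((table,) + key)
    return report

# Constructed sample extracts (key columns only).
SOURCE = {
    "PSOPRDEFN": [{"OPRID": "JSMITH"}, {"OPRID": "NEWUSER"}],
    "PSROLEUSER": [
        {"ROLEUSER": "JSMITH", "ROLENAME": "EMPLOYEE"},
        {"ROLEUSER": "JSMITH", "ROLENAME": "PAYROLL_ADMIN"},
        {"ROLEUSER": "NEWUSER", "ROLENAME": "EMPLOYEE"},
    ],
    "PSUSEREMAIL": [{"OPRID": "JSMITH", "EMAILTYPE": "BUS"}],
}
TARGET = {
    "PSOPRDEFN": [{"OPRID": "JSMITH"}],
    "PSROLEUSER": [{"ROLEUSER": "JSMITH", "ROLENAME": "EMPLOYEE"}],
    "PSUSEREMAIL": [],
}

if __name__ == "__main__":
    for user, rows in sorted(preflight(SOURCE, TARGET).items()):
        print(user, "skipped:", rows["skipped"])
        print(user, "added:  ", rows["added"])
```

In the sample, JSMITH's existing profile row is kept while a source role row is added under it, which is the mixed state the considerations warn about; an empty report means no user ID exists in both databases.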
Complete the following procedure to run the user transfer scripts.
Using Data Mover, sign on to the source database and run USEREXPORT.DMS for user definitions.
You can edit this script to specify the location and file name of the output file and the log file.
Using Data Mover, sign on to the target database and run USERIMPORT.DMS for user definitions.
You can edit the script to specify the location and file name of the input file and the log file. The name and location of the input file must match the output file you specified in Step 2.
After copying user and role definitions, run the PeopleTools audits, including DDDAUDIT and SYSAUDIT, to check the consistency of your database.