PeopleSoft Security - Dynamic Role Rules
• Three major building blocks used when defining your PeopleSoft security
– User Profiles
– Roles
– Permission Lists
User Profiles
• Define the individual users of your PeopleSoft system
• Set of data describing a particular user of your PeopleSoft system
• Information about the user such as email address, language code, and password
• Assign process profiles, row-level security or business unit security at the User Profile level
• User Profiles are linked to Roles to grant access to specific areas within the PS application
Roles
• Roles are assigned to User Profiles
• Intermediate objects that link User Profiles to Permission Lists
• Multiple roles can be assigned to a single User Profile
• Examples: Applicant, Employee, Vendor, Accounts Payable Clerk, and Manager
• Roles allow you to mix and match access to your PeopleSoft system
• Roles can be assigned to User Profiles manually or dynamically
Permission List
• Lowest level of PeopleSoft security
• Grants access to pages, PeopleTools, and sign-on times
• Assign actions such as Add, Update/Display, and Correction
• The fewer Permission Lists used, the more modular and scalable your PS security will be
• Multiple Permission Lists can be assigned to a single role
• Granularity allows you to “mix and match”
What are dynamic role rules?
• The assignment of roles to User Profiles based on your business rules
• These business rules run against system(s) to assign PeopleSoft access
• Business rule data can reside in a number of places:
– PeopleSoft data
– 3rd party systems
– LDAP
• Allows your PeopleSoft security structure to change in an automated fashion
• The dynamic role rule process removes and grants access to User Profiles
Methods - Assigning dynamic role rules
• There are three technologies you can use to execute your business rules:
o PS/Query
o LDAP Plug-in
o PeopleCode
• One, two, or all three of the technologies listed above can be used
Building Role Rules - PS/Query
• PeopleSoft recommends using PS/Query to build role rules if the membership data resides in your PeopleSoft database
• Access is removed or granted based on the User Profile IDs retrieved by the query
• Can be built on Queries and/or Views
• Business rules can be built into the View and/or Query
Assigning Roles - LDAP
• Organizations that currently have LDAP directory server groups defined
• Plug into current LDAP configuration
• Leverage existing directory groups/roles
• Easier to maintain
• Single directory server leveraged by multiple applications
• Single point of maintenance reduces the risk of user information getting out of sync
• Involves PeopleCode expertise/coding
Assigning Roles - PeopleCode
• Membership data not contained within the PS database
• Data might exist on other 3rd party systems
• Extremely flexible
o SQLExec functions
o Business Interlinks
o Component Interfaces
Static role assignments
• Roles are assigned to User Profiles manually
• Not scalable
• All security changes require manual intervention
• High administration costs
• High margin for human error
Benefits - Dynamic role rules
• Roles are assigned to User Profiles programmatically
• Scalable (internet friendly)
• Less manual work for the PeopleSoft Security Administrator
• Eliminating static assignment decreases administration costs
• Reduces risk of human error
• Reduces the volume of help desk calls
• Audit reporting is simplified
• Schedule your rule execution based on your environment
Application Messaging
• DYNROLE_PUBL publishes messages when assigning dynamic role rules
• The DYNROLE_PUBL Application Engine does not update the database directly
• Application Server must be configured to handle Application Messaging
• The status of the Application Messages is viewed in the Application Messaging Monitor
• Administrator must monitor the Application Messages to correct invalid data or errors
Technical Setup – Application Server
• Publish and Subscribe servers need to be configured on the application server
Demo Dynamic Role Rules using PS/Query
Example – Steps for creating PS/Query rules
• Define the business rules
• Create a view that retrieves a list of OPRIDs
• Create a query (ROLEQRY) that selects from the view
• Attach the ROLEQRY to the Role in Maintain Security
• Execute DYNROLE_PUBL
• Check Application Message Monitor
• View Results!!
Example – PS/Query Rules
• Dynamically grant access to the Payroll Administrator role
• Job codes that perform the Payroll Administrator role are KC006 and KC008
• Create a view that selects all OPRIDs that have a job code of KC006 or KC008 on their current job record
• Save the view as SPH_PAYROLL_ADM
Creating the View
SELECT B.OPRID
FROM PS_JOB A, PSOPRDEFN B
WHERE A.EFFDT = (SELECT MAX(A_ED.EFFDT) FROM PS_JOB A_ED
                 WHERE A.EMPLID = A_ED.EMPLID
                   AND A.EMPL_RCD = A_ED.EMPL_RCD
                   AND A_ED.EFFDT <= GETDATE())
  AND A.EFFSEQ = (SELECT MAX(A_ES.EFFSEQ) FROM PS_JOB A_ES
                  WHERE A.EMPLID = A_ES.EMPLID
                    AND A.EMPL_RCD = A_ES.EMPL_RCD
                    AND A.EFFDT = A_ES.EFFDT)
  AND A.EMPLID = B.EMPLID
  AND A.JOBCODE IN ('KC008','KC006')
  AND A.EMPL_STATUS = 'A'
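The rule process grants and revokes the role based on the OPRIDs the view returns, so the same view can drive an audit of who actually holds the role. The following reconciliation queries are an added example, not part of the original deck: they assume the SPH_PAYROLL_ADM view above, the delivered PSROLEUSER table (ROLEUSER holds the OPRID, ROLENAME the role, DYNAMIC_SW 'Y'/'N' for rule-assigned versus static members; the flag values are an assumption), and that the role is literally named 'Payroll Administrator'.

```sql
-- Added audit example (not from the original deck). Role name, and the
-- 'Y'/'N' values of PSROLEUSER.DYNAMIC_SW, are assumptions; SPH_PAYROLL_ADM
-- is the view built on PS_JOB/PSOPRDEFN above.

-- 1. Stale access: OPRIDs that hold the role but no longer satisfy the rule
--    (left over from a rule run that has not happened yet, or from a
--    manual grant). Expect this to be empty right after DYNROLE_PUBL finishes.
SELECT RU.ROLEUSER, RU.DYNAMIC_SW
FROM PSROLEUSER RU
WHERE RU.ROLENAME = 'Payroll Administrator'
  AND NOT EXISTS (SELECT 1
                  FROM SPH_PAYROLL_ADM V
                  WHERE V.OPRID = RU.ROLEUSER);

-- 2. Missing access: OPRIDs that satisfy the rule but do not yet hold the
--    role. Non-empty only between rule executions; otherwise the rule run
--    or its Application Messages need investigating.
SELECT V.OPRID
FROM SPH_PAYROLL_ADM V
WHERE NOT EXISTS (SELECT 1
                  FROM PSROLEUSER RU
                  WHERE RU.ROLENAME = 'Payroll Administrator'
                    AND RU.ROLEUSER = V.OPRID);

-- 3. Static members of a dynamically managed role. These were added by hand
--    and are not revoked when the employee leaves job code KC006/KC008, so
--    each one should be justified or converted to a rule-driven assignment.
SELECT RU.ROLEUSER
FROM PSROLEUSER RU
WHERE RU.ROLENAME = 'Payroll Administrator'
  AND RU.DYNAMIC_SW = 'N';
```

Because the view joins PS_JOB to PSOPRDEFN on EMPLID, every OPRID sharing that EMPLID (for example a secondary test or batch user) qualifies, and any active job record in a qualifying job code is enough; the first query surfaces nothing for such users, so check PSOPRDEFN for duplicate EMPLIDs separately.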
Creating the View - Don’t forget the following:
• Build the view
• Add the SPH_PAYROLL_ADM view to one of your security trees
• The query driving the dynamic role rules will be built using SPH_PAYROLL_ADM
Create the Query
• Create a new query, selecting OPRID from SPH_PAYROLL_ADM
• WHERE logic can be maintained in the view or in the query
• Note: When saving the query, it must be saved as a PUBLIC ROLEQRY
• Saved query as PAYROLL_ADM_ROLE_RULE
Creating the Query
Assign the Query to the Role
• Navigate to PeopleTools - Maintain Security - Use - Roles
• Open the Payroll Administrator role
• Click on the Dynamic Members tab
• Click on the Query Rule Enabled checkbox
• Populate the Query Rule textbox with PAYROLL_ADM_ROLE_RULE
• Save the role
Execute DYNROLE_PUBL AE
• Navigate to PeopleTools - Maintain Security - Process - Execute Role Rules
• Enter the server name (PSNT)
• Click on Execute Dynamic Role Rules
• The pushbutton initiates the DYNROLE_PUBL application engine process
• Process Monitor will display “Success” when the application engine process completes
Application Message Monitor
• DYNROLE_PUBL application engine publishes messages to ROLESYNCH_MSG
• Click on App Msg Monitor to view the status of the messages
• The Application Message Monitor displays the different types of messages and the status
• Messages move from “New” to “Done” as they are processed
• Assignment of the dynamic role rules is not complete until each of the messages is out of “New” status
• Click on the Refresh pushbutton to watch the message process
View the Dynamic Members
• Dynamic members attached to the role can be viewed when looking at the role definition
• Navigate to: PeopleTools - Maintain Security - Use - Roles
• Click on the Dynamic Members tab
View the User Profile
Summary
• Drive down PeopleSoft Administration costs by implementing dynamic role rules
• Define your business rules
• Develop your dynamic roles based on the business rules defined by your organization
• Three technologies used to develop dynamic roles
o PS/Query
o PeopleCode
o LDAP
• Start small – Mix and match dynamic and static
o Dynamically assign PS/Query or Process Monitor