PeopleSoft Security

Uploaded by Rohit Joshi

24/03/2015

Enterprise PeopleTools 8.50 PeopleBook: Security Administration

Understanding PeopleSoft Security
This chapter discusses:
Security basics.
PeopleSoft online security.
PeopleSoft authorization IDs.
PeopleSoft sign-in.
Implementation options.

Security Basics
Security is especially critical for core business applications, such as PeopleSoft applications. Typically, you do not want every department in your company to have access to all your applications. Nor do you want everyone within a department to have access to all the functions or all the data of a particular application. Additionally, you may want to restrict who can customize your applications with PeopleTools.
PeopleSoft software provides security features, including components and PeopleTools applications, to ensure that your sensitive application data, such as employee salaries, performance reviews, or home addresses, does not fall into the wrong hands. Most likely, you use other security tools for your network and relational database management system (RDBMS). These tools work together to protect the PeopleSoft system from unauthorized access.
As you implement the PeopleSoft Internet Architecture, you need a robust and scalable means by which you can grant authorization to users efficiently. When you deploy your applications to the internet, the number of potential users of your system increases exponentially. Suddenly, you have customers, vendors, suppliers, employees, and prospects all using the same system.
The PeopleSoft security approach is tailored for the internet. It enables you to easily create and maintain security definitions, and you can perform many maintenance tasks programmatically.
You can apply security to all users, including employees, managers, customers, contractors, and suppliers. You group your users according to roles to give them different degrees of access. For instance, there might be an Employee role, a Manager role, and an Administrator role. Users who belong to a particular role require a specific set of permissions, or authorizations, within your system, so that they can complete their daily tasks.
You must also secure the objects and definitions in your PeopleSoft development environment. Just as you restrict sets of end users from accessing particular pages and components, you also restrict the definitions that your site's developers can access using PeopleSoft Application Designer. A definition refers to any of the definitions that you create within PeopleSoft Application Designer, such as records, pages, or components. Each object definition may have individual security needs. For example, you may have a large development staff, but perhaps you want only a few developers to have access to specific record definitions.
PeopleSoft Security Definitions
Because deploying your applications to the internet significantly increases the number of potential users your system must accommodate, you need an efficient method of granting authorization to different user types. PeopleSoft security definitions provide a modular means to apply security attributes in a scalable manner.
A security definition refers to a collection of related security attributes that you create using PeopleTools Security. The three main PeopleSoft security definition types are:
User profiles.
Roles.
Permission lists.
Note. A PeopleSoft security definition called an Access Profile also exists, but these are defined at the database level.
http://docs.oracle.com/cd/E15645_01/pt850pbr0/eng/psbooks/tsec/htm/tsec03.htm

User Profiles
User profiles define individual PeopleSoft users.
Each user has an individual user profile, which in turn is linked to one or more roles. You add one or more permission lists, which ultimately control what a user can and cannot access, to each role. A few permission types are assigned directly to the user profile.
Typically, a user profile must be linked to at least one role in order to be a valid profile. The majority of values that make up a user profile are inherited from the linked roles.
Roles
Roles are intermediate objects that link user profiles to permission lists. You can assign multiple roles to a user profile, and you can assign multiple permission lists to a role. Some examples of roles might be Employee, Manager, Customer, Vendor, and Student.
A manager is also an employee and may also be a student. Roles enable you to mix and match access appropriately.
You have two options when assigning roles: assign roles manually or assign them dynamically. When assigning roles dynamically, you use PeopleCode, LDAP, and PeopleSoft Query rules to assign user profiles to roles programmatically.
Permission Lists
Permission lists are groups of authorizations that you assign to roles. Permission lists store sign-in times, page access, PeopleTools access, and so on.
A permission list may contain one or more types of permissions. The fewer types of permissions in a permission list, the more modular and scalable your implementation.
A user profile inherits most of its permissions through roles, but you apply some permission lists, such as process profile or row-level security (data permissions), directly to a user profile.
See Also
Oracle MetaLink 3 website.

PeopleSoft Online Security
The PeopleSoft system has many elements, such as batch processes, object definitions, and application data. Use PeopleTools security tools to control access to most of these elements. To secure other elements, you use application-specific interfaces, such as Administer Security.
This section discusses:
Sign-in and timeout security.
Page and dialog box security.
Batch environment security.
Definition security.
Application data security.
PeopleSoft Internet Architecture security.

Sign-in and Timeout Security
When a user attempts to sign in to PeopleSoft, he or she enters a user ID and a password on the PeopleSoft Signon page. If the ID and password are valid, PeopleSoft connects the user to the application, and the system retrieves the appropriate user profile.
If the user attempts to sign in during an invalid sign-in time as defined in the user's security profile, he or she is not allowed to sign in. A sign-in time is an adjustable interval during which a user is allowed to sign in to PeopleSoft. For example, if a given sign-in time is Monday through Friday from 7 a.m. to 6 p.m. for a set of users, those users cannot access a PeopleSoft application on Saturday or on Friday at 6:05 p.m. If a user is signed in when the sign-in period expires, PeopleSoft signs the user out automatically.
After signing in, a user can stay connected as long as the sign-in time allows and as long as the browser does not sit idle for longer than the timeout interval. A timeout interval specifies how long the user's machine can remain idle (no keystrokes, no SQL) before the PeopleSoft system automatically signs the user out of the application.
You specify both the sign-in times and timeout interval using PeopleTools Security.
Note. Other timeout intervals, unrelated to security, are controlled by your web server and by PeopleSoft Pure Internet Architecture components.

Page and Dialog Box Security
You can restrict access to PeopleSoft menus. You can set the access rights to the entire menu, such as Administer Workforce or PeopleTools Security, or just a specific item on that menu. Because the only normal way to access a PeopleSoft page is through a menu, if a user has no access to a particular menu or menu item, then you have effectively restricted that user's access to the corresponding page.
You can also restrict access to specific actions or commands on a page. For example, you may want a clerk in your sales office to be able to access contract data but not be able to update the data. In this case, you grant access to the set of pages, but you allow display-only access. The clerk can then view the data but cannot update or correct it. This approach enables users to get their work done while maintaining the security and integrity of your business data.

Batch Environment Security
If a particular user must run batch processes using PeopleSoft Process Scheduler, assign the appropriate process profile to the user profile and create process groups for your processes. A user receives both process group and process profile authorizations through permission lists. A user gets permission to process groups through roles, and a process profile through the process profile permission list.
Note. You add the process profile permission list directly to the user profile, not to an intermediary role.
Process Security
Because PeopleSoft applications take advantage of other applications, such as SQR and COBOL, your batch processes should be run in a secure environment.
The three levels of security for batch programs are:
Each batch program has a run control that you define before you can run the batch program. Run controls are set up using PeopleSoft Process Scheduler.
PeopleSoft Process Scheduler enables you to set up process groups, which are groups of batch processes. In PeopleTools Security, you add process groups to a security profile. Users can run processes that belong to the process groups assigned to their security profile.
In your RDBMS environment, you can restrict offline access to batch processes using the security tools described in your platform manuals.
Reporting Security
PeopleSoft Report Manager uses a logical space on a web server called the Report Repository. PeopleSoft Report Manager enables you to generate and distribute reports over the internet, and it stores the output in the Report Repository. Wherever you decide to situate your repository, make sure that the server is protected from outside access. Ensure that only the PeopleSoft system can access and distribute the generated reports. The Report Repository servlet gets items from the web server and puts them in the browser. With report distribution, you distribute reports and view them according to your role.
PeopleSoft delivers these roles for the specific use in reporting:
ReportDistAdmin
ReportSuperUser

Definition Security
Use Definition Security to govern access to database object definitions, such as record definitions, field definitions, and page definitions, and to protect particular object definitions from being modified by certain developers.

Application Data Security
Definition security is a form of data security; you use it to control access to particular rows of data (object definitions) in PeopleTools tables. PeopleSoft software also provides other methods to control the application data that a user is allowed to access in the PeopleSoft system. This task is also known as setting data permissions.
With application data security, you can set data permissions at the following levels:
Table level (for queries only).
Row level.
Field level.
Table-Level Security
You use PeopleSoft Query to build SQL queries and retrieve information from application tables. For each PeopleSoft Query user, you can specify the records the user is allowed to access when building and running queries. You do this by creating query access groups in PeopleSoft Tree Manager and then assigning users to those groups with PeopleSoft Query security. PeopleSoft Query security is enforced only when using PeopleSoft Query; it does not control runtime page access to table data.
Row-Level Security
You can design special types of SQL views (security views) to control access to individual rows of data stored within application database tables. Row-level security enables you to specify the data that a particular user is permitted to access. PeopleSoft applications are delivered with built-in row-level security functions that are tailored to specific applications.
For example, PeopleSoft Human Resources security tables enable you to restrict user access to employee rows of data according to organizational roles. You could also permit users to view and update rows for employees in their departments only. Similarly, in PeopleSoft Financials, you can use security views to determine access to business units and ledgers. You can also use security tables to grant privileges by access group to users who use PeopleSoft Query to access data from the database.
See the documentation for your application for details about implementing row-level security for your applications.
Field Security
Use PeopleCode to restrict access to particular fields or columns within application tables. For example, if you want a certain class of user to be able to access certain pages but not to view a particular field on those pages, such as compensation rate, you can write PeopleCode to hide the field for that user class.

PeopleSoft Internet Architecture Security
PeopleSoft Internet Architecture security is also known as runtime security. Only authorized users can connect to the web and application server, and only authorized application servers can connect to a given database. PeopleSoft software uses authentication tokens embedded in browser cookies to authorize users and enable single sign-in throughout the system. To secure links between elements of the system, including browsers, web servers, application servers, and database servers, PeopleSoft software incorporates a combination of SSL security and Oracle Tuxedo and Oracle Jolt encryption.
SSL is a protocol developed by Netscape that defines an interface for data encryption between network nodes. To establish an SSL-encrypted connection, the nodes must complete the SSL handshake. The simplified steps of the SSL handshake are as follows:
1. Client sends a request to connect.
2. Server responds to the connect request and sends a signed certificate.

3. Client verifies that the certificate signer is in its acceptable certificate authority list.
4. Client generates a session key to be used for encryption and sends it to the server encrypted with the server's public key (from the certificate received in step 2).
5. Server uses a private key to decrypt the client-generated session key.
Establishing an SSL connection requires two certificates: one containing the public key of the server (server certificate or public key certificate) and another to verify the certification authority that issued the server certificate (trusted root certificate). The server needs to be configured to issue the server certificate when a client requests an SSL connection, and the client needs to be configured with the trusted root certificate of the certificate authority that issued the server certificate.
The nature of those configurations depends on both the protocol being used and the client and server platforms. In most cases you replace HTTP with LDAP. SSL is a lower-level protocol than the application protocol, such as HTTP or LDAP. SSL works the same regardless of the application protocol.
Note. Establishing SSL connections with LDAP is not related to web server certificates or certificates used with PeopleSoft integration.
The system uses SSL encryption in the following locations:
Between the browser and the web server.
Between the application server and the integration gateway.
Between the integration gateway and an external system.
The system uses Oracle Tuxedo and Oracle Jolt encryption in these locations:
Between the web server and the application server.
Between the integration gateway and a PeopleSoft system (Oracle Jolt only).
Security between the application server and database is supplied by RDBMS connectivity.
PeopleSoft Integration Broker and portal products have additional security concerns, which are addressed in the documentation for those products.
See Also
Enterprise PeopleTools 8.50 PeopleBook: Internet Technology
Enterprise PeopleTools 8.50 PeopleBook: PeopleSoft Integration Broker

PeopleSoft Authorization IDs
The PeopleSoft system uses various authorization IDs and passwords to control user access. You use PeopleTools Security to assign two of these IDs: the user ID and the symbolic ID.
This section discusses:
User IDs.
Connect ID.
Access IDs.
Symbolic IDs.
Administrator access.
See Also
PeopleSoft Sign-in
User IDs
A PeopleSoft user ID is the ID you enter at the PeopleSoft sign-in dialog box. You assign each PeopleSoft user a user ID and password. The combination of these two items grants users online access to the PeopleSoft system. The system can also use a user ID stored within an LDAP directory server.
The user ID is the key used to identify the user profile definition.

Connect ID
The connect ID performs the initial connection to the database.
Note. PeopleSoft no longer creates users at the database level.
A connect ID is a valid user ID that, when used during sign-in, takes the place of PeopleSoft user IDs. Using a connect ID means you do not have to create a new database user for every PeopleSoft user that you add to the system.
Note. A connect ID is required for a direct connection (two-tier connection) to the database. Application servers and two-tier Microsoft Windows clients require a connect ID. You specify the connect ID for an application server in the Signon section of the PSADMIN utility. For Microsoft Windows clients, you specify the connect ID in the Startup tab of PeopleSoft Configuration Manager. You can create a connect ID by running the Connect.SQL and Grant.SQL scripts.
Note. When performing a database compare or copy, both databases must have the same connect ID.
Warning! Without a connect ID specified, the system assumes the workstation is accessing PeopleSoft through an application server. The option to override the database type is disabled.

Access IDs
When you create any user ID, you must assign it an access profile, which specifies an access ID and password.
The PeopleSoft access ID is the RDBMS ID with which PeopleSoft applications are ultimately connected to your database after the PeopleSoft system connects using the connect ID and validates the user ID and password. An access ID typically has all the RDBMS privileges necessary to access and manipulate data for an entire PeopleSoft application. The access ID should have Select, Update, and Delete access.
Users do not know their corresponding access IDs. They just sign in with their user IDs and passwords. Behind the scenes, the system signs them in to the database using the access ID.
If users try to access the database directly with a query tool using their user or connect IDs, they have limited access. User and connect IDs only have access to the few PeopleSoft tables used during sign-in, and that access is Select-level only. Furthermore, PeopleSoft encrypts the sensitive data that resides in those tables.
Note. Access profiles are used when an application server connects to the database, when a Microsoft Windows workstation connects directly to the database, and when a batch job connects directly to the database. Access profiles are not used when end users access applications through PeopleSoft Pure Internet Architecture. During a PeopleSoft Pure Internet Architecture transaction, the application server maintains a persistent connection to the database, and the end users leverage the access ID that the application server domain used to sign in to the database.
Note. PeopleSoft suggests that you only use one access ID for your system. Some RDBMS do not permit more than one database table owner. If you create more than one access ID, it may require further steps to ensure that this ID has the correct rights to all PeopleSoft system tables.

Symbolic IDs
PeopleSoft encrypts the access ID when it is stored in the PeopleTools security tables. Consequently, an encrypted value cannot be readily referenced or accessed. So when the access ID, which is stored in PSACCESSPRFL, must be retrieved or referenced, the query selects the appropriate access ID by using the symbolic ID as a search key.
The symbolic ID acts as an intermediary entity between the user ID and the access ID. All the user IDs are associated with a symbolic ID, which in turn is associated with an access ID. If you change the access ID, you need to update only the reference of the access ID to the symbolic ID in the PSACCESSPRFL table. You do not need to update every user profile in the PSOPRDEFN table.

Administrator Access
As an administrator, you must customize your own user definition. PeopleSoft delivers at least one full-access user ID with each delivered database. Your first task should be to sign in with this ID and personalize it for your needs or to create a new, full-access ID, being sure to specify a new password. You should change the passwords of all delivered IDs as soon as possible.
Note. PeopleSoft-delivered IDs and passwords are documented in your installation manual.
When you install PeopleSoft, you are prompted for an RDBMS system administrator ID and password. This information is used to automatically create a default access profile. If you will be using more than one access profile, set up the others before creating any new PeopleSoft security definitions. Most sites only use one access profile.
The number of database-level IDs you create is up to your site requirements. However, in most cases, having fewer database-level IDs reduces maintenance issues.
For example, if you implement pure LDAP authentication, at a minimum you need two database-level IDs: your access ID and your connect ID. With this scenario, in PeopleSoft you need to maintain only a symbolic ID to reference the access ID and maintain a user ID that the application server uses during sign-in. With this minimal approach, each user who needs a two-tier connection, to run an upgrade, for example, could use the same user ID that the application server uses.

PeopleSoft Sign-in
This section discusses:
PeopleSoft sign-in.
Directory server integration.
Authentication and signon PeopleCode.
Single signon.

PeopleSoft Sign-in
The most common direct sign-in to the PeopleSoft database is the application server sign-in.
These are the basic steps that are taken when the application server signs in to the database:
1. Initial connection.
The application server starts and uses the connect ID and user ID specified in its configuration file (PSAPPSRV.CFG) to perform the initial connection to the database.
2. The server performs a SQL Select statement on security tables.
After the connect ID is verified, the application server performs a Select statement on PeopleTools security tables, such as PSOPRDEFN, PSACCESSPRFL, and PSSTATUS. From these tables, the application server gathers such items as the user ID and password, symbolic ID, access ID, and access password. After the application server has the required information, it disconnects.
3. The server reconnects using the access ID.
When the system verifies that the access ID is valid, the application server begins the persistent connection to the database that all PeopleSoft Pure Internet Architecture and Microsoft Windows three-tier clients use to access the database. Typically, the users signing in using a Microsoft Windows workstation are developers using PeopleSoft Application Designer.
Note. A Microsoft Windows workstation attempting a two-tier connection uses the same process as the application server.
PeopleSoft recommends that all connectivity be made through either a three-tier Microsoft Windows client or through the browser. A two-tier connection is no longer necessary other than for the application server, PeopleSoft Process Scheduler, or for a user who will be running upgrades or PeopleSoft Data Mover scripts. Sign-in PeopleCode does not run during a two-tier connection, so maintaining two-tier users in an LDAP server is not supported.
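The following Python model, added here and not PeopleSoft's own code, walks through the three sign-in steps above and the symbolic-ID indirection described under Authorization IDs. It uses an in-memory SQLite database whose tables are named after PSOPRDEFN, PSACCESSPRFL and PSSTATUS, but the reduced column set, the password hashing, the user ID HRUSER01, symbolic ID SYM01, access ID APPOWNER, the PS_COMP_RATE table, and the SQLite authorizer standing in for RDBMS grants are all assumptions of the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Tables the connect ID may read: the effect the chapter attributes to Grant.SQL.
SIGNIN_TABLES = {"PSOPRDEFN", "PSACCESSPRFL", "PSSTATUS"}


def _pw_hash(password, salt):
    # Stand-in for the product's stored-password scheme, which is not modelled here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db():
    """Constructed in-memory database: user HRUSER01, symbolic ID SYM01, access ID
    APPOWNER, and one application table holding data the connect ID must not see."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE PSOPRDEFN (OPRID TEXT PRIMARY KEY, SYMBOLICID TEXT NOT NULL,
            PWSALT BLOB NOT NULL, OPERPSWD BLOB NOT NULL, ACCTLOCK INTEGER NOT NULL);
        CREATE TABLE PSACCESSPRFL (SYMBOLICID TEXT PRIMARY KEY, ACCESSID TEXT NOT NULL,
            ACCESSPSWD BLOB NOT NULL);
        CREATE TABLE PSSTATUS (OWNERID TEXT NOT NULL, TOOLSREL TEXT NOT NULL);
        CREATE TABLE PS_COMP_RATE (EMPLID TEXT PRIMARY KEY, COMPRATE REAL NOT NULL);
    """)
    salt = os.urandom(16)
    db.execute("INSERT INTO PSOPRDEFN VALUES (?, ?, ?, ?, 0)",
               ("HRUSER01", "SYM01", salt, _pw_hash("correct horse", salt)))
    # The access password is stored encrypted in the product; an opaque blob stands in.
    db.execute("INSERT INTO PSACCESSPRFL VALUES ('SYM01', 'APPOWNER', ?)", (b"<encrypted>",))
    db.execute("INSERT INTO PSSTATUS VALUES ('APPOWNER', '8.50')")
    db.execute("INSERT INTO PS_COMP_RATE VALUES ('E0001', 95000.0)")
    db.commit()
    return db


# SQLite has no GRANT, so an authorizer callback plays the RDBMS privilege set.
def _connect_id_privs(action, table, _col, _db, _src):
    """Connect ID: Select only, and only on the sign-in tables."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and table in SIGNIN_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def _access_id_privs(*_):
    """Access ID: the table owner, with full access to every table."""
    return sqlite3.SQLITE_OK

def _disconnected(*_):
    return sqlite3.SQLITE_DENY


def app_server_signin(db, oprid, password):
    """The three sign-in steps. Returns the access ID the server reconnects with, or
    None. Switching the authorizer stands in for disconnecting and reconnecting."""
    access_id = None
    db.set_authorizer(_connect_id_privs)           # 1. initial connection as the connect ID
    try:                                           # 2. Select on the security tables
        user = db.execute("SELECT SYMBOLICID, PWSALT, OPERPSWD, ACCTLOCK FROM PSOPRDEFN "
                          "WHERE OPRID = ?", (oprid,)).fetchone()
        if user and not user[3] and hmac.compare_digest(_pw_hash(password, user[1]), user[2]):
            row = db.execute("SELECT ACCESSID FROM PSACCESSPRFL WHERE SYMBOLICID = ?",
                             (user[0],)).fetchone()   # the symbolic ID is the search key
            access_id = row[0] if row else None
    finally:
        db.set_authorizer(_disconnected)           # the connect-ID session is dropped
    if access_id is not None:
        db.set_authorizer(_access_id_privs)        # 3. persistent connection as the access ID
    return access_id


def connect_id_allows(db, sql):
    """True if the statement succeeds with only the connect ID's privileges."""
    db.set_authorizer(_connect_id_privs)
    try:
        db.execute(sql).fetchall()
        return True
    except sqlite3.DatabaseError:                  # SQLite reports 'not authorized'
        return False
    finally:
        db.set_authorizer(_disconnected)


def rotate_access_id(db, symbolic_id, new_access_id):
    """Changing the access ID updates one PSACCESSPRFL row; PSOPRDEFN is untouched.
    Done as the table owner. Returns the number of rows updated."""
    db.set_authorizer(_access_id_privs)
    cur = db.execute("UPDATE PSACCESSPRFL SET ACCESSID = ? WHERE SYMBOLICID = ?",
                     (new_access_id, symbolic_id))
    db.commit()
    return cur.rowcount
```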

Directory Server Integration
PeopleSoft recognizes that your site uses software produced by numerous vendors, and each different product requires security authorizations for users. Most of these products adhere to the model that includes user profiles and roles (or groups) to which users belong. PeopleSoft enables you to integrate your authentication scheme for the PeopleSoft system with your existing infrastructure. You can reuse user profiles and roles that are already defined within an LDAP directory service.
Organizations typically store user profiles in a central repository that serves user information for all of the programs that require it. The central repository is typically an LDAP directory server.
A directory server enables you to maintain a single, centralized user profile that you can use across all of your PeopleSoft and non-PeopleSoft applications. This approach reduces redundant maintenance of user information stored separately throughout your enterprise, and it reduces the possibility of user information getting out of synchronization.
You always maintain permission lists and roles using PeopleTools Security. However, you can maintain user profiles in PeopleTools Security or with an external LDAP server.
See Also
Employing LDAP Directory Services

Authentication and Signon PeopleCode
You can store PeopleSoft passwords within PeopleTools, in the PSOPRDEFN table. You can also store and maintain user passwords and the rest of the user profile data in an LDAP directory server. PeopleSoft retrieves the information stored in an external directory server using a combination of the User Profiles component interface and sign-in PeopleCode.
If you decide to reuse existing user profiles stored in a directory server, you don't need to perform dual maintenance on the two copies of the user data (one copy in the LDAP server and one copy in PSOPRDEFN). PeopleSoft ensures that the user information stays synchronized. If you configure LDAP authentication, you maintain your user profiles in LDAP and not in PeopleTools Security.
Signon PeopleCode copies the most recent user profile data from a directory server to the local database whenever a user signs in. PeopleSoft applications reference the user information stored in the PeopleSoft database rather than making a call to the LDAP directory each time the system requires user profile information. Signon PeopleCode ensures the local database has a current copy of the user profile based on the information in the directory. Each time the user signs in, signon PeopleCode checks to see if the row in the user profile cache needs to be updated.
The sign-in process occurs as follows:
1. The user enters a user ID and password on the sign-in page.
2. PeopleTools attempts to authenticate the user against the PSOPRDEFN table.
3. Signon PeopleCode runs.
The default signon PeopleCode program updates the user profile based on the current data stored in the directory server.
You can use signon PeopleCode and business interlinks to synchronize the local copy of the user profile with any data source at sign-in time; the program that ships with PeopleTools is designed to synchronize the user profile with an LDAP directory server only. Because the sign-in program is PeopleCode, you can modify it, incorporating any of the PeopleSoft integration technologies that PeopleCode supports.
To edit the signon PeopleCode program, you open the LDAP function library record and use the PeopleCode editor to customize the PeopleCode. Developers who modify the sign-in PeopleCode program need to have a good understanding of PeopleCode and the integration features it offers.
Note. Only users who sign on through PeopleSoft Pure Internet Architecture or three-tier Microsoft Windows clients take advantage of signon PeopleCode.

Single Signon
PeopleSoft Pure Internet Architecture uses browser cookies for seamless single signon across all PeopleSoft nodes. A node refers to a database and the application servers connected to it. For example, a user can complete a PeopleSoft Human Resources transaction, and then click a link for a PeopleSoft Financials transaction without ever reentering a password. Single signon is especially important to the PeopleSoft portal, which aggregates content from several different applications and data sources into a single, integrated display.
See Also
Working with SSL and Digital Certificates

Implementation Options
By using our integration technologies, you can configure PeopleSoft security to work with numerous schemes.
This section discusses:
Authentication.
Role assignments.
Cross-system synchronization.

Authentication
Consider how you plan to authorize users as they sign in to your PeopleSoft system. Do you want to store and maintain the PeopleSoft user passwords within PeopleSoft, or do you plan to take advantage of existing user profiles in an external directory server?
PeopleSoft-Based Authentication
This option is, generally, the way PeopleSoft customers have authorized users in previous releases. PeopleSoft user passwords are stored and maintained solely within PeopleSoft. Although this method does not require a large amount of storage, it does add administration issues, mainly because PeopleSoft passwords are yet another password users need to remember.
With this option there are only two database-level IDs, the access ID and the connect ID. The passwords reside in PSOPRDEFN along with the other user information.
Directory-Based Authentication
You can also use a central repository for user information in a directory server that uses the LDAP protocol. The advantage of this option is that a user has one user ID and password that allows access to numerous software systems.

Role Assignments
Consider how you plan to assign authorizations to your users. Recall that users inherit permissions through the roles to which they are assigned. When you plan your authorization assignment, you are really planning how you intend to assign roles to users. You can assign roles to users in two ways: the static approach and the dynamic approach.
Static
Using the static approach, you assign users to roles manually. The static approach is not scalable to the thousands of users that are likely to use your system when you deploy applications to the internet.
The static approach requires an administrator to maintain each user's set of roles. For that reason, PeopleSoft recommends that you explore and implement the dynamic assignment of roles.
Dynamic
Using the dynamic approach, the system assigns roles based on business rules. You can manually run the rule, but typically, you run the rules from a scheduled batch process.
Suppose an employee changes jobs and becomes a manager in a new department. When you run your dynamic rule, the system removes the roles associated with the employee's previous position and then adds the appropriate roles required for the new position. In addition, you can have the rule publish a message to other nodes, such as a PeopleSoft Financials node, that might subscribe to changes in the PeopleSoft Human Resources database.
You can use PeopleSoft Query, LDAP, or PeopleCode to define dynamic role assignment. If necessary, you can use a combined approach with the rules for assigning roles. For example, you can have one role rule based on LDAP, another based on a query, and so on. You can also have multiple rule types for one role. For example, a Manager role could be derived partially from an LDAP rule and partially from a PeopleSoft Query rule. As the following list describes, where the information that drives your role assignments is stored determines the types of role rules you use:
If the membership data for your roles resides in your PeopleSoft database, use PeopleSoft Query to construct your role rules. One query could be MANAGER, another EMPLOYEE, and so on. When the rule runs, the system assigns your employee users to the EMPLOYEE role and the manager employees to the MANAGER role based on the results returned from the query.
If you already have LDAP directory server groups organized by region, department, position, and so on, base your rules on the existing LDAP structure. Based on the directory setup and hierarchy, your rule assigns PeopleSoft users to the appropriate roles. PeopleSoft uses your existing LDAP configuration. You should use this role rule type in conjunction with LDAP authentication.
If you have user information in other third-party systems, such as legacy mainframe applications or UNIX account groups, use PeopleCode. You can take advantage of the integration technologies that PeopleCode supports, such as business interlinks and component interfaces. The business interlinks retrieve the data from the external system and write it to the role assignment tables in the PeopleSoft database.
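As an added illustration of the dynamic approach (example code, not the PeopleTools dynamic role program), this Python model combines a Query rule and an LDAP rule for the same MANAGER role, replaces each user's dynamic roles with the computed set while leaving statically assigned roles alone, and builds the change message a subscribing node would receive. The user IDs U100 to U103, the LDAP group names, and the FINANCE_USER and SECURITY_ADMIN roles are constructed; the rule results are embedded stand-ins for a real query and directory lookup.

```python
from typing import Dict, List, Set, Tuple

# Constructed rule results. A Query rule returns user IDs per role; an LDAP rule
# contributes the members of a directory group. Both stand in for the real sources.
QUERY_RULE_RESULTS: Dict[str, Set[str]] = {
    "EMPLOYEE": {"U100", "U101", "U102"},
    "MANAGER": {"U101"},
}
LDAP_GROUPS: Dict[str, Set[str]] = {
    "cn=managers,ou=groups,dc=example,dc=com": {"U102"},
    "cn=finance,ou=groups,dc=example,dc=com": {"U100", "U103"},
}
# Role rules: each role lists the (rule type, source) pairs that feed it.
# MANAGER is derived partly from a Query rule and partly from an LDAP rule.
ROLE_RULES: Dict[str, List[Tuple[str, str]]] = {
    "EMPLOYEE": [("QUERY", "EMPLOYEE")],
    "MANAGER": [("QUERY", "MANAGER"), ("LDAP", "cn=managers,ou=groups,dc=example,dc=com")],
    "FINANCE_USER": [("LDAP", "cn=finance,ou=groups,dc=example,dc=com")],
}
# Current assignments: user -> {role: how it was assigned}. U100 has left a manager job.
CURRENT_ROLES: Dict[str, Dict[str, str]] = {
    "U100": {"EMPLOYEE": "DYNAMIC", "MANAGER": "DYNAMIC"},
    "U101": {"EMPLOYEE": "DYNAMIC"},
    "U102": {"EMPLOYEE": "DYNAMIC", "SECURITY_ADMIN": "STATIC"},
}


def evaluate_rules(rules, query_results, ldap_groups) -> Dict[str, Set[str]]:
    """Union of every contributing source's members, per role."""
    membership: Dict[str, Set[str]] = {}
    for role, sources in rules.items():
        members: Set[str] = set()
        for kind, key in sources:
            source = query_results if kind == "QUERY" else ldap_groups
            members |= source.get(key, set())
        membership[role] = members
    return membership


def reconcile(current, membership):
    """Replace each user's dynamic roles with the computed set; statically assigned
    roles are left untouched. Returns (new assignments, ordered change list)."""
    new_roles, changes = {}, []
    users = set(current) | {u for members in membership.values() for u in members}
    for user in sorted(users):
        roles = current.get(user, {})
        static = {r for r, how in roles.items() if how == "STATIC"}
        old_dynamic = {r for r, how in roles.items() if how == "DYNAMIC"}
        new_dynamic = {r for r, members in membership.items() if user in members} - static
        changes += [(user, "REMOVE", r) for r in sorted(old_dynamic - new_dynamic)]
        changes += [(user, "ADD", r) for r in sorted(new_dynamic - old_dynamic)]
        new_roles[user] = {**{r: "STATIC" for r in static}, **{r: "DYNAMIC" for r in new_dynamic}}
    return new_roles, changes


def change_message(changes) -> List[dict]:
    """Body of the message the batch run would publish to subscribing nodes: one entry per user."""
    by_user: Dict[str, dict] = {}
    for user, op, role in changes:
        entry = by_user.setdefault(user, {"user": user, "added": [], "removed": []})
        entry["added" if op == "ADD" else "removed"].append(role)
    return list(by_user.values())


def run_dynamic_rules():
    """One scheduled run over the constructed data: returns (new assignments, message)."""
    membership = evaluate_rules(ROLE_RULES, QUERY_RULE_RESULTS, LDAP_GROUPS)
    new_roles, changes = reconcile(CURRENT_ROLES, membership)
    return new_roles, change_message(changes)
```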

Cross-System Synchronization
If you have multiple PeopleSoft systems, consider how to keep user information synchronized. Synchronization is especially important for the portal deployment, where users are likely to move from one system to another seamlessly. For instance, after completing a transaction in PeopleSoft Human Resources, a user may click a link that takes her directly to PeopleSoft Financials.
If you are using dynamic role assignment, the dynamic role batch program, by default, publishes a message that indicates a particular change. You need to make sure that nodes that require such information changes are configured to subscribe to the message that publishes the changed data. For example, suppose PeopleSoft Financials needs a list of managers for a particular transaction. Because the manager information resides in PeopleSoft Human Resources, PeopleSoft Human Resources publishes any changed information to PeopleSoft Financials to keep the data synchronized.
PeopleSoft security also publishes a message when a user profile changes (if the corresponding Service Operation version is active), which is most useful if you are not using LDAP to store user information. If you store user information in the PeopleSoft system, the message makes sure that password changes are replicated across multiple databases. If you store your user information in a central LDAP server, then the passwords, and so on, are already in a sense synchronized.
You can upgrade permission lists and roles using the PeopleSoft Application Designer upgrade features. For user information, PeopleSoft Data Mover scripts migrate user profiles between systems for upgrades or bulk loads.
Enterprise PeopleTools 8.50 PeopleBook: Security Administration. Copyright © 1988, 2010, Oracle and/or its affiliates. All rights reserved.
