II 1. Securing PeopleSoft Pages

A.     Introduction to PeopleSoft Pages

To understand how PeopleSoft pages are secured, it is important to understand the design architecture of pages available in PeopleSoft.

As discussed in Chapter I, all PeopleSoft applications are built upon a standard set of PeopleTools. All pages available for the users in the PeopleSoft Internet Architecture (PIA) are designed and customized using a specific PeopleTool called Application Designer. This tool allows you to create, utilize, or customize several Oracle® delivered or custom created definitions that make up the PeopleSoft front end application.

To overly simplify the task of developing a new page, the following steps are to be completed, in this order:

  1. Define Fields (PSDBFIELD) – Data elements that are used to capture information
  2. Define and build records (PSRECDEFN, PSRECFIELD) – PeopleSoft’s naming convention for Tables, which are logical combinations of one or more fields put together to capture relevant data
  • Define Pages (panels) ( PSPNLDEFN, PSPNLFIELD) – Graphical user interface to update data in the fields from one or more related records
  1. Define Components (panel groups) (PSPNLGRPDEFN, PSPNLGRP) – Logical grouping of one or more pages that hold information for the same key field in the records
  2. Define Menu (PSMENUDEFN, PSMENUITEM) – Grouping of one or more Components to provide easy access to related components.
  3. Register the component to PIA Navigation, assign initial security

For security administration purposes, any PeopleSoft page is defined by three parameters:

  • MENUNAME
  • COMPONENT
  • PNLNAME

** This information can be found for any PeopleSoft page by using CTRL+J keys once the user has navigated to that page. Newer browser versions may require CTRL+SHIFT+J for displaying this information. Some Administrators disable this functionality in production environment as some of the information displayed here is not suitable for end users.

 

B.     Adding page access to Permission List

  1. Navigate to the page you want to be added to the permission list and hit CTRL+J and copy the page information (menuname, component and page name).
  2. Navigate to PeopleTools à Security à Permissions & Roles à Permission Lists.
  3. On the search page, enter the name of the permission list you want to grant the page access to or click on ‘Add a new value’ tab to create a new permission list.
  4. Once you have the permission list open, go to ‘Pages’ tab.
  5. Check to see if the permission list already has access to the MENUNAME of the page being assigned. If yes, proceed to next step. If no, click on ‘+’ button to open a blank field for the menu name. Add the menu name (saved from CTRL+J information) and hit tab.
  6. The ‘Edit Component’ link now becomes available. Click on the edit components link.
  7. On the Component Permissions page, locate the component name from the CTRL+J information, and click ‘Edit Pages’ link for that component.

* The list of components available in a menu cannot be changed from PIA portal. This is done during the development process.

  1. In the ‘Page Permissions’ page that opens, select the appropriate access to be granted on the specific page for this permission list, and click OK twice then save on the permission list page.

* At least one of the ‘Actions’ should be selected in addition to ‘Authorized’ and/or Display only authorizations.

Read only vs. Update access on PeopleSoft pages:

When adding a page to a permission list, you have the option to make the page available to the user(s) in update mode or read only mode. In the read only mode (referred to as ‘Display only’) users will only be able to see the information presented on the page without being able to edit it. This type of access is useful when you have to grant a user access to a certain page but do not want him/her to be able to modify any data on the page. To grant a page in ‘Display only’ mode, simply select the ‘Display Only’ check box for the page in addition to the ‘Authorized?’ check box (Figure III- 3 Permission List – Page Access). If the ‘Display Only’ check box is unchecked, the page is granted in update mode by default.

Authorized Actions:

Depending upon the design of the PeopleSoft component, users can perform several different kinds of actions on a PeopleSoft page. For example, users are able to add a new data row, update the existing data. Since the “authorized actions” is a critical part of PeopleSoft security that is often misunderstood and not properly granted, we will discuss these in slightly more detail:

ADD: When in non-display only mode, lets the user to add a new row of information. Users cannot see or change existing data if they only have access to ‘Add’.

UPDATE/DISPLAY: When in non-display only mode, lets the user to make changes to the existing data on the page. In the display only mode, the user can see the existing data on the page.

UPDATE/DISPLAY ALL: On the components that store historical information, for example Job Information component stores the entire job history of the employee, UPDATE/DISPLAY ALL lets the user see the history rows while, at the same time, being able to update information in the most current row and save it as current row. The user will NOT be able to save changes to the historical data. In display only mode, the users will be able to see current and historical information.

CORRECTION: In the rare instances where there is need to change historical information on a component, users require “correction” access to make such changes to history. Since changes to historical information have unintended effects on other related information in the system, correction mode should be granted very cautiously to very select super users in the organization. This access is typically granted in conjunction with UPDATE/DISPLAY ALL.

* Not all authorizations are available on all components. The design of the component as well as the options chosen in application designer at the time of development determines the options available to add at the permission list level.

Example of Page access in a permission list:

four

Figure III‑3 Permission List – Page Access

The above screen shot shows that ‘User Self Service’ page is authorized for the specific permission list in non-display only mode with ‘Update/Display’ action. The user with this permission list will be able to go to this page and make changes to the existing data. The user will not be able to add new rows on this page. Due to the data and design of the page, there is no historical data to see or change on this page.

C.       Modify page access to Permission List

  1. Navigate to the page you want to be added to the permission list and hit CTRL+J and copy the page information (menuname, component and page name).
  2. Navigate to PeopleTools à Security à Permissions & Roles à Permission Lists.
  3. On the search page, enter the name of the permission list you want to modify the access.
  4. Once you have the permission list open, go to ‘Pages’ tab.
  5. Locate the menuname of the page you are modifying and click on the edit components link.
  6. On the Component Permissions page, locate the component name from the CTRL+J information and click the ‘Edit Pages’ link for that component.
  7. In the Page Permissions page that opens, select the appropriate access to be granted on the specific page for this permission list and click OK twice and save on the permission list page.

D.     Remove page access from a Permission List

  1. Navigate to the page you want to be added to the permission list and hit CTRL+J and copy the page information (menuname, component and page name).
  2. Navigate to PeopleTools à Security à Permissions & Roles à Permission Lists.
  3. On the search page, enter the name of the permission list you want to modify the access.
  4. Once you have the permission list open, go to ‘Pages’ tab.
  5. Locate the menuname of the page you are modifying and click on the edit components link.
  6. On the Component Permissions page, locate the component name from the CTRL+J information and click ‘Edit Pages’ link for that component.
  7. In the Page Permissions page that opens, click on ‘Deselect All’ button and click OK twice and save on the permission list page.

** You can click on ‘Select All’ button on the component permissions page to grant access to all components under the menu or ‘Select All’ button on the page permissions page to grant access to all pages under the component. Clicking the ‘Select All’ button grants access to all underlying definitions in the non-display only mode with the maximum authorized actions available for each of them.