II 2.Securing PeopleTools

A.     Introduction to PeopleTools

Access to certain development and administration PeopleTools is controlled by assigning specific tools to a permission list that the user has access to. The tools that are secured using the PeopleTools security functionality include:

Navigation:

PeopleTools >> Security >> Permissions & Roles >> Permission Lists >> PeopleTools tab

  1. Application Designer: Application Designer is a Windows client PeopleTool that is primarily used for creating and/or customizing the PeopleSoft application. This includes creation of new pages, editing and/or writing PeopleCode, Application Engine programs, Component Interfaces, etc. We will discuss the access granting to these definitions in the sections below.
  2. Data Mover: PeopleSoft Data Mover, as the name suggests, is a Windows client PeopleTool that is used to import /export data between databases within the same or across different platforms. Data Mover can also be used to execute SQL scripts and other specialized tasks like password encryption.
  3. Definition Security Tool: Definition security is used to control access to the PeopleSoft definitions once the user is logged into Application Designer. For example, the user may have access to update field definitions in Application Designer, but he/she may not be able to make changes to a particular field if that field is secured through definition security and not granted to user. Refer to APPENDIX – A: Definition Security for more information on securing definitions in Application Designer.
  4. Query Tool: In addition to the PeopleSoft Query tool that PeopleSoft has introduced in the recent versions, the legacy Windows client tool for query continues to exist. This tool serves the same purpose as the PeopleSoft Query Manager/Viewer that is available through the PIA. Since the queries executed through the Query client application do not go through the web server, power users prefer the client version over the PIA version of Query.
  5. Performance Monitor PPMI: The Performance Monitor enables you to view and monitor performance of your PeopleSoft systems. Performance monitor is disabled in a new installation by default. You should configure PeopleSoft performance monitor to capture and analyze your PeopleSoft environment. It is typically used to help solve performance issues and/or to analyze usage trends.
  6. Realtime Event Notification (REN): REN servers are used by PeopleSoft applications to push event notifications to users, such as the Reporting Progress output windows. REN server is an application server process and is a part of the PeopleSoft Multi-channel framework (MCF) architecture.
  7. Data Archival: PeopleSoft Data Archive Manager is used to archive PeopleSoft application data as part of regular database maintenance and storage optimization. Historical data from large tables can be safely achieved to improve the performance of the system processing while providing an easy way to query and/or retrieve archived information.

five

Figure III‑4 Permissions list – PeopleTools access

Assigning access to each of these PeopleTools is as simple as selecting the appropriate check box, except for Application Designer, REN and Data Archival which will be discussed below. However, each of these is a powerful development and/or administrative tool that should be restricted to a very small number of users typically within the system administration and support teams.  Access granted to these tools may be more limited in production than in development and non-production SDLC environment for developers and support teams.

B.     Application Designer

For the permission list that you would like to grant access to the Application Designer, go to the PeopleTools tab and select the ‘Application Designer Access’ check box. This enables three hyperlinks (Figure III- 4 Permissions list – PeopleTools access) for different security aspects of the application designer. Let us review each of these links individually:

  1. Definition Permissions: This is used to secure the different types of application designer definitions the user of this permission list is allowed to see and or update. Select the appropriate level of access for each of the object types from the drop down. Users with Full access will be able to view and edit the object type. Users with Read Only access can only open the objects of the particular type but will not be able save changes to those objects. Use No Access to restrict the user from being able to open a specific object type in application designer. Alternatively, you can click on the buttons at the page level to grant full, read only or no-access to all objects at once.

six

Figure III‑5 Permissions List – PeopleTools – Definition Permissions

 

  1. Tools Permissions: These permissions are used to control access to higher level tools that are available through application designer, useful for change control, upgrade and troubleshooting purposes. For more detailed information on the usage on these tools, refer to a PeopleSoft developer’s guide or PeopleBooks. Select the appropriate level of access adjacent to each of the tools from the drop down. The drop down list for each of the tools is different based upon the functionality being provided and should be carefully considered when providing access in production environments. Optionally, you can click on the buttons at the page level to grant full, read only or no-access (minimal or restricted where applicable) to all tools at once.

seven

Figure III‑6 Permission List – PeopleTools – Tools Permission

  1. Miscellaneous Permissions: As the name suggests, these permissions are used to control access to certain aspects of PeopleSoft environment that pertain mostly to the ability to change the look and feel of the application with the exception of Access Profiles permission. Access Profiles are key to the way PeopleSoft system interacts with the database and should not be updated without careful planning and coordination. Identify the access level from the pull down menu for each of the features. Optionally, you can click on the buttons at the page level to grant full, read only or no-access to all objects at once.

eight

Figure III‑7 Permission List – PeopleTools – Miscellaneous Permissions

C.      Realtime Event Notification Permissions

For the permission list that you would like to grant access to the REN setup permissions, go to the PeopleTools tab and click on the ‘Realtime Event Notification permissions’ hyperlink. This will bring you to the REN permissions page. Select the appropriate level of access for each of the object type from the drop down. The only options available are Full Access or No access. Users with Full access will be able to view and edit the object type. Use ‘No Access’ to restrict the user from being able to open a specific object type in application designer. If desired, you can click on the buttons at the page level to grant full or no-access to all objects at once.

nine

Figure III‑8 Permissons List – PeopleTools – REN Permissions

** If you choose to implement Multi-channel framework and REN server configuration, it is important to keep these in mind when implementing and designing security for MCF and REN server. (From PeopleBooks documentation for MultiChannel Framework)

To enable access to the Report-to-Window functionality, add WEBLIB_RPT to the Web Libraries page of the permission list, and set Reporting Window to Full Access on the REN Permissions page.

Grant full access to the MCF CTI Server object only on the permission list that is assigned to the CTI server role. No other users should have MCF CTI Server access.

The user ID that is configured to start the Process Scheduler must have full access to the Reporting Window REN permission on at least one permission list for that user ID. If the user ID does not have full access to the Reporting Window, then the pop-up window stays in a status of queued.

D.     Data Archival

For the permission list that you would like to grant data archival setup permissions, go to the PeopleTools tab and select the appropriate check boxes under the Data Archival section. The security options listed in this group are the various actions required while using PeopleSoft Data Archive Manager to archive PeopleSoft application data. Select the appropriate actions that should be available for the user when using the archive manager.

ten

Figure III‑9 Permission List – PeopleTools – Data Archival