II 3. Securing Processes

A.     Introduction to Processes

PeopleSoft provides several tools for batch processing and reporting of data which are referred to as ‘Processes’. Some of the most common process types are

  • Application Engine programs
  • SQR Processes
  • SQR Reports
  • XML Publisher
  • Cobol processes

For more information on each of these processes, refer to the appropriate PeopleBooks. For the purposes of security administration and the scope of this book, all processes are secured the same way and will be generally referred to as processes.

When a user needs to run a particular process, he or she will navigate to the appropriate page designed to initiate the process. This page, which provides the user with the ability to enter parameters that the user wants to execute the process/report, is called the Run Control Page for the process. Once the user enters any required parameters and clicks on the run button on the run control page, the process is submitted to the process scheduler for execution. The user can then click on the process monitor link to monitor the progress of the process. Once successfully completed, the user is then able to retrieve any report output or log files that are created by the executed process.

For any user to successfully execute a process, two security conditions should be met. First, the user should have update access to the run control page from where the process can be executed. This is controlled similarly to other PeopleSoft page granted on the permissions list. Second, the user should have access to the actual process itself which is verified before the process is submitted to the process scheduler through at least one of the permission lists granted to the user profile. In addition to this access, the user would need certain access on the process scheduler to be able to see, update or cancel the process as well being able to retrieve the output or log files.

Process security and process scheduler access are discussed below. For information on securing run control pages for the process, refer to Permission Lists – Securing PeopleSoft Pages chapter in this book.

Process Group (PRCSDEFNGRP): Every process in PeopleSoft is assigned to one or more process groups. A process group is a logical group id to group similar processes together and is used to for granting security permissions.

Navigate to the Process definition page and go to the ‘Process Definition Options’ tab to identify the process group(s) to which a process is assigned.

Navigation: PeopleTools >> Process Scheduler >> Processes
11

Figure III‑10 Process Definition – Process Groups

B.     Assign Processes to Permission List (PSAUTHPRCS):

  1. Navigate to the process definition page and search for the process you want to grant access to.
  2. In the Process Definition page, go the process definition options tab (Figure III- 10 Process Definition – Process Groups) and note the process groups that the process is assigned to.
  3. Navigate to Permission Lists page and open the permission list you want to assign the access to.
  4. Once you have the permission list open, go to ‘Process’ tab.
  5. Click on the ‘Process Group Permissions’ link.
  6. In the Process Group Permissions page, add the process group of the process copied from the process definition page in the grid.

12

Figure III‑11 Permission List – Process Group – A

13

Figure III‑12 Permission List – Process Group – B

** Note that adding a process group to a permission list grants all the processes that are in the process group to the permission list. Therefore, it is very important to query the PRCSDEFNGRP table to ensure that all the processes included in the process group are appropriate for the permission list. If required, change the process group of the process definition to a different or new group before assigning to the permission list.

C.     Assigning Process Profile Permissions (PSPRCSPRFL)

When a user runs a process or report in PeopleSoft, the run control page allows him/her to set the output destination and printers for auto-printing processes. Also, upon going to the process monitor, either by clicking the ‘Process Monitor’ link on the run control page for a process or by navigating through PeopleTools menu, he/she is able to perform certain actions on the processes submitted to the process scheduler. The access required to perform all such activities are together referred to as Process Profile for the user.

To update or grant process profile permissions to a permission list, go the Process tab of the permission list and click on the ‘Process Profile Permissions’ link

14

Figure III‑13 Permission List – Process – Process Profile

Server Destinations:

File: Default folder location where the process scheduler would place the output files created by the processes run by the user. When this value to set to %%OutputDirectory%% process scheduler uses the default output location defined in the process scheduler configuration.

Printer: The default printer name, as installed on the process scheduler server, to which to send the print jobs.

OS/390 Job Controls: All PeopleSoft Process Scheduler shell JCLs use meta-strings to pass data stored in the database. PeopleSoft Process Scheduler takes advantage of meta-strings to generate the JCL job cards based on the user who initiated the request

Name: (%JOBNAME%) The default OS390 job name that should be assigned in the job card for the jobs submitted

Acct: (%ACCTNAME%) JCL Account Code value to be used in the job card for the jobs submitted.

** The OS/390 Job Controls options applies only to DB2 UDB for z/OS

Allow Process Request:

View By: When set to ‘All’, the user will be able to see the processes submitted by all users in the process monitor. When set to ‘Owner’, the user is able to see only the processes that he/she ran. Setting this value to ‘None’ would restrict the user from being able to see any processes in process monitor. The recommended value for general business user is ‘Owner’.

Update By: When set to ‘All’, the user will be able to make changes such as hold, cancel, delete or restart the processes submitted by all users in the process monitor. When set to ‘Owner’, the user is able to update only the processes that he/she ran. Setting this value to ‘None’ would restrict the user from being able to update any processes in process monitor. Recommended value for the general business user is ‘Owner’.

Allow Requestor To:

Override output destination: Allows the user to change the output of the process from the defined default.

Override Server Parameters: Allows the user to override the server name and run date and time

View Server Status: Allows the user to access the server list tab view in the Process Monitor to check the status of the process scheduler servers

Update Server Status: Allows the user to suspend, restart, or shut down a process scheduler server through the server list tab in Process Monitor.

Enable Recurrence Selection: Allows the user to select a recurring schedule to run the process automatically at selected schedule times. This is done from the run control page at the time of submitting the process to the process scheduler.

** Use ‘Update By – ALL’ and ‘Update Server Status’ options carefully. This access should not be available to regular business end users and should be restricted to system administrator or person responsible for batch process scheduling and monitoring as this could cause potential issues and delays in critical scheduled processes.

** Unlike any other access, the user does not inherit the access granted in the process profile permissions of a permission list through the roles assigned to his profile. The user’s process profile access is defined by the Process Profile Permission List that is assigned directly at the user profile level. See User Profile-General Information section in this book for more details on this.