II_7. Securing Web Services

A.     Introduction to Web Services

PeopleSoft Integration Broker provides a way to integrate with internal and external systems using synchronous and asynchronous messaging. Integration Broker exposes PeopleSoft logic to third-party systems as web services, which are invoked and consumed through the Integration Gateway component of Integration Broker.

As defined in Webopedia, the term Web services describes a standardized way of integrating Web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone. XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the services available and UDDI is used for listing what services are available.

The PeopleSoft system performs a sequence of access validations before invoking the web service called by the external system's request. If a user id and password are provided, the user id must exist as a valid user profile in PeopleSoft and the password must match. If verification fails, PeopleSoft then checks whether the request originated from a trusted node. If yes, the external user associated with the node definition is used for access validation. If no, PeopleSoft associates the request with the Anonymous node and validates access for the user associated with the Anonymous node. The web service is invoked only if at least one of the user ids verified in this validation has a permission list with authorization to invoke the web service called in the message.

For complete details on the web service authentication process, refer to the PeopleSoft Integration Broker PeopleBook.
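An added example, not from the original text or from PeopleSoft: a simplified Python model of the validation sequence described above, showing that a request whose credentials fail is still evaluated under the trusted-node user or the Anonymous-node user. All user ids, node names, permission lists and service names are constructed, and resolving a single user per request is a simplifying assumption.

```python
# Simplified model of the validation sequence in the text; not PeopleSoft code.
# Every user id, node, permission list and service name here is constructed.
FULL, NONE = "Full Access", "No Access"

SAMPLE = {
    # user id -> password (model only) and assigned permission lists
    "users": {
        "HR_INTEG": {"password": "s3cret-sample", "permission_lists": ["HR_WS"]},
        "PARTNER_EXT": {"password": None, "permission_lists": ["PARTNER_PL"]},
        "ANON_USER": {"password": None, "permission_lists": ["ANON_PL"]},
    },
    "trusted_nodes": {"PARTNER_NODE": "PARTNER_EXT"},  # node -> external user
    "anonymous_user": "ANON_USER",  # user associated with the Anonymous node
    # permission list -> {(web service, operation): access level}
    "grants": {
        "HR_WS": {("EMPLOYEE_SVC", "GET_EMPLOYEE"): FULL,
                  ("EMPLOYEE_SVC", "UPDATE_EMPLOYEE"): NONE},
        "PARTNER_PL": {("EMPLOYEE_SVC", "GET_EMPLOYEE"): FULL},
        "ANON_PL": {("PING_SVC", "PING"): FULL},
    },
}

def resolve_user(cfg, user=None, password=None, node=None):
    """Pick the user id to validate, in the order the text describes."""
    profile = cfg["users"].get(user)
    if profile and password is not None and profile["password"] == password:
        return user, "credentials"
    if node in cfg["trusted_nodes"]:
        return cfg["trusted_nodes"][node], "trusted node"
    return cfg["anonymous_user"], "anonymous node"

def is_authorized(cfg, user_id, service, operation):
    """True if any of the user's permission lists grants Full Access."""
    lists = cfg["users"].get(user_id, {}).get("permission_lists", [])
    return any(cfg["grants"].get(pl, {}).get((service, operation)) == FULL
               for pl in lists)

def invoke_allowed(cfg, service, operation, **request):
    """Decision for one request: resolve the user, then check its grants."""
    user_id, _ = resolve_user(cfg, **request)
    return is_authorized(cfg, user_id, service, operation)

def anonymous_exposure(cfg):
    """Operations reachable without valid credentials or a trusted node."""
    ops = {key for grant in cfg["grants"].values() for key in grant}
    return sorted(k for k in ops if is_authorized(cfg, cfg["anonymous_user"], *k))
```

`anonymous_exposure(SAMPLE)` lists what a caller with no valid credentials and no trusted node can still invoke, which is why the permission lists of the Anonymous node's user deserve the same review as any integration user's.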

** Web Services have replaced the Message Channels used in previous PeopleTools versions. Message channels are still supported for backward compatibility but are truly only a part of the web services functionality. If you are using an older version of PeopleTools, refer to the PSAUTHCHNLMON table for access details.

 B.     Assign Web Services to Permission List (PSAUTHWS):

  1. Navigate to the Permission Lists page and open the permission list to which you want to assign web services access.
  2. Once in the permission list, go to the Web Services tab.
  3. In the Web Services grid, enter the name of the Web Service and press Tab.
  4. Click the ‘Edit’ hyperlink that becomes available.
  5. On the Web Services Permissions page, select ‘Full Access’ from the drop-down for the operations that you want the user to be able to access. Select ‘No Access’ for the functions that the user should not be able to call.
  6. Click OK, and save the permission list.

Figure III‑19 Permissions List – Web Services

Figure III‑20 Permission List – Web Services – Web Services Permissions

** You can click the ‘Full Access (All)’ button on the Web Services page directly in the permission list to grant access to all Web Services, or ‘No Access (All)’ to remove access to all Web Services. The Full Access button here gives access to all service operations under all web services. You can also click the ‘Full Access (All)’ button on the Web Service Permissions page to grant access to all service operations for that web service, or ‘No Access (All)’ to remove access to all service operations for that web service.