III 2. Dynamic Roles

PeopleSoft roles can be assigned dynamically (system maintained) or statically (administrator maintained).

Static Roles: When setting up user profiles in PeopleSoft, the security administrator can assign each user one or more roles appropriate for his/her access needs. The security administrator should be notified of all employee changes, possibly through scheduled queries or reports, and should then manually update the affected user profiles. Roles assigned to user profiles manually are referred to as ‘Static Roles’. Maintaining user access through static roles can be tedious and error-prone manual work, especially in large organizations with a significant number of employee changes on a regular basis.

The ‘Members’ tab on the Roles page displays the list of users who have been assigned access to the particular role through static role assignment.

Figure IV‑3 Roles – Members

Dynamic Roles: PeopleSoft provides an automated way of maintaining users’ access to roles through the ‘Dynamic Roles’ functionality. Dynamic roles are specially configured roles that are automatically assigned to the appropriate user profiles based on the specific rules that govern their assignment. The PeopleSoft-delivered DYNROLE_PUBL (Dynamic Role Assignment) process is scheduled to run daily (or more often if necessary). This process goes through each dynamic role and assigns it to any user who matches the configured rule and does not already have the role in their user profile. It also removes the role from any user who previously had the role assigned in their user profile but no longer meets the criteria of the rule. All role access changes are made to the user profiles through Integration Broker web services against the USER_PROFILE component.

** A role set up to be assigned dynamically can also be assigned manually like any other static role. In such cases the dynamic role process WILL NOT remove the role from those user profiles, even when the user does not meet the defined criteria for the role.

Dynamic Roles can be defined using different rule types:

  1. Query Rule Enabled
  2. PeopleCode Rule Enabled
  3. Directory Rule Enabled

Use the ‘Dynamic Members’ tab on the Roles page to enable dynamic assignment for a role and configure the appropriate rule to assign the access.

Figure IV‑4 Roles – Dynamic Members

A.     Dynamic Role – Query Rule Enabled

Query rule enabled dynamic roles use a PeopleSoft query to fetch the list of users who should be granted access to this role.

Steps to configure Query Rule Enabled dynamic rule:

  1. Create a query using the PeopleSoft Query tool with the right criteria for the users who should be assigned access to the role, and save it as a public query of query type ‘Role’.
  2. On the Dynamic Members tab of the Roles page, select the ‘Query Rule Enabled’ check box.
  3. In the ‘Query Rule’ edit box that becomes available, enter the name of the Role rule query created in step 1.
  4. Click the Test rules button to verify the list of users who would be granted access to this role at the current time.
  5. Adjust the criteria in the Role rule query if necessary. Once validated, save the Role.
  6. Click the ‘Execute Rule(s)’ button to run the query rule and assign access immediately. Once DYNROLE_PUBL completes successfully, all changes are synced through Integration Broker web services.
  7. Once all messages are published, click the ‘Refresh’ button to see the list of users who are now assigned this role dynamically.
  8. Confirm or set up a recurring schedule for the DYNROLE_PUBL process to automatically manage the users for this and all other dynamic roles.

Figure IV‑5 Roles – Dynamic Members – Query Rule Enabled

** For the dynamic role maintenance, the query rule should return UNIQUE user ids. Duplicate user ids in the returned results will cause the process to fail due to unique constraints.

** Role rule queries HAVE to be saved as public queries and only the query type ‘Role’ can be used as Query rules for dynamic roles.

** Refer to “Assigning Query Profile permissions” for information on granting access to create public and role type queries.
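The following is an added example, not PeopleSoft code, that models the reconciliation the DYNROLE_PUBL process performs for one role as described above: users matched by the rule are added, users holding the role dynamically who no longer match are removed, statically assigned users are left alone, and a rule result containing duplicate user ids fails the run, as required by the uniqueness note for each rule type. The role name, user ids and membership rows are constructed for the example; the RoleMember structure and the static/dynamic flag are assumptions of this model, not PeopleSoft table definitions.

```python
# Added example: a small model of the reconciliation performed by the dynamic role
# process for one role.  Illustration code only, not PeopleSoft's implementation;
# the data structures and sample user ids are constructed for this example.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RoleMember:
    """One row of a role's membership: the user id and how the role was assigned."""
    oprid: str
    dynamic: bool  # True = assigned by the dynamic role process, False = static (manual)


class DuplicateRuleResult(ValueError):
    """The rule returned the same user id more than once (violates the unique constraint)."""


def find_duplicates(rule_users: Iterable[str]) -> List[str]:
    """Return the user ids that appear more than once in a rule's result, sorted."""
    seen, dupes = set(), set()
    for oprid in rule_users:
        if oprid in seen:
            dupes.add(oprid)
        seen.add(oprid)
    return sorted(dupes)


def reconcile(current_members: Iterable[RoleMember],
              rule_users: Iterable[str]) -> Tuple[List[str], List[str], List[str]]:
    """Compute what the dynamic role process would do for one role.

    Returns (to_add, to_remove, static_holdouts):
      to_add          - users matched by the rule who do not yet hold the role
      to_remove       - users holding the role dynamically who no longer match the rule
      static_holdouts - users holding the role statically who no longer match the rule;
                        the process leaves these in place, so they are reported for
                        administrator review rather than removed
    Raises DuplicateRuleResult if the rule result is not unique, mirroring the
    process failure described in the notes.
    """
    rule_users = list(rule_users)
    dupes = find_duplicates(rule_users)
    if dupes:
        raise DuplicateRuleResult(f"rule returned duplicate user ids: {dupes}")
    wanted = set(rule_users)
    have = {m.oprid: m for m in current_members}

    to_add = sorted(u for u in wanted if u not in have)
    to_remove = sorted(u for u, m in have.items() if m.dynamic and u not in wanted)
    static_holdouts = sorted(u for u, m in have.items() if not m.dynamic and u not in wanted)
    return to_add, to_remove, static_holdouts


# Constructed sample data: current members of a hypothetical PAYROLL_ANALYST role.
SAMPLE_MEMBERS = [
    RoleMember("ALICE", dynamic=True),   # still matches the rule: unchanged
    RoleMember("BOB", dynamic=True),     # no longer matches: process removes it
    RoleMember("CAROL", dynamic=False),  # static and no longer matches: process keeps it
    RoleMember("DAVE", dynamic=False),   # static and matches: unchanged
]

# Constructed sample rule result (what the Role query, PeopleCode or directory rule returned).
SAMPLE_RULE_RESULT = ["ALICE", "DAVE", "ERIN"]


if __name__ == "__main__":
    to_add, to_remove, holdouts = reconcile(SAMPLE_MEMBERS, SAMPLE_RULE_RESULT)
    print("assign dynamically :", to_add)     # ['ERIN']
    print("remove dynamically :", to_remove)  # ['BOB']
    print("static, review     :", holdouts)   # ['CAROL']
    print("duplicates in ['A', 'B', 'A']:", find_duplicates(["A", "B", "A"]))  # ['A']
```

When a role uses more than one directory rule, pass the concatenated results of all rules as rule_users; the duplicate check then applies to their union, which is the condition the directory rule note describes. The static_holdouts list is the piece worth scheduling as a report: it is the set of users the automated process will never clean up on its own.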

B.     Dynamic Role – PeopleCode Rule Enabled

In cases where the criteria for assigning the dynamic role are too complicated to express through PeopleSoft queries, developers can instead use PeopleCode to return the list of users appropriate for the role. This allows developers to apply complex conditions and validations to the list of users. As with all PeopleCode library functions, this PeopleCode should be saved in a FUNCLIB derived record.

Steps to configure PeopleCode Rule Enabled dynamic rule:

  1. Create a PeopleCode function that returns the valid list of user ids to be granted access for this role, and save it as FieldFormula PeopleCode in a FUNCLIB record.
  2. On the Dynamic Members tab of the Roles page, select the ‘PeopleCode Rule Enabled’ check box.
  3. In the ‘PeopleCode Rule’ section that appears, enter in the Record field the name of the FUNCLIB record where the required PeopleCode function is stored.
  4. In the Field Name and Event boxes respectively, enter the name of the field of the FUNCLIB record on which the PeopleCode is stored and select the PeopleCode event that holds the function.
  5. In the Function edit box, enter the name of the PeopleCode function that returns the required list of users for this role.
  6. Click the Test rules button to verify the list of users who would be granted access to this role at the current time.
  7. Adjust the criteria in the Role rule PeopleCode if necessary. Once validated, save the Role.
  8. Click the ‘Execute Rule(s)’ button to run the PeopleCode rule and assign access immediately. Once DYNROLE_PUBL completes successfully, all changes are synced through Integration Broker web services.
  9. Once all messages are published, click the ‘Refresh’ button to see the list of users who are now assigned this role dynamically.
  10. Confirm or set up a recurring schedule for the DYNROLE_PUBL process to automatically manage the users for this and all other dynamic roles.

Figure IV‑6 Roles – Dynamic Members – PeopleCode Rule Enabled

** For the dynamic role maintenance, the PeopleCode function should return UNIQUE user ids. Duplicate user ids in the returned results will cause the process to fail due to unique constraints.

** The user id executing the dynamic role process should have access to the FUNCLIB record and the FieldFormula PeopleCode used to define the role rule. Refer to “Permission Lists – Web Libraries” for information on how to grant this access.

** Refer to the PeopleSoft PeopleCode Developer’s guide PeopleBook for information on PeopleCode functions.

C.      Dynamic Role – Directory Rule Enabled

If an enterprise directory, such as an LDAP directory, is used for user authentication and mapping, it is possible to use the user groups already configured in the directory as the rule for the list of users to be granted the dynamic role. This keeps user access in sync between the enterprise directory and the PeopleSoft application where applicable. For example, if the directory already has a separate group holding all the Payroll Analysts, PeopleSoft can use that group to grant the PeopleSoft application role(s) appropriate for Payroll Analysts instead of having to create a new query or PeopleCode for the same list of users.

The Dynamic Role Publish process uses the DynRoleMembers function stored on OPRID field of the FUNCLIB_LDAP derived record to execute a directory search to get the list of users from the LDAP directory.

Steps to configure Directory Rule Enabled dynamic rule:

  1. Create the Role Membership Rule for the User Profile mapping in the LDAP directory configuration.
  2. On the Dynamic Members tab of the Roles page, select the ‘Directory Rule Enabled’ check box. Note that the ‘PeopleCode Rule Enabled’ check box is automatically checked and its values filled in.
  3. Click the ‘Assign Directory Rule’ hyperlink and select the appropriate directory rule for the role.
  4. Click the Test rules button to verify the list of users who would be granted access to this role at the current time.
  5. Adjust the criteria in the Directory Role rule if necessary. Once validated, save the Role.
  6. Click the ‘Execute Rule(s)’ button to run the directory rule and assign access immediately. Once DYNROLE_PUBL completes successfully, all changes are synced through Integration Broker web services.
  7. Once all messages are published, click the ‘Refresh’ button to see the list of users who are now assigned this role dynamically.
  8. Confirm or set up a recurring schedule for the DYNROLE_PUBL process to automatically manage the users for this and all other dynamic roles.

Figure IV‑7 Roles – Dynamic Members – Directory Rule Enabled

** For the dynamic role maintenance, the union of the used Directory Rule(s) should return UNIQUE user ids. Duplicate user ids in the returned results will cause the process to fail due to unique constraints.

** The user id executing the dynamic role process should have access to the FUNCLIB_LDAP record and the DynRoleMembers FieldFormula PeopleCode used by the Directory Role Rule process. Refer to “Permission Lists – Web Libraries” for information on how to grant this access.

** Refer to ‘System Security – LDAP Authentication’ for information on configuring Role Membership Rules for directory.