I. Introduction to PeopleSoft Security

Oracle PeopleSoft­­® is one of the leading ERP applications used in large and medium sized private and government organizations as well as educational institutions. It provides robust, delivered functionality to address standard business processes in human resources, accounting, and customer service amongst several others. Oracle PeopleSoft® is delivered as several independent applications which work as stand-alone applications that are able to seamlessly sync with other PeopleSoft® and non- PeopleSoft ERP applications used to manage another part of the entity’s business. The most popular PeopleSoft® applications are:

  • Oracle® PeopleSoft® Human Capital Management
  • Oracle® PeopleSoft® Financials and Supply Chain Management
  • Oracle® PeopleSoft® Customer Relationship Management
  • Oracle® PeopleSoft® Enterprise Performance Management
  • Oracle® PeopleSoft® Enterprise Portal Solutions
  • Oracle® PeopleSoft® Enterprise Learning Management

One of the key advantages for enterprises to use Oracle® PeopleSoft® applications for multiple business areas is that all of the PeopleSoft® applications share a standard tool set for implementation, upgrade, administration and customization. This singular tool set provides a common look and feel for the business users while operating in various PeopleSoft® applications, reducing the maintenance and support costs for the organization. The IT team can learn one set of tools which can be used to provide support for any of the PeopleSoft® applications. PeopleSoft® refers to this core of common tools upon which each of the PeopleSoft® applications are built as PeopleTools®. Below is a list (not-comprehensive) of PeopleTools provided with PeopleSoft® applications:

·         Application Designer ·         PeopleCode
·         Application Engines ·         Data Mover
·         Process Scheduler ·         PSADMIN
·         PeopleSoft Query ·         PeopleSoft Internet Architecture
·         Security Administration ·         XML Publisher
·         Workflow Technology ·         PeopleSoft Tree Manager
·         PS n/Vision ·         SQR
·         Integration Broker ·         Change Assistant
·         Setup Manager ·         Test Framework
·         Cobol ·         Component Interfaces

 

As identified in above, Security Administration is defined as a separate PeopleTool in itself. However, PeopleSoft security is an all-encompassing set of tools that lay on top of the PeopleSoft tools and application modules that control the functionality made available to the user at run-time. This book will spend most of the time discussing PeopleSoft security and how it is used to secure PeopleSoft Human Capital Management along with the PeopleTools that form the base for these applications. Most of the principles and methods discussed in this book can be applied to other PeopleSoft enterprise applications barring a few application specific security features that differ between each of the applications.

PeopleSoft Security can be broadly divided into three main areas:

  1. Function security – What can a user do in a PeopleSoft system? Ex: Page access, Run queries, Component Interfaces, etc.
  2. Data/Row level security – What specific data can a user access once the user gets to a certain page? Ex: Employees of specific departments
  3. System security – What general system wide security controls are imposed on users? Ex: Password controls, authentication methods, session expirations, etc.

 

A.     Function security: What can a user do in a PeopleSoft system?

Once a user gains access into a PeopleSoft application, he/she is presented with a home page that provides a list of all the pages (commonly referred to as components) that a user has been granted access to. Access to each of these pages can either be available in update or display only. Users are specifically granted the ability to run programs, create and/or run queries against the database, component interfaces, etc. All access authorizations that grant the user the ability to update or view something in the system are controlled by the roles assigned to the user’s profile, which in turn have one or more permission lists associated with them.

** Display Only access is also referred to as Read Only access. In this mode, users can only see the information displayed without being able to edit any values.

  1. User Profile: This is a unique identifier associated with every user that logs into the PeopleSoft application. A user profile is a combination of user id, password and roles assigned along with several other attributes that define the way a user logs in and accesses the PeopleSoft application.
  2. Roles: Each user profile is granted access to the various functions in PeopleSoft by the roles assigned to it. A role is logical combination of one or more permission lists that are grouped together for ease of assignment and maintenance.
  3. Permission List: A permission list is a combination of several page and non-page access permissions in PeopleSoft that grant access to various functions in the applications. Permission lists are the basic building block of PeopleSoft security where all the access is assigned. Typically access is added to a permission list that is then assigned to one or more roles. Roles are then assigned to the user profile which inherits all the access granted to all the Permission lists assigned in his roles. There are, however, some access permissions that are directly granted at the user profiles, and they will be discussed in the later chapters.

Figure II 1: Relationship between permission list, roles and users

Figure I‑1: Relationship between permission list, roles and users

 

Principle of cumulative maximum access:

PeopleSoft security access follows a cumulative maximum method during run time, which means that the user will be presented with the maximum level of access granted by all permission lists assigned via all roles granted to the user. If the user has access to the same page through multiple permission lists, one or more with display only and one or more with update access, PeopleSoft considers update access as maximum access and presents the user with update access when navigating to the page. The same methodology is applicable to the authorized actions available to the users on the component. If a user has access to the same page but with different authorized actions, PeopleSoft will present the component with the maximum level of access granted through all permission lists available to the user. Therefore, it is important to check all permission lists that have access to a page or component when determining the level of access granted to the user.

 

B.     Data/Row Security: What filters the data visible on the pages?

Once the user navigates his way to one of the pages he has access to that was granted through the function security permission lists, the data visible to him on these pages can be restricted by the data security permission lists assigned to his profile. The data visible to the user is restricted differently in different PeopleSoft systems and sometimes varies within the same PeopleSoft system depending upon the component (page) being accessed. The data security permission lists are also referred to as row level security permission lists.

Aspects of Data security: Depending upon the specific PeopleSoft application there are different tools provided for securing data. In PeopleSoft HCM Applications, row level security is provided through:

  • Security by department tree
  • Security by permission list
  • Time and Labor security

 

C.      System Security: How is the PeopleSoft system secured from threats?

 

These PeopleTools set of security controls allows security administrators to control the overall security settings for the system. These controls work in conjunction with the organization’s network security to secure the PeopleSoft system as a whole. These security controls are generally applicable at the system level instead of the individual user level.

Aspects for System Security include:

  • Authentication Process in PeopleSoft
  • Password controls
  • LDAP Authentication
  • Single Sign-On among PeopleSoft systems
  • Forgot Password utility

There are a few other security features provided by PeopleSoft which are not covered in this book as they require expert level knowledge in technologies out of the scope of this book.

  • Encryption and Digital certificates
  • Web Services security
  • Sign-on PeopleCode edits
  • Single Sign-on with Non-PeopleSoft systems