EmpowHR Security Overview


Agenda

• Application Security Administration
• Permission List
• Roles
• User Profiles
• Row level security
• Distributed Security Administration

Application Security

An application security definition refers to a collection of related security attributes that you create using PeopleTools Security. The three main PeopleSoft security definition types are:

• Permission list
• Roles
• User Profiles

Permission List

Navigation: PeopleTools > Security > Permissions & Roles > Permission Lists

Permission lists are the building blocks of user security authorizations. You typically create permission lists before you create user profiles and roles.

Permission lists may contain any number of permissions, such as page permissions, PeopleTools permissions, and process permissions.

Defining Page Permissions

Pages are contained within components, which are ultimately contained within a menu name.

Page permissions refer to the pages to which a user has access.

Defining CI Permissions

Grant access to any component interfaces that a user may need to use to complete business transactions.

Defining Query Permissions

Control the query operations a user can perform and the data a user can access while using PeopleSoft online Query.

Roles

Navigation: PeopleTools > Security > Permissions & Roles > Roles

Roles are intermediate objects that exist between permission lists and user profiles. A role combines a set of permission lists into a meaningful collection.

The View Definition link will display the permission list definitions.

Defining Role Options

The Members tab is used to view the current list of users assigned to the role.

Defining Role Options

Options to enable PeopleSoft Workflow notification. Users can notify others of data on a PeopleSoft page through email or worklists.

Defining User Profiles

Permission lists are assigned to roles, with the exception of the following, which are assigned directly to the user ID: Navigator Homepage, Process Profile, Primary Permission List, and Row Security.

Defining User Profiles

Navigator Homepage: Associated with PeopleSoft Navigator maps.

Process Profile: Defines a user’s access for running batch processes through PeopleSoft Process Scheduler. For example, the process profile is where users are authorized to view output, update run locations, and restart processes.

Primary: Defines a user’s organization default values, such as Business Units, SetID and Company.

Row Security: Defines a user’s access to the rows of data in the system.

Defining User Profiles

ID types and Attribute Name enable you to link user types with the records that are most relevant when a user interacts with the system (i.e., ESS/MSS).

User Profiles

Navigation: PeopleTools > Security > User Profiles > User Profiles

User profiles define individual PeopleSoft users. You define user profiles and then link them to one or more roles.

Defining User Profiles

Select an alternate role user to receive routings sent to this role user. Use this option when the role user is temporarily out (for example, on vacation or on leave).

Defining User Profiles

The Audit page is a display-only page that enables you to determine:

• When a profile was last updated.
• Who updated the profile.

Understanding Row level security

Row level security refers to controlling access to the rows of data in the system with security search views. It enables the system to ensure that users have access only to the data to which you have granted them access.

[Diagram: how permission lists are created, assigned data permission, and assigned to users]

Understanding Row level security

The Permission List relationship to the Department Security Tree is what defines the Permission List as a Row-Security Permission List. SETIDs, associated DEPTIDs, and Access Codes are what set apart a Row-Security Permission List from a standard application Permission List.

Navigation: Setup HRMS > Security > Department Security > Setup Security Access

Understanding the Department Security Tree

A security tree represents the organization's security hierarchy. Security trees enable you to grant / deny access to an employee's data by granting access to the DEPTID to which they report.

Navigation: Tree Manager > Tree Viewer
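
The following Python sketch is an added illustration, not part of the original deck or of EmpowHR. It models how a row-security permission list's SETID, DEPTID and access-code entries resolve against a department security tree. The tree, DEPTIDs, permission list names, the "Y"/"N" access codes and the rule that the nearest tree node with an entry decides are all assumptions made for the example.

```python
# Added illustration: simplified model of row-level security resolved through
# a department security tree. All DEPTIDs and list names are constructed.

# child DEPTID -> parent DEPTID (None marks the root node of the tree)
TREE = {
    "10000": None,
    "11000": "10000",
    "11100": "11000",
    "11200": "11000",
    "12000": "10000",
}

# Row-security permission list -> {(SETID, DEPTID): access code}
# Assumed access codes: "Y" grants access, "N" denies it.
ROWSEC = {
    "ZRS_HR_EAST": {("SHARE", "11000"): "Y", ("SHARE", "11200"): "N"},
    "ZRS_HR_ALL": {("SHARE", "10000"): "Y"},
}


def effective_access(rowsec_list, setid, deptid, tree=TREE, rowsec=ROWSEC):
    """Walk from deptid up to the root; the nearest node with an entry decides.

    No entry anywhere on the path means no access (default deny).
    """
    if deptid not in tree:
        return False  # department is not on the tree, so nothing is inherited
    entries = rowsec.get(rowsec_list, {})
    node, seen = deptid, set()
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in security tree at {node}")
        seen.add(node)
        code = entries.get((setid, node))
        if code is not None:
            return code == "Y"
        node = tree.get(node)
    return False


def visible_departments(rowsec_list, setid, tree=TREE, rowsec=ROWSEC):
    """All DEPTIDs whose employee rows the permission list can see."""
    return sorted(d for d in tree
                  if effective_access(rowsec_list, setid, d, tree, rowsec))
```

Listing `visible_departments` for each row-security permission list gives a quick review of which departments a grant near the top of the tree actually exposes.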

Distributed Security Administration

As the user population increases in size, it can become impractical for one person to centrally administer all EmpowHR user profiles. You can distribute some or all user profile administration tasks by enabling selected users to use the Distributed User Profiles component. Currently this is only enabled in DHS.

The pages in the Distributed User Profiles component are identical to the corresponding pages in the User Profiles component, except that its User Roles page doesn’t include links for editing the assigned roles.

You can restrict who can use the component, which users they can administer, and what roles they can grant, based on the roles to which they themselves belong.

Implementing Distributed Security

Use permission lists and roles to configure security to give your selected remote security administrators access to the Distributed User Profiles component (USERMAINT_DIST).

Implementing Distributed Security

Use the Role Grant page in the Roles component (ROLEMAINT) to specify which roles your remote security administrators can grant with the Distributed User Profiles component.

Implementing Distributed Security

Navigation: PeopleTools > Security > User Profiles > Distributed Set Up

Use the Set Distributed User Profile Search Record page to define a search record that returns only the user IDs that you want remote security administrators to be able to administer.

The default search record is PSOPRDEFN_SRC. We defined our own search record (Z_PSOPRDEFN_SRC) to be more restrictive by Primary Permission List.

Administering Distributed User Profiles

Navigate to: PeopleTools > Security > User Profiles > Distributed User Profiles

Clicking the “Search” button will display only the User IDs within the Administrator’s own component.

This is determined by the search record you specified on the Set Distributed User Profile Search Record page.

Administering Distributed User Profiles

The roles that a given remote security administrator can grant are determined by the selections that you made on the Roles - Role Grant page.
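
The following Python sketch is an added illustration, not part of the original deck or of EmpowHR. It shows a review of Role Grant settings: which roles a remote security administrator may grant directly, which requested roles must be rejected, and which roles become reachable only through a chain of grants. All role names and user IDs are constructed, and the chained-grant check assumes that anyone holding a granted role could in turn use its Role Grant entries.

```python
# Added illustration: audit of Role Grant settings for distributed admins.
# All role names and user IDs below are constructed sample data.

# role -> roles that a member of that role may grant (Roles - Role Grant page)
ROLE_GRANT = {
    "Z_DIST_ADMIN": {"Z_HR_CLERK", "Z_HR_SUPERVISOR"},
    "Z_HR_SUPERVISOR": {"Z_DIST_ADMIN"},  # delegation loop worth reviewing
    "Z_HR_CLERK": set(),
}

# user ID -> roles currently assigned to that user profile
USER_ROLES = {
    "RADMIN1": {"Z_DIST_ADMIN"},
    "CLERK7": {"Z_HR_CLERK"},
}


def grantable_roles(admin, user_roles=USER_ROLES, role_grant=ROLE_GRANT):
    """Roles the admin may grant directly: union over the admin's own roles."""
    allowed = set()
    for role in user_roles.get(admin, ()):
        allowed |= role_grant.get(role, set())
    return allowed


def rejected_roles(admin, requested, user_roles=USER_ROLES, role_grant=ROLE_GRANT):
    """Requested roles that fall outside what the admin is allowed to grant."""
    return sorted(set(requested) - grantable_roles(admin, user_roles, role_grant))


def chained_only_roles(admin, user_roles=USER_ROLES, role_grant=ROLE_GRANT):
    """Roles reachable only by chaining grants, never by a direct grant.

    A non-empty result means a grantable role carries its own Role Grant
    entries, so delegation extends further than the direct list suggests.
    """
    direct = grantable_roles(admin, user_roles, role_grant)
    frontier, seen = list(direct), set()
    while frontier:
        role = frontier.pop()
        if role in seen:
            continue
        seen.add(role)
        frontier.extend(role_grant.get(role, ()))
    return sorted(seen - direct)
```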