Advanced PeopleSoft Security Audit · PeopleSoft determines which data permissions to grant a user...

Advanced PeopleSoft Security Audit

David Pigman

SpearMC Consulting www.spearmc.com

1

2

AGENDA

• About SpearMC

• Objectives

• User Profile Flow / Records

• Application Object Hierarchy / Records

• Portal Objects

• Sample Queries

• Q & A

5/27/2012 2

3

SpearMC is a full-service consulting and

technology services firm with specific focus on

PeopleSoft Financials

Our consultants and network of PeopleSoft

Analysts, Technical Leads and Project Managers

average fifteen years of PeopleSoft

experience

We are North America’s leading provider of

custom-tailored PeopleSoft Financial training

solutions and educational content development.

It is our mission to provide the highest levels of

professional service at competitive rates

ABOUT SPEARMC

David Pigman, Technical Architect

[email protected]

866-SPEARMC x802

About the Author

mailto:[email protected]

5

• Learn the record definitions and views that support PeopleSoft

security

• Resolve highly complex security data into views for use with

PeopleSoft Query

OBJECTIVES

6

USER PROFILE FLOW

User Profile (UserID/OPRID)

Record - PSOPRDEFN Primary Permission List and Row Security Permission List

(Row Level Security) Record - PSOPRDEFN

Process Profile Permission List Record - PSOPRDEFN

Roles Join Record – PSROLEUSER

Record - PSROLEDEFN

Permissions Lists Join Record - PSROLECLASS

7

User Profile (UserID/OPRID)

Record - PSOPRDEFN

Primary Permission List and Row Security Permission List

(Row Level Security) Record - PSOPRDEFN

Process Profile Permission List Record - PSOPRDEFN

Roles Record - PSROLEUSER

PeopleSoft determines which data permissions to grant a user by looking at the user's Primary Permission List and Row Security Permission List. Which one is used varies by application and data entity (Employee, Customer, Vendor, Business Unit, etc.) PeopleSoft determines Mass Change, and Object Security permissions from the Primary Permission List.

USER PROFILE FLOW

8

Permissions Lists Join Record – PSROLECLASS

Record - PSCLASSDEFN

Sign-On Record - PSAUTHSIGNON

Pages/Menu Items Record - PSAUTHITEM

Process Group Record - PSAUTHPRCS

Query Record - SCRTY_QUERY

Application Designer Record - PSAUTHITEM

Message Monitor Record - PSAUTHCHNLMON

Component Interface Record - PSAUTHBUSCOMP

Misc. Tools

USER PROFILE FLOW

9

Operator Definition (PSOPRDEFN)

OPRID (User ID) EMPLID (EmplID) OPRCLASS (Primary Permission List) ROWSECCLASS (Row Security Permission) PRCSPRFLCLS (Process Profile Permission List) LASTUPDOPRID (Last Update User ID) LASTUPDDTTM (Last Update Date/Time)

Role Definition (PSROLEDEFN)

ROLENAME (Role Name)

ROLETYPE (Role Type) - U-User or Q-Query to route

Workflow

LASTUPDOPRID (Last Update User ID)

LASTUPDDTTM (Last Update Date/Time)

Role User (PSROLEUSER)

ROLEUSER (User/Operator ID) - based on OPRID


DYNAMIC_SW (Dynamic)

RECORD DEFINITIONS – PEOPLESOFT SECURITY

10

Permission Lists Definition (PSCLASSDEFN)

CLASSID (Permission List)

CLASSDEFNDESCR (Permission List Description)

TIMEOUTMINUTES (Time-out Minutes)

STARTAPPSERVER (Can Start Application Server)

ALLOWPSWDEMAIL (Allow Password to be EMailed)

LASTUPDOPRID (Last Update User ID)

LASTUPDDTTM (Last Update Date/Time)

Role Classes (PSROLECLASS)



Authorized Signon Period (PSAUTHSIGNON)


DAYOFWEEK (Day Of Week)

STARTTIME (Start Time)

ENDTIME (End Time) Process Profile (PSPRCSPRFL)


SRVRDESTFILE (Server File Destination)

SRVRDESTPRNT (Server Print Destination)


11


Authorized Process Groups (PSAUTHPRCS)


PRCSGRP (Process Definition Group)

PS/Query Profile (SCRTY_QUERY)


QRY_RUN_ONLY (Only Allowed to run Queries)

QRY_CREATE_PUBLIC (Allow create of Public Queries)

QRY_CREATE_WFLOW (Allow create of Wrkflw Query)

QRY_MAX_FETCH (Maximum Rows Fetched)

QRY_MAX_RUN (Maximum Run Time in Minutes)

QRY_ADV_DISTINCT (Allow use of Distinct)

QRY_ADV_ANY_JOIN (Allow use of Any Join)

QRY_ADV_SUBQUERY (Allow use of Subquery/Exists)

QRY_ADV_UNION (Allow use of Union)

QRY_ADV_EXPR (Allow use of Expressions)

QRY_MAX_JOINS (Maximum Joins Allowed)

12


Access Group Security (SCRTY_ACC_GRP)


TREE_NAME (Tree Name)

ACCESS_GROUP (Access Group)

ACCESSIBLE (Accessible)

Component Interface Security (PSAUTHBUSCOMP)


BCNAME (Business Component Name)

BCMETHOD (Method)

AUTHORIZEDACTIONS (Authorized Actions)

Authorized Menu Items (PSAUTHITEM)


MENUNAME (Menu Name) - prompts PSMENUDEFN

BARNAME (Bar Name)

BARITEMNAME (Bar Item Name)

PNLITEMNAME (Page Item Name)

DISPLAYONLY (Display Only)

AUTHORIZEDACTIONS (Authorized Actions)

13

Chosen Record s

PSOPRDEFN (Operator Definition)

PSROLEUSER (Role User)

PSROLECLASS (Role Classes)

PSCLASSDEFN (Permission Lists Definition)

PSROLEDEFN (Role Definition)

Fields Order

ROLEUSER (UserID) 1

OPRDEFNDESC (User ID Descr)

ROLENAME (Role Name) 2

DESCR (Role Descr)

CLASSID (Permission List) 3

CLASSDEFNDESC (Perm List Descr)

QUERY DEFINITION: SMC_CO_USPMRL – USERIDS ROLES PERMS

14

Query Criteria

QUERY DEFN: SMC_CO_USPMRL – USERIDS, ROLES &PERMISSIONS

15

Prompt Edit - ROLEUSER

QUERY DEFN: SMC_CO_USPMRL – USERIDS, ROLES &PERMISSIONS

16

QUERY RESULTS: SMC_CO_USPMRL – USERIDS, ROLES &PERMS

17

Navigation: PeopleTools - Security - Permission & Roles - Permission Lists. Select the PeopleTools Tab

PeopleTools Permissions

Menu Names (PSAUTHITEM.MENUNAME)

DATA_MOVER – Data Mover Access

APPLICATION_DESIGNER – Application Designer Access

OBJECT_SECURITY – Definition Security Access

QUERY_MANAGER – Query Access

PERFMONPPMI – Performance Monitor PPMI Access

PERMISSION LIST – CHECK BOXES

Data Archival Fields for Record PS_ARCH_SECURITY

ARCH_SEC_EDIT - Run SQL

ARCH_SEC_RUN – Edit SQL

18

Navigation: PeopleTools - Security - Permission & Roles - Permission Lists. General Tab

Permission List General/Time-out Minutes

Fields for Record PSCLASSDEFN

STARTAPPSERVER – Can Start Application Server?

ALLOWPSWDEMAIL– Allow Password to be Emailed?

SERVERTIMEOUT – Never Time-out &

Specific Time-out (minutes)


19

Navigation: PeopleTools -> Security -> Permission & Roles -> Perm Lists. Select the Query Tab and Click Query Profile

Permission List Query Profile Fields for Record SCRTY_QUERY

QRY_RUN_ONLY - Only Allowed to run Queries

QRY_CREATE_PUBLIC - Allow create of Public Queries

QRY_CREATE_WFLOW - Allow create of Workflow Query

QRY_MAX_FETCH - Maximum Rows Fetched

QRY_MAX_RUN - Maximum Run Time in Minutes

QRY_ADV_DISTINCT - Allow use of Distinct

QRY_ADV_ANY_JOIN - Allow use of 'Any Join'

QRY_ADV_SUBQUERY - Allow use of Subquery/Exists

QRY_ADV_UNION - Allow use of Union

QRY_ADV_EXPR - Allow use of Expressions


20

Record s Definitions

PSAUTHITEM (Authorized Menu Item)

PSCLASSDEFN (Permission Lists Definition)

Fields Order

CLASSID (Permission Lists)

CLASSDEFNDESC (Permission List Descr)

MENUNAME (Menu Name)

Query Criteria

SCM_CO_DATA_MOVER_PM – DATA MOVER ACCESS PM

21

QUERY RESULTS: SMC_CO_DATA_MOVER_PM – DATA MOVER ACCESS PM

22

APPLICATION OBJECT HIERARCHY

Menu Group – PSMENUDEFN (Record) Name: Administer Workforce

Menu Name– PSMENUDEFN Object: – MAINTAIN_VENDORS Descr: – (Blank)

Menu Item– PSMENUITEM Keys: Menu, Menu Bar, Menu Item, Component Menu: MAINTAIN_VENDORS/(blank) Menu Bar: USE/Use Menu Item: VENDOR_INFORMATION/ Vendor Information Component: VNDR_ID/Vendors

Component – PSPNLGRPDEFN PNLGRPNAME Object/Descr: VNDR_ID1_SUM/Vendor Summary VNDR_ID1/Vendor ID VNDR_ADDRESS/Vendor Address VNDR_CONTACT/(blank) VNDR_LOC/(blank) VNDR_CUSTOM/User Definable Vendor Fields Etc... ACTION - Add - Update/Display – Update/Display All – Correction

Component/Page– PSPNLGROUP (Record) Keys: Component/Page Table used to join Components to Pages

Page – PSPNLDEFN Object: VNDR_ID_SUM/Vendor Summary

23

Menu Item (PSMENUITEM)

MENUNAME (Menu Name) - prompts Menu Definition (PSMENUDEFN)

BARNAME (Menu Bar Name)

ITEMNAME (Item Name) *** Links to PSAUTHITEM.BARITEMNAME

ITEMNUM (Item Number)

ITEMTYPE (Item Type)

PNLGRPNAME (Component Name) *** Links to PSPNLGROUP.PNLGRPNAME

MARKET (Market)

BARLABEL (Menu Bar Label)

ITEMLABEL (Menu Item Label) *** Label for ITEMNAME - shows in the Navigation

XFERCOUNT (Page Transfer Count)

SEARCHRECNAME (Search Record Name)

RECORD DEFINITIONS – APPLICATION OBJECTS

Menu Definition (PSMENUDEFN)

• MENUNAME (Menu Name)

• MENUGROUP (Menu Group)

• MENULABEL (Menu Label)

24

Component Group Definition (PSPNLGRPDEFN)

PNLGRPNAME (Component Name)

MARKET (Market)

SEARCHRECNAME (Search Record Name)

ACTIONS (Actions)


25

Component Group (PSPNLGROUP)

PNLGRPNAME (Component Name) - base d on

Component Definition (PSPNLGRPDEFN)

MARKET (Market)

PNLNAME (Page Name) - base d on Page Definition

(PSPNLDEFN)

SUBITEMNUM (Sub Item Number)

ITEMNAME (Item Name)

ITEMLABEL (Menu Item Label)

FOLDERTABLABEL (Folder Tab Label)

HIDDEN (Hidden)

Page Definition (PSPNLDEFN)

PNLNAME (Page Name)

LANGUAGE_CD (Language Code)

PNLTYPE (Page Type)


26

APPLICATION OBJECT – VENDOR PAGE

27

APPLICATION OBJECT – VENDOR PAGE – PRESS CTRL - J

28

Menu: MAINTAIN VENDORS

Component: VNDR_ID

APPLICATION OBJECT – VENDOR PAGE PEOPLETOOLS OBJECTS

29

Resolves the Actions that have been granted to a

menu/bar/item/component/page for a particular permission list

BARITEMNAME changed to ITEMNAME for intuitive table joins

SMC_PMAUTH_VW (SPEARMC CUSTOM VIEW)

30

SpearMC PSAUTHITEM (SMC_PMAUTH_VW)

CLASSID

MENUNAME

BARNAME

ITEMNAME

PNLITEMNAME

DISPLAYONLY

AUTHORIZEDACTIONS

ACTIONTYPE

Add Update/ Display

Update/Display - All

Correction SpearMC Code

ACTIONTYPE 1 X A 2 X UD 3 X X A UD 4 X UDA 5 X X A UDA 6 X X UD UDA 7 X X X A UD UDA 8 X C 9 X X A C 10 X X UD C 11 X X X A UD C 12 X X UD C 13 X X X A UD C 14 X X X UD UDA 15 X X X X A UD UDA

V (Display Only)


31

SQL Definition

SELECT CLASSID, MENUNAME

, BARNAME, BARITEMNAME

, PNLITEMNAME, DISPLAYONLY

, AUTHORIZEDACTIONS

, CASE AUTHORIZEDACTIONS WHEN 1 THEN 'A' WHEN 2 THEN 'UD' WHEN 4 THEN 'UDA'

WHEN 8 THEN 'C' WHEN 3 THEN 'A UD' WHEN 5 THEN 'A UDA' WHEN 9 THEN 'A C' WHEN 6

THEN 'UD UDA' WHEN 10 THEN 'UD C' WHEN 12 THEN 'UDA C' WHEN 7 THEN 'A UD UDA'

WHEN 11 THEN 'A UD C' WHEN 13 THEN 'A UDA C' WHEN 14 THEN 'UD UDA C' WHEN 15

THEN 'A UD UDA C' END

FROM PSAUTHITEM


32

• Resolves the Object Hierarchy for use in Reporting

• Turns encrypted Action numbers into legible codes

Action 15 is resolved to A UD UDA C for Add – Update Display – Update Display

All -Correction

• Two custom fields SMC_PIA_PATH and SCM_PIA_LBL_PATH

provide object and object label navigation paths

MAINTAIN_VENDORS --> USE --> VENDOR_INFORMATION --> VNDR_ID

Administer Procurement --> &Maintain Vendors --> &Use --> Vendor &Information

--> VNDR_ID

SMC_MENU_PIA_VW (SPEARMC CUSTOM VIEW)

33

PIA Navigation (SMC_MENU_PIA_VW)

MENUNAME

BARNAME

ITEMNAME

PNLGRPNAME

MARKET

ACTIONS

MENUGROUP

MENULABEL

ITEMLABEL

BARLABEL

SMC_PIA_PATH

SMC_PIA_LBL_PATH

ACTIONTYPE

Add Update/Display

Update/Display - All

Correction SpearMC Code

ACTIONTYPE 1 X A 2 X UD 3 X X A UD 4 X UDA 5 X X A UDA 6 X X UD UDA 7 X X X A UD UDA 8 X C 9 X X A C 10 X X UD C 11 X X X A UD C 12 X X UD C 13 X X X A UD C 14 X X X UD UDA 15 X X X X A UD UDA


34

SQL Definition

SELECT MD.MENUNAME , MI.BARNAME , MI.ITEMNAME, PG.PNLGRPNAME , PG.MARKET

, GD.ACTIONS , MD.MENUGROUP , MD.MENULABEL , MI.BARLABEL , MI.ITEMLABEL

,'c/' %Concat RTRIM(MD.MENUNAME) %Concat '.' %Concat RTRIM(PG.PNLGRPNAME) %Concat '.' %Concat RTRIM(PG.MARKET) AS URL_1

, RTRIM(MD.MENUNAME) %Concat ' --> ' %Concat RTRIM(MI.BARNAME) %Concat ' --> ' %Concat RTRIM(MI.ITEMNAME) %Concat ' --> '

%Concat RTRIM(PG.PNLGRPNAME)

, RTRIM(MD.MENULABEL) %Concat ' --> ' %Concat RTRIM(MI.BARLABEL) %Concat ' --> ' %Concat RTRIM(MI.ITEMLABEL) %Concat ' --> ' %Concat

RTRIM(PG.PNLGRPNAME)

, CASE GD.ACTIONS WHEN 1 THEN 'A' WHEN 2 THEN 'UD' WHEN 4 THEN 'UDA' WHEN 8 THEN 'C' WHEN 3 THEN 'A UD' WHEN 5 THEN 'A UDA'

WHEN 9 THEN 'A C' WHEN 6 THEN 'UD UDA' WHEN 10 THEN 'UD C' WHEN 12 THEN 'UDA C' WHEN 7 THEN 'A UD UDA' WHEN 11 THEN 'A UD

C' WHEN 13 THEN 'A UDA C' WHEN 14 THEN 'UD UDA C' WHEN 15 THEN 'A UD UDA C' END AS ACTIONTYPE FROM PSMENUDEFN MD ,

PSMENUITEM MI , PSPNLGROUP PG , PSPNLGRPDEFN GD WHERE MD.MENUNAME = MI.MENUNAME AND MI.PNLGRPNAME =

PG.PNLGRPNAME AND MI.MARKET = PG.MARKET AND PG.PNLGRPNAME = GD.PNLGRPNAME

GROUP BY MD.MENUNAME, MI.BARNAME, MI.ITEMNAME, PG.PNLGRPNAME, PG.MARKET, GD.ACTIONS, MD.MENUGROUP,

MD.MENULABEL, MI.BARLABEL, MI.ITEMLABEL


35

SMC_MENU_PIA_VW (SPEARMC CUSTOM VIEW) RESULTS

36

Record s Definitions

SMC_PMAUTH_VW (Component Security)

SMC_MENU_PIA_VW (Menu PIA)

PSPNLGROUP – Panel Group

Fields Order

CLASSID (Permission List) 1

MENUNAME (Menu Name) 2

PNLGRPNAME (Component Name) 3

PNLNAME (Panel Name) 4

ACTIONTYPE (Action Type)

ACTIONTYPE (Action Type)

SMC_PIA_PATH (PIA Navigation)

SMC_PIA_LBL_PATH (PIA Label Navigation)

QUERY DEFINITION: SMC_CO_PIA_PM – PIA BY PM

37

Query Criteria


38

Prompt Edit - MENUNAME Prompt Edit - PNLGRPNAME


39

QUERY RESULTS: SMC_CO_PIA_PM – PIA BY PM

40

Contact Information:

• Marcus Bode, Principal [email protected]

• David Pigman, Technical Architect [email protected]



41

Questions?

Advanced PeopleSoft Security Audit · PeopleSoft determines which data permissions to grant a user...

Documents

Transcript of Advanced PeopleSoft Security Audit · PeopleSoft determines which data permissions to grant a user...