Advanced PeopleSoft Security Audit
David Pigman
SpearMC Consulting www.spearmc.com
AGENDA
• About SpearMC
• Objectives
• User Profile Flow / Records
• Application Object Hierarchy / Records
• Portal Objects
• Sample Queries
• Q & A
5/27/2012
ABOUT SPEARMC
SpearMC is a full-service consulting and technology services firm with a specific focus on PeopleSoft Financials.
Our consultants and network of PeopleSoft Analysts, Technical Leads and Project Managers average fifteen years of PeopleSoft experience.
We are North America's leading provider of custom-tailored PeopleSoft Financial training solutions and educational content development.
It is our mission to provide the highest levels of professional service at competitive rates.
ABOUT THE AUTHOR
David Pigman, Technical Architect
866-SPEARMC x802
OBJECTIVES
• Learn the record definitions and views that support PeopleSoft security
• Resolve highly complex security data into views for use with PeopleSoft Query
USER PROFILE FLOW
User Profile (UserID/OPRID) – Record: PSOPRDEFN
Primary Permission List and Row Security Permission List (Row Level Security) – Record: PSOPRDEFN
Process Profile Permission List – Record: PSOPRDEFN
Roles – Join Record: PSROLEUSER; Record: PSROLEDEFN
Permission Lists – Join Record: PSROLECLASS
USER PROFILE FLOW
User Profile (UserID/OPRID) – Record: PSOPRDEFN
Primary Permission List and Row Security Permission List (Row Level Security) – Record: PSOPRDEFN
Process Profile Permission List – Record: PSOPRDEFN
Roles – Record: PSROLEUSER
PeopleSoft determines which data permissions to grant a user by looking at the user's Primary Permission List and Row Security Permission List; which one is used varies by application and data entity (Employee, Customer, Vendor, Business Unit, etc.). PeopleSoft determines Mass Change and Object Security permissions from the Primary Permission List.
USER PROFILE FLOW
Permission Lists – Join Record: PSROLECLASS; Record: PSCLASSDEFN
Sign-On – Record: PSAUTHSIGNON
Pages/Menu Items – Record: PSAUTHITEM
Process Group – Record: PSAUTHPRCS
Query – Record: SCRTY_QUERY
Application Designer – Record: PSAUTHITEM
Message Monitor – Record: PSAUTHCHNLMON
Component Interface – Record: PSAUTHBUSCOMP
Misc. Tools
RECORD DEFINITIONS – PEOPLESOFT SECURITY
Operator Definition (PSOPRDEFN)
OPRID (User ID)
EMPLID (EmplID)
OPRCLASS (Primary Permission List)
ROWSECCLASS (Row Security Permission List)
PRCSPRFLCLS (Process Profile Permission List)
LASTUPDOPRID (Last Update User ID)
LASTUPDDTTM (Last Update Date/Time)
Role Definition (PSROLEDEFN)
ROLENAME (Role Name)
ROLETYPE (Role Type) – U = User, or Q = Query (used to route Workflow)
LASTUPDOPRID (Last Update User ID)
LASTUPDDTTM (Last Update Date/Time)
Role User (PSROLEUSER)
ROLEUSER (User/Operator ID) – based on OPRID
ROLENAME (Role Name)
DYNAMIC_SW (Dynamic)
RECORD DEFINITIONS – PEOPLESOFT SECURITY
Permission Lists Definition (PSCLASSDEFN)
CLASSID (Permission List)
CLASSDEFNDESCR (Permission List Description)
TIMEOUTMINUTES (Time-out Minutes)
STARTAPPSERVER (Can Start Application Server)
ALLOWPSWDEMAIL (Allow Password to be E-mailed)
LASTUPDOPRID (Last Update User ID)
LASTUPDDTTM (Last Update Date/Time)
Role Classes (PSROLECLASS)
ROLENAME (Role Name)
CLASSID (Permission List)
Authorized Signon Period (PSAUTHSIGNON)
CLASSID (Permission List)
DAYOFWEEK (Day Of Week)
STARTTIME (Start Time)
ENDTIME (End Time)
Process Profile (PSPRCSPRFL)
CLASSID (Permission List)
SRVRDESTFILE (Server File Destination)
SRVRDESTPRNT (Server Print Destination)
RECORD DEFINITIONS – PEOPLESOFT SECURITY
Authorized Process Groups (PSAUTHPRCS)
CLASSID (Permission List)
PRCSGRP (Process Definition Group)
PS/Query Profile (SCRTY_QUERY)
CLASSID (Permission List)
QRY_RUN_ONLY (Only Allowed to run Queries)
QRY_CREATE_PUBLIC (Allow create of Public Queries)
QRY_CREATE_WFLOW (Allow create of Wrkflw Query)
QRY_MAX_FETCH (Maximum Rows Fetched)
QRY_MAX_RUN (Maximum Run Time in Minutes)
QRY_ADV_DISTINCT (Allow use of Distinct)
QRY_ADV_ANY_JOIN (Allow use of Any Join)
QRY_ADV_SUBQUERY (Allow use of Subquery/Exists)
QRY_ADV_UNION (Allow use of Union)
QRY_ADV_EXPR (Allow use of Expressions)
QRY_MAX_JOINS (Maximum Joins Allowed)
RECORD DEFINITIONS – PEOPLESOFT SECURITY
Access Group Security (SCRTY_ACC_GRP)
CLASSID (Permission List)
TREE_NAME (Tree Name)
ACCESS_GROUP (Access Group)
ACCESSIBLE (Accessible)
Component Interface Security (PSAUTHBUSCOMP)
CLASSID (Permission List)
BCNAME (Business Component Name)
BCMETHOD (Method)
AUTHORIZEDACTIONS (Authorized Actions)
Authorized Menu Items (PSAUTHITEM)
CLASSID (Permission List)
MENUNAME (Menu Name) - prompts PSMENUDEFN
BARNAME (Bar Name)
BARITEMNAME (Bar Item Name)
PNLITEMNAME (Page Item Name)
DISPLAYONLY (Display Only)
AUTHORIZEDACTIONS (Authorized Actions)
QUERY DEFINITION: SMC_CO_USPMRL – USERIDS ROLES PERMS
Chosen Records
PSOPRDEFN (Operator Definition)
PSROLEUSER (Role User)
PSROLECLASS (Role Classes)
PSCLASSDEFN (Permission Lists Definition)
PSROLEDEFN (Role Definition)
Fields (with sort Order where set)
ROLEUSER (UserID) – Order 1
OPRDEFNDESC (User ID Descr)
ROLENAME (Role Name) – Order 2
DESCR (Role Descr)
CLASSID (Permission List) – Order 3
CLASSDEFNDESC (Perm List Descr)
QUERY DEFN: SMC_CO_USPMRL – USERIDS, ROLES & PERMISSIONS
Query Criteria
QUERY DEFN: SMC_CO_USPMRL – USERIDS, ROLES & PERMISSIONS
Prompt Edit – ROLEUSER
QUERY RESULTS: SMC_CO_USPMRL – USERIDS, ROLES & PERMS
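The SMC_CO_USPMRL query above, written as plain SQL so it can be run outside PS Query. This is an added example, not SpearMC's query definition; it goes one step further than the slide and also returns the three permission lists held directly on PSOPRDEFN (Primary, Row Security and Process Profile, from the User Profile Flow slides), because those never pass through a role and are easy to miss in a role-based review. :1 is the bind for the ROLEUSER prompt.

```sql
-- Added example (not SpearMC's query): every permission list that reaches a
-- user, either through a role (PSROLEUSER -> PSROLECLASS) or directly from the
-- three permission-list fields on PSOPRDEFN. Table names follow the slides:
-- PeopleTools records carry no PS_ prefix.
SELECT X.OPRID
     , X.SOURCE                      -- ROLE, PRIMARY, ROW SECURITY or PROCESS PROFILE
     , X.ROLENAME                    -- blank for the direct PSOPRDEFN assignments
     , X.CLASSID                     AS PERMISSION_LIST
     , CD.CLASSDEFNDESC              AS PERM_LIST_DESCR
     , OD.OPRDEFNDESC                AS USERID_DESCR
  FROM (
        -- permission lists granted through roles
        SELECT RU.ROLEUSER AS OPRID, 'ROLE' AS SOURCE, RU.ROLENAME, RC.CLASSID
          FROM PSROLEUSER RU, PSROLECLASS RC
         WHERE RC.ROLENAME = RU.ROLENAME
        UNION ALL
        -- permission lists held directly on the user profile
        SELECT OPRID, 'PRIMARY',         ' ', OPRCLASS    FROM PSOPRDEFN
        UNION ALL
        SELECT OPRID, 'ROW SECURITY',    ' ', ROWSECCLASS FROM PSOPRDEFN
        UNION ALL
        SELECT OPRID, 'PROCESS PROFILE', ' ', PRCSPRFLCLS FROM PSOPRDEFN
       ) X
     , PSCLASSDEFN CD
     , PSOPRDEFN   OD
 WHERE CD.CLASSID = X.CLASSID
   AND OD.OPRID   = X.OPRID
   AND X.OPRID    = :1                 -- the ROLEUSER prompt from the slide
 ORDER BY X.SOURCE, X.ROLENAME, X.CLASSID;
```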
PERMISSION LIST – CHECK BOXES
Navigation: PeopleTools > Security > Permission & Roles > Permission Lists. Select the PeopleTools tab.
PeopleTools Permissions – Menu Names (PSAUTHITEM.MENUNAME):
DATA_MOVER – Data Mover Access
APPLICATION_DESIGNER – Application Designer Access
OBJECT_SECURITY – Definition Security Access
QUERY_MANAGER – Query Access
PERFMONPPMI – Performance Monitor PPMI Access
Data Archival – Fields for Record PS_ARCH_SECURITY:
ARCH_SEC_EDIT – Edit SQL
ARCH_SEC_RUN – Run SQL
PERMISSION LIST – CHECK BOXES
Navigation: PeopleTools > Security > Permission & Roles > Permission Lists. General tab.
Permission List General / Time-out Minutes – Fields for Record PSCLASSDEFN:
STARTAPPSERVER – Can Start Application Server?
ALLOWPSWDEMAIL – Allow Password to be Emailed?
SERVERTIMEOUT – Never Time-out / Specific Time-out (minutes)
PERMISSION LIST – CHECK BOXES
Navigation: PeopleTools > Security > Permission & Roles > Perm Lists. Select the Query tab and click Query Profile.
Permission List Query Profile – Fields for Record SCRTY_QUERY:
QRY_RUN_ONLY – Only Allowed to run Queries
QRY_CREATE_PUBLIC – Allow create of Public Queries
QRY_CREATE_WFLOW – Allow create of Workflow Query
QRY_MAX_FETCH – Maximum Rows Fetched
QRY_MAX_RUN – Maximum Run Time in Minutes
QRY_ADV_DISTINCT – Allow use of Distinct
QRY_ADV_ANY_JOIN – Allow use of 'Any Join'
QRY_ADV_SUBQUERY – Allow use of Subquery/Exists
QRY_ADV_UNION – Allow use of Union
QRY_ADV_EXPR – Allow use of Expressions
QUERY DEFINITION: SMC_CO_DATA_MOVER_PM – DATA MOVER ACCESS PM
Record Definitions
PSAUTHITEM (Authorized Menu Item)
PSCLASSDEFN (Permission Lists Definition)
Fields
CLASSID (Permission List)
CLASSDEFNDESC (Permission List Descr)
MENUNAME (Menu Name)
Query Criteria
QUERY RESULTS: SMC_CO_DATA_MOVER_PM – DATA MOVER ACCESS PM
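An added audit query (not from the slides) that pulls the three PERMISSION LIST – CHECK BOXES slides and the Data Mover query together: for each PeopleTools utility menu on the PeopleTools tab, the permission lists that grant it, the General-tab flags on those lists, and the users who reach them through roles. It assumes the STARTAPPSERVER and ALLOWPSWDEMAIL flags are stored as 'Y'/'N' and uses PSOPRDEFN.ACCTLOCK, a delivered field not listed on the slides, to skip locked accounts.

```sql
-- Added example, not from the SpearMC slides: PeopleTools utility access
-- resolved from permission list to user. Menu names are the five listed on
-- the PeopleTools tab slide. Assumptions: flag values are 'Y'/'N';
-- PSOPRDEFN.ACCTLOCK = 0 means the account is not locked.
SELECT DISTINCT
       AI.MENUNAME                        -- DATA_MOVER, APPLICATION_DESIGNER, ...
     , AI.CLASSID          AS PERMISSION_LIST
     , CD.CLASSDEFNDESC    AS PERM_LIST_DESCR
     , CD.STARTAPPSERVER                  -- Can Start Application Server?
     , CD.ALLOWPSWDEMAIL                  -- Allow Password to be Emailed?
     , CD.TIMEOUTMINUTES                  -- Specific Time-out (minutes)
     , CASE WHEN CD.STARTAPPSERVER = 'Y' OR CD.ALLOWPSWDEMAIL = 'Y'
            THEN 'REVIEW' ELSE ' ' END AS GENERAL_TAB_FLAG   -- assumption: 'Y' = checked
     , RC.ROLENAME
     , RU.ROLEUSER         AS USERID
     , OD.OPRDEFNDESC      AS USERID_DESCR
  FROM PSAUTHITEM  AI
     , PSCLASSDEFN CD
     , PSROLECLASS RC
     , PSROLEUSER  RU
     , PSOPRDEFN   OD
 WHERE AI.MENUNAME IN ('DATA_MOVER', 'APPLICATION_DESIGNER', 'OBJECT_SECURITY',
                       'QUERY_MANAGER', 'PERFMONPPMI')
   AND CD.CLASSID  = AI.CLASSID
   AND RC.CLASSID  = AI.CLASSID
   AND RU.ROLENAME = RC.ROLENAME
   AND OD.OPRID    = RU.ROLEUSER
   AND OD.ACCTLOCK = 0                    -- assumption: delivered lock flag
 ORDER BY AI.MENUNAME, AI.CLASSID, RU.ROLEUSER;
```

Drop the ACCTLOCK condition to include locked accounts, which still matter when a lock can be lifted by a help desk.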
APPLICATION OBJECT HIERARCHY
Menu Group – PSMENUDEFN (Record). Name: Administer Workforce
Menu Name – PSMENUDEFN. Object: MAINTAIN_VENDORS; Descr: (blank)
Menu Item – PSMENUITEM. Keys: Menu, Menu Bar, Menu Item, Component
  Menu: MAINTAIN_VENDORS / (blank)
  Menu Bar: USE / Use
  Menu Item: VENDOR_INFORMATION / Vendor Information
  Component: VNDR_ID / Vendors
Component – PSPNLGRPDEFN. PNLGRPNAME Object / Descr: VNDR_ID1_SUM / Vendor Summary; VNDR_ID1 / Vendor ID; VNDR_ADDRESS / Vendor Address; VNDR_CONTACT / (blank); VNDR_LOC / (blank); VNDR_CUSTOM / User Definable Vendor Fields; etc.
  ACTION: Add – Update/Display – Update/Display All – Correction
Component/Page – PSPNLGROUP (Record). Keys: Component/Page. Table used to join Components to Pages.
Page – PSPNLDEFN. Object: VNDR_ID_SUM / Vendor Summary
RECORD DEFINITIONS – APPLICATION OBJECTS
Menu Definition (PSMENUDEFN)
MENUNAME (Menu Name)
MENUGROUP (Menu Group)
MENULABEL (Menu Label)
Menu Item (PSMENUITEM)
MENUNAME (Menu Name) – prompts Menu Definition (PSMENUDEFN)
BARNAME (Menu Bar Name)
ITEMNAME (Item Name) *** Links to PSAUTHITEM.BARITEMNAME
ITEMNUM (Item Number)
ITEMTYPE (Item Type)
PNLGRPNAME (Component Name) *** Links to PSPNLGROUP.PNLGRPNAME
MARKET (Market)
BARLABEL (Menu Bar Label)
ITEMLABEL (Menu Item Label) *** Label for ITEMNAME – shows in the Navigation
XFERCOUNT (Page Transfer Count)
SEARCHRECNAME (Search Record Name)
RECORD DEFINITIONS – APPLICATION OBJECTS
Component Group Definition (PSPNLGRPDEFN)
PNLGRPNAME (Component Name)
MARKET (Market)
SEARCHRECNAME (Search Record Name)
ACTIONS (Actions)
RECORD DEFINITIONS – APPLICATION OBJECTS
Component Group (PSPNLGROUP)
PNLGRPNAME (Component Name) – based on Component Definition (PSPNLGRPDEFN)
MARKET (Market)
PNLNAME (Page Name) – based on Page Definition (PSPNLDEFN)
SUBITEMNUM (Sub Item Number)
ITEMNAME (Item Name)
ITEMLABEL (Menu Item Label)
FOLDERTABLABEL (Folder Tab Label)
HIDDEN (Hidden)
Page Definition (PSPNLDEFN)
PNLNAME (Page Name)
LANGUAGE_CD (Language Code)
PNLTYPE (Page Type)
APPLICATION OBJECT – VENDOR PAGE
APPLICATION OBJECT – VENDOR PAGE – PRESS CTRL-J
APPLICATION OBJECT – VENDOR PAGE – PEOPLETOOLS OBJECTS
Menu: MAINTAIN VENDORS
Component: VNDR_ID
SMC_PMAUTH_VW (SPEARMC CUSTOM VIEW)
Resolves the Actions that have been granted to a menu/bar/item/component/page for a particular permission list.
BARITEMNAME is renamed to ITEMNAME for intuitive table joins (it matches PSMENUITEM.ITEMNAME).
SMC_PMAUTH_VW (SPEARMC CUSTOM VIEW)
SpearMC PSAUTHITEM (SMC_PMAUTH_VW) fields:
CLASSID
MENUNAME
BARNAME
ITEMNAME
PNLITEMNAME
DISPLAYONLY
AUTHORIZEDACTIONS
ACTIONTYPE
ACTIONTYPE decoding (AUTHORIZEDACTIONS value, actions granted, SpearMC code):
ACTIONTYPE  Add  Update/Display  Update/Display All  Correction  SpearMC Code
 1          X                                                    A
 2               X                                               UD
 3          X    X                                               A UD
 4                               X                               UDA
 5          X                    X                               A UDA
 6               X               X                               UD UDA
 7          X    X               X                               A UD UDA
 8                                                   X           C
 9          X                                        X           A C
10               X                                   X           UD C
11          X    X                                   X           A UD C
12                               X                   X           UDA C
13          X                    X                   X           A UDA C
14               X               X                   X           UD UDA C
15          X    X               X                   X           A UD UDA C
V (Display Only)
SMC_PMAUTH_VW (SPEARMC CUSTOM VIEW)
SQL Definition
SELECT CLASSID, MENUNAME, BARNAME
     , BARITEMNAME AS ITEMNAME
     , PNLITEMNAME, DISPLAYONLY, AUTHORIZEDACTIONS
     , CASE AUTHORIZEDACTIONS
         WHEN 1 THEN 'A'       WHEN 2 THEN 'UD'        WHEN 4 THEN 'UDA'       WHEN 8 THEN 'C'
         WHEN 3 THEN 'A UD'    WHEN 5 THEN 'A UDA'     WHEN 9 THEN 'A C'       WHEN 6 THEN 'UD UDA'
         WHEN 10 THEN 'UD C'   WHEN 12 THEN 'UDA C'    WHEN 7 THEN 'A UD UDA'  WHEN 11 THEN 'A UD C'
         WHEN 13 THEN 'A UDA C' WHEN 14 THEN 'UD UDA C' WHEN 15 THEN 'A UD UDA C'
       END AS ACTIONTYPE
  FROM PSAUTHITEM
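The same ACTIONTYPE code derived from the individual bits of AUTHORIZEDACTIONS rather than a 15-branch CASE, as an added example that is not SpearMC's view. Each IN list enumerates the values in 1..15 that have one bit set (Add = 1, Update/Display = 2, Update/Display All = 4, Correction = 8, exactly what the slide's CASE implies), which keeps the SQL portable across PeopleSoft database platforms; the DISPLAYONLY = 1 test for the 'V' flag and the MAINTAIN_VENDORS / Correction filter are assumptions for illustration, and || stands in for the %Concat meta-SQL a view definition would use.

```sql
-- Added example, not SpearMC's view: decode AUTHORIZEDACTIONS bit by bit.
-- Bit values implied by the slide's CASE: Add = 1, Update/Display = 2,
-- Update/Display All = 4, Correction = 8. Each IN list is the set of values
-- in 1..15 with that bit set, so no platform-specific bit function is needed.
-- Uses || for concatenation (replace with %Concat inside a PeopleSoft view).
SELECT AI.CLASSID
     , AI.MENUNAME
     , AI.BARNAME
     , AI.BARITEMNAME       AS ITEMNAME
     , AI.PNLITEMNAME
     , AI.AUTHORIZEDACTIONS
     , RTRIM(
         CASE WHEN AI.AUTHORIZEDACTIONS IN (1, 3, 5, 7, 9, 11, 13, 15)   THEN 'A '   ELSE '' END ||
         CASE WHEN AI.AUTHORIZEDACTIONS IN (2, 3, 6, 7, 10, 11, 14, 15)  THEN 'UD '  ELSE '' END ||
         CASE WHEN AI.AUTHORIZEDACTIONS IN (4, 5, 6, 7, 12, 13, 14, 15)  THEN 'UDA ' ELSE '' END ||
         CASE WHEN AI.AUTHORIZEDACTIONS IN (8, 9, 10, 11, 12, 13, 14, 15) THEN 'C'   ELSE '' END
       )                    AS ACTIONTYPE     -- e.g. 15 -> 'A UD UDA C', 12 -> 'UDA C'
     , CASE WHEN AI.DISPLAYONLY = 1 THEN 'V' ELSE ' ' END
                            AS DISPLAY_ONLY   -- assumption: 1 = display only
  FROM PSAUTHITEM AI
 WHERE AI.MENUNAME = 'MAINTAIN_VENDORS'                      -- the slides' worked example
   AND AI.AUTHORIZEDACTIONS IN (8, 9, 10, 11, 12, 13, 14, 15) -- Correction bit set
 ORDER BY AI.CLASSID, AI.BARNAME, AI.BARITEMNAME;
```

Filtering on the Correction bit this way lists every permission list that can correct vendor records without having to spell out the eight CASE codes that contain 'C'.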
SMC_MENU_PIA_VW (SPEARMC CUSTOM VIEW)
• Resolves the Object Hierarchy for use in Reporting
• Turns bit-encoded Action numbers into legible codes (the CASE maps Add = 1, Update/Display = 2, Update/Display All = 4, Correction = 8 and their sums). Action 15 is resolved to A UD UDA C for Add – Update/Display – Update/Display All – Correction.
• Two custom fields, SMC_PIA_PATH and SMC_PIA_LBL_PATH, provide object and object-label navigation paths:
MAINTAIN_VENDORS --> USE --> VENDOR_INFORMATION --> VNDR_ID
Administer Procurement --> &Maintain Vendors --> &Use --> Vendor &Information --> VNDR_ID
SMC_MENU_PIA_VW (SPEARMC CUSTOM VIEW)
PIA Navigation (SMC_MENU_PIA_VW) fields:
MENUNAME
BARNAME
ITEMNAME
PNLGRPNAME
MARKET
ACTIONS
MENUGROUP
MENULABEL
ITEMLABEL
BARLABEL
SMC_PIA_PATH
SMC_PIA_LBL_PATH
ACTIONTYPE
ACTIONTYPE decoding (ACTIONS value, actions defined on the component, SpearMC code):
ACTIONTYPE  Add  Update/Display  Update/Display All  Correction  SpearMC Code
 1          X                                                    A
 2               X                                               UD
 3          X    X                                               A UD
 4                               X                               UDA
 5          X                    X                               A UDA
 6               X               X                               UD UDA
 7          X    X               X                               A UD UDA
 8                                                   X           C
 9          X                                        X           A C
10               X                                   X           UD C
11          X    X                                   X           A UD C
12                               X                   X           UDA C
13          X                    X                   X           A UDA C
14               X               X                   X           UD UDA C
15          X    X               X                   X           A UD UDA C
SMC_MENU_PIA_VW (SPEARMC CUSTOM VIEW)
SQL Definition
SELECT MD.MENUNAME, MI.BARNAME, MI.ITEMNAME, PG.PNLGRPNAME, PG.MARKET
     , GD.ACTIONS, MD.MENUGROUP, MD.MENULABEL, MI.BARLABEL, MI.ITEMLABEL
     , 'c/' %Concat RTRIM(MD.MENUNAME) %Concat '.' %Concat RTRIM(PG.PNLGRPNAME) %Concat '.' %Concat RTRIM(PG.MARKET) AS URL_1
     , RTRIM(MD.MENUNAME) %Concat ' --> ' %Concat RTRIM(MI.BARNAME) %Concat ' --> ' %Concat RTRIM(MI.ITEMNAME) %Concat ' --> ' %Concat RTRIM(PG.PNLGRPNAME) AS SMC_PIA_PATH
     , RTRIM(MD.MENULABEL) %Concat ' --> ' %Concat RTRIM(MI.BARLABEL) %Concat ' --> ' %Concat RTRIM(MI.ITEMLABEL) %Concat ' --> ' %Concat RTRIM(PG.PNLGRPNAME) AS SMC_PIA_LBL_PATH
     , CASE GD.ACTIONS
         WHEN 1 THEN 'A'       WHEN 2 THEN 'UD'        WHEN 4 THEN 'UDA'       WHEN 8 THEN 'C'
         WHEN 3 THEN 'A UD'    WHEN 5 THEN 'A UDA'     WHEN 9 THEN 'A C'       WHEN 6 THEN 'UD UDA'
         WHEN 10 THEN 'UD C'   WHEN 12 THEN 'UDA C'    WHEN 7 THEN 'A UD UDA'  WHEN 11 THEN 'A UD C'
         WHEN 13 THEN 'A UDA C' WHEN 14 THEN 'UD UDA C' WHEN 15 THEN 'A UD UDA C'
       END AS ACTIONTYPE
  FROM PSMENUDEFN MD, PSMENUITEM MI, PSPNLGROUP PG, PSPNLGRPDEFN GD
 WHERE MD.MENUNAME = MI.MENUNAME
   AND MI.PNLGRPNAME = PG.PNLGRPNAME
   AND MI.MARKET = PG.MARKET
   AND PG.PNLGRPNAME = GD.PNLGRPNAME
   AND PG.MARKET = GD.MARKET
 GROUP BY MD.MENUNAME, MI.BARNAME, MI.ITEMNAME, PG.PNLGRPNAME, PG.MARKET, GD.ACTIONS
        , MD.MENUGROUP, MD.MENULABEL, MI.BARLABEL, MI.ITEMLABEL
Join note: PSPNLGRPDEFN is keyed by PNLGRPNAME and MARKET (see its record definition above), so the join to GD matches both keys to avoid cross-market duplicates. The GROUP BY carries no aggregate; it only removes duplicate rows.
SMC_MENU_PIA_VW (SPEARMC CUSTOM VIEW) RESULTS
QUERY DEFINITION: SMC_CO_PIA_PM – PIA BY PM
Record Definitions
SMC_PMAUTH_VW (Component Security)
SMC_MENU_PIA_VW (Menu PIA)
PSPNLGROUP – Panel Group
Fields (with sort Order where set)
CLASSID (Permission List) – Order 1
MENUNAME (Menu Name) – Order 2
PNLGRPNAME (Component Name) – Order 3
PNLNAME (Panel Name) – Order 4
ACTIONTYPE (Action Type) – one from each view: SMC_PMAUTH_VW (actions granted to the permission list) and SMC_MENU_PIA_VW (actions defined on the component)
ACTIONTYPE (Action Type)
SMC_PIA_PATH (PIA Navigation)
SMC_PIA_LBL_PATH (PIA Label Navigation)
QUERY DEFINITION: SMC_CO_PIA_PM – PIA BY PM
Query Criteria
QUERY DEFINITION: SMC_CO_PIA_PM – PIA BY PM
Prompt Edit – MENUNAME; Prompt Edit – PNLGRPNAME
QUERY RESULTS: SMC_CO_PIA_PM – PIA BY PM
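An added example (not SpearMC's SMC_CO_PIA_PM definition) that answers the same question as the query above, and the APPLICATION OBJECT HIERARCHY slides before it, directly against the delivered records: for one menu and component, which permission lists and users can reach each page, and with which raw action bits. It uses the links called out on the Menu Item slide (PSMENUITEM.ITEMNAME to PSAUTHITEM.BARITEMNAME, PSMENUITEM.PNLGRPNAME to PSPNLGROUP.PNLGRPNAME), assumes PSAUTHITEM.PNLITEMNAME (labelled Page Item Name) matches PSPNLGROUP.ITEMNAME, takes :1 and :2 as the MENUNAME and PNLGRPNAME prompts, and uses || where a view definition would use %Concat.

```sql
-- Added example, not SpearMC's query: page-level access to one component,
-- resolved from the menu hierarchy to permission list to user.
-- Links from the Menu Item slide:  PSMENUITEM.ITEMNAME   = PSAUTHITEM.BARITEMNAME
--                                  PSMENUITEM.PNLGRPNAME = PSPNLGROUP.PNLGRPNAME
-- Assumption: PSAUTHITEM.PNLITEMNAME (Page Item Name) = PSPNLGROUP.ITEMNAME.
-- :1 = menu name (e.g. MAINTAIN_VENDORS), :2 = component name (e.g. VNDR_ID).
SELECT DISTINCT
       RTRIM(MD.MENULABEL) || ' --> ' || RTRIM(MI.BARLABEL) || ' --> ' || RTRIM(MI.ITEMLABEL)
                             AS PIA_LABEL_PATH     -- same shape as SMC_PIA_LBL_PATH
     , MI.PNLGRPNAME         AS COMPONENT
     , PG.PNLNAME            AS PAGE_NAME
     , PG.HIDDEN                                   -- hidden pages still carry permissions
     , AI.CLASSID            AS PERMISSION_LIST
     , AI.AUTHORIZEDACTIONS                        -- decode as on the SMC_PMAUTH_VW slide
     , AI.DISPLAYONLY
     , RU.ROLENAME
     , RU.ROLEUSER           AS USERID
  FROM PSMENUDEFN  MD
     , PSMENUITEM  MI
     , PSPNLGROUP  PG
     , PSAUTHITEM  AI
     , PSROLECLASS RC
     , PSROLEUSER  RU
 WHERE MD.MENUNAME    = :1
   AND MI.MENUNAME    = MD.MENUNAME
   AND MI.PNLGRPNAME  = :2
   AND PG.PNLGRPNAME  = MI.PNLGRPNAME
   AND PG.MARKET      = MI.MARKET
   AND AI.MENUNAME    = MI.MENUNAME
   AND AI.BARNAME     = MI.BARNAME
   AND AI.BARITEMNAME = MI.ITEMNAME
   AND AI.PNLITEMNAME = PG.ITEMNAME
   AND RC.CLASSID     = AI.CLASSID
   AND RU.ROLENAME    = RC.ROLENAME
 ORDER BY PAGE_NAME, PERMISSION_LIST, USERID;
```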
Contact Information:
• Marcus Bode, Principal – [email protected]
• David Pigman, Technical Architect – [email protected]
Questions?