Permission Lists:
- Grants access to a particular combination of Peoplesoft elements.
- Its defined before defining roles and user profiles.
Roles:
- Collection of permission lists.
- Created to assign permissions dynamically.
- Intermediate object linking permission list to profile.
User Profiles:
- Represents one PS user.
- Specifies a number of user attributes including one or more assigned role.
1) Application Security
- Normal Security (Roles, Permission Lists, OPRIDs)
- Row Level Security (Departmental Security)
2) Database Security
- ACCESSID
- CONNECTID
- SYMBOLICID
- OPRIDs
LDAP: User profiles are stored in a central repository called a directory server. Peoplesoft uses this server for managing user profiles and authenticating users. User profiles are defined within a LDAP directory server, and can be used accross all peoplesoft and non-peoplesoft applicatons.
Change Control security and Locking definitions - Change Control is a Application Designer feature and it should be activated in a development environment, to activate go to Tools > Change Control > Administrator and select the option to 1- Use Change Control Locking and 2- Use Change Control History. Now you can lock definitions in app designer and track the history of changes to a definition.
Security Join Tables in peoplesoft- The SJT tables are referenced to determine which rows of data an user can access. There are two types of SJT tables-
1) User SJT tables - stores user security definitions, and
2) Transaction SJT tables - stores transaction security definitions.
There are 4 transaction SJT (imp are- SJT_PERSON, SJT_DEPT) and 2 user SJT tables ( SJT_CLASS_ALL and SJT_OPR_CLS).
SJT_CLASS_ALL - contains data permission information for a permission list.
SJP_OPR_CLS - contains the UserIDs with permission lists.
SJT refresh processes are run on a regular basis in order to keep security data up-to-date.
Query and Definition Security
PS Query Security: This is available to PSQuery user. It specifies records the user is allowed to access when building and running queries. Query access groups are created in PS Tree Manager and the queries are added to these groups.
Definition Security: User access to database object definitions e.g. record definition, page definition, field definition etc. is governed by the Definition Security. It protects object definitions from modifications. It is used to control access to ps definitions through application designer. The definition security tool is available with app designer (Go > Definition Security). The definitions under the default group PEOPLETOOLS displays all the definitions that are read-only or excluded from security.
3 Basic Security Records
- PSSTATUS - this table is used during signon process. TOOLSREL value from this table is used to determine version test; whether the client and database are on same version.
- PSOPRDEFN - the application user and password is stored in PSOPRDEFN.
- PSACCESSPRFL - the ACCESSID and password (database user and password, both stored in encrypted form) is stored in PSACCESSPRFL.
ACCESSID: When any userid is created, it is assigned to an access profile, which specifies an ACCESSID and password. ACCESSID is the RDBMS id with which PS applications are ultimately connected to database after PS system connects using CONNECTID and validates the userid and password.
Access profile is not used when end user access PS application through PIA. During a PIA transaction, application server maintains a persistent connection to database with ACCESSID.
SYMBOLICID: SYMBOLICID masks ACCESSID. It acts as an intermediate entity between OPRID and ACCESSID. It is used as a search key to select the ACCESSID from PSACCESSPRFL where ACCESSID is stored in encrypted form.
Implementing SSL -
SSL Handshake Process - The browser begins the SSL handshake process by requesting a secure Web page using the HTTPS protocol thus initiating a secure session with the website by sending message containing information about encryption and compression algorithms the browser supports and a random number. The Webserver responds with a message, which also includes information about supported algorithms and a random number. The Webserver chooses the strongest encryption methods that both the browser and server support. The server also sends its digital certificate to the browser and waits for browser's response.
Browser receives the server response and now checks the certificate against a list of known Certificate Authorities to verify the validity of server's digital certificate. The server's certificate contains its public key and the name of the server.
The client then uses the above two random values and computes a secret code, encrypt this code using webserver's certificate's public key and sends to the server as a Client Key Exchange message. If the server can decrypt this data, the client is assured that the server has the correct private key. This step determines the authenticity of the server.
The exchanged data is now used by both the client and the server to calculate a Master Secret key. The server now respond to the browser with a request to initiate communication using the established keys and parameters.
How SSL is configured in Peoplesoft- Here are the steps to configure SSL -
1. Generate webserver' s private key and certificate signing request (CSR).
2. Submit CSR to your CA for signing:
3. Download the root certificate and intermediate CA certificates.
4. Download SSL certificate.
5. Import certificates into keystore.
6. Configuring the Oracle WebLogic Server to use the keystore.
[... More on configuring SSL]2. Submit CSR to your CA for signing:
3. Download the root certificate and intermediate CA certificates.
4. Download SSL certificate.
5. Import certificates into keystore.
6. Configuring the Oracle WebLogic Server to use the keystore.
Portal Security Sync
Sign-on and Time-out Security
Process Security
PIA (the Peoplesoft Internet Architecture) Security
No comments:
Post a Comment