D69117
D61554GC10

September 2010
Rel 8.50
PeopleSoft Security

For Instructor Use Only.


This document should not be distributed.
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and
print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way.
Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of
Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please report
them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to
be error-free.
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States
Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by
the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Working with Permission Lists Lesson 4

Activity 1: Working with Permission Lists


In this activity, you will review the activity overview and:

Create permission lists.

Configure security links.

Copy permission lists.

Delete permission lists.

Slide 63

Instructor Notes

Duration

Note. This activity should take approximately 30 minutes.

Answers to Activity Questions


These are the answers to the questions in the activity:

Definition Element Value or Status

Menu Name PORTAL_ADMIN

Menu Bar Name USE

Bar Item Name FOLDER_CREF_LIST

Item Name PORTAL_OBJ_LIST

Activity Overview
Create the permission lists that enable Training Department managers to complete the training administration
process.

Create the SETUP01 permission list to incorporate the transactions necessary to complete the setup of the
training administration tables. Refer to the detailed instructions for the specific pages.

Create a link that enables you to access the PeopleTools, Portal, Structure and Content page from the
Permission Link List page. Portal Admin (PORTAL_ADMIN) is the menu name. Use (USE) is the bar name.
Folder Content Reference Permission List (FOLDER_CREF_LIST) is the menu item name. Portal Object
List (PORTAL_OBJ_LIST) is the item name. Access Application Designer to view these menu and
component definition elements.

Create the COURSE01 permission list as a clone of the PSU1100 permission list. This permission list
incorporates the functionality involved in setting up training programs and courses. Refer to the detailed
instructions for the specific pages.

Clone the ALLPAGES permission list as ALLPAGESCOPY. Then, delete the ALLPAGESCOPY permission
list.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Permission Lists


To create permission lists:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Click the Add a New Value link.

3. Enter SETUP01 in the Permission List field and click the Add button.

4. On the General page, enter Set up training tables in the Description field.

5. Select the Pages page.

6. Enter PSU_TRAINING in the Menu Name field and press the Tab key.

7. Click the Edit Components link for the PSU_TRAINING menu.

8. Click the Edit Pages link for the PSU_BUS_UNITS component.

9. Enter the following information:

Page Authorized? Display Only Actions

PSU Bus Units Selected Selected Update/Display

10. Click the OK button.

11. Repeat steps 8 through 10 and use the following information:

Component Page Authorized? Display Only Actions

PSU_INSTR Professional Details Selected Cleared Add, Update/Display

PSU_INSTR Photo Selected Cleared Add, Update/Display

PSU_MATRL Course Materials Selected Cleared Add, Update/Display

PSU_TRNLOC Training Facilities Selected Cleared Add, Update/Display

PSU_VENDOR Vendor Information Selected Cleared Add, Update/Display

12. Click the OK button.

13. Click the Save button.

14. Insert a new row on the Pages page.

15. Enter QUERY_MANAGER in the Menu Name field and press the Tab key.

16. Click the Edit Components link for the QUERY_MANAGER menu.

17. Click the Edit Pages link for the QUERY_MANAGER component.

18. Click the Select All button.

19. Click the OK button.

20. Repeat steps 18 through 20 for the QUERY_VIEWER component.

21. Click the Edit Pages link for the QUERY_ADMIN component.

22. Select the Authorized check box for the Qry Admin page and then select the Update/Display check box.

23. Click the OK button twice.

24. Save the permission list.

Results

These are the results of creating permission lists:

Configuring Security Links
To configure security links:

1. Select PeopleTools, Portal, Structure and Content.

2. Observe the page.

This is the destination page to which you will link in the next set of steps.

3. Press Ctrl + J twice and record the menu name in this table.

Page Element Value

Menu Name

4. Click the Continue link and then minimize the browser and close the Downloads window, if it opened.

5. On the desktop, open the PeopleTools 8.5 folder and double-click Application Designer.

6. Sign on to the T1B85001 database; use PTTRN as the User ID and Password.

7. Select File, Open and select Menu from the Destination drop-down list box.

8. Enter the value from step three in the Name field and press the OK button.

9. In the menu bar, double-click Use and record the bar name in this table:

Definition Element Value

Menu Bar Name

10. Click the OK button to dismiss the dialog box.

11. In the bar item list, double-click Folder Cref List and record the bar item name in this table:

Definition Element Value

Bar Item Name

12. Click the OK button to dismiss the dialog box.

13. Right-click Folder Cref List and select View Definition.

14. Find the Portal Obj List page and record the item name in this table:

Definition Element Value

Item Name

15. Close Application Designer and maximize the browser.

16. Select PeopleTools, Security, Security Objects, Security Links.

17. Select the Permission List page and enter this information:

Page Element Value or Status

Active Flag Selected

Description Structure and Content

Menu Name Enter the value from step three.

Menu Bar Name Enter the value from step nine.

Bar Item Name Enter the value from step 11.

Item Name Enter the value from step 14.

18. Save the page.

19. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

20. Select the SETUP01 permission list.

21. Select the Links page and compare your results with the results at the end of this activity.

22. Click the Edit link for Structure and Content.

23. Observe the page.

It should be the Structure and Content page that you observed in step two.

Results

These are the results of configuring security links:

Copying Permission Lists
To copy permission lists:

1. Select PeopleTools, Security, Permissions & Roles, Copy Permission List.

2. Click the Search button.

3. Select ALLPAGES in the Permission List field.

4. Enter ALLPAGESCOPY in the To field.

5. Click the Save button.

6. Click the Return to Search button.

7. Enter PSU1100 in the Permission List field.

8. Click the Search button.

9. Enter COURSE01 in the To field.

10. Click the Save button.

11. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

12. Click the Return to Search button and enter COURSE in the permission list field.

13. Click the Search button and select COURSE01.

14. Clear the contents and then enter Maintain course data in the Description field.

15. Select the Pages page.

16. Click the Edit Components link for the PSU_TRAINING menu and use the following information to
grant permissions:

Component Page Authorized? Display Only Actions

PSU_COURSE_MATL Course Materials Information Selected Cleared Update/Display

PSU_CRS_DBASE PSU Course Database Selected Cleared Update/Display

PSU_CRS_EVAL Course Evaluations Selected Cleared Update/Display

17. Click the OK button.

18. Save the permission list.

Results

These are the results of copying permission lists:

Deleting Permission Lists


To delete permission lists:

1. Select PeopleTools, Security, Permissions & Roles, Delete Permission Lists.

2. Click the Return to Search button.

3. On the search page, enter ALL in the Permission List field and click the Search button.

4. Select the ALLPAGESCOPY permission list.

5. On the Delete Permission List page, click the Delete Permission List button.

6. Click the OK button.

7. Select PeopleTools, Security, Permissions & Roles, Permission Lists and verify that ALLPAGESCOPY is
not in the search results.

Results

These are the results of deleting permission lists:

This concludes the activity. Please do not continue.

Lesson 5 Working with Roles

Activity 2: Creating Roles


In this activity, you will review the activity overview and:

Create roles.

Copy roles.

Delete roles.

Slide 74

Instructor Notes

Duration

Note. This activity should take approximately 10 minutes.

Activity Overview
Create the Instructor Manager role. It should contain the SETUP01 and COURSE01 permission lists.

Copy the Instructor role as Instructor 2. Confirm its existence and then delete the Instructor 2 role.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Roles
To create roles:

1. Select PeopleTools, Security, Permissions & Roles, Roles.

2. Click the Add a New Value link.

3. Enter Instructor Manager in the Role Name field.

4. Click the Add button.

5. Enter Manages TAs and Instructors in the Description field.

6. Select the Permission Lists page and enter SETUP01 in the Permission List field.

7. Click the insert row button (+).

8. Enter COURSE01 in the Permission List field.

9. Save the role.

Results

These are the results of creating roles:

Copying Roles
To copy roles:

1. Select PeopleTools, Security, Permissions & Roles, Copy Roles.

2. Click the Return to Search button.

3. On the search page, enter Instructor in the Role Name field and click the Search button.

4. On the Role Save As page, enter Instructor 2 in the as: field.

5. Click the Save button.

6. Select PeopleTools, Security, Permissions & Roles, Roles.

7. Click the Return to Search button.

8. Enter Ins in the Role Name field and click the Search button.

9. Verify the presence of the Instructor 2 role in the search results.

Results

These are the results of copying roles:

Deleting Roles
To delete roles:

1. Select PeopleTools, Security, Permissions & Roles, Delete Roles.

2. Enter Ins in the Role Name field and click the Search button.

3. Select Instructor 2.

4. Click the Delete Role button.

5. Click the OK button.

6. Enter Ins in the Role Name field and click the Search button.

7. Verify the absence of the Instructor 2 role from the search results.

Results

These are the results of deleting roles:

This concludes the activity. Please do not continue.

Lesson 6 Working with User Profiles

Activity 3: Creating User Profiles


In this activity, you will review the activity overview and:

Create user profiles.

Copy user profiles.

Slide 84

Instructor Notes

Duration

Note. This activity should take approximately 15 minutes.

Notes About the Activity


If you do not enter a symbolic ID, you receive the following warning message:

Important! The General page consistently throws an "Invalid xml" error if you do not follow the instruction
in the guide as written. If students receive this error, instruct them to click the Home link in the navigation
header. They will lose any changes they have made since the last save.

Activity Overview
Training implementation is underway. Create user profiles for James Fung, Dr. Calvin Roth, and yourself.
Use first initials and last names as the user IDs and the passwords. Use the charts in the activity detailed steps
to assign specific user profile properties.

When you finish, start another browser session to test sign in privileges.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating User Profiles


To create user profiles:

1. Select PeopleTools, Security, User Profiles, User Profiles.

2. Click the Add a New Value tab.

3. Enter your first initial and last name for the User ID.

4. Click the Add button.

5. Enter the following information on the General page:

Page Element Value or Status

Symbolic ID SYSADM1

Password <Student first initial and last name>

Confirm Password <Student first initial and last name>

6. Select the ID tab and enter the following information:

Page Element Value or Status

ID type Employee

Employee ID 00001 (even though you are not Cornelia)

Description <Student name>

7. Select the Roles tab, insert three rows in the User Roles grid, and then enter the following information:

Page Element Value or Status

Role Name Employee


Training Administrator
Training Manager
PeopleSoft User

8. Click the Save button.

9. Click the Add button.

10. Enter JFUNG in the User ID field and click the Add button.

11. Select the General page, and enter the following information:

Page Element Value or Status

Symbolic ID SYSADM1

Password JFUNG

Confirm Password JFUNG

Primary PPMGR

12. Select the ID page, and enter the following information:

Page Element Value or Status

ID type Employee

Employee ID 00136

Description James Fung

13. Select the Roles page and enter Employee in the Role Name field.

14. Click the Insert row button.

15. Enter Training Manager in the Role Name field and click the Save button.

16. Click the Insert row button.

17. Enter Instructor Manager in the Role Name field and click the Save button.

18. Click the Insert row button.

19. Enter PeopleSoft User in the Role Name field and click the Save button.

20. Sign out.

21. Sign in as JFUNG/JFUNG.

22. Select Set Up Training, Materials and add a new value: PSU466.

23. Click the Add button, and enter the following information:

Page Element Value or Status

Description Security Training Guide

Short Description Security

Minimum Inventory Level 20

Inventory Reorder Point 12

Price 38.95

24. Save the page and sign out.

25. Sign in as the <<student name>> user and check the results.

Results

The new user ID will display the following menu:

Copying User Profiles


To copy user profiles:

1. Sign out and sign in as PTTRN/PTTRN.

2. Select PeopleTools, Security, User Profiles, Copy User Profiles.

3. Select JFUNG and enter the following information:

Page Element Value or Status

New User ID CROTH

Description Dr. Calvin Roth

Password CROTH

Confirm Password CROTH

Copy ID Type Selected

4. Click the Save button.

5. Select the ID page and change the EMPLID to 00137.

6. Click the Save button and sign out.

7. Sign in as CROTH and make sure that the user has appropriate access.

8. Check the results and sign out.

Results

This is the menu available to the CROTH user ID:

This concludes the activity. Please do not continue.

Lesson 7 Managing Advanced Application Security

Activity 4: Configuring Distributed Role Assignment


In this activity, you will review the activity overview, and:

Grant component permissions.

Enable role grant.

Test the role grant.

View search records.

Set the distributed user profile search record.

Slide 95

Instructor Notes

Duration

Note. This activity should take approximately 10 minutes.

Answers To Questions
These are the answers to the questions:

Question Answer

How many user profiles are displayed? 67

Question Answer

How many roles are available for DPOND to assign? 1

Question Answer

How many user profiles are displayed after search record is implemented? 19

Identifying Possible Problems


When students test the role grant, they should see 66 user profiles. Numbers might vary slightly. After
changing the view, they should see 19 user profiles.

Optional Steps
After specifying the search record, students might want to repeat the section "Testing the Role Grant" steps 1
through 5.

Activity Overview
Grant all pages of the distributed user profile component (USERMAINT_DIST) to the PSU1100 permission
list.

Specify that the Training Coordinator role can be granted by the Training Administrator role.

In Application Designer, open the PSOPRDEFN_SRCH and DIST_USER_SRCH records. View the SQL for
the two search records.

Specify the new DIST_USER_SRCH search record on the Distributed User Set Up page.

Denise Pond (DPOND) is a training administrator. Test to see whether she can grant the training coordinator
role to another user.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Granting Component Permissions


To grant component permissions:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Enter PSU1100 in the Permission List field.

3. Select the Pages tab.

4. Insert a new row.

5. Enter MAINTAIN_SECURITY in the Menu Name field and press the Tab key.

6. Click the Edit Components link for the MAINTAIN_SECURITY menu.

7. Scroll to the bottom of the page and click the Edit Pages link for the USERMAINT_DIST component.

8. Click the Select All button.

9. Select the Display Only check box for each page except the User Roles page.

10. Clear the Add check box.

Compare your page to the Results.

11. Click the OK button.

12. Click the OK button again.

13. Click the Save button.

Results

These are the results of granting component permissions:

Enabling Role Grant
To enable role grant:

1. Select PeopleTools, Security, Permissions & Roles, Roles.

2. Select the Training Administrator role.

3. Select the Role Grant tab.

4. Enter Training Coordinator in the Role Name field in the first scroll area.

5. Click the Save button.

Results

These are the results of enabling role grant.

Testing Role Grant


To test role grant:

Note. Use <<student name>> for the user name and password in this part of the activity. This is the user
profile you created in Activity 3 "Creating User Profiles".

1. Sign in to the T1B85001 database using the profile you created in activity 3.

2. Select PeopleTools, Security, User Profiles, Distributed User Profiles.

3. Click the Search button and answer this question:

Question Answer

How many user IDs appear?

4. Select the DPOND user ID.

5. Select the User Roles page.

6. Insert a new row.

7. Click the lookup button for the Role Name and answer this question:

Question Answer

How many roles are available to assign?

8. Select the Training Coordinator role.

9. Save the page.

10. Sign out.

Viewing Search Records


To view search records:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Launch PeopleSoft Application Designer from the PeopleTools folder on the desktop.

2. Select File, Open and select Record from the Definition drop-down list box.

3. Enter PSOPRDEFN_SRCH in the Name field and press the Enter key.

4. Select the Record Type tab.

5. Click the SQL Editor button and examine the SQL for this view.
SELECT oprid, oprdefndesc
FROM psoprdefn

6. Close the SQL window.

7. Select File, Open and select Record from the Definition drop-down list box.

8. Enter DIST_USER_SRCH in the Name field and press the Enter key.

9. Select the Record Type tab.

10. Click the SQL Editor button and examine the SQL for this view.
SELECT A.OPRID, A.OPRDEFNDESC
FROM PSOPRDEFN A,
     PSOPRALIAS B,
     PS_PERSONAL_DATA P
WHERE A.OPRID = B.OPRID
AND B.EMPLID = P.EMPLID

11. Close the SQL editor.

Setting the Distributed User Profile Search Record
To set the distributed user profile search record:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Sign in and select PeopleTools, Security, User Profiles, Distributed User Set Up.

2. Enter DIST_USER_SRCH in the New Search Record field.

3. Click the Save button.

4. Sign out.

Note. Use <<student name>> for the user name and password in this part of the activity.

5. Sign in and select PeopleTools, Security, User Profiles, Distributed User Profiles.

6. Click the Search button.

7. Compare the number of user IDs returned with the number in the previous section.

8. Sign out.
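
The effect of switching the search record can also be checked directly in SQL Developer. The queries below are an added example, not part of the Oracle course material; they use only the tables and columns that appear in the two view definitions shown earlier in this activity, and they list the user profiles that the PSOPRDEFN_SRCH definition returns but the DIST_USER_SRCH definition filters out.

```sql
-- Added example: compare what the two search record definitions expose.
-- Read-only queries; run them in SQL Developer against the training database.

-- 1. Number of user profiles each view definition returns.
--    COUNT(DISTINCT ...) is used for the join because a user with more than
--    one matching PSOPRALIAS row would otherwise be counted more than once.
SELECT (SELECT COUNT(*)
          FROM PSOPRDEFN) AS ALL_PROFILES,
       (SELECT COUNT(DISTINCT A.OPRID)
          FROM PSOPRDEFN A,
               PSOPRALIAS B,
               PS_PERSONAL_DATA P
         WHERE A.OPRID = B.OPRID
           AND B.EMPLID = P.EMPLID) AS DIST_PROFILES
  FROM DUAL;

-- 2. User profiles that a distributed administrator no longer sees once
--    DIST_USER_SRCH is the search record, with the reason each one drops out.
SELECT A.OPRID,
       A.OPRDEFNDESC,
       CASE
         WHEN EXISTS (SELECT 1
                        FROM PSOPRALIAS B
                       WHERE B.OPRID = A.OPRID)
         THEN 'alias EMPLID not found in PS_PERSONAL_DATA'
         ELSE 'no PSOPRALIAS row'
       END AS REASON
  FROM PSOPRDEFN A
 WHERE NOT EXISTS (SELECT 1
                     FROM PSOPRALIAS B,
                          PS_PERSONAL_DATA P
                    WHERE B.OPRID = A.OPRID
                      AND B.EMPLID = P.EMPLID)
 ORDER BY A.OPRID;
```

Review the second result set before relying on the new search record: every account in it can no longer be maintained through the Distributed User Profiles component.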

This concludes the activity. Please do not continue.

Activity 5: Assigning Roles Dynamically


In this activity, you will review the activity overview and:

Activate domain.

Run dynamic role queries.

Verify the process.

Slide 101

Instructor Notes

Duration

Note. This activity should take approximately 10 minutes.

The ROLESYNCEXT_MSG and ROLESYNCH_MSG messages update dynamic role membership. In the
training database, the domain associated with these messages might be inactive, which prevents the
subscription PeopleCode in these messages from working.

Answer

Question Answer

What users appear in the list? DZL, KLK, TAH, JXP

Activity Overview
Diane Loncarevic (DZL), Kathryn Kaplan (KLK), Todd Hersh (TAH), and Jeff Phey (JXP) are new training
managers. They are the first of several new training managers joining the company, so the
reporting team created a role query (TRN_MGR_ROLE_QRY) that selects training managers. Use this
query to implement dynamic role assignment to the Training Manager role. Configure, test, and run the query
rule.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Activating the Domain


The domain must be active for this activity to succeed. To check the domain status:

1. Select PeopleTools, Integration Broker, Service Operations Monitor, Administration, Domain Status.

2. Click the Purge Domain Status button.

3. Click the Update button.

Results

The Dispatcher Status will show ACT for all 3 dispatchers:

Note. If the dispatchers do not show ACT, then change the Domain Status to Inactive and click Update.
Change the Domain Status back to Active and click Update again.

Running Dynamic Role Queries


To run dynamic role queries:

1. Select PeopleTools, Security, Permissions & Roles, Roles.

2. Enter Training Manager in the Role field.

3. Click the Search button.

4. Select the Dynamic Members page and select the Query Rule Enabled check box.

5. Select the TRN_MGR_ROLE_QRY query.

6. Click the Test Rule(s) button.

7. Click the Yes button and answer this question:

Question Answer

What users appear in the list?

8. Click the Return button.

9. Click the Execute Rule(s) button.

10. Click the Process Monitor link and observe that the process has completed successfully.

11. Close any open Process Monitor browser windows.

Verifying the Process
To verify the process:

1. Select PeopleTools, Security, User Profiles, User Profiles.

2. Enter DZL as the user ID.

3. Select the Roles page.

Results

This page shows the dynamic role membership for the DZL user ID:

This concludes the activity. Please do not continue.

Lesson 8 Auditing Security Tables

Activity 6: Configuring Field Level Audits


In this activity, you will review the activity overview and:

Configure field level audits.

Test field level audits.

Query the PSAUDIT table.

Slide 109

Instructor Notes

Duration

Note. This activity should take approximately 20 minutes.

Notes for Completing the Activity


The Copy User Profile does not register as a field Add.

The Delete User Profile does not register as a field Delete.

These are the answers to the questions:

Question Answer

How many rows are in the table? 1

Why is the first row in the table? It is a change.

Why do no A or D rows exist for the TEST-FLA user? The component processor does not do the copy and delete.

SQL Developer
SQL Developer should be set up with a connection for the T1B85001 database. Here is an example of the
connection:

Activity Overview
Enable the system to track field additions and deletions of the OPRID field and updates of the
OPRDEFNDESC field in the PSOPRDEFN record.

After you set up the audits, create a new user TEST-FLA. Use TEST-FLA as the password. Enter a description
and save the user. Change the description and save the user profile again.

Then open SQL Developer and query the PSAUDIT table.

Note. Use the T1B85001 database with the user name and password PTTRN in Application Designer and in
the browser in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Configuring Field Level Audits


To configure field level audits:

1. In Application Designer, select File, Open.

2. Select Record from the Definition drop-down list box.

3. Enter PSOPRDEFN in the name field and click the Open button.

4. Double-click the PSOPRDEFN record name.

5. Double-click the OPRID field.

6. Select the Field Delete and Field Add check boxes.

7. Click the OK button.

8. Double-click the OPRDEFNDESC field.

9. Select the Field Change audit check box.

10. Click the OK button.

11. Save the record definition.

Testing Field Level Audits


To test field level audits:

1. In the browser, select PeopleTools, Security, User Profiles, Copy User Profiles.

2. Enter PTEMPL in the User ID field and click the Search button.

3. Enter the following information:

Page Element Value or Status

New UserID TEST-FLA

Description Field Level Audit Test

Password TEST-FLA

Confirm password TEST-FLA

4. Click the Save button.

5. Select the ID tab and add My to the beginning of the description.

6. Save the profile.

7. Select PeopleTools, Security, User Profiles, Delete User Profiles.

8. Search for and select TEST-FLA.

9. Click the Delete User Profile button.

10. Click the OK button.

Querying the PSAUDIT Table


To review the PSAUDIT table:

1. Double-click the SQL Developer shortcut on the desktop.

Note. If you get the message "Would you like to migrate from a previous release", click No. If Configure
File Type Associations is displayed, click Cancel. If the Tip of the Day is displayed, click Close.

2. Expand the Connections.

3. Double-click T1B85001.

4. Enter the following statement:


SELECT * FROM PSAUDIT

5. Click the Execute Statement icon (or press the F9 key).

6. Answer these questions:

Question Answer

How many rows are in the table?

Why is the first row in the table?

Why are there no A or D rows for the TEST-FLA user?
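
SELECT * returns every audited field in the database. The narrower queries below are an added example, not part of the Oracle course material; they assume the standard PSAUDIT columns RECNAME, FIELDNAME, KEY1, OLDVALUE and NEWVALUE, which are not shown in this guide, and restrict the output to the two PSOPRDEFN fields configured in this activity.

```sql
-- Added example: audit rows for the two fields audited in this activity.
-- RECNAME, FIELDNAME, KEY1, OLDVALUE and NEWVALUE are assumed from the
-- standard PSAUDIT layout; confirm them against the table definition.

-- 1. Chronological trail of changes to OPRID and OPRDEFNDESC.
SELECT AUDIT_STAMP,
       AUDIT_OPRID,          -- user who made the change
       AUDIT_ACTN,           -- A = add, C = change, D = delete
       FIELDNAME,
       KEY1,                 -- first key of the audited row (the OPRID)
       OLDVALUE,
       NEWVALUE
  FROM PSAUDIT
 WHERE RECNAME = 'PSOPRDEFN'
   AND FIELDNAME IN ('OPRID', 'OPRDEFNDESC')
 ORDER BY AUDIT_STAMP;

-- 2. Action codes recorded per user profile. A profile that shows changes
--    but no add or delete rows was created or removed by a path that the
--    field-level audit did not record.
SELECT KEY1 AS OPRID,
       SUM(CASE WHEN AUDIT_ACTN = 'A' THEN 1 ELSE 0 END) AS ADDS,
       SUM(CASE WHEN AUDIT_ACTN = 'C' THEN 1 ELSE 0 END) AS CHANGES,
       SUM(CASE WHEN AUDIT_ACTN = 'D' THEN 1 ELSE 0 END) AS DELETES
  FROM PSAUDIT
 WHERE RECNAME = 'PSOPRDEFN'
 GROUP BY KEY1
 ORDER BY KEY1;
```

For the TEST-FLA profile in this activity, the second query is expected to show a change count with no adds or deletes, which matches the instructor note that Copy User Profile and Delete User Profile do not register as field Add or field Delete.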

Results

The additions and changes to the user profiles are stored in the PSAUDIT table:

This concludes the activity. Please do not continue.

Activity 7: Configuring Record Level Audits


In this activity, you will review the activity overview and:

Create audit record definitions.

Build audit tables.

Configure audited records.

Test record level auditing.

Query the audit table.

Slide 115

Instructor Notes

Duration

Note. This activity should take approximately 20 minutes.

Activity Overview
Create the AUDIT_PSOPRDEFN table to track changes made to the OPRID and OPRDEFNDESC fields in
the PSOPRDEFN table. Audit for any additions, deletions, and selective changes.

Copy the PTEMPL user profile, make a change to the copy, and then delete the copy.

Use SQL Developer to check the contents of the PS_AUDIT_PSOPRDEFN table.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Audit Record Definitions


To create audit record definitions:

1. In Application Designer, select File, New.

2. Select Record from the Definition drop-down list box.

3. Select Insert, Field, and then insert the following fields in the order listed.

AUDIT_OPRID

AUDIT_STAMP

AUDIT_ACTN

OPRID

OPRDEFNDESC

4. Make the fields AUDIT_OPRID, AUDIT_STAMP, and AUDIT_ACTN required and keys.

5. Double-click the AUDIT_STAMP field, select the Use tab, and select the Auto-Update check box.

6. Click the OK button.

7. Save the record definition as AUDIT_PSOPRDEFN.

8. Select PTAPP.PSPTDMO for the Space.

Results

These are the results of creating audit record definitions:

Building Audit Tables


To build audit tables:

1. With the audit table open, select Build, Current Definition.

2. Select the Create Table check box and the Execute SQL now option.

3. Click the Build button.

Configuring Audited Records


To configure the audited records:

1. Open the PSOPRDEFN record.

2. Select File, Definition Properties.

3. Select the Use tab.

4. In the Record Audit group box, enter AUDIT_PSOPRDEFN in the Record Name field.

5. Select the Add, Selective, and Delete check boxes.

6. Click the OK button.

7. Save the record definition.

Results

These are the results of configuring audited records:

Testing Record Level Audits


To test record level audits:

1. In the browser, select PeopleTools, Security, User Profiles, Copy User Profiles.

2. Enter PTEMPL in the User ID field and click the Search button.

3. Enter the following information:

Page Element Value or Status

New UserID TEST-RLA

Description Record Level Audit Test

Password TEST-RLA

Confirm password TEST-RLA

4. Click the Save button.

5. Select the ID tab and add My to the beginning of the description.

6. Save the profile.

7. Select PeopleTools, Security, User Profiles, Delete User Profiles.

8. Click the Delete User Profile button.

9. Click the OK button.

Reviewing the Audit table


To review the audit table:

1. Open SQL Developer and select the T1B85001 connection.

2. Enter the following statement:


SELECT * FROM PS_AUDIT_PSOPRDEFN

3. Click the Execute Statement icon or press the F9 key.

Results

These are the results of reviewing the audit table:

This concludes the activity. Please do not continue.

Activity 8: Configuring Database Level Audits


In this activity, you will review the activity overview and:

Define audit triggers.

Create the audit trigger scripts.

Run the audit trigger scripts.

Test triggers.

Review the audit table.

Delete audit triggers.

Slide 120

Instructor Notes

Duration

Note. This activity should take approximately 15 minutes.

Notes for Completing the Activity


The triggers that are generated on the Oracle platform reference a function that PeopleSoft delivers to obtain
the PS_OPRID. This function must be installed into the Oracle database schema for the PeopleSoft database
prior to creating the trigger. Students need to run getpsoprid.sql. If they skip this step, they will get a warning
when they compile the trigger and they will not be able to save the user profile.

In SQL Developer, a second C appears in the third row. Ask students:

Question Answer

Where does the second change come from? The record level audit wrote it to the
PS_AUDIT_PSOPRDEFN table because you didn't
remove the audit.

Activity Overview
Create a database level audit of the PSOPRDEFN table. Use the audit record that you created in the last
activity and audit the OPRID and OPRDEFNDESC fields for the addition of new rows and for the removal of
existing rows.

Create the trigger, create a new user profile, change the user profile, and then delete the profile and view the
audit results. Drop the trigger at the end of the audit.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Defining Audit Triggers


To define auditing triggers:

1. Select PeopleTools, Utilities, Audit, Update Database Level Auditing.

2. Click the Add a New Value link.

3. Enter PSOPRDEFN in the Record Name field.

4. Click the Add button.

5. On the Audit Triggers page, enter AUDIT_PSOPRDEFN in the Audit Record Name field.

6. Select the Add and Delete check boxes.

7. Click the Generate Code button.

8. Click the Save button.

Results

These are the results of defining audit triggers:

Creating the Audit Trigger Scripts


To create the auditing trigger scripts:

1. Select PeopleTools, Utilities, Audit, Perform Database Level Audit.

2. Click the Add a New Value link.

3. Enter 1 in the Run Control ID field.

4. Click the Add button.

5. Enter PSOPRDEFN in the Create Trigger(s) On field.

6. Click the Run button.

7. Click the OK button.

8. Click the Process Monitor link.

9. Click Refresh and check the Run Status.

Note. The run status must be success before you can view the log/trace file.

10. On the Process List page, click the Details link for the TRGRAUDPROG process.

11. On the Details page, click the View Log/Trace link.

Note the name of the sql file (should be trgcode1.sql).

12. Click the trgcode1.sql link.

13. Copy all of the text in trgcode1.

Running the Audit Trigger Scripts


To run the auditing triggers script:

1. Double-click the SQL Developer shortcut on the desktop.

2. Select File, Open and select D:\PeopleTools\scripts\getpsoprid.sql.

3. Select T1B85001 for the database.

4. Click the Run Script icon or press the F5 key to run the script.

Note. In the Script Output window, the last line should say grant execute succeeded. You may see an
error in the log because the script will try to drop the function GET_PS_OPRID if it already exists.

5. Right-click T1B85001 in the Connections list and select Open SQL Worksheet.

6. Paste the text into the SQL Statement area.

7. Click the Run Script icon or press the F5 key to run the script.

8. Minimize SQL Developer.

Results

The trigger should compile successfully.

Testing Triggers


To test triggers:

1. In the browser, select PeopleTools, Security, User Profiles, Copy User Profiles.

2. Enter PTEMPL in the User ID field and click the Search button.

3. Enter the following information:

Page Element Value or Status

New UserID TEST-DBLA

Description Database Level Audit Test

Password TEST-DBLA

Confirm password TEST-DBLA

4. Click the Save button.

5. Select the ID tab and add My to the beginning of the description.

6. Save the profile.

7. Select PeopleTools, Security, User Profiles, Delete User Profiles.

8. Click the Delete User Profile button.

9. Click the OK button.

Reviewing the Audit table


To review the audit table:

1. In SQL Developer, right-click on T1B85001 and select Open SQL Worksheet.

2. Enter the following statement:


SELECT * FROM PS_AUDIT_PSOPRDEFN

3. Click the Execute Script icon or press the F9 key.

Results

These are the results of reviewing the audit table:
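
The review steps in Activities 7 and 8 both end with an unfiltered SELECT *. The queries below are an added example (not part of the course material) that read the same table as an audit trail. They use only the columns placed on the AUDIT_PSOPRDEFN record in Activity 7 and assume that AUDIT_ACTN holds the one-letter codes this guide refers to (A, C, D).

```sql
-- Added example for reviewing PS_AUDIT_PSOPRDEFN. Paste into a SQL Developer
-- worksheet on the T1B85001 connection and use Run Script (F5) so that all
-- three statements execute.
-- Assumption: AUDIT_ACTN stores the one-letter action codes mentioned in the
-- guide (A = add, C = change, D = delete).

-- 1. Chronological trail for the two test profiles created in Activities 7 and 8.
SELECT AUDIT_STAMP,
       AUDIT_OPRID,      -- operator who made the change
       AUDIT_ACTN,       -- kind of change
       OPRID,            -- user profile that was affected
       OPRDEFNDESC       -- description value captured by the audit
  FROM PS_AUDIT_PSOPRDEFN
 WHERE OPRID IN ('TEST-RLA', 'TEST-DBLA')
 ORDER BY AUDIT_STAMP, AUDIT_ACTN;

-- 2. Rows written per profile and action. While the Activity 7 record level
--    audit is still configured it keeps writing to this table alongside the
--    Activity 8 trigger, so this shows every row each profile and action produced.
SELECT OPRID,
       AUDIT_ACTN,
       COUNT(*)         AS AUDIT_ROWS,
       MIN(AUDIT_STAMP) AS FIRST_SEEN,
       MAX(AUDIT_STAMP) AS LAST_SEEN
  FROM PS_AUDIT_PSOPRDEFN
 GROUP BY OPRID, AUDIT_ACTN
 ORDER BY OPRID, AUDIT_ACTN;

-- 3. Profiles that were both added and deleted inside the audited period,
--    which is the pattern the lab produces and one worth reviewing on a
--    real system. DISTINCT_ACTORS counts how many operators touched the profile.
SELECT OPRID,
       MIN(CASE WHEN AUDIT_ACTN = 'A' THEN AUDIT_STAMP END) AS FIRST_ADDED,
       MAX(CASE WHEN AUDIT_ACTN = 'D' THEN AUDIT_STAMP END) AS LAST_DELETED,
       COUNT(DISTINCT AUDIT_OPRID)                          AS DISTINCT_ACTORS
  FROM PS_AUDIT_PSOPRDEFN
 GROUP BY OPRID
HAVING COUNT(CASE WHEN AUDIT_ACTN = 'A' THEN 1 END) > 0
   AND COUNT(CASE WHEN AUDIT_ACTN = 'D' THEN 1 END) > 0
 ORDER BY LAST_DELETED DESC;
```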

Deleting Audit Triggers


To delete auditing triggers:

1. Select PeopleTools, Utilities, Audit, Update Database Level Auditing.

2. Enter PSOPRDEFN in the Record Name field.

3. Click the Search button.

4. Clear the Add, Change, and Delete check boxes.

5. Click the Generate Code button.

6. Click the Save button.

7. Maximize SQL Developer.

8. Enter this SQL statement in the query tool:


Drop trigger PSOPRDEFN_TR

9. Click the Execute Script icon or press the F9 key.

10. Click the Commit icon or press the F11 key.

This concludes the activity. Please do not continue.

Lesson 9 Managing PeopleTools Security

Activity 9: Implementing Developer Security


In this activity, you will review the activity overview and:

Create permission lists.

Create roles.

Create user profiles.

Slide 131

Instructor Notes

Duration

Note. This activity should take approximately 30 minutes.

Activity Overview
John Fitzsimmons, a PeopleSoft Enterprise consultant, is the implementation developer for the PeopleSoft
training administration application. Set up John Fitzsimmons' security by creating a new permission list, a
new role, and a new user profile.

Create a new permission list named CPTRNDEV. Use the charts in the activity detailed steps to determine the
menu access.

Grant Definition Security and Application Designer access. Use the charts in the activity detailed steps to
determine the level of access.

Create the Training Developer role and assign it to the CPTRNDEV permission list.

In the user profile, use ALLPAGES as the process profile permission list, PPDEV as the Primary permission
list, and NONE as the ID type. John's profile contains the Training Developer and PeopleSoft User roles.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Permission Lists


To create permission lists:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Click the Add a New Value link and enter CPTRNDEV in the Permission List field.

3. Click the Add button.

4. Enter Training Developer as the description.

5. Select the Allow Password to be Emailed check box.

6. Select the Pages page, and then add these menus:

Menu Components

PSU_TRAINING Select All

MAINTAIN_SECURITY Select All

UTILITIES Select All

APPLICATION_ENGINE Select All

QUERY_MANAGER Select All

7. Click the Save button.

8. Select the PeopleTools page and enter the following information:

Page Element Value or Status

Application Designer Access Selected

Definition Security Access Selected

9. Click the Definitions Permissions link and click the Full Access (All) button.

10. For the following definition types, change the access:

Page Element Value or Status

Activity No Access

Approval Rule Set No Access

Business Interlink No Access

Business Process No Access

Message Channel No Access

Message Node No Access

11. Click the OK button.

12. Click the Tools Permission link and click the Full Access (All) button.

13. For the following tools, change the access:

Page Element Value or Status

Build/Data Admin Build Scripts Only

Change Control Developer Access

14. Click the OK button.

15. On the Miscellaneous Permissions page, select Read Only for Access Profiles; for all other features,
select Full Access.

16. Click the OK button.

17. Click the Save button.

Creating Roles


To create the Training Developer role:

1. Select PeopleTools, Security, Permissions & Roles, Roles.

2. Click the Add a New Value link.

3. Enter Training Developer in the Role field.

4. Click the Add button.

5. Enter Training Developer in the Description field.

6. Select the Permission Lists page.

7. Enter CPTRNDEV in the Permission List field.

8. Click the Save button.

Creating User Profiles


To create a user profile:

1. Select PeopleTools, Security, User Profiles, User Profiles.

2. Click the Add a New Value link.

3. Enter JFITZ in the User ID field.

4. Click the Add button and enter the following information:

Page Element Value or Status

Symbolic ID SYSADM1

Password JFITZ

Confirm Password JFITZ

Permission List -Process Profile ALLPAGES

Permission Primary PPDEV

5. Click the Edit Email Addresses link and enter this information:

Page Element Value or Status

Primary Email Account Selected

Email Type Business

Email Address jfitz@oracle.com

6. Click the OK button and click OK again when you get a warning message.

7. Select the ID page, and then select None in the ID Type field.

8. Enter John Fitzsimmons in the Description field.

9. On the Roles page, enter PeopleSoft User and Training Developer.

10. Click the Save button.

11. Sign out.

12. To verify John's access, sign in as JFITZ and verify that he has the appropriate permissions.
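
Step 12 verifies John's access by signing in. As an added example (not part of the course material), the same setup can be cross-checked from SQL Developer. PSROLEUSER, PSROLECLASS, PSAUTHITEM and the PSOPRDEFN columns other than OPRID are the standard PeopleTools security tables and columns; this guide does not show them, so treat the names as assumptions and confirm them against your PeopleTools release.

```sql
-- Added example: cross-check the JFITZ setup from Activity 9.
-- Assumption: table and column names below are the standard PeopleTools
-- security tables; they do not appear in the course guide.
-- Use Run Script (F5) so that every statement executes.

-- 1. Permission lists and symbolic ID stored directly on the user profile.
SELECT OPRID,
       OPRCLASS    AS PRIMARY_PERMISSION_LIST,   -- lab value: PPDEV
       PRCSPRFLCLS AS PROCESS_PROFILE_LIST,      -- lab value: ALLPAGES
       SYMBOLICID                                -- lab value: SYSADM1
  FROM PSOPRDEFN
 WHERE OPRID = 'JFITZ';

-- 2. Roles on the profile and the permission lists each role brings in.
--    The lab expects Training Developer (carrying CPTRNDEV) and PeopleSoft User.
--    A role with no permission lists shows a NULL PERMISSION_LIST.
SELECT ru.ROLENAME,
       rc.CLASSID AS PERMISSION_LIST
  FROM PSROLEUSER ru
  LEFT JOIN PSROLECLASS rc
         ON rc.ROLENAME = ru.ROLENAME
 WHERE ru.ROLEUSER = 'JFITZ'
 ORDER BY ru.ROLENAME, rc.CLASSID;

-- 3. Menus granted by CPTRNDEV, with a count of display-only items.
--    Compare the menu names with the five menus added in step 6 of
--    "Creating Permission Lists".
SELECT MENUNAME,
       COUNT(*)                                         AS AUTHORIZED_ITEMS,
       SUM(CASE WHEN DISPLAYONLY = 1 THEN 1 ELSE 0 END) AS DISPLAY_ONLY_ITEMS
  FROM PSAUTHITEM
 WHERE CLASSID = 'CPTRNDEV'
 GROUP BY MENUNAME
 ORDER BY MENUNAME;

-- 4. Least-privilege check: anything JFITZ reaches through any of his roles
--    that is outside the five lab menus. Rows here come from whatever the
--    roles' permission lists grant beyond the menus listed in the activity
--    and should each be explainable.
SELECT DISTINCT
       ru.ROLENAME,
       rc.CLASSID AS PERMISSION_LIST,
       ai.MENUNAME
  FROM PSROLEUSER ru
  JOIN PSROLECLASS rc
    ON rc.ROLENAME = ru.ROLENAME
  JOIN PSAUTHITEM ai
    ON ai.CLASSID = rc.CLASSID
 WHERE ru.ROLEUSER = 'JFITZ'
   AND ai.MENUNAME NOT IN ('PSU_TRAINING',
                           'MAINTAIN_SECURITY',
                           'UTILITIES',
                           'APPLICATION_ENGINE',
                           'QUERY_MANAGER')
 ORDER BY ru.ROLENAME, rc.CLASSID, ai.MENUNAME;
```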

This concludes the activity. Please do not continue.

Activity 10: Managing Definition Security


In this activity, you will review the activity overview and:

Create definition groups.

Insert security definition groups in permission lists.

Slide 137

Instructor Notes

Duration

Note. This activity should take approximately 15 minutes.

Notes for Completing the Activity


These are the answers to the questions:

Question Answer

Were you able to open the page? (PSU_COURSE) No (The TOOLS1 group secures this definition.)

Question Answer

Were you able to open the page? (PSU_STUDENT_PERS) No (After creating the new group, any definitions in the
group are automatically excluded from all permission lists
and students will not be able to open the definitions.)

Question Answer

What groups comprise this permission list? PEOPLETOOLS

What is the special property of the included group? Display Only

Question Answer

Were you able to open the page? Yes (Once the page is included in a permission list, they
have access to the page.)

Question Answer

What message do you get and why? Read Only (The PEOPLETOOLS group is included on the
permission list PPDEV as Read Only. Students will be
able to view PeopleTools definitions, but cannot modify
them. It is recommended that the PEOPLETOOLS group
be defined as Read Only.)

Activity Overview
Create the TRNDEV definition security group. Insert the PSU_COURSE and PSU_STUDENT_PERS pages,
and the PSU_COURSE_TBL and PSU_STUDENT_TBL records into the group. Finally, assign the new
group to the PPDEV permission list and test.

Note. Use the T1B85001 database with the user name and password JFITZ in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Definition Security Groups


To create definition security groups:

Note. Use JFITZ for the user name and password in this part of the activity.

1. Sign in to Application Designer for the T1B85001 database.

2. Select File, Open, Page, and select the PSU_STUDENT_PERS page.

3. Close the definition.

4. Select File, Open, Page, select the PSU_COURSE page, and answer this question:

Question Answer

Were you able to open the page?

5. Click the OK button.

6. Select Go, Definition Security.

7. Select File, New Group.

8. Select Pages in the All Definitions drop-down list box.

9. Double-click the PSU_COURSE and PSU_STUDENT_PERS pages to move them into the left column.

10. Select Records in the drop-down edit box.

11. Double-click the PSU_COURSE_TBL and PSU_STUDENT_TBL records to move them into the left
column.

12. Select File, Save.

13. Enter TRNDEV for the group name.

14. Click the OK button.

15. Open the PSU_STUDENT_PERS page in the PeopleSoft Application Designer and answer this question:

Question Answer

Were you able to open the page?

16. Close any open dialog boxes.

Inserting Security Definition Groups in Permission Lists


To include the security definition group in a permission list:

1. In the Definition Security application, select File, Open, Permission List.

2. Select the PPDEV permission list and answer these questions:

Question Answer

What groups comprise this permission list?

What is the special property of the included group?

3. Move the TRNDEV group into the left column.

4. Select File, Save.

5. In the PeopleSoft Application Designer, open the PSU_COURSE page, and then answer this question:

Question Answer

Were you able to open the page?

6. Close the definition.

7. Open the PSOPRDEFN record definition and answer this question:

Question Answer

What message do you get and why?

This concludes the activity. Please do not continue.

Activity 11: Creating Definition Security Groups - Optional


In this activity, you will review the activity overview and:

Create definition security groups.

Assign groups to permission lists.

Slide 138

Instructor Notes

Duration

Note. This activity should take approximately 15 minutes.

Activity Overview
Create the TRMGR security group. The TRMGR security definition group secures the query definitions
associated with training courses. All of these queries begin with the TRN prefix. Assign this group to the
PPMGR permission list.

Create the TRCOURSE security group. The TRCOURSE security definition group secures the definitions
associated with training courses. Assign this group to the PPDEV and PPMGR permission lists.

Secure the following definitions in the TRCOURSE group:

Definition Type Definition Name

Menu PSU_TRAINING

Component PSU_COURSE

Component PSU_CRS_ENROLL

Component PSU_CRS_SESSN

Page PSU_COURSE

Page PSU_CRS_ENROLL

Page PSU_CRS_SESSN

Record PSU_COURSE_TBL

Record PSU_CRS_SESSN

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Definition Security Groups


To create definition security groups:

1. Sign on to PeopleSoft Application Designer.

2. Select Go, Definition Security.

3. Select File, New Group.

4. Select Queries from the drop-down list box.

5. Include the queries that begin with TRN.

6. Select File, Save, enter TRMGR in the Save Group ID As field, and then click the OK button.

7. Select File, New Group.

8. Select Menus from the drop-down list box.

9. Include the PSU_TRAINING menu.

10. Select Components from the drop-down list box.

11. Include the components as listed in the activity overview.

12. Select Pages from the drop-down list box.

13. Include the pages as listed in the activity overview.

14. Select Records from the drop-down list box.

15. Include the records as listed in the activity overview.

16. Save the group as TRCOURSE and click the OK button.

Results

This example shows the TRMGR security group:

This example shows the TRCOURSE security group:

Assigning Groups to Permission Lists


To assign groups to permission lists:

1. Select File, Open, Permission List.

2. Select the PPDEV permission list.

3. Select TRCOURSE and click the single left arrow button to move it to the left column.

4. Select File, Save.

5. Select File, Open, Permission List.

6. Select the PPMGR permission list.

7. Select TRMGR and TRCOURSE and click the single left arrow button.

8. Select File, Save.

Results

These are the results of assigning groups to permission lists:

This concludes the activity. Please do not continue.

Activity 12: Implementing Change Control


In this activity, you will review the activity overview and:

Implement Change Control.

Examine Change Control features.

View Change Control history.

Turn off Change Control Locking.

Slide 141

Instructor Notes

Duration

Note. This activity should take approximately 15 minutes.

Activity Overview
Sign into Application Designer as PTTRN and activate Change Control Locking.

Then, sign in as JFITZ and open the PSOPRDEFN record definition and the OPRID field to examine Change
Control features.

When you have explored change control features, sign in as PTTRN and turn off Change Control Locking.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Implementing Change Control


To implement Change Control Locking:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Sign on to PeopleSoft Application Designer.

2. Select Tools, Change Control, Administrator.

3. Select the Use Change Control Locking check box.

4. Click the OK button to close the dialog box.

5. Click the OK button to dismiss the message that all users must log off.

6. Close all PeopleSoft Application Designer sessions.

Examining Change Control Features


To examine Change Control features:

Note. Use JFITZ for the user name and password in this part of the activity.

1. Sign in to Application Designer in the T1B85001 database.

Note. If you set Tools, Options to automatically reload last project at startup, you will receive a message
to open the project in read-only mode. Select the Yes button.

2. Notice the two new buttons on the toolbar (Locked and Unlocked).

3. Select File, Open and select Record from the Definition drop-down list box.

4. Enter PSU_COURSE_TBL in the Name field.

5. Click the Open button and notice the message that you receive.

6. Click the Yes button and notice that the Lock button is enabled.

7. Click the Lock button and enter documentation for locking:

Dialog Box Element Value or Status

Project Test

Incident ID 0466

Comments Test change control locking

8. Click the OK button and notice that the Unlock button is enabled.

9. Sign out of Application Designer.

Note. Use PTTRN for the user name and password in this part of the activity.

10. Sign in to Application Designer.

11. Open the PSU_COURSE_TBL record and notice the message.

12. Click the Yes button.

13. Select File, New, Project.

14. Select Insert, Current Definition into Project.

15. Expand the record folder in the project and compare the project workspace with the Results section.

16. Sign out of Application Designer and do not save the project.

Results

You can see the developer who locks a definition:

Viewing Change Control History


To view Change Control History:

Note. Use JFITZ for the user name and password in this part of the activity.

1. Sign in to Application Designer.

2. Open the PSU_COURSE_TBL record.

3. Click the Unlock button and enter this information:

Dialog Box Element Value or Status

Project Test

Incident ID 0466

Comments Testing complete

4. Click the OK button.

5. Select Tools, Change Control, View History to view the notes.

Results

The Change Control History displays:

1. Click the Close button.

2. Close Application Designer.

Turning Off Change Control Locking


To turn off Change Control Locking:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Sign in to Application Designer.

2. Select Tools, Change Control, Administrator.

3. Clear the Use Change Control Locking check box.

4. Click the OK button.

5. Click the OK button to dismiss the message that all users must log off.

6. Exit Application Designer.

This concludes the activity. Please do not continue.

Encrypting Data Lesson 10

Activity 13: Encrypting Data


In this activity, you will review the activity overview and:

View algorithm chains.

View algorithm keysets.

Review encryption profiles.

Test encryption profiles.

Slide 156

Instructor Notes

Duration

Note. This activity should take approximately 20 minutes.

Answers
These are the answers to the questions in the activity:

Question Answer

What is the name of the second algorithm? 3des_ks168_cbc_encrypt

Question Answer

What is the name of the algorithm chain? 3DES CBC B64 DECRYPT

What is the name of the third algorithm? 3des_ks168_cbc_decrypt

Why is this algorithm third, not second? Because this chain has to be in reverse order to the first
algorithm chain.

Viewing Algorithm Chains

Question Answer

What is the Algorithm ID? 3des_ks168_cbc_encrypt

What is the first keyset ID? cc_encrypt

What is the second keyset ID? ssn_encrypt

Question Answer

What is the Algorithm ID? 3des_ks168_cbc_decrypt

What is the second keyset ID? cc_decrypt

What is the third keyset ID? ssn_decrypt

Notes for Completing the Activity
The encryption keysets already exist in the T1B85001 database.

Copy the ciphertext by dragging or using the Ctrl + C command. You can copy the ciphertext even though the
field is display only.

Students can copy the initialization vector value from the InitVector.txt file in the D:\Labs\Security folder.

Activity Overview
Look at the 3DES CBC B64 DECRYPT and 3DES CBC B64 ENCRYPT algorithm chains. Notice the triple
DES algorithms in these chains.

Define the TRIPLE DES ENC B64 encryption profile to use the 3DES CBC B64 ENCRYPT algorithm chain.
Enter a hexadecimal initialization vector and choose cc_encrypt as the SYMMETRICKEY value.

Create the TRIPLE DES DEC B64 encryption profile as the decryption partner to the first encryption profile.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Viewing Algorithm Chains


To view algorithm chains:

1. Select PeopleTools, Security, Encryption, Algorithm Chain.

2. Click the Search button and select 3DES CBC B64 ENCRYPT from the search results.

3. Notice the algorithm chain and answer this question:

Question Answer

What is the name of the second algorithm?

4. Click the Previous in List button and answer these questions:

Question Answer

What is the name of the algorithm chain?

What is the name of the third algorithm?

Why is this algorithm third, not second?

Viewing Algorithm Keysets


To view algorithm keysets:

1. Select PeopleTools, Security, Encryption, Algorithm Keyset.

2. Enter 3des_ks168_cbc and click Search.

3. Select 3des_ks168_cbc_encrypt.

4. Answer these questions:

Question Answer

What is the Algorithm ID?

What is the second keyset ID?

What is the third keyset ID?

Note. Click the Last link in the scroll area header to see the second keyset ID.

5. Click the Previous in List button and answer these questions:

Question Answer

What is the Algorithm ID?

What is the second keyset ID?

What is the third keyset ID?

Reviewing Encryption Profiles


To review encryption profiles:

1. Select PeopleTools, Security, Encryption, Encryption Profile.

2. Select TRIPLE DES ENC B64 in the Profile ID field and click the Search button.

3. Note the IV Parameter Value and the SYMMETRICKEY Value.

4. Click Return to Search and select TRIPLE DES DEC B64.

5. Note the IV Parameter Value and the SYMMETRICKEY Value.

Testing Encryption Profiles


To test encryption profiles:

1. Select PeopleTools, Security, Encryption, Test Encryption Profile.

2. Enter the following information:

Page Element Value or Status

Encryption Profile ID TRIPLE DES ENC B64

Text to be encrypted 1111222233334444

3. Click the Run Encryption Profile button.

4. Copy the ciphertext.

5. Delete the current plaintext and paste the ciphertext into the field.

6. Select TRIPLE DES DEC B64 as the encryption profile ID.

7. Click the Run Encryption Profile button.

Results

These are the results of testing the encryption profile:

This concludes the activity. Please do not continue.

Activity 14: Using PSCipher to Encrypt Text


In this activity, you will review the activity overview and encrypt a password using the Password Encryption
Utility.

Slide 160

Instructor Notes

Duration

Note. This activity should take approximately 5 minutes.

PSCipher
In this activity, students use the password utility built into some PeopleSoft pages. If students want to see that
they get the same results using the command line, have them follow the steps in student notes for slide 158
"Encrypting Passwords Using the PSCipher Utility."

Activity Overview
In this activity, you will encrypt a password using the pscipher utility in PeopleSoft Internet Architecture.

Open the node FILEOUT and add an encrypted password to the properties.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.

Activity Detailed Steps


Perform the detailed steps to complete the activity.

Adding an Encrypted Password Property


To add an encrypted password property:

1. Select PeopleTools, Integration Broker, Integration Setup, Nodes.

2. Select FILEOUT.

3. Access the Connectors page.

4. Add a new row and select:

Page Element Value or Status

For Instructor Use Only.


Property ID PROPERTY

Property Name Password

5. Expand the Password Encryption Utility.

6. Enter XXXX for the Password and Confirm Password.

7. Click Encrypt.

8. Copy the encrypted password and paste in the Value column.

9. Click Save.

Results

The password is encrypted.

This concludes the activity. Please do not continue.

Lesson 11 Using Digital Certificates

Activity 15: Importing Root Certificates into the Database Keystore

In this activity, you will read the activity overview and:

Import a root CA into the database keystore.

Create a private and public key pair.

Slide 176

Instructor Notes

Duration

Note. This activity should take approximately 15 minutes.


Activity Overview
In this activity, you will:

Import the CACert.cer root certificate into the database keystore.

Create a private and public key pair. When you generate the request, you will copy the CSR as though you
were going to navigate to request the signed public key.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Importing Root CAs into the Database Keystore


To import root CAs into the database keystore:

1. In Windows Explorer, navigate to D:\Labs\Security.

2. Right-click the CACert.cer file, select Open With, and then select Notepad from the list of programs.

3. Copy the contents of the file and close the window.

4. In the browser, select PeopleTools, Security, Security Objects, Digital Certificates.

5. Click the Insert Row button (the + button).

6. Enter the following information:

Page Element | Value or Status
Type | Root CA
Alias | Training
Issuer Alias | Training

7. Click the Add Root link.

8. Paste the contents from CACert.cer into the long edit box.

9. Click the OK button.

10. Click the Details link for Training.

Result

This is the result of importing the root certificate:

Generating Private and Public Key Pair and CSRs for the Database Keystore
To generate private and public key pairs and CSRs for the database keystore:

1. Select PeopleTools, Security, Security Objects, Digital Certificates.

2. Click the Insert Row button (the + button).

3. Enter the following information:

Page Element | Value or Status
Type | Local Node
Alias | PSFT_TRN
Issuer Alias | Training

4. Click the Refresh button.

5. Click the Request link.


6. Enter the following information:

Page Element | Value or Status
Common Name | PSFT_TRN
Org Unit | PeopleTools
Organization | Oracle
Locality | <Your City>
State/Province | <Your State or Province>
Country | <Your 2-char Country Code>
Algorithm | SHA1 with RSA encryption
Key Size | 1024 bits
Email Address | <your.name@yourdomain.com>
Challenge Pswd | password

7. Click the OK button.

8. Observe the CSR and then click the OK button.

Results

This is the CSR:

This concludes the activity. Please do not continue.


Activity 16: Generating a Private and Public Key Pair and a CSR for the Java Keystore

In this activity you will read the activity overview and use the keytool utility to:

1. Generate a private and public key pair.

2. Generate a CSR.

Slide 183

Instructor Notes

Duration

Note. This activity should take approximately 15 minutes.


Activity Overview
Use the keytool utility to generate a private and public key pair for the interop.jks Java keystore. After you
generate the public key, generate a CSR for the key. Access the .csr file and view it.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Generating Private and Public Key Pairs


To generate private and public key pairs:

1. Select Start, Run.

2. Enter cmd in the Run field and press the Enter key.

3. Open the file D:\Labs\Security\Activity16a.txt in Notepad.

4. Select Format, Word Wrap.

Turns word wrap on.

5. Replace text within the angle brackets as appropriate:

keytool -genkey -alias <your_initials_key> -keyalg RSA -keysize 1024 -dname "CN=OracleUniversity, OU=PeopleSoft, O=Oracle, L=<your city>, ST=<your 2 digit state code>, C=<your 2 digit country code>" -keypass password -keystore D:\Peopletools\webserv\peoplesoft\applications\peoplesoft\pspc.war\WEB-INF\classes\interop.jks -storepass interop

Note. Remember to replace the text within the angle brackets as appropriate.

6. Select Format, Word Wrap.

Turns word wrap off.

7. Select Edit, Select All.

8. Select Edit, Copy.

9. At the command prompt, right-click and select paste.

10. Press Enter.

11. Open the file D:\Labs\Security\Activity16b.txt in Notepad.


keytool -v -list -keystore D:\Peopletools\webserv\peoplesoft\applications\peoplesoft\pspc.war\WEB-INF\classes\interop.jks -storepass interop

12. Select Edit, Select All.

13. Select Edit, Copy.

14. At the command prompt, right-click and select paste.

15. Press Enter.


Results

This is the command prompt showing the keyEntry in the certificate list:

Generating CSRs
To generate CSRs:

1. Open the file D:\Labs\Security\Activity16c.txt in Notepad.

2. Select Format, Word Wrap.

Turns word wrap on.

3. Replace text within the angle brackets as appropriate:


keytool -certreq -alias <your_initials_key> -file D:\temp\<your_initials>_csr.csr -keypass password -keystore D:\Peopletools\webserv\peoplesoft\applications\peoplesoft\pspc.war\WEB-INF\classes\interop.jks -storepass interop

Note. Remember to replace the text within the angle brackets as appropriate.

4. Select Format, Word Wrap.

Turns word wrap off.

5. Select Edit, Select All.

6. Select Edit, Copy.

7. At the command prompt, right-click and select paste.

8. Press Enter.

9. Use Windows Explorer and navigate to D:\temp to verify that the file was generated.


10. Right-click the <your_initials>_csr.csr file, select Send To and then select Notepad.

Results

This is the command prompt showing the keyEntry in the certificate list:

This concludes the activity. Please do not continue.


Activity 17: Importing CA Root Certificates into the Java Keystore

In this activity you will read the activity overview and import the CACert.cer root certificate into the Java
keystore.

Slide 184

Instructor Notes

Duration

Note. This activity should take approximately 10 minutes.


Activity Overview
Access and examine the CA root certificate. Then, use the Keytool utility to import the CACert.cer root
certificate into the Java keystore.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Examining Root Certificates


To examine root certificates:

1. In Windows Explorer, navigate to D:\Labs\Security.

2. Right-click the CACert.cer certificate file.

3. Select Send To and then select Notepad.

Results

This is the result of examining the root certificate:

Importing CA Root Certificates into the Java Keystore


To import root CAs into the Java keystore:

1. Select Start, Run.

2. Enter cmd in the Run field and press the Enter key.


3. Enter the following command (or copy it from D:\Labs\Security\Activity17a.txt), replacing text within the
angle brackets as appropriate:

keytool -import -alias Root_CA_Key -file D:\Labs\Security\CACert.cer -keypass password -keystore D:\PeopleTools\webserv\peoplesoft\applications\peoplesoft\pspc.war\WEB-INF\classes\interop.jks -storepass interop

4. Enter Y when prompted to Trust this certificate and press Enter.

5. Verify that the new key exists by entering the following command (or copying it from D:\Labs\Security\Activity17b.txt):

keytool -v -list -keystore D:\PeopleTools\webserv\peoplesoft\applications\peoplesoft\pspc.war\WEB-INF\classes\interop.jks -storepass interop

Results

This is the result of importing the root certificate into the Java keystore:
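
Added example, not part of the course material: a Python script that reads the text printed by keytool -v -list for a keystore such as interop.jks and reports entries built with the lab's parameters (1024-bit RSA, SHA1 signatures) and key entries that still hold the self-signed certificate created by -genkey. The listing is constructed, the field labels follow recent JDK keytool output and are an assumption about the installed version, and the 2048-bit threshold is an assumed policy value.

```python
import re

MIN_RSA_BITS = 2048                     # assumed policy minimum for RSA keys
WEAK_DIGESTS = {"MD2", "MD5", "SHA1"}   # digests treated as weak for signatures

# Constructed sample, modeled on `keytool -v -list` output from a recent JDK.
# Aliases, names and dates are made up; the labels are an assumption about
# the keytool version in use.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: ab_key
Creation date: Sep 1, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=OracleUniversity, OU=PeopleSoft, O=Oracle, L=Austin, ST=TX, C=US
Issuer: CN=OracleUniversity, OU=PeopleSoft, O=Oracle, L=Austin, ST=TX, C=US
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

*******************************************

Alias name: root_ca_key
Creation date: Sep 1, 2010
Entry type: trustedCertEntry

Owner: CN=Example Training CA, O=Example
Issuer: CN=Example Training CA, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
"""

# Listing label -> key used in the parsed entry.
FIELDS = {
    "Entry type:": "type",
    "Owner:": "owner",
    "Issuer:": "issuer",
    "Signature algorithm name:": "sigalg",
    "Subject Public Key Algorithm:": "pubkey",
}


def parse_entries(listing):
    """Return one dict per alias, keeping the first (leaf) certificate's fields."""
    entries, current = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip()}
            entries.append(current)
            continue
        if current is None:
            continue  # keystore header lines before the first alias
        for label, key in FIELDS.items():
            if line.startswith(label) and key not in current:
                current[key] = line[len(label):].strip()
    return entries


def audit(listing):
    """Return (alias, finding) tuples for weak or unfinished keystore entries."""
    findings = []
    for entry in parse_entries(listing):
        alias = entry["alias"]
        sigalg = entry.get("sigalg", "")
        # keytool prints e.g. "SHA1withRSA"; newer versions may append " (weak)".
        if sigalg.upper().split("WITH")[0] in WEAK_DIGESTS:
            findings.append((alias, "weak signature digest: " + sigalg))
        # Older keytool versions omit the key-size line; no size check runs then.
        match = re.match(r"(\d+)-bit RSA", entry.get("pubkey", ""))
        if match and int(match.group(1)) < MIN_RSA_BITS:
            findings.append(
                (alias, "RSA key below %d bits: %s" % (MIN_RSA_BITS, match.group(1)))
            )
        # A key entry whose owner equals its issuer still holds the certificate
        # that -genkey created; the CA-signed reply has not been imported.
        is_key = entry.get("type") in ("PrivateKeyEntry", "keyEntry")
        if is_key and entry.get("owner") and entry.get("owner") == entry.get("issuer"):
            findings.append((alias, "self-signed key entry: CA reply not imported"))
    return findings


if __name__ == "__main__":
    for alias, finding in audit(SAMPLE_LISTING):
        print(alias + ": " + finding)
```

To check a real keystore, save the output of the keytool -v -list command above to a text file and pass its contents to audit().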

Lesson 12 Securing Processes

Activity 19: Creating Process Groups


In this activity, you will review the activity overview and:

Create process groups.

Validate page access.

Secure process groups.

Slide 200

Instructor Notes

Duration

Note. This activity should take approximately ten minutes.

Answer to Questions
This is the answer to the question:

Question | Answer
Through what component do you have access to the PSU_INACT_4 process? | PSU_RUN_INACT4


Activity Overview
In this activity, you will:

Create a Process Group TRNINS for the process PSU_INACT_4.

Validate that the permission list CPTRNDEV has access to the page PSU_INACT_4.

Add the process group TRNINS to the permission list CPTRNDEV.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Process Groups


To create a process group:

1. Select PeopleTools, Process Scheduler, Processes.

2. Select Process Name from the drop-down list box.

3. Enter PSU_INACT_4 as the process name.

4. Click the Search button.

5. Access the Process Definition Options page.

6. In the Process Groups grid, click the Insert row button to insert a new row.

7. Enter TRNINS in the blank row in the Process Groups grid.

8. Click the Save button.

9. Answer this question:

Question | Answer
Through what component do you have access to the PSU_INACT_4 process? |

Results

These are the results of creating process groups:

Validating Page Access
To validate page access:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Enter CPTRNDEV as the permission list.

3. Click the Search button.

4. Select the Pages page.

5. Click the Edit Components link for the PSU_TRAINING menu.

6. Click the Edit Pages link for the PSU_RUN_INACT4 component.

7. Verify access or click the Select All button.

Results

These are the results of validating page access:

Securing Process Groups
To secure process groups:

1. Click the OK button twice.

2. Select the Process page.

3. Click the Process Group Permissions link.

4. Enter TRNINS as a process group.

5. Click the OK button.

6. Click the Save button.

Results

This is the result of securing process groups:

This concludes the activity. Please do not continue.


Activity Overview
In this activity, you will:

1. Access the CPTRNDEV permission list and set the following process profile permissions.

Page Element | Value or Status
File | %%OutputDirectory%%
Printer | %DefaultPrinter%
View By | All
Update By | Owner
Allow Requestor To | Select all check boxes

2. Assign the permission list as the process profile for JFITZ.

3. Test the process group by running PSU_INACT_4.

Note. Use the T1B85001 database. Use PTTRN for the user name and password in the first part of this
activity. Then use JFITZ for the user name and password in the second part of this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Setting Process Profile Permissions


To set process profile permissions:

Note. Use PTTRN for the user name and password in this activity.

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Select CPTRNDEV and click the Search button.

3. Select the Process page and click the Process Profile Permissions link.

4. Enter the values as shown in the activity overview for the process profile.

5. Click the OK button.

6. Save the page.

Results

This is the result of setting process profile permissions:

Assigning a Process Profile to a User


To assign a process profile to a user:

1. Select PeopleTools, Security, User Profiles, User Profiles.


2. Select the JFITZ user profile and click the Search button.

3. Enter CPTRNDEV in the Process Profile permission list field.

4. Save the page.

Testing Process Group Security


To test process group security:

1. Sign off and sign on as JFITZ/JFITZ.

2. Select Courses, Process Course Information, Inactivate Courses.

3. Click the Add a New Value tab.

4. Enter P1 in the Run Control ID field and click the Add button.

5. Enter the following information:

Page Element | Value or Status
Application Release | 7.00
PeopleTools Release | 7.00

6. Click the Run button.

7. Click the OK button.

8. Click the Process Monitor link.

Results

These are the results of testing process group security:

This concludes the activity. Please do not continue.


Activity 21: Working with Processes


In this activity, you will review the activity overview and:

Create a process group.

Update permission list.

Secure process group.

Link permission list to a user profile.

Test the user profile.

Slide 206

Instructor Notes

Duration

Note. This activity should take approximately 20 minutes.

Answers
These are the answers to the questions in the activity:

Question | Answer
Does the JFUNG user ID have access to the XMLP_STUDENT_EXP Application Engine program? | Yes

Notes on the Activity


The CRS_BY_BU XML Publisher report will fail for JFUNG because it is a query-based XML Publisher
report and JFUNG does not have access to the query. This leads into the next lesson where Query Security is
established.

In PeopleTools 8.50.05 there is an issue with Query prompting that causes a more cryptic message to be
displayed in the Message log. Patch 05 was necessary to fix some other issues so that is the patch level for
this class.

Message Log in 8.50


Message Log in 8.50.05



Activity Overview
Managers need access to a number of reports and processes. In this activity, you will:

1. Create a new process group TRNMGR with access to the CRS_BY_BU and XMLP_STU_EXP processes.

2. Create the CPTRNRPT permission list.

Grant access to the RUN_CRS_BU and PSU_RUN_STUDENT components on the XMLP_TRAINING_MENU.

Grant access to Process Monitor.

Grant access to Process Scheduler.

3. Add the process group TRNMGR to the permission list CPTRNRPT.

4. Add a process profile to the permission list CPTRNRPT using the following:

Page Element | Value or Status
File | %%OutputDirectory%%
Printer | %DefaultPrinter%
View By | All
Update By | Owner
Allow Requestor To | Select all check boxes

5. Associate the CPTRNRPT permission list with the Training Manager role, and add CPTRNRPT as the
process profile for JFUNG user profile.

6. Run the processes CRS_BY_BU and XMLP_STU_EXP to test James Fung's permissions.

Note. Use the T1B85001 database. Use PTTRN for the user name and password in the first part of this
activity. Use JFUNG for the user name and password in the second part of this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Process Groups


To create process groups:

Note. Use PTTRN for the user name and password in this part of this activity.

1. Select PeopleTools, Process Scheduler, Processes.

2. Select Process Name from the drop-down list box.

3. Enter CRS_BY_BU as the process name.

4. Select the Process Definition Options page.

5. Click the Insert row button in the Process Groups grid.

6. Enter TRNMGR in the blank field.

7. Click the Save button.

8. Click the Return to Search button.

9. Click the Clear button.

10. Enter XMLP_STU_EXP in the Process Name field.

11. Click the Search button.

12. Access the Process Definition Options page.

13. Click the Insert row button in the Process Groups grid.

14. Enter TRNMGR in the blank field.

15. Click the Save button.

Results

These are the results of creating process groups:

Updating Permission Lists
To update permission lists:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Click the Add a New Value link.

3. Enter CPTRNRPT in the Permission List field.

4. Click the Add button.

5. Enter Training Reports in the Description field.

6. Select the Pages page.

7. Enter XMLP_TRAINING_MENU in the Menu Name field.

8. Click the Edit Components link.

9. Click the Edit Pages link for the RUN_CRS_BU component.

10. Click the Select All button.

11. Click the OK button.

12. Click the Edit Pages link for the PSU_RUN_STUDENT component.

13. Click the Select All button.

14. Click the OK button twice.

15. Click the Insert row button in the Menus grid.


16. Enter PROCESSMONITOR in the Menu Name field.

17. Click the Edit Components link.

18. Click the Select All button.

19. Click the OK button.

20. Repeat steps 15 to 19 for PROCESS_SCHEDULER.

21. Click the Save button.

Results

These are the results of updating permission lists:

Securing Process Groups
To secure process groups:

1. Select the Process page.

2. Click the Process Group Permissions link.

3. Enter TRNMGR in the Process Group field.

Results

These are the results of securing process groups:

Setting Process Profile Permissions
To set process profile permissions:

1. Click the OK button.

2. Click the Save button.

3. Click the Process Profile Permissions link.

4. Enter the values as shown in the activity overview for the process profile.

5. Click the OK button.

6. Save the page.

Results

This is the result of setting process profile permissions:


Linking Permission Lists to User Profiles


To add the permission list to a role and assign the role to a user profile:

1. Select PeopleTools, Security, Permissions & Roles, Roles.

2. Enter Training Manager in the Role field.

3. Select the Permission List page.

4. Click the Insert row button in the Permission List grid.

5. Enter CPTRNRPT in the Permission List field.

6. Click the Save button.

7. Select PeopleTools, Security, User Profiles, User Profiles.

8. Enter JFUNG in the User ID field.

9. Enter CPTRNRPT for the Process Profile.

10. Click Save.

11. Sign out.

Testing the User Profile


To test the user profile:

Note. Use JFUNG for the user name and password in this part of this activity.

1. Select XML Publisher Training, Run XMLP Reports, Run Student Report.

2. Select Add a New Value and enter STU.

3. Click Add and enter 2001 for the Student ID.

4. Click the Run button and answer this question.

Question | Answer
Does the JFUNG user ID have access to the XMLP_STUDENT_EXP Report? |

5. Click OK.

6. Select XML Publisher Training, Run XMLP Reports, Run Course by BU.

7. Click the Add a New Value tab.

8. Enter CRS as the run control ID.

9. Click the Add button.

10. Enter 01/01/2010 for Start Date Greater Than.


11. Click the Run button.

12. Click OK.

13. Click the Process Monitor link.

14. Click the Refresh button.

Results

Only one job completed successfully:

Note. JFUNG has access to the component and the process group; however, he does not have access to the
query used in the XMLP Report. Query Security is covered in the next lesson.

This concludes the activity. Please do not continue.


Activity 22: Using Reporting Console Optional


In this activity, you will review the activity overview and:

1. Set up Reporting Console.

2. Run report from Reporting Console.

Slide 207

Instructor Notes

Duration

Note. This activity should take approximately 10 minutes.

Notes on Activity
Question and answer

Question | Answer
Why is run not enabled? | JFUNG does not have Process Group authority to run the report.

Other Reports for JFUNG

The other two reports that JFUNG ran require parameters. Here is the setup for the other reports:


CRS_BY_BU

Bookmark

Runtime Parameters


XMLP_STU_EXP

Bookmark

Runtime Parameters


Activity Overview
In this activity, you will:

1. Set up the Reporting Console as JFUNG using the default preferences and add a folder Training to My
Favorites. Add the process SQR Report DDDAUDIT to the Training folder.

2. Edit the process DDDAUDIT to run from the Reporting Console and run the report.

Note. Use the T1B85001 database with the user name and password JFUNG in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Setting Up Reporting Console


To set up the reporting console:

1. Select Reporting Tools, Reporting Console.

2. Click the Click here to setup display preferences link.

3. Click OK to accept all the defaults.

4. Click the Add link for My Favorites.

5. Select the Folder radio button.

6. Enter Training for the new folder name and click OK.

7. Click the Add link for the Training folder.

8. Select the Process Bookmarks radio button.

9. Select the Process Type/Name radio button.

10. Select SQR Report for the Process Type.

11. Enter DDDAUDIT for the Process Name.

12. Click the Search button and the Process List appears.

13. Select the check box for DDDAUDIT.

14. Click Bookmark Selected.

15. Expand the Training folder.

Results

The bookmark has been added, but you can't run the report from the Reporting Console.

Running Report from Reporting Console
To run report from Reporting Console:

1. Click the Edit link for Data Designer/Database Audit.

2. Select the Enable Generic Prompting check box and click OK.

3. Answer this question.

Question | Answer
Why is run not enabled? |

4. Click the Edit link for Data Designer/Database Audit.

5. Select the Process Definitions Options tab.

6. Insert a new row in the Process Group and select TRNMGR.

7. Click OK.

8. Click the Run link.

9. Click Schedule.

10. Enter DDDAUDIT in the Saved Parameter.

11. Click OK twice.

12. Expand each folder.

Note. To refresh the view collapse and then expand the folder.

Results

The DDDAUDIT ran successfully and you can view the report from the Reporting Console.

This concludes the activity. Please do not continue.

Administering Query Security Lesson 13

Activity Overview
Access the training reports (CPTRNRPT) permission list. Then, grant rights to the Query Manager
(QUERY_MANAGER) component, and save the permission list.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Verifying Query Manager Authorization


To add Query Access Manager authorization:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Enter CPTRNRPT as the permission list.

3. Click the Search button.

4. Access the Pages page.

5. Add a new row and enter QUERY_MANAGER for the Menu Name.

6. Tab and then click the Edit Component link for the QUERY_MANAGER menu.

7. Click the Select All button.

8. Click the OK button.

9. Click Save.

Results

Query Manager is added to the permission list:

This concludes the activity. Please do not continue.


Activity 24: Creating Query Profiles


In this activity, you will review the activity overview and create a query profile.

Slide 215

Instructor Notes

Duration

Note. This activity should take approximately five minutes.


Activity Overview
Create a query profile for the CPTRNRPT permission list. Use the chart in the activity detailed steps to
complete the profile.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Query Profiles


To create query profiles:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Enter CPTRNRPT as the permission list and click the Search button.

3. Select the Query page.

4. Click the Query Profile link and enter the following information:

Page Element | Value or Status
Allow creation of Public Queries | Selected
Allow creation of Roles, Processes and Archive Queries | Selected
Allow use of Distinct | Selected
Allow use of 'Any Join' | Selected
Allow use of Subquery/Exists | Selected
Allow use of Union | Cleared
Allow use of Expression | Selected
Maximum Joins Allowed | 9
Maximum 'In Tree' Criteria | 9

5. Click the OK button.

6. Click the Save button.

Results

These are the results of creating query profiles:

This concludes the activity. Please do not continue.


Activity 25: Creating Query Access Groups


In this activity, you will review the activity overview and:

Create query tree.

Create an access group.

Authorize the access group.

Create a Query Profile.

Test record access in Query Manager.

Slide 221

Instructor Notes

Duration

Note. This activity should take approximately 30 minutes.


Activity Overview
Create the PSU Security Tables (QRY_TREE_SECURITY) query tree. Create the Security Tables
(SECURITY_TABLES) root node. Create the System Security Tables (SYS_SEC_TBLS) child group.
Create the User Security Tables (USER_SEC_TBLS) child group to authorize the PSOPRDEFN,
PSOPRCLS, PSOPRALIAS, and PSOPRALIAS_VW record definitions.

This diagram illustrates the tree:

Next, use the CPTRNDEV permission list to grant access to the User Security Tables access group. Finally,
sign in as JFITZ and create a query to determine if you can access the records in the query access group.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating a Query Tree


To create query trees:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Select PeopleTools, Security, Query Security, Query Access Manager.

2. Click the Create a New Tree link.

3. Enter the following information:

Page Element | Value or Status
Tree Name | QRY_TREE_SECURITY
Description | PSU Security Tables
Category | TOOLS

4. Click the OK button.

Creating an Access Group


To create access groups:

1. Enter SECURITY_TABLES in the Access Group field.

2. Click the Save button.

3. Enter PeopleTools Security Tables in the Description field.

4. Click the OK button.

5. Click the Insert Child Group icon.

6. Enter SYS_SEC_TBLS in the Access Group field.

7. Click the Add button.

8. Enter System Security Tables in the Description field.

9. Click the OK button.

10. Click the SYS_SEC_TBLS access group link.

11. Click the Insert Child Group icon.

12. Enter USER_SEC_TBLS in the Access Group field.


13. Click the Add button.

14. Enter User Profile Security Tables in the Description field.

15. Click the OK button.

16. Click the USER_SEC_TBLS access group link.

17. Click the Insert Child Record icon.

18. Enter PSOPRDEFN in the Record (Table) Name field.

19. Click the Add button.

20. Repeat steps 17, 18, and 19 three times, and enter the following records:

Page Element | Value or Status
Record (Table) Name | PSOPRALIAS
Record (Table) Name | PSOPRALIAS_VW
Record (Table) Name | PSOPRCLS

21. Click the Save link.

Results

These are the results of creating access groups:


Authorizing the Access Group


To authorize access groups:

1. Select PeopleTools, Security, Permissions and Roles, Permission Lists.

2. Enter CPTRNDEV in the Permission List field.

3. Click the Search button.

4. Select the Query page.

5. Click the Access Group Permissions link.

6. Enter the following information:

Page Element | Value or Status
Tree Name | QRY_TREE_SECURITY
Access Group | USER_SEC_TBLS
Accessible | Selected

7. Click OK.

Results

These are the results of authorizing access group:

Creating a Query Profile


To create query profiles:


1. Click the Query Profile link and enter the following information:

Page Element Value or Status

Allow creation of Public Queries Selected

Allow creation of Roles, Processes and Archive Queries Selected

Allow use of Distinct Selected

Allow use of 'Any Join' Selected


Allow use of Subquery/Exists Selected

Allow use of Union Selected

Allow use of Expression Selected


Maximum Joins Allowed 9

Maximum 'In Tree' Criteria 9

2. Click the OK button.

3. Click the Save button.

Results

These are the results of creating query profiles:


Testing Record Access in Query Manager


To test record access in Query Manager:

Note. Use JFITZ for the user name and password in this part of the activity.

1. Sign out and sign on as JFITZ/JFITZ.

2. Select Reporting Tools, Query, Query Manager.

3. Click the Create New Query link.


4. Click the Search button on the Records page to view the records available.

Results

These are the results of testing record access in Query Manager:


This concludes the activity. Please do not continue.


Activity 26: Configuring Query Security


In this activity, you will review the activity overview and:

1. Create query trees.

2. Create root nodes.

3. Create access groups.

4. Create child groups.


5. Create sibling groups.

6. Grant access group permissions.

7. Configure query profiles.


8. Run Query access list cache.

9. Verify access permissions.

Slide 226

Instructor Notes

Duration

Note. This activity should take approximately 30 minutes.

Notes for Completing the Activity with Students


This table describes access groups and records that the JFITZ user ID inherits through the CPTRNRPT
permission list:


Access Group                              Record

QRY_TREE_SECURITY - USER_SECURITY_TBLS    PSOPRALIAS
                                          PSOPRALIAS_VW
                                          PSOPRCLS
                                          PSOPRDEFN

QRY_TREE_TRN - INSTRUCTORS                PSU_CRS_SESSN
                                          PSU_COURSE_TBL
                                          PSU_INSTR_TBL

This table describes access groups and records that the JFUNG user ID inherits through the COURSE01
permission list:

Access Group                        Record

QRY_TREE_TRN - INSTRUCTOR_MGR       ORD_DTL
                                    ORD_HDR
                                    PSU_TRNLOC_TBL
                                    PSU_COURSE_TBL, PSU_INSTR_TBL, and PSU_CRS_SESSN
                                    (through the INSTRUCTORS access group)

QRY_TREE_TRN - ADMINISTRATION       PSU_COURSE_TBL
                                    PSU_CRS_SESSN
                                    PSU_CUST_TBL

This table lists all of the queries for which the two users have permissions:

User     Query

JFITZ    13 queries
         PSU_TRNLOC_TBL is in the root TRAIN_DEPT and JFITZ does not have access.

JFUNG    27 queries
         The profile includes other permission lists that also have access to queries.

The PTTRN user ID sees all queries because that ID has access to all tables. The PTTRN user ID inherits the
ALLPAGES permission list, which has the definition security group ALL DEFINITIONS.


Activity Overview
Create a query security tree for the training department. The tree should have this structure:

Configure the COURSE01 permission list to access the Instructor Managers and Administration access
groups. Configure the CPTRNRPT permission list to access the Instructors access group. Next, configure a
query profile for JFUNG by using the COURSE01 permission list.

Cache the Query access list.

Finally, test to see that the JFUNG and JFITZ user IDs have the necessary authorizations to create and run
queries for the records in the diagram, and verify their access to run the queries in the activity results.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating Query Trees


To create a Query tree:

Note. Use PTTRN for the user name and password in this part of the activity.


1. Select PeopleTools, Security, Query Security, Query Access Manager.

2. Click the Create a New Tree link.

3. Enter the following information:


Page Element Value or Status

Tree Name QRY_TREE_TRN

Description Training Dept Query Tree

Category TOOLS

4. Click the OK button.

Results

These are the results of creating query trees:


Creating Root Nodes


To create root nodes:

1. Enter TRAIN_DEPT in the Access Group field.

2. Click the Save button.

3. Enter Training Department Records in the Description field.

4. Click the OK button.

Results


These are the results of creating root nodes:


Creating Access Groups
To create access groups:

1. Click the TRAIN_DEPT node.

2. Click the Insert Child Group button.

3. Enter INSTRUCTOR_MGR in the Access Group field.

4. Click the Add button.

5. Enter Instructor Manager Records in the Description field.

6. Click the OK button.

7. Click the Instructor Manager node.

8. Click the Insert Child Record button.

9. Enter ORD_HDR in the Record (Table) Name field.

10. Click the Add button.


11. Repeat steps 8, 9, and 10 and enter the following records:

Page Element Value or Status

Record ORD_DTL

Record PSU_TRNLOC_TBL

Creating Child Groups


To create child groups:


1. Click the Insert Child Group button.

2. Enter INSTRUCTORS in the Access Group field.

3. Click the Add button.


4. Enter Instructor Records in the Description field and click the OK button.

5. Click the INSTRUCTORS node.

6. Click the Insert Child Record button.

7. Enter PSU_CRS_SESSN in the Record (Table) Name field.

8. Click Add.

9. Repeat steps 6, 7, and 8 and enter the following records:

Page Element Value or Status

Record PSU_COURSE_TBL

Record PSU_INSTR_TBL

Creating Sibling Groups


To create sibling groups:

1. Click the INSTRUCTOR_MGR access group.

2. Click the Insert Sibling Group button.

3. Enter ADMINISTRATION in the Access Group field.

4. Click the Add button.

5. Enter Administration Records in the Description field.

6. Click the OK button.

7. Click the ADMINISTRATION node.


8. Click the Insert Child Record button.

9. Enter PSU_COURSE_TBL in the Record (Table) Name field.

10. Click the Add button.

11. Repeat steps 8, 9 and 10 and enter the following records:

Page Element Value or Status

Record PSU_CRS_SESSN


Record PSU_CUST_TBL

12. Click the Save button.

Results

The completed tree contains three access groups:

Granting Access Group Permissions


To grant access group permissions:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.


2. Enter COURSE01 in the Permission List field.

3. Click the Search button.

4. Select the Query page.

5. Click the Access Group Permissions link.

6. Enter QRY_TREE_TRN in the Tree Name field.

7. Enter INSTRUCTOR_MGR in the Access Group field.

8. Click the Insert row button.


9. Enter QRY_TREE_TRN in the Tree Name field.

10. Enter ADMINISTRATION in the Access Group field.

11. Click the OK button.

12. Click the Save button.


13. Click the Return to Search button.

14. Enter CPTRNDEV in the Permission List field.

15. Click the Search button.

16. Select the Query page.

17. Click the Access Group Permissions link.

18. Insert a new row.

19. Enter QRY_TREE_TRN in the Tree Name field.

20. Enter INSTRUCTORS in the Access Group field.

21. Click the OK button.

22. Click the Save button.
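
The following Python sketch is an added example, not part of the Oracle course material and not PeopleTools code. It models the QRY_TREE_TRN tree and the access group grants entered in the steps above, then computes which records each permission list can reach. The class and function names are hypothetical, and the rule that a lower row with Accessible cleared overrides an inherited grant is a modelling assumption.

```python
# Added example: a model of the query access tree built in this activity.
# AccessGroup, effective_records, locate and report are hypothetical names.


class AccessGroup:
    """One access group node of a query access tree."""

    def __init__(self, name, records=(), children=()):
        self.name = name
        self.records = list(records)
        self.children = list(children)


def build_training_tree():
    """QRY_TREE_TRN exactly as entered in the detailed steps."""
    instructors = AccessGroup(
        "INSTRUCTORS", ["PSU_CRS_SESSN", "PSU_COURSE_TBL", "PSU_INSTR_TBL"])
    instructor_mgr = AccessGroup(
        "INSTRUCTOR_MGR", ["ORD_HDR", "ORD_DTL", "PSU_TRNLOC_TBL"],
        [instructors])
    administration = AccessGroup(
        "ADMINISTRATION", ["PSU_COURSE_TBL", "PSU_CRS_SESSN", "PSU_CUST_TBL"])
    return AccessGroup("TRAIN_DEPT", [], [instructor_mgr, administration])


# Access Group Permissions rows per permission list, all in QRY_TREE_TRN.
# The value is the Accessible check box.
GRANTS = {
    "COURSE01": {"INSTRUCTOR_MGR": True, "ADMINISTRATION": True},
    "CPTRNDEV": {"INSTRUCTORS": True},
}


def effective_records(root, grants):
    """Return {record: [group paths that grant it]} for one permission list.

    A grant on a group covers its own records and every group below it.
    Assumption: a row lower in the tree overrides the inherited state, so a
    row with Accessible cleared removes that subtree.
    """
    granted = {}

    def walk(node, path, inherited):
        path = path + [node.name]
        accessible = grants.get(node.name, inherited)
        if accessible:
            for record in node.records:
                granted.setdefault(record, []).append("/".join(path))
        for child in node.children:
            walk(child, path, accessible)

    walk(root, [], False)
    return granted


def locate(root, record):
    """Return every group path in the tree that contains the record."""
    hits = []

    def walk(node, path):
        path = path + [node.name]
        if record in node.records:
            hits.append("/".join(path))
        for child in node.children:
            walk(child, path)

    walk(root, [])
    return hits


def report(root, permission_lists):
    """Build a plain-text review of record access per permission list."""
    lines = []
    for name, grants in permission_lists.items():
        records = effective_records(root, grants)
        lines.append(f"{name}: {len(records)} records")
        for record in sorted(records):
            lines.append(f"  {record:<16} via {', '.join(records[record])}")
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_training_tree()
    print(report(tree, GRANTS))
    print("PSU_TRNLOC_TBL lives in:", locate(tree, "PSU_TRNLOC_TBL"))
```

Running the script lists each record with the group path that grants it, which makes duplicate grants (PSU_COURSE_TBL through two groups) and missing ones (PSU_TRNLOC_TBL for the INSTRUCTORS-only permission list) visible in one place.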

Results

These are the results of granting access group permissions:


Configuring Query Profiles


To configure query profiles:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Enter COURSE01 as the permission list.

3. Click the Search button.

4. Select the Query page.


5. Click the Query Profile link.

6. Enter the following information:

Page Element Value or Status

Allow creation of Public Queries Selected


Allow creation of Role, Process and Archive Queries Selected

Allow use of Distinct Selected

Allow use of 'Any Join' Selected

Allow use of Subquery/Exists Selected

Allow use of Union Selected

Allow use of Expressions Selected

Maximum Joins Allowed 9

Maximum 'In Tree' Criteria 9

7. Click the OK button.

8. Click the Save button.

Running Query Access List Cache


To run Query access list cache:

1. Select PeopleTools, Security, Query Security, Query Access List Cache.

2. Select the Enable Access List Cache option.

3. Click the Run button.

4. Click the OK button.

5. Click the Process Monitor link.


6. Click the Refresh button until the process posts successfully.

7. Sign out.

Verifying the Access Permissions


To verify the access rights for users:

Note. Use JFITZ for the user name and password in this part of the activity.

1. Sign in and select Reporting Tools, Query, Query Manager.


2. Click the Search button and answer this question:

Question Answer

How many training queries appear?


3. Click the Create New Query link.

4. Answer this question:

Question Answer

Why doesn't the PSU_TRNLOC_TBL appear in the list?

5. Sign out.

Note. Use JFUNG for the user name and password in this part of the activity.

6. Sign in as JFUNG/JFUNG.

7. Select Reporting Tools, Query, Query Manager.

8. Click the Search button.

9. Answer this question:

Question Answer

How many training queries appear?

10. Click the Create New Query link.

11. Click the Search button and compare the page to these results:

Results

These are the results of verifying access for the JFUNG user ID:

Running CRS_BY_BU Report
To run CRS_BY_BU REPORT:

1. Select XML Publisher Training, Run XMLP Reports, Run Course by BU.

2. Select CRS as the run control ID.

3. Click Run.

4. Click OK.

5. Select the Process Monitor link.

6. Click Refresh.

Results

JFUNG has access to the report and the underlying query, so the report will run to Success.

This concludes the activity. Please do not continue.

Lesson 14 Maintaining Portal Registry Security

Activity 27: Working with Portal Security


In this activity, you will review the activity overview and:

Modify folder security.

Add component permissions.

Slide 238


Instructor Notes

Duration


Note. This activity should take approximately ten minutes.


Activity Overview
Review the security for the Training Tasks folder located under the folder Set Up Training, and then add the
content reference PSU_TASK to the permission list SETUP01. After adding the component to the permission
list, observe how the system automatically updated folder level security.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Modifying Folder Security


To modify folder security:

1. Select PeopleTools, Portal, Structure and Content.

2. Click the Edit link for the Set Up Training folder.


3. Select the Folder Security page.

4. Select the Cascade check box for the PSU1000 permission list.

5. Click the Save button.


6. Click the Root link in the breadcrumbs.

7. Click the Set Up Training link.

8. Click the Edit link for the Training Tasks folder.

9. Select the Folder Security page and notice the inherited permissions.

Results

These are the results of modifying folder security:


Adding Component Permissions


To add component permissions:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Select SETUP01 as the permission list and click the Search button.

3. Select the Pages page.

4. Click the Edit Components link for the PSU_TRAINING menu.


5. Click the Edit Pages link for the PSU_TASK component.

6. Click the Select All button.

7. Click the OK button twice.

8. Click the Save button.


9. Select PeopleTools, Portal, Structure and Content.

10. Click the Set Up Training link.

11. Click the Edit link for the Training Tasks folder.

12. Select the Folder Security page.

Results

The SETUP01 permission list was added to the security for Training Tasks folder:

This concludes the activity. Please do not continue.

Administering Signon Security Lesson 15

Activity 28: Testing Authorization IDs


In this activity, you will review the activity overview and test the access rights of various authorization IDs.

Slide 253

Instructor Notes


Duration

Note. This activity should take approximately 20 minutes.


Guiding Students Through the Chart
Guide students through the following chart. In the blanks, students fill in the rows returned for the ID at the
head of the column.

SQL Command                                 SYSADM/SYSADM               people / peop1e             JFITZ/JFITZ

SELECT COUNT (*) FROM PSSTATUS              1                           Security error: see note    Login failed: see note

SELECT COUNT (*) FROM PSOPRDEFN             Around 68                   Security error: see note    -
                                            Since students are
                                            playing with user
                                            profiles it might differ
                                            a little

SELECT COUNT (*) FROM PS_PSU_CUST_TBL       39                          Security error: see note    -

SELECT COUNT (*) FROM PS_PERSONAL_DATA      144                         Security error: see note    -

Note. The security error will state that the SELECT permission is denied on the table being queried.
When logging in as JFITZ, students will get an error stating that the login failed for JFITZ because they were
unable to connect to the server.
When running commands as people you will get table or view does not exist for all 4 statements.


Activity Overview
Using these SQL commands, query the T1B85001 database using SYSADM as the login ID and SYSADM as
the password. Use the table to repeat the queries with the other IDs and passwords and to record the results:

SQL Command                                 SYSADM/SYSADM    people/peop1e    JFITZ/JFITZ

SELECT COUNT (*) FROM PSSTATUS

SELECT COUNT (*) FROM PSOPRDEFN

SELECT COUNT (*) FROM PS_PSU_CUST_TBL

SELECT COUNT (*) FROM PS_PERSONAL_DATA


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Testing the Access Rights of Various Authorization IDs


To test the access rights of various authorization IDs:

1. Double-click the SQL Developer icon on the desktop.


Note. If Startup Tips are displayed, click Close.

2. Expand Connections and double-click on T1B85001.

3. Enter the following SQL commands. After you enter each SQL command, highlight it and press the F9
key to run the command. Enter the number of rows returned in the appropriate line of the table:


SQL Command Rows Returned

SELECT COUNT (*) FROM PSSTATUS

SELECT COUNT (*) FROM PSOPRDEFN

SELECT COUNT (*) FROM PS_PSU_CUST_TBL

SELECT COUNT (*) FROM PS_PERSONAL_DATA

4. Right-click on T1B85001 in the Connections tree and select Properties.

5. Change the Username to JFITZ.

6. Change the Password to JFITZ.

7. Click Test.

Note. JFITZ is not authorized.

8. Change the Username to people (letter 'l').

9. Change the Password to peop1e (number '1').

10. Click Test.

11. Click Connect.

12. Copy the commands from the first worksheet to your new worksheet.

13. Try running the commands, one line at a time, and answer this question:

Question Answer

Which tables do you have access to?


14. Close the worksheet by clicking the X on the tab.

Select No if prompted to save changes.

15. Right-click on T1B85001 in the Connections tree and select Properties.

16. Change the Username to SYSADM.

17. Change the Password to SYSADM.

18. Click Test.

19. Click Save and then click Connect.


20. Select File, Exit.

21. Select No if prompted to save changes.

This concludes the activity. Please do not continue.


Activity Overview
Implement password controls. Set passwords to expire after 5 days. Test the PTTRN user ID and change the
password to PTTRN1.

Next, force the password for the CROTH user ID to expire upon next sign in. Test the password expiration.

Finally, turn off password controls and change the password for the PTTRN user ID back to PTTRN.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Activating Password Expiration


To activate password expiration:

1. Select PeopleTools, Security, Password Configuration, Password Controls.

2. Select the Password Expires option.


3. Enter 5 in the Days field.

4. Click the Save button.

Configure the PSWDEXPR Permission List


To configure the PSWDEXPR permission list:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Enter PSWDEXPR in the Permission List field and click the Search button.

3. Select the Pages page.

4. Click the Edit Component link for MAINTAIN_SECURITY.

5. Click the Edit Pages link for EXPIRE_CHANGE_PSWD.

6. Verify or select the Authorized check boxes.

7. Click the OK button twice and save the component.

Enabling the Signon PeopleCode for Password Controls


To enable the signon PeopleCode for password controls:

1. Select PeopleTools, Security, Security Objects, Signon PeopleCode.

2. Select the Invoke As option and enter PTINT in the User ID and Password fields.

3. Select the Enabled check box for the FUNCLIB_PWDCNTL record.

4. Clear the other Enabled check boxes.

5. Click the Save button.

Testing Password Expiration


To test password expiration:

Note. Use PTTRN for the user name and password in this part of the activity.


1. Start a new browser session and sign in.

2. Click the link to change the password.

3. Enter the following information:

Page Element Value or Status

Current Password PTTRN

New Password PTTRN1


Confirm Password PTTRN1

4. Click the Change Password button.

5. Click the OK button.

6. Sign out.


7. Sign in; use PTTRN for the user name and PTTRN1 for the password.

8. Select PeopleTools, Security, User Profiles, User Profiles.

9. Enter CROTH as the user ID and click the Search button.

10. Select the Password Expired check box and save the profile.

11. Sign out.

12. Sign in using CROTH for the user name and password to verify that the password for the CROTH user ID
has expired.

13. Close the browser.

Resetting Password Controls


To reset the passwords:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Sign on as PTTRN with the password PTTRN1.

2. Select Change My Password.

3. Enter the following information:

Page Element Value or Status

Current Password PTTRN1

New Password PTTRN

Confirm Password PTTRN


4. Click the Change Password button.

5. Select PeopleTools, Security, Password Configuration, Password Controls.

6. Select the Password Never Expires option.

7. Save the page.

8. Sign out.

This concludes the activity. Please do not continue.


Activity 30: Setting Up Forgotten Password Options


In this activity, you will review the activity overview and:

1. Create the mail password permission list.

2. Create the Forgotten Password role.

3. Assign the Forgotten Password role to the public user.

4. Verify public access.


5. Set up the password hint and email pages.

6. Enable the forgotten password hint for the user.

7. Test the email password option.


Slide 268

Instructor Notes

Duration

Note. This activity should take approximately 45 minutes.

Activity Information
Point out to the students that JFITZ uses the CPTRNDEV permission list, which has the email password
feature enabled. If you select other users such as PTTRN, you get an error message when you test, even if you
create the hints.

Email Error
In the activity test section, the application does generate a new password when you enter the correct
credentials for JFITZ. Because there is no email access in the classroom, the system displays the SMTP error.
To demonstrate to students that the password is no longer JFITZ, have them sign in; they receive the invalid user
credentials error.


Activity Overview
The entire implementation team, including John Fitzsimmons, is leaving for a three-week technical training
conference in Costa Rica. You know they are likely to forget their passwords while away.

Enable the necessary forgotten password options. Create the forgotten password permission list
(MAILPSWD) and grant the necessary pages, component interfaces, and web libraries. Create the Forgotten
Password role. Set up the public user profile (GUEST). Set up the Forgot My Password Hint page. Set up the
Forgot My Password Email Text page.

Note. Use the T1B85001 database with the user name and password PTTRN in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating the Mail Password Permission List


To create the mail password permission list:

1. Select PeopleTools, Security, Permissions & Roles, Permission Lists.

2. Select the Add a New Value link.


3. Enter MAILPSWD in the Permission List field and then click the Add button.

4. Enter Email password in the Description field.

5. Select the Pages page.


6. Enter MAINTAIN_SECURITY in the Menu Name field and press Tab.

7. Click the Edit Component link.

8. Click the Edit Pages link for the EMAIL_PSWD component.

9. Click the Select All button and then click the OK button.

10. Click the OK button.

11. Click the Save button.

12. Select the Component Interfaces page.

13. Enter USERMAINT_SELF in the Name field.

14. Click the Edit link for USERMAINT_SELF.

15. Click the Full Access (All) button and then click the OK button.

16. Select the Web Libraries page.

17. Enter WEBLIB_PORTAL in the Name field.

18. Click the Edit link for WEBLIB_PORTAL.

19. Click the Full Access (All) button and then click the OK button.

20. Insert a new row in the Web Libraries scroll area.

21. Enter WEBLIB_PT_NAV in the Name field.

22. Click the Edit link for WEBLIB_PT_NAV.

23. Click the Full Access (All) button and click the OK button.

24. Click the Save button.


Results

These are the results of configuring the Web Libraries page:


Creating the Forgotten Password Role


To create the Forgotten Password role:

1. Select PeopleTools, Security, Permissions & Roles, Roles.

2. Select the Add a New Value link.

3. Enter Forgotten Password in the Role Name field, and then click the Add button.

4. Enter Set up Forgotten Password in the Description field.

5. Select the Permission Lists page.

6. Enter MAILPSWD in the Permission List field, and then click the Save button.

Results

These are the results of creating the forgotten password role:

Assigning the Forgotten Password Role to the Public User


To assign the Forgotten Password role to the public user:

1. Select PeopleTools, Security, User Profiles, User Profiles.

2. Enter GUEST as the user profile and click the Search button.


3. Select the Roles page.

4. Insert a new row.

5. Enter Forgotten Password in the Role Name field.

6. Click the Save button.

Results

These are the results of assigning the Forgotten Password role to the public user:

Verifying Public Access
To verify the public user:

1. Select PeopleTools, Web Profile, Web Profile Configuration.

2. Enter DEV as the profile name and click the Search button.

3. Select the Security page.

4. Select the Allow Public Access check box.

5. Enter GUEST for the public user and password.

6. Click Save.

Setting Up the Forgot My Password Hint and Email Pages


To set up the Forgot My Password Hint and Email pages:

1. Select PeopleTools, Security, Password Configuration, Forgotten Password Hint.

2. Click the Add a New Value link.

3. Enter MOM in the Password Hint ID field and then click the Add button.

4. Enter the following question:

What is your mother's maiden name?

5. Click the Save button.


6. Click the Add button.

7. Enter PET in the Password Hint ID field and then click the Add button.

8. Enter the following question:

What is the name of your first pet?

9. Click the Save button.

10. Select PeopleTools, Security, Password Configuration, Forgotten Password Email Text.

11. Enter the following text:


Your new password is<<%PASSWORD>>Please change your password immediately after signon.

12. Click the Save button.

Results

This is the result of creating the email hint and text:

Enabling Forgotten Password Hint for the User


To enable the forgotten password hint for the user:

Note. Use JFITZ for the user name and password in this part of the activity.

1. Sign in.

2. Select My System Profile.


3. Click the Change or setup forgotten password help link.

4. Enter the following information:

Page Element Value or Status

Question What is the name of your first pet?

Response Rover

5. Click the OK button.


6. Click the Save button.

7. Sign out and close all open browser sessions.

Testing the Email Password Option


To test the email password option:

1. Open the D:\Labs\Security\ForgottenPassword.txt file.

2. Copy the text.

3. Open a new browser session and paste the text into the address field of the browser.

4. In the URL, change the machine name to match the workstation machine name.

5. Click the Go button.

6. Sign on using JFITZ for the user ID and password.

7. Enter JFITZ as the user ID and then click the Continue button.

8. Enter Rover as the answer to the question.

9. Click the Email New Password button.

10. Dismiss the error message.

The training environment does not have email set up.

This concludes the activity. Please do not continue.

Configuring Single Signon Lesson 16

Activity Overview
Configure single signon between the T1B85001 and T1C85001 databases. Use the PTTRN user ID to test the
configuration. Single signon has been set up on the T1C85001 database.

Note. In this activity, you will use both the T1B85001 and T1C85001 databases, use PTTRN for the user
name and password in both databases.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Configuring Single Signon in the T1B85001 Database


To configure single signon in the T1B85001 database:

1. Sign in to the T1B85001 database.

2. On the home page, select the Personalize Content link.


3. Enter T1B85001 in the Welcome Message field.

4. Click the Save button.

5. Select PeopleTools, Integration Broker, Integration Setup, Nodes.


6. Select PSFT_TRN and note the following:

It is the default local node.

It uses Password Authentication. The password does not display, but it is 123.

Default User Id is PTINT.


7. Access the Connectors tab and click the Ping Node button.

You should see a successful ping.

8. Click Return.

9. Click the Return to Search button.

10. Select PSFT_C2 and note the following:

It is a remote node.

It uses Password Authentication. The password does not display, but it is 123.

Default User Id is PTINT.


11. Enter the following information:

Page Element Value or Status

Authentication Option Password

Password 123

Confirm Password 123

12. Access the Connectors tab and click the Ping Node button.

The ping is successful.


13. Click Return.

14. Select PeopleTools, Security, Security Objects, Single Signon.

15. Click the Insert row button.

16. Enter PSFT_C2 in the Message Node Name field.

17. Click the Save button.

Testing Single Signon Between Databases


To test single signon between databases:


1. Select PeopleTools, Security, User Profiles, User Profiles.

2. In the browser, select Bookmarks, Bookmark this page.

For IE select Favorites, Add to Favorites.


3. Enter User Profiles - T1B for the Name and click the Done button.

4. Close the browser.

5. Double-click the T1C85001 icon on the desktop.

6. Sign on as PTTRN/PTTRN.

7. Select PeopleTools, Security, User Profiles, User Profiles.

8. Click Search and note the number of user profiles.

9. In the browser, select Bookmarks, Bookmark this page.

For IE select Favorites, Add to Favorites.

10. Enter User Profiles - T1C for the Name and click the Done button.

11. Select Bookmarks, User Profiles - T1B.

12. Click the Search button and notice the entries.

13. Select Bookmarks, User Profiles - T1C.

14. Click the Search button and notice the entries.

15. Sign out.

This concludes the activity. Please do not continue.

Lesson 17 Maintaining Security Definitions Among Multiple Databases

Activity 32: Transferring Security Definitions Between Databases

In this activity, you will review the activity overview and:

Manually transfer roles and permission lists.

Manually transfer users.


Slide 287

Instructor Notes


Duration

Note. This activity should take approximately 15 minutes.

Note. Point out that students will be transferring permission lists and roles from the T1B85001 database to the
T1C85001 database. The definitions will transfer because both databases are at the same PeopleTools release
level.

Notes for Completing the Activity


You might want to have students sign into the T1C85001 database as <student name> and then as PTTRN to
show them that the Instructor Manager role and the SETUP01 and COURSE01 permission lists do not
exist.


Activity Overview
Copy the COURSE01 and SETUP01 permission lists and the Instructor Manager role to the T1C85001
database.

Transfer all user profiles from the T1B85001 database to the T1C85001 database.

Note. Use PTTRN for the user name and password in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Manually Transferring Roles and Permission Lists


To manually transfer roles and permission lists between databases:

1. Open the PeopleSoft Application Designer for the T1B85001 database.

2. Select File, New, Project.

3. Select the Upgrade tab.

4. Select Insert, Definitions into Project.

5. Select Permission Lists in the Definition Type field.

6. Enter COURSE01 in the Name field and click the Insert button.

7. Double-click COURSE01 or highlight it and click the Insert button.

8. Enter SETUP01 in the Name field and click the Insert button.

9. Double-click SETUP01 or highlight it and click the Insert button.

10. Select Roles in the Definition Type field.

11. Enter Instructor Manager in the name field and click the Insert button.

12. Double-click Instructor Manager or highlight it and click the Insert button.

13. Click the Close button.

14. Save the project as SEC_DEFNS_PRJ.

15. Select Tools, Copy Project, To Database.

16. Sign in to the T1C85001 database, using PTTRN as the user ID and password.

17. Click the Select All button.

18. Click the Copy button.

19. When the copy is complete, close Application Designer.

20. Open the PeopleSoft Application Designer for the T1C85001 database.

21. Select File, Open, Project.

22. Enter SEC in the Name field.

23. Select the Upgrade tab and verify the SEC_DEFNS_PRJ project and its security definitions.

24. Sign out of Application Designer.


Transferring User Profiles


To transfer user profiles:

1. Open the PeopleTools folder on the desktop and double-click Data Mover.

2. Enter the following information:

Page Element    Value or Status
Database        T1B85001
User ID         PTTRN
Password        PTTRN

3. Select File, Open and navigate to D:\PeopleTools\scripts.

4. Select userexport.dms and click the Open button.

5. Find this line:


SET OUTPUT USEREXPORT.DAT;

6. Change the line to:


SET OUTPUT D:\Labs\Security\USEREXPORT.DAT;

7. Select File, Run Script.

8. Verify that the USEREXPORT.DAT file is in the D:\Labs\Security directory.

9. Select File, Exit and click Yes to save the script.

10. Open the PeopleTools folder on the desktop and double-click Data Mover.

11. Enter the following information:

Page Element    Value or Status
Database        T1C85001
User ID         PTTRN
Password        PTTRN

12. Click the OK button.

13. Select File, Open and navigate to D:\PeopleTools\scripts.

14. Select userimport.dms and click the Open button.

15. Find this line:


SET INPUT USEREXPORT.DAT;


16. Change the line to:


SET INPUT D:\Labs\Security\USEREXPORT.DAT;

17. Select File, Run Script.

18. Select File, Exit and click Yes to save the script.

19. Sign on to the browser for T1C85001 database as the <<student name>> user ID and password.

This concludes the activity. Please do not continue.


Activity 33: Setting Up Default User Profile Synchronization


In this activity, you will review the activity overview and:

Activate the service operation on the B database.

Activate the service operation on the C database.

Test user profile synchronization.

Verify user profile in C database.

Slide 294

Instructor Notes

Duration

Note. This activity should take approximately 30 minutes.

Notes for Completing the Activity


You might consider walking the students through this activity to impress upon them the setup steps that must
be done in Integration Broker.


Activity Overview
Configure the T1B85001 database for default user profile synchronization with the T1C85001 database. Then
test the implementation by changing your password in the T1B database and verifying that it changed in the
T1C database.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Activating the Service Operation on the B Database


To activate the service operation on the B database:

1. Sign on to T1B85001 as PTTRN.

2. Select PeopleTools, Integration Broker, Integration Setup, Service Operations.

3. Select Service Operation USER_PROFILE.

4. Select the Active check box.

5. Click Save and then OK.

6. Access the Routings tab.

7. Enter SYNC_USER_TO_C in the Routing Name and click Add.

8. Enter the following:

Page Element    Value or Status
Sender Node     PSFT_TRN
Receiver Node   PSFT_C2

9. Click Save and then click OK.

Results

The routing is saved.

Activating the Service Operation on the C Database
To activate the service operation on the C database:

1. Sign on to T1C85001 as PTTRN.

2. Select PeopleTools, Integration Broker, Service Operations Monitor, Administration, Domain Status.

3. Click the Purge Domain Status button.

4. Click the Update button.

Note. If the dispatchers do not show ACT, then change the Domain Status to Inactive and click Update.
Change the Domain Status back to Active and click Update again.

5. Select PeopleTools, Integration Broker, Integration Setup, Service Operations.

6. Select Service Operation USER_PROFILE.

The Active check box is selected.

7. Access the Routings tab.

8. Enter SYNC_USER_FROM_B in the Routing Name and click Add.

9. Enter the following:

Page Element    Value or Status
Sender Node     PSFT_TRN
Receiver Node   PSFT_C2


10. Click Save and then click OK.

11. Click Return.

Results

Inbound routing is created:

Testing User Profile Synchronization
To test user profile synchronization:

1. Sign on to the T1B85001 database as PTTRN.

2. Select PeopleTools, Security, User Profiles, User Profiles.

3. Select the user profile you created in activity 3 (your first initial and last name).

4. Access the Roles page and add a new row.

5. Enter Instructor Manager for the Role and Save.

6. Select PeopleTools, Integration Broker, Service Operations Monitor, Monitoring, Asynchronous Services.

7. Access the Publication Contracts tab.

8. Enter USER_PROFILE in the Service Operation field and click Refresh.

Results

The publication contract has a status of Done.

Verifying User Profile in C Database

To verify the user profile in the C database:

1. Sign on to the T1C85001 database as PTTRN.

2. Select PeopleTools, Security, User Profiles, User Profiles.

3. Select the user profile you created in activity XX (your first initial and last name).

4. Access the Roles page.

Results

The user profile was updated:

This concludes the activity. Please do not continue.


Activity 34: Setting Up Configurable User Profile Synchronization
In this activity, you will review the activity overview and:

Examine the USER_PROFILE.VERSION_XFR message

Enable the CopyRowsetDeltaOriginal_mod.

Activate the USER_PROFILE_XFR service operation on the C database.

Test user profile synchronization.

Verify user profile in C database.

Slide 297

Instructor Notes

Duration

Note. This activity should take approximately 30 minutes.

Notes for Completing the Activity


If the Service Operation USER_PROFILE_XFR does not appear in the C database, it is most likely that the
student forgot to set the permission list (steps 11-13 in the section Activating the USER_PROFILE_XFR Service
Operation on the C Database). To fix this:

1. On the B database, select PeopleTools, Integration Broker, Service Operation Monitor, Monitoring,
Asynchronous Services.

2. Click the Publication Contracts tab and click Refresh.

3. Check the Status for the latest USER_PROFILE service operation; it will say Error.

4. Click the Details link.


5. Click the Error Messages link.

6. Click Return.

7. In the C database, select PeopleTools, Integration Broker, Integration Setup, Service Operations.

8. Select Service Operation USER_PROFILE_XFR.

9. Click the Service Operation Security link.

10. Enter PTPT1100 for the Role and click Save.

11. Close the Web Service Access window.

12. In the B database, click the Resubmit button on the Details page for the transaction.


Activity Overview
In this activity, you will set up configurable user profile synchronization. Use these steps to set it up:

1. Activate the USER_PROFILE_XFR service operation on the B database.

2. Examine the USER_PROFILE.VERSION_XFR message in the B database and identify the fields that
will not be copied.

3. Enable the security PeopleCode option used for configurable user profile synchronization.

4. Activate the USER_PROFILE_XFR service operation on the C database and activate the appropriate
routing.

5. Test user profile synchronization by changing the Process Profile, Primary Permission List and Employee
ID for a user profile in the B database.

6. Verify user profile in C database.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Examining the USER_PROFILE.VERSION_XFR Message


To examine the USER_PROFILE.VERSION_XFR message:

1. Select PeopleTools, Integration Broker, Integration Setup, Messages.

2. Enter USER_PROFILE in the Message Name and click Search.

3. Select USER_PROFILE.VERSION_XFR.

4. Expand the record PSOPRDEFN in the message tree at the bottom of the page.

Results

Note the fields that are not included in the message.

Enable CopyRowsetDeltaOriginal_mod
To enable CopyRowsetDeltaOriginal_mod:

1. Sign on to T1B85001 as PTTRN.

2. Select PeopleTools, Security, Security Objects, Security PeopleCode Options.


3. Select the Enabled check box for CopyRowsetDeltaOriginal_mod.

Note. This will clear the check box for CopyRowsetDelta.

4. Click Save.

Activating the USER_PROFILE_XFR Service Operation on the C Database


To activate the service operation on the C database:

1. Sign on to T1C85001 as PTTRN.

2. Select PeopleTools, Integration Broker, Integration Setup, Service Operations.

3. Select Service Operation USER_PROFILE.

4. Select the Routings page.

5. Select the check box for SYNC_USER_FROM_B routing and click the Inactivate Selected Routing
button.

6. Click Save and then OK.

7. Click Return to Search.

8. Select Service Operation USER_PROFILE_XFR.

9. Verify the Active check box is selected.

10. Verify the any-to-local routing exists.

11. Click the Service Operation Security link.

12. Enter PTPT1100 for the Role and click Save.

13. Close the Web Service Access window.

14. Access the Routings tab.

15. Select the check box for Any-to-Local routing and click the Activate Selected Routing button.

16. Click Save and then OK.

17. Click on the routing link.

18. Access the Parameters page.

Results

The external alias for this service operation is USER_PROFILE.VERSION_84.

Testing User Profile Synchronization
To test user profile synchronization:

1. Sign on to the T1B85001 database as PTTRN.

2. Select PeopleTools, Security, User Profiles, User Profiles.

3. Select the user profile you created in activity 3 (your first initial and last name).

4. Enter the following:

Page Element      Value or Status
Process Profile   CPTRNDEV
Primary           CPTRNDEV

5. Click the ID tab.

6. Change the Empl ID to 00003.

7. Click Save.

Verifying User Profile in C Database


To verify the user profile in the C database:

1. Sign on to the T1C85001 database as PTTRN.


2. Select PeopleTools, Integration Broker, Service Operation Monitor, Monitoring, Asynchronous Services.

3. Click the Subscription Contracts tab and click Refresh.

Notice that the service operation is USER_PROFILE_XFR.

4. Select PeopleTools, Security, User Profiles, User Profiles.

5. Select the user profile you created in activity 3 (your first initial and last name).

The Process Profile and Primary permission lists were not updated; however, the Empl ID was updated.

This concludes the activity. Please do not continue.
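The result of this activity can be modelled as a field filter on the message, followed by a reconciliation of the two profiles. This is an added example, not PeopleSoft code: the field sets are assumptions inferred from the observed result (read the real ones from the message tree), and the OLD_* values and function names are constructed.

```python
# Added example: a model of field-filtered user profile synchronization.
# Field sets are assumptions inferred from the activity's observed result.
DEFAULT_FIELDS = {"Empl ID", "Process Profile", "Primary"}
XFR_FIELDS = {"Empl ID"}  # Process Profile and Primary are not carried

# Profile in the B database after the change made in the activity.
B_PROFILE = {"Empl ID": "00003", "Process Profile": "CPTRNDEV",
             "Primary": "CPTRNDEV"}
# Profile in the C database before the sync (constructed values).
C_BEFORE = {"Empl ID": "00001", "Process Profile": "OLD_PRCS",
            "Primary": "OLD_PRIMARY"}


def publish(profile, message_fields):
    """Payload built on the publishing side: only fields the message carries."""
    return {field: value for field, value in profile.items()
            if field in message_fields}


def subscribe(target_profile, payload):
    """Apply a received payload; fields absent from it keep the local value."""
    updated = dict(target_profile)
    updated.update(payload)
    return updated


def reconcile(source, target, message_fields):
    """Classify each field after a sync.

    expected_drift: values differ, but the message never carries the field.
    sync_failure:   values differ although the message carries the field.
    """
    report = {"in_sync": [], "expected_drift": [], "sync_failure": []}
    for field in sorted(set(source) | set(target)):
        if source.get(field) == target.get(field):
            report["in_sync"].append(field)
        elif field in message_fields:
            report["sync_failure"].append(field)
        else:
            report["expected_drift"].append(field)
    return report


if __name__ == "__main__":
    c_after = subscribe(C_BEFORE, publish(B_PROFILE, XFR_FIELDS))
    print(c_after)
    print(reconcile(B_PROFILE, c_after, XFR_FIELDS))
    # Contract never delivered: the target still holds its old values.
    print(reconcile(B_PROFILE, C_BEFORE, XFR_FIELDS))
```

A field reported under sync_failure points at the contract status in the Service Operations Monitor; a field under expected_drift is the filter doing its job.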

Lesson 18 Configuring PeopleSoft Applications for Directory Authentication

Activity 35: Configuring Directory Authentication


In this activity, you will review the activity overview and:

Enable Signon PeopleCode.

Configure and cache the directory.

Create the authentication map

Create a user profile map.

Test the configuration.

Alter the authentication map to use email signon.

Slide 316

Instructor Notes

Duration

Note. This activity should take approximately 30 minutes.

Notes for Completing the Activity


The Connect DN field values are not case sensitive.

Oracle Internet Directory has a number requirement for the password field. The password for all directory
entries is the user ID and the number one. For example, the password for BLOCH is BLOCH1.


Activity Overview
Configure the T1B85001 database for directory authentication.

Verify that Signon PeopleCode is enabled. Configure and cache the TRAINING directory. Create the
TRAINING authentication and user profile maps. Next, test the configuration using the uid attribute.

Then, alter the authentication map to use the email address attribute for signon authentication.

The directory server contains all training users, including Betty Locherty:

The following information describes the directory server:

The default connection uses the orcladmin user.

The password is oratrain1.

The default port is 389.

The search base for the authentication map is ou=training, o=ccb.com.

Use the search attribute uid.

Betty Locherty's password is BLOCH1 (BLOCH plus the number one).


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Enable Signon PeopleCode


To enable Signon PeopleCode:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Select PeopleTools, Security, Security Objects, Signon PeopleCode.

2. Enter PTTRN in the Invoke As PeopleSoft user ID and password fields.

3. Select the Enabled check box for the LDAP_AUTHENTICATION function on the FUNCLIB_LDAP
record.

4. Select the Exec Auth Fail check box for the LDAP_AUTHENTICATION function.

5. Select the Enabled check box for the LDAP_PROFILESYNCH function on the FUNCLIB_LDAP record.

6. Click the Save button.

Results

These are the results of updating signon PeopleCode:

Configuring and Caching the Directory


To configure and cache the directory:

1. Select PeopleTools, Security, Directory, Configure Directory.

2. Select the Add a New Value link.

3. Enter TRAINING in the Directory ID field.

4. Click the Add button.


5. Enter the following information:

Page Element            Value or Status
Description             Security Training Directory
Directory Product       Oracle Internet Directory
Default Connection DN   cn=orcladmin, cn=Users, dc=ccb, dc=com
Password                oratrain1
LDAP Server             <machinename>.us.oracle.com
Port                    389
SSL Port                leave blank

6. Click the Save button.

7. Select the Test Connectivity tab.

Results

Verify the connection is successful.

Caching the Directory Schema


To cache the directory schema:

1. Select PeopleTools, Security, Directory, Cache Directory Schema.


2. Enter the following information:

Page Element    Value or Status
Directory ID    TRAINING
Server Name     PSNT

3. Click the Cache Schema Now button.

4. Click the Process Monitor link to verify success.

Creating the Authentication Map
To create the authentication map:

1. Select PeopleTools, Security, Directory, Authentication Map.

2. Select the Add a New Value link.

3. Enter TRAINING in the Map Name field.

4. Click the Add button.

5. Enter the following information:

Page Element       Value or Status
Directory ID       TRAINING
Connect DN         cn=orcladmin, cn=Users, dc=ccb, dc=com (defaults from the directory)
Search Base        ou=training, o=ccb.com
Search Scope       Sub
Search Attribute   uid
SeqNum             1
LDAP Server        <machinename>.us.oracle.com

6. Click the Save button.

Results

These are the results of creating the authentication map:

Creating User Profile Maps
To create user profile maps:

1. Select PeopleTools, Security, Directory, User Profile Map.

2. Select the Add a New Value link.

3. Enter TRAINING in the Map Name field and click the Add button.

4. Enter the following information for mandatory properties:

Page Element                Value or Status
Authentication Map          TRAINING
User ID Attribute           uid
ID Type                     NON
Use default Role            Selected
Role Name                   PeopleSoft User
Use Default Language Code   Selected
Language Code               English


5. Enter the following information for optional properties:

Page Element            Value or Status
User Profile Property   UserDescription
Attribute Name          cn
Always Update           Selected

6. Click the insert row button (+).

7. Enter the following information for optional properties:

Page Element            Value or Status
User Profile Property   EmailAddress
Attribute Name          mail
Always Update           Selected

8. Click the insert row button (+).

9. Enter the following information:

Page Element            Value or Status
User Profile Property   SymbolicID
Use Constant Value      Selected
Constant Value          SYSADM1

10. Click the Save button.

Results

This is the first page of the results of creating user profile maps:

This is the second page of the results of creating user profile maps:

Testing the Configuration


To test the configuration:

1. Select PeopleTools, Security, User Profiles, User Profiles.

2. Verify that BLOCH is not present as a user.

3. Sign out.


4. Sign in with this information:

Page Element    Value or Status
User ID         BLOCH
Password        BLOCH1

5. Click the Sign In button.

6. Sign out.

Altering the Authentication Map to Use Email Signon
To alter the authentication map to use email signon:

Note. Use PTTRN for the user name and password in this part of the activity.

1. Sign in as PTTRN/PTTRN.

2. Select PeopleTools, Security, Directory, Authentication Map.

3. Select the TRAINING authentication map.

4. Enter mail in the Search Attribute field.

5. Click the Save button and sign out.

6. Enter the following information:

Page Element    Value or Status
User ID         BLocherty@ccb.com
Password        BLOCH1

7. Click the Sign In button.

8. Sign out.

This concludes the activity. Please do not continue.
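The lookup that the TRAINING authentication map describes (search base, scope and search attribute) can be modelled offline to see why BLOCH resolves under uid and BLocherty@ccb.com under mail. This is an added example, not PeopleSoft's Signon PeopleCode: the entry DNs, the JFUNG and contractor entries and all function names are constructed; the search base, scope, attributes and Betty Locherty's uid and mail values come from the activity.

```python
# Added example: an offline model of an authentication-map lookup.
# Entry DNs and the JFUNG / contractor entries are constructed.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                  "\0": r"\00"}

DIRECTORY = [  # constructed sample entries
    {"dn": "uid=BLOCH,ou=training,o=ccb.com", "uid": "BLOCH",
     "mail": "BLocherty@ccb.com", "cn": "Betty Locherty"},
    {"dn": "uid=JFUNG,ou=training,o=ccb.com", "uid": "JFUNG",
     "mail": "JFung@ccb.com", "cn": "James Fung"},
    {"dn": "uid=BLOCH,ou=contractors,o=ccb.com", "uid": "BLOCH",
     "mail": "b.loch@example.com", "cn": "B. Loch"},
]

UID_MAP = {"search_base": "ou=training, o=ccb.com", "search_scope": "sub",
           "search_attribute": "uid"}
MAIL_MAP = dict(UID_MAP, search_attribute="mail")


def normalize_dn(dn):
    """Lower-case each RDN and drop padding, so 'ou=training, o=ccb.com'
    equals 'OU=Training,O=ccb.com'. Escaped commas are not handled."""
    return tuple(part.strip().lower() for part in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """'base' = the base entry, 'one' = its direct children,
    'sub' = the base entry and everything beneath it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    under = len(entry) >= len(base) and entry[len(entry) - len(base):] == base
    if scope == "base":
        return entry == base
    if scope == "one":
        return under and len(entry) == len(base) + 1
    return under


def build_filter(search_attribute, signon_value):
    """Search filter for the typed signon value, with RFC 4515 escaping so
    the value is always treated as a literal."""
    escaped = "".join(FILTER_ESCAPES.get(ch, ch) for ch in signon_value)
    return "(%s=%s)" % (search_attribute, escaped)


def resolve_signon(entries, auth_map, signon_value):
    """Return the single DN to bind as, or None when the value matches no
    entry, or more than one entry, inside the search base."""
    wanted = signon_value.lower()  # uid and mail compare case-insensitively
    if not wanted:
        return None
    attribute = auth_map["search_attribute"]
    hits = [e["dn"] for e in entries
            if in_scope(e["dn"], auth_map["search_base"],
                        auth_map["search_scope"])
            and e.get(attribute, "").lower() == wanted]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(build_filter("uid", "BLOCH"),
          resolve_signon(DIRECTORY, UID_MAP, "BLOCH"))
    print(build_filter("mail", "BLocherty@ccb.com"),
          resolve_signon(DIRECTORY, MAIL_MAP, "BLocherty@ccb.com"))
    wide = dict(UID_MAP, search_base="o=ccb.com")
    print("wider base:", resolve_signon(DIRECTORY, wide, "BLOCH"))
```

With the search base widened to o=ccb.com, the constructed second BLOCH entry makes the signon value ambiguous and the model returns no DN; the search attribute has to be unique within the search base.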


Activity 36: Assigning PeopleSoft Roles Using Directory Groups
In this activity, you will review the activity overview and:

Create a directory role rule.

Implement a directory role rule.

Verify the dynamic role user.

Slide 319

Instructor Notes

Duration

Note. This activity should take approximately 10 minutes.

When you test the dynamic role rule, James Fung's name returns. When you run the role rule, the rule does
not dynamically assign James Fung to the Training Manager role because you already assigned that role to
him when you created his user profile.


Activity Overview
Set up a dynamic role rule based on directory information. Then, implement that role online.

In the Oracle Internet Directory, the DS_Manager group contains two members:

Note. Use PTTRN for the user name and password in this activity.


Activity Detailed Steps


Perform the detailed steps to complete the activity.

Creating a Directory Role Rule


To create a directory role rule:

1. Select PeopleTools, Security, Directory, Role Membership Rules.

2. Access the Add a New Value page and enter TRAINING.

3. Click Add and enter the following information:

Page Element       Value or Status
Description        Training
User Profile Map   TRAINING
Search Base        o=ccb.com
Search Scope       Sub

4. In the Build Filter section, click the triangle to expand the scroll.

5. Enter the following information:

Page Element          Value or Status
Attribute             cn
Operation             =
Value                 DS_Manager
Directory Attribute   member

6. Click the Refresh Search Filter button.

7. Save the component.

Results

The role policy page identifies member criteria:

Implementing a Directory Role Rule
To implement a directory role rule:

1. Click the Assign to Role link.

2. Select the Training Manager role.

3. Select the Directory Rule Enabled check box.

4. Click the Assign Directory Rule link.

5. Select TRAINING as the rule name.

6. Click the OK button and then save the component.

7. Click the Test Rules button.

8. Click Yes.

Results

You should see two directory users and four query users:

Verify the Dynamic Role User
To verify the dynamic role user:

1. Click the Return button.

2. Click the Execute Rules button.

3. Click the Process Monitor link.

4. Verify that the DYNROLE_PUBL process was successful.

5. Select PeopleTools, Security, User Profiles, User Profiles.

6. Enter BLOCH in the User ID field and then click the Search button.

7. Select the Roles page.

Results

The Training Manager role is present as a dynamic role for Betty Locherty:

This concludes the activity. Please do not continue.
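The directory role rule built in this activity can be modelled as two steps: resolve the members of the matching group to user IDs, then work out which users the rule run has to add as dynamic members. This is an added example, not PeopleSoft code: the group and person DNs, the JFUNG user ID and the function names are constructed, and revoking dynamic members who have left the group is an assumption of the model.

```python
# Added example: a model of the TRAINING directory role rule.
# Group/person DNs and the JFUNG user ID are constructed.
RULE = {"search_base": "o=ccb.com", "attribute": "cn", "value": "DS_Manager",
        "directory_attribute": "member", "user_id_attribute": "uid"}

ENTRIES = [  # constructed sample directory
    {"dn": "cn=DS_Manager,ou=groups,o=ccb.com", "cn": "DS_Manager",
     "member": ["uid=BLOCH, ou=training, o=ccb.com",
                "uid=JFUNG,ou=training,o=ccb.com"]},
    {"dn": "uid=BLOCH,ou=training,o=ccb.com", "uid": "BLOCH",
     "cn": "Betty Locherty"},
    {"dn": "uid=JFUNG,ou=training,o=ccb.com", "uid": "JFUNG",
     "cn": "James Fung"},
]


def norm(dn):
    """Case- and padding-insensitive DN key (escaped commas not handled)."""
    return tuple(part.strip().lower() for part in dn.split(","))


def rule_members(entries, rule):
    """Return (user_ids, dangling_dns) for every group under the search base
    whose filter attribute equals the rule value (sub scope)."""
    base = norm(rule["search_base"])
    people = {norm(e["dn"]): e for e in entries}
    user_ids, dangling = set(), []
    for entry in entries:
        if norm(entry["dn"])[-len(base):] != base:
            continue  # outside the search base
        if str(entry.get(rule["attribute"], "")).lower() != rule["value"].lower():
            continue  # filter (cn=DS_Manager) does not match
        for member_dn in entry.get(rule["directory_attribute"], []):
            person = people.get(norm(member_dn), {})
            user_id = person.get(rule["user_id_attribute"])
            if user_id:
                user_ids.add(user_id)
            else:
                dangling.append(member_dn)  # member DN with no usable entry
    return user_ids, dangling


def plan_execution(members, static_users, dynamic_users):
    """What a rule run changes for one role. Users who hold the role
    statically are left alone; revocation is this model's assumption."""
    return {
        "grant_dynamic": sorted(members - static_users - dynamic_users),
        "already_static": sorted(members & static_users),
        "revoke_dynamic": sorted(dynamic_users - members),
    }


if __name__ == "__main__":
    members, dangling = rule_members(ENTRIES, RULE)
    print(sorted(members), dangling)
    # James Fung already holds Training Manager as a static role.
    print(plan_execution(members, {"JFUNG"}, set()))
```

A non-empty dangling list means the group names a DN that the user ID attribute cannot turn into a user ID, which is worth checking before relying on the rule for access decisions.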
