pssecurityq&afile3320


Upload: itconchirag

Post on 14-Sep-2015

DESCRIPTION

PSFT Security

TRANSCRIPT

  • Bowling Green State University Demonstration Questions – Technical (Day 1)

    Page 1 of 12 Student 10/28/03

    Can a group of reports be tied to a role/user?

    Yes, PeopleSoft allows you to configure what reports users can access through Process Groups. These groups can be used to provide access to a group of reports or 1 individual report if needed. BGSU can configure an unlimited number of these groups to allocate to the end user population when looking to tie reports or processes to Roles and/or end users.

    What is the security hierarchy within?

    A security definition refers to a collection of related security attributes that you create using PeopleTools Security. The three main PeopleSoft security definition object types are:

    User Profiles

    Roles

    Permission Lists

    Because deploying your applications to the Internet significantly increases the number of potential users your system must accommodate, you need an efficient method of granting authorization to different user types. PeopleSoft security definitions provide a modular means to apply security attributes in a scaleable manner.

    Each user of your system has an individual User Profile, which in turn is linked to one or more Roles. To each Role, you add one or more Permission Lists, which ultimately control what a user can and can't access. So a user inherits permissions through the role, but there are a few permissions that are assigned directly to the user profile. These are the exception, as in Process Profile, Primary, and Row Level permission lists.

    User Profile:

    A User Profile is a set of data describing a particular user of your PeopleSoft system. This data includes everything from the low-level data that PeopleTools requires, such as Language Code, to application-specific data, such as the setIDs a user is authorized to access within the PeopleSoft Financials applications. Some User Profile information, such as password, is truly security related. Alternatively, some of the information, such as the email address, is descriptive, and some of the information, such as Multi Language Enabled, is a preference. User Profiles also maintain the Roles that are assigned to the user.

    User Profiles are different from the application data tables, such as PERSONAL_DATA, that also store information about people. User Profiles are relevant when a user interacts with the system by logging in, viewing a worklist entry, receiving an email, and so on. Application data tables are involved with the core application functionality, such as payroll processing, not with user interaction.

    Roles:

    You assign Roles to User Profiles. Roles are intermediate objects that link User Profiles to Permission Lists. You can assign multiple Roles to a User Profile, and you can assign multiple Permission Lists to a Role. Some examples of Roles might be Employee, Manager, Customer, Vendor, Student, and so on.

    A Manager is also an Employee, and possibly, she may also be a Student. Roles enable you to mix and match access appropriately.

    You have two options when assigning Roles: assign them manually or assign them dynamically. When assigning Roles dynamically, you can use PeopleCode, Lightweight Directory Access Protocol (LDAP), and Query rules to assign User Profiles to Roles programmatically.

    Permission Lists:

    Permission Lists are lists, or groups, of authorizations that you assign to Roles. Permission Lists store Sign-on times, Page access, PeopleTools access, and so on.

    A Permission List may contain one or more types of permissions. The fewer types of permissions in a Permission List, the more modular and scaleable your implementation. To what granularity you decide to take your Permission Lists is up to you.

    A User Profile inherits most of its permissions through the Roles that have been assigned to the User Profile. Some Permission Lists, such as Process Profile or row-level security, you apply directly to a User Profile.

    Data permissions, or row-level security, appear either through a Primary Permissions List or a Row Security Permissions List.
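
The inheritance described above, made concrete as an access-review query. This is an added example, not PeopleSoft code or part of the original Q&A: it builds a constructed, trimmed copy of the security tables in in-memory SQLite and lists every Permission List a user reaches together with the path that grants it. The table and column names (PSOPRDEFN, PSROLEUSER, PSROLECLASS) are assumptions to confirm against your PeopleTools release, and all rows are constructed sample data.

```python
import sqlite3

# Constructed, trimmed schema. Table and column names are assumed to match the
# PeopleTools security tables; confirm them against your own release.
SCHEMA = """
CREATE TABLE PSOPRDEFN   (OPRID TEXT PRIMARY KEY, OPRCLASS TEXT,
                          ROWSECCLASS TEXT, PRCSPRFLCLS TEXT);
CREATE TABLE PSROLEUSER  (ROLEUSER TEXT, ROLENAME TEXT, DYNAMIC_SW TEXT);
CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
"""

# Permission Lists inherited through Roles, plus the three kinds that are
# applied directly to the User Profile (Primary, Row Security, Process Profile).
EFFECTIVE_SQL = """
SELECT RC.CLASSID,
       'role:' || RU.ROLENAME ||
       CASE RU.DYNAMIC_SW WHEN 'Y' THEN ' (dynamic)' ELSE '' END
  FROM PSROLEUSER RU
  JOIN PSROLECLASS RC ON RC.ROLENAME = RU.ROLENAME
 WHERE RU.ROLEUSER = :oprid
UNION ALL
SELECT OPRCLASS, 'direct:primary' FROM PSOPRDEFN
 WHERE OPRID = :oprid AND OPRCLASS <> ''
UNION ALL
SELECT ROWSECCLASS, 'direct:row-security' FROM PSOPRDEFN
 WHERE OPRID = :oprid AND ROWSECCLASS <> ''
UNION ALL
SELECT PRCSPRFLCLS, 'direct:process-profile' FROM PSOPRDEFN
 WHERE OPRID = :oprid AND PRCSPRFLCLS <> ''
ORDER BY 1, 2
"""


def build_sample_db():
    """Return an in-memory database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PSOPRDEFN VALUES (?, ?, ?, ?)", [
        ("JDOE", "PRIM_HR", "ROW_DEPT10", "PRCS_STD"),
        ("ASMITH", "PRIM_SA", "", ""),
    ])
    conn.executemany("INSERT INTO PSROLEUSER VALUES (?, ?, ?)", [
        ("JDOE", "Employee", "N"),
        ("JDOE", "Manager", "Y"),   # assigned dynamically (query/PeopleCode/LDAP rule)
        ("ASMITH", "Student", "N"),
    ])
    conn.executemany("INSERT INTO PSROLECLASS VALUES (?, ?)", [
        ("Employee", "HR_SELF_SERVICE"),
        ("Manager", "HR_SELF_SERVICE"),
        ("Manager", "HR_APPROVALS"),
        ("Student", "SA_STUDENT"),
    ])
    return conn


def effective_permission_lists(conn, oprid):
    """Map each Permission List the user holds to the paths that grant it."""
    granted = {}
    for permission_list, source in conn.execute(EFFECTIVE_SQL, {"oprid": oprid}):
        granted.setdefault(permission_list, []).append(source)
    return granted


def users_reaching(conn, classid):
    """Reverse lookup for an access review: who holds this Permission List, and how."""
    hits = []
    oprids = [row[0] for row in
              conn.execute("SELECT OPRID FROM PSOPRDEFN ORDER BY OPRID").fetchall()]
    for oprid in oprids:
        for source in effective_permission_lists(conn, oprid).get(classid, []):
            hits.append((oprid, source))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for plist, sources in effective_permission_lists(db, "JDOE").items():
        print(f"{plist:16} via {', '.join(sources)}")
    print(users_reaching(db, "HR_SELF_SERVICE"))
```

A Permission List that shows up under more than one path is still held after one of the granting Roles is removed, which is the case a per-Role review misses.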

    Are Crystal Reports a separate purchase from PeopleSoft?

    Crystal Reports are packaged and supported by PeopleSoft. BGSU will receive an unlimited user license when deploying this product to its end users for creating, running and viewing reports online.

    Does Crystal Reports need to be loaded on the workstation (i.e., as PeopleTools)?

    For Developers who will be creating and editing Reports, the Crystal Client will need to be loaded on the desktop. End-users accessing, running and viewing reports can do so over the Web without any client install or plug-in needed.

    What type of support do you suggest to administer security (i.e., a security officer for each system (HR, Student) or one for all systems)?

    PeopleSoft delivers a flexible security model, which can allow for the easy administration of the entire PeopleSoft system. The administration of security can be a delegated task assigned to both IT and Functional leads for their respective application (i.e. Financial Aid, Admissions). All applications will be administered using the Security Manager PeopleTool, i.e. the same resources can be shared amongst the different modules. The Security Manager Tools will deliver a seamless interface for the End User or IT head to create and administer system wide security for authentication and authorization rules. Security Manager includes the following capabilities:

    - Administer, create and assign roles for transaction access
    - Create User Profiles
    - Develop/Modify Permissions lists to define Page level (read/write & update access)
    - Password Controls (i.e. Password expiration, force change, dictionary)
    - LDAP interface setup and attribute mapping
    - Reporting access to tables (i.e. Define what tables users can view and access)

    We use SUN hardware on the UNIX side and leverage SUN Crypto Accelerator hardware for SSL with Apache. What kind of support for hardware SSL acceleration with SUN hardware do Websphere/WebLogic provide?

    Support for SSL acceleration will be dependent upon the hardware in place. The Sun Crypto Accelerator will deliver network security on Sun servers running the Solaris Operating System, the Sun Open Net Environment (Sun ONE) Web Server software, or Apache Web server software only.

    How do imports handle various batch formats such as DOS, MAC, line breaks, etc.?

    The PeopleSoft batch import file is capable of importing CSV, XML or Fixed width files from a DOS or MAC platform. PeopleCode routines can be created to extract, transform and load data from this variety of file formats. In the event that line breaks may cause complications upon import, PeopleCode routines can be created to accommodate these special requirements.

    Does the First Logic function come standard with PeopleSoft?

    FirstLogic is a 3rd party application that is sold through FirstLogic, Inc.

    How many tables are in the system?

    Each module in the PeopleSoft application has tables that are used for functional data storage (i.e. General Ledger in Financials, Student in Student Administration, and Employee in Human Resources) and tables for metadata definitions (i.e. page definitions, workflow definitions, field and label layouts). The number of tables varies, based on PeopleSoft module. To date, there are over 10,000 tables (including System, Tools & applications) used to store business logic and PeopleSoft transaction data for Student/HRMS.

    How many workflows come standard?

    PeopleSoft delivers several workflow definitions for each module. Please see the attached Financials and HR documents that contain out of the box workflow definitions.

    Are PeopleTools used for workflow query development?

    PeopleTools are used for workflow development, in setting up the underlying workflow characteristics such as routings and branching characteristics. Workflow is also configured as part of the underlying business events that are configured in the PeopleSoft applications, such as security administration, or personal routing characteristics.

    Users who have security authorization can define queries, which are a reporting mechanism in the PeopleSoft application, in the Query Manager. System or data administrators can also define queries in PeopleTools.

    Can we use the local email address book?

    PeopleSoft maintains an email address for each user of the system so in case the local email address is unavailable, email can still be sent. PeopleSoft is capable of using email addresses defined within LDAP to drive email notifications for system users. If BGSU intends the address book defined within GroupWise to be accessible directly from PeopleSoft in real time, this integration would need to be created.

    Currently, some tables are maintained by user offices. It appears that these rules are all set by IT. Can this be distributed to user offices based on processes based on user ID or function?

    A centralized security administrator is responsible for maintaining and creating roles and permission lists in PeopleSoft. The delegation of the roles can be assigned to the user offices by the central security administrator to a super user who can assign the roles to their user community for whom they are responsible.

    Can queries be created, run and viewed on a MAC?

    Yes! PeopleSoft supports the Safari browser on the Macintosh, as well as Internet Explorer and Netscape browsers.

    Can ID numbers for people be generated automatically?

    PeopleSoft is able to mass generate UserIDs for authentication into the PeopleSoft application. A mass generation process can be run to assign UserIDs to students, employees, faculty, etc. For the assignment and creation of Student/Employee IDs (Student #), these individuals will be assigned IDs manually via the Hire/Admit process.

    If so, what is the format of a generated number?

    The Format of the number is currently incremented in numeric form. BGSU can append any character string or initial to the incremented ID number if needed using a simple PeopleSoft function.

    Can the number include a check digit?

    A check digit validation routine can be created as a customization using PeopleCode. At run time a function would be called to validate the assigned ID number and generate a check digit, which is then appended to the newly assigned UserID.

    Can we also generate requisition numbers and other identifying numbers?

    Yes.

    Are W2s and 1099s delivered and maintained?

    W2s and 1099 forms are delivered reports from PeopleSoft. W2s and 1099s are SQR reports, which are run via the process scheduler based on workflow or manually run processes. The forms are delivered by PeopleSoft and maintained by BGSU. Report templates are stored in the file directory to be accessed at run time when needed. BGSU can copy and modify reports as needed.

    How do you monitor problems as they occur?

    PeopleSoft currently delivers functionality to monitor transactions and events in the PeopleSoft application so that system admins can visually check the status of the application. Application traces, Debugging, X-reference reports and system monitoring tools (i.e. PSADMIN, PSPING) can be used to monitor daily system activity.

    Currently, the PeopleSoft application can be monitored by 3rd party applications such as Quest Software, BMC Software, or Computer Associates. System Administrators can create their own scripts to monitor or test the health of the PeopleSoft application as well.

    How and who is notified there is a problem?

    Events in the system can be sent to the appropriate system administrator, as Bowling Green sees fit. Messages can be sent via email, pager, cell phone, and to the user's worklist within the Portal. Messages can be custom defined by Bowling Green to fit each unique situation.

    How do you enter necessary selection criteria and which fields to print? How do you get totals?

    PeopleSoft delivers query and reporting capabilities for PeopleSoft users so that fields can be manually selected and ordered in their reports. Totals can be created in the same graphical interface.

    A graph (pie chart) was presented, but how was it created?

    The pie chart was created by using the Cognos analytic tool to query a data cube and then present information via Cognos. In addition, PeopleSoft delivers charting functions which can be used to create a graph from any PeopleSoft application table.

    Can reports be triggered from a combination of tables, some in HR and others in SIS?

    Yes, reports can be created from data in multiple PSFT modules.

    How does Blackboard co-exist with PS Portal? For instance, does access to information links appear in both (my services module vs. Enterprise links)?

    PeopleSoft and Blackboard have a constantly evolving relationship where Blackboard data can be incorporated into PeopleSoft via pagelet. Bowling Green can define the links to Blackboard and the integration routines so that the users do not have to sign in again to the Blackboard transactions they are attempting to view. Other integration capabilities are going to be delivered that incorporate web service technology so that transactional data can be seamlessly incorporated into the PeopleSoft Portal application.

    Can views be created by user offices?

    Via PeopleTools, views can be created by users with the appropriate security. System or data administrators who are familiar with the detailed data structures, which make up the PeopleSoft data model, typically create views. With the input from the user community, the system or data administrators can create custom views so that data can be grouped logically and seen as one logical grouping instead of multiple tables.

    Can you limit user access to data or roles based on time of day via roles or is it based on user ID?

    Restriction can be set by time of day as defined in the primary permission list assigned to a user ID.

    Can you ensure audit trail data cannot be altered in any way?

    The PeopleSoft application has a detailed security model which prevents everyone from being able to alter the audit data that is stored. In a relational data model, only the trusted DBA who has the highest level of database authority can have update authority on this data.

    Does PS have real time integration with all external databases including VSAM, etc.?

    PeopleSoft integration capabilities with mainframe data can be achieved in real time by using the PeopleSoft Integration Broker technology in conjunction with IBM Websphere or 3rd party applications such as Jacada.

    Since a lot of the security information, permissions, etc., is stored in PeopleSoft and not in the database, what happens if we need to migrate away from PeopleSoft to a new application someday?

    The security setup in the PeopleSoft application is local to the PeopleSoft application. However, PeopleSoft is LDAP compliant, which allows security permissions to be stored outside of the application, and can be transferred to other applications when necessary.

    Can we do snapshot reporting at a specific time in the past?

    Yes. PeopleSoft uses effective dating so that transactions can be reported as a snapshot in time.

    Where is the actual role and authority data stored? Is it held in the database? Can we use existing LDAP authentication information? Can we store role data in LDAP groups?

    Yes, Roles are comparable to groups in LDAP. PeopleSoft gives you the ability to assign roles to existing LDAP groups en masse using our delivered LDAP interface.

    Need more clarification on how to interface with other systems. Example: MBS, or bookstore system. They need to know who is eligible to make charges, then send that charge to their bursar account or their department account.

    When making charges directly into the PS system, Student Financials Business Unit security as well as Item Type security can be used to control the posting of charges to various accounts. The latter is really about giving access to only those accounts (i.e. Item Types) that end users should have access to. For instance, the Parking department can only have access to and post Parking charges. They cannot post a tuition charge, for example. All accounts are mapped to the General Ledger when posted within the student system.

    Please clarify authentication, creation and use of electronic signatures.

    Electronic signatures within PeopleSoft can include appending an Electronic Signature or bitmap (image) of a signature to a transaction at run time or digitally signing a transaction using PKI. At the transaction level both methods will include minor customization when appending a signature. BGSU will be required to purchase a license from a trusted CA (i.e. Entrust, VeriSign) when attempting to digitally sign transactions. PeopleSoft delivers the tools and container to store certificates from a licensed CA on the Web Server for use at run time.

    In the interest of automating password changes and synchronization, what format is the password stored in and do we need to feed passwords to the change mechanism in clear text or can we feed it in some pre-encoded form?

    PeopleSoft passwords are hashed when stored to the database. PeopleSoft delivers a Single Signon process, which will allow BGSU to store different Passwords for a user in different modules but only require the User to know 1 UserID and Password for system wide authentication, thereby circumventing any need for password synchronization. When using LDAP, passwords will be stored and maintained within the Directory Service and not PeopleSoft. Below is an example of the PeopleSoft signon process:

    1 The user enters the User ID and password into the PeopleSoft signon page.

    2 If the login to the PeopleSoft application server is successful, the server generates a single signon token. The web server receives the single signon token from the application server, and issues a cookie to the browser.

    3 The user navigates in the application and encounters a hyperlink to the external system. The user clicks on the link.

    4 The browser passes the PS_TOKEN cookie to your external web server.

    5 The external web server checks for the PS_TOKEN cookie before displaying a signon page.

    6 Once it is determined that the user is accessing your application through PeopleSoft, you retrieve the authentication token and send it to the PRTL_SS_CI component interface to verify authentication. For instance, call PRTL_SS_CI.Authenticate(Auth. token string)

    7 After the system authenticates the token, the system can then make calls to the PRTL_SS_CI.Get_UserID() function to return the appropriate User ID.
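
Steps 4 to 7 above, seen from the external web server, as an added example that is not PeopleSoft code or part of the original Q&A. `SignonCI` is a hypothetical wrapper around the PRTL_SS_CI calls named in steps 6 and 7, `ConstructedCI` is an offline stand-in that knows one constructed token, and `MAX_TOKEN_LEN` is an assumed sanity bound; the cookie is treated only as an opaque value to hand back to PeopleSoft, and every failure path falls back to the signon page.

```python
from http.cookies import CookieError, SimpleCookie
from typing import Optional, Protocol

MAX_TOKEN_LEN = 4096  # assumed sanity bound, not a documented PeopleSoft limit


class SignonCI(Protocol):
    """Hypothetical wrapper around the PRTL_SS_CI component interface."""

    def authenticate(self, token: str) -> bool: ...   # PRTL_SS_CI.Authenticate
    def get_user_id(self) -> str: ...                 # PRTL_SS_CI.Get_UserID


class ConstructedCI:
    """Offline stand-in for PRTL_SS_CI so the example runs without PeopleSoft."""

    def __init__(self, valid_tokens):
        self._valid = dict(valid_tokens)   # constructed token -> User ID
        self._user = ""

    def authenticate(self, token):
        self._user = self._valid.get(token, "")
        return bool(self._user)

    def get_user_id(self):
        return self._user


class UnreachableCI:
    """Stand-in for an application server that cannot be reached."""

    def authenticate(self, token):
        raise ConnectionError("application server unavailable")

    def get_user_id(self):
        raise ConnectionError("application server unavailable")


def extract_ps_token(cookie_header: Optional[str]) -> Optional[str]:
    """Step 5: look for PS_TOKEN; the value is never decoded or trusted locally."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get("PS_TOKEN")
    if morsel is None:
        return None
    token = morsel.value.strip()
    if not token or len(token) > MAX_TOKEN_LEN:
        return None
    return token


def resolve_user(cookie_header: Optional[str], ci: SignonCI) -> Optional[str]:
    """Steps 5 to 7. Returns the User ID, or None meaning: show the signon page."""
    token = extract_ps_token(cookie_header)
    if token is None:
        return None
    try:
        if not ci.authenticate(token):     # step 6: PeopleSoft decides, not us
            return None
        user_id = ci.get_user_id()         # step 7: identity comes from the CI
    except Exception:
        return None                        # fail closed if verification breaks
    return user_id or None


if __name__ == "__main__":
    ci = ConstructedCI({"constructed-token-1": "JDOE"})
    for header in ("PS_TOKEN=constructed-token-1; theme=dark",
                   "PS_TOKEN=forged; userid=ADMIN",
                   "theme=dark"):
        print(repr(header), "->", resolve_user(header, ci))
```

The User ID is taken only from the component interface after a successful authentication, so a `userid` value sent alongside a forged token has no effect.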

    How many current clients use row level or field level security?

    We don't have exact statistics on this type of metric from our clients, but it is believed that almost all clients have row level security and most have implemented some form of field level security.

    How are the roles initially assigned to the database of users of the system: students, faculty, employees and all combinations?

    Roles can be assigned by a security administrator by hand, or they can be assigned dynamically by security queries or PeopleCode based on events in the system (i.e. promotions, workflow events, conditions, etc.). A dynamic role can be assigned based on characteristics of a user and can be unassigned when the characteristics change. Dynamic roles allow permissions to be assigned based on business events that may be temporary, but necessary to get work done in normal business processing.

    Is there a limited number of roles or views that you can create?

    No. Unlimited.

    How much time must DBA team spend on occasional security problem diagnosis?

    DBA time varies, but will decrease as time goes on and the system has been in production. The DBA will be required to monitor the health of the database to make sure response time is adequate.

    Who updates SQL or PeopleCode: BGSU or PeopleSoft?

    PeopleSoft delivers a robust application design application called PeopleTools. PeopleTools allows Bowling Green to alter or create new functionality in the PeopleSoft application to fit Bowling Green's unique requirements. The changes Bowling Green creates or applies are tracked by PeopleSoft, so when upgrades occur, those changes are applied and not lost. The PeopleSoft Upgrade Manager controls this process.

    Who typically maintains the views related to field level security?

    Security administrators who have access to PeopleTools typically maintain the views related to field level security.

    What process or tools eliminate duplicate accounts or people from the system if they have been added by mistake?

    PeopleSoft, as defined by BGSU, can set up data validation rules so that when accounts are created, duplicate data will not be input into the system. However, FirstLogic also has tools to identify accounts that may be duplicates that are not caught by the data validation rules.

    Can BGSU define custom roles and security? Can users view specific fields only or is it all or nothing?

    Via the security administration tools in PeopleSoft, BGSU can define their own custom roles and permission lists based on their own unique requirements. Security can be defined at multiple levels so that the appropriate level of access is granted to a user based on the type of transaction that is being issued, or blanket security given to that user. Users can view specific fields on a page based on field level security. Each user or role can see different fields based on security access.

    How can a view be tied to an application routine?

    Views, which are a logical grouping of physical tables, are created by a system or data administrator in the Application Designer, a component of PeopleTools. The fields in a view can be placed on a page just as a physical record (or table) has its fields defined on a page. Views are typically used to group similar data and present multiple records (or tables) in one view.

    Can Java web server be other than WebLogic/WebSphere (such as TomCat)?

    PeopleSoft supports:

    Web Servers
    - BEA WebLogic Server
    - IBM WebSphere Server

    Optional Reverse Proxy Servers (HTTP Servers):
    - Microsoft IIS v4 on Windows NT 4
    - Microsoft IIS v5 on Windows 2000
    - iPlanet Web Server, Enterprise Edition
    - Apache (WebLogic only)
    - IBM HTTP Server (IHS) (WebSphere only). Packaged with WebSphere install.

    What application are you using for single sign-on?

    Single Sign-on is delivered for the PeopleSoft application from PeopleSoft. It is PeopleSoft's own application. PeopleSoft can be incorporated with other SSO applications like Netegrity or Oblix.

    How do we maintain changes or upgrade for these database and field changes?

    The Upgrade Manager utility, which is part of PeopleTools, manages the PeopleSoft upgrade processes. When a change is made by Bowling Green to any object in the PeopleSoft application, the metadata for that object is updated and defined as a user defined change so that during the upgrade process, all changes are captured, verified, and migrated with the Upgrade Manager. The Upgrade Manager manages the upgrade process.

    How are they available in different regions? Example: If you want to modify a screen by adding a new field, how would you do this change and be able to test without modifying the production screen?

    In a typical PeopleSoft architecture, most customers have development, test, and production environments. This is so enhancements to the PeopleSoft application can be thoroughly tested before the changes are migrated to the production environment. PeopleSoft has a process called Data Mover, which manages the process of moving changes from one PeopleSoft landscape to another (i.e. Development to Test, Test to Production). PeopleSoft recommends having a development and/or test environment so that changes can be tested without impacting production systems.

    Can a username change or must the username be deleted and readded?

    In the security administrator, if a user name must be changed, the following process should be followed:

    1) Copy the existing user profile name to the new profile name
    2) Test the sign in process to the new user profile name
    3) Delete the old user profile name

    What version of WebLogic is used?

    WebLogic 6.1 is the current supported level.

    Will business rules be modified by PeopleTools and PeopleCode?

    Business Rules can be defined in multiple locations in PeopleSoft depending on the events being defined. For example, security is set up via the security administrator in the PeopleSoft application. Financial configurations, such as General Ledger setup, are done via the Financials module, and likewise for benefits in Human Resources. In some cases, business rules will need to be defined in PeopleTools, such as workflow branching configurations. There may be times during that process that PeopleCode will need to be written. However, most business rules are defined in the PeopleSoft applications themselves without a line of code being written.

    Are the queries that appear on the portal page processed realtime only or can they be cached or set to expire results within a specific time frame?

    The queries in the portal pagelets are run real-time when the user logs in or clicks on the refresh button on the pagelet or the browser.

    How are changes deployed from development to test without recreating elements?

    In a typical PeopleSoft architecture, most customers have development, test, and production environments. This is so enhancements to the PeopleSoft application can be thoroughly tested before the changes are migrated to the production environment. PeopleSoft has a process called Data Mover, which manages the process of moving changes from one PeopleSoft landscape to another (i.e. Development to Test, Test to Production). PeopleSoft recommends having a development and/or test environment so that changes can be tested without impacting production systems.

    Over time BGSU may have multiple changes to the system. When implementing a new release of PeopleSoft, does PeopleSoft automatically account for these changes? If not, does PS inform DBA of changes to the system?

    The Upgrade Manager utility, which is part of PeopleTools, manages the PeopleSoft upgrade processes. When a change is made by Bowling Green to any object in the PeopleSoft application, the metadata for that object is updated as a user defined change, so that during the upgrade process, all changes are captured, verified, and migrated. As part of the upgrade process, a report will be created stating what was changed by Bowling Green. Bowling Green will have the option to carry forward all modifications they made, or only carry forward a subset of changes. This process is all defined via the Upgrade Manager.

    Is all security done by a master admin or are there sub admins? Can some security be delegated?

    Both. Security can be centralized or decentralized to sub admins in departments or organizations. Typically a central security administrator creates the permission lists and roles needed. Administration at the department level can be decentralized and the responsibility for role assignment can be delegated to a super user in each department.

    Wireless access has been mentioned in a number of contexts. Which means of access are supported, i.e., WAP, browser-based, etc.?

    PeopleSoft supports WAP enabled devices and PocketPC devices. Please refer to the Hardware and Software guide for supported device