Implementing One Authoritative Source of Data Security

Transcription

Implementing One Authoritative Source of Data Security – PeopleSoft Financials 9.2 ChartField Security with Query and nVision Security
Trimaan Dang
June 23, 2015

Contents
- Issue and business requirements
- Proposed solution
- ChartField Security
- Query Security
- nVision Security
- Use case
- Conclusion
- Questions

Deloitte LLP and affiliated entities. Implementing One Authoritative Source of Data Security – PeopleSoft Financials 9.2 – ChartField Security with Query and nVision Security

Typical business requirements and implementation issues

What’s the need?
- Secure fields not able to secure in the past
- Ensure confidential data accessible only by authorized users
- Ensure data available for users without an extra layer of effort

What’s the problem?
- Different methods of accessing data
- Wide-open access to data, by default
- Securing data through one means does not automatically secure data through other means
- Gap exists that needs to be mitigated

Proposed solution
- One overall security method
- Other methods of accessing data default to the same level of access provided under overall approach
- Same outcome from a data perspective, no matter which access route is selected

Diagram labels: ChartField security, Query security, nVision security

Terminology used:
- ChartField Security: As intended within PS
- Query and nVision Security: Deeper dive while including data restriction

ChartField Security

Overview of ChartField Security
- Secures those on-screen pages where ChartFields with monetary amounts and sensitive data are displayed
- ChartFields available: Account, Alt Account, DeptID, Operating Unit, Fund Code, Project ID etc.
- Allows access for an end-user according to their “need to know” level
- Option to choose method and ChartFields via which Security can be implemented
- Can choose up to two ChartFields to be secured
- Can be implemented via either the user ID, role, or permission list
- Access is provided through building rules that are specific to the organization
- Rules can be built for multiple products or combinations of products
- Multiple products can be chosen, such as: General Ledger, Expenses, Payables, Asset Management etc.

Advantages of using ChartField Security
- Transactions for only authorized ChartFields: once active, end users only see transactions for authorized ChartFields
- Users restricted to select or enter only those authorized ChartField values
- Key to seeing authorized values in the Prompt Tables is to have the Security Rules “built” into the underlying security table.
- Works in conjunction with Business Unit and Ledger Security
- Super users can also be defined
- Security Values “built” for the end-user can be viewed from the Assign Rule to User/Role/Permission List page

How does ChartField Security work?
- Secure ChartField options page
- Once an option is selected here, ChartField Security is active!
- Options: Deny or Grant Access
- Designed such that transactions containing one or more than one line with secured ChartFields are not accessible

How to configure ChartField Security
1. Decide security options: Should partial access be provided? Which ChartFields should be secured? Which method is the most appropriate?
2. Define the Rules: How will ChartField Security be administered? Through Tree Nodes, Values, Ranges, or Wildcards?
3. Associate Rules with the ChartField security method chosen: Users, Roles or Permission Lists
4. Build Rules’ values in respective security table
5. Enable ChartField security on the secure ChartField options page

1. Partial access – Deny access or grant access

Example journal entry:
  DR  Asset      1001  100
  CR  Liability  1002  100

Grant access:
- End-user is able to view the journal entry as long as he/she has access to one secured ChartField
- Seamless transition

Deny access:
- End-user is unable to view the journal entry and gets the error message of Contacting the Security Administrator
- Only able to see the journal entry if access to all secured ChartFields provided

Pros:
- Depends on the needs of the organization!
- Grant Access: Ease of use exists since user frustration is minimized
- Deny Access: Can create user frustration especially if the error messages are constant and proper maintenance of ChartField Security does not exist

2. Define rules
- Can create multiple combinations within the same rule of a tree node, value, wildcard etc.

3. Associate rules with ChartField Security method
- Can associate more than just the products chosen at the Overall level here.
- Caveat is that all the products selected here in the Rule Definition must also be selected in the Secure ChartField Options page
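The rule, association, build and partial-access steps above can be modelled in a few lines of Python. This is an added illustration, not PeopleSoft code or code from the presentation. The rule names, user names, the trailing-% wildcard form, the choice of Account as the secured ChartField and the set of rows standing in for the security table are assumptions, and tree nodes are left out.

```python
# Added illustration: models the semantics on the slides, not PeopleSoft internals.
# Rule names, users and the trailing-% wildcard syntax are assumptions.

def matches(spec, value):
    """One rule entry: exact value, ('range', low, high), or 'prefix%' wildcard."""
    if isinstance(spec, tuple):
        _, low, high = spec
        return low <= value <= high  # string compare; assumes equal-length codes
    if spec.endswith("%"):
        return value.startswith(spec[:-1])
    return spec == value

def build_security_rows(rules, assignments, chartfield_values):
    """'Build' step: expand each user's rules into (user, chartfield, value) rows."""
    rows = set()
    for user, rule_names in assignments.items():
        for name in rule_names:
            chartfield, specs = rules[name]
            for value in chartfield_values[chartfield]:
                if any(matches(spec, value) for spec in specs):
                    rows.add((user, chartfield, value))
    return rows

def can_view(user, journal_lines, rows, chartfield, mode):
    """'grant': one authorized line is enough; 'deny': every line must be authorized."""
    checks = [(user, chartfield, line[chartfield]) in rows for line in journal_lines]
    if not checks:
        return False
    return any(checks) if mode == "grant" else all(checks)

# Constructed sample data; the journal mirrors the slide's example entry.
RULES = {
    "ASSET_1001": ("ACCOUNT", ["1001"]),
    "BALANCE_SHEET": ("ACCOUNT", [("range", "1000", "1999")]),
    "EXPENSES": ("ACCOUNT", ["5%"]),
}
ASSIGNMENTS = {"CLERK": ["ASSET_1001"], "CONTROLLER": ["BALANCE_SHEET", "EXPENSES"],
               "AUDITOR": ["EXPENSES"]}
VALUES = {"ACCOUNT": ["1001", "1002", "5000", "5100"]}
JOURNAL = [{"side": "DR", "ACCOUNT": "1001", "amount": 100},
           {"side": "CR", "ACCOUNT": "1002", "amount": 100}]
ROWS = build_security_rows(RULES, ASSIGNMENTS, VALUES)

if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, {m: can_view(user, JOURNAL, ROWS, "ACCOUNT", m) for m in ("grant", "deny")})
```

A rule that has been assigned but not yet built produces no rows, so the user is denied in both modes until the build step runs.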

Implementation vs. Maintenance

Initial setup:
- Secure ChartField options
- Define security rules

Post initial setup:
- Copying existing rule assignment
- Assigning rules to method selected

ChartField Security – Design tips to keep in mind
- ChartField Security – All or nothing
- Enabled by user level – Initial one-time effort in setting up all users for org
- Once product enabled on overall level, rules and associations to users/roles/permission lists must be made
- Using tree nodes based on secured ChartField tree allows initial set-up and maintenance process to become much faster

Query Security

Overview of queries
- Front-end PIA Queries. Tool that can be used to generate flexible extracts of information needed
- Multiple navigations to access.
- Query Manager: Modify and run existing queries. Ability to create queries
- Query Viewer: Run queries on this page. Read only version

How to configure Query Security through permission lists
- Secure access to Query Viewer or Query Manager navigation
- Setup Query Profiles that allow ability to run/create queries
- Provide access to tables through Query Access Groups

Outcome: wide-open access to all data in underlying tables.
Gap exists since ability to access more data here than under ChartField Security.

Align Query Security with ChartField Security

Delivered process:
- End-users have access to all the data in a table that is being queried upon
- Data returned in queries is not automatically restricted when ChartField Security is enabled and active.

2 Options: Security Records and Security Joins within the Query

Security records:
- Query security records – equivalent of component search records
- When a query security record is enabled on a record, PeopleSoft runs a “security check” based on the query security record before returning data in the results
- The Query Security Record is consulted first to determine which values are authorized before data is returned in the Query

Security joins within the query:
- Delivered queries or custom queries created can be joined with the underlying Query Security table within the query itself

Comparison of the 2 options

Via security records:
- Needs to be applied to every record that can be queried upon
- May cause issues with delivered processes that rely on queries upon which query security records have been applied.
- Dependency: How many delivered processes rely on delivered queries

Via security joins:
- Needs to be applied to every Query that contains the secured ChartFields
- Dependency: Is access to delivered Query Viewer to be provided? If so, might be unrealistic to change every single delivered query
- If access to Queries is to be restricted, then can be a viable option

Keep in mind:
- How is Query Access being designed overall: What’s the need? Is access going to be wide-spread? How many users will be provided access?
- Is data needed to be secured? What’s the model being used – need to know vs. transparency for entire organization?
- How is access being provided? Through the delivered Query Viewer page or a custom page? Through delivered Query Trees or Custom Query Trees?

Implementation vs. Maintenance

Initial setup:
- Revolves around getting Query Security up and running

Post initial setup:
- Revolves around making sure that queries can be run on records
- Revolves around ensuring that data restrictions are complied with

nVision Security

Overview of nVision Security

Overview of PS/nVision:
- Tool for creating reports in Excel
- Reports are created when a Report Layout is selected
- The Report Layout defines the information that needs to be retrieved along with the specified formatting
- Drill down features can also be used within nVision Reports to expose further information to make the report more useful
- Reports can be run from either PIA or the client version

How to configure nVision Security:
- Restrict access to the nVision actions allowed through permission lists
- Restrict access to the nVision pages through permission lists

Outcome: wide-open access to all data in the Ledger
Gap exists since ability to access more data here than under ChartField Security.

Delivered process: nVision ledger based security
- Inactive unless a Reporting View is enabled
- Secured Reporting View – Join between the Ledger Authorization Table and the Ledger Table
- Secured Ledger Reporting View “sits” on top of the Ledger Template
- Once a Secured Ledger Reporting View has been identified, PeopleSoft defaults to the dynamic Ledger Reporting View to ensure that only authorized values for the user are returned
- Authorized values are determined when a “match” happens between the Ledger Authorization Table and the Ledger itself
- Secured Reporting View is a dynamic SQL view that is called upon when an nVision Report request is generated

Delivered process: nVision ledger based security (cont’d)

Diagram labels:
- Delivered Ledger Authorization Table: User ID field, Business Unit field, Ledger field
- Delivered Ledger Reporting View
- SQL Statement Generated
- Ledger Table
- Business Unit and Ledger match
- Ledger A, Ledger B, Ledger C
- Ledger Template

Proposed solution – Infrastructure needed

Customize Ledger Authorization Table:
- Secured ChartField needs to be added
- Needs to be able to hold repeating values of secured ChartFields for the same user ID and business unit but for the number of different ledgers

Customize Secured Ledger Reporting View:
- SQL addition needs to happen. Addition needs to match the secured ChartField value held in the Authorization Table and the Ledger Tabl
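The difference between the delivered reporting view (Business Unit and Ledger match only) and the customized one (secured ChartField added to the authorization table and to the join) can be seen by running both against the same ledger rows; the same join pattern is what the Query security-join option describes. This is an added illustration in SQLite, not PeopleSoft's delivered SQL or code from the presentation: every table, view and column name is hypothetical, DeptID is assumed to be the secured ChartField, and the rows are constructed.

```python
import sqlite3

# Added illustration in SQLite; table, view and column names are hypothetical.
SCHEMA = """
CREATE TABLE ledger (business_unit TEXT, ledger TEXT, deptid TEXT, amount INTEGER);
-- Delivered shape of the authorization table: user ID, business unit, ledger.
CREATE TABLE ledger_auth (oprid TEXT, business_unit TEXT, ledger TEXT);
-- Customized shape: secured ChartField added, one row per authorized value.
CREATE TABLE ledger_auth_cf (oprid TEXT, business_unit TEXT, ledger TEXT, deptid TEXT);

CREATE VIEW rpt_delivered AS
  SELECT a.oprid, l.business_unit, l.ledger, l.deptid, l.amount
  FROM ledger l JOIN ledger_auth a
    ON a.business_unit = l.business_unit AND a.ledger = l.ledger;

CREATE VIEW rpt_customized AS
  SELECT a.oprid, l.business_unit, l.ledger, l.deptid, l.amount
  FROM ledger l JOIN ledger_auth_cf a
    ON a.business_unit = l.business_unit AND a.ledger = l.ledger
   AND a.deptid = l.deptid;  -- the SQL addition: match the secured ChartField
"""
# Constructed sample rows.
LEDGER = [("BU1", "ACTUALS", "D100", 500), ("BU1", "ACTUALS", "D200", 700),
          ("BU1", "BUDGET", "D100", 900), ("BU2", "ACTUALS", "D100", 300)]
AUTH = [("USER_A", "BU1", "ACTUALS"), ("USER_A", "BU1", "BUDGET")]
AUTH_CF = [("USER_A", "BU1", "ACTUALS", "D100"), ("USER_A", "BU1", "BUDGET", "D100")]
VIEWS = ("rpt_delivered", "rpt_customized")

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ledger VALUES (?, ?, ?, ?)", LEDGER)
    db.executemany("INSERT INTO ledger_auth VALUES (?, ?, ?)", AUTH)
    db.executemany("INSERT INTO ledger_auth_cf VALUES (?, ?, ?, ?)", AUTH_CF)
    return db

def report_rows(db, view, oprid):
    """Rows a report request would see for this user through the given view."""
    if view not in VIEWS:  # view name is interpolated, so allow-list it
        raise ValueError(f"unknown view: {view}")
    sql = (f"SELECT business_unit, ledger, deptid, amount FROM {view} "
           "WHERE oprid = ? ORDER BY business_unit, ledger, deptid")
    return db.execute(sql, (oprid,)).fetchall()

if __name__ == "__main__":
    db = open_db()
    for view in VIEWS:
        print(view, report_rows(db, view, "USER_A"))
```

Through the delivered view USER_A also receives the D200 row, which is the gap the slides describe; the customized view returns only the D100 rows in the two authorized ledgers.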
