|
|
|
Process Scheduler Security Primary Note |
| |
This Primary Note answers the most common questions about Process Scheduler Security that we have encountered.
This Primary Note contains a document on Process Scheduler Security Setup and Configuration.
This document provides an overview on how PeopleTools Security controls access to certain Process Scheduler functionality.
PeopleTools Security is used to control process and job definitions, process groups, a user’s process profile, and the level of visibility a user has within Process Monitor and Report Manager.
It also discuss about granting “special” roles to the user and what these roles do.
There are “special” delivered roles, which are ProcessSchedulerAdmin, ReportDistAdmin, ReportSuperUser.
|
|
|
|
1. What Security is needed for the user who startup the Process Scheduler?
2. How to limit the "Cancel" and "Delete" options on Process Monitor > Details page?
3. How to change Process Scheduler Status directly from Process Monitor?
4. How to allow all users on the system to run a particular process?
5. How to configure PeopleTools for new users to see the Process Schedulers listed in the Server List page?
6. How to enable "Server Name" / "Recurrence" fields from "Process Request" page?
|
| 1. What Security is needed for the user who starts up the Process Scheduler? |
|
The user should be assigned the PeopleSoft Process Scheduler system administrator role (the User ID must be a valid PeopleSoft User).
A user with this privilege can update definitions in Process Scheduler Manager and view all process requests in Process Monitor.
This role is equivalent to granting all of the privileges in the Allow Requester To group box on the Process Profile Permission page.
The user ID of the user starting the Process Scheduler can be found in Process Scheduler configuration file (psprcs.cfg).
Example:
[Startup]
;=========================================================================
; Database Signon settings
;=========================================================================
DBName=DBNAME
DBType=MICROSFT
UserId=VP1
UserPswd=xxx
ConnectId=people
ConnectPswd=xxxxxx
ServerName=
The user does not have to have the PeopleSoft Administrator role.
In order to grant a PeopleSoft Process Scheduler System Administration Role to a user ID:
1. Log in into PIA.
2. Navigate to PeopleTools > Security > User Profiles to open the profile for a user ID.
3. Select the Roles page.
4. Select the role name "ProcessSchedulerAdmin".
5. Click "Save" to save the changes.
|
2. How to limit the "Cancel" and "Delete" options on Process Monitor > Details page?
How to configure PeopleTools to prevent users from being able to cancel or delete processes from Process Monitor? |
|
This can be achieved by the proper configuration of the User Profile's Process Profile Permission List.
In order to configure the User Profile's Process Profile Permission List:
1. Log in into PIA.
2. Navigate to Peopletools > Security > User Profile to open the specific User Profile.
3. Under the General Tab at bottom left under Permission Lists is listed the Process Profile Permission List (e.g. HCSPPRFL).
4. Navigate to Peopletools > Security > Permissions & Roles > Permission Lists and open the User's Process Profile Permission List (e.g. HCSPPRFL).
5. Navigate to the "Process" Tab and click on Process Profile Permissions.
6. See the field Allow Process Request.
Update by: ALL, NONE, OWNER.
7. Set to NONE in order to prevent User Profiles with this Process Profile Permission List to cancel their submissions.
(Make sure that this User Profile does not also have ProcessSchedulerAdmin which override this setting).
User Profiles with ProcessSchedulerAdmin role will still be able to override this setting and cancel the requests.
8. Click "Save" to save the changes.
* For detailed explanation see PeopleBooks:
Home > PeopleBooks > Enterprise PeopleTools 8.4x PeopleBook: Security Administration > Setting Up Permission Lists > Defining Permissions: Setting Process Permissions
|
| 3. How to change Process Scheduler Status directly from Process Monitor? |
|
The only available options in PIA are Stop / Suspend / Restart Server from Process Scheduler > Process Monitor > Server Details page.
Stop Server (OS390 only)
Select to shut down a PeopleSoft Process Scheduler Server that is running or exhibiting problematic behavior.
Suspend Server
Select to prevent a running PeopleSoft Process Scheduler Server from accepting new process requests.
Restart Server
Select to restart a PeopleSoft Process Scheduler Server that has been suspended. If a server has been stopped, it must be restarted using PSADMIN.
Note. After selecting one of these options, click "OK" to run the command.
For PeopleTools 8.42 and higher, the Stop function will be disabled for NT & Unix schedulers.
It will still be available for OS/390 since Tuxedo is not used.
The option to Stop the process scheduler from Process Monitor is enabled from the Process Profile Permission list assigned to a particular user, by following the below steps:
1. Log in into PIA.
2. Navigate to PeopleTools > Security > User Profiles to find out the Process Profile Permission list used by the user.
3. Choose the affected user profile (for instance VP1) and look at the bottom of the page for the "Process Profile" Permission List (e.g. HCSPPRFL).
4. Navigate to PeopleTools > Security > Permission Lists & Roles and open the User's Process Profile Permission List (e.g. HCSPPRFL)
5. Navigate to the "Process" Tab and view the "Process Profile Permissions" for that user.
Look for the "Update Server Status" check box which is needed to activate or deactivate.
The check box for "Update Server Status" is what controls the ability to use this function.
6. Set the list as desired and click "Save" to save the changes.
Clear Process Scheduler and Application Server CACHE.
|
| 4. How to allow all users on the system to run a particular process? |
|
This can be achieved by the proper configuration of the process security by following the below steps:
1. Log in into PIA.
2. Navigate to PeopleTools > Process Scheduler > Processes and search by Process Type (e.g. enter "SQR" in Process Type field),
then click on the Process Name to modify.
3. Go to "Process Definition Options" tab and under "Process Groups" hit the Add (plus) button to create new process group.
4. Type-in a NEW process group name (e.g. MYPRGRP) then click "Save".
5. Navigate to PeopleTools > Security > Permissions & Roles > Permission List to create a new permission list.
6. Click on "Add a New Value" link and type-in the desired Permission List name (e.g. MYPERM).
7. Click "Add" button to create it.
8. Go to "Process" tab and click on "Process Group Permissions" to include newly created process group to permission list.
9. Click the magnifying glass - Lookup Process Group button and select the newly created Process Group (e.g. MYPRGRP) and click "OK".
10. Click "Save" button to save the changes.
11. Navigate to PeopleTools > Security > Permissions & Roles to create a new role.
12. Click on "Add a New Value" link and type-in the desired Role name (e.g. MYROLE).
13. Clink "Add" button to create it.
14. Go to "Permission Lists" tab to include newly created permission list to role.
15. Click the magnifying glass - Lookup Permission List button and select the newly created Permission List (e.g. MYPERM).
16. Click "Save" button to save the changes.
17. Navigate to PeopleTools > Security > Permissions & Roles and search by "Role Name" for the newly created role (e.g. MYROLE) to Dynamically assign the newly created role to the user(s) -- in this example ALL users.
A Dynamic Rule might have to be created to selectively select desired members.
18. Go to "Dynamic Members" tab and put a checkmark in the "Query Rule Enabled" checkbox.
19. A "Query Rule" box will appear below the "Rules" box.
20. Click the magnifying glass - Lookup Query button and search by "Role-Query Name" and type ALL_USERS in the Role-Query Name field.
21. Select ALL_USERS and click "Save" button to save the changes.
|
| 5. How to configure PeopleTools for new users to see the Process Schedulers listed in the Server List page? |
|
When attempting to go into the Process Monitor as a newly created user, this user may not be able to see the Process Schedulers listed in the Server List page.
This user probably does not have access to view the Process Scheduler(s) which are up, nor the status of those Schedulers.
To add, or remove access, follow the steps below:
1. Log in into PIA.
2. Navigate to PeopleTools > Security > User Profiles to find out the Process Profile Permission list used by the user.
3. Choose the affected user profile (for instance VP1) and look at the bottom of the page for the "Process Profile" Permission List (e.g. HCSPPRFL).
4. Navigate to PeopleTools > Security > Permission Lists & Roles and open the User's Process Profile Permission List (e.g. HCSPPRFL)
5. Navigate to the "Process" Tab and view the "Process Profile Permissions" for that user.
Activate or deactivate the "View Server Status" check box.
6. Set the list as desired and click "Save" to save the changes.
Clease Process Scheduler and Application Server CACHE.
|
| 6. How to enable "Server Name" / "Recurrence" fields from "Process Request" page? |
|
If "Server Name" / "Recurrence" Drop Down Box from "System Process Request" page are grayed, the following points need to be checked:
Checkpoints
------------
Check PeopleTools > Security > Permissions & Roles > Permission Lists > Process Page > Process Profile Permissions for the user's permission list.
The "Allow Request To" option applies to using PeopleSoft Process Monitor and PeopleSoft Process Scheduler Request pages.
These options enable the possibility to restrict the authority that a user has while monitoring scheduled processes.
Enable Recurrence Selection
Select to enable a run recurrence value for processes and jobs scheduled to run on the server.
Clear Process Scheduler CACHE for ALL Process Scheduler domains if a change was made to to "Enable Recurrence Selection" checkbox.
Solution
--------
1. Identify the user's Primary Permission List by viewing the User's Profile.
2. The field at the bottom labeled "Primary" is this user's Primary Permission List.
3. Go to this permission list and click on the "Process" page.
4. On the Process page, click on the link to Process Profile Permissions.
5. Uncheck the following flags and save the permission list.
Override Server Parameters
Override Output Destination
Update Server Status
Enable Recurrence Selection
6. Save the permission list.
After making the changes to the process definition, reboot Process Scheduler and Application Server.
|
|
|
| PeopleBooks |
|
More information about Process Scheduler Security:
PeopleBooks Library > PeopleSoft Process Scheduler > Setting Up PeopleSoft Process Scheduler Security
PeopleBooks Library > PeopleSoft Process Scheduler > Managing PeopleSoft Process Scheduler > Granting PeopleSoft Process Scheduler Administrative Rights
|
KEYWORDS:
PPROCESS, PROCESS SCHEDULER, CANCEL, RUN, SECURITY, VISIBLE, DISABLE, PROCESS REQUEST, PROCESS INSTANCE, ACCESS, RUN, NEW USER, PROCESS MONITOR |
|
|
|
