Application Security

1
Application Security

• Same powerful page (menu) and row level security
  from past releases

2
Physical security

• SSL between web server and browser
• SSL between app server/ web server for BI and
  App. Msg.
• Tuxedo link level encryption between web server
  and application server
• 4 tier architecture
• expose business functionality outside firewall
• Keep valuable app server data behind firewall

3
Physical Architecture
4
PeopleTools 8.1 Authentication

• Native support for two authentication methods
• PeopleSoft passwords in PSOPRDEFN
• LDAP password - via User Profile Component
  Interface Sign-on PeopleCode
• Signon PeopleCode to support other other methods
  (make it flexible)
• NT domain / unix
• Kerberos, X.509 certs etc.
• Partners helping in this are (Entrust, Verisign,
  Novell, etc)

5
PeopleTools 8.1 -- New Terminology

• PS 7.5 PS 8
• Operator --gt User
• Operator Definition --gt User Profile
• Operator Class(Menus) --gt Permission List
• Operator ID --gt User ID
• (Record still PSOPRDEFN)
• (Field still OPRID)

6
PeopleSoft Password Controls

• Extended Password Management
• Maintain Security -gt Setup -gt Password Controls
• Password Age.
• Minimum Length.
• All implemented in PeopleCode

• Character Requirements.
• Allow Password to match User ID?
• Account Lockout

7
Sign-on PeopleCode

• Runs once for each sign in
• Primarily intended to
• Extend authentication logic
• synchronize User Profile from external data
  source (LDAP)
• can also be used to declare globals -- full
  PeopleCode language support

8
No More Security Administrator

• All security maintained in Maintain Security
  -- make it centralized
• Logically Centralized
• Security Objects -- upgrade copy / compare
  support
• Application messaging where appropriate

9
Security Objects

• Stuff to secure
• (Pages, Data Rows, Processes, Queries, Sign-on
  times etc)
• Permission Lists
• Roles
• Users

10
Peopletools 7.0 - 7.5x
11
Peopletools 8.1
12
Tools in Tools

• Internet page-based security administration
  (written in and deployed through the PeopleSoft
  Internet Architecture)
• Open -- No black box
• Extensible to meet your decentralized security
  administration requirements

13
Roles

• Intermediate object between users and Permission
  Lists
• Permission Lists are assigned to a Role
• Roles are assigned to a User
• Unifies workflow and permissions
• Roles can be dynamically assigned
• Synchronizing roles-user assignment between
  databases using Application Messaging
• Upgrade support

14
User Profiles

• Synchronizing User profiles between databases
  using Application Messaging
• Not really needed with LDAP integration
• Extending User profiles
• User profile API
• My Profile Page

15
Enterprise Directory

• LDAP V3 server

• Authority on who can log in (USERID) and what
  they can do (Role)

16
PeopleSoft Security and LDAP

• Configure PeopleSoft to grab User Profiles and
  Role-User relationship from LDAP
• Row of data still inserted into PSOPRDEFN
• App Server (sign on PeopleCode) managers the
  synchronization
• Any LDAP V3 server
• Novell NDS
• Microsoft Active Directory
• Netscape (Sun iPlanet)

17
Dynamic Roles

• Dynamically assign users to Roles using a Rule
  -(PeopleCode Function or LDAP)
• Eliminating static assignment decreases
  administration costs
• Schedule Rule execution based on your environment
• LDAP containers and groups can drive your
  PeopleSoft security

18
PeopleSoft Single Sign on

• Single sign on page for all PeopleSoft
  applications
• User still chooses database (by clicking a link)
• Key to Portal UI in PeopleTools 8.1
• Technology
• Encrypted, Digitally signed
• Expiration time, in memory only
• List of trusted Nodes

19
Delivered in PeopleTools 8.1

• Novell NDS eDirectory
• LDAP password authentication
• Business Interlinks for LDAP calls
• Component Interface
• Sign-on PeopleCode
• Sample Directory Authentication

20
PeopleTools 8.1 low-level changes

• User ID Password length now 30
• Passwords stored in DB as SHA1 hash
• No More DB-level users
• No more db connects for individual users
• ValidateSignonWithDB still works
• You can run PeopleTools without using DB public
  tables (PSOPRDEFN, PSACCESSPROFILE PSSTATUS)