Thursday 6 March 2014

PeopleSoft HCM Data Permission Security @work



Background

Recently one of our customers, for whom we had implemented PeopleSoft HCM 9.1 a few years back, asked us to revisit and redesign their Data Permission Security because the business need had changed since implementation.

The customer has employees in the USA and Canada and has a separate HR Administrator for each regulatory region. During implementation, data permission security was implemented for the components and reports containing sensitive employee information using the PeopleSoft-delivered Security Type 005, i.e. Job Reg-Region.

Business Issue


Due to an increase in the workforce, the customer wanted to reorganize their HR Administrators' span of control. They wanted each HR Administrator to be responsible for employees in a location or a group of locations.

So, when an HR Administrator accesses a component containing employee data, he/she should have access only to the employees of those locations for which the HR Administrator has the data security permission.

Had this been the only requirement from the customer, it would have been a simple case of using the PeopleSoft-delivered Security Type 002, i.e. Job Location.

But the customer's business need was not limited to that. They also wanted the HR Administrator not to have access to the employees of the "HR" department in those locations, to which they would otherwise have access through the data security permission.

In PeopleSoft, when we grant a permission list access to data in a security set using more than one security access type, the security access creates a union, not a join or an intersect, of the two types.

For example, if we enable the Job Location and Job Deptid Non Tree security access types for the PPLJOB security set and grant a permission list access to employees in location A and employees in department B, an HR Administrator with that permission list can access all employees in location A or all employees in department B; their access is not restricted to employees who are in both location A and department B.

So, for the above business need, we cannot simply enable the PeopleSoft-delivered Security Type 002, i.e. Job Location, and Security Type 025, i.e. Job - Deptid - non Tree.

SOAIS Solution


We created a custom Security Type within the Security Set PPLJOB, keyed on Business Unit, Location and Department. This let us meet the customer's requirement of an intersect of location and department to determine the span of control for each HR Administrator. The HR Administrators were given access to the combinations of locations and departments in their span of control, except for the HR department.
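The union behaviour and the composite-key approach described above, modelled in Python as an added example (it is not PeopleSoft code and not part of the original post). The employee rows, location and department codes, and the helper names `visible` and `grants_for_span` are constructed for illustration, and building the type 102 grants by enumerating combinations is an assumption about how the access was set up.

```python
# Simplified model of the access semantics in the post; not PeopleSoft code.
# Employee rows, codes and helper names are constructed for illustration.
from typing import NamedTuple

class Job(NamedTuple):
    emplid: str
    business_unit: str
    location: str
    deptid: str

# How each security access type derives its key from a job row.
# 002 and 025 are the delivered types named in the post; 102 is the
# custom type keyed on Business Unit + Location + Department.
KEY_BUILDERS = {
    "002": lambda j: (j.location,),
    "025": lambda j: (j.deptid,),
    "102": lambda j: (j.business_unit, j.location, j.deptid),
}

JOBS = [  # constructed sample data
    Job("E1", "US001", "LOC_A", "SALES"),
    Job("E2", "US001", "LOC_A", "HR"),
    Job("E3", "US001", "LOC_B", "SALES"),
    Job("E4", "US001", "LOC_B", "HR"),
    Job("E5", "US001", "LOC_A", "FIN"),
]

def visible(grants, jobs=JOBS):
    """Emplids visible to a permission list holding `grants`."""
    # A row is visible when ANY (access type, key) grant matches it,
    # which is why enabling two access types produces a union.
    return sorted(
        j.emplid for j in jobs
        if any((t, build(j)) in grants for t, build in KEY_BUILDERS.items())
    )

def grants_for_span(locations, excluded_depts, jobs=JOBS):
    """Type 102 grants: each BU/location/dept combination in the span,
    leaving out the excluded departments (assumed setup approach)."""
    return {
        ("102", KEY_BUILDERS["102"](j)) for j in jobs
        if j.location in locations and j.deptid not in excluded_depts
    }

# Delivered types together: location A OR department SALES.
UNION_GRANTS = {("002", ("LOC_A",)), ("025", ("SALES",))}
# Custom type: location A, with the HR department left out.
CUSTOM_GRANTS = grants_for_span({"LOC_A"}, {"HR"})

if __name__ == "__main__":
    print("002 + 025:", visible(UNION_GRANTS))
    print("102      :", visible(CUSTOM_GRANTS))
```

With the two delivered types the HR employee in location A (E2) stays visible and a SALES employee outside the span (E3) is pulled in; with the composite key only E1 and E5 remain.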

Please find below the snapshot of the configuration

Snapshot of the Configuration

  • Custom Security Access Type 102 within Security Set PPLJOB.


  • Screenshot of Security by Permission List using the custom Security Access Type 102.


Contributed by Debasish