Background
Recently one of our customers, for whom we had implemented PeopleSoft HCM 9.1 a few years back, asked us to revisit and redesign their Data Permission Security because the business need had changed since implementation.
The customer has employees in the USA and Canada and has a separate HR Administrator for each regulatory region. During implementation, Data Permission Security was implemented for the components and reports containing sensitive employee information using the PeopleSoft-delivered Security Type 005, i.e. Job Reg-Region.
Business Issue
Due to an increase in the workforce, the customer wanted to reorganize their HR Administrators' span of control. They wanted each HR Administrator to be responsible for employees in a location or group of locations. So, when an HR Administrator accesses a component containing employee data, he/she should have access only to the employees of those locations for which the HR Administrator has the data security permission.
If this had been the only requirement from the customer, it would have been a simple case of using the PeopleSoft-delivered Security Type 002, i.e. Job Location. But the customer's business need was not limited to that. They wanted the HR Administrator not to have access to the employees of the "HR" department in those locations, to which they would otherwise have access through the data security permission.
In PeopleSoft, when we grant a permission list access to data in a security set using more than one security access type, the security access creates a union, not a join or an intersect, of the two types.
For example, if we enable the Job Location and Job Deptid Non Tree security access types for the PPLJOB security set and grant a permission list access to employees in location A and employees in department B, an HR Administrator with that permission list can access all employees in location A or all employees in department B; their access is not restricted to employees who are in both location A and department B.
SOAIS Solution
We created a custom Security Type within the Security Set PPLJOB using Business Unit, Location and Department. This allowed us to meet the customer's requirement that the intersection of location and department determine the span of control for the HR Administrator. The HR Administrators were given access to the combinations of locations and departments within their span of control, except for the HR department.
The snapshots below show the configuration.
Snapshot of the Configuration
- Custom Security Access Type 102 within Security Set PPLJOB.
- Screenshot of Security by Permission List using the custom Security Access Type 102.
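
The union behaviour described under Business Issue and the combined-key approach of the custom type can be compared in a small model. This is an added example, not PeopleSoft code or SOAIS's configuration: the employee data, the business unit values, and the way each access type's key is modelled are constructed assumptions.

```python
# Simplified model of row-level security evaluation; not PeopleSoft code.
# Constructed sample data: employee IDs, business units, locations, departments.
EMPLOYEES = [
    {"emplid": "E1", "bu": "US001", "location": "A", "deptid": "SALES"},
    {"emplid": "E2", "bu": "US001", "location": "A", "deptid": "HR"},
    {"emplid": "E3", "bu": "US001", "location": "C", "deptid": "B"},
    {"emplid": "E4", "bu": "CA001", "location": "D", "deptid": "SALES"},
]

# Each access type is modelled by the job fields that make up its key (assumption).
ACCESS_TYPES = {
    "Job Location": ("location",),
    "Job Deptid Non Tree": ("deptid",),
    "Custom 102": ("bu", "location", "deptid"),
}


def visible(grants, employees=EMPLOYEES):
    """Union semantics: an employee is visible if ANY grant row matches."""
    ids = set()
    for emp in employees:
        for access_type, key in grants:
            fields = ACCESS_TYPES[access_type]
            if tuple(emp[f] for f in fields) == tuple(key):
                ids.add(emp["emplid"])
                break
    return ids


def combo_grants(bu, locations, excluded_depts=("HR",), employees=EMPLOYEES):
    """Build one Custom 102 grant row per (location, department) pair that
    exists in the given locations, skipping the excluded departments."""
    pairs = {
        (e["location"], e["deptid"])
        for e in employees
        if e["bu"] == bu and e["location"] in locations
        and e["deptid"] not in excluded_depts
    }
    return [("Custom 102", (bu, loc, dept)) for loc, dept in sorted(pairs)]


def overexposed(grants, forbidden_dept="HR", employees=EMPLOYEES):
    """Audit check: visible employees who belong to the forbidden department."""
    seen = visible(grants, employees)
    return sorted(e["emplid"] for e in employees
                  if e["emplid"] in seen and e["deptid"] == forbidden_dept)


DELIVERED = [("Job Location", ("A",)), ("Job Deptid Non Tree", ("B",))]
CUSTOM = combo_grants("US001", {"A"})
```

With the two delivered types, the grant on location A exposes the HR employee E2 and the grant on department B exposes E3 in another location; with the combined key, only E1 is visible.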