John Vaillancourt
Senior Director, Services and Solutions
Integrated Technology Services
San Diego County Office of Education
PeopleSoft Security Audit
Guiding Questions
Why should we perform PS security audit?
Your organization is responsible for its PeopleSoft users. Conduct an audit of security for the following reasons:
How Users are Created
Key: each step is marked as performed by the District or by PS Support.
Enter job data in HCM.
1:00 AM, FOR EMPLOYEES WITH NO USER ID: The M_HR_CRT_ID job runs nightly at 1 am to create the basic user profile and assign the M_EMPLOYEE role.
1:15 AM, FOR ALL ACTIVE EMPLOYEES: The DYNROLE_PUBL process runs at 1:15 am for all active employees and assigns the M_EE_XXX role (where XXX is the district #).
If the user will need to use Finance or HCM, you (your organization’s PeopleSoft contact) submit a ServiceNow Ticket with the requested role assignments.
User Profiles Screen: General Tab
User Profiles Screen: Descriptions
| # | Field | Description |
|---|-------|-------------|
| 1 | User ID | Same value as Empl ID. The User ID is used to log into PeopleSoft Portal and ESS. |
| 2 | Description | This is the employee's name but is not the same field as the name in Personal Information; the value may or may not be the same. |
| 3 | Account Locked Out? | Only PeopleSoft Support can lock accounts. Typically, the only employees with locked accounts are those who should not be allowed to access even PeopleSoft Employee Self-Service (ESS) to view a paycheck. |
| 4 | Password | Used to log into PeopleSoft Portal and ESS. |
| 5 | Email address (user) | The User email address (not the same field as the one entered in HR Personal Information) is where the system sends routing/workflow email notifications, absence approval emails (Manager), and password reset emails. IMPORTANT: Employees can edit their User Email Address in Portal or ESS > Nav Bar > My Profile. Anyone who resets passwords for your organization can also edit this using the Distributed User Profiles screen. |
| 6 | Primary Permission List | Defines which district’s data the user can see. All users need this value filled in. Example: M_SEC_BU_02000 for District 20 |
| 7 | Row Security | Defines which district’s data the user can see. Only HCM users need this value filled in. Exception: If your organization uses ESS Personal Info, employees will need Row Security. Example: M_TL_020_ALL to see all employees at District 20 |
User Profiles Screen: Roles Tab
Roles define which screens, reports, and queries the user can access.
Basic roles that every employee is given:
Sample Support Tickets associated with the User Profile
Description (User’s Name):
Email Address:
Roles:
Primary and Row Security:
Identifying a User’s Roles
Query: M_USER_ROLES
In both PeopleSoft HCM and Finance you can run the query called M_USER_ROLES. Look in the “Role Name” column to see the roles that each employee has. If the employee is set up in both HCM and Finance, you will need to run the query in both environments to view those roles.
To access the M_USER_ROLES query in Finance you must have the M_KK_ENTER_BUDGETS or M_KK_INQUIRY roles; in HCM you must have the M_HR_SPECIALIST or M_HR_SPECIALIST_RDO roles.
Where can I learn more about each Role?
Role Combinations That Add Risk (HCM)
Role Combinations That Add Risk (FIN)
New Hires (Onboarding)
Does your organization have a process in place to review a new hire’s roles (inherited from another PeopleSoft organization)?
When an employee joins your organization, here is the recommended process:
Terminations (Off-boarding)
Does your organization have a process to request that roles are removed when an employee is terminated?
When an employee leaves your organization, here is the recommended process:
M_USER_ROLES Query
Roles (by Role Name)
Sample pivot table (HCM query):
Roles (by Employee Name)
Sample pivot table (HCM query):
SSN (National ID)
Q: Who can see SSNs?
A: The following 14 HCM roles can see SSNs:
Alternative roles to use if the employee should not access SSNs:
Password Resets
Q: Who can perform password resets?
A: M_SECURITY_LEVEL1 role in HCM. This role allows for password resets using the Distributed User Profile screen in Portal (not HCM or Finance).
SecureAuth (VPN)
Q: Who has SecureAuth (VPN) access?
A: M_REMOTE_USER role. These are staff with SecureAuth access.
Locked out?
Q: Are any users locked out?
A: Use the M_USER_ROLES query in HCM. Check User Locked Out (Column J). If “Yes,” this indicates a user account is locked. Typically, the only employees with locked accounts are those who should not be allowed to access even PeopleSoft Employee Self-Service (ESS) to view a paycheck.
Sample pivot table (HCM query):
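The role and lockout questions in the Q&A slides above can also be answered from a CSV export of M_USER_ROLES rather than a pivot table. The script below is an added example, not part of the original presentation. Apart from "Role Name" and "User Locked Out", the column headers, the sample rows, and the check for locked accounts that still hold extra roles are assumptions of the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. "Role Name" and "User Locked Out" are the
# column names the page mentions; "User ID" and "Description" are assumed
# headers and every row is made up.
SAMPLE_EXPORT = """\
User ID,Description,Role Name,User Locked Out
100001,Ana Rivera,M_EMPLOYEE,No
100001,Ana Rivera,M_EE_020,No
100001,Ana Rivera,M_SECURITY_LEVEL1,No
100001,Ana Rivera,M_REMOTE_USER,No
100002,Lee Chen,M_EMPLOYEE,No
100002,Lee Chen,M_HR_SPECIALIST,No
100003,Sam Okafor,M_EMPLOYEE,Yes
100003,Sam Okafor,M_REMOTE_USER,Yes
"""

# Roles the page singles out, with the access it says they grant.
WATCHED_ROLES = {
    "M_SECURITY_LEVEL1": "password resets",
    "M_REMOTE_USER": "SecureAuth (VPN) access",
}

def is_basic(role):
    """Roles the nightly jobs give every employee (M_EMPLOYEE, M_EE_XXX)."""
    return role == "M_EMPLOYEE" or role.startswith("M_EE_")

def audit(export_text):
    """Pivot the export by user, then answer the review questions."""
    roles_by_user = defaultdict(set)
    locked = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["User ID"].strip()
        roles_by_user[user].add(row["Role Name"].strip())
        if row["User Locked Out"].strip().lower() == "yes":
            locked.add(user)
    holders = {role: sorted(u for u, held in roles_by_user.items() if role in held)
               for role in WATCHED_ROLES}
    # Added check (assumption): a locked account that still holds more than
    # the basic roles is a candidate for a role-removal ticket.
    leftover = {u: sorted(r for r in roles_by_user[u] if not is_basic(r))
                for u in sorted(locked)}
    leftover = {u: roles for u, roles in leftover.items() if roles}
    return {"holders": holders, "locked": sorted(locked), "leftover": leftover}

if __name__ == "__main__":
    for section, result in audit(SAMPLE_EXPORT).items():
        print(section, result)
```

If the employee is set up in both HCM and Finance, run it once per environment's export, since each query only returns that environment's roles.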
How to Get Started? Security Resources