3 of 22

Why should we perform PS security audit?

Your organization is responsible for its PeopleSoft users. Conduct an audit of security for the following reasons:

To know which employees (users) have access to which information.
To identify if any changes need to be made to users’ roles (addition/removal).
To ensure that terminated employees do not have roles assigned.

4 of 22

How Users are Created

= District

= PS Support

KEY

Enter job data in HCM.

1:00 AM: FOR EMPLOYEES WITH NO USER ID�The M_HR_CRT_ID job runs nightly at 1 am to create the basic user profile and assign the M_EMPLOYEE role.

User ID – Pulls from Personal Information
Description – Pulls from Personal Information
Email address – Pulls from Personal Information
Assigns M_EMPLOYEE role and Primary Permission List (district #)
Assigns the default temp password (First 4 of LAST NAME IN CAPS + Last 4 of SSN)

1:15 AM: FOR ALL ACTIVE EMPLOYEES�The DYNROLE_PUBL process runs at 1:15 am for all active employees and assigns the M_EE_XXX role (where XXX is the district #).

NOTE: After the 1:00 and 1:15 processes, a new employee can log into PeopleSoft ESS (to view paycheck, for example) and Portal with the default temporary password.

If the user will need to use Finance or HCM,�you (your organization’s PeopleSoft contact) submit a ServiceNow Ticket with the requested role assignments.

5 of 22

User Profiles Screen: General Tab

6 of 22

User Profiles Screen: Descriptions

1	User ID	Same value as Empl ID. The User ID is used to log into PeopleSoft Portal and ESS.
2	Description	This is the employee's name but is not the same field as the name in Personal Information; the value may or may not be the same.
3	Account Locked Out?	Only PeopleSoft Support can lock accounts. Typically, the only employees with locked accounts are those who should not be allowed to access even PeopleSoft Employee Self-Service (ESS) to view a paycheck.
4	Password	Used to log into PeopleSoft Portal and ESS.
5	Email address (user)	The User email address (not the same field as the one entered in HR Personal Information) is where the system sends routing/workflow email notifications, absence approval emails (Manager), and password reset emails. IMPORTANT: Employees can edit their User Email Address in Portal or ESS > Nav Bar > My Profile. Anyone who resets passwords for your organization can also edit this using the Distributed User Profiles screen.
6	Primary Permission List	Defines which district’s data the user can see. All users need this value filled in. Example: M_SEC_BU_02000 for District 20
7	Row Security	Defines which district’s data the user can see. Only HCM users need this value filled in. Exception: If your organization uses ESS Personal Info, employees will need Row Security. Example: M_TL_020_ALL to see all employees at District 20

7 of 22

User Profiles Screen: Roles Tab

Roles Roles define which screens, reports, and queries the user can access. Basic roles that every employee is given: M_EMPLOYEE: Gives access to view paycheck. M_EE_XXX: A dynamic role. The permissions in this role are district-specific. XXX = District #

8 of 22

Sample Support Tickets associated with the User Profile

“The employee’s name doesn’t show correctly in PeopleSoft.”
“The employee doesn’t want her middle name to show in PeopleSoft.”
Likely the user is seeing their name pulling from the User Description (not what’s entered in Personal Information). User Description appears on Workflow screens and on 2 screens within ESS (My Profile, Change Password). PeopleSoft Support can change the Description, if desired – enter a ServiceNow ticket.

Description (User’s Name):

“The employee’s workflow isn’t going to his email account.”
“The employee cannot use Forgot My Password functionality.”
The user should verify/enter the User Email Address from ESS > My Profile.

Email Address:

“I can’t get to the Job Data screen.” This indicates that the necessary role is not assigned to the user.

Roles:

“I can get to the Job Data screen but I can’t find anyone.” This indicates that the role is assigned but the Row Security is not.
“I am responsible for resetting passwords for my district and I can’t find Employee 123456.” This might be because Employee 123456 changed districts or is employed at multiple districts and the employee’s Primary Permission List is set to the other district. You can only find users with the same Primary Permission List as you. PeopleSoft Support can update the user’s Permission List values.

Primary and Row Security:

9 of 22

Identifying a User’s Roles

Query: M_USER_ROLES

In both PeopleSoft HCM and Finance you can run the query called M_USER_ROLES. Look in the “Role Name” column to see the roles that each employee has. If the employee is set up in both HCM and Finance, you will need to run the query in both environments to view those roles.

To access the M_USER_ROLES query in Finance you must have the M_KK_ENTER_BUDGETS or M_KK_INQUIRY roles; in HCM you must have the M_HR_SPECIALIST or M_HR_SPECIALIST_RDO roles.

10 of 22

Where can I learn more about each Role?

https://crc.sdcoe.net/resources/security

11 of 22

Role Combinations That Add Risk (HCM)

12 of 22

Role Combinations That Add Risk (FIN)

13 of 22

New Hires (Onboarding)

Does your organization have a process in place to review a new hire’s roles (inherited from another PeopleSoft organization)?

When an employee joins your organization, here is the recommended process:

Use the M_USER_ROLES query in HCM and/or FIN to review the user’s existing roles, if any.
If roles need to be added or removed, or if workflow needs to change, submit a ServiceNow ticket with the request.
PeopleSoft Support will:

Log into HCM and Finance and add/remove specified roles, and update workflow, if necessary
Update the Primary Permission list (and Row Security for HCM, if necessary)

The user should go to ESS > NavBar > My Profile and update/verify email address (this email is used for workflow and Forgot My Password)

14 of 22

Terminations (Off-boarding)

Does your organization have a process to request that roles are removed when an employee is terminated?

When an employee leaves your organization, here is the recommended process:

Submit a ServiceNow ticket to indicate that the employee has left and the PeopleSoft access needs to be removed.
PeopleSoft Support will:

Log into HCM and Finance and removes all roles
Leave the Primary Permission list as is
Leave M_EMPLOYEE role so the employee can still view paychecks in ESS

If you want the employee to have no access at all, please indicate that you would like PeopleSoft Support to lock the account (cannot view paychecks).

15 of 22

M_USER_ROLES Query

In both PeopleSoft HCM and Finance you can run the query called M_USER_ROLES to audit Roles, Primary Permission List, Row Security, and Locked Out Status.
If the employee is set up in both HCM and Finance, you will need to run the query in both environments.
The HCM results include “HR Status” (Active/Inactive).
To access the M_USER_ROLES query in Finance you must have the M_KK_ENTER_BUDGETS or M_KK_INQUIRY roles; in HCM you must have the M_HR_SPECIALIST or M_HR_SPECIALIST_RDO roles.

16 of 22

Roles (by Role Name)

Which PeopleSoft HCM and Finance roles does each employee have?

Sample pivot table (HCM query):

Run this for HCM or Finance.
Set up the pivot table as shown here.
Filter by Role Name to review each role.
This example is for looking at all of the employees who have the M_HR_SPECIALIST role.
Remember that the HCM query will include HR Status (Active, Inactive).

17 of 22

Roles (by Employee Name)

Which PeopleSoft HCM and Finance roles does each employee have?

Sample pivot table (HCM query):

Run this for HCM or Finance.
Set up the pivot table as shown here.
Review each employee’s roles.
Do any changes need to be made?
Are there any terminated employees who still have roles assigned?

18 of 22

SSN (National ID)

Q: Who can see SSNs?

A: The following 14 HCM roles can see SSNs:

M_CRED_DISTRICT
M_CRED_DISTRICT_RDO
M_HR_PERSONAL_DATA
M_HR_PERSONAL_DATA_RDO
M_HR_SPECIALIST
M_HR_SPECIALIST_RDO
M_HR_JOB_EDIT_ONLY
M_HR_JOB_RDO
M_PAYROLL_SPECIALIST
M_PAYROLL_SPECIALIST_RDO
M_PAYROLL_ADMINISTRATOR
M_PAYROLL_ADMINISTRATOR_RDO
M_PAYROLL_CBO
M_PAYROLL_CBO_RDO

Alternative roles to use if the employee should not access SSNs:

M_HR_JOB_DATA: Job Data but no access to Personal Information screen
M_HR_JOB_EMPL_DATA: Employment Data link on Job Data screen only
M_HR_JOB_BENEFITS: Benefits Program Participation link on Job Data screen only
M_HR_PERSON_CONTACT: Contact Information tab on Personal Information screen only
M_HR_PERSON_REGIONAL: Regional tab on Personal Information screen only

19 of 22

Password Resets

Q: Who can perform password resets?

A: M_SECURITY_LEVEL1 role in HCM. This role allows for password resets using the Distributed User Profile screen in Portal (not HCM or Finance).

20 of 22

SecureAuth (VPN)

Q: Who has SecureAuth (VPN) access?

A: M_REMOTE_USER role. These are staff with SecureAuth access.

21 of 22

Locked out?

Q: Are any users locked out?

A: Use the M_USER_ROLES in HCM. Check User Locked Out (Column J).�If “Yes” this indicates a user account is locked. Typically, the only employees with locked accounts are those who should not be allowed to access even PeopleSoft Employee Self-Service (ESS) to view a paycheck.

Sample pivot table (HCM query):

1 of 22

2 of 22

3 of 22

4 of 22

5 of 22

6 of 22

7 of 22

8 of 22

9 of 22

10 of 22

11 of 22

12 of 22

13 of 22

14 of 22

15 of 22

16 of 22

17 of 22

18 of 22

19 of 22

20 of 22

21 of 22

22 of 22