Dynamic Roles in PeopleSoft
Why dynamic roles?
1) The assignment of roles to User Profiles based on your business rules.
2) These business rules run against system(s) to assign PeopleSoft access.
3) PeopleSoft security changes are applied automatically.
4) The dynamic role rule process removes and grants access to User Profiles.
PeopleTools > Security > Permissions & Roles > Roles (Dynamic Member Tab/Page).
There are three ways to execute your rules to find the dynamic role users:
o PS/Query
o LDAP Plug-in
o PeopleCode
PS/Query
1) Access is removed or granted based on the User Profile IDs retrieved by the query.
2) The logic that selects the dynamic role users is in the SQL of the query.
Note:
a) Use the PSOPRALIAS_VW or PSOPRALIAS record to create the dynamic role queries.
PSOPRALIAS stores the ID values corresponding to the various ID types. For example, it stores EMPLID for the Employee type and CUST_ID for the customer ID. This makes it easy to join tables based on the type of the user ID.
b) Don't use any bind variables in the role queries. They are not designed for resolving bind variables.
c) Use a DISTINCT clause in the SQL so that you always retrieve unique IDs only. Any duplicate will cause problems for the dynamic role assignment.
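The following is an added example, not code from the original page or from PeopleSoft: a dry run of a query-based role rule that checks for duplicate User Profile IDs and previews who would be granted or removed. The table JOB_DEMO, the sample rows, the FIN rule and all function names are constructed assumptions, and the PSOPRALIAS columns are a simplified stand-in run in SQLite.

```python
import sqlite3
from collections import Counter

# Constructed, simplified stand-ins (not the full PeopleSoft schema).
SCHEMA = """
CREATE TABLE PSOPRALIAS (OPRID TEXT, OPRALIASTYPE TEXT, EMPLID TEXT);
CREATE TABLE JOB_DEMO (EMPLID TEXT, EMPL_RCD INTEGER, DEPTID TEXT, EMPL_STATUS TEXT);
INSERT INTO PSOPRALIAS VALUES ('ALICE','EMP','1001'), ('BOB','EMP','1002'),
                              ('CAROL','EMP','1003'), ('ACME01','CUST',NULL);
INSERT INTO JOB_DEMO VALUES ('1001',0,'FIN','A'), ('1001',1,'FIN','A'),
                            ('1002',0,'FIN','T'), ('1003',0,'HR','A');
"""

# Hypothetical rule: active employees in department FIN.
# Literal values only, because role queries must not use bind variables.
ROLE_QUERY = """
SELECT {distinct} A.OPRID
FROM PSOPRALIAS A JOIN JOB_DEMO J ON J.EMPLID = A.EMPLID
WHERE A.OPRALIASTYPE = 'EMP' AND J.DEPTID = 'FIN' AND J.EMPL_STATUS = 'A'
"""

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def run_rule(conn, distinct=True):
    # Only the fixed keyword DISTINCT is substituted, never user input.
    sql = ROLE_QUERY.format(distinct="DISTINCT" if distinct else "")
    return [row[0] for row in conn.execute(sql)]

def duplicates(oprids):
    """User Profile IDs that the rule returned more than once."""
    return sorted(o for o, n in Counter(oprids).items() if n > 1)

def preview(conn, current_members):
    """Diff the rule result against the role's current dynamic members."""
    oprids = run_rule(conn)
    dupes = duplicates(oprids)
    if dupes:
        raise ValueError(f"rule returns duplicate IDs: {dupes}")
    selected = set(oprids)
    return {"grant": sorted(selected - set(current_members)),
            "remove": sorted(set(current_members) - selected)}

if __name__ == "__main__":
    conn = demo_db()
    # ALICE holds two active FIN jobs, so the join yields her twice without DISTINCT.
    print("duplicates without DISTINCT:", duplicates(run_rule(conn, distinct=False)))
    print("preview:", preview(conn, {"BOB"}))
```

Reviewing the grant and remove lists before the rule is executed shows exactly which User Profiles gain or lose the role.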
PeopleCode
1) Access is removed or granted based on the User Profile IDs pushed into the system array variable %RoleDynamicMembers.
2) This is used when the logic is complicated and cannot be retrieved by a query.
3) The logic that selects the dynamic role users is in a PeopleCode program; its location (record name, field name, event name, function name) should be provided on the dynamic members tab.
4) Use CreateSQL to fetch the OPRID values and push them into the system variable.
E.g.: %RoleDynamicMembers.Push(&Userid);
LDAP Plug-in
With a directory-based rule, you must assign directory groups. The PeopleCode Rule group box appears because directory rules are implemented using the DynRoleMembers PeopleCode program. This program uses the Directory business interlink to retrieve user and group information from the directory. To view the program, open the FUNCLIB_LDAP record in PeopleSoft Application Designer. Click Assign Directory Groups to select a particular directory group that exists in your LDAP server hierarchy. For example, if you have your LDAP server grouped by geographic region, your rule could assign a new self-service role to all users in the North America group. Use the Directory Group drop-down list box to select the appropriate directory group value. The values are derived from the LDAP data that you import using the Directory Group Import process.
Note:
When you click the Execute Dynamic Rules button, the DYNROLE_PUBL Application Engine program is executed.
This app engine program reads Dynamic Role Rules, executes the rules, and publishes the results. The messages are then subscribed to and the users are assigned to the appropriate roles. This program is designed to run in an asynchronous mode, via the process scheduler.
The DYNROLE_PUBL Application Engine does not update the database directly.
Integration Broker must be configured to handle Application Messaging.
The DYNROLE_PUBL Application Engine publishes messages to ROLESYNCH_MSG.