Peoplesoft integration

The ObserveID Peoplesoft integration communicates with the Peoplesoft Human Capital Management system, version 9.2, using the Oracle Data Provider for .NET. The ObserveID administrator can configure it to operate in either mode: as a read-only data feed or as a read-write integration. The mode determines the number of integration operations available and the area they apply to. A read-only Peoplesoft integration best fits the concept of the HR Source and feeds the account information to identity creation. For a read-write integration, provisioning can be implemented through such operations as account creation, account deletion, lock and unlock, and others.

Peoplesoft is a comprehensive business and industry solution that enables organizations to increase productivity, accelerate business performance, and provide a lower cost of ownership. This section describes how to set up the integration with Peoplesoft, how to configure it, and what makes up the schema of the Peoplesoft Integration Data.

In this section:

  • Overview
  • Peoplesoft integration operations: READ-ONLY
  • Peoplesoft integration operations: READ-WRITE
  • Setup of Peoplesoft integration
  • First load of data from Peoplesoft target
  • Coding integration rules

Overview

The Peoplesoft integration allows one to create identities from the integration data or to establish provisioning and manage Peoplesoft accounts. From the high-level perspective, the following Integration Data is retrieved from Peoplesoft:

  • Accounts with assigned entitlements;
  • Roles with implicit permissions;
  • Properties attributed to accounts, roles, permissions and the resource.

To create a Peoplesoft integration in ObserveID and get it ready for use, the base setup and configuration flow includes the following steps:

  1. Prerequisites must be implemented on Peoplesoft for ObserveID.
  2. Connection parameters must be set up on ObserveID for Peoplesoft.
  3. The first load of data from Peoplesoft to ObserveID should be completed.
  4. Coding integration rules according to the business case requirements is the final step before the system is ready.

Peoplesoft integration operations: READ-ONLY

A Peoplesoft Integration can perform the following operations on the Integration Data in the read-only mode:

Integration Operation

Used by

General description

Integration-Specific Requirements

Target Management

Pull Data

DataImport task, Identities Update, most workflows

Within the Peoplesoft integration, the Integration Data is imported from Peoplesoft to ObserveID.

For which Integration Data is fetched from the Peoplesoft target, refer to the schema of Peoplesoft integration data.

Correlation and Customization Rules can be configured to recognize the Identity for an account and the account type.

Refer to the requirements for Correlation and Customization Rules.

Test Connection

DataImport task

Checks whether there is a connection between ObserveID and the Peoplesoft target, for troubleshooting.

n/a

Access Detection

Detect Access

Audit Log report type of Analytics

The Peoplesoft integration can help one track the user’s sessions on the Target.

600 is the default period in seconds for the Consider Session Closed parameter.

User sessions detected on the Peoplesoft target can be compiled into a report.

The detected session records are provided with extra details:

  • system properties, such as: session ID, start/end time, account name, type, etc.
  • Peoplesoft-specific additional properties of the detected sessions

Peoplesoft integration operations: READ-WRITE

A Peoplesoft Integration includes the READ-ONLY operations and can also perform the following operations on the Integration Data in the READ-WRITE mode:

Integration Operation

Used by

General description

Integration-Specific Requirements

Account Management

Create Account

Permanent Access Request, Temporary Access Request

The Peoplesoft integration can create accounts.

It requires Additional Properties to be established for accounts. The Additional Properties are coded with Provisioning Rules.

Only capable of creating the “NON” class accounts. Affected tables are:

  • PSOPRALIAS
  • PSUSERATTR
  • PS_ROLEXLATOPR
  • PSVERSION
  • PSOPRDEFN

The Additional Properties mandatory on the creation of a Peoplesoft account are:

  • AccessId
  • DefaultNavigationHomePage
  • Description
  • OperatorClass
  • ProcessProfileClass
  • RowSecurityClass

For any Peoplesoft requirements on what account properties are required and/or allowed to be set, refer to Provisioning Rules.

Delete Account

Account Removal, the Finish action on Temporary Access Request

The Peoplesoft integration can delete accounts. The respective history records are stored for every Identity.

Affected tables:

  • PSOPRDEFN
  • PSUSEREMAIL
  • PSROLEUSER
  • PSOPRALIAS
  • PSUSERATTR
  • PS_ROLEXLATOPR
  • PSUSERPRSNLOPTN

Offboarding, Emergency Deprovisioning

When an Identity is terminated, their Peoplesoft account(s) are deprovisioned according to the Peoplesoft Leaver Rule.

During Identity Termination, the Peoplesoft integration Leaver Rule can set one of the following available options:

  • the Peoplesoft accounts can be locked;
  • the Peoplesoft accounts can be locked and deprovisioned of all or some Entitlements;
  • the Peoplesoft accounts can be deleted.

For coding the Peoplesoft Leaver Rule, refer to the Coding Integration Rules section below.

Lock Account

Privileged Unlock Request, Firecall Unlock Request

When the Peoplesoft integration unlocks and locks the Privileged or Firecall accounts, it sets the usage period for the account.

When a Peoplesoft account is locked, its ACCTLOCK flag is set in the PSOPRDEFN table.

Unlock Account

Privileged Unlock Request, Firecall Unlock Request

When a Peoplesoft account is unlocked, its ACCTLOCK flag is removed from the PSOPRDEFN table.

Update Account Additional Properties

 

 

Affected tables:

  • PSUSEREMAIL
  • PSVERSION
  • PS_ROLEXLATOPR
  • PSOPRDEFN

The Additional Properties allowed on the update of a Peoplesoft account are:

  • PrimaryEmail
  • BusinessEmail
  • WorkEmail
  • BlackberryEmail
  • HomeEmail
  • OtherEmail
  • OperatorClass
  • RowSecurityClass
  • AccessId
  • ProcessProfileClass
  • DefaultNavigationHomePage
  • UserIdAlias
  • Language
  • Currency
  • ExpertEntry
  • OperatorType
  • AllowSwitchUser

For which information can be displayed for a Peoplesoft account, refer to the schema of Peoplesoft integration data.

Grant Account Entitlements

Grant Account Entitlements

Permanent Access Request, Temporary Access Request, Manage Access

The Peoplesoft integration can assign an account with an entitlement.

The Peoplesoft entitlements that can be assigned are:

  • Roles

Revoke Account Entitlements

Manage Access

The Peoplesoft integration can revoke an entitlement from the account.

The Peoplesoft entitlements that can be revoked are:

  • Roles

Setup of Peoplesoft integration

The connection parameters specified below must be populated in ObserveID for the Universal Connector to connect to Peoplesoft as a Target. The connection parameters are established in: ObserveID > Identity Automation > Integrations > {specific Peoplesoft integration} > Details.

Peoplesoft integration config

| Connection parameter | Description |
|---|---|
| Environment Type | Environment the new integration pertains to. The Na option establishes no environment. |
| Integration Name | Automatically generated name for the new integration. The name is created by combining the Integration Type with what is established as Environment Type, Alternate Name, and Description for the new integration. |
| Alternate Name | Any preferred name for the new integration. |
| Description | Any valid text to differentiate one integration from another. This text is displayed in addition to the integration name in several UI elements in the system, e.g., dropdown lists. |
| Login Url | URL of the user interface for logging in to Peoplesoft. |
| Host name or IP address | Host name or IP address of the VM on which the Peoplesoft database is deployed. |
| Port | A port to use for the connection to the database. |
| Service Name | The TNS alias given to the database for incoming remote connections. |
| User | Username of the user that the Universal Connector uses for the connection. |
| Password | Password of the user that the Universal Connector uses for the connection. |
| Role | Role that would be used for the connection. |
| Peoplesoft tables prefix | |

Once the Details are filled out, click Save and then click Test Connection. Both should be successful; otherwise, use the Access Log to troubleshoot the configuration.

First load of data from Peoplesoft target

After the connection parameters are established for Peoplesoft in ObserveID and the connection test is successfully completed, the next step is the first load of data. It gives the systems an initial baseline from which deltas can later be determined and synchronized. For which data is loaded, refer to the schema of Peoplesoft integration data.

There is a DataImport task that is used to perform the first load, as well as other data imports since then.

The DataImport task is created for the Peoplesoft integration automatically when the integration is saved. If needed, a DataImport task can also be created manually in:

  • ObserveID > Identity Automation > Workflows

The DataImport task is considered to have finished successfully if the integration data (i.e. accounts, the resource, roles and additional properties) is imported and shows up for the Peoplesoft integration in ObserveID.

Coding integration rules

The integration rules are coded in C#, which lets the functional capabilities of the Peoplesoft integration be configured ad hoc to meet the requirements of a specific business case. In addition to flexibility, an essential factor of data management is the possibility of making it consistent across multiple systems in the organization’s infrastructure. The integration rules help to determine identity data from the Peoplesoft integration.

Below, with the Dependable variables \ parameters as examples, the IT manager can understand how to define the integration and identity data. Rule requirements differ for a READ-ONLY HR Source integration and a READ-WRITE integration.

Functional area

Integration Rules

Description

Dependable variables \ Parameters

Identity correlation

Correlation Rule for READ-ONLY

Not needed.

n/a

Correlation Rule for READ-WRITE

The name properties of the Peoplesoft account can be compared with the name properties of the Identity, and thus, utilized for the correlation rule, unless business-driven needs require otherwise.

The correlation establishes the Identity as the owner of an account.

Identity’s Name

Peoplesoft account’s Name

Differentiating accounts by type

Customization Rule for READ-ONLY

Should set the User type for all Accounts imported from Peoplesoft.

n/a

Customization Rule for READ-WRITE

Given that Peoplesoft uses the name of the Identity for creating the login name of a Peoplesoft account, the name of the Identity is used for differentiating the Peoplesoft accounts by type.

Identity’s Name

Account Creation

Provisioning Rules for READ-ONLY

Not needed.

n/a

Provisioning Rules for READ-WRITE

Provisioning Rules set additional properties for the Peoplesoft accounts created or updated in ObserveID.

The following additional properties of a Peoplesoft account, in addition to the mandatory properties, can be set with the Provisioning Rules:

  • AccountCountry
  • Address1
  • Address2
  • Address3
  • AllowSwitchUser
  • Birthdate
  • BlackberryEmail
  • BusinessEmail
  • City
  • County
  • Currency
  • ExpertEntry
  • FirstName
  • FullName
  • HomeEmail
  • Language
  • LastName
  • MiddleName
  • Multilangual
  • NameInitials
  • NamePrefix
  • NameSuffix
  • NameTitle
  • OperatorType
  • OtherEmail
  • Postal
  • PreferredFirstName
  • PrimaryEmail
  • Sex
  • State
  • UserIdAlias
  • WorkEmail

Identity’s Name

Identity’s Email

Identity Termination

Leaver Rule

The Peoplesoft integration has no constraints on how the accounts should be deprovisioned when an Identity is terminated, and all Leaver Rule options are applicable.

The Leaver Rule defines how to treat the Peoplesoft accounts if an Identity gets terminated.

  • .LockAndRemoveAllEntitlements
  • Delete
  • .Lock
  • .TransferOwnership
  • .DoNothing
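
The Leaver Rule options above, together with the tables listed under Delete Account and the ACCTLOCK flag in PSOPRDEFN, can be checked after an offboarding run. The following is an added example, not ObserveID or Peoplesoft code: it audits a terminated user's rows against the chosen option, using SQLite with constructed rows in place of the Oracle database. The key column names (OPRID, ROLEUSER, ROLENAME), the value 1 for a set ACCTLOCK flag, and the function names are assumptions.

```python
import sqlite3

# Tables the page lists under Delete Account, mapped to the column holding the
# user ID. Column names are assumptions about the PeopleSoft schema.
DELETE_TABLES = {
    "PSOPRDEFN": "OPRID", "PSUSEREMAIL": "OPRID", "PSROLEUSER": "ROLEUSER",
    "PSOPRALIAS": "OPRID", "PSUSERATTR": "OPRID", "PS_ROLEXLATOPR": "OPRID",
    "PSUSERPRSNLOPTN": "OPRID",
}

def leaver_findings(conn, oprid, option):
    """List deviations from the state the given Leaver Rule option should leave."""
    if option == "Delete":
        findings = []
        for table, col in DELETE_TABLES.items():
            sql = f"SELECT COUNT(*) FROM {table} WHERE {col} = ?"
            count = conn.execute(sql, (oprid,)).fetchone()[0]
            if count:
                findings.append(f"{table}: {count} row(s) remain")
        return findings
    sql = "SELECT ACCTLOCK FROM PSOPRDEFN WHERE OPRID = ?"
    row = conn.execute(sql, (oprid,)).fetchone()
    if row is None:
        return ["PSOPRDEFN: account missing"]
    findings = []
    locking = option in ("Lock", "LockAndRemoveAllEntitlements")
    if locking and row[0] != 1:  # assumption: a set flag is stored as 1
        findings.append("PSOPRDEFN: ACCTLOCK not set")
    if option == "LockAndRemoveAllEntitlements":
        roles = [r[0] for r in conn.execute(
            "SELECT ROLENAME FROM PSROLEUSER WHERE ROLEUSER = ? ORDER BY ROLENAME",
            (oprid,))]
        if roles:
            findings.append("PSROLEUSER: roles remain: " + ", ".join(roles))
    return findings

def build_sample_db():
    """Constructed sample rows in SQLite, standing in for the Oracle database."""
    conn = sqlite3.connect(":memory:")
    extra_cols = {"PSOPRDEFN": ", ACCTLOCK INTEGER", "PSROLEUSER": ", ROLENAME TEXT"}
    for table, col in DELETE_TABLES.items():
        conn.execute(f"CREATE TABLE {table} ({col} TEXT{extra_cols.get(table, '')})")
    conn.executemany("INSERT INTO PSOPRDEFN VALUES (?, ?)", [("JDOE", 1), ("ASMITH", 0)])
    conn.executemany("INSERT INTO PSROLEUSER VALUES (?, ?)",
                     [("JDOE", "HR_CLERK"), ("ASMITH", "HR_CLERK")])
    conn.execute("INSERT INTO PSUSEREMAIL VALUES ('GONE1')")
    return conn

if __name__ == "__main__":
    print(leaver_findings(build_sample_db(), "ASMITH", "Lock"))
```

An empty list means the account's rows match the option; for TransferOwnership and DoNothing the function only confirms that the account still exists.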