PeopleSoft Security with Navigation Paths for a Permission List, Role or User

This SQL allows you to view permissions and the associated navigation.  You can provide a Permission List name, Role name or User ID, or any combination of the those items to filter your results.  You should be prompted for the bind variables when run in SQL Developer.  If not values are provided it would run for all users and permission lists in your environment, which I would not recommend.

This is something that comes in handy when reviewing or auditing a user's permissions and providing the relevant navigation makes a lot more sense to most people than providing just the menu and component would.  There would obviously be better, and more efficient, ways to report this information, but for a one-off request or troubleshooting I like the speed and flexibility of SQL.  This code can also be adapted into many other navigation and security queries. 


-- ALL NAVIGATION FOR A GIVEN SECURITY ROLE, CLASSID or USER
SELECT DISTINCT RC.ROLENAME, RC.CLASSID, AI.MENUNAME, AI.BARITEMNAME, MI.PNLGRPNAME, CRPATH.NAVPATH
,DECODE(AI.DISPLAYONLY, 0, 'N', 1, 'Y') AS "Display Only"
,CASE AI.AUTHORIZEDACTIONS
    WHEN 1 THEN 'Add'
    WHEN 2 THEN 'Update/Display'
    WHEN 3 THEN 'Add, Update/Display'
    WHEN 4 THEN 'Update/Display All'
    WHEN 5 THEN 'Add, Update/Display All'
    WHEN 6 THEN 'Update/Display, Update/Display All'
    WHEN 7 THEN 'Add, Update/Display, Update/Display All'
    WHEN 8 THEN 'Correction'
    WHEN 9 THEN 'Add, Correction'
    WHEN 10 THEN 'Update/Display, Correction'
    WHEN 11 THEN 'Add, Update/Display, Correction'
    WHEN 12 THEN 'Update/Display All, Correction'
    WHEN 13 THEN 'Add, Update/Display All, Correction'
    WHEN 14 THEN 'Update/Display, Update/Display All, Correction'
    WHEN 15 THEN 'Add, Update/Display, Update/Display All, Correction'
    ELSE 'SPECIAL' END AS "Authorized Actions"
FROM PSROLEUSER RU, PSROLECLASS RC, PSAUTHITEM AI
LEFT OUTER JOIN PSMENUITEM MI
  ON MI.MENUNAME = AI.MENUNAME
  AND MI.BARNAME = AI.BARNAME 
  AND MI.ITEMNAME = AI.BARITEMNAME
LEFT OUTER JOIN 
 (SELECT CONTREFROOT, CONTREFURISEG2, CONTREFURISEG3, LISTAGG(PORTAL_LABEL,' > ') WITHIN GROUP (ORDER BY CBLEVEL DESC) AS NAVPATH 
  FROM (
    SELECT LEVEL AS CBLEVEL
    , CONNECT_BY_ROOT PR.PORTAL_OBJNAME AS CONTREFROOT
    , CONNECT_BY_ROOT PR.PORTAL_URI_SEG2 AS CONTREFURISEG2
    , CONNECT_BY_ROOT PR.PORTAL_URI_SEG3 AS CONTREFURISEG3
    , CASE WHEN PR.PORTAL_LABEL = ' ' THEN '[no label]' ELSE PR.PORTAL_LABEL END AS PORTAL_LABEL
    FROM PSPRSMDEFN PR
    START WITH PR.PORTAL_REFTYPE = 'C'
      AND PR.PORTAL_NAME = 'EMPLOYEE'  -- PORTAL NAME     
      AND PR.PORTAL_CREF_USGT = 'TARG'
    CONNECT BY NOCYCLE PRIOR PR.PORTAL_PRNTOBJNAME = PR.PORTAL_OBJNAME
      AND PR.PORTAL_NAME = 'EMPLOYEE') 
    GROUP BY CONTREFROOT, CONTREFURISEG2, CONTREFURISEG3
 ) CRPATH
 ON CRPATH.CONTREFURISEG2 = MI.PNLGRPNAME
WHERE 
-- THESE ARE THE PROMPTED VALUES
(RU.ROLEUSER LIKE coalesce(:roleuser,'%') and RC.ROLENAME LIKE coalesce(:rolename,'%') AND RC.CLASSID LIKE coalesce(:classid,'%'))
AND AI.CLASSID = RC.CLASSID
AND RC.ROLENAME = RU.ROLENAME
ORDER BY RC.ROLENAME, RC.CLASSID, AI.MENUNAME, AI.BARITEMNAME, MI.PNLGRPNAME;

Comments

Post a Comment

Popular posts from this blog

PeopleSoft PUM Image Maintenance

Image
The PeopleSoft PUM Image VMs seems to work pretty well once installed.  There is very little maintenance that I have had to perform on these environments and I can always start over by rebuilding the VM if I really break something.  Still, there have been some small issues recently that have required digging into the these environments so here are some notes to help. Database Administration The Oracle Database runs within the same VM and can be accessed using TNS with SQLPlus, SQL Developer, or most other Oracle-compatible tools.  However, I recently needed to make some adjustments to the SYSADM privileges.  For this I needed to connect as SYSDBA. 1. Login to the VM as root   (this account was setup when you installed the image) 2. Switch to the oracle  account.  This is the database owner. su - oracle 3. You then need to know the database name to connect to.  The easiest way is to look for the pmon process.  In the example be...
Read more

Getting Client IP Address in PeopleSoft

When running PeopleSoft behind a load balancer the client IP address is sometimes not reported correctly on the PSACCESSLOG table, or when using the built-in PeopleCode functions.  This definitely occurs when using Netscaler, as this is what I have the most experience with and what I have had others ask about, but other load balancer products may cause the same behavior. To get an accurate IP address you must configure the load-balancer to pass this information, which can be done using the HTTP header "X-forwarded-for".  Here is some information on Netscaler.  Refer to your load balancer documentation for details on this setup. https://docs.citrix.com/en-us/netscaler/10-1/ns-tmg-wrapper-10-con/ns-lb-wrapper-con-10/ns-lb-advancedsettings-con/ns-lb-advancedsettings-cip-tsk.html Once the load balancer is configured use PeopleCode to read the header for the actual client IP address.  You can create your own access log tables or write conditional logic based on the...
Read more

Records in a PeopleSoft Component

This simple SQL can be used to identify the records that are used behind an online PeopleSoft component.  Sometimes you just need to look at the data, sometimes you need to write scripts to manipulate or export the data.  The code below includes only the SQL Table and SQL View record types and filters out records and fields that are only related-display. Yes, you could open App Designer to find the pages and records within the component, but I wanted a quicker way that would show only the records most likely to contain the data.  I especially do not want to parse through the numerous temp tables and work records that will show up in App Designer for some components. This should work on Oracle databases.  It has bind variables to accept the component name as input so you may need to replace or pass the values, depending on your SQL tool. There are several ways to find the component name while online, if you need to.  In some environments Ctrl+Shift+J may wo...
Read more