What are Dynamic Roles in PeopleSoft?

Roles that get assigned programmatically to users are called Dynamic Roles in PeopleSoft.

These can be very useful in helping the security administrator assign/unassign roles to a large number of users and even automate the whole process.

On the other hand, you can also have static members who are manually assigned to a role.

Dynamic Rules

PeopleSoft offers three ways by which Roles can be dynamically assigned to User profiles.
These are PeopleSoft Query, PeopleCode, and Lightweight Directory Access Protocol (LDAP).

The security admin can use a combination of PeopleSoft Query and PeopleCode, or PeopleSoft Query and Lightweight Directory Access Protocol (LDAP) to arrive at the list of users who will be assigned the role.

Query Rule

The query rule is the most common one and uses a PeopleSoft Query to select the users that will be assigned the role.

The PS Query you create for this purpose should be a Role Query and should return OPRIDs.

You can take inspiration from the delivered ALL_USERS query to build your own Role Query.

PeopleCode Rule

This option allows you to specify a record, field, event, and function associated with the role rule.
Your rule function should populate the %RoleDynamicMembers array with the required users to be assigned the role.

Here’s a basic example of how this can be done.

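Function RxDynRole()
   Local SQL &sqlUsers;
   Local string &sUserID;

   /* Select the OPRIDs that should become dynamic members of the role */
   &sqlUsers = CreateSQL("SELECT OPRID FROM PSOPRDEFN WHERE <some condition>");
   While &sqlUsers.Fetch(&sUserID)
      /* Every OPRID pushed here is assigned the role when the rule is executed */
      %RoleDynamicMembers.Push(&sUserID);
   End-While;
End-Function;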

Directory Rule

This rule uses the Directory business interlink to retrieve user and group information from the directory.

When the Directory rule is selected, PeopleCode Rule gets enabled as well and the DynRoleMembers function in FUNCLIB_LDAP.OPRID.FieldFormula is selected. This is how the directory rule is implemented.


Adding Dynamic Role to All Users

For adding a Dynamic role to all users, select the Query Rule Enabled checkbox and use the delivered ALL_USERS query.

Execute the Rules.

The ALL_USERS query returns all users from the PSOPRDEFN table, so the role will be dynamically assigned to every user.

Removing All Dynamic Members

For removing all Dynamic members from a Role, select the Query Rule Enabled checkbox and use the delivered NO_USERS query.

Execute the Rules.

The query NO_USERS doesn’t return any users, so all the dynamic members would be unassigned.

PeopleSoft Dynamic Role Process

You can execute dynamic roles from three pages in PeopleSoft based on what roles need execution and who the rules are executed for.

Executing a single Role for all users

This is done from the Roles page as explained in the “Adding Dynamic Role to All Users” section.
Nav: PeopleTools > Security > Permissions and Roles > Roles | Dynamic Members tab

Executing all Roles assigned to a single user

This is done from the User profile page.

All Dynamic roles that the user is part of will be executed.
This will result in other qualifying users being assigned/unassigned these roles as well.

Nav: PeopleTools > Security > User Profiles | Roles tab


Executing all Roles for all users

This is done from the Run Dynamic Role Rules page.

All Dynamic roles in the system would be executed when run from this page.

Nav: PeopleTools > Security > Permissions and Roles > Run Dynamic Role Rules


Scheduling the Dynamic Role Process

When the dynamic roles process is executed, it publishes the ROLESYNCHEXT_MSG message and the subscription PeopleCode assigns the role to users.

However, depending on the use case, this might not be a once-off event – you might want to have new users (who get created down the line) taken care of too.

So the security admin will need to schedule the DYNROLE_PUBL App Engine process to run periodically.

You can add the PRCSMULTI component on the Process Definition Options page of the DYNROLE_PUBL App Engine.
This will allow it to be run from the System process request page.

When you run it from this page, use an appropriate Recurrence to achieve the frequency that suits you.

Troubleshooting – Dynamic Role not assigned

Check that the rule is returning the affected OPRID

If it’s a Query rule, add the OPRID in question to the where clause and run the SQL to check if it’s returning the expected row.
If other rules are used, check the logic in a similar fashion to ensure that the OPRID is returned.
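
The check described above can be extended into a reconciliation of the rule's output against actual role membership. This is an added example, not code from the original article. It assumes a hypothetical role RX_DYN_ROLE, a hypothetical rule condition (ACCTLOCK = 0) and a placeholder user JDOE, and it reads the PeopleTools PSROLEUSER table, which the article does not mention.

```sql
-- Assumptions (not from the article): role RX_DYN_ROLE, user JDOE and the
-- rule condition ACCTLOCK = 0 are placeholders. Substitute the SQL of your
-- own Role Query for the PSOPRDEFN condition in every statement.

-- 1. Does the rule return the affected OPRID?
SELECT o.OPRID
  FROM PSOPRDEFN o
 WHERE o.ACCTLOCK = 0                 -- hypothetical rule condition
   AND o.OPRID = 'JDOE';

-- 2. How does the user hold the role today?
--    DYNAMIC_SW = 'Y' is a dynamic member, 'N' is a static (manual) member.
SELECT ru.ROLEUSER, ru.ROLENAME, ru.DYNAMIC_SW
  FROM PSROLEUSER ru
 WHERE ru.ROLENAME = 'RX_DYN_ROLE'
   AND ru.ROLEUSER = 'JDOE';

-- 3. Drift across all users for this role.
--    MISSING: returned by the rule but not yet a member
--             (rules not executed, or DYNROLE_PUBL not scheduled).
--    STALE:   still a dynamic member although the rule no longer
--             returns the user (access that should have been removed).
SELECT o.OPRID AS OPRID, 'MISSING' AS STATUS
  FROM PSOPRDEFN o
 WHERE o.ACCTLOCK = 0                 -- hypothetical rule condition
   AND NOT EXISTS (SELECT 1
                     FROM PSROLEUSER ru
                    WHERE ru.ROLENAME = 'RX_DYN_ROLE'
                      AND ru.ROLEUSER = o.OPRID)
UNION ALL
SELECT ru.ROLEUSER AS OPRID, 'STALE' AS STATUS
  FROM PSROLEUSER ru
 WHERE ru.ROLENAME = 'RX_DYN_ROLE'
   AND ru.DYNAMIC_SW = 'Y'
   AND NOT EXISTS (SELECT 1
                     FROM PSOPRDEFN o
                    WHERE o.OPRID = ru.ROLEUSER
                      AND o.ACCTLOCK = 0)   -- same hypothetical condition
 ORDER BY STATUS, OPRID;
```

An empty result from the third statement means membership matches the rule; STALE rows are the ones to review first, since they represent access the rule no longer grants.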

Check if the DYNROLE_PUBL App Engine process is scheduled

It is important to schedule this process so that new users are assigned the dynamic role.

Check the status of ROLESYNCHEXT_MSG message

The DYNROLE_PUBL App Engine publishes the ROLESYNCHEXT_MSG message. It is the subscription PeopleCode that actually adds the role to the user.
