Recently I was working on implementing Application Designer definition security in one PeopleSoft instance. Well, I read the PeopleBooks, applied past knowledge and found one severe drawback of using definition groups and primary permission lists as a way to restrict access to PeopleSoft objects via App Designer.
We know there are three rules through which definition security via definition groups is controlled. PeopleBooks says:
1. Is the definition type assigned to any definition group? If not, then anyone has update access to it. For this reason, you should add all definition types to at least one definition group.
2. Is the definition type a part of a definition group assigned to the user’s primary permission list? If not, the system denies access and displays a message, such as “definition_name is not a definition that you are authorized to access.”
3. Do all the definition groups of which the definition type is a member have the display-only option enabled? If so, then the system displays the message “definition_name is not a definition that you are authorized to update.” The definition type appears with the Save command disabled.
Now consider this:
You create different definition groups and primary permission lists to secure the object definitions and deploy that. However, when a new object is created in the application (by migration or explicit creation), that object is not added to any definition group by itself, and by rule 1 every user in the application gets full access to that object! There is no way to control that until you open a definition group and add that definition (and you have no idea what definition could have been added, or at what time).
In reality, the definition security concept by way of definition groups and primary permission lists has no meaning then.
Please post your comments.
More info coming up... keep following to know more areas of development Oracle should work upon.
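To make the gap concrete, here is an added example (my own model, not PeopleSoft code and not from the original post) that encodes the three quoted rules as an access check and lists the definitions that no group covers; the group, permission-list and definition names are constructed.

```python
# Added example: a model of the three definition-security rules quoted above.
# Not PeopleSoft code; group, permission-list and definition names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DefinitionGroup:
    name: str
    members: frozenset      # definitions the group contains
    display_only: bool = False


@dataclass(frozen=True)
class PermissionList:
    name: str
    groups: frozenset       # names of definition groups assigned to this primary PL


def access_level(definition, groups, primary_pl):
    """Return 'update', 'display' or 'denied', applying the rules in the quoted order."""
    containing = [g for g in groups if definition in g.members]
    if not containing:
        return "update"          # rule 1: in no group at all, so anyone may update
    if not any(g.name in primary_pl.groups for g in containing):
        return "denied"          # rule 2: none of its groups is on the user's primary PL
    if all(g.display_only for g in containing):
        return "display"         # rule 3: every group it belongs to is display-only
    return "update"


def unsecured_definitions(all_definitions, groups):
    """Admin check for the rule-1 gap: definitions that no definition group covers."""
    covered = set()
    for g in groups:
        covered |= g.members
    return sorted(set(all_definitions) - covered)


# Constructed sample data.
GROUPS = (
    DefinitionGroup("HR_RECORDS", frozenset({"JOB", "PERSON"})),
    DefinitionGroup("HR_FIELDS_RO", frozenset({"EMPLID"}), display_only=True),
)
ADMIN = PermissionList("PTADMIN", frozenset({"HR_RECORDS", "HR_FIELDS_RO"}))
DEVELOPER = PermissionList("DEVELOPER", frozenset({"HR_FIELDS_RO"}))
# A record migrated in after the groups were set up, so it sits in no group.
ALL_DEFINITIONS = ["JOB", "PERSON", "EMPLID", "ZZ_NEW_RECORD"]

if __name__ == "__main__":
    for d in ALL_DEFINITIONS:
        print(d, "admin:", access_level(d, GROUPS, ADMIN), "dev:", access_level(d, GROUPS, DEVELOPER))
    print("not covered by any group:", unsecured_definitions(ALL_DEFINITIONS, GROUPS))
```

Running the check after every migration, rather than opening each definition group by hand, is the kind of routine an admin would need to close the rule-1 gap.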
Normally there are dev, UAT and production environments.
In dev, there are a lot more developers who have access. If a developer wants to secure his objects, he can simply put them into groups and manage them. I understand it is not very convenient.
For UAT, the admin should manage all the objects migrated. The same applies to production.
Please post this question to the PeopleTools forum.
Dev box: if we open a definition group and try opening field/record type definitions, it takes around 5 minutes in a large customised application, which is very unfeasible to manage every time a new object is created, at a frequency of multiple times a day.
Prod instance: the above issue applies here too. Also, in usual circumstances developers have read-only access to all objects. Developments keep on happening and there are so many developers working in any organisation, so it's not feasible to open the definition groups and add the left-out objects every time a migration is sent. Apart from this, if a developer fails to report his newly created objects, the admin needs to check all 27 object types after a certain interval to make sure no objects are left out.
What I wish: if the first rule were avoided, in prod boxes we could make use of the **All Definitions** reference [I understand it's not a definition group] and grant display access to everyone else and full access to admins, and we would be done forever, never needing to intervene in this.