4 Replies Latest reply: Sep 10, 2013 4:55 AM by AK_Rev RSS

    Concepts Oracle should look upon --1) Definition Security

    AK_Rev

      Hi All,

       

      Recently i was working on implementing Application Designer definition security in one of PeopleSoft instance. Well, i read the peoplebooks, employed the past knowledge and found one severe drawback of using definition group and primary permission list as a way to restrict access to Peoplesoft objects via App D .

       

      We know there are three rules using which def security via definition group is controlled . Peoplebook says :

       

      1

      Is the definition type assigned to any definition group? If not, then anyone has update access to it. For this reason, you should add all definition types to at least one definition group.

      2

      Is the definition type a part of a definition group assigned to the user’s primary permission list? If not, the system denies access and displays a message, such as “definition_name is not a definition that you are authorized to access.”

      3

      Do all the definition groups of which the definition type is a member have the display-only option enabled? If so, then the system displays the message “definition_name is not a definition that you are authorized to update.”

      The definition type appears with the Save command disabled.

       

      Now consider this :

      You create different def groups and Primary PL's to secure the object definitions and deploy that. However, when a new object is created in the applications(by migration or explicit creation), that object is nt added to any definition group by itself and by the rule 1 , every user in application gets full access on that object !!!!!!!! and there is no way to control that until you open a def group and add that definition (and u hv no idea what definition could have been added and at what time) ........

       

      In reality the definition security concept by way of def group/Primary PL has no meaning then !!!!!

       

      Please post your comments .....

       

      More info coming up ...keep following to know more areas of development Oracle should work upon .

       

      Reg,

      AK