Resources‎ > ‎

Security


Users

In order to use PeopleSoft, employees need to be set up as users with the appropriate roles. This is done by the CRC. When your organization originally went live with PeopleSoft, you submitted to the CRC a spreadsheet of all users (separate lists for Finance and HCM). On your spreadsheet you included the employee's name, ID, email address, and roles to assign. These users were loaded into Production, validated by the CRC, and able to log in and work on the day of Go Live.

How Users Are Created (Nightly Process)

Now that you are live on PeopleSoft HCM, here is how users are created. After you enter job data in HCM, two scheduled jobs run at night to create user accounts and assign basic roles. These jobs are called M_HR_CRT_ID and DYNROLE_PUBL. The next day the employee can log into ESS. Please note that if the employee will use Finance or HCM, you need to submit a HEAT ticket with the requested role assignments.

How Users Are Created

You will need to notify the CRC (HEAT Ticket) when a user needs to be inactivated. Please see Section 4 "When to Submit a HEAT Ticket" for more information.

Roles

Role Descriptions (Excel)

Roles allow a user to access certain pages, reports, and queries. Refer to these files for descriptions of each role: Finance Roles v5.0.xlsxHCM Roles v5.0.xlsx. To download these files to Excel, please scroll to the bottom of this page and use the red arrow (download) for the desired file.

Basic Roles

Everyone gets 2 basic roles:
  • M_EMPLOYEE: Gives to access to view paycheck, and
  • M_EE_XXX: The permissions in this role are district-specific. XXX = District #.
    For example, 099 has it configured so employees use ESS for Absence Requests, Personal Information, Benefits Information Viewing, and Travel & Expenses; 022 has Personal Information and Absence Requests.
Basic Roles

Common Finance Roles

PeopleSoft Finance users need to be assigned Finance roles. Here are some common Finance roles. "INQUIRY" means Read Only.
  • M_SEC_CF_NOCASH: Provides ChartField security to enter transactions (if you don’t have this role you can navigate to a page to which you have access but you can’t save an entered ChartField)
  • M_KK_INQUIRY: To view budget screens and reports
  • M_PO_REQUESTER: To create requisitions
  • M_PO_INQUIRY: To view POs
  • M_GL_CREATE_JOURNALS: To create GL journal entries
  • M_QUERY VIEW: To run queries based on your role assignment

Common HCM Roles

PeopleSoft Human Capital Management (HCM) users need to be assigned HCM roles. Here are some common HCM roles. "RDO" means Read Only; in HCM each role has an RDO version.
    • M_HR_SPECIALIST: To enter personal data and job data (and more)
    • M_HR_SPECIALIST_RDO: To view personal data and job data (and more)
    • M_HR_PERSONAL_DATA: To enter personal data but not job data
    • M_PAYROLL_ADMINISTRATOR: All access that Payroll Specialist has, but includes access to the Payroll Query Tree, DBT, and Combo Code Table.
    • M_TL_TIMEKEEPER: Data entry for Timekeepers.
    • M_QUERY VIEW: To run queries based on your role assignment

    Queries to Audit Security

    Here are queries you can use to check employees' roles and workflow setup. 

    M_USER_ROLES (HCM, FIN)
    In both PeopleSoft HCM and Finance you can run the query called M_USER_ROLES. Look in the “Role Name” column to see the roles that each employee has. If the employee is set up in both HCM and Finance, you will need to run the query in both environments to view those roles. You must have the M_HR_SPECIALIST role to run this query in HCM and the M_KK_INQUIRY role to run it in Finance.

    M_WF_ALL_ROUTING (FIN)
    In PeopleSoft Finance you can run the query called M_WF_ALL_ROUTING to see the approvers and routing. You must have any M_WF_ role (an approval role) to run this query in Finance. NOTE: To review HCM workflow, run the HCM query called M_USER_ROLES and filter by Approver roles. For Personnel Action Form routing, look for M_WF_ roles.

    M_SEC_ROLE_NAVIGATION
    In both PeopleSoft HCM and Finance you can run the query called M_SEC_ROLE_NAVIGATION. It will include a role's components and navigations.
    M_SEC_ROLE_NAVIGATION
    • Role Name %: Look up the role name. Search for the ones that begin with “M_” only.
    • Component %: Enter a % in Component to return all values. A component is a collection of related pages or tabs (Advanced users – go to Ctrl + Shift + J on a page to see the Component name.)

    When to Submit a HEAT Ticket

    New Employee - Addition of Roles

    If a new employee needs to be assigned Finance or HCM roles, submit a HEAT ticket with the requested role assignments. An authorized staff member from your organization must submit this ticket to document that this change is approved.

    Employment Status Change - Addition or Removal of Roles

    When an employee's employment status changes (leaves the district, new position, etc.) an authorized staff member from your organization needs to submit a HEAT ticket to request the addition or removal of roles. It is very important that roles are removed when they should no longer be assigned. NOTE: If the employee handles approvals, please note that the routing needs to be reassigned to another employee prior to the removal of roles.

    Examples

    Example 1 - Position Change: Employee works at District A and has 10 HCM roles assigned to him. He changes positions within District A and needs 2 HCM roles removed. District A needs to submit a HEAT ticket indicating which roles need to be removed.

    Example 2 - Employee Leaves District: Employee works at District A and has 10 HCM roles assigned to him. He will no longer work for District A. District A needs to submit a HEAT ticket to indicate that the employee has left and the PeopleSoft access needs to be removed. NOTE: If the employee handles approvals, indicate in the ticket the name and ID of the user who will assume the approvals; this needs to be done prior to the removal of roles. The CRC will: (1) Log into HCM and Finance and removes all roles, (2) leave the Primary Permission list as is, and (3) leave M_EMPLOYEE role so the employee can still view paychecks in ESS. If you want the employee to have no access at all, please indicate that you would like the CRC to lock the account (cannot view paychecks).

    Example 3 - Employee Leaves District and Moves to Another PeopleSoft District: Employee leaves District A and is now employed by District B. District A submitted a HEAT ticket to remove permissions from the user. District B needs to submit a ticket to grant permissions to the user and specify which roles and approval routing (in case they need to be an approver) are needed.
     

    Password Resets

    Password resets can be handled by the user (employee) or by authorized district staff.

    Self-Service Password Reset

    All users are capable of resetting their own PeopleSoft passwords. First, the user must set up a security question and verify the user email address. This is done from the Portal Main Menu or Employee Self-Service Main Menu on the My Profile screen. Then, if a password is forgotten, the user can click Forgot My Password from the Portal login or ESS login screen. Upon entering the User ID and answering the security question, a new temporary password will be emailed to the user's email address. Please refer to the Employee Self-Service Guide for full directions.

    Forgot My Password

    Authorized District Staff (M_SECURITY_LEVEL1)

    Each organization has a set of staff capable of resetting PeopleSoft passwords. In order to reset a user’s password, these staff must be authorized to perform this task and be assigned a PeopleSoft role called M_SECURITY_LEVEL1. Level 1 Security represents password resets only, and not other security functions. Password resets are done through PeopleSoft Portal only (not HCM or Finance).

    If you are responsible for resetting passwords for your district or charter school, a job aid is available upon request (not posted online). It describes how to use the Distributed User Profile screen in PeopleSoft Portal to reset a password and flag the account to require that a new password is created upon login. It also explains how to walk an employee through the “Forgot My Password” setup. For more information, please the CRC at 800-289-1500.
    Ĉ
    Peyri Herrera,
    Aug 17, 2016, 2:15 PM
    Ĉ
    Peyri Herrera,
    Aug 17, 2016, 2:16 PM
    ć
    Peyri Herrera,
    Aug 17, 2016, 4:28 PM