Tuesday, July 26, 2016

Definition Security Error "You are not authorized to access the definition XXXXXXX"

Ever wondered why you aren't allowed to run or modify a definition (Query, AE program, App Package) through PIA or Application Designer?

Let me share an incident with you. A few days ago, after the launch of a new security setup in PeopleSoft, I was trying to run a common query for a User Profile under the tab 'User ID Queries' in the component User Profile (Navigation: PeopleTools - Security - User Profiles - User Profiles), and to my surprise I got the following error:

You are not authorized to access the definition XXXXXXX

Here XXXXXXX is replaced by the name of whichever definition you are trying to access; it was PT_SEC_USER_ROLES in my case. My instinct said there was something wrong with my PS Query access, so I quickly checked it but didn't find anything unusual, i.e. I still had access to the Query Records and there was nothing suspicious in Query Properties either.

After hours of digging I found the root cause: the Query was protected through Definition Security (Navigation: PeopleTools - Security - Definition Security - Definition Groups).

In PeopleSoft we can add another level of security through Definition Security, which overrides the other security configurations on the definitions. For example, even if we have granted a user access to a CI (Component Interface) through a Role/PL (Permission List), the user will not have access to that CI unless the Definition Group setup also allows it through a PL.

When you open the Definition Groups component from the navigation given above and click on Search, all the defined definition groups are displayed. A new definition group can also be created from the given link.


When you click on one of the definition groups (PEOPLETOOLS), all the individual definition types added to this group, such as AE, Records, CI, Components, etc., will be displayed.


Furthermore, when the Component Interface definition type is clicked, all the CIs added in this category are displayed. We can even add a new CI to this category, and as soon as the new CI is added it comes under the security net. Similarly, any definition we add, not just in this category but in the other categories as well, comes under the security net.

If we need to grant someone access to all the definitions added under the definition group PEOPLETOOLS, we just need to add one of the PLs assigned to that person through a role to this definition group, as shown below:



As you can see, access is given through a PL at the Definition Group level and not at the level of individual definitions, so once the PL is added to the Definition Group it has access to all the definitions added in it. Once the PL is added here, it is also reflected on the PL definition page under the tab Definition Security.
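
To troubleshoot this error without clicking through every definition group, the check described above (which groups contain the definition, and whether any PL the user holds through a role is attached to each group) can be run as a query. This is an added example, not part of the original post; the table and column names are my assumption of the standard PeopleTools security tables and should be verified against your release, and `SAMPLE_USER` is a placeholder user ID.

```sql
-- Added example: for one definition, list every definition group that
-- contains it and whether the user reaches that group through a PL.
-- Assumed PeopleTools tables (verify the names in your release):
--   PSOBJGROUP  (OBJGROUPID, ENTTYPE, ENTNAME)  definitions in each group
--   PSOPROBJ    (CLASSID, OBJGROUPID)           PLs attached to each group
--   PSROLEUSER  (ROLEUSER, ROLENAME)            roles assigned to each user
--   PSROLECLASS (ROLENAME, CLASSID)             PLs assigned to each role
-- 'SAMPLE_USER' is a placeholder; PT_SEC_USER_ROLES is the query from the post.
SELECT g.OBJGROUPID,
       g.ENTTYPE,
       g.ENTNAME,
       CASE WHEN COUNT(u.CLASSID) > 0
            THEN 'GRANTED'
            ELSE 'BLOCKED'
       END            AS GROUP_ACCESS,
       MIN(u.CLASSID) AS GRANTING_PL   -- one PL that grants access, if any
FROM PSOBJGROUP g
-- PLs attached to the definition group (may be none)
LEFT JOIN PSOPROBJ o
       ON o.OBJGROUPID = g.OBJGROUPID
-- keep only the PLs this user actually holds through a role
LEFT JOIN (SELECT rc.CLASSID
           FROM PSROLEUSER ru
           JOIN PSROLECLASS rc
             ON rc.ROLENAME = ru.ROLENAME
           WHERE ru.ROLEUSER = 'SAMPLE_USER') u
       ON u.CLASSID = o.CLASSID
WHERE g.ENTNAME = 'PT_SEC_USER_ROLES'
GROUP BY g.OBJGROUPID, g.ENTTYPE, g.ENTNAME
ORDER BY g.OBJGROUPID;
```

A row marked BLOCKED names a definition group that contains the definition but has none of the user's permission lists attached, which is the group to review under Definition Security.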