# Who Can Access This PeopleSoft Component? The SQL, and the Gotchas

> How to trace PeopleSoft component access through PSAUTHITEM, PSROLECLASS, and PSROLEUSER — the query, the four mistakes that produce wrong answers, and a faster way.

---

LLMS index: [llms.txt](/llms.txt)

---

"Who can get to this component?" is one of the most common questions a PeopleSoft security administrator gets, and PeopleSoft has no delivered screen that answers it in one place. The data lives in three tables, and the joins are easy to get subtly wrong.

## The Security Chain

PeopleSoft component access flows through a fixed chain:

1. **`PSOPRDEFN`** — user accounts
2. **`PSROLEUSER`** — which roles each user holds
3. **`PSROLECLASS`** — which permission lists each role carries
4. **`PSAUTHITEM`** — what each permission list grants: menu, component, and page entries with their authorized actions

A user can reach a component if *any* permission list on *any* of their roles has a `PSAUTHITEM` row for it.

## The Query

To list users who can access a component (for example, `USERMAINT`):

```sql
SELECT DISTINCT RU.ROLEUSER, O.OPRDEFNDESC, RU.ROLENAME, RC.CLASSID
FROM   PSAUTHITEM AI
JOIN   PSROLECLASS RC ON RC.CLASSID = AI.CLASSID
JOIN   PSROLEUSER  RU ON RU.ROLENAME = RC.ROLENAME
JOIN   PSOPRDEFN   O  ON O.OPRID = RU.ROLEUSER
WHERE  AI.BARITEMNAME = 'USERMAINT'
AND    O.ACCTLOCK = 0
ORDER  BY RU.ROLEUSER;
```

In `PSAUTHITEM`, the component name is in `BARITEMNAME`; `MENUNAME` is the menu that exposes it, and `PNLITEMNAME` narrows a row to a specific page within the component.

## Four Gotchas That Produce Wrong Answers

1. **Locked accounts.** Without `ACCTLOCK = 0` your audit lists users who cannot sign in. Fine for "who is provisioned," wrong for "who can get in today." Decide which question you are answering.
2. **The same component on multiple menus.** A component can be attached to more than one menu, and each menu grants a separate `PSAUTHITEM` row. Filtering on `MENUNAME` alone undercounts.
3. **Page-level rows.** A permission list may grant only specific pages within a component (`PNLITEMNAME`). If you are auditing access to a *specific page*, you need the page-level rows; component-level results overstate access.
4. **Display-only is still access.** `PSAUTHITEM.DISPLAYONLY = 1` means the user can see the page but not save. For a data-exposure audit, display-only access to sensitive data still counts.

And a fifth that isn't in the SQL at all: **dynamic roles.** If a role is populated by a role query or rule, `PSROLEUSER` tells you who holds it *now*, not who could acquire it tomorrow.

## The Faster Way

psLens answers this from the component's own page: search the component, and its detail page shows the permission lists that grant it, the roles that carry those permission lists, and the users who hold those roles — each one a link, so you can keep tracing in either direction. The same chain works backwards from a user or a permission list. The [Security Admin workflow](/docs/use-cases/security-admins/) shows the click path, and the [User Access report](/docs/reports/security/) produces the audit-ready Markdown version.

No SQL access required — which also means the analyst asking the question doesn't need the database account that usually comes with it.

---

### Subscribe for Updates

If you found this article helpful, subscribe to get notified of new PeopleSoft technical notes and psLens updates.











<div class="card bg-light border-0 border-start border-primary border-3 my-4 shadow-sm">
    <div class="card-body p-3">
        <form action="https://subscribe.cedarhillsgroup.com/subscribe" method="POST" class="row align-items-center g-3">
            
            <input type="text" name="website" style="position: absolute; left: -5000px;" tabindex="-1"
                autocomplete="off">
            <input type="hidden" name="redirect_to" value="https://pslens.com/subscribed/">
            <input type="hidden" name="topic_id" value="pslens">

            <div class="col-lg-5">
                <h6 class="mb-1 text-dark fw-bold">Stay Updated</h6>
                <p class="mb-0 text-muted small" style="font-size: 0.85rem;">Receive new articles directly in your inbox.</p>
            </div>

            <div class="col-md-6 col-lg-3">
                <input type="text" name="first_name" placeholder="First Name (optional)"
                    class="form-control form-control-sm">
            </div>

            <div class="col-md-6 col-lg-3">
                <input type="email" name="email" required placeholder="Email Address"
                    class="form-control form-control-sm">
            </div>

            <div class="col-12 col-lg-1">
                <button type="submit" class="btn btn-primary btn-sm w-100">Join</button>
            </div>
        </form>
    </div>
</div>
