User Full Access Report

  • Report ID: security-user-access
  • Category: Security
  • Parameters: oprid (required) — the PeopleSoft User ID to audit

Purpose

This report generates a consolidated view of everything a single PeopleSoft user can access. It expands all roles and permission lists to show the full scope of a user’s security profile in one document. This is useful for security audits, access reviews, onboarding/offboarding verification, and compliance reporting.

What It Covers

The report walks the full PeopleSoft security hierarchy for the specified user:

  1. User Details. Account status, authentication method, direct permission list assignments
  2. Roles. All roles assigned to the user (including dynamic roles)
  3. Permission Lists. Unique permission lists derived from assigned roles, with a reverse map showing which roles grant each
  4. PeopleTools Access. Client tool access (Application Designer, Data Mover, etc.)
  5. Menu/Component Access. All menu authorizations grouped by menu, showing components and display-only status
  6. Service Operations. All authorized Integration Broker service operations
  7. Component Interfaces. All authorized component interfaces
  8. Process Groups. Authorized process scheduler groups
  9. Query Tree / Row-Level Security. Accessible records via query tree security

Tables Queried

Table                     Purpose
PSOPRDEFN                 User definition and account details
PSROLEUSER                User-to-role assignments
PSROLECLASS               Role-to-permission-list mapping
PSCLASSDEFN               Permission list definitions
PSAUTHITEM + PSMENUITEM   Menu/component authorizations
PSAUTHWS                  Service operation authorizations
PSAUTHBUSCOMP             Component interface authorizations
PSAUTHPRCS                Process group authorizations
SCRTY_ACC_GRP             Query tree security access groups
PSTREENODE                Query tree node hierarchy

Data Flow

1. Fetch user details from PSOPRDEFN
        |
        v
2. Fetch all roles from PSROLEUSER
        |
        v
3. Batch-fetch permission lists for all roles
   from PSROLECLASS
        |
        v
4. Collect unique permission list ClassIDs
        |
        v
5. For ALL unique ClassIDs, fetch:
   - PeopleTools access (PSAUTHITEM special entries)
   - Menu authorizations (PSAUTHITEM + PSMENUITEM)
   - Service operation auths (PSAUTHWS)
   - Component interface auths (PSAUTHBUSCOMP)
   - Process group auths (PSAUTHPRCS)
   - Query tree access groups (SCRTY_ACC_GRP)
        |
        v
6. For query trees: walk tree hierarchy to
   resolve accessible leaf records
        |
        v
7. Generate consolidated Markdown report

How to Run

This report can be launched in two ways:

  1. From the User Detail Page: Navigate to any user’s detail page and click the Run Full Access Report button in the right sidebar. The report automatically uses the current user and database.

  2. From the Reports Page: Go to Reports > Run New Report > User Full Access Report. Enter the OPRID manually.

Report Output

The generated report contains:

  • Summary table with counts for each access category
  • User Details with account status, authentication, and direct permission lists
  • Roles table with dynamic assignment indicators
  • Permission Lists table showing which roles grant each permission list
  • PeopleTools Access table showing Yes/No for each client tool
  • Menu/Component Access grouped by menu name, with component links, labels, and display-only flags
  • Service Operations table with operation and permission list links
  • Component Interfaces table with interface and permission list links
  • Process Groups table listing authorized process groups
  • Query Tree tables showing accessible records with tree and access group context

All object names in the report are linked back to their detail pages in psLens for easy navigation.

Interpreting Results

  • Large number of roles: Users with many roles may have accumulated access over time. Review whether all roles are still needed.
  • Overlapping permission lists: Multiple roles may grant the same permission list. While not harmful, it can make access reviews harder.
  • PeopleTools access: Application Designer, Data Mover, and Object Security access should be limited to developers and security administrators.
  • Display-only flags: A component marked as display-only can be viewed by the user, but data cannot be modified through that page.
  • Process groups: Verify that users only have access to process groups relevant to their job function.
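
Steps 2 to 4 of the Data Flow and the "Overlapping permission lists" point above can be reproduced for an independent access review. The following is an added example, not psLens code: it runs against an in-memory SQLite database holding constructed rows, and the column names (ROLEUSER, ROLENAME, DYNAMIC_SW, CLASSID) and the helper names are assumptions about PSROLEUSER and PSROLECLASS rather than anything stated on this page.

```python
import sqlite3
from collections import defaultdict

# Constructed sample data. Column names are assumed for PSROLEUSER/PSROLECLASS.
SCHEMA = """
CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT, DYNAMIC_SW TEXT);
CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
INSERT INTO PSROLEUSER VALUES
  ('JDOE', 'AP_CLERK', 'N'),
  ('JDOE', 'AP_SUPERVISOR', 'N'),
  ('JDOE', 'EMPLOYEE_SELF_SVC', 'Y'),
  ('ASMITH', 'SEC_ADMIN', 'N');
INSERT INTO PSROLECLASS VALUES
  ('AP_CLERK', 'AP_ENTRY'),
  ('AP_CLERK', 'AP_INQUIRY'),
  ('AP_SUPERVISOR', 'AP_INQUIRY'),
  ('AP_SUPERVISOR', 'AP_APPROVE'),
  ('EMPLOYEE_SELF_SVC', 'ESS_BASE'),
  ('SEC_ADMIN', 'SEC_TOOLS');
"""

def build_sample_db():
    """Return an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def expand_user(conn, oprid):
    """Steps 2-4: roles -> batch-fetched permission lists -> reverse map."""
    # Step 2: role name -> True when the role was assigned dynamically.
    roles = {name: dyn == "Y" for name, dyn in conn.execute(
        "SELECT ROLENAME, DYNAMIC_SW FROM PSROLEUSER WHERE ROLEUSER = ?",
        (oprid,))}
    granted_by = defaultdict(set)
    if roles:
        # Step 3: one batched query; only '?' placeholders are interpolated,
        # every value is bound, so the audited oprid never reaches the SQL text.
        marks = ",".join("?" * len(roles))
        for role, classid in conn.execute(
                "SELECT ROLENAME, CLASSID FROM PSROLECLASS "
                f"WHERE ROLENAME IN ({marks})", tuple(roles)):
            granted_by[classid].add(role)
    # Step 4: unique ClassIDs, each with the roles that grant it.
    reverse = {c: sorted(r) for c, r in sorted(granted_by.items())}
    # Permission lists granted by more than one role (overlap for review).
    overlaps = {c: r for c, r in reverse.items() if len(r) > 1}
    return roles, reverse, overlaps

if __name__ == "__main__":
    for part in expand_user(build_sample_db(), "JDOE"):
        print(part)
```
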