# User Full Access Report




- **Report ID:** `security-user-access`
- **Category:** Security
- **Parameters:** `oprid` (required): the PeopleSoft User ID to audit

## Purpose

This report generates a consolidated view of everything a single PeopleSoft user can access. It expands all roles and permission lists to show the full scope of a user's security profile in one document. This is useful for security audits, access reviews, onboarding/offboarding verification, and compliance reporting.

## What It Covers

The report walks the full PeopleSoft security hierarchy for the specified user:

1. **User Details**. Account status, authentication method, direct permission list assignments
2. **Roles**. All roles assigned to the user (including dynamic roles)
3. **Permission Lists**. Unique permission lists derived from assigned roles, with a reverse map showing which roles grant each
4. **PeopleTools Access**. Client tool access (Application Designer, Data Mover, etc.)
5. **Menu/Component Access**. All menu authorizations grouped by menu, showing components and display-only status
6. **Service Operations**. All authorized Integration Broker service operations
7. **Component Interfaces**. All authorized component interfaces
8. **Process Groups**. Authorized process scheduler groups
9. **Query Tree / Row-Level Security**. Accessible records via query tree security

## Tables Queried

|          Table          |               Purpose               |
| ----------------------- | ----------------------------------- |
| PSOPRDEFN               | User definition and account details |
| PSROLEUSER              | User-to-role assignments            |
| PSROLECLASS             | Role-to-permission-list mapping     |
| PSCLASSDEFN             | Permission list definitions         |
| PSAUTHITEM + PSMENUITEM | Menu/component authorizations       |
| PSAUTHWS                | Service operation authorizations    |
| PSAUTHBUSCOMP           | Component interface authorizations  |
| PSAUTHPRCS              | Process group authorizations        |
| SCRTY_ACC_GRP           | Query tree security access groups   |
| PSTREENODE              | Query tree node hierarchy           |

## Data Flow

```text
1. Fetch user details from PSOPRDEFN
        |
        v
2. Fetch all roles from PSROLEUSER
        |
        v
3. Batch-fetch permission lists for all roles
   from PSROLECLASS
        |
        v
4. Collect unique permission list ClassIDs
        |
        v
5. For ALL unique ClassIDs, fetch:
   - PeopleTools access (PSAUTHITEM special entries)
   - Menu authorizations (PSAUTHITEM + PSMENUITEM)
   - Service operation auths (PSAUTHWS)
   - Component interface auths (PSAUTHBUSCOMP)
   - Process group auths (PSAUTHPRCS)
   - Query tree access groups (SCRTY_ACC_GRP)
        |
        v
6. For query trees: walk tree hierarchy to
   resolve accessible leaf records
        |
        v
7. Generate consolidated Markdown report
```
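
Steps 2 through 5 of the flow above (menu authorizations only), as an added example that is not psLens code, run against an in-memory SQLite database with constructed rows. The tables are reduced to the columns used; the column names, the client-tool `MENUNAME` values, and the rule that the least restrictive grant wins are assumptions based on the usual PeopleTools layout.

```python
import sqlite3
from collections import defaultdict

# Constructed sample data. Column names and the client-tool MENUNAME values
# follow the usual PeopleTools layout and are assumptions, not psLens code.
SAMPLE = """
CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT, DYNAMIC_SW TEXT);
CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
CREATE TABLE PSAUTHITEM (CLASSID TEXT, MENUNAME TEXT, BARITEMNAME TEXT, DISPLAYONLY INTEGER);
INSERT INTO PSROLEUSER VALUES ('JDOE','EX_AP_CLERK','N'), ('JDOE','EX_AP_INQUIRY','Y'),
  ('ASMITH','EX_DEVELOPER','N');
INSERT INTO PSROLECLASS VALUES ('EX_AP_CLERK','EX_AP1000'), ('EX_AP_CLERK','EX_BASE'),
  ('EX_AP_INQUIRY','EX_BASE'), ('EX_DEVELOPER','EX_TOOLS');
INSERT INTO PSAUTHITEM VALUES ('EX_AP1000','EX_VOUCHERS','EX_VCHR_ENTRY',0),
  ('EX_BASE','EX_VOUCHERS','EX_VCHR_ENTRY',1), ('EX_BASE','EX_VOUCHERS','EX_VCHR_INQUIRY',1),
  ('EX_TOOLS','APPLICATION_DESIGNER','',0);
"""
TOOL_MENUS = {"APPLICATION_DESIGNER", "DATA_MOVER", "OBJECT_SECURITY"}

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

def user_access(conn, oprid):
    # Step 2: roles for the user; OPRID is always a bound parameter.
    roles = conn.execute("SELECT ROLENAME, DYNAMIC_SW FROM PSROLEUSER "
                         "WHERE ROLEUSER = ? ORDER BY ROLENAME", (oprid,)).fetchall()
    names = [r[0] for r in roles]
    granted_by, menus, tools = defaultdict(list), {}, set()
    if names:
        # Step 3: one batched lookup; only "?" markers are interpolated.
        marks = ",".join("?" * len(names))
        for role, classid in conn.execute("SELECT ROLENAME, CLASSID FROM PSROLECLASS "
                f"WHERE ROLENAME IN ({marks}) ORDER BY ROLENAME", names):
            granted_by[classid].append(role)  # Step 4: unique ClassIDs + reverse map
    if granted_by:
        # Step 5 (menu part): authorizations for every unique ClassID.
        marks = ",".join("?" * len(granted_by))
        for menu, item, disp in conn.execute("SELECT MENUNAME, BARITEMNAME, DISPLAYONLY "
                f"FROM PSAUTHITEM WHERE CLASSID IN ({marks})", sorted(granted_by)):
            if menu in TOOL_MENUS:
                tools.add(menu)
            else:
                # Assumption: the least restrictive grant wins, so an item is
                # display-only only if every granting permission list says so.
                menus[(menu, item)] = menus.get((menu, item), True) and bool(disp)
    return {"roles": roles, "granted_by": dict(granted_by),
            "display_only": menus, "tools": sorted(tools)}
```

For the constructed user `JDOE`, the voucher entry component comes out read-write even though `EX_BASE` marks it display-only, because `EX_AP1000` grants it without the flag.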

## How to Run

This report can be launched in two ways:

1. **From the User Detail Page:** Navigate to any user's detail page and click the **Run Full Access Report** button in the right sidebar. The report automatically uses the current user and database.

2. **From the Reports Page:** Go to Reports > Run New Report > User Full Access Report. Enter the OPRID manually.

## Report Output

The generated report contains:

- **Summary table** with counts for each access category
- **User Details** with account status, authentication, and direct permission lists
- **Roles table** with dynamic assignment indicators
- **Permission Lists table** showing which roles grant each permission list
- **PeopleTools Access table** showing Yes/No for each client tool
- **Menu/Component Access** grouped by menu name, with component links, labels, and display-only flags
- **Service Operations table** with operation and permission list links
- **Component Interfaces table** with interface and permission list links
- **Process Groups table** listing authorized process groups
- **Query Tree tables** showing accessible records with tree and access group context

All object names in the report are linked back to their detail pages in psLens for easy navigation.

## Interpreting Results

- **Large number of roles:** Users with many roles may have accumulated access over time. Review whether all roles are still needed.
- **Overlapping permission lists:** Multiple roles may grant the same permission list. This is not harmful, but it can make access reviews harder.
- **PeopleTools access:** Application Designer, Data Mover, and Object Security access should be limited to developers and security administrators.
- **Display-only flags:** A component marked as display-only lets the user view, but not modify, data through that page.
- **Process groups:** Verify that users only have access to process groups relevant to their job function.
