Wednesday, March 13, 2019

Do I have to use the Navigator?

Navigator exposed from the NavBar
I have seen several very clever Navbar customizations including:
  • Auto-expand the Navigator when expanding the Navbar and
  • Showing the breadcrumb path in the Navigator.
These customizations seem quite valuable to anyone that uses the Navigator. And who doesn't use the Navigator? It is the primary delivered navigation method for Classic content. But are we really supposed to depend on the Navigator? If so, should these customizations be incorporated into the product? Or are we missing the point of Fluid navigation? Does Fluid provide an alternative?

Let's start with a review of Self-Service. With a complete Self-Service Fluid rollout, do you need to use the Navigator to launch any Self-Service functionality? No. Every Self-Service transaction is available from a tile. Consider Personal Details. When an HCM Self-Service user launches Personal Details from a tile, PeopleSoft opens a WorkCenter-like experience, allowing the user to navigate through the Personal Details components using a left-hand sidebar. Again, did we need the Navigator for any of this functionality? No. But that was Fluid. What about Classic? In PeopleSoft HCM PUM 29 there are 400+ Fluid components and nearly 7,000 Classic components. How would you navigate to those 7,000 Classic components without the Navigator? Classic components predate Fluid and therefore aren't represented by tiles. Imagine if they were? How many homepages would you need to house 7,000 tiles? How many tiles would you have per homepage? Too many! So we use the navigator... but wait!

Let's review the list of Fluid navigation options:

  • Homepages
  • Tiles
  • Navigation Collections (published as tiles)
  • Related Actions
  • Activity Guides (Fluid, optimized as well as HCM ESS Activity Guides with categories)
  • WorkCenters (Enterprise Components Fluid WorkCenters or Classic WorkCenters)
  • Master/Detail
  • Side page 1
  • Two-panel layout

Many of these options are configurable and do not require Application Designer (Developer not required).

Fluid WorkCenter (Master/Detail) with Classic+ Components

Here is how I believe Fluid navigation should work. Keep in mind that Fluid navigation spans both Classic and Fluid components. Fluid navigation is not just for Fluid Components.


      Role-based homepage with business process-based tiles
    1. Homepages should be role based. My homepage collection should depend on the hats I wear in my organization.
    2. Within each homepage, I should have business process-based tiles. These tiles should launch WorkCenter-like Navigation Collections, Activity Guides, and so on. For example, if I am a PeopleSoft developer, then I should see a tile for managing security. When launched, that security tile will display a left-hand panel for navigating within the Security business process. If I manage payroll, then I might expect to find a tile labeled "Payroll WorkCenter USA" that includes navigation for all of the components associated with the Payroll business process. Remember, the items in the left-hand sidebar of a Navigation Collection or WorkCenter may be a combination of Classic, Classic +, and Fluid.
    3. From certain transaction pages, I should see Related Actions that allow me to drill from one transaction to a related transaction.
    Related Actions that drill from one component to another
    Done right, 95+% of my work will launch from tiles. The Navigator becomes my safety net. I reach for the Navigator once a year or every few years to complete some obscure configuration task reserved for implementation.


    What about the Navbar? We often think of the Navbar as an intermediate step used to launch the Navigator, but the Navbar is a homepage of tiles. Instead of a container for the Navigator, the Navbar is an always-present homepage with tiles I can launch from anywhere in PeopleSoft. Let's say you work in Procurement and often answer questions about Purchase Orders. You have your regular buyer and procurement duties, but you must be ready at a moment's notice to answer a question or solve a problem. To prepare for the inevitable interruption, you add your most common inquiry business process tiles to the Navbar. You are now two-clicks from the answer to any question.

    Now I ask you, "if you never use the Navigator, do you still desire a customization to automatically expand the Navigator when opening the Navbar?" I think not.

    How did we get here? I believe we are in an intermediate navigational state. Classic used breadcrumbs. Fluid uses business processes. I believe the problem is that our Classic content was moved into the Fluid navigation paradigm (PeopleTools 8.55) without usable business process maps (Navigation Collections, WorkCenters, and so on). We, therefore, must build our own business process maps using Fluid navigation tools to align Classic content with Fluid navigation.

    Building navigation is a critical phase of any Fluid implementation. Get it wrong and you may find yourself rolling back Fluid in favor of Classic (no joke, I have seen this before). When implementing Fluid we often focus on Self-Service, and rightly so. Self-Service comprises the majority of our headcount. But often Self-Service users are a minority of our actual time spent using PeopleSoft. Oracle has done a great job of building Fluid navigation for Self-Service users. What's missing? Fluid navigation for Classic. Today that is our job. As developers and business analysts, we must build that missing business process based navigation for our back office users.

    We believe that navigation is a critical component to a successful Fluid implementation and that is why we devote the first day of our Fluid 1 course to Fluid navigation. To learn more or to schedule a course, visit us online at jsmpros.com.


    Tuesday, March 12, 2019

    Collaborate 2019

    Collaborate 2019 is just around the corner. San Antonio is one of my favorite conference locations, with the riverwalk right outside the conference center. I will be presenting the following sessions next month at Collaborate:


    I look forward to seeing you there!

    Thursday, March 07, 2019

    Branding Shortcut

    Starting with his post PeopleTools 8.55.x - Branding - Part I - What has changed, Sasank Vemana provides a series of articles describing how to brand Fluid. If your organization supports multiple branding themes, then the PeopleTools delivered branding module and branding macros concept described by Sasank are a perfect fit. Although a fair amount of effort to configure, I didn't mind the macro concept provided in PeopleTools 8.55. But when PeopleTools delivered 8.56 with a brand new macro set and guidance suggesting we either start over with the new macro set or update ours with their new macros (which included evaluating all of our other macro changes), I folded. The scale had tipped. I realized that branding macros were not a "once and done" proposition. It was clear that maintaining branding macros would be more time consuming than injecting a little CSS into Oracle delivered stylesheets. I have this rule: If a configuration alternative exists, but that configuration alternative requires significantly more ongoing maintenance effort than customizing, I will choose the customization. Why? the point of configuration is to simplify Lifecycle Management. If the configuration alternative is more effort, complicating Lifecycle Management, then it is not a good alternative. It is counterproductive. PeopleTools includes very good compare tools for managed definition customizations. It is these great compare tools that sometimes make customizations simpler to maintain than configuration alternatives. This is not the case (yet -- I say "yet" because I believe this will change in the future) for configuration options that may become invalid (or broken) during an update/upgrade/selective adoption.

    If your organization has just one global branding theme, you may find this approach much simpler. This is the approach I used with PeopleTools prior to the attribute-based branding module:

    1. Open a Fluid homepage.
    2. Using your browser's developer tools, mock up the changes desired.
    3. Be sure to make your selector more qualified than Oracle's. I suggest including the ID of a higher level element, but do NOT use an ID that starts with win0div as these IDs change with every New Window launched from the base PeopleSoft window.
    4. Copy these changes into a new PeopleSoft free-form sub stylesheet.
    5. Add this new stylesheet to PSSTYLEDEF_FMODE.
    6. Test.
    7. Visit a Fluid transaction page to identify further changes required to finalize the Fluid branding theme.

    Here is some sample CSS to get you started:

    How does this work? Unlike the branding module, which replaces and/or changes Oracle-delivered CSS, we allow Oracle's CSS to be sent to web browsers unchanged. Just as before the customization, a user's web browser will parse Oracle's CSS, building a list of rules. But when the browser reads our rules injected at the very end, the browser will ignore Oracle's rules because ours will be both more specific and interpreted last.

    What about Classic and Classic Plus? Same principle, just a different stylesheet. Classic uses PSSTYLEDEF_TANGERINE and DEFAULT_THEME_FLUID. I prefer PSSTYLEDEF_TANGERINE because it is a structured stylesheet, allowing us to inject one object, very minor customization.

    What about Lifecycle Management? When applying PeopleTools patches and updates, it is very likely Oracle will replace PSSTYLEDEF_FMODE, erasing your one-line customization. Restoring the customization, however, is trivial. Just re-insert the free form sub stylesheet. It is possible that Oracle may change the HTML structure of Fluid and Classic pages resulting in CSS selector modifications, etc. We, therefore, must test after every update and be prepared to modify accordingly. However, I have used this approach with Fluid from 8.55 through 8.57 with no updates necessary.

    Did you find this article helpful? Are you interested in learning more about PeopleTools, including productivity shortcuts such as this one? Take your PeopleTools skills to the next level by registering for one of our courses at jsmspros.com

    Thursday, February 21, 2019

    Where is My New Optional Default Tile?

    Navigation is critical to any business application. Classic used breadcrumbs for navigation. As I'm sure you noticed, Fluid is different, using Tiles and Homepages as the starting point for application navigation.
    "In Fluid, tiles and homepages represent the primary navigation model, replacing Classic's breadcrumb menu."
    In Classic, breadcrumb navigation is managed by administrators. It is fixed, not variable, not personalizable. Users cannot personalize Classic navigation (other than creating favorites). Did I say Fluid is different? Yes. Fluid gives users significant control over their navigational view by allowing them to personalize tiles and homepages. This can cause significant problems, with users removing tiles that represent critical business functions. There are a few solutions for this problem (disable personalization, mark tiles as required, etc, see Section 4 of Simon's blog post for ideas). What I want to focus on is confusion regarding optional default tiles, where an optional default tile doesn't default onto a homepage. Here is the scenario:
    • A homepage already exists
    • As an administrator, you configure a new tile as Optional Default



    After configuring the homepage, all users that have NOT personalized will see the tile. Put another way, any user that has personalized the homepage will not see the new tile (and a simple accidental drag and drop will result in a personalization). Here is what users that personalize will see:


    If it is optional default, what happened to the default part? When users personalize their homepages, PeopleSoft clones the current state of the homepage into a user table. Let's say Tom and Jill both personalize their home pages. Tom will now have a personalized copy of the default configuration and Jill will have an entirely different personalized copy.



    Administrators will continue to insert optional default content into homepages, but Tom and Jill will not see those optional default tiles. Tom and Jill's homepages are now detached from the source. We can push optional default tiles into Tom's and Jill's copies by using the Tile Publish button available to each homepage content reference (in the portal registry). This App Engine program inserts a row for each optional default tile into each user's copy of the homepage metadata.

    Pretty clear and straight forward so far? OK, let's make it more complicated. Let's say an administrator adds a new optional default tile to the default homepage described above and presses the Publish Tile button. After the App Engine runs, the administrator notices Tom sees the tile, but Jill does not. What went wrong? If Jill doesn't have security access to the tile's target, Jill won't see the new tile. Let's say Jill is supposed to have security access so we update permissions and roles. We check Jill's homepage again. Does Jill see the tile? No. Why not? When we published the tile, Jill did not have security access so PeopleSoft didn't insert a row into Jill's personalization metadata. How can we make this tile appear for Jill? We could publish again. If we recognize and resolve the security issue immediately after publishing, this may be reasonable.

    Let's play out this scenario a little differently. Some time has passed since we published. Tom has seen and removed the new tile from his homepage. One day Tom is at the water cooler talking about this annoying new tile that just appeared one day so he removed it. Jill overhears Tom and logs in to look for this annoying tile. After some searching, however, she doesn't see it on her homepage. She calls the help desk to find out why she doesn't have access to the annoying tile (that she will probably remove after seeing it). This is when you discover the security issue and make the tile available to Jill. For Jill to see this tile as a default, however, you will need to republish the tile. When you republish the tile, what will happen to Tom's homepage? Yes, you guessed it. Tom will see the tile appear again and will likely call the help desk to complain about the annoying tile that just reappeared.

    What's the solution? At this time there is no delivered, recommended solution. The App Engine is very short, containing a couple of SQL statements. Using it as a guide, it is trivial to write a one-off metadata insert for Jill and all others affected by the security change without affecting Tom. When writing SQL inserts into PeopleTools tables, however, we must consider cache, version increments, and many other risk factors (I probably would not do this). I would say it is safer to annoy Tom.

    --

    Jim' is the Principal PeopleTools instructor at JSMPROS. Take your PeopleTools skills to the next level by scheduling PeopleTools training with us today!

    Friday, February 15, 2019

    HEUG Alliance 2019

    With the HEUG Alliance 2019 conference starting in a few weeks, it is time to finalize our session schedules. Reviewing the agenda, I see many great education sessions from partners such as Presence of IT, SpearMCAppsian, and Mutara Inc as well as many, many customer sessions covering important topics including security, user experience, integration, tools, add-on products and so on. This is clearly an Alliance we don't want to miss! On Monday I will be presenting new PeopleTools Tips and Techniques and then on Wednesday, I am leading the workshop PeopleSoft Fluid: Zero to Hero in an Afternoon. Session details:
    I look forward to seeing you at Alliance 2019!

    Friday, January 25, 2019

    Dialog and Popup Parameters

    If you have implemented or reviewed Fluid self-service, you may have noticed all inline editable grids have been replaced with read-only "actionable" grids. Oracle's PeopleSoft Fluid UX Standards discourage the use of inline editable grids in favor of secondary modal popup pages. Sasank recently showed us how to implement actionable grid rows, the primary self-service replacement for inline editable grids. With the row action indicator approach, each row presents a read-only summary, with details and edit behavior rendered in a secondary modal popup page. Modal secondary pages are not new to Fluid, but are definitely more important with Fluid (since inline editable grids are now discouraged). This is a pattern we teach almost every week. Something that has always bugged me about PeopleSoft modal popups is the parameter string. Here is the example string from PeopleBooks:

    "bAutoClose@1;bPopup@1;"

    Notice that these are two boolean properties with very specific names, allowing only 1 or 0 for values. So what is my problem? These properties and values are hidden from design-time compiler checking because they are wrapped in quotes. This offers no design time assurance. If we make a mistake, we won't know until runtime. Am I the only one that has spent hours debugging a typo hidden in a string? You know what I would like instead? I would like an object with strongly typed, named properties that I can set at design time. The compiler will see these properties and confirm that I am using them correctly. I decided to put one together and share it with the community. You can find the very simple code on our psdialogparams project GitHub repository. Feel free to download, change, submit pull requests, etc.

    As you review the various parameters available to dialogs, popup menus, etc, you will notice similarities and differences. My intention was to place all similarities in a base class, but then allow implementation-specific subclasses (menus, dialogs, etc). Using inheritance I was able to place all common code (such as toString()) in the base class. But how is the base class to know what properties exist in the subclasses? Really good question that I'm not going to fully answer, but the basics are PeopleCode App Class reflection (thank you Integration Broker team).

    To learn more about this topic or other PeopleTools-specific topics, please register for one of our PeopleTools classes. Do you have a group and want to host a custom training event? Review our course catalog and contact us for more details or to schedule.

    Tuesday, November 13, 2018

    Security: The PeopleSoft Social Threat Vector

    In the old Mission Impossible television series from the '60s and '70s, a team of expert agents socially engineer an incredible swindle to catch a bad guy, elicit a confession, release a hostage, etc. These deceptions often included room reconstructions, elaborate disguises, rerouted telephone calls, fake news broadcasts, etc. The con had to be so good the prey had no clue. If it weren't for the regular cut-aways to "reality," viewers wouldn't be able to tell fiction from truth. I remember one episode where the IMF (the Mission Impossible team) had to convince the "bad guy" that his plot succeeded (fake news broadcast). Another episode required making a person think his victim was still alive. Incredible social engineering. It is a lot of fun to watch this unfold when good guys are conning bad guys to preserve national security. But what about when the charade is run by a bad actor attempting to steal from our organization?

    Imagine you are a manager, professor, grant owner, or someone else responsible for transactions in PeopleSoft. You receive a workflow notification e-mail requesting you to approve a PeopleSoft transaction. Since you receive these emails all the time, you don't think much of it. You click the link and see your usual login screen. You authenticate and continue processing the transaction. This is a regular, every day scenario, but let me tell you, IT SCARES THE DAYLIGHTS OUT OF ME! Why? Let's review:

    • I received an e-mail with a link.
    • I clicked the link.
    • I entered my PeopleSoft credentials into the page that appeared.

    It may really have been PeopleSoft or it may have been a Mission Impossible-style bluff designed to make me think I was logging into PeopleSoft. If the latter, I just gave away the front door key to my ERP kingdom and there is no telling what a bad actor will do. Actually, I can give you a couple of ideas of what they will do:

    • Change your direct deposit to an off shore account,
    • Use query to download sensitive information and sell it,
    • Steal Accounts Payable information,
    • Setup fake employees to be paid through the regular payroll,
    • Setup fake vendors for payment, and
    • Change bank account information for vendors.

    How do I know this? Because I've seen it happen! This is not a PeopleSoft security issue, it is all about social engineering. It is about bad actors targeting individuals through phishing, spear phishing, and whaling. Every day good people are tricked into giving their credentials to bad people.

    The most common solution is to train employees to stop clicking links in e-mails. But what is a little awkward is that PeopleSoft comes preconfigured with workflow notifications that contain links. Doesn't it seem a little ironic that most of us have anti-phishing training and policies that tell our users not to click links and then our ERP system sends e-mails with links? To compound the situation, organizations create alerts, notifications, and scheduled processes that send e-mails with links. These links keep sensitive data out of e-mails and in controlled ERP systems. This was supposed to improve security. The problem is that bad people tempt good people into clicking fake links. So what can we do?

    1. Stop sending links or
    2. Protect PeopleSoft with multi-factor authentication.

    I really don't like the first option. Removing links from all PeopleSoft notifications would be a significant modification. I know some customers that do this. It is manageable and I would rather do this than nothing at all. At least my PeopleSoft implementation would be in compliance with my standard corporate security policies.

    But removing links from PeopleSoft e-mails doesn't fix the problem. Users may still receive phishing e-mails with links to pseudo-PeopleSoft signon screens and may still give away their credentials. This is where multi-factor authentication protects us, and is why I prefer option 2. Not only do we avoid customizations and improve the user experience through targeted e-mail links, we protect our Enterprise system in the event an unsuspecting user accidentally passes credentials to a bad actor. With multi-factor authentication, compromised credentials are useless. The bad actor still needs that extra factor to authenticate.

    I have seen many different multi-factor authentication implementations using a variety of tools. Most of them are generic solutions retrofitted into PeopleSoft, and not built specifically for PeopleSoft. Occasionally I run into a multi-factor PeopleSoft retrofit written by someone that learned just enough about PeopleSoft to write a security "plugin" (Yikes!). If it were my system to protect, I would choose Appsian's Multi-factor Authentication. Appsian's product is deeply embedded in PeopleSoft, allowing us to protect sensitive information.

    Social engineering is today's cyber crime threat vector. Strong password controls, secure networks, and education are critical to defending our systems, but can't protect against a well engineered social attack. It's time to do something about it.

    Are you interested in learning more about PeopleTools and how you can protect your PeopleSoft implementation? Contact us to schedule your next PeopleTools training class.

    PS: I really wanted to name this post PeopleSoft Social Security Attack Vector. You get it? PeopleSoft Social -- Security Attack Vector... oh never mind. You know what they say, "If you have to explain a joke..." ... and now you know why I titled it something different ;)