I helped some folks the other day with an issue that had the potential to be very serious for them; exposure of production data without someone needing to login to the production system. Not good.

The Problem

For testing purposes they have copies of their production PeopleSoft databases; one for Financials and one for HCM. These copies are refreshed regularly and there are scripts run against them to handle some cleaning/sanitizing of the production data, so that the database can be used for testing.

They have some people that they allow to login to these test environments with any account so that they can confirm the results of basic processes. The accounts don't have default passwords, so this access was limited to the people that they authorized to do testing, but testers with access to these cloned environments could login as anyone.

One of the testers (we'll call him Fred) was logged in to the Financials test environment as some other user (we'll call her Sally) to test some process that would normally be initiated by Sally in the production system.

While doing this testing, Fred wanted to enter his timesheet data so he clicked on a link to go to the production HCM system for time entry. Much to his surprise, he was logged in to HCM as Sally! So Fred goes back to the test Financials environment, logs in as a different user, clicks the link into production HCM and sure enough he is logged in as that user in production HCM. To Fred's credit, Fred alerted the PeopleSoft support team there instead of snooping around in HCM.

How did that happen?

The problem comes from the fact that the production environments were configured to trust each other for PeopleSoft Single Signon, but the node names and node passwords were not changed as part of the environment cloning logic.

So when Fred signed on to the cloned Financials environment, the PS_TOKEN cookies generated are identical to what the production environment would generate (the details of PS_TOKEN cookie are documented in PeopleBooks, but the node name and node password are the important pieces here).

How could this be prevented?

There are several different ways of preventing this from happening. Let's take the pragmatic ones first.

1) Change the node password as part of the refresh script.

This is the easiest, most expedient thing to do. It is the absolute minimum way to solve this problem.

Although this solves the security problem, it introduces a headache for security auditors because the app server logs in the production environment will be full of warnings about failed logins from bad node passwords. That means that testers accessing production while logged in to the test environment will be indistinguishable from someone trying to break in by generating their own PS_TOKEN cookies.

It's not nice to annoy your security auditors by purposely creating log entries that look like break-in attempts, but are actually OK :-)

2) Change the node name.

Changing the node name when you clone environments will also solve the problem (because then the production environments will no longer trust the cloned nodes since they don't recognize the new names). This also solves the log problem mentioned in the previous item.

Changing the node name can have an impact on Integration Broker testing, but that just means that your integration test scripts need to be aware of this. Not a huge drawback in my opinion.

3) Use distinct passwords for each account in the test environment.

This is easy enough to do, it's mainly a question of distributing the passwords to the testers so that they can get in and do their jobs. Depending on your organization, this may or may not be easy.

4) Don't provide passwords to the testers, but allow them to reset them on demand.

Similar to the previous item, but gets around the distribution issue by making it an after the fact auditing issue. If Fred requests the CEO's password in the test system, it's very easy to audit for that and force Fred to explain why he felt that was necessary.

Computer security is typically focused on preventing people from doing things, but in some cases this model of auditing and disciplining after the fact may be OK.

This model reminds me of when we took our dog to a dog trainer a long time ago that recommended leaving a steak or something else on the kitchen counter for the dog to find. This was in conjunction with hiding around the corner so that at the moment the dog put his paws up to grab the steak, you would jump out and impress upon the dog that it wouldn't be wise to do that again. A real-time security audit if you will :-)

What are some of the less pragmatic options?

5) Have a new version of PeopleTools that can detect when a database is copied, and automatically scrub key information like node passwords, GUID, etc.

The implementation of this would be platform specific, but do-able. It would complicate things like having a hot database backup server though. I'm sure those sorts of issues could be addressed though.

6) Embed additional information beyond just node name and node password (like database name) in the PS_TOKEN cookie.

One issue that I can think of with this is that older PeopleTools versions would not be able to interoperate with this, but it could be a flag on the node definition as to whether interoperability with earlier versions of PeopleTools is required. If interoperability was required, then the existing PS_TOKEN format would be used, otherwise the newer format would be used.

Why didn't they know about this?

PeopleSoft Single Signon is documented in PeopleBooks, but there aren't any great writeups out there on the implications of it when cloning a PeopleSoft environment.

There are lots of writeups out there on "How to Clone a PeopleSoft Environment", and some discuss the importance of getting the node configuration correct, but they typically come at from the perspective of just making sure the environment works; not the security implications of it.

PeopleSoft Single Signon is well documented in PeopleBooks, but it just doesn't seem to jump out at people when thinking about cloning. I will give a shout-out here to Brent Martin of ERP Associates. Brent's writeup on cloning a PeopleSoft database is the only one out there that I could find that mentions this issue at all.

Labels: 2009, Audit, Security, Sysadmin

I've recently gotten my VBA coding juices going again, and finally decided to crank out something that I've been talking about for quite some time (you'll can expect a blog entry next week that discusses my other VBA effort this week).

When I was responsible for nVision, the feature was called "Multiple Field nPlosion".

What is it?

In a nutshell, multiple field nPlosion is the ability to show slices of data for two different fields in the same axis in an nVision report. For those familiar with nVision, you can take a row or a column and tell it to generate data for values of a field, or a part of a tree. Currently, the product is limited to doing this for one field.

However, there are a lot of situations where you would want to use multiple fields for this (which is a standard OLAP requirement). One example is generating your profit and loss statement using the account tree, but when the tree hits the account details, to show the breakout of how those account values are represented by different products. In other applications, such as HR, there are a lot more examples that are simpler, such as showing benefits elections by manager over time.

So, how do you do it?

The first time I discussed how to handle this was about 10 years ago with Tom Pitra of Pitra consulting, fellow nVisionary of high standing, who successfully implemented this for a major PeopleSoft customer in the Minneapolis area.

The approach is to leverage the fact that nVision keeps its original criteria in place when running a report and then puts in criteria for values or nodes when it generates the children rows for nPlosion (generally stored in context cells in nVision... Row 1 or Column 1 in the layout). This allows the context of the values to be retained for drilldowns. We also leverage this artifact for several of our products, most notably our Excel Add-in.

So, here are the steps used to accomplish mutliple field nPlosion:

1. Run your nVision report, nPloding the outermost field first. This gets you the rows for that field, formatting, as well as the first set of numbers.
2. Run a macro that fixes the inserted rows, so that they have all the criteria as if they were designed using the nVision designer. To reduce the size of the file, nVision only puts the values or nodes specification into the nPloded rows (or columns). This means that the overall total row is the only place that identifies the field and/or tree and other criteria that was used to generate the nPloded value. Because this logic was written when there were a lot more limitations on cell sizes and other resources in excel, it was done this way.
3. Then, a macro should swap criteria as needed for the second run. In other words, it will need to take the fields used as labels in the first run as well as the values that should not be nPloded in the second nPlosion and turn those into non-nVision specifications (I just prepend a # in my code). Also, the macro will need to turn any label columns that are reserved for the second run into nVision specifications.
4. Then, the macro will need to append the new nPlosion specification to the places where the new nPlosion rows need to be. In my macro, I chose to do this where the lowest-level values cam in from the first run (e.g. account numbers).
5. The last step of the macro is to save the spreadsheet as a layout in the nVision/layout directory.
6. Then, you run the new layout as an nVision report. All of the processing your macro did will cause nVision to only nPlode the second field where you want, while inheriting the original criteria and location in the report. Thus, double nPloding

Here is what the final report would look like by showing departments within accounts.

Cool. Gimme the Stuff!

I've packaged this up into a single nVision layout with the macros embedded. You run the report, then push the button on the sheet to run the macro, and then run the resulting report (which will be put into E:\PT846\NVISION\LAYOUT\NPLODE01.XNV ). This means you will need two nVision report requests for this. ONe for the file attached here, and one for NPLODE01.XNV.

Here is where you can download this layout: OriginalnPlosionTest.xnv

Limitations

This example has a lot of limitations in it, so you'll want to tweak it based on your own needs. Here are a few I can think of:

• It only nPlodes the second column at detail values
• It only works for 2 fields
• It only nPlodes rows and not columns
• It isn't completely automated, which means the user has to do several steps to get the results
• It hasn't been adapted to work on the process scheduler
• Finally, there's no designer for the criteria and specifications. YOu have to put in the #'s yourself to make it work.

All of these things can be addressed by extending the work already present here.

Labels: nVision

A short follow-on to an earlier post about PeopleCode variable weirdness; did you know that you can use Unicode for PeopleCode variable names?

Great fun with your co-workers at code review time :-)

Labels: 2009, Global, PeopleCode

In our previous blog post we introduced a Continuous Integration server called Hudson to run automated tests against a PeopleSoft system for us. We didn't really get into any test content itself though; we just ran some dummy Application Engine code to show how Hudson can work with PeopleSoft.

Now that the framework piece is in place though, we can begin creating tests. For this blog post we're going to focus on testing functional aspects of PeopleSoft, not performance testing.

Functional Testing Webinar

Before getting into the details, I wanted to point out that we have an upcoming webinar on this exact topic on May 20th, so if you're interested be sure to register for that.

Functional Testing Options

There's a variety of different ways for doing functional testing. Dave Bain from Oracle recently announced the availability of a PeopleSoft specific unit testing tool called PS/Unit. We'll look at PS/Unit in an upcoming post, but if you're not familiar with unit testing you can think of it as testing the lowest level "units" of your code.

Another approach is doing browser-based testing. Browser based testing means having automated tests that drive an actual web browser instance and simulate an actual user's behavior. The primary benefit of browser based testing is that you can be reasonably sure that you are testing PeopleSoft as your users will be seeing and working with it.

In fact, browser based testing can be thought of as automating the way that most people test their PeopleSoft implementations today; which, sadly enough, is by having some of their functional users run through a series of manual tests in their browsers. Expensive, error-prone, incomplete are some of the adjectives that spring to mind when describing manual testing. Not to mention just the hassle of trying to get the functional users to participate in testing. They may be willing to participate once or twice, but if you need to incorporate any additional testing beyond your original project plan, it is a major hassle.

Browser based testing

Back in the old client/server days, PeopleSoft used to bundle SQA Robot (later purchased by Rational/IBM) because it understood something about the Windows controls used PeopleTools for creating the UI. These days the PeopleSoft UI is HTML/Javascript and there are lots of freely available tools that we can use for testing.

One tool that we like for functional testing via the browser is called Selenium. Selenium can run tests across multiple different browsers, and there is a plugin for running Selenium tests via Hudson so we can automate the execution and management of our automated tests.

Getting Started with Selenium

Before we get into running our Selenium tests in Hudson, we need to create some tests. The easiest way to do this is with the Selenium IDE, which is a Firefox plugin and can record, edit and debug tests. The tests themselves can be executed in other browsers, so we're only dependent on Firefox for our initial test development.

So if you're not already in Firefox right now, switch over to Firefox and launch the Selenium IDE plugin installer. Here is the current link, which is for version 1.0 beta 2, but you can check their download page as well to see if there are updated versions available.

Your First Test

After installing Selenium IDE, you can launch it from the Tools -> Selenium IDE menu in Firefox.



When Selenium IDE launches it automatically starts in recording mode, so you can switch back to your main Firefox window and begin working. For this first example, I

• Entered the URL for the PeopleSoft signon page


• Typed in the password (the user ID was already defaulted for me)


• Clicked "Sign In"


• Waited for the portal home page to load


• Clicked the "Logout" link

Then I switched back to the Selenium IDE window and stopped recording by clicking the Red button in the recording toolbar (unfortunately there are not keyboard equivalents for the Selenium recording toolbar). Let's see what Selenium captured for us.



The first thing to notice is that Selenium has captured http://www.gsdemo.com as the base URL. All URL commands will be relative to this (there are some extra things to know if you plan to write tests that go across more than one base URL).

The first actual command that Selenium has captured is the open command. All Selenium commands take the form of Command, Target, Value. Here the target is the URL /psp/ps/?cmd=login, which gets combined with the base URL. This opens the login page.



Next is the type command, where we entered the password. In this case Selenium realized that the pwd DOM ID for the password field was the simplest choice that would work. You'll notice that the Target editbox has become a dropdown box which shows some alternate methods of referencing the password field.



The next command is the clickAndWait command. Selenium recognized the Sign In button via it's DOM ID of Submit and used that.



The last command is also the clickAndWait command, but when we logged out, there was no unique DOM ID that was associated with the Logout link, so Selenium recognized the click by noting that the link text was Logout (eagle-eyed readers will note that the logout text in this environment has actually been customized from an earlier blog entry).

At this point we can repeatedly click the play button in the Selenium recording toolbar and watch the browser login and logout. There are actually two play buttons, one is for the current test case and one is for playing back an entire test suite (which is many test cases grouped together). In this instance it doesn't matter, but once you actually create test suites, then you'll want keep them straight in your head.

If you have any problems at this point playing back the test, you can try adjusting slider control in the Selenium IDE toolbar towards the "Slow" end. This causes Selenium IDE to wait a bit longer for commands to show some results.

Modifying the Test

Each of the commands that Selenium captured for us is modifiable, including being able to delete it. So to make our test a bit more exciting, we highlight the last command (the clickAndWait command that logged out) and delete it, since we don't want to logout just yet.

Then play the script again. This time when the script finishes you will be left on the portal home page (since we're not logging out). Pressing the Record button will start recording again at the end of the script.

This time we will navigate via the portal menu navigation to PeopleTools -> Security -> User Profiles -> User Profiles. Once the User Profiles component search page is up, we type in PTDMO and then press the Search button.

Before playing back this script, I made one manual edit. I changed the very top command from navigating to cmd=login to cmd=logout. PeopleTools will send back the signon page in both cases, but by starting with the logout command you clear server resources from the previous script run. Your system administrators will thank you for this small act of kindness :-)

When playing back the script, I have a small problem; the script does not playback successfully. It tells me that it can't find a frame named "NAV".

The source of the problem is that Selenium does not quite understand the way that PeopleTools is doing it's navigation. When we click on the first navigation link from the Portal home page Selenium records the following two commands.

1. Command: clickAndWait, Target: link=(the name of the link)


2. Command: waitForPopup, Target: _parent, Value: 30000

After we leave the portal home page though, we are getting into PeopleTools generated HTML frames. The next command that Selenium IDE records is Command: selectFrame, Target: name=NAV. The NAV is the name that PeopleTools gives to the menu frame once we leave the portal home page. What we want at this point is for Selenium to wait for the NAV frame to load before we select it, but the commands that Selenium is generating are only waiting for our top level page to load.

Rather than run the entire test at a slower rate so that we're sure that the navigation frame is loaded, we'll insert an extra command before the selectFrame command that will tell Selenium to wait for that frame to load. To do that we

1. Right click on the selectFrame


2. Select "Insert New Command" from the popup menu


3. Type waitForFrameToLoad in the Command edit box


4. Type TargetContent in the Target edit box


5. Type 30000 in the Value edit box

One cool thing about Selenium IDE is that as you enter commands, you get type-ahead support for what commands are available. Once you select a command, then you get the help text for it automatically displayed at the bottom of the IDE window. Very nice! Here's a full list of all of the different commands that Selenium supports.

The other nice thing about the IDE is that we can copy and paste our waitForFrameToLoad command instead of typing it in everywhere. There are a few more places in our navigation script where the selectFrame command is used, so we'll paste it before each one. That allows us to run our script at full speed, but have it wait for the navigation to finish loading if the webserver is slow for some reason. Note that after we finish navigating we are then waiting for the frame called "TargetContent", so we use that name instead.

Skipping Navigation

In some cases you may want to include the navigation portion in your tests, but in many cases you'll want to just test a certain functional area. A good trick for doing this is just have Selenium go straight to the page that you want instead of navigating to it.

The open command in Selenium can be used in the middle of your test scripts, not just at the beginning, so we can replace all of the navigation commands with the open command and the value "/psc/ps/EMPLOYEE/PT_LOCAL/c/MAINTAIN_SECURITY.USERMAINT.GBL". Note that we used the psc servlet instead of the default psp. That will completely bypass the portal and just load the underlying component itself.

Making Assertions

Part of testing is making assertions about the behavior that is seen. Selenium supports making assertions about things as simple as text being on the page to whether specific cookies are present (a good way of checking that you are logged in is asserting that you have a PS_TOKEN cookie) and even as detailed as making assertions about the HTML source code that has been generated for a page.

There are somewhere in the neighborhood of around 100 different things that Selenium can make assertions about, so you should be able to come up with something that helps you validate the desired functional behavior that you are testing. For the example that we have been going through I added a the assertTextPresent command with the Target set to "Confirm Password" since that is the label for one of the fields on the User Profile page. This assertion will return true if "Confirm Password" is present anywhere on the entire page.

We can make some tighter assertions by narrowing the focus from the entire page to specific elements. The above assertion could also be implemented as the assertText, which takes an element locator in addition to the text that is being checked. We saw the use of element locators when working with the login form above; an element locator is just some way of identifying a single element on the page.

PeopleTools will typically generate unique IDs for each form field on page. These are normally the underlying record name and field name for the underlying value in the database (with row numbers if working with multiple rows). In the case of checking a label, PeopleTools will generate a "label" element, with the "for" attribute referencing which form field the label is for.

In this case, we end up with our element locator as //label[@for='PSUSRPRFL_WRK_OPERPSWDCONF'] because we want the label for the OPERPSWD_CONF field from the PSUSRPRFL_WRK record.



In the above screenshot we can see that our assertTextPresent assertion passed, but our assertText assertion failed. Selenium IDE provides the reason for the failure in the log though. The assertText assertion is making an exact check of the element's text, while the assertTextPresent assertion merely checks that the text exists at all across the entire page. Since PeopleTools is generating a colon at the end of the label, we would need to incorporate that in our assertion.

Saving Our Tests

Up to this point we haven't saved our test logic at all. In the Selenium IDE window, select File -> Save Test Case (or press Ctrl-S for a keyboard equivalent). You'll be prompted for a file name. I selected TestUserProfile.html. By default Selenium stores it's list of commands in a special HTML format, which is why we used that extension.

You can also have Selenium export a test case to various other programming languages (Java, C#, Perl, PHP, Python, and Ruby are all supported currently). The benefit to using a programming language for controlling Selenium is that you can then do things like have conditional logic, common subroutines, etc. The drawback is that you lose the ability to use Selenium IDE to work with them at that point. We'll stick with the plain HTML format for now while we're still getting familiar with Selenium, but future blog posts will get into using the programming language integration.



In the above screenshot you'll notice that I expanded out one section of the Selenium IDE window. That shows us the current test case being worked (TestUserProfile). If we click File -> New Test Case, we'll get an "Untitled" entry added in the list of test cases and an empty list of commands. We would then build up our test case just like we did above and save it.

Once you have a few test cases, then you can select File -> Save Test Suite to group the test cases together. You can copy and paste commands between different test cases, so if you find one test case is starting to cover too much functionality, you can break it into multiple test cases this way. Selenium lets you run either single test cases or run an entire test suite together, so you can break things in manageable chunks without losing the ability to group things appropriately.

I did notice a bug in the test case re-ordering within the Selenium IDE window though, so after you save your test suite, you'll probably want to open to the open the test file and re-order the tests listed there so they match the order that you want to run things in.

Wrapping Up

Now that we can start coming up with some meaningful tests, the next steps from here are to incorporate the execution of our tests into our Hudson environment so that they can be run automatically for us.

We'll also want to start integrating all of this with version control. We not only want to start keeping track of the different versions of our tests, but we also want to tie the execution of our tests to changes that are happening with the underlying PeopleSoft objects.

That way if a working test starts throwing assertion errors at some point, we'll be able to see exactly what changes were implemented in PeopleSoft that caused the problem, along with who did it and the underlying reason that the changes were implemented. And if necessary, revert those changes to put things back the way they should be.

Labels: 2009, Browser, Sysadmin, Testing, VersionControl

One of the reasons that we built out Grey Sparling Version Control for PeopleSoft on top of an industry standard version control tool (Subversion) instead of building our own proprietary repository is the sheer volume of other tools available that integrate with Subversion. There's a whole host of other reasons for using Subversion as well. If you'd like to learn more about Subversion you check out the presentation that we've given at OpenWorld and various other user conferences or go check out the Subversion website.

We're going to focus on a tool called Hudson. Hudson is an open source continuous integration server from Sun (so now it's from Oracle :-). A continuous integration server can do things for you like grab your latest source code, compile it (if necessary), run tests against it, and keep track of what happened.

We're not going to be compiling any code for this blog post though. We're just using Hudson for running tests against a PeopleSoft system. This first blog post is part of a new series of blog tests covering testing PeopleSoft. We're also have some upcoming webinars on these topics as well.

Installing Hudson

One of Hudson's strong points is it's ease of installation and setup. It's taken me longer to type this much of the blog post than it did to get Hudson up and running in a demo environment.

Head over to the main Hudson website and download the latest Hudson.war file. If you use IE it may get confused and save it with a .zip extension (both .war and .jar files are just .zip files that specific meaning for Java), so be sure to rename it as hudson.war once it's downloaded.

The only dependency that Hudson has is Java 5. You can type

java -version

at a command prompt to check which version you have. You then start Hudson running by typing

java -jar hudson.war

Hudson is very configurable, but we will accept defaults for now. You can change it later if you want. By default Hudson will create a directory called ".hudson" in your HOME directory when you launch it. This directory holds all of job definitions, output, logs, etc. Note that if you want to delete Hudson later for some reason just delete this directory and the hudson.war file.

Configuring Hudson

Now that you've started Hudson you can go to http://localhost:8080/ and you'll see something like this.



I created a user account before taking this screenshot, but by default Hudson will allow anonymous access (that's actually how I was able to create the user account), so don't run the initial setup on a non-trusted network.

Next we click the link that says "create new jobs". We called our job "Application Engine Test" since we're going to have it run an Application Engine program for us (keep the name reasonably short since it goes in a lot of URLs) and we selected "Freestyle Software Project". For our purposes of running tests against a PeopleSoft system we will always select "Freestyle Software Project" for our job type.



Now we get to the job configuration page. There's a lot of options here, but we'll skip over most of them to get started. Next to each input field is a "?" link that you can link to have inline help expand if you're curious about what the items do though.



The only thing that we changed in the first section was to add some descriptive text to our job. That will appear on the job home page. It can include HTML so you can do things like add links, styling, etc. It's not required, but it's a nice touch.



In the next section of the job configuration page is where we would specify where to pull things from version control. We'll save that for a future blog post, and just leave it as "None" for now.

This is also where we configure build steps for the job. Since we're running this on Windows, we choose Windows batch command. We won't cover it in this blog post, but Hudson can also run on Unix/Linux and have multiple instances of Hudson up and running together (technically there is one master instance of Hudson which can manage multiple "slave" instances).

The command line that put in for the job is

e:\pt849\bin\client\winx86\psae -CT ORACLE -CD PTSYS -CO PTDMO -CP PTDMO -R hudson -AI HUDSON_DEMO

A fairly standard command line for Application Engine. For now we have hard-coded the user/password, but those can be externalized. The -AI parameter is the name of the Application Engine program. We created a simple one called HUDSON_DEMO for the test.

That's good enough to try things out. Scroll to the bottom of the page and save the job. This will return you to the job home page.

Running Hudson Jobs



On the left side of the page are the various actions that you can take with the job. Click the "Build Now" link to run the job (the "Build" terminology comes from the fact that compiling or building software is one of the primary purposes of a continuous integration server).

You can't see it from the screenshots, but Hudson has some nice Ajax functionality that will update the page with what is happening as the build is running.



We can see in the Build History now that we have a successful build. Clicking on the link takes us to the build results.



The output shows "No Changes" because we haven't hooked this up with version control yet. Once that is done you would see a list of whatever program changes had taken place since the last build here. We also have the build timing information (19 seconds for it to start psae and run our program). We can also see the console output from the Application Engine program.



That "Hey, it worked" message is coming the PeopleCode that we put into the HUDSON_DEMO Application Engine program.



Pretty simple, but it lets us see that the environment is properly configured. Let's see what happens when we change the PeopleCode so that it fails. We'll just add an error statement in the PeopleCode to force it to fail. Then we run the Build again.



Now our job summary page shows that the job has failed. Let's look at the console output.



More normal error messages that you might see here are from SQL errors (for example someone altered a record definition that the App Engine program depends on, but didn't update the SQL). When we get into version control integration in the future, we'll see how to use the version control repository to help us figure out why something broke.

Let's spice up our job definition a bit. Here we kicked things off manually so we could tell that it failed, but we don't want to do things manually. Manual steps cost money! We want automation.

So go back into the job configuration page. In a previous screenshot we skipped over the "Build Triggers" section, but Hudson can automatically kick off builds in a variety of ways.

One way is by monitoring the version control repository for changes. If a check-in will cause some sort of breakage, then Hudson will pick it up right away, which is much better than after rolling something into production.

Another way is after other projects/jobs get built. We use this a lot within Grey Sparling. Once our tests run successfully, that kicks off other jobs that package things up for delivery.

Another way is to have Hudson run things on a schedule. This is a good way to catch any changes that you didn't realize that you were dependent on. Kick off everything once an hour or once a night or something just to be sure that nothing is broken.

You can also have external systems trigger Hudson builds if you need something else to control when builds should be run.

Once you have decided on which methods will trigger automated builds (you're not limited to just one method), then you decide on the post build notifications.



In this example, we have setup Hudson to send emails every time we have a problem with the build. If we kick off the build again, we'll see what this looks like.



The nice thing is that we get the output in the email so we can get some idea of the nature of the problem even through our Blackberries and iPhones :-)

If we fix up our test Application Engine program and run the Build again we'll get a single notification email that the build has returned to a successful state. By default you only get success emails when the build returns to a successful state after having problems; you won't get emails every time that a successful build occurs.



The link in the email goes to a permanent link for that build so it's easy to go back and review what happened months afterwards.



You'll also notice that we can start seeing trends in the Build History here. There's a few other views in Hudson that give us these high level "weather reports" (as Hudson calls them) that we'll get into in future blog posts.

Future

Hopefully you found this introduction to using Hudson for testing PeopleSoft useful. In future blog posts we'll cover more test automation topics such as:

• Having Hudson pull changes from version control into a pristine test environment before running the tests


• Running browser based tests via Hudson


• Integration with the newly released PS/Unit unit testing tool

If you have other topics that you would like to see covered, feel free to let us know; either via comments, email or join us on some of our upcoming webinars covering these areas.

Labels: 2009, Hudson, Testing, VersionControl

I haven't had a chance to check this out yet, but I saw a Tweet that Oracle has posted the Oracle VM template for PeopleSoft HCM and Campus Solutions.

The template (along with other Oracle VM templates) is available here. According to the webpage:

• Installed applications include: PeopleSoft HRCS 9.0 and PeopleTools 8.49


• Installed technical foundations include: Oracle Database 10g, Oracle Tuxedo 9.1, and Oracle WebLogic 9.2

Awesome. Way to go Oracle.

update - June 5thI got the scoop on why the template disappeared after being posted. Basically it wasn't ready to go yet and the public posting was just a case of someone being a little too eager.

The person I spoke with was surprised at how much interest that we were seeing though. So if this is something that you are interested in working with comment here or on Oracle Mix to let the developers know.

Labels: 2009, Oracle, Virtualization

We wrote awhile back about a customization that can be done to limit a user's roles dynamically at a signon time, but wanted to point out an issue with it that came up recently during some customer discussions on our ERP Firewall for PeopleSoft product.

The essence of the customization revolved around creating extra tables for storing the "real" list of roles for a user separately so that the PeopleTools tables that stores the roles for a user can be modified at signon time. The way that PeopleTools is delivered there is one table that is both the "master" list of roles for a user and the "current" list of roles for the user's session.

A little bird told me that this may get addressed in future PeopleTools versions (let's hope for PeopleTools 8.50!), but for now the modification that we outlined in the previous blog entry is the only way to accomplish this.

So what's the problem?

Now consider the scenario where your CFO logs in from a public kiosk at a conference somewhere to enter her expense report. You have implemented the customization to limit her roles to just those that would allow her to enter expenses and not be able to do things like pull up your P&L reports when she logs in this way.

What happens when some other process runs (batch, workflow, etc.) and checks to see who is in the high level finance roles? It won't find your CFO. Not good.

And the answer?

One answer is to do a thorough search of all of the application code for role queries, references to PSROLEUSER, use of the IsUserInRole() PeopleCode function and modify those to use the customized "role master" table that the previous blog entry outlined.

Another answer is to wait for PeopleTools to support the notion of "session level" roles.

Another solution is to use some sort application level firewalling solution. Of course, we're partial to our own application firewall for PeopleSoft, but there are other ways of achieving this as well.

Labels: 2009, Firewall, Security