Contents

Excluding PeopleSoft Authentication Tokens

By default, service operations include the current user’s authentication cookie (PS_TOKEN) with the message. This means the subscribing system processes the message as the user who triggered the event. There are significant security and operational reasons to consider excluding this token.

How It Works By Default

Consider this scenario with three PeopleSoft systems:

  • HCM (publishing system)
  • Campus Solutions (subscribing system)
  • Portal (subscribing system)

When user JDOE changes their password in HCM:

  1. The USER_PROFILE service operation triggers from HCM to both subscribers
  2. The message is published with JDOE’s authentication token
  3. The subscribing system validates that JDOE exists and has web service security
  4. If validation passes, the subscription code runs as JDOE

If JDOE doesn’t exist in the Portal database or doesn’t have the right web service security, the publication contract errors out:

User JDOE not authorized to invoke service operation USER_PROFILE

What Happens When You Exclude the Token

When you exclude the PeopleSoft Authentication Token for a service operation:

  • The user’s token is NOT sent to the subscribing system
  • The user profile does NOT have to exist in target systems
  • The user does NOT need web service security in the target system
  • The message is published as the “default user” configured on the node
  • The subscribing system has no record that the specific user made the change (though LASTUPDOPRID may still be in the XML payload data)

Security Benefits

Running service operations with tokens excluded is more secure in most situations and simplifies your security because you grant fewer web service security grants.

Consider the USER_PROFILE service operation: if you give all users web service security to invoke it, you have many more vectors for attack. A bad actor who takes control of an account with USER_PROFILE web service security could submit XML to change user profiles, grant roles, or lock out accounts. The delivered subscription code trusts whatever comes over the wire and commits it with straight SQL.

Pros and Cons

Pros of Excluding Authentication Tokens

  • End users triggering service operations do not have to exist in all target databases
  • End users do not need web service security in the target system
  • Simplifies Web Service security permission lists
  • Reduces attack surface for sensitive service operations

Cons of Excluding Authentication Tokens

  • LASTUPDOPRID stamps on the target system will show the default node user name instead of the actual user, which could cause auditing confusion

Node Default User Guidelines

The default user ID on your nodes should follow these guidelines:

  • It should be a generic account, NOT someone’s day-to-day account
  • The password should be extremely long and complicated
  • It should NOT have any PIA access (no iScript security) so no one can log in with this account in a web browser
  • It will need grants to any Web Services that are being run
  • It will need Component Interface grants for any CIs invoked in subscription contracts
  • It will need any Application Level Security (row level security) that may be invoked by CIs in the subscription code
  • Use different default user IDs for each node with common sense naming conventions like: IB_NODE_HCM_USER, IB_NODE_PORTAL_USER
    • This makes it immediately clear in audit reports that data was updated by an Integration Broker message and gives a quick indication of which source system
Author Info
Chris Malek

Chris Malek is a PeopleTools® Technical Consultant with over two decades of experience working on PeopleSoft enterprise software projects. He is available for consulting engagements.

Work with Chris
PeopleSoft REST APIs in Minutes, Not Months
PeopleSoft Simple Web Services (SWS)

SWS turns SQL into production REST APIs — ready for AI, modern apps, and partner integrations. One install, unlimited potential.

  • Configuration-driven, no coding required
  • JSON, XML, and CSV output
  • Works across all PeopleSoft pillars
  • Built on 25+ years of PeopleSoft expertise
Read More & Purchase
Looking for pain-free PeopleSoft web services?
PeopleSoft Simple Web Services (SWS)

A powerful PeopleSoft bolt-on that makes REST web services easy. You bring the SQL, SWS handles the rest.

  • Go from idea to production in minutes
  • Zero code migrations after install
  • JSON, XML, and CSV output supported
  • No PeopleCode or Integration Broker expertise required
Read More & Purchase
Stop Building PeopleSoft Web Services the Hard Way
PeopleSoft Simple Web Services (SWS)

Traditional PeopleSoft web services cost $3,600–$13,000 each to develop. SWS deploys production REST APIs in under 5 minutes through configuration alone.

  • No PeopleCode or Integration Broker expertise required
  • Works across Campus Solutions, HCM, and Financials
  • Built-in pagination, caching, and nested data structures
  • Trusted by institutions across higher education and government
Read More & Purchase
PeopleSoft REST APIs for AI, Modern Apps, and Integrations
PeopleSoft Simple Web Services (SWS)

Turn PeopleSoft data into clean REST APIs for AI integrations, modern applications, and vendor data feeds. Configuration-driven — no PeopleCode required.

  • Deploy production APIs in under 5 minutes
  • AI and LLM ready (RAG, chatbots, intelligent search)
  • JSON, XML, and CSV output
  • Zero modifications to delivered PeopleSoft objects
Read More & Purchase