PeopleFluent Learning 23.07 Release Notes
PeopleFluent is pleased to announce the PeopleFluent Learning 23.07 update. PeopleFluent Learning 23.07 was released for general availability on 7 July, 2023. If you are a hosted (SaaS) customer, please contact your PeopleFluent Customer Success Manager to request a schedule for upgrading your sites.
This documentation describes the functionality changes in PeopleFluent Learning 23.07, including new and deprecated features. If you have any questions about the enhancements or the new features, please contact your PeopleFluent representative.
Resolved Issues
PeopleFluent Learning 23.07 includes a number of bug-fixes and you are encouraged to review them in the Resolved Issues Report.
Summary of Enhancements
The features and enhancements described in this documentation apply to PeopleFluent Learning and will be available when the customer is upgraded to this version.
Because PeopleFluent Learning is configurable per customer, new features may affect each customer's individual implementation differently. For more information about any new feature, and how it can be used in specific implementations, contact your PeopleFluent representative.
This guide is not a tutorial, although some background explanation is provided for each of the key features to better appreciate how these might affect your organization.
The following new features are included in PeopleFluent Learning 23.07:
- Bridge Integration
- LTI Authentication
- Create Proxy Launch Learners
- Data Encryption & Transfer
- PGP Encryption
- Inbound Encryption
- Outbound Encryption
- External SFTP Transfer
- Exam Enhancements
- Exam Data Loaders
- Question Pools Data Loader
- Exam Generation Setting - Attempts
- Exam Module Status Change
- Additional Enhancements
- Clone or Copy with Read-Only Permissions
- Bulk Create Proxied Launch
- Permissions Data Loader
- MFA One-Time Password
- Program Status Changes
Bridge Integration
The Bridge Integration exists to allow Bridge customers to utilize some aspects of PeopleFluent Learning. The primary example is for the Exam Engine. This would allow Bridge customers to take advantage of some advanced functionality. For example, having a pool of questions that can be reused across multiple exams, timed assessments, and other sophisticated exam functionality.
LTI Authentication
To allow administrators to Single Sign-On (SSO) from Bridge to PeopleFluent Learning, Bridge uses the LTI 1.2 for authentication. This is based on the OAuth standard, which PeopleFluent currently partially supports.
Creating Administrators
The LTI authentication process may need to provision new users in PeopleFluent Learning as administrators. The information to create new user accounts is part of the LTI "launch" data. The fields are passed as URL-encoded form fields. When the post request is received, PeopleFluent Learning will parse the data and do the following:
-
If the user exists and is active in the system, log them in to PeopleFluent Learning to their home page.
-
If the user doesn't exist, create them using the data above. They will need a specific role that is not the full System Administrator.
-
If the organization doesn't exist, create it at Level 1 with the URL unencoded tool_consumer_instance_name as the name and code (modified to meet code requirements for allowed characters).
NOTE: When using Firefox, users will need to disable Enhanced Tracking Protection Protection for the Bridge site because PeopleFluent Learning is framed within Bridge. Failure to disable the tracking protection will prevent administrators from accessing the Catalog Editor and User Editor in PeopleFluent Learning. Instructions for disabling the setting can be found online.
Enabling LTI Authentication
To enable the integration, Bridge will work with PeopleFluent staff on the Bridge configuration, which includes some metadata about the PeopleFluent Learning instance. Additionally, in PeopleFluent Learning the following Bridge configuration information needs to be added to the ekp.properties file:
- bridge.consumerKey - This is obtained from Bridge as part of their LTI setup.
- bridge.consumerSecret - This is obtained from Bridge as part of their LTI setup.
- bridge.instance - This is the URL for the Bridge instance, which will match the tool_consumer_instance_guid setting in the Bridge configuration XML file.
In addition, the following changes need to be made in the PFL system configuration:
- Enable cross-site scripting protection: Disable
- Enable Referrer Policy: Origin when cross-origin
- Advanced: IFrame Protection (Clickjacking): Disabled
- Finally, it is recommended to set a Default New User Profile with a role configured with only those features the Bridge Administrators will need, rather than as System Administrators. For example, if the use case would be to allow using PeopleFluent Exams in Bridge, they would not need the "Learning Center" (Current Courses, Catalog Search, Workspace Review,etc.).
A profile is a user account designated as a profile, with the appropriate role, skin, and setting the First Screen to "Manage" which is in the Manage Center shown above. Once that user account is created, under Logical Domains set that user as the Default New User Profile.
This means Bridge Administrators will be created using this profile, with the right role access and limited navigation for the key features they need.
Create Proxy Launch Learners
When a learner launches an exam in Bridge via Proxied Launch, the user is created in PeopleFluent Learning, which is a system configuration setting. However, by default they are placed in the UNASSIGNED Organization. The new functionality will create the user in the correct organization unit based on the Bridge account and subaccount IDs.
When the Bridge account has the learn_scorm_base64_url_external_id setting enabled, the learner ID sent via AICC (proxy launch) is a base64 encoded value that will include the necessary information to move the users to the correct Organization unit.
When this value is decoded, the account and subaccount IDs can be identified. These are used to create the learner user accounts in PeopleFluent to the corresponding Organization unit.
- Bridge Account ID is the Level1Code for the user.
- Bridge Subaccount ID is the Level2Code for the user.
If the Organization unit does not exist, this functionality will also create the organization.
Data Encryption and Transfer
PGP Encryption
By using a start-up configuration in the ekp.properties file, the application needs to designate the necessary keys for encryption and decryption. Currently, the system only allows one key for decrypting inbound data feeds and another key for encrypting outgoing scheduled reports.
Decryption - There is a public and private key pair that should be generated by the company hosting PFL; for SaaS Customers, PeopleFluent Professional Services can generate the keys. The public key can be provided to customers to encrypt the data at their source (such as an HRIS system). The private key will then be used by PF Learning to decrypt the files as part of the Inbound Decryption described below.
Encryption - This will use a public key from the customer that will receive an encrypted export of data (report). This would be used to encrypt the exported file as described in the Outbound Decryption section below.
Configuration - Either or both files need to be renamed and placed in the {ekp}/WEB-INF/conf folder:
- The private key created for decrypting inbound data feeds must be named inbound_private_key.asc.
- The public key created for encrypting outbound scheduled reports must be named outbound_public_key.asc.
Inbound Decryption
For files that are imported as part of the OPML process, there needs to be a flag whether or not the file needs to be decrypted. If this flag is set, PF Learning will use the private key corresponding to the public key provided to the customer to encrypt the file.
NOTE: The UI-based importers and the API-based “contentHandler” importers would not be affected, and the functionality will remain the same as today. Files imported via these methods must be unencrypted.
Outbound Encryption
Scheduled Reports
When scheduling a report, there is an option to encrypt the output file, if the public key setting exists within the ekp.properties file. It will not appear if the key does not exist.
NOTE: The encryption does not apply:
-
If the selected output format is HTML (for viewing in a browser); it only applies to the other format types.
-
“Run now in Browser” when editing a previously scheduled report; it only applies to the file generated according to the schedule.
OPML Exports
For reports that are exported as part of the OPML process, there needs to be a flag whether or not the file is encrypted. This would use the public key provided by the customer to encrypt the file.
NOTE: API-based exports would not be affected. Data exported via standard APIs is decrypted. The batchReport API, which can be used to retrieve a specific report, will return the report file, which may be encrypted.
External SFTP Transfer
The current OPML / Background task functionality allows for an export to be sent via SFTP in the XML/URL location (using sftp://username:password@sftp.url.endpoint format). However, this is not an option for scheduled reports, and there is no option for using SSH Key instead of usernames and passwords.
When scheduling a report, the application will have an option to send the output via SFTP to an external location designated by the customer, such as on the customer’s server.
SFTP Location Setup
To accomplish this, a new feature is needed to store SFTP locations (URLs and ports) and corresponding credentials or SSH Key file.
Required fields will depend on the selection:
- If the Use Password option is selected, the Password and Confirm Password fields would be required, but the Load SSH Key would not be required.
- If the Use SSH Key option is selected, the Load SSH Key file would be required, but the Password and Confirm Password fields would not be.
The Password field is encoded in the database, such that it can be decoded when a scheduled report needs to be sent via SFTP (see below).
Finally, there is a function to Test Connection. This will attempt to connect using the credentials provided, and return an error message to the screen if it fails.
NOTE: There are some issues with the functionality that will be addressed in a 23.07.x patch, which will be scheduled as soon as it can be completed:
-
When the recipient SFTP server is configured on Windows, the full path may be required.
-
When the recipient SFTP server is configured on Linux, there may be issues transferring the file.
Sending via SFTP
In the scheduling screen, there would be an option to select a configured SFTP Transfer location. If the user scheduling the report does not have Role Access Control to SFTP Transfer Location, the drop-down will not appear. If the user has either Read Only or Unrestricted set in the Role Access Control, the Locations listed in the drop-down are based on permission for each location.
When the report is run according to the schedule, the LMS will:
- Output the file to the Report Location (default to /nd/fresco/batchreports)
- If there is an error writing to the location, log the error in the EKP.LOG file.
- Send the file via SFTP to the location specified
- If there is an error in connection, log the error in the EKP.LOG file.
- Send the notifications as per usual. If the selection to attach the output file is used, the attachment is the encrypted file.
Exam Enhancements
Exam Data Loaders
In 22.07, PeopleFluent Learning made exam import functionality, using the background task (OPML) process, originally built for one specific customer available to all customers. This feature was more fully documented in a separate Exams Import Guide available with 22.07. With 23.07, the functionality is added to the UI so the CSV files can be imported manually.
Exam Data Loader
This allows the creation of a new exam, and set the exam-level metadata (title, description, passing score, attempt limit, participant review, etc).
Exam Section Data Loader
This allows the creation of a new section on an existing exam, and sets the section-level metadata (section title, section description, random/specific questions, layout, etc).
Exam Section Question Data Loader
This data loader will allow assigning questions to an existing section of an existing exam. For random-question sections, only the question pool is needed. For specific-question sections, if question IDs are not specified, all of the questions in the question pool are added to the section. Please note that with specific-question sections, it is possible to add the same question more than once.
NOTE: For 23.07, there is no ACTION column, so these will ADD new exams, sections, or questions. This is the same as the OPML loaders.
Question Pools Data Loader
The ability to create Question Pools in bulk will make the migration easier. Although this may not be necessary for ongoing support. It will include the ability to move a child pool from one parent to another.
CSV Columns
The following columns are in the CSV file. The lower number “level” columns have to be populated if a higher level number is being added, updated, or deleted; For example, levels 1 and 2 are required if Level 3 is the pool to which the action applies. All other columns are optional.
- Action - A for Add, U for Update, AU for Add/Update, or D for Delete
- Level 1 Name - question pool name
- Level 2 Name - question pool name
- Level 3 Name - question pool name
- Level 4 Name - question pool name ...
- Level ## Name - the question pols are hierarchical
- Default Question Prefix - string
- Default Weight - ##.##
- Default Difficulty - ##.##
- Default Usage Limit - ###
- Reminder Recipients - pipe separated list of user ids
- Frequency - daily|weekly|biweekly|monthly
- PermTemplateName - source name of a question pool from which to copy permissions
- PermReplace - y|n
Exam Generation Settings - Attempts
This is a relatively minor change to an existing process. Currently, an Exam Template can be used to Generate Exam Module.
There is an issue with the Maximum Number of Attempts for Each Participant. This value is not transferred to the module.
On 4.1 Define Launch Properties, the Course Attempts > Attempts Allowed is populated with the value when the Maximum Number of Attempts for the exam.
Exam Module Status Change
Update exam-as-module status when exam status changes – currently when an exam is regraded from a failed status, the exam status is updated however the learning module linked to the exam is not automatically updated and requires manual intervention. The change is when the exam is marked as passed the module status is not already complete, module is changed to completed.
Migrate Exam ID
There is an existing functionality to migrate learning object IDs that changes the learning object ID (display ID). The same functionality is replicated for exams.
NOTE: The screen provides the warning “As the number of records to be checked can be quite extensive, this function may take several minutes.”
Additional Enhancements
Clone or Copy with Read Only Permissions
A new feature was added to allow user with Read Only permissions to a cloneable object, to be able to Clone or Copy that object.:
- Catalog
- Exam
- Question
- Assessment Template
- Email Template
- System Role
Not included as the functionality for copying repository items doesn't create a new database object, just a new reference to the same object:
- Repository Folders
- Repository Files
This is controlled by a new System Configuration setting "Enable cloning/copying for Read Only permission," when combined with Unrestricted access in Role Access Control, will allow cloning/copying of Read Only object.
NOTE: The following features are not affected by this change and are not affected by the new configuration option, as they already permit Clone/Copy for users with Read Only Permissions:
- Module
- Report Wizard
- Goal Programs (part of the Performance license
- Terms of Use
Bulk Create Proxied Launch
Rather than creating exam packages (AICC format) one at a time, allow GP Strategies administrators to create multiple exam packages at a time. The current process only allows for one at a time.
UI Changes
Add an item under the Bulk Action on Learning Modules, to generate the proxied launch package for all checked modules.
This would launch a modal window to select the encoding - similar to the Catalog Editor > 4.2 Proxied Launch Package.
If any module selected is not an Online type, an error message is displayed instead of the modal.
Generating Packages
Clicking the Generate Packages button will loop through the existing process to create the package for each selected course, and then ZIP all of the packages into a single file for download.
Permissions Data Loader
The new data loader will allow administrators to add permissions on Question Pools, Exam Pools, Questions, Exams, Courses, Reports, etc. The loader does not remove permission settings.
CSV Columns
The following columns are in the CSV file. The lower number "level" columns have to be populated if a higher level number is being added, updated, or deleted. For example, Levels 1 and 2 are required if Level 3 is the pool to which the action applies. All other columns are optional.
- Object ID - The ID of the object for which the permission is to be set, more information below.
- Object Type - The code of the object type representing the entity (i.e. "LO" for learning module, "SE" for session, "CT" for catalog, "TS" for exam, "TP" for exam pool, "QN" for question, "QP" for question pool, "F" for repository file, "FD" for repository folder, "CR" for certification, "CM" for competency model, "JP" for job profile catalog, "RT" for standard report, "RE" for report wizard)
- Identity ID - The ID of the identity (e.g. user ID, role ID, org ID, etc.) that the permission is granted to
- Permission Code - The permission code (i.e. Read = 1, Write = 2)
- Identity Type - The code of the identity type that this permission entry is related to (i.e. "U" for user type, "R" for role type, "O" for org type, "OX" for exclude org type, "G" for user group type, "UA1","UA2",...,"UA8" for user attribute type)
- Operator - This is either AND or OR, and represents the setting "All of the following criteria/One of the following criteria" in the permission settings user interface
Please note that this data loader does not currently handle all of the object types that support permission setting. The value of the ObjectID column must be one of the following:
- Learning Module: the ID of the module as displayed on the Learning Modules page
- Session: the Session Code and module ID combined by the "+" character. Example: "Session1+Course1"
- Catalog: the full catalog path, delimited by the "/" character. Example: "CatalogType1/Catalog1a"
- Exam: the ID of the exam as displayed on the Exams page
- Exam Pool: the full exam pool path, delimited by the "/" character. Example: "ExamPoolLevel1/ExamPoolLevel2"
- Question: the ID of the question as displayed on the Questions page
- Question Pool: the full question pool path, delimited by the "/" character. Example: "QuestionPool1/TopicPoolA"
- Repository File: the RPID value shown in the URL of the file's "Properties" link in the Repository Manager
- Repository Folder: the RPID value shown in the URL of the folder's "Properties" link in the Repository Manager
- Certification: the certification code as displayed on the Certifications page
- Competency Model: the name of the competency model as displayed on the Competency Models page. Please note: only top-level competency models can be assigned permissions
- Job Profile Catalog: the catalog name as displayed on the Job Profiles page
- Standard Reports: the report name as displayed on the Reports page. Example: "R101"
- Report Wizard: the report ID as displayed on the Report Wizard page
The value of the IdentityID column must conform to the following requirements:
- User ("U"): the identity ID is normally the username. However, if multiple assignments are allowed in the system, then the identity ID is the assignment reference code
- User Group ("G"): the identity ID is the user group name as displayed on the User Groups page
- Role ("R"): the identity ID is the role code as displayed on the System Roles page. Example: "S" for the Learner role
- Organization ("O") and Exclude Organization ("OX"): the identity ID is the full organization path, beginning with "ROOT/" and delimited by the "/" character. Example: "ROOT/APAC/Thailand/Bangkok"
- User Attribute ("UA1"..."UA8"): the identity ID is the user attribute code as displayed on the User Attribute configuration page
Object Types
For 23.07, only the following object types can be updated via the data loader. Other object types may be added in a future release.
- Modules
- Sessions
- Catalogs
- Exams
- Exam Pools
- Questions
- Question Pools
- Repository Files
- Repository Folders
- Certifications Competency Models
- Job Profile Catalogs
- Standard Reports
- Report Wizard Reports
MFA One-Time Password
A new security feature will allow multi-factor authentication in the form of a one-time password (code) that is emailed to users. Obviously, users will need a valid email address to receive the code. Users will not be allowed to log in without entering a valid code. The following describes the workflow used.
Configuration Options
The following items can be configured:
- Enable MFA - A System configuration is added to require MFA for all users.
- Reauthentication Period - A system configuration setting for the number of days after which users are sent a new code and prompted to enter it. (maximum 90)
- Code Validity Period - This system configuration is a number of minutes for which the emailed code is valid, after which a new code is sent. (maximum 60).
- Number of Attempts - A system configuration for the number of wrong attempts when entering the code. (minimum of 1 maximum of 15)
Additionally, a new flag was added at the user level to allow individual users to bypass the MFA process.
Program Status Changes
A number of changes to PeopleFluent Learning Programs were made in 23.07 .
- Ensuring the End Date for the program matches the latest end date for submodules.
- Ignoring the Start Date for a program in the transcript when it is created via Program Data Loader
- Preventing a program from being reverted from Completed to In Process via the Participants page in the Catalog Editor, which is currently prohibited for all other learning types.
- The percentage completed is refined to account for mandatory and optional submodules, especially within nested programs.
- Two changes to the processing of program transcripts after changes are made to the submodules.
- Ensuring programs will mark IN PROCESS consistently after the first module is COMPLETED, regardless of the method to indicate the module is completed.