How to Change the SYSADM Password in PeopleSoft

PeopleSoft Administration

How to Change the SYSADM Password in PeopleSoft: Complete Step-by-Step Guide

A complete walkthrough for changing the SYSADM (Access ID) password in PeopleSoft — covering why it must be done through Data Mover, how PSACCESSPRFL works, the exact commands for Oracle and SQL Server, and everything you need to update afterwards to keep your environment running.

📅 Updated: November 2024 ⏱ 10 min read 🏷 SYSADM · Data Mover · Security · Oracle · SQL Server

🚨 Critical Warning — Read Before You Start Changing the SYSADM password at the database level only (e.g., via SQL*Plus ALTER USER) will break your entire PeopleSoft environment. All PeopleSoft operator passwords are encrypted using SYSADM’s password as part of the encryption key. If the database password and the password stored in PSACCESSPRFL go out of sync, nobody will be able to log in. Always follow the full process described in this guide.

📋 Table of Contents

What Is the SYSADM Account?
How PeopleSoft Stores & Uses the SYSADM Password
Prerequisites & Pre-Change Checklist
Step-by-Step: Change SYSADM Password (Oracle DB)
Step-by-Step: Change SA Password (SQL Server)
PeopleTools 8.55+ Changes (PSACCESSPROFILE Table)
What to Update After Changing the Password
Verifying the Change Was Successful
Troubleshooting — When Things Go Wrong
Frequently Asked Questions

3 Places Must be updated: DB, PSACCESSPRFL, domain configs

Data Mover The only safe tool for CHANGE_ACCESS_PASSWORD

Bootstrap Data Mover must run in Bootstrap (SYSADM) mode

PT 8.55+ New PSACCESSPROFILE table replaces PSACCESSPRFL

What Is the SYSADM Account?

SYSADM is the Oracle database schema owner for PeopleSoft. It is the database-level user that owns all PeopleSoft tables, indexes, views, and sequences. When the Application Server, Process Scheduler, and Data Mover connect to the database to read or write PeopleSoft data, they ultimately connect as SYSADM (or through an Access ID that maps to SYSADM).

This is different from PeopleSoft user accounts (like PS, VP1, or any named user) which are stored in PSOPRDEFN. SYSADM is an Oracle database account, not a PeopleSoft operator.

Account	Platform	Role
SYSADM	Oracle DB	Schema owner of all PeopleSoft objects. Access ID used by all PeopleSoft processes.
SA	Microsoft SQL Server	Equivalent of SYSADM for MSSQL environments. Same concepts apply.
people	Oracle DB	Connect ID — used by PeopleSoft to establish the initial DB connection before switching to SYSADM. Has SELECT on PSSTATUS, PSOPRDEFN, PSACCESSPRFL only.
SYSADM1	Oracle DB	The default Symbolic ID — a logical name in PeopleSoft that maps to the SYSADM Access ID. Stored in PSACCESSPRFL / PSACCESSPROFILE.

How PeopleSoft Stores & Uses the SYSADM Password

Understanding this mechanism is what separates an admin who does this safely from one who locks everyone out. PeopleSoft’s access model works through three linked layers:

PeopleSoft User
PSOPRDEFN (OPRID)

→

Symbolic ID
SYSADM1

→

PSACCESSPRFL
ACCESSID + ACCESSPSWD (encrypted)

→

Oracle DB
SYSADM account

Figure 1: How PeopleSoft maps a user login to the SYSADM database account

Every PeopleSoft operator (user) is assigned a Symbolic ID (e.g., SYSADM1). That Symbolic ID maps to an Access ID and Access Password stored encrypted in PSACCESSPRFL (or PSACCESSPROFILE for PT 8.55+). When someone logs in, PeopleSoft decrypts the Access Password and uses it to connect to Oracle as SYSADM.

The encryption of the Access Password uses SYSADM’s database password as part of the key. This is why both the Oracle password and the PSACCESSPRFL record must be changed together — if they diverge, the decrypted password won’t match Oracle’s password and every login will fail with an ORA-01017: invalid username/password error.

💡 Key Concept — PSACCESSPRFL vs PSACCESSPROFILE Pre-PT 8.55: Access ID and password are stored encrypted in PSACCESSPRFL.
PT 8.55 and later: A new table PSACCESSPROFILE is used instead. The CHANGE_ACCESS_PASSWORD command in Data Mover handles both tables automatically — but if you use SQL directly, you must know which table applies to your PeopleTools version.

Prerequisites & Pre-Change Checklist

✅ Before You Start

Stop all PeopleSoft domains — Stop all Application Server domains, Process Scheduler domains, and PIA web domains before beginning. Active connections will fail mid-session if you change the password while domains are running.

Take a full database backup — Always back up the database before making any password changes. If something goes wrong you need a clean restore point.

Note your Symbolic ID — Run this SQL to check your Symbolic ID before starting:
SELECT * FROM SYSADM.PSACCESSPRFL; — The value in the SYMBOLICID column (typically SYSADM1) is what you’ll use in Data Mover.

Know your new password — Have the new password decided and written down before you start. Oracle DB passwords are case-sensitive by default in Oracle 11g+.

Have SYS credentials ready — To change the SYSADM password at the Oracle DB level you need to connect as SYS (SYSDBA) or another DBA-privileged account.

Step-by-Step: Change SYSADM Password (Oracle Database)

Follow these steps exactly and in order. Do not skip or reorder them.

Stop All PeopleSoft Domains

Before changing any passwords, stop all domains cleanly:

# Stop Application Server domain
psadmin -c stop -d APPDOM

# Stop Process Scheduler domain
psadmin -p stop -d PRCSDOM

# Stop Web Server (PIA)
psadmin -w stop -d peoplesoft

Check the Symbolic ID in the Database

Connect to Oracle as SYS or a DBA account and run:

-- Connect as SYS
sqlplus sys/<sys_password>@<TNS_ALIAS> as sysdba

-- Check PSACCESSPRFL (pre-PT 8.55)
SELECT SYMBOLICID, ACCESSID, ENCRYPTED FROM SYSADM.PSACCESSPRFL;

-- For PT 8.55+, also check PSACCESSPROFILE
SELECT SYMBOLICID, STM_ACCESS_ID, ENCRYPTED FROM SYSADM.PSACCESSPROFILE;

Note the value in the SYMBOLICID column — this is almost always SYSADM1. You will need this in Step 4.

Change the Password at the Oracle Database Level

Point of no return — do this immediately before Data Mover in Step 4

Still connected as SYS in SQL*Plus, change the SYSADM Oracle user password:

-- Change Oracle DB password for SYSADM user
ALTER USER SYSADM IDENTIFIED BY <new_password>;

-- Confirm the change
-- (optional: try connecting as SYSADM with new password)
CONNECT SYSADM/<new_password>@<TNS_ALIAS>

⚠️ As soon as you run ALTER USER, the database password is changed. PeopleSoft is now broken until you complete Step 4. Do not stop here.

Run CHANGE_ACCESS_PASSWORD in Data Mover (Bootstrap Mode)

Open Data Mover on your client machine and log in using Bootstrap Mode:

Start Data Mover (from Start → PeopleTools → Data Mover)
Select File → Bootstrap Mode (or use the Bootstrap toggle in the login screen)
Log in as: User ID = SYSADM, Password = the new password you just set in Step 3
Select your database name and connect

Once connected in Bootstrap mode, run the following script:

SET LOG C:\temp\change_sysadm_pwd.log;

-- Replace SYSADM1 with your actual Symbolic ID from Step 2
-- Replace new_password with your actual new password
CHANGE_ACCESS_PASSWORD SYSADM1 new_password;

ENCRYPT_PASSWORD *;

CHANGE_ACCESS_PASSWORD updates the encrypted password in PSACCESSPRFL (and PSACCESSPROFILE for PT 8.55+). ENCRYPT_PASSWORD * re-encrypts all PeopleSoft operator passwords using the new key.

Verify Data Mover Completed Successfully

Check the Data Mover output window and the log file you specified. You should see:

CHANGE_ACCESS_PASSWORD SYSADM1 new_password;
Successful.

ENCRYPT_PASSWORD *;
1 rows updated for operator VP1.
1 rows updated for operator PS.
... (one line per operator)
Successful.

Step-by-Step: Change SA Password (SQL Server)

For Microsoft SQL Server environments, the schema owner account is SA (or a custom account if your installation used one). The process is identical in concept but uses MSSQL syntax:

SQL Server — Complete Script

Step 1 — Change the password in SQL Server Management Studio or via T-SQL:

-- In SQL Server Management Studio or T-SQL:
ALTER LOGIN SA WITH PASSWORD = 'new_password';

-- Or via SSMS: Security → Logins → SA → Properties → Change Password

Step 2 — Open Data Mover in Bootstrap mode (login as SA with new password), then run:

SET LOG C:\temp\change_sa_pwd.log;

-- For MSSQL the Symbolic ID is typically SYSADM1 or check PSACCESSPRFL
CHANGE_ACCESS_PASSWORD SYSADM1 new_password;

ENCRYPT_PASSWORD *;

PeopleTools 8.55+ Changes (PSACCESSPROFILE Table)

Starting with PeopleTools 8.55, Oracle introduced a new table called PSACCESSPROFILE to store Access ID information, replacing the older PSACCESSPRFL. If you run CHANGE_ACCESS_PASSWORD through Data Mover, it handles both tables automatically — no manual SQL needed.

However, if you ever need to reset the Access ID manually via SQL (for example, if Data Mover won’t start because passwords are already corrupted), use this approach for PT 8.55+:

-- Reset PSACCESSPROFILE to known state (PT 8.55+)
-- Run as SYS or SYSADM in SQL*Plus BEFORE running ENCRYPT_PASSWORD in Data Mover

UPDATE SYSADM.PSACCESSPROFILE
SET STM_ACCESS_ID   = 'SYSADM',
    SYMBOLICID      = 'SYSADM1',
    STM_ACCESS_PSWD = 'new_password',  -- plain text — will be encrypted by ENCRYPT_PASSWORD
    VERSION         = 1,
    ENCRYPTED       = 0
WHERE SYMBOLICID = 'SYSADM1';

COMMIT;

-- Also reset the older table for compatibility
UPDATE SYSADM.PSACCESSPRFL
SET ACCESSID   = 'SYSADM',
    SYMBOLICID = 'SYSADM1',
    ACCESSPSWD = 'new_password',       -- plain text — will be encrypted
    VERSION    = 0,
    ENCRYPTED  = 0
WHERE SYMBOLICID = 'SYSADM1';

COMMIT;

⚠️ After Running This SQL You must immediately log into Data Mover in Bootstrap mode and run ENCRYPT_PASSWORD *; to encrypt the plain-text passwords you just wrote. Leaving passwords unencrypted in the database is a serious security risk.

What to Update After Changing the Password

The Data Mover step updates the database record. But several other configuration files still store the old password in encrypted form. You must update all of them before restarting your domains.

psappsrv.cfg

Application Server Configuration

PS_CFG_HOME/appserv/<domain>/psappsrv.cfg

Required

Run psadmin to reconfigure the App Server domain. When prompted for the Access Password, enter the new password. PSADMIN will encrypt it and write it to psappsrv.cfg:

psadmin -c configure -d APPDOM
# At "AccessPswd:" prompt, enter the new SYSADM password
# PSADMIN will encrypt and store it in psappsrv.cfg

psprcs.cfg

Process Scheduler Configuration

PS_CFG_HOME/appserv/prcs/<domain>/psprcs.cfg

Required

psadmin -p configure -d PRCSDOM
# At "AccessPswd:" prompt, enter the new SYSADM password

Config Manager

Configuration Manager (pscfg.exe)

Windows client tool — update database profile password

If applicable

If you use two-tier mode (Application Designer connecting directly to the database), update Configuration Manager: Start → PeopleTools → Configuration Manager → Profile tab → edit your profile → update the Access Password field with the new password.

integrationGateway.properties

Integration Gateway Properties

Update if IB Gateway has direct DB credentials

Check

If your Integration Gateway configuration in integrationGateway.properties stores database credentials directly, update those as well. Check the file at PSIGW.war/WEB-INF/integrationGateway.properties.

Complete Update Checklist

Component	How to Update	Required?
Oracle DB (SYSADM user)	`ALTER USER SYSADM IDENTIFIED BY new_pwd`	🔴 Yes — Step 1
PSACCESSPRFL / PSACCESSPROFILE	Data Mover: `CHANGE_ACCESS_PASSWORD`	🔴 Yes — Step 2
psappsrv.cfg (App Server)	`psadmin -c configure -d <domain>`	🔴 Yes
psprcs.cfg (Process Scheduler)	`psadmin -p configure -d <domain>`	🔴 Yes
Configuration Manager (pscfg.exe)	Update profile Access Password field manually	🟡 If using 2-tier
integrationGateway.properties	Edit file and re-encrypt via gateway admin page	🟡 Check if applicable

Verifying the Change Was Successful

After completing all steps and updating all config files, restart your domains and verify:

Start Application Server — psadmin -c start -d APPDOM — check logs for “Connected to database” message, no ORA-01017 errors
Start Process Scheduler — psadmin -p start -d PRCSDOM — verify PSPRCSRV connects successfully
Start Web Server — psadmin -w start -d peoplesoft
Log into PIA — Navigate to your PeopleSoft URL and log in as a regular user (e.g., PS or VP1). A successful login confirms the encryption is correct.
Run a test process — Submit a simple Application Engine or SQR process through Process Monitor and confirm it runs to Success.
Verify in SQL*Plus — Connect as SYSADM with the new password from SQL*Plus to confirm the database-level change is correct:
sqlplus SYSADM/new_password@TNS_ALIAS

Troubleshooting — When Things Go Wrong

🔴 Error: ORA-01017: invalid username/password; logon denied

Cause: The App Server or Process Scheduler is trying to connect with the old SYSADM password. Fix: Reconfigure the domain via psadmin -c configure -d <domain> and enter the new password when prompted for AccessPswd.

🔴 Error: “Unable to log on” after changing password — all users locked out

Cause: CHANGE_ACCESS_PASSWORD or ENCRYPT_PASSWORD was not run after changing the Oracle password. The encrypted password in PSACCESSPRFL no longer matches the Oracle password. Fix: Log into Data Mover in Bootstrap mode using the new Oracle SYSADM password and re-run: CHANGE_ACCESS_PASSWORD SYSADM1 new_password; ENCRYPT_PASSWORD *;

🔴 Error: Data Mover Bootstrap Mode fails to connect

Cause: Oracle Client or ODBC connection issue on the Windows workstation. Fix: Verify the Oracle Client is correctly installed and the TNS_NAMES.ORA / TNSNAMES entry is correct. For SQL Server environments, ensure the 32-bit System DSN is configured in C:\windows\SysWOW64\odbcad32.exe (not the 64-bit version).

⚠️ ENCRYPT_PASSWORD * runs but shows 0 rows updated

Cause: The Symbolic ID passed to CHANGE_ACCESS_PASSWORD didn’t match what’s in PSACCESSPRFL. Fix: Run SELECT SYMBOLICID FROM SYSADM.PSACCESSPRFL; and use the exact value returned. Remember it is case-sensitive.

🆘 Last Resort — If Data Mover Won’t Start & Nobody Can Log In

If you cannot start Data Mover in Bootstrap mode because the passwords are completely out of sync, reset the PSACCESSPRFL table manually via SQL*Plus as SYS, setting passwords to plain text (ENCRYPTED=0), then immediately log into Data Mover and run ENCRYPT_PASSWORD *:

-- Run as SYS in SQL*Plus
UPDATE SYSADM.PSACCESSPRFL
SET ACCESSID='SYSADM', ACCESSPSWD='new_password', VERSION=0, ENCRYPTED=0
WHERE SYMBOLICID='SYSADM1';
COMMIT;

-- For PT 8.55+
UPDATE SYSADM.PSACCESSPROFILE
SET STM_ACCESS_ID='SYSADM', STM_ACCESS_PSWD='new_password', VERSION=1, ENCRYPTED=0
WHERE SYMBOLICID='SYSADM1';
COMMIT;

-- Then immediately open Data Mover Bootstrap mode and run:
-- ENCRYPT_PASSWORD *;

Frequently Asked Questions

Q: Can I just change the SYSADM password in Oracle SQL*Plus without doing anything in PeopleSoft?

No — absolutely not. Changing the Oracle password without running CHANGE_ACCESS_PASSWORD in Data Mover will immediately break your PeopleSoft environment. The encrypted password stored in PSACCESSPRFL will no longer match Oracle’s password, and every user login attempt will fail with an Oracle authentication error. Always follow the full process.

Q: What is Bootstrap Mode in Data Mover?

Bootstrap Mode allows Data Mover to connect directly to the database using the database account credentials (SYSADM/password) rather than going through the normal PeopleSoft authentication process. This is required for operations like CHANGE_ACCESS_PASSWORD because the PeopleSoft authentication layer itself depends on the very data you are changing. In Bootstrap Mode, Data Mover bypasses PeopleSoft security and connects directly to Oracle.

Q: What is the difference between SYSADM password and the PS user password?

The SYSADM password is the Oracle database-level password for the schema owner account — it is not a PeopleSoft user. The PS user password is a PeopleSoft operator account password stored in PSOPRDEFN — it’s what you type at the PIA login screen. They are completely different. This article covers SYSADM (the database account). To change the PS operator password, go to PeopleTools → Security → User Profiles or use ENCRYPT_PASSWORD PS; in Data Mover.

Q: Do I need to change the SYSADM password after a database refresh?

Yes — this is one of the most common scenarios for running CHANGE_ACCESS_PASSWORD. When you refresh a non-production database from a production copy, the SYSADM Oracle password in the refreshed environment will typically be different from production for security reasons. Running CHANGE_ACCESS_PASSWORD with the correct password for the target environment (e.g., the DEV SYSADM password) ensures the refreshed database’s PSACCESSPRFL matches the actual Oracle password.

Q: Does changing the SYSADM password affect all PeopleSoft users?

Yes — indirectly. Because SYSADM’s password is used as part of the encryption key for all operator passwords in PSOPRDEFN, running ENCRYPT_PASSWORD * after the change re-encrypts every user’s password. Users don’t need to change their PeopleSoft login password — they can still log in with the same password they used before. The encryption is transparent to them. What changes is only the internal encrypted representation of their password in the database.

PeopleSoft Admin Training

Master PeopleSoft Security & Administration

Learn password management, security configuration, Data Mover scripting, and all critical admin tasks with hands-on lab access and expert-led instruction from corporate professionals.

✅ 30+ Hours Instructor-Led Training

✅ Real-Time Lab Access

✅ PeopleTools Upgrade & Patching

✅ Interview & Resume Support

📞 Call / WhatsApp +91-7678211866

📧 Email info@peppertechsolutions.com

#PeopleSoft #SYSADM #DataMover #PeopleSoftSecurity #ChangeAccessPassword #PeopleTools #PeopleSoftAdmin #Oracle

PepperTech