Roles, Menus and Security Best Practice: Process Based Roles (PowerPoint presentation transcript)

Posted 25-Feb-2016

TRANSCRIPT

Roles, Menus and Security Best Practice: Process Based Roles

Kristina O’Leary, Brian Connor

JD Edwards E1 Xe through to Version 9

Product Awareness Sessions

ALL Out Webinar Program, www.alloutsecurity.com

Product Awareness Sessions (English, Spanish and French)
• ALL Out for EnterpriseOne
• ALL Out for World
• ALL Out for IBMi

Education Sessions
• Reporting, Segregation of Duties and Compliance
• Multiple Roles
• “Open to Closed without Pain” (E1 only)
• ALL Out Product Awareness
• Task View Best Practice

Technical Webinars – E1
• Cost justifying an upgrade
• Choosing the right platform

ALL Out for E1 – Xe to Version 9: Agenda

• ALL Out the company
• Product Strategy
• Common Practice vs. Best Practice
  – Multiple Roles in Standard E1
  – Best Practice for Roles
  – Best Practice for Menus (Task Views)
  – Best Practice for Security
• StartOut Template from ALL Out
  – Standard Process Based Roles
  – Standard Task View
  – Role Based Security
  – E1 Pages
• Demonstration

ALL Out

• Colorado Registered LLC
• Oracle Partner; software has been Validated by Oracle
• JD Edwards World and EnterpriseOne solution provider
• Established in 2004 to address security and SOX issues faced by JDE clients

Product implements “Best Practice” E1 V9 (in all versions – even in Xe):
• Security Set-up and Management
• Menu Set-up and Management
• Multiple Roles Management
• Reporting & SOD Rules and Reports

ALL Out is a Toolset to help manage standard JDE tables

E1 Customers – 140+

Hickory Springs (NC), Korbel Champaign (CA), Spirax Sarco (UK), PowerStream (ON), ERCO (ON), Menu Foods (ON), National Oilwell (TX), Nektar (CA), AEP (NJ), Dean Foods (TX), Diamond Foods (CA), Harlan (IN), Colbond (NL), Meritage Homes (AZ), Multotec (South Africa), Santam (South Africa), JP Avax (Greece)

Hard Rock Hotel (MS), Mizuno (GA), Choctaw Nation (OK), Henry Company (CA), WBIP (ND), Beverly Micro (MA), Hanson (UK), Valley Crest (CA), Norgine (UK), Bellco Health (NY), Kenwood Trucks (ANZ), Oil Search (Australia), Mary Kay (TX), Westfield (CA), Christies Auctions (UK), Al Baker (UAE), Henry Company (CA)

Diagram (labels only): USER; Role 90, Role 80, Role 70; Role A, Role B, Role C, Role D, E, F; Tasks and 1 Task View; Role Based Menu Filtering; SECURITY

Multiple Roles as designed in E1

• Sign on *ALL Roles
• Reports & S of D?
• Security file empty
• Menu + Sec. out of Synch
• Role Sequencer Conflicts

If set up correctly it virtually eliminates security management. All you are doing is assigning and de-assigning roles.

• Users Switching Roles

Best Practice for Roles

Achieve Best Practice
• Use Role Based Menus and Security and E1 Pages
• Small Process Based Roles – “Users change – Processes Don’t”
• Process based roles are necessary to achieve segregation of duties
  – Role AP Manager will likely contain SoD breaches
• Security needs to be “Deny ALL, Grant Back”
• Role based security should be “Yes” settings at role level
• Role based menu filtering
• Have separate roles for functional security and data security
  – Application and action code security in functional role
  – Data security (row and column security) in a separate role
  – Allows for more flexibility and reusability when assigning roles to users
• Roles should not have Segregation of Duties conflicts within them
• Resolve role sequencer conflicts to user or Super Role

JDE *Groups (Xe) vs. Roles (9.0)

| | 8.9 – 9.1 | ERP 8.0 (Solution Explorer) | Xe (OneWorld Explorer) |
|---|---|---|---|
| Security: F00950 | ROLES | *GROUPS | *GROUPS |
| Security: F0092 | ROLES. Note: a role needs F0093 environment records. | *GROUPS. Confusingly may also be referred to as SYSTEM ROLES | *GROUPS |
| Security: F95921 | ROLES are assigned to users in F95921 – Note include in *ALL flag | *GROUPS are assigned to USERS in F0092 | *GROUPS are assigned to users in F0092 |
| Roles: F9006 | MENU FILTERING (F9006) for ROLES | FINE CUT (F9006) for ROLES | Initial Menu Defined in F0092 |
| Menus | MENU FILTERING (F9006) for ROLES | MENU ROLES are defined in the UDC H95 RL | ‘G’ Menus |
| Role Relationships | ROLES are assigned to users in F95921 – Note include in *ALL flag | MENU ROLES are assigned to USERS in F95921 – Note ‘Default’ role flag | Assigned in F0092 for USERS and *GROUPS |

Benefit of Multiple Role Setup (JDE 8.9++)

JD Edwards/Oracle has invested significant resources into developing multiple role based menus and security in E1. The concept delivers tremendous benefits.

Process Based Roles vs. User Based Roles

Process Based: ROLES = PROCESSES (voucher entry, payment approval, etc.)
• Processes are relatively static. Once they are defined in E1 they are unlikely to change.
• As a user’s responsibility changes, so the role assignment changes, but the underlying menus and security do not.

User Based: ROLES = USERS (AP Clerk, AP Manager)
• Users come and go, get promoted, move departments – this process inherently implies change.
• This implies a lot of security and menu changes and the creation of new role(s) to adjust to the user’s job.

Best Practice for Task Views

Achieve Best Practice for Task Views
• Single Task View
• Shallow Menus – one folder deep. Clicks cost you money
• Remove “Dead Ends” using Menu Filtering
• Use local language to reduce staff training

OneWorld Explorer Menus (Xe/ERP8)

• Users have one initial menu assigned in F0092 (‘G’ Menu)
• Need to customize menus if you wish to restrict users to options without using F00950 security.
• Tables are F0082 (menus), F00821 (menu options) and F0083 (menu descriptions)

ALLOut allows you to automatically convert to Solution Explorer – and optionally to create role Menu Filtering using users’ initial menus.

Solution Explorer Menus (ERP 8 – 9.1)

Diagram labels: Applications, External Call, UBE’s

• JDE programs and folders are defined as ‘tasks’ (Tasks Table F9000), usually as folders (type ‘07’), applications (‘01’) or UBEs (‘02’).
• ‘Alternative Language’ descriptions can be defined for tasks within table F9002 (Task Alternate Descriptions)
• Tasks are then assigned to one another within a parent/child relationship (Task Relationship F9001)

Solution Explorer permits multiple ‘task views’ to exist – however, ALLOut recommends the use of a single view for simpler maintenance

Task View

Role Based Menu Filtering (FineCut)

Menu Filtering (Fine Cut in ERP 8.0) gives you the ability to hide tasks by role. Empty folders are hidden and users will have simpler menus.

Allows unauthorized versions to be hidden without requiring F00950 version level security.

In all versions of JDE, users can choose which role menu they see. In 9.0 you can force *ALL, and we recommend doing so.

The table that stores the fine cut records is F9006.

Security Best Practice

• You need Application and Action Code security
• Operate in a ‘Closed’ or ‘Deny All’ security environment
• Avoid using ‘N’ settings, except at *PUBLIC. Security is easier to understand when the only ‘N’ records in the F00950 table are at *PUBLIC and *ALL level. You should not need many additional ‘N’ settings at the user or role level.
• Use security sparingly at version level and form level; use this only where specifically required.
• Avoid user level security, put all security in roles. Exception: resolve role sequencer conflicts at user level.
• Use small, process based security so that your work is reusable and clean
• Avoid putting ‘data’ security and ‘program’ security in the same roles
• You will need little Solution Explorer Security
• When you have a ‘closed’ system, you do not need Hyper Exit Security! This type of security creates maintenance issues in exponential proportion to the number of records you create.

Why Segregation of Duties

• Segregation of duties is critical for achieving effective internal control
• Reduces risk of erroneous and inappropriate actions
• Critical functions should be separated among employees
• When functions cannot be separated, a manual review of activities is required
• Segregation of duties is a deterrent to fraud. One user does not have sufficient access to perform all steps of a process

Example: A user can create a fictitious vendor or make changes to a vendor master file, enter a purchase order for this vendor, and then issue payment to the vendor.

Segregation of Duties in JD Edwards E1
• There is typically more than one way to initiate a transaction
• Securing access via a menu is not sufficient (too many row exits and form exits that allow a user to access a program)
• Determining high risk conflicts and implementing effective SOD rules requires a partnership between IT, Finance and Internal (or External) auditors
• Automate user access reporting to determine what rules are being violated
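As an added example (not ALL Out’s product or its reports), a small Python check for the two SoD points made above: roles that carry a conflict within themselves (the “AP Manager” case) and users whose combined roles together complete a forbidden path such as create vendor, order, pay. The business functions, role names and rules are constructed placeholders, not JD Edwards program ids.

```python
# Constructed role -> business functions map (what each process role grants).
ROLE_FUNCTIONS = {
    "AP_VENDOR_MAINT": {"vendor_master"},
    "AP_VOUCHER_ENTRY": {"voucher_entry"},
    "AP_PAYMENT": {"payment_issue"},
    "PO_ENTRY": {"purchase_order"},
    # A user based role of the "AP Manager" kind: it breaches SoD on its own.
    "AP_MANAGER": {"vendor_master", "voucher_entry", "payment_issue"},
}

# Constructed SoD rules: pairs of functions one person must not hold together.
SOD_RULES = {
    frozenset({"vendor_master", "payment_issue"}): "create vendor and pay it",
    frozenset({"purchase_order", "payment_issue"}): "order goods and pay for them",
    frozenset({"vendor_master", "purchase_order"}): "create vendor and order from it",
}

def conflicts_in(functions):
    """Names of the SoD rules violated by one set of business functions."""
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= functions)

def role_conflicts(role_functions=ROLE_FUNCTIONS):
    """Roles that violate a rule by themselves (should be empty under best practice)."""
    return {r: c for r, f in role_functions.items() if (c := conflicts_in(f))}

def user_conflicts(assignments, role_functions=ROLE_FUNCTIONS):
    """Per-user violations computed over the union of all assigned roles."""
    report = {}
    for user, roles in assignments.items():
        held = set().union(*(role_functions[r] for r in roles))
        if c := conflicts_in(held):
            report[user] = c
    return report
```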

Closed (Deny ALL) vs. Open Security Model

App + Action Code security at each level:

| Level | OPEN SYSTEM | CLOSED SYSTEM (“Deny ALL”) |
|---|---|---|
| *PUBLIC *ALL | “Y” settings | “N” settings |
| *PUBLIC | Some “N” settings | Some “Y” settings |
| ROLES or *GROUP | Lots of “N” settings | Lots of “Y” settings |
| USERS | No security or “Y/N” settings | No security or “Y” settings |

JD Edwards “Hierarchy” of effective security records (Xe/ERP8)

Within each of the User, *Group/Role and *Public columns, object levels from strongest to weakest:
1. Form Version
2. Form
3. Program Version
4. Program
5. *ALL Programs

Columns from strongest to weakest: User, *Group/Role, *Public.

JD Edwards “Hierarchy” of effective security records (8.9++)

Within each of the User, Role #20, Role #10 and *Public columns, object levels from strongest to weakest:
1. Form Version
2. Form
3. Program Version
4. Program
5. *ALL Programs

Columns from strongest to weakest: User, Role #20, Role #10, *Public.

JDE Role Sequencer (8.9++)

Example with Action Code Security, for access to program P04010:
• Actual record for Role 1 (sequence #60): NNNYNY
• Actual record for Role 2 (sequence #50): YYYYYYY
• What is effective for the user (winning record is determined by the role sequencer): NNNYNY

Example with Row Security, for access to company field ‘CO’:
• Actual records for Role 1 (sequence #60): Value Range 1 thru 1, YYYY
• Actual records for Role 2 (sequence #50): Value Range 3 thru 3, YYYY
• What is effective for the user (winning records are determined by the role sequencer): Value Range 1 thru 1 only

Row security in E1 – only the role with the highest role sequence is used.

• A role is defined in F0092 but its description and sequencer number are defined in F00926!
• (Note F00926 does not exist in Xe or ERP8)
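The hierarchy, “Deny ALL” and role sequencer slides above describe how JD Edwards picks the winning F00950 record; this added Python model (not ALL Out’s code and not Oracle’s algorithm) applies those rules to constructed sample records so the sequencer conflict and its user-level fix can be seen. The combined precedence it assumes (user over role over *PUBLIC, more specific object over less specific within a level, highest sequence number between roles) and the role, user and object names are assumptions.

```python
from dataclasses import dataclass

# Object specificity, strongest first, as on the deck's hierarchy slides.
SPECIFICITY = {"form_version": 5, "form": 4, "program_version": 3, "program": 2, "*ALL": 1}

@dataclass(frozen=True)
class SecRecord:
    principal: str  # user id, role name, or "*PUBLIC"
    level: str      # one of the SPECIFICITY keys
    obj: str        # form/version/program the record applies to, or "*ALL"
    allow: bool     # True = "Y" record, False = "N" record

def effective_access(user, roles, records, target):
    """Resolve whether `user` may use `target`, e.g. {"program": "P04010"}.
    roles: {role_name: sequence number}. Assumed precedence: user > role >
    *PUBLIC; more specific object wins within a level; higher sequence wins
    between roles (the deck's role sequencer)."""
    requested = {**target, "*ALL": "*ALL"}   # an *ALL record always matches
    def rank(rec):
        if rec.principal == user:
            tier, seq = 3, 0
        elif rec.principal in roles:
            tier, seq = 2, roles[rec.principal]
        elif rec.principal == "*PUBLIC":
            tier, seq = 1, 0
        else:
            return None                      # record belongs to someone else
        return (tier, SPECIFICITY[rec.level], seq)
    candidates = [r for r in records
                  if requested.get(r.level) == r.obj and rank(r) is not None]
    if not candidates:
        return False                         # nothing matched: deny (closed model)
    return max(candidates, key=rank).allow

# Constructed sample F00950-style records for a "Deny ALL" set-up.
SAMPLE_RECORDS = [
    SecRecord("*PUBLIC", "*ALL", "*ALL", False),              # closed system
    SecRecord("AP_VOUCHER_ENTRY", "program", "P04010", True),  # sequence 50
    SecRecord("AP_INQUIRY_ONLY", "program", "P04010", False),  # sequence 60
]
ROLES = {"AP_VOUCHER_ENTRY": 50, "AP_INQUIRY_ONLY": 60}
TARGET = {"program": "P04010"}

def demo():
    # Conflict lost to the higher sequence (60), then resolved with a user record.
    blocked = effective_access("JSMITH", ROLES, SAMPLE_RECORDS, TARGET)
    fixed = effective_access("JSMITH", ROLES, SAMPLE_RECORDS +
                             [SecRecord("JSMITH", "program", "P04010", True)], TARGET)
    nobody = effective_access("NEWHIRE", {}, SAMPLE_RECORDS, TARGET)
    return blocked, fixed, nobody
```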

Best Practice for Process Based Roles

• Standard Roles
• Task View
• Security
• E1 Page Generator

Standard Process Based Roles: Comprehensive Role Template
• Role, Task View, Security
• Tasks & Task View
• Standard Roles
• Role Based Security

Process Based Implementation
• E1 Pages

Standard Process Based Menus & Roles to Your Menus & Roles

Modify spreadsheet to suit your business. Generate Roles:
• Select Destination for Roles Worksheet
• Copy Roles from Spreadsheet into ALL Out User/Role Maintenance Form
• Create F0092 Records for Roles

Next Step: Extract Security
• Specify Destination Spreadsheet for Security Worksheet
• Copy Security from Spreadsheet into ALL Out Security Upload Form
• Paste into ALL Out Security Upload Form
• Create F00950 Security Records: Application and Action Code Security for ‘DENY ALL’

Extract Menu and Create Task View
• Specify Destination Spreadsheet for Menu Worksheet
• Copy from Spreadsheet into ALL Out Menu Management Grid
• Create a New Task View (ALL Out Menu Maintenance: Form Exit/Task Views)
• Paste into ALL Out Menu Management Grid and click Update to Database
• Create F9000 and F9001 Task and Task Relationship Records
• Admire Your New Task View (you may need to log out and back in)

Generate E1 Tab Pages from Spreadsheet

Specify Output Location: dat_file is in the folder where E1 Generator resides

See Oracle Support Document 1401833.1 (E1: E1Page: Overview, Download, and Quick Start Guide for the E1 Page Generator)
• For Tools release 9.1.2 or higher
• For Tools release 9.1

• Preview dat_files
• Run generatPages.bat
• Review Output in output_pages
• Open folder, and preview html file
• Add Page to E1 Environment: P982400. Click Add
• Enter Object Name, Product Code and Page Title. Click Upload Content
• Browse and Select the Output Page to Upload: upload the zip file from the output_pages folder
• Upload Content and Click ‘View Page’
• View Page in E1!
• Define Activity Statuses in UDC 95/US
• Define Activity Status Flows: P982405. Simple Status Flow: Editing to Approve. Status flows can be as restrictive or lenient as you need them to be.
• Click on Status to Update. In this example, updating from Editing to Approve
• After page is ‘Approved’: Form Exit/Admin/Publish
• From Published User Generated Contents: click Add and assign Users and/or Roles to Page (Page Name, User/Role)
• Publishing Page to Role creates an ‘H’ type security record in the F00950 table
• Last Step: Activate Page. P982400: Form Exit/Activate
• Log Out and Log Back In to View Page

Demonstration

ALL Out Contacts

Sales Support: Hazel @ alloutsecurity.com

Consulting:
Brian Connor: Brian.Connor@ alloutsecurity.com
Kristina O’Leary: Kristina.Oleary@alloutsecurity.com
