E9.2 How do I block access to security for all users?

sontu99

Member
I am a new JDE user and am struggling to learn the concepts of security. My company has recently discovered that if users know the Fastpath codes for P98owsec and P95921, they can change their passwords and roles themselves without an administrator!!! This is clearly a huge security hole that I have been tasked to resolve.

So far my best guess from research would be to lock down both of these programs in Security Workbench for *PUBLIC. But...do I do this using Action Security? Application Security too, maybe? I also can't figure out how to add the actual record. Or what to do with the lock/"Secured" icon on the bottom and how to add items to it. Can anyone please dumb this down for me? I have tried reading lots of articles and haven't had much luck understanding the overall concepts, it seems.
 

Attachment: actionsecurity.png
Don't leave Fast Path access open! You should look into setting up Task Explorer Security (type "A") records in P00950, denying access to Fast Path to *PUBLIC and granting back access to only those roles/users who should have it. Besides securing P98OWSEC and P95921 there are many other applications you should secure (like P00950 and P0092). If you haven't already, I'd recommend working with a knowledgeable consultant, and there are several business partners out there who specialize in helping you secure your JDE system (like ALLOut Security or Q Software).
 
Thank you!
 
If you are/were operating with those records open to all users then it sounds like you are operating in a very "security open" environment.

There are LOTS of little nooks and crannies where users can cause untold grief. Leaving Fast Path open to all, without locking users out of these, invites trouble. Think company constants, module constants... it also leaves open all the failures to segregate duties. Think for example an AP operator able to enter suppliers, supplier bank accounts, purchase orders and invoices on suppliers without segregation.

Advisers will probably steer you to a security closed environment. This sets Role *PUBLIC for Object *ALL for Application security to N for Run and Install. It then grants all needed UBE and APP items back to users on the basis of need. This task can be very onerous, and is likely to take a significant time, depending on the complexity of your environment. It will cause initial pain, but that will abate over time as security settles in to give people only the appropriate access. Once this is done, the granting or restriction of fastpath is no longer a particularly significant issue.

Main security in this environment relies on Application Security to stop you running stuff in the first place (or permit you, depending on open or closed status). Action Security determines what you can do in interactive applications - add, change, delete - and processing option security determines the level of access you get over running UBEs to determine data selections and processing options.
 
Based on your screenshot, you are a fully open security environment. The *PUBLIC *ALL all Y record is not needed, as open access is the default behavior for JDE. You can secure by adding a type 3 record for P00950, P95921 and others, but you will soon discover that there are MANY more programs that users should not be accessing. The best method is, as others have mentioned, to apply a *PUBLIC *ALL Run/Install = N + *ALL Action for Add, Change, Delete, Copy, Scroll to End = N (leave OK/Select set to Y). However, once this is done, users can only run what you have given them access to, so the role-based access control needs to be set up first. If you aren't sure how to do all of this, I would strongly recommend you get in touch with a JDE consulting partner to discuss your options.
 
A few things for you to consider:
1. You have application *all=Y in *public (all doors open) right now. So the short term is to
a. deny Fast Path by putting a Solution Explorer security in *public. You might need to create menus so users can run them from menus instead of running from Fast Path.
b. deny P98owsec and P95921 in application security in *public
c. FYI - normally we allow a user to change his own password. Then you can grant P98owsec but deny the relevant form like W98OWSECE.
Using Application security is better than controlling row exit, form exit.
2. Long term solution is to plan your security to be all doors closed with application *all=N in *public. As you need to know what application to grant, it might take some time and planning.
Hope it helps. I will be happy to share my knowledge and experience with you. I have gone through it myself some years ago.
--Harry
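
The open, short-term and closed setups described in this thread, as an added example that is not part of any post and is not JD Edwards code: a simplified Python model of Application Security (type 3) Run records only, leaving out Fast Path and form-level security. It assumes the most specific record wins (user, then role, then *PUBLIC; a named application before *ALL); the user names, role names and the PXXAP01 application are constructed.

```python
from typing import NamedTuple

class Rec(NamedTuple):
    who: str    # user id, role, or "*PUBLIC"
    obj: str    # application id, or "*ALL"
    run: bool   # Run = Y (True) / N (False)

def can_run(records, user, roles, obj):
    """Return (allowed, deciding_record) for one user and one application."""
    index = {(r.who, r.obj.upper()): r for r in records}
    # Assumed precedence: user -> role(s) -> *PUBLIC, named object before *ALL.
    for who in [user, *roles, "*PUBLIC"]:
        for target in (obj.upper(), "*ALL"):
            rec = index.get((who, target))
            if rec is not None:
                return rec.run, rec
    return True, None  # no record at all: open access, as the thread describes

def audit(records, users, sensitive):
    """List every (user, application) pair that can still run a sensitive app."""
    return sorted((u, app) for u, roles in users.items() for app in sensitive
                  if can_run(records, u, roles, app)[0])

# Constructed sample data; application ids in SENSITIVE come from the thread.
SENSITIVE = ["P98OWSEC", "P95921", "P00950", "P0092"]
USERS = {"APCLERK1": ["AP_ENTRY"], "SECADMIN1": ["SEC_ADMIN"]}

# 1. Fully open: *PUBLIC *ALL = Y.
OPEN_ENV = [Rec("*PUBLIC", "*ALL", True)]
# 2. Short term: deny the two programs to *PUBLIC, grant back to admins.
SHORT_TERM = OPEN_ENV + [
    Rec("*PUBLIC", "P98OWSEC", False), Rec("*PUBLIC", "P95921", False),
    Rec("SEC_ADMIN", "P98OWSEC", True), Rec("SEC_ADMIN", "P95921", True)]
# 3. Closed: *PUBLIC *ALL = N, then grant back per role.
CLOSED_ENV = [Rec("*PUBLIC", "*ALL", False),
              Rec("AP_ENTRY", "PXXAP01", True),  # placeholder application id
              *[Rec("SEC_ADMIN", app, True) for app in SENSITIVE]]

if __name__ == "__main__":
    for name, recs in [("open", OPEN_ENV), ("short-term", SHORT_TERM),
                       ("closed", CLOSED_ENV)]:
        print(f"{name:11}", audit(recs, USERS, SENSITIVE))
```

In the short-term setup the audit still lists P00950 and P0092 for the AP clerk, which is the gap the closed setup removes.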
 