Restricting SYSADMIN role to be assigned to users

htan

Member
How do you restrict the SYSADMIN role from being assigned in the Role Relationship program? We have a Help Desk role for the help desk to do all user-creation-related tasks, including creating new users, assigning roles, and changing user passwords. I am stuck with restricting the SYSADMIN role from being assigned to a user.
I have tried setting up row security on F95921, and that results in no one being able to see all the existing role records that had been assigned to the users. I have tried setting up row security on F0092 so the SYSADMIN role can only be viewed, but any type of row security will result in a sign-in error in the log that looks like the one below.

4924/5216 MAIN_THREAD Tue Dec 18 09:53:21.999000 Jdb_ctl.c3488
Starting OneWorld

4924/5216 WRK:Starting jdeCallObject Tue Dec 18 09:53:26.843000 jdecsec.c343
Unable to fetch proxy info: the client must call jdeSecValdiateUserByPwd or jdeSecValidateUserByToken first

4924/5216 WRK:Starting jdeCallObject Tue Dec 18 09:53:26.859000 jdecsec.c343
Unable to fetch proxy info: the client must call jdeSecValdiateUserByPwd or jdeSecValidateUserByToken first

4924/5216 WRK:Starting jdeCallObject Tue Dec 18 09:53:26.859001 jdecsec.c343
Unable to fetch proxy info: the client must call jdeSecValdiateUserByPwd or jdeSecValidateUserByToken first

4924/5216 MAIN_THREAD Tue Dec 18 09:53:26.968000 Jdb_ctl.c1148
JDB4100001 - Failed to validate Env handle

When asking for help from Oracle, the developer there replied, "We recommend restricting important application access only to SYSADMIN." But I thought it is ridiculous to have CNC admin to do mundane tasks like assigning role to users.

Do you have a creative idea to resolve this situation?

HT
8.12/8.96F1 SQL Server 2000 Windows 2003
 
[ QUOTE ]
But I thought it is ridiculous to have CNC admin to do mundane tasks like assigning role to users.


[/ QUOTE ]

Assigning roles to users falls under security administration and JDE security is part of the CNC job description. Even though it's not one of the most exciting things to do at times it still needs to be done and is all part of the job.

There was a similar post recently for a similar type of issue. Someone suggested creating a custom app with ER to filter out the unwanted records. Never tried it myself but you may want to look into that.
 
[ QUOTE ]
But I thought it is ridiculous to have CNC admin to do mundane tasks like assigning role to users.
-~-~-~-~-~-~-~-~-~-~-~-

Assigning roles to users falls under security administration and JDE security is part of the CNC job description. Even though it's not one of the most exciting things to do at times it still needs to be done and is all part of the job.


[/ QUOTE ]

MMMMM...user security...that is how I got my avatar (see left)...

...it only hurts when I stop...
 
But why can't a CNC admin focus on a bigger picture like setting up security in Security Workbench that affects larger user community and have to work on dealing with individual user requests?

Or spending time on upgrading, installing ESU that has greater impact on the system where CNC skills are more valuable there?
 
In a perfect world that would be the case. Unfortunately, the key management of a lot of companies can't spell CNC, let alone summarize what they do. As a consequence, the segregation of duties is often just not there (thank you SarbOx for forcing companies to think before mixing technical and application roles!), and CNCs do much more than the high level work that you lay out. I have had to work on password resets ("and for the 99th time, no, I can NOT send you your password"), application troubleshooting (AND correction) and other things in addition to trying to corral change management, ESUs, service packs, tools releases and the like.
 
Hi, let us go back to your original request of restricting the SYSADMIN role from being assigned to a user.
- If you can restrict application P95921 to only a few key users, you do not need to use row security. I assume all role assignment should be done by P95921. We apply N access for application security for P95921 on all IT users. *PUBLIC has no access to P95921.

- Only when you have to grant P95921 to many users do you need to think about using row security on F95921. If you have a problem with this, please email me your security records.

Hope it helps.

Harry
 