Row security ANPA

adeel

VIP Member
Hello there
We have security in place for f060116 table only for supervisor anpa.
so the supervisor only can see their team in employee master.

I am going to implent to *All instead of only above table which make more sense to block entire tables in JDE.

Just wondering is there any issue with that?

note i will not apply to HR and FIN supervisor as they are power users.

Thanks
 
Adeel,

That is a fairly subjective question as it depends on what parts (and related tables) of JDE you use.

The best way forward would be to check which tables include ANPA (a relatively simple SQL) and ensure that for your organisation (Australian spelling) such a row security entry would cause no issues.

Here is the Oracle SQL:
SELECT
(Select SIMD From OL910.F9860 Where SIOBNM = TDOBNM AND SIFUNO = 'TBLE') Table_Description,
a.*
FROM PD910.F98711 a
WHERE TDOBND = 'ANPA'
ORDERBY TDOBNM
 
Thanks Peter. there are around 30 + tables when i did xref in jde other day.
It is good to secure just in case users get data browser by mistake and they may browse table and have access yo all employee. Giving another level of security. i thought it might be a performance issue.

Thanks.
 

Attachments

  • screen.jpg
    screen.jpg
    19.1 KB · Views: 8
Last edited:
Thanks Peter
I implemented the row security *all but when user create PO it is giving error business unit not exists, the reason is that the ANPA field exists in f0006 as well. find attach the list of all tables.
I don't know how I can exclude one table as our has inclusive row security. May be I need to create business unit security top of *ALL supervisor row security?

Thanks
AD
 
Adeel,

We have row security set up on MCU for *ALL tables and have additional MCU row security for specific tables. So what I'm suggesting is have two entries, the first not allowing access to *ALL tables and the second allowing access to F0006. The search sequence looks for the table name first and then *ALL.
 
Thanks Peter. i think i under what you said and i will try that.
I assume the second entry will have long range instead of employee id i used in first entry which is 6000 shown below.

first entry
table =*all
data item =supervisor
from=6000
to = 6000

second entry
table=f0006
data item= supervisor
from=1
to=999999999

Thanks
 
Adeel,

That looks like it should work. If you can test it in you test/dev system/environments.
 
Thanks Peter
It worked I also added three more table which has data and MCU ranges just to avoid issue in the future. Now I know how to fish. :)
For curiosity. When I did xref I found each tables has the table sequence e.g 92, 107 etc, Is this something I need to worry about? Just wondering higher number will override? if have multiple tables with same data items

Thanks
AD
 
Adeel,

I'm not sure what the table sequence is, where is it (table and column)?

But I know that it would not affect the way security works. Security workbench entries are searched first by user, then by role (supposedly using the role sequence in ascending order for multiple roles assigned to the user, but this may not work properly), then finally the role *PUBLIC. With in the user/role the search uses the object name first, then *ALL. The search proceeds until an entry is found.
 
Hi Peter

Look at the attachment, when you type xref in fastpath and search on the data item, you see the table seq.
I guess within users/roles level if you have many row security which may conflicting and the first search table sequence wins? same as role sequence. my thought.

thanks
AD
 

Attachments

  • tableseq.jpg
    tableseq.jpg
    24.2 KB · Views: 9
Adeel,

That sequence refers to the column sequence within the table (F98711.TDPSEQ).

Here is a SQL that will produce the same information:

select tdobnd Data_Item_Name,
(
Select FRDSCR From DD910.F9202 Where FRDTAI = TDOBND AND FRSYR = ' ') Data_Item_Description,
tdobnm Table_Name,
(
Select SIMD From OL910.F9860 Where SIOBNM = TDOBNM AND SIFUNO = 'TBLE') Table_Description,
tdpseq Table_Sequence
FROM PD910.F98711
where tdobnd = 'ANPA'
order by tdobnm
 
Hi Jon,

Regarding performance I would say that about 30% clients who use MCU security (who are in turn maybe 40% of total) apply to *ALL. I think it used to give more performance issues than with 9.1.
 
Back
Top