mfrappier001
Member
Hello list,
I need to implement OneWorld application Security for 3/4 of all OneWorld
modules, 75-100 security roles, about 2500 HTML users & 30-50 FAT clients.
I've had conflicting recommendations from JDE List & several consultants as
to the BEST approach to secure this environment. I NEED YOUR BEST TECHNICAL
RECOMMENDATIONS.
Basically, there are 2 ways to approach this:
#1 PERMISSIVE APPLICATION ACCESS:
DESC: Restrict access to *PUBLIC for *ALL applications & GRANT application
access selectively via security roles.
PROS: Very secure. Impossible to access program without explicit program
access permission. Can leave fastpath access to users.
CONS: Extremely hard to maintain & set up. Need to make sure that ALL programs
necessary to users are listed in security roles. Very tedious to set up since
need to consider all programs in users' menus, programs called from within ERs,
Exit bars/menus and business functions. There is no TOOL that lets me gather
a list of program dependencies (not even cross reference tool) to make sure
I'm not missing anything. Basically, I need to test everything manually. Test
all procedures of all programs & make sure to note down all program names.
With hundreds of programs used by all users, this seems a DAUNTING task that
could take months with a very high risk of error. This option would also
generate a great number of records in the F00950 (Security workbench table).
#2 RESTRICTIVE APPLICATION ACCESS:
DESC: Leave access to ALL applications & restrict access to necessary
programs via menus & selective application restrictions applied to security
role.
PROS: Easy to set up & maintain. Minimum number of records in Security
workbench table.
CONS: Users can't have access to Fastpath. Risk of HTML/FAT menu tampering
unknown. Can a user tamper (in any way) with their HTML menus (edit HTML source
code of a menu page) to access unpermitted programs via the JAS server?
I am very tempted to implement option 2. Please let me know ASAP your views
on the subject.
================================
[email protected]
Senior CNC (PWC)