E9.1 Assess if only one user ID should be used to run all scheduled jobs in JDE

[JDE GC Analyst]

We are on E1 9.1,

Currently we have two Scheduler User ID’s set up to run scheduled jobs in JDE 9.1.

Currently we have two Scheduler User ID’s set up to run scheduled jobs in JDE 9.1. There is a requirement as per Audit to assess if only one user ID should be used to run all scheduled jobs in JDE and that no such user ID should be assigned the SYSADMIN role. Therefore, when we migrate to JDE 9.2 we can have updated schedule for jobs to run using one User ID which does not have the SYSADMIN role assigned. We are currently working on a technical upgrade from JDE 9.1 to 9.2.

One of the user IDs is set up in our system with the role SYSADMIN. As a JDE analyst, I have the role SYSADMIN assigned to my profile in JDE. This role is only to be assigned to JDE super users/ERP analyst as this role gives access to all applications within JDE 9.1. The analysts can set up users and run other security activities within JDE.

The other User ID is assigned one role which allows it to run scheduled jobs specifically for the finance module.

My question is - What would be the best way going forward in this scenario?
Do I create a new role for all the jobs combined or should I keep the two user ID's but remove the SYSADMIN role and assign a new role just to run non -finance jobs?
Is there a better way to do so in JDE 9.2?
Is there any password set for these jobs, if so where can I find them?

Thank You!

 

[markdcci]

Hello,
This thread is a few weeks old, so not sure I can be of help to you at this point. But some of my thoughts are:

You won't like this but generally for a business analyst I would not recommend that you have SYSADMIN - and especially not recommended for a superuser. There are other ways to ensure that you have access for support, etc, but there could be segregation of duties issues with that arrangement. That said, in a smaller shop you may have no choice due to lack of personnel. I guess if your auditors are OK with it for now, I would not change it but my guess is they will eventually ask for that to be changed. Generally that would be reserved for whoever in your organization is responsible for security maintenance and/or change control, usually a CNC Admin.

In the past I have used one role to run scheduler jobs that did have SYSADMIN. But that user's ID and password were restricted to the CNC Admin and other operations support type person, not an analyst. And we changed the password quarterly - which was a major pain, by the way.

It is perfectly acceptable to set up different user IDs to run different scheduler jobs, whether it's two or more. However, you have to be vigilant that the IDs have the right level of access as your system changes. Perhaps one ID per role would work best. That way as your end users' access changes the scheduler ID tied to the same role will change. This is a lot of added maintenance, however.

I don't believe there is a better way to do this in 9.2. I have run scheduler jobs from 9.0 to 9.2 and they functioned very similarly in this regard.

The passwords for the IDs used to run scheduler jobs are set up in the standard security program, P98OWSEC, as they would be for any other ID. Then, when the scheduler job is set up in the scheduler application that same password is input. Another downside of numerous scheduler IDs is that when that ID gets disabled for whatever reason the scheduler job fails.

Just my thoughts.