NHA,
Welcome to the JDEList, as I see this is your first post. If you search the JDEList, I believe you'll find two camps about security: 1. secure all program access and only grant back as needed, or 2. grant all program access and secure out as needed. Also, your approach to security will depend on the version of OW you are running as well as the user interface being used (OW Explorer, Solution Explorer, or Web). For us, using approach # 1 made the most sense because we wanted to make sure that someone didn't accidentally have access to a program without us knowing about it. For our go-live over 3 years ago, we established roles for each functional area and established the programs and levels of access needed for each role, and then assigned users to a specific role. We also created our own custom set of menus for use in OW Explorer, and disabled fast path access for all users, as additional ways of securing the system. Now, if someone wishes to have access to a program or report, they submit a request and we get approval (or denial) from the department who "owns" that application. We also keep a log of all security changes made, including who requested the change, who approved the change, when the change was made, what the change was, and who (in CNC land) made the change. This has proven very helpful to us in administering security on several occasions.
We are not using Solution Explorer, but I've read that JDE is moving towards that interface, especially in B9. This may cause us to re-evaluate our security setup, but for OW Explorer in our current environment, our setup is doing the job for us.
Best of luck to you in your security endeavors.