E8.1 What is the best way to assign an 'Environment' to a user ?

Rauf

What is the best way to assign an 'Environment' to a user? On 'Role' level or 'User' level?
We have a lot of roles with multiple environments assigned. So the issue is that a new user assigned to the role might get access to all environments assigned to the roles (which is not what we require). One way to control this is to assign the environment on user level (assign only the roles which the user is supposed to access). But I think this is not the correct way. I guess I should create different roles for different environments.

Any suggestions are greatly appreciated.
 
Beginning with EnterpriseOne 8.9 and later applications releases, it is no longer valid to attach environments to the User Profile. Environments should only be attached to Roles.

With EnterpriseOne XE and ERP8, during the login process the system checks the User Profile for a valid environment. However, with E1 8.9 and later the system ignores environments that are attached to the user profile and uses only environments attached to a role.
Source: E1: ENV: How to Manage Environments - Should Environments be Added at the User Level or Role Level? (Doc ID 647914.1)

So with your prehistoric system you can still assign environments to users ;) This search took me around 10 seconds btw.

Edit: Just noticed your signature says 8.12, but the title says 8.1, so that tricked me.
 
Interesting document - though this statement in the document, "Environments assigned at the user level are not used." I would say is not technically correct, because you can still assign an environment at the user level and it does take effect (tested on 9.2, 9.2.4.5). So if a user has an environment list at the user level in F0093, then it will not allow the user to log into any environments other than those listed in F0093.

Sometimes you want to restrict which environments (even test environments) users can log into, and you don't want to duplicate your whole set of roles for each environment. That can also increase the number of roles a user may need. And on the other hand, they say don't assign more than 30 roles to a user :)
 
I agree with the other comments made.

Just keep in mind that in order for a role to be effective in an environment, that role needs to have the environment assigned to it. If that role is then granted to a user they then derive access to that environment. (This was not always the case. I believe pre 8.11 SP1 that a role was active for a user regardless of what environments were assigned to that role.)

I generally avoid assigning environments at the user level, but I typically use a Dev/Test, Pre-Production and Production "island" approach to my CNC configuration. This allows me to have some of my security tables, such as F95921 and F0093, separated by island. So Dev/Test roles assigned to users can be different than what they get assigned in Pre-Production or Production (and even Training if there is a dedicated training setup). Users then typically get more authority in non-production environments for project work, testing, etc. than they have in Production.
 
The article only states that it is not valid anymore to do so, but it definitely still works ;) Keep in mind that you need the same sequence number for user and role environment assignment.

I've done it before and will probably do it again in some cases, but not for productive environments, as I'm always trying to keep that in a certified or valid ORACLE way.
 
Rauf- we create roles and assign the environment(s) to those roles

Hello Papdog,

If you are assigning multiple environments to a single role, how do you manage the security?

For example, UserA and UserB, and Role1 is with environments JP1 and JP2.
UserA needs access on JP1 and JP2, and UserB should be restricted to JP2 only.
So if we assign Role1 to both UserA and UserB, both users will be able to access both environments.

So... :rolleyes:
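
The UserA/UserB case above, worked through as an added example that is not from any poster in this thread and is not EnterpriseOne code: a simplified Python model that computes each user's environments from role assignments and reports access beyond what was intended, for the three designs discussed here. The split role names and the rule that a user-level list narrows the role-derived set (as one reply reports from testing) are assumptions.

```python
# Simplified model of the thread's scenario; all names and data are constructed.

def effective_envs(user, user_roles, role_envs, user_envs=None):
    """Environments a user can reach: the union over the user's roles.

    Assumption taken from one reply in the thread: a non-empty user-level
    list narrows the result to the environments it names.
    """
    granted = set()
    for role in user_roles.get(user, ()):
        granted |= role_envs.get(role, set())
    restrict = (user_envs or {}).get(user)
    return granted & restrict if restrict else granted


def excess_access(intended, user_roles, role_envs, user_envs=None):
    """Map each user to environments granted beyond what was intended."""
    report = {}
    for user, wanted in intended.items():
        extra = effective_envs(user, user_roles, role_envs, user_envs) - wanted
        if extra:
            report[user] = extra
    return report


# What the business wants: UserA on JP1 and JP2, UserB on JP2 only.
INTENDED = {"UserA": {"JP1", "JP2"}, "UserB": {"JP2"}}

# Design 1: one role carrying both environments (the setup in the question).
SHARED_ROLES = {"Role1": {"JP1", "JP2"}}
SHARED_ASSIGN = {"UserA": ["Role1"], "UserB": ["Role1"]}

# Design 2: one role per environment (hypothetical role names).
SPLIT_ROLES = {"Role1_JP1": {"JP1"}, "Role1_JP2": {"JP2"}}
SPLIT_ASSIGN = {"UserA": ["Role1_JP1", "Role1_JP2"], "UserB": ["Role1_JP2"]}

# Design 3: shared role plus a user-level environment list for UserB.
USER_LEVEL = {"UserB": {"JP2"}}

if __name__ == "__main__":
    print("shared role:", excess_access(INTENDED, SHARED_ASSIGN, SHARED_ROLES))
    print("split roles:", excess_access(INTENDED, SPLIT_ASSIGN, SPLIT_ROLES))
    print("user-level :", excess_access(INTENDED, SHARED_ASSIGN, SHARED_ROLES, USER_LEVEL))
```

Feeding it real role and environment assignments exported from your own system turns it into a periodic entitlement check.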
 