Default Environment and 8.9 Security

gerd_renz3

VIP Member
Hi List,
I found another interesting feature with 8.9 security I want to share with you.

Let's say I have PROFILE1 and PROFILE2 associated with my user ID. PROFILE2 gives permission to run PROGRAM_X. PROFILE1 can access PY9 and PD9, PROFILE2 can access only PD9. There is no conflict in security between the two profiles.

Now, when I log into PD9 with user_ID GERD and profile *ALL, I should get the combined security settings for PROFILE 1 and 2. However, PROFILE2 is ignored (I will not have permission on PROGRAM_X) when my Default Env in the [DB SYSTEM SETTINGS] stanza is set to PY9.
It works as expected when the Default Env is set to PD9 and I log into PD9.

Can anybody explain this? In the first case I found in the debug_log this line:

SELECT * FROM SY9/F00950 WHERE ( FSUSER = 'PROFILE1' OR FSUSER = 'GERD' OR FSUSER = '*PUBLIC' ) ORDER BY ...

It is ignoring PROFILE2 when the Default Env is set to PY9. When it is set to PD9 I get this:

SELECT * FROM SY9/F00950 WHERE ( FSUSER = 'PROFILE1' OR FSUSER = 'PROFILE2' OR FSUSER = 'GERD' OR FSUSER = '*PUBLIC' ) ORDER BY ...

as I would have expected already in the first place.

In other words: for a profile to work it must be accessible for the default env in jde.ini!
I do have PD and PY installed on my WS.

Very, very strange! What is the meaning of the default env in the WS's jde.ini anyway?
Sorry about the long post.

Thanks, Gerd
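
Added example, not part of the original thread: a small check that scans debug-log lines for the F00950 security lookup quoted in the post above and reports any role assigned to the user that is missing from the FSUSER list. It assumes the statement appears in the log in the form shown in the post; the function names and the sample log are constructed for illustration.

```python
import re

# Matches the security-table lookup shown in the post. The library name
# (SY9 in the post) is matched generically so other system libraries work too.
F00950_QUERY = re.compile(r"SELECT \* FROM \w+/F00950 WHERE \((.*?)\)", re.I)
FSUSER_VALUE = re.compile(r"FSUSER\s*=\s*'([^']*)'")

def fsuser_ids(line):
    """Return the set of FSUSER ids in an F00950 lookup, or None if the
    line does not contain such a lookup."""
    m = F00950_QUERY.search(line)
    if not m:
        return None
    return set(FSUSER_VALUE.findall(m.group(1)))

def missing_roles(log_lines, user, assigned_roles):
    """Return [(line_no, [missing roles])] for every F00950 lookup made for
    `user` that leaves out one or more of `assigned_roles`."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        ids = fsuser_ids(line)
        if ids is None or user not in ids:
            continue  # not a security lookup, or a lookup for someone else
        missing = set(assigned_roles) - ids
        if missing:
            findings.append((no, sorted(missing)))
    return findings

# Constructed sample log: line 1 is filler, lines 2 and 3 are the two
# statements quoted in the post (Default Env = PY9, then Default Env = PD9).
SAMPLE_LOG = [
    "login started (constructed filler line)",
    "SELECT * FROM SY9/F00950 WHERE ( FSUSER = 'PROFILE1' OR FSUSER = 'GERD' "
    "OR FSUSER = '*PUBLIC' ) ORDER BY ...",
    "SELECT * FROM SY9/F00950 WHERE ( FSUSER = 'PROFILE1' OR FSUSER = 'PROFILE2' "
    "OR FSUSER = 'GERD' OR FSUSER = '*PUBLIC' ) ORDER BY ...",
]

if __name__ == "__main__":
    for no, roles in missing_roles(SAMPLE_LOG, "GERD", {"PROFILE1", "PROFILE2"}):
        print(f"line {no}: security lookup omits {', '.join(roles)}")
```

Run against a workstation's debug log after login, this shows whether every role assigned to the user actually reaches the security query, which is the symptom described in the post.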
 
I think the sql statement is based on the fact that only profile1 is allowed to use the PY environment, so it's just looking at profile 1's authority in that environment. If you find out anything from PS, I'd like to hear the response.
 
Ok, PROFILE1 is not not allowed in PY. But I am logging into PD! The only thing that points to PY is the DEFAULT ENV.

Thanks, Gerd
 
How are you, Gerd,

I have always been a bit sceptical of the multi-role concept and have avoided it for XE. Sounds like I should avoid it in 8.9 as well. I'm glad I'm not planning my security around that feature. Good luck!

Gregg Larkin
Praxair, Inc.
North American PeopleSoft
Enterprise One System Administrator
 
Gregg, I guess it does work somehow. Or should I say: "One can make it work"?
Only, there are too many variables that make the head spin. And some features are simply not documented, and like this one, probably not even intended.
Like you said yourself in another thread: looks like OW security just got more complicated. Much more, I would say.

Gerd
 
If you need to use multiple roles for security and don't want to deal with PS's security app, you should look at QSoftware's product. We are using it now with Xe. It works great. They will have it certified for ERP8.9 within the next month according to a sales person. Let me know if you have any questions about it.
 
Good news from PSFT R/L: it's a known problem, SAR 6927608. It's supposed to be fixed in SP2_F1.

Gerd
 
Gerd,

I have been working on ERP8.9, and the way I see roles/profiles work is dependent on the pathcode/environment. When you are logging in, if you try to choose the role with the environment typed in, it looks for all the roles which have access to this pathcode. So my question is: do you have the same issue when logged in to either environment without making changes in jde.ini?

The way I understand it is this: it first looks at the environment (whether in jde.ini or the environment you are logging in to). It then determines which profiles/roles have rights to this environment, and basically from there on uses only those profiles in its SQL statement.

I would definitely be interested in knowing whether this is happening to you when you log into either environment without changing the jde.ini.
 
J_J,
if I have a default env (in JDE.INI) that shares a pathcode with the environment I am logging in to, it seems to be working. However, this is not how it's supposed to be. The default env should only make a difference during login, not afterwards.
As I said, it's a known bug and we will apply the fix (SP2_F1) asap.
Thanks, Gerd
 