Solution Explorer/Security Headaches!

Buster DAN

Active Member
Having recently upgraded from Xe to 8.9 yesterday I took my first in depth look at Solution Explorer and Security in 8.9.

Armed with various Peoplesoft documents I thought it would not be too hard to come up with a new security policy and procedure for our company........ hmmmm yeah right!!

In Xe we always used One World menu's so now i am looking ar Role Based task views I think. In terms of security well we completely dumped that in 8.9 as we plan to completely revise this.

Then the headaches start!! :p

I can find my way around the screens and create new roles, task views, variants, relationships, sequence roles... but the fundamental thing that I am missing is how to best tie all this together into a coherent security/role policy, that we can adopt from now onwards and we wont have to chase around trying to understand what access individual users have.

In the past we followed the JD Edward model of excluding all users from everything and then adding access where appropriate. Under 8.9 is this policy still appropriate? With the greater flexibility of Solution Explorer should we instead use Fine Cut to more closely replicate roles but only restrict access in Security where there is the possibly of linking out to applications that they should not access. Basically what i am saying is should we aim to simply restrict access with Task Views and supplement this with some Securtity Workbench entries?

In addition we have all the Old XE user groups which are now shown as Roles in 8.9. These groups previously linked to menu's that quite closely replicated individual user roles in the company, but between say the various groups with a finance department there is a lot of replication within the menu's. Should we therefore start with a with a "Master" finance task and then use multiple talk roles and Fine Cut to specify the access that each departmental user should have. Then by using the role relationships that link into Security I can prgressively restrict what access say a general Finance assistant might have compared to the Financial Controller.

I do think this is a really critical area of the system that we must get right so I'd really appreciate any advice or suiggestions.

Cheers

DANNY
 
Danny,

You're on the right path, but the path is long and the learning curve steep. Here are some answers to your questions:

"In the past we followed the JD Edward model of excluding all users from everything and then adding access where appropriate. Under 8.9 is this policy still appropriate?"

Absolutely.

"Basically what i am saying is should we aim to simply restrict access with Task Views and supplement this with some Securtity Workbench entries?"

No, there is no substitute for the "all doors closed" security policy. Security by menu (if I hide it, they can't use it) is poor security. There are so many backdoors on the system, you'll leave too many holes.

"These groups previously linked to menu's that quite closely replicated individual user roles in the company, but between say the various groups with a finance department there is a lot of replication within the menu's. Should we therefore start with a with a "Master" finance task and then use multiple talk roles and Fine Cut to specify the access that each departmental user should have."

Yes, that is a very good practice. Think of it this way, under Solution Explorer, everyone shares the same menu. That menu is the End-User taskview. You use finecut to build a filter (role-based taskview) to cut down the complexity of that menu to only show those tasks that the user needs to do their job.

Gregg Larkin
North American CNC and Security Guy
Praxair, Inc.
 
Hi Greg, thanks for the reply.

Ok, no problem with the security policy in that case...that much I understand.... the next stumbling block however is that although I have the "One World Menu's" role, I can't see "End User Tasks" which kind of makes it tricky to do a Fine Cut on this.

I have seen End User Tasks referred to in the documentation but I am unsure if this is as default role shipped with 8.9 (and someone has deleted) or whether it refers to best practice and a suggestion that each site should create a "End User Tasks" role in the same way. If I go into the P9000 (Work with Task Views) there is no entry for "End User Tasks"

I'm going to play again tomorrow though...as you say that path seems to be very long, steep, curvy, probably yellow and no doubt a Wicked Witch will pop up somewhere along the way!! :p
 
Hi,
=20
We are on ERP8, not 8.9, and I don't have any experience with security
in 8.9. I don't know if that may skew my perspective.
=20
We currently use both group and role-based security. Most of the
security is applied to groups, and we use the "deny all, grant back
access as needed" model. This works well, except it doesn't apply to
versions. So we have implemented role-based menu security to prevent
users from accessing specific versions. We actually only need to use
version security on a couple of applications.
=20
The experience with this is that menu security is much more difficult to
maintain than group security:
1. To review an item, you must go to the item on the menu, not just
review a list. (I'm interested to hear corrections to this statement, if
there are any.)
2. The default when you add a new menu item is to allow everyone to
access it - the opposite of our security model.
=20
The really annoying thing about it is that we have to implement two
full, separate security systems in the one application, just to secure a
couple of items.
=20
Because of this, we have actually decided it's better to make a copy of
the programs that need version security, and treat Copy 1 as Version 1,
and Copy 2 as Version 2. Then application security can secure the
programs, and we can use just one security system.
=20
Regards,
Mark Suters
=20
ERP8, Update 1, SP22_S1, Windows 2000, SQL Server 2000, Citrix Metaframe
XP SP3
=20

#########################################################################=
############
Note:
This message is for the named person's use only. It may contain confiden=
tial,
proprietary or legally privileged information. No confidentiality or pri=
vilege
is waived or lost by any mistransmission. If you receive this message in=
=20error,
please immediately delete it and all copies of it from your system, destr=
oy any
hard copies of it and notify the sender. You must not, directly or indir=
ectly,
use, disclose, distribute, print, or copy any part of this message if you=
=20are not
the intended recipient. Stockland and any of its subsidiaries each reserv=
e
the right to monitor all e-mail communications through its networks.

Any views expressed in this message are those of the individual sender, e=
xcept where
the message states otherwise and the sender is authorized to state them t=
o be the
views of any such entity.

Thank You.
#########################################################################=
############
 
Re: RE: Solution Explorer/Security Headaches!

Mark;

FYI. One of the enhancements promised in 8.10 is version security. I have not seen it yet, as I am planning an upgrade for a client now, but it sounds like you will be able to add security to a version just like you do to the template now.
 
It's odd that you cannot 'see' the End User Tasks Task View. Not much I can say about that except that it should be there. It's possible it is flagged as a Secured Task View, but then you mentioned it's not in the file.

In any case, I thought I'd mention that the only Task Views you can use Fine Cut on are those that are flagged as Role-Based Task Views. OneWorld Menus is typically not flagged as Role Based.

I would find out why End User Tasks is not there and use that. Since this is the JDE/PSFT way of implementing, it will go a lot better for you in the future.

Regards
 
We are in the process of going from B7332 to 8.0 then to 8.9 and which we are currently at PY. I cannot answer all your questions but I do have some input. Security applied in the previous version will role up to B9. We did run into one problem where we needed to delete each group (now role) and recreate them. I am still getting my head around Solution Explorer tasks and relationships.

I am also going to use the Solution Explorer security in the Security Workbench and assign each role to one of the three default modes. Basically full access, limited access with fast path and limited access without fast path. This combined with the strict security to objects should be satisfactory.
 
Back
Top