Restrict users from using XML CallObject and XMLList requests

kiran g

Hi,

I am working on JDE EnterpriseOne 8.10 (TR 8.93). I want to restrict certain users from accessing data using XMLRequest APIs like XMLList and XMLCallObject.

I created some users who are restricted from viewing column information like Address Number AN8 from F0101 through column security. When such a user logs in to the JDE system, he cannot see the Address Number column in P01012. But the same user can extract the same Address Number data using XMLList.

Similar behavior is observed while adding records. If I restrict a user from adding a record in F0101 for AN8, the same user can call the insert BSFN through XMLCallObject.

Is there any way to restrict a user to access only certain tables through XMLRequest?

One more thing I have observed with the XMLRequest API. Suppose I created one user who can access 'DV810' only, but the user can log in to any other environment using XMLRequest without any error.

How can I resolve these issues? Can someone enlighten me on these issues?

Thanks in advance,
Kiran
 
I think you're looking too much into this.

If I were you, I would block access to the IP Port for all computers EXCEPT those that need access to JDE (the webservers for example). I would consider putting a firewall between the JDE environment and everyone else - otherwise it IS certainly an issue.

Look for my document "hacking oneworld" for information that points in that direction - it's an older document, but it has relevant web security information in it.
 