How do you disable Fast Path in v9?

pduncan

We are upgrading from ERP 8 to 9. I used to remove/set fast path access from P0092 in 8. Where can I disable fast path user access in 9?
 
Welcome to the wonderful world of Solution Explorer. Fast Path access is now controlled through Security Workbench (P00950). Use the row exit for Solution Explorer. You will likely want to apply security on the Role (what you used to call Group), and set the Role to Preset One for most ordinary users.
 
[ QUOTE ]
We are upgrading from ERP 8 to 9. I used to remove/set fast path access from P0092 in 8. Where can I disable fast path user access in 9?

[/ QUOTE ]


Just out of curiosity - why are you disabling access to Fast Path?
 
I am doing so on recommendation of a consultant, a few posts online here, and what I was told at a security class at Oracle.
Do you think it is overkill? I am relatively new to CNC so any advice is most welcome.

Thanks
 
[ QUOTE ]
I am doing so on recommendation of a consultant, a few posts online here, and what I was told at a security class at Oracle.
Do you think it is overkill? I am relatively new to CNC so any advice is most welcome.

Thanks

[/ QUOTE ]

It has been a longstanding E1 practice to remove Fast Path. I believe it originated in the early days with the (false) belief that hiding menu items and removing fast path was a valid security model. I believe, and have long believed, that it is an insecure model and is only perpetuated by those who are unwilling to change or do not have a complete understanding of E1 security.


A Tolstoy quote:

"I know that most men, including those at ease with problems of the greatest complexity, can seldom accept even the simplest and most obvious truth if it be such as would oblige them to admit the falsity of conclusions which they have delighted in explaining to colleagues, which they have proudly taught to others, and which they have woven, thread by thread, into the fabric of their lives."


I hereby challenge the belief that removing a method (Fast Path) that makes the use of the EnterpriseOne product easier for end users is a good thing. I welcome open and vigorous debate, including opinions contrary to my own that holds that "If security is properly designed, the removal of Fast Path is not necessary."
 
Disabling FastPath for end users is NOT overkill. JDE is driven by Processing Option values that are set in Versions. Version Selection is not easily controlled via fastpath but can be via Menus/Tasks. So, yes - what they told you about disabling fastpath for end users is good advice.
 
BOK,

JMHO. But while I agree restricting fastpath is not a valid security model by itself, it is a valid COMPONENT in a robust security model.

Tom
 
Jeff,

You've been out in the Florida sun a bit too long.
Your fastpath statement is a bit too simplistic. Tom and Larry have it right, removing fastpath for Joe Bagadonut users is not an end all be all, but is a good step in securing the system. Larry has an excellent point, restricting what versions users can run is a good practice. I know I've even been guilty of that. When a user calls up about a report or application acting weird, I've gone to fastpath and not had an issue, only to find out that the user was using a different version.

To your point, the old school of thought was take away fastpath and create custom menus and don't bother with "all doors closed" security. That school of security is crap. The correct school of security is to create an "all doors closed/grant back" model, with custom menus (taskviews), take away fast path, and lock down UTB and data browser.

- Gregg
 
You all answered ahead of me but I wanted to chime in too to say that I agree with consensus. Regular users using FastPath will result in many inadvertent misuses of wrong versions. Power users can probably be allowed to retain their FastPath because they probably utilize IV-BV access anyway and know better than to use the wrong version.


And one other angle I will mention, any of your companies out there that go through a SarBox audit of IT CNC will get dinged if auditor discovers FastPath available to general users.
 
In 9.0 (which is what pduncan said they are going to) the Fast Path flag (FSTP) has been changed from Y/N to 0/1/2. Option 2 invalidates all of the concern about a user typing a program name and getting the wrong Version/Proc Options. Leaving Fast Path available is back on the table, and IMHO users really appreciate it. I'm with you brother_of_karamazov and I've been supporting JDE since A3.1 (20 years and counting).

From the Data Dictionary Glossary for FSTP: "2: User has Limited access to Fast Path functionality. User can't launch applications via the Object ID (for example, P01012 is the Object ID for the Address Book application) or via a task whose type is application/UBE/UDC. User can only use the mnemonics defined in the H90/FP UDC to launch an application and navigate to a menu folder or use the tasks defined in the Task Master to navigate to a menu folder."
 
Hate to go against my CNC friend...but the apps folks are correct. The long ago "security" threat is nothing compared to requiring app users to go into the correct version and PO's which fast path can ignore/bypass.
 
[ QUOTE ]
In 9.0 (which is what pduncan said they are going to) the Fast Path flag (FSTP) has been changed from Y/N to 0/1/2. Option 2 invalidates all of the concern about a user typing a program name and getting the wrong Version/Proc Options. Leaving Fast Path available is back on the table, and IMHO users really appreciate it. I'm with you brother_of_karamazov and I've been supporting JDE since A3.1 (20 years and counting).

From the Data Dictionary Glossary for FSTP: "2: User has Limited access to Fast Path functionality. User can't launch applications via the Object ID (for example, P01012 is the Object ID for the Address Book application) or via a task whose type is application/UBE/UDC. User can only use the mnemonics defined in the H90/FP UDC to launch an application and navigate to a menu folder or use the tasks defined in the Task Master to navigate to a menu folder."

[/ QUOTE ]

And there you have it folks, Steve wins the prize for the person most likely to think in a manner that leads to optimal results.

Go take a look at H90/FP and see how much efficiency your organization can gain by no longer forcing users to expand 14 levels of menus for a task that they perform 432 times a day.

I bet you guys are the same ones who take away favorites too.
 
BOK,

Good for 9.0, I'll agree with you when I get there (hopefully before the next century LOL).

Of course I hope they don't find a menu I forgot to lock down

Tom
 
"Go take a look at H90/FP and see how much efficiency your organization can gain by no longer forcing users to expand 14 levels of menus for a task that they perform 432 times a day. "

That's a very good point Jeff, but in my opinion Favorites (which can be set by the user) meets the need better than FastPath - particularly if you commonly have multiple versions for your objects.

Different strokes for different folks I suppose.
 
Everyone, very good points. My main concern is disabling Fast Path instead of using application security. There are too many row and form exits that can bring users to applications they should not access to rely on Fast Path.

I am on the applications side and feel power users need to have fast path to work efficiently (the whole 14 levels of menu thing).

Brad
 
Why not use role based security so then you don't have to worry about disabling fast path? Role will start with "No" to every application and then just open the ones needed.
 
Hi All,
I have a follow up question on this.
If we are going to give user access to fast path, they can call data browser and can access tables that they should not be accessing. Is there a way to limit a user with access to fast path to just call application and tables (using data browser) that they should be accessing?
 