Security Workbench problem

SULLY1

I am building security from the ground up starting with *PUBLIC/APPLICATION SECURITY/NO.

I found what appears to be a big hole in security. Example: an inquiry-only user has access to P01012, P03013, P04012 with action security NO for add, change, delete and copy. If you take the form exit from P01012 to P03013 and the record does not exist (thinks it's add mode), the OK is NOT greyed out. This is true for P04012 as well.

I also found this to be the case in Supplier Ledger Inquiry P0411 where you can add a p.o. from the form exit "Purchases Orders" P4310 even though the action security says NO to add, change, delete and copy.

I have a call into JDE and they were able to reproduce the problem! Can anyone else reproduce?

Patty
 
I got an F4301 header record written but no F4311 line record before I got an
"action invalid" message after keying the line and moving cursor to next
line.

Dave Mallory Denver Water OW Xe SP 17.1 Oracle 8.1722 NT 4.0
 
Hi Patty
I agree with you. The meaning of the OK button varies from form to form. In some forms, the OK button means that you can modify. In these kinds of forms, sometimes the OK button is controlled by Change security and in some forms it is controlled by Select/OK security. Sometimes even the same form behaves differently depending upon which Row/Form exit you are taking. (If you disable the OK/Select button along with change then it will be OK.) So basically we are following the same security model which you are following (OK/Select is enabled)... but we are taking some additional steps to disable the row/form exits that can lead to this kind of behaviour (unluckily we cannot disable all row/form exits with *ALL because it is part of specs).

Hope this helps
Vivek Mohan
XE, SP 18.1, Oracle 8.1.7.3.0
Windows NT Enterprise Server
 
JDE has entered SAR # 5960422 for this problem. Their workaround for now is to put security at the form level and not the object level. This could add hundreds of records to my security table if this happens for all form interconnects. We are testing it now.

The only reason JDE even considered entering a SAR is because the security works at the object level in B733.1, which is our production environment right now. I was playing around with service packs and it looks like the way the okay button is handled was changed between service pack 13 and 15.1. I could be wrong.

Patty
 