Role best practice

adeel

Hello there

We have one role called HRADMIN. This role cannot see the application called Online Budget Comparison (P09210A), and we know this program is also called labor distribution etc. What is the best practice so that the user is able to see that program?

1. Should I attach a new role, e.g. GLINQ, which has access to that application, to that user? I know there might be an issue with role conflict (sequence), or
2. Should I assign the application security and give access to the application (P09210A) to HRADMIN?

Thanks

AD

8.12
8.96.
 
The best practice that is recommended is to start with *PUBLIC not being able to run anything, and then grant back applications as appropriate by role.

If you followed this, then it's OK to grant that application to HRADMIN as the call to the other application would be stopped, unless HRADMIN, the user him/her self, or the user's other roles have rights to run that other application.
 
Thanks for the feedback.

I have a situation: role PROJECT is not allowed to run the application P050999, and one user wants to access this program, so I attached another role called HRINQ to that user and allowed the HRINQ role to run the application P050999, but it is not working; the error is “Not authorize…”.

It looks like there is a conflict between the two roles, but it is very strange that if I log in with only the HRINQ role it should run, but no luck. Any help will be appreciated.

Thanks

AD
 
This is likely a conflict in the Role Sequencing. If HRINQ has a lower sequence number than PROJECT, and there is a conflict over the rights of a particular object, then the security on PROJECT would win. In your case, that would mean that the user doesn't get to run it, even though they have the HRINQ role.

Check your role sequencing, and see in what order your roles are.
 
Thanks

Tell me if I did wrong to solve my situation.

I removed HRINQ, left the PROJECT role, and secured the application at user level, meaning assigned to the user, so that way they can run the P050999 program, based on the engine behaviour below:

Highest- Users
Medium - Role
Lower - Public

Question:
When I go to role relation, the Seq button is disabled.
I assume if PROJECT is on top it is the highest sequence? e.g.
PROJECT
HRINQ

Thanks
AD
--------------------
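Added example, not part of the thread and not JD Edwards code: a simplified Python model of the precedence described above (user-level record over role over *PUBLIC, and between conflicting roles the higher sequence number wins) that reports which record decided the outcome. The user ids, sequence numbers and rule set are constructed, only exact application ids are matched, and treating "no record at any level" as allowed is an assumption of the model.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    holder: str  # user id, role name, or "*PUBLIC"
    app: str     # application id, e.g. "P050999"
    run: bool    # True = may run, False = blocked

def explain_run(user, role_seq, rules, app):
    """Return (allowed, reason). role_seq maps role name -> sequence number."""
    def find(holder):
        return next((r for r in rules if r.holder == holder and r.app == app), None)

    hit = find(user)                      # 1. user-level record beats everything
    if hit is not None:
        return hit.run, f"user-level record for {user}"
    # 2. roles, highest sequence number first: the first role with a record decides
    for role, seq in sorted(role_seq.items(), key=lambda kv: kv[1], reverse=True):
        hit = find(role)
        if hit is not None:
            return hit.run, f"role {role} (sequence {seq})"
    hit = find("*PUBLIC")                 # 3. *PUBLIC is the fallback
    if hit is not None:
        return hit.run, "*PUBLIC record"
    return True, "no record at any level (assumed open)"  # model assumption

def compare(users, rules, app):
    """Side-by-side view: user -> (allowed, deciding record)."""
    return {u: explain_run(u, seqs, rules, app) for u, seqs in users.items()}

# Constructed sample data mirroring the P050999 case in the thread.
RULES = [
    Rule("*PUBLIC", "P050999", False),
    Rule("PROJECT", "P050999", False),
    Rule("HRINQ", "P050999", True),
    Rule("USER3", "P050999", True),   # user-level exception
]
USERS = {
    "USER1": {"PROJECT": 20, "HRINQ": 10},  # PROJECT sequenced higher: blocked
    "USER2": {"PROJECT": 10, "HRINQ": 20},  # HRINQ sequenced higher: allowed
    "USER3": {"PROJECT": 20},               # user-level record overrides the role
}

if __name__ == "__main__":
    for user, (allowed, reason) in compare(USERS, RULES, "P050999").items():
        print(f"{user}: {'run' if allowed else 'blocked'} <- {reason}")
```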
 
[ QUOTE ]
Question:
When I go to role relation, the Seq button is disabled.
I assume if PROJECT is on top it is the highest sequence? e.g.
PROJECT
HRINQ

[/ QUOTE ]
Answer: Nope! The role "PROJECT" being on top means its sequence value is LOWER! Only AFTER you drag & drop a role, changing its position, does the "Sequence" button get enabled.
NOTE: I suggest you do not click the "Sequence" button before understanding what the consequences are!
 
Hello,
I am joining the discussion because it looks to me like an interesting case, where many people seem to have issues with multiple roles and their sequencing.
In my position I create a "NOTALL" role to avoid and force users to log in with a specific role only. Even if multiple roles are linked to them, they can choose only one at a time.
In terms of security, at *PUBLIC level we set inquiry only on applications and allow them to run UBEs with DS (no PO available).
If a user has a task view created where he has to run an application that the role can't, then I set the security for this user only. It looks easier to manage to me.
In this sense, I always encourage including only the tasks that should be used by a role; that overrides the issue of blocking an application that exists in a menu.
Hope that helps you a bit, and have a great day.
 
I agree.
"NOTALL" will resolve a lot of issues.
Workaround for my situation: there should be only one role, and if a user wants to access some program which you don't want to allow for this role, as other users in the role would have access, then securing the application at user level will help.

Thanks
AD
 
The JDE implementation of multiple roles is just depressing.

The whole role sequencing concept is a fairly epic fail:

* It doesn't scale well
* The odds of a large implementation where you can correctly predict and potentially change sequence numbers and understand the results without third party tools is pretty low.
* If you started with users logging in as specific roles, you will be fine. But if they logged in with *ALL and the security officer doesn't understand the implications of role sequencing it puts the entire setup in a bad way.


The last company I worked for I had to come to the sane conclusion and decided to implement a third party product with the foundation being *public rules locking down the major security types (application, action, form/row exits) and then effectively giving each user a single role.

Anyways, just my $.02 CAD

Malcolm
 
I have to respectfully disagree with Malcolm. Multiple roles, Role Sequencing and Filtering have made JDE a player for bigger security implementations. The model is absolutely more complex (but worth it) and the implementation needs to be planned with a scalable framework. A bigger security project usually requires multiple everything (locations, companies, divisions, branches, roles, sequence, filtering) with complex 1 to Many relationships and a special team. Bigger companies taking the simple and quick short term route pay a long term support price for going dirty.

You have to build the bridge with a solid blueprint. The security failures in these implementations are with inexperienced consultants or quickly slapped together models. No attention to security in the project plans.

My 2centz.
 
[ QUOTE ]
The JDE implementation of multiple roles is just depressing.

The whole role sequencing concept is a fairly epic fail:

* It doesn't scale well
* The odds of a large implementation where you can correctly predict and potentially change sequence numbers and understand the results without third party tools is pretty low.
* If you started with users logging in as specific roles, you will be fine. But if they logged in with *ALL and the security officer doesn't understand the implications of role sequencing it puts the entire setup in a bad way....


[/ QUOTE ]

Malcolm

I couldn't agree more. Using the sequence of roles to determine how to overcome conflicts is absurd. Sure, maybe in the never never land of a lab environment it might work. Or in the never never land of the startup of a new installation, in the equally fictitious land of a company actually planning for, and funding, a deep dive into security planning, it might work.

But that isn't reality. In the real world, security is one of the last things that gets looked at in a project. It's generally a last minute thing, and continues to be tweaked well after go-live. A few years down the road, the business needs will evolve and you will need to come up with some new security, or combination of security, that was never even a glimmer of a thought during the project.

I think the idea of developing security as a set of modules that you then assemble like Legos is a good idea. But, in my $.02 opinion, using an arbitrary numeric sequence to resolve conflicts is not the way to go.

- Gregg
 
Hence, why SAP has 1 upped JDE on this side... Security was/is given the required attention and definition in SAP. ~ Security should be living in an independent world with focus.

2 more centz…
 
[ QUOTE ]
Hence, why SAP has 1 upped JDE on this side... Security was/is given the required attention and definition in SAP. ~ Security should be living in an independent world with focus.

2 more centz…


[/ QUOTE ]

As security officer (plus CNC and chief bottle washer) I agree that security should be given more attention. But on all of the projects I've been on, the business analysts, functional experts and developers run the show. In the CRP phase, they don't want to be bothered with security, so they do their testing as appleads. Then at the tail end of the project they start to consider security.

Not to sound like a sales guy, 'cause I'm not, but the way to speed up the security definition phase, especially if you are defining security from scratch, is with a third party tool like q-soft or All-Out security (whose banner is ironically flashing at the top of the jdelist webpage right now). I can't speak for q-soft, but I know that All-out came up with a better solution for handling the conflicts of multiple roles than what Oracle provides out of the box.

- Gregg
 
It would be a blessing if JDE/BorGacle would create a screen / Process that told the Security folks (or, maybe even the users) why they couldn't do something....

If there was a means to compare two users, side by side - to identify why one can and the other can't complete tasks ... that might be a bit easier on troubleshooting...

(db)
 
[ QUOTE ]
It would be a blessing if JDE/BorGacle would create a screen / Process that told the Security folks (or, maybe even the users) why they couldn't do something....

If there was a means to compare two users, side by side - to identify why one can and the other can't complete tasks ... that might be a bit easier on troubleshooting...

(db)

[/ QUOTE ]

That's an easy one - just have the JDE/BorGacle Collective assimilate All-Out Security. Resistance is futile....
 
We have clients who use both the multiple role and the single role method. The single role method is easier to implement (without a tool) but in my view multiple roles does bring many advantages (such as less maintenance) with it.

If you do go the multiple role route then you either have the choice of managing 'exception' records at the user level or adjusting the role sequencer - which is easier depends on complexity but I would not automatically assume that user level should be a big no - if done correctly it can make sense.
For what it's worth, ALLOut offer a solution to the role sequencer/conflict conundrum.

Over 200 ALLOut implementations. Personal consultancy experience at over 60 client sites with QSoft and ALLOut.
 
J,

I have connections... I would, probably, just have to ask....



(db)
 
Thanks everyone for positive and negative feedback. I am new to JDE system admin so really in a learning phase.
I just thought I would ask here, instead of creating a new post, about creating/editing/deleting a role in JDE.

Question 1
I want to copy the PROJECT role to the ANALYST role. The only thing I see is to select all rows in Security Workbench and click the copy button to assign them to the ANALYST role. This means I have to click 1550 times, once for each row, to copy? Is there any better way?

Question 2
For me it is better to just rename the Project role to some other name e.g ANALYSTS. How to rename Role?



Thanks
AD
 
Hi,

I agree with Ken: a global lock-down is important in the first place.

I found it difficult to deal with JDE multiple roles without a third party solution. So in order to resolve conflicts like yours we use ALLOut Security, because it has an application that identifies the conflict for a user and creates ‘Y’ settings that override the role level security.

The benefit is that we can assign several roles to a user and also get a report of the situation before and after resolving the conflict.

It also helps us working with Super roles (combination of small roles) - I don’t know if you work at this level.
 