7 Using Security Workbench

This chapter contains the following topics:

7.1 Understanding Security Workbench

Use Security Workbench to apply security to JD Edwards EnterpriseOne applications, application versions, forms, and other objects within JD Edwards EnterpriseOne that are described in this chapter. You can apply security for these objects to users, roles, or *PUBLIC. JD Edwards EnterpriseOne stores security information in the F00950 table. It caches that information in the web server's memory for web clients and in each workstation's memory for Microsoft Windows clients. For Microsoft Windows client users, changes made to security are applied after the user exits JD Edwards EnterpriseOne and signs back in. For the security changes to take effect on web clients, you must restart the web server or clear the web server's cache using the Server Administration Workbench (SAW) application.

When applying object level security, you need to consider how JD Edwards EnterpriseOne checks for security. When a user signs in, the system first checks the user ID for security. If no object security is assigned to the user ID, then it checks the role (if the user is part of a specific role), and then finally it checks *PUBLIC.

Note:

You can access Security Workbench on the JD Edwards EnterpriseOne web client, as well as the Microsoft Windows client.

7.2 Understanding Exclusive/Inclusive Row Security

You use row security to either restrict users from, or allow users to perform, viewing, updating, deleting, or adding certain records (rows) in a table. Prior to setting up any kind of row security (whether at the user level, role level, or *PUBLIC level), security administration determines whether your system will use inclusive or exclusive row security. Exclusive row security blocks users from accessing the database for a secured range of values that you define. Inclusive row security allows users to access the database for a valid range of values that you define. You use the EnterpriseOne Security program (P98OWSEC) to set up user security.

You use the Row Security application in the Security Workbench program (P00950) to define database values to be excluded or included depending on your JD Edwards EnterpriseOne security configuration. You can set up row security for a user, role, and *PUBLIC. Exclusive row security and inclusive row security are mutually exclusive; you cannot use a combination of the two.

To illustrate exclusive and inclusive row security, assume that user MG5700778 should be able to view records in the Address Book table (F0101) that have a business unit value from 1 through 20 and from 51 through 70. In addition, this user should be able to update records in the Address Book table that have a business unit value from 1 through 20. This user cannot insert or delete any records in the Address Book table. The following examples show the records you must define and the SQL statements that the system performs for both exclusive and inclusive row security.

7.2.1 Exclusive Row Security

This table shows the records that you define using the Row application in Security Workbench when you use exclusive row security to secure your system:

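| User | Table | Data Item | From Value | Thru Value | Add | Change | Delete | View | Alias |
|---|---|---|---|---|---|---|---|---|---|
| MG5700778 | *ALL | CostCenter | 1 | 20 | N | Y | N | Y | MCU |
| MG5700778 | *ALL | CostCenter | 21 | 50 | N | N | N | N | MCU |
| MG5700778 | *ALL | CostCenter | 51 | 70 | N | N | N | Y | MCU |
| MG5700778 | *ALL | CostCenter | 71 | ZZZZZZZZ | N | N | N | N | MCU |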

This example shows the Select operation that the system performs against the F0101 table:

SELECT * FROM TESTDTA.F0101 WHERE ( ABMCU NOT BETWEEN ' 21' AND ' 50'  
AND ABMCU NOT BETWEEN ' 71' AND ' ZZZZZZZZ' ) ORDER BY ABAN8 ASC 

This example shows the Update operation that the system performs against the F0101 table:

UPDATE TESTDTA.F0101 SET
ABALKY='MG5700778',ABTAX='456456456',ABALPH='John Doe',ABDC='JOHNDOE',
ABMCU=' 1',ABSIC=' ',ABLNGP=' ',ABAT1='E',ABCM=' ',ABTAXC=' '
WHERE ( ABAN8 = 9999999.000000 ) AND ( ABMCU NOT BETWEEN ' 21' AND ' 50'
AND ABMCU NOT BETWEEN ' 51' AND ' 70' AND ABMCU NOT BETWEEN ' 71' AND
' ZZZZZZZZ' )

Note:

Row security is applied for the range of values that have N in the appropriate Add/Change/Delete/View action.

7.2.2 Inclusive Row Security

This table shows the records that you define using the Row application in Security Workbench when you use inclusive row security to secure your system:

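| User | Table | Data Item | From Value | Thru Value | Add | Change | Delete | View | Alias |
|---|---|---|---|---|---|---|---|---|---|
| MG5700778 | F0101 | CostCenter | 1 | 20 | N | Y | N | Y | MCU |
| MG5700778 | F0101 | CostCenter | 51 | 70 | N | N | N | Y | MCU |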

This example shows the Select operation that the system performs against the F0101 table:

SELECT * FROM TESTDTA.F0101 WHERE ( ( ABMCU BETWEEN ' 1' AND ' 20' OR 
ABMCU BETWEEN ' 51' AND ' 70' ) ) ORDER BY ABAN8 ASC 

This example shows the Update operation that the system performs against the F0101 table:

UPDATE TESTDTA.F0101 SET ABALKY=' ',ABTAX='546',ABALPH='John Doe',
ABDC='JOHNDOE',ABMCU=' 60',ABSIC=' ',ABUSER='MG5700778',ABPID='EP01012',
ABUPMJ=101214,ABJOBN='DEN123456',ABUPMT=154030.000000
WHERE ( ABAN8 = 6864221.000000 ) AND ( ABMCU BETWEEN ' 1' AND ' 20' )

Important:

The presence of a single record or a set of security records in the Security Workbench table (F00950) with all N values for one or more operations for a table and data dictionary combination will disallow that user from performing that particular operation on the table.

Note:

Row security is applied for the range of values that have Y in the appropriate Add/Change/Delete/View action.

As illustrated in the examples, when you define data access security using exclusive row security, you identify a range of values that are to be secured from the user. When you define data access security using inclusive row security, you identify a range of values that the user can access. Depending on your security setup, inclusive row security can increase performance over exclusive row security because of the select and update statements that the middleware generates. Performance can improve when inclusive row security lets you define a small range of valid values in the Row Security application, rather than the large range of secured values that you would have to define to use exclusive row security.
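The following added example (not Oracle's code and not part of the original chapter) models how the two sets of Row Security records above turn into the WHERE fragments shown, and checks that both configurations grant user MG5700778 the same effective access. Assumptions: business unit values are compared as strings right-justified in 12 characters, literals are emitted without that padding, and the all-N rule from the Important note is applied in both modes; all function names are hypothetical.

```python
from dataclasses import dataclass

MCU_WIDTH = 12  # assumption: business unit is stored right-justified in 12 characters
OPS = ("add", "change", "delete", "view")
MODES = ("exclusive", "inclusive")


@dataclass(frozen=True)
class RowRule:
    """One Row Security record: a value range plus a Y/N flag per operation."""
    from_value: str
    thru_value: str
    add: str
    change: str
    delete: str
    view: str


# Constructed from the two tables on this page (user MG5700778, alias MCU).
EXCLUSIVE_RULES = [
    RowRule("1", "20", "N", "Y", "N", "Y"),
    RowRule("21", "50", "N", "N", "N", "N"),
    RowRule("51", "70", "N", "N", "N", "Y"),
    RowRule("71", "ZZZZZZZZ", "N", "N", "N", "N"),
]
INCLUSIVE_RULES = [
    RowRule("1", "20", "N", "Y", "N", "Y"),
    RowRule("51", "70", "N", "N", "N", "Y"),
]


def _ranges(rules, op, mode):
    """Ranges that enter the predicate, or None when the operation is denied."""
    if op not in OPS or mode not in MODES:
        raise ValueError(f"unknown operation or mode: {op!r}, {mode!r}")
    if rules and all(getattr(r, op) == "N" for r in rules):
        return None  # Important note: all-N records disallow the operation
    wanted = "N" if mode == "exclusive" else "Y"
    return [r for r in rules if getattr(r, op) == wanted]


def _lit(value):
    """SQL string literal with embedded quotes doubled (padding omitted)."""
    return "'" + value.replace("'", "''") + "'"


def where_fragment(rules, op, mode, column="ABMCU"):
    """Return the row-security predicate, '' if unrestricted, None if denied."""
    ranges = _ranges(rules, op, mode)
    if ranges is None:
        return None
    if not ranges:
        return ""
    if mode == "exclusive":
        template, glue = "{c} NOT BETWEEN {lo} AND {hi}", " AND "
    else:
        template, glue = "{c} BETWEEN {lo} AND {hi}", " OR "
    parts = [
        template.format(c=column, lo=_lit(r.from_value), hi=_lit(r.thru_value))
        for r in ranges
    ]
    return "( " + glue.join(parts) + " )"


def is_allowed(rules, op, mode, value):
    """Evaluate the same predicate in Python using padded string comparison."""
    ranges = _ranges(rules, op, mode)
    if ranges is None:
        return False
    if not ranges:
        return True  # assumption: no applicable record means no restriction
    padded = value.rjust(MCU_WIDTH)
    hit = any(
        r.from_value.rjust(MCU_WIDTH) <= padded <= r.thru_value.rjust(MCU_WIDTH)
        for r in ranges
    )
    return (not hit) if mode == "exclusive" else hit


def allowed_values(rules, op, mode, universe):
    """Subset of `universe` the user may touch with operation `op`."""
    return [v for v in universe if is_allowed(rules, op, mode, v)]


if __name__ == "__main__":
    units = [str(n) for n in range(1, 101)]  # constructed sample business units
    for op in OPS:
        print(op, "exclusive:", where_fragment(EXCLUSIVE_RULES, op, "exclusive"))
        print(op, "inclusive:", where_fragment(INCLUSIVE_RULES, op, "inclusive"))
    print(allowed_values(INCLUSIVE_RULES, "change", "inclusive", units))
```

The exclusive form needs one NOT BETWEEN term per secured range, while the inclusive form needs one BETWEEN term per permitted range, which is the difference in generated SQL that the performance remark refers to.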

7.2.2.1 Activating Inclusive Row Security

The system assumes Exclusive Row Security unless you specify inclusive row security.

Use these steps to activate inclusive row security:

  1. Enter P00950 in the Fast Path.

  2. On the Work With User/Role Security form, select Exclusive/Inclusive from the Form menu.

  3. On the Inclusive/Exclusive Row Security form, select the Inclusive Row Security option.

  4. Click OK.

If your system is prior to JD Edwards EnterpriseOne Tools Release 8.9, you must manually enter a record in the Security Workbench table using SQL to indicate to your system that inclusive row security is to be used. Use this Insert SQL statement as an example:

Insert into SYS7333.F00950 (FSSETY, FSUSER, FSOBNM, FSDTAI, FSFRDV, 
FSSY, FSATN3) Values(' ','EXCLUSIVE',' ', ' ', ' ', ' ' , '1')

7.3 Creating Security Overrides

This section provides an overview of security overrides, provides a prerequisite, and discusses how to add security overrides.

7.3.1 Understanding Security Overrides

Security overrides operate as exceptions to existing security records. They specify that users are unsecured from a JD Edwards EnterpriseOne object. In other words, security overrides allow users access to a particular object, even if another security record in the system specifies that access is not allowed.

Security overrides enable you to create object security more efficiently, with fewer security records to manage. For example, you might have a scenario that requires securing four out of five versions of an application from a group of users. Instead of creating four security records to prevent users from accessing each of the four versions, you can create two security records to achieve the same result. First, you would create a security override for the application version that you want users to access. This security override would specify that this version is not secured. These are the high level steps to create security overrides in Security Workbench:

  1. Create a security record for the version, making sure that the security options are cleared.

  2. Create a security record that secures users from accessing the application, including all versions of the application. In Security Workbench, you would select the application and then select the Run security option, which secures users from running the application.

As a result, when users try to access the application version, the security override for the version operates as an exception to the second application security record, allowing users access to the version of the application. All other versions of the application are secured.

You can create security overrides for these JD Edwards EnterpriseOne objects:

  • Applications

  • Actions

  • Processing options

  • Tabs

  • Hyper exits

  • External calls

  • Push buttons, links, and images

  • Media objects

Creating security overrides simplifies the process of applying security to various JD Edwards EnterpriseOne items. The following table provides some scenarios in which you could use security overrides to set up your security:

Scenario: Allow a user or group of users access to a single form in an application. These users are otherwise restricted from using the application.

Method: To set up:

  1. Create a security override for the form.

  2. Create a security record to prevent users from accessing the application.

Scenario: Secure users from using all but one push button on a form in an application. This security shall apply to all versions of the application as well.

Method: To set up:

  1. Create a security override for the push button.

  2. Create a security record to prevent users from using all push buttons on the form.

Scenario: Allow only one user in a role access to an external application.

Method: To set up:

  1. Create a security override for the user that gives the user access to the external application.

  2. Create a security record that prevents the role from accessing the external application.

Scenario: Secure users from all action buttons except Add and Copy on a form in a particular version of an application.

Method: To set up:

  1. Create a security override to specify that Add and Copy action buttons are not secured on a form in a particular version of an application.

  2. Create a security record to secure all actions on the form.

7.3.2 Prerequisite

Before you can create a security override for a JD Edwards EnterpriseOne object, you must first understand how a standard security record for the object is created in Security Workbench. See the appropriate sections in this chapter for instructions on how to apply security to JD Edwards EnterpriseOne objects such as applications, processing options, tabs, and media objects.

7.3.3 Adding Security Overrides

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, and then select the menu for the type of object for which you want to create a security override.

  2. On the security form, enter the user or role ID in the User / Role field.

    Enter a complete user or role, which includes *PUBLIC.

  3. In the Display UnSecured Items region, complete the appropriate fields, and then click Find.

    This step provides a list of unsecured items for the user, role, or *PUBLIC in the UnSecured node.

  4. Expand the UnSecured node to view the individual applications or versions, and the forms associated with each, that do not already have security set for them.

    After you expand the node, each item that you select appears in the grid.

  5. Select the item in the node that you want to create a security override for.

  6. In the Create with region, make sure that the security options are cleared or not selected.

  7. Drag the item from the UnSecured node to the Secured node.

    This action creates a security override for the user or role that can operate as an exception to another security record for the user or role.

7.4 Managing Application Security

This section provides an overview of application security and discusses how to:

  • Review the current application security settings for a user or role.

  • Add security to an application.

  • Secure a user or role from all JD Edwards EnterpriseOne objects.

  • Remove security from an application.

7.4.1 Understanding Application Security

Application security enables you to secure these types of items from users:

  • Applications

    When you secure an application, you secure all versions and forms associated with the application.

  • Versions

    You can secure access to a version of an application while leaving other versions available to the user.

  • Forms

    You can secure access to a single form in an application or application version.

You can secure users from running or installing (or both) a particular application, version, or form within an application. You cannot define application security at the subform level. As an alternative, you could define column security at the form level (power form level) and every instance of the data dictionary item (either on the power form header or subform grid) follows the defined security.

This section also explains how to add a *ALL object and change all of the applications for a particular user or role from unsecured to secured.

7.4.2 Reviewing the Current Application Security Settings for a User or Role

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Application.

  2. On the Application Security form, enter the user or role ID in the User / Role field.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. In the Display UnSecured Items region, complete the appropriate fields to determine which items have already been secured for the user or role, and then click Find:

    • Application

      Enter an application name, such as P01012. You can also enter *ALL to display all applications.

    • Version

      Enter a version name, such as ZJDEC0001, if you want to check only a specific version of an application. You can also use an asterisk to display all versions.

    • Form Name

      Enter a form name, such as W01012A. You can also enter an asterisk to display all forms.

  4. Expand the Secured node to view the security settings for the user or role in the detail area.

7.4.3 Adding Security to an Application

Enter P00950 in the Fast Path.

Note:

You cannot secure the Data Browser program using the Application Security form. Security Workbench provides a separate option for securing this program.

See Managing Data Browser Security.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Application.

  2. On the Application Security form, enter the user or role ID in the User / Role field.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. In the Display UnSecured Items region, complete the appropriate fields, and then click Find.

    • Application

    • Version

      Enter a particular version of the application that you entered in the Application field. If you leave this field blank, the system displays all versions associated with the application in the UnSecured node.

    • Product Code

      Enter a product code to display all applications, versions, and forms associated with a particular product code. This field does not work in conjunction with the Application or Version fields.

      The search results appear under the UnSecured node.

  4. Expand the UnSecured node to view the individual applications or versions, and the forms associated with each, that do not already have security set for them.

    After you expand the node, the individual items also appear in the grid.

  5. In the Create with region, select one or both of these security options:

    • Run Security

      Select this option to secure users from running the application.

    • Install Security

      Select this option to prevent the just-in-time installation (JITI) of anything necessary to run the application.

  6. Complete one of these steps:

    • Drag applications, versions, or forms from the UnSecured node to the Secured node.

    • From the Row menu, select All Objects to move all applications to the Secured node.

    • From the Row menu, select Secure to All to move all objects that are under the UnSecured node to the Secured node.

      If you secured an individual form, only the form appears under the Secured node. If you secured an application or version, the application or version and the forms associated with each appear under the Secured node.

  7. To change the security on an item, select the item under the Secured node, select the appropriate security option, and then, from the Row menu, select Revise Security.

    In the grid, the values under the Run and Install fields change accordingly.

7.4.4 Securing a User or Role from All JD Edwards EnterpriseOne Objects

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Application.

  2. On the Application Security form, enter the user or role ID in the User / Role field.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. In the Display UnSecured Items area, enter *ALL in the Application field to select all JD Edwards EnterpriseOne objects, and then click Find.

  4. Expand the UnSecured node and then click *ALL in the detail area.

  5. In the Create with region, select one or both of these options:

    • Run Security

      Use this option to secure users from running all applications.

    • Install Security

      Use this option for JITI only.

  6. Complete one of these steps:

    • Drag *ALL from the UnSecured node to the Secured node.

    • From the Row menu, select All Objects to move *ALL to the Secured node.

    • From the Row menu, select Secure to All to move *ALL from UnSecured node to the Secured node.

7.4.5 Removing Security from an Application

Access the Application Security form.

On the Application Security form, perform one of these steps:

  • Under the Secured node, select an application, version, or form and click Delete.

  • Drag an application, version, or form from the Secured node to the UnSecured node.

  • Select Remove All from the Row menu to move all items from the Secured node to the UnSecured node.

7.5 Managing Action Security

This section provides an overview of action security and discusses how to:

  • Review the current action security settings for a user or role.

  • Add action security.

  • Remove action security.

7.5.1 Understanding Action Security

Action security enables you to secure the buttons that enable users to perform particular actions, such as adding, deleting, inquiring, revising, or copying a record. These buttons typically reside on the toolbar in a form. Do not confuse these buttons with buttons that are located on other parts of a form.

You can define action security at the application, version, and form level. You cannot define action security at the subform level. As an alternative, you could define column security at the form level (power form level) and every instance of the data dictionary item (either on the power form header or subform grid) follows the defined security.

Oracle recommends that after you add action security to an application, you should test the application to make sure that the security works as desired. For example, adding action security to an Add or OK button in some applications that have editable grids does not prevent users from adding new records or modifying existing ones. For these applications, you would have to add additional security to the application as well.

7.5.2 Reviewing the Current Action Security Settings

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Action.

  2. On the Action Security form, enter the user or role ID in the User / Role field and click Find.

    You can enter *PUBLIC but not wildcards.

    Current action security settings for the user or role appear under the Secured node in the tree.

  3. To see if an action security is applied to a particular application, version, or form, complete a combination of these fields in the Display Secured Item region, and then click Find:

    • Application

      Enter an application name, such as P01012.

    • Version

      Enter a version of the application entered in the Application field to see if action security is applied to the version.

    • Form Name

      Enter a form name, such as W01012A.

  4. Expand the Secured node and click a secured item to view the current security settings for the user or role in the detail area.

7.5.3 Adding Action Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Action.

  2. On the Action Security form, enter the user or role ID in the User / Role field and click Find.

    You can enter *PUBLIC but not wildcards.

    Current action security settings for the user or role appear under the Secured node in the tree.

  3. To find the applications, versions, or forms to which you want to apply action security, complete any of these fields under the Display UnSecured Items heading, and then click Find:

    • Application

      Enter an application name, such as P01012. Enter *ALL to display all applications.

    • Version

      Enter a version of the application you entered in the Application field. If you leave this field blank, all versions associated with the application will appear in the UnSecured node.

    • Product Code

  4. Expand the Unsecured node to view individual applications, versions, and forms in the detail area.

  5. In the Create with region, select any of these options:

    • Change

    • Add

    • Delete

    • OK/Select

    • Copy

    • Scroll To End

      When you select the OK/Select function, both the Select and OK buttons will be disabled on forms regardless of the setting for any of the other functions. The reason that separate options exist for OK/Select and the other functions is to allow a user to select records from a Find/Browse or Inquiry form but not be able to perform those actions that you secured. For example, a valid setup would be to set OK/Select to Y and set Change to N. The user will be able to select records but not change them. However, if you set OK/Select to N and Change to Y, the OK and Select buttons will be disabled even if the form is in update mode.

  6. To secure the actions on an application, version, or form, perform one of these steps:

    • Drag the application, version, or form from the UnSecured node to the Secured node.

    • From the Row menu, select All Objects to move all items to the Secured node.

    • From the Row menu, select Secure to All to move all objects under the UnSecured node to the Secured node.

      For example, to set delete security on an application, select the Delete option. Next, drag the application from the UnSecured node to the Secured node. The detail area will reflect the delete security that you set for this application, which means that the user you entered cannot perform the delete action on this application.

      The applications or forms now appear under the Secured node and they have the appropriate action security.

  7. To change the security on an item, select the item under the Secured node, select the appropriate security option, and then, from the Row menu, select Revise Security.

    In the grid, the values for the security options change accordingly.

7.5.4 Removing Action Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Action.

  2. On the Action Security form, enter the user or role for which you want to change action security in the User / Role field, and then click Find.

  3. To delete action security from an application, version, or form, do one of these:

    • Under the Secured node, select an application, version, or form and click Delete.

    • Under the Secured node, drag an application, version, or form from the Secured node to the UnSecured node.

    • Select Remove All from the Row menu to move all applications and forms from the Secured node to the UnSecured node.

7.6 Managing Row Security

This section provides an overview of row security and discusses how to:

  • Add row security

  • Remove row security

7.6.1 Understanding Row Security

Row security enables you to secure users from accessing a particular range or list of data in any table. Use row security sparingly because it can adversely affect system performance. Additional processing occurs for each data item that you set with row security.

You can set up row security at three levels:

  • User

  • Group

  • *PUBLIC

JD Edwards EnterpriseOne first looks for row security at the user level, then at the group level, and then at the *PUBLIC level. If you set any of the security at a higher level, such as at the user level, the software ignores lower-level security settings, such as the group or *PUBLIC levels.

Before you set up row security for an item in a table, you should verify that the item is actually in that table. For example, the F0101 table contains the data item AN8. Therefore, you can set up row security for that item. However, the same table does not contain data item PORTNUM. Setting row security on this item for the F0101 table has no effect.

You set up row security on a table, not on a business view. You should verify that the object that you want to secure uses a business view over a table containing the object. For example, the Work With Environments application (P0094) uses business view V00941 over the F00941 table. You could secure the data item RLS (Release) because it is in the F00941 table. On the other hand, the same item is not in the F0094 table. If you attempt to secure the item on the F0094 table, data item RLS is not secured.

Note:

You can find the tables, applications, forms, business views, and so on that use a data item by launching the Cross Reference application (P980011) after you build cross-reference tables (F980011 and F980021).

7.6.2 Prerequisite

Before you can set up row security, you must activate row security in Data Dictionary Design.

See "Creating a Data Dictionary Item" in the JD Edwards EnterpriseOne Tools Development Tools: Data Dictionary Guide.

7.6.3 Setting Up Data Dictionary Spec Files

After you activate row security in Data Dictionary Design, log out of JD Edwards EnterpriseOne and delete these spec files, which are located in the \pathcode\spec directory:

  • dddict.xdb

  • dddict.ddb

  • ddtext.xdb

  • ddtext.ddb

  • glbltbl.xdb

  • glbltbl.ddb

If you do not use data dictionary replication, you must delete these spec files for each path code directory on your machine and every workstation, including the enterprise server, where this security needs to be activated. These spec files are automatically rebuilt as data dictionary items are referenced the next time the user signs onto JD Edwards EnterpriseOne when just-in-time installation (JITI) is enabled for the environment.

Note:

If your system is prior to JD Edwards Applications Release 8.11, and you are using terminal servers in an environment that does not use JITI, you must rebuild the data dictionary and global table spec files using R92TAM and R98CRTGL to get the changed data dictionary information to the terminal servers.

7.6.4 Adding Row Security

Enter P92001 in the Fast Path.

  1. On the Work With Data Items form, click Find.

    Note:

    You can enter search criteria in the Search Description field and the query by example (QBE) row to narrow your search.

  2. Select the data item that you want to secure, and click Select.

    The Data Item Specifications form appears.

  3. On the Item Specifications tab, select the Row Security option and click OK.

    This option must be selected for row security to work.

  4. Click OK.

  5. Exit the data dictionary application.

  6. In Solution Explorer, enter P00950 in the Fast Path and press Enter.

  7. On the Work With User/Role Security form, select the Form menu, Set Up Security, Row.

  8. On the Row Security form, complete the User / Role field and then click Find to display current row security.

  9. Complete these fields, either in the first open detail area row (to add security) or in a pre-existing detail area row (to change security):

    • Table

      You can enter *ALL in this field.

    • Data Item

      This field is required.

    • From Value

      This field is required.

    • Thru Value

    • Add

    • Change

    • Delete

    • View

  10. Click OK to save the security information.

7.6.5 Removing Row Security

Enter P00950 in Fast Path.

  1. On the Work With User/Role Security form, select an object.

  2. From the Form menu, select Set Up Security, Row.

  3. On the Row Security form, complete the User / Role field and click Find.

    Note:

    If you accessed the Row Security form from the Work With User/Role Security form for a specific record, the user or role associated with the security record appears in the User / Role field by default.

  4. Select the security record or records in the detail area, and then click Delete.

  5. On Confirm Delete, click OK.

  6. Click OK when you finish deleting row security.

    If you do not click OK after you delete the row security records, the system does not save the deletion.

7.7 Managing Column Security

This section provides an overview of column security and discusses how to:

  • Add column security

  • Remove column security

7.7.1 Understanding Column Security

This section explains how to add and revise column security. You can secure users from viewing a particular field or changing the value for a particular field. This item can be a database field, or a field that is defined in the data dictionary but is not in the database.

Note:

You can find the tables, applications, forms, business views, and so on, that use a data item by launching the Cross Reference application (P980011) after you build the cross-reference tables (F980011 and F980021).

You can set up column security on a table, an application, an application version, or a form. Even if an application uses a business view that does not contain the data item that you want to secure, you can still secure it, as long as the item appears on a form in the application.

7.7.1.1 Column Security Options

When you use Column Security you can set View, Add, and Change options to secure a field. For the field to appear on a table, application, application version, or form, the View option must be set to Y. When the View option is set to N for a field, that field does not appear on the object. Add and Change options depend on the View option being set to Y for the field. The Add and Change options are independent of each other.

You can set the View and Add options to Y and the Change option to N. With security defined in this manner, the field appears on the object and is enabled when the user enters the object in add mode. If the user enters the object in update mode, the field appears but is disabled.

You can set the View and Change options to Y and the Add option to N. With security defined in this manner, the field appears on the object and is enabled when the user enters the object in update mode. If the user enters the object in add mode, the field appears but is disabled.

You can set all three options to Y. With security defined in this manner, the field appears on the object and is enabled in both add and update mode.

7.7.1.2 Column Security on a Table

Before you set up column security on a table, do these:

  • Verify that the object that you want to secure is in the table.

  • Verify that the object that you want to secure is part of an application that uses a business view over a table containing the object.

  • Verify that the object that you want to secure uses a business view that includes the column containing the object.

For example, if you want to apply column security to data item RLS (Release Number) in the F00941 table, RLS must be an item in that table, and it must also be part of an application using a business view over that table. Finally, the business view over the F00941 table must include a column containing the data item RLS.

If all of these conditions are met, you can successfully apply column security to the data item. Setting column security on a table also means that you set security on the data item for any other applications that use the F00941 table.

7.7.1.3 Column Security on an Application

Before you set up column security on an application, do these:

  • Verify that the object that you want to secure is in the application.

  • Verify that you are securing the correct data item in an application (data item descriptions can be similar, if not identical).

For example, if you want to apply column security to data item UGRP (UserRole) in the Object Configuration Manager application (P986110), you first verify that the item is in the application. Because it is in the application, you can apply security to the data item. However, note that data items UGRP, MUSE, USER, and USR0 all contain the identical data description of User ID. Verify the item by its alias, not by its data description.

7.7.1.4 Column Security on an Application Version

You can secure users from using columns (or fields) in a version of an application. When you secure a column in a version, the system secures the column in all forms associated with that application version.

Before you set up column security on an application version, do these:

  • Verify that the object that you want to secure is in the version of the application.

  • Verify that you secure the correct data item in an application (data item descriptions can be very similar, if not identical). Verify the item by its alias, not by its data description.

7.7.1.5 Column Security on a Form

Security Workbench enables you to secure the column in one particular form, either in an application or in a version of an application.

Before you set up column security on a form, do these:

  • Verify that the object that you want to secure is in the form.

  • Verify that you secure the correct data item in the form (data item descriptions can be very similar for different data items).

7.7.2 Adding Column Security

Enter P00950 in Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Column.

  2. On the Column Security form, complete the User / Role field, and then click Find to display current column security for the user or role.

  3. To add new security, go to the last row of the detail area and enter information into any of these fields:

    • Table

    • Application

    • Version

      If you want to add column security to a particular version, enter a version of the application that you entered in the Application field.

    • Form Name

      You can enter *ALL in any of these fields; however, after *ALL is entered for a table, application, or form for a specific data item, you cannot enter *ALL again for that data item.

  4. Complete these fields:

    • Data Item

    • View

      If the value for View is N, the data item will not appear on any of the objects identified in Step 3, making Add and Change functions obsolete.

    • Add

    • Change

  5. To change security, change the row values in the detail area.

  6. Click OK to save the security information.

7.7.3 Removing Column Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Column.

  2. On the Column Security form, complete the User / Role field, and then click Find.

    Note:

    If you accessed the Column Security form from the Work With User/Role Security for a specific record, the user or role associated with the security record appears in the User/Role field by default.

  3. Highlight the security record or records in the detail area and click Delete, and then click OK on Confirm Delete.

  4. Click OK when you finish deleting column security.

    If you do not click OK after you delete the security records, the system does not save the deletion.

7.8 Managing Processing Option and Data Selection Security

This section provides overviews of processing option and data selection security and discusses how to:

  • Review the current processing option and data selection security settings.

  • Add security to processing options and data selection.

  • Remove security from processing options and data selection.

  • Use R009505 to update data selection security.

7.8.1 Understanding Processing Option Security

You can secure users from changing, prompting for values, and prompting for versions of specific processing options. By itself, setting security that prohibits users from prompting for versions does not prevent them from changing values in the processing option. If you do not want users to use processing option values, you might want to set security so that users are secured from the "prompt for" value and "prompt for" versions.

For example, to set prompt-for-values security, which also automatically sets change security, select the Prompt for Values option. Next, drag one application at a time from the UnSecured node to the Secured node. The detail area reflects the prompt-for-values and change security that you set for these applications. This procedure means that the user you entered cannot prompt for values or change processing options on any applications that you dragged to the Secured node.

This task also explains how to add a *ALL object and how to move all of the applications for a particular user or role from unsecured to secured.

7.8.2 Understanding Data Selection Security

You can secure users from modifying, adding, deleting, and viewing the data selection for batch applications or specific versions of batch applications. This security applies to the data selection during submission of a batch application (or report).

7.8.2.1 Implementation Considerations

Data selection security only applies to web clients. You can set up data selection security by running the Security Workbench application on the Windows client. However, the security is only enforced for end users submitting batch applications from the web client. It is not enforced for other means of launching reports, such as RUNUBE and RUNUBEXML commands or the scheduler.

The Data Selection row exit on the Work with Batch Versions form allows a user to modify the data selection for a version or report. Oracle recommends that the JD Edwards EnterpriseOne security administrator secures the Data Selection row exit using existing hyper exit security in addition to setting up proper data selection security.

For example, data selection security is set up for a user on a batch application version so that the user cannot modify existing rows but can add new rows. However, the user can access the Data Selection row exit and use this row exit to add rows to the existing data selection. When the user clicks OK, the data selection specification is saved to the version. When the user takes the Data Selection row exit again, all rows become existing rows that are secured out. As a result, he cannot modify rows that he just added.

You should also consider using action security to secure the ability to add and copy versions of a batch application. Or you can set data selection security at the batch application level rather than version level. In this case, a new user-created version that was created through add or copy will still have the same data selection security.

7.8.2.2 Data Selection Security Options

The available security settings related to data selections are:

| Security Setting | Description |
|---|---|
| Prompt for Data Selection | This setting prevents a user from viewing the data selection screen when submitting a report or version. The data selection criteria defined in the version are used for submission. |
| Full Access for Data Selection | This setting prevents a user from having a full set of the editing capabilities on the data selection screen. Specifically, it prevents a user from deleting any existing data selection criteria. When this setting is checked, two additional settings "Modify for Data Selection" and "Add for Data Selection" are enabled. All three settings can be used in combination. |
| Modify for Data Selection | This setting prevents a user from editing or deleting existing data selection criteria defined for a report or version. It also prevents a user from adding new data selection criteria with an OR operator, in effect either expanding or changing existing criteria. This setting is made available only when the user is not granted with Full Access for Data Selection. |
| Add for Data Selection | This setting prevents a user from adding new data selection criteria. This setting is made available only when the user is not granted with Full Access for Data Selection. This setting can be used in combination with the Modify for Data Selection setting. |

All of the security settings can be set at the specific user, role, or *PUBLIC level for any report version or report.

7.8.2.3 Security Hierarchy

When multiple security records exist, the system applies security by following the existing security hierarchy:

  1. Version level security for user.

  2. Batch application level security for user.

  3. *ALL level security for user.

  4. Version level security for group.

  5. Batch application level security for group.

  6. *ALL level security for group.

  7. Version level security for *PUBLIC.

  8. Batch application level security for *PUBLIC.

  9. *ALL level security for *PUBLIC.

Once a security record is found, the system stops searching for lower priority records.

Note:

The Java Application Server resolves the security entries for the group based on the role sequence number, and only returns one record for all groups at runtime.

7.8.2.4 Data Selection Security Scenarios

This table lists the possible data selection security scenarios. "X" indicates that the specified checkbox is checked in the Security Workbench application:

| Scenario | Prompt for Data Selection | Full Access Data Selection | Modify Data Selection | Add Data Selection |
|---|---|---|---|---|
| Full access to data selection. | N/A | N/A | N/A | N/A |
| No access to data selection form. User receives error when he tries to access data selection. | X | Grayed out and checked by default | Grayed out and checked by default | Grayed out and checked by default |
| Read-only access. | N/A | X | X | X |
| User can only add new data selection rows with AND operator. User cannot modify or delete existing data selection rows. | N/A | X | X | N/A |
| User can only modify the right operand value for existing data selection rows. User cannot add new data selection rows or delete existing rows. | N/A | X | N/A | X |
| User can modify existing rows and add new rows with the 'AND' operator. User cannot delete existing rows. | N/A | X | N/A | N/A |
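
The search order in 7.8.2.3 and the checkbox combinations in 7.8.2.4 can be combined into one lookup that reports what a given user can do with a report's data selection. The following Python is an added example, not Oracle code: the record layout, the names JDOE, ASMITH, APCLERK, R0010P, and COPY0001, and the caller-supplied role priority order (standing in for the server's role sequence resolution) are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

ALL_OBJECTS = "*ALL"
PUBLIC = "*PUBLIC"

# Outcomes, worded after the scenario table in 7.8.2.4.
FULL = "full access"
NO_ACCESS = "no access to data selection form"
READ_ONLY = "read-only"
ADD_ONLY = "add rows with AND only; no modify or delete"
MODIFY_ONLY = "modify right operand of existing rows only; no add or delete"
MODIFY_AND_ADD = "modify existing rows and add rows with AND; no delete"


@dataclass(frozen=True)
class DataSelRecord:
    """Hypothetical model of one data selection security record.

    The booleans mirror the Security Workbench checkboxes ("X" in the
    scenario table): True means the checkbox is checked.
    """
    principal: str            # user ID, role, or *PUBLIC
    application: str          # batch application name or *ALL
    version: str = ""         # blank = application-level record
    prompt: bool = False
    full_access: bool = False
    modify: bool = False
    add: bool = False


def resolve(records: Iterable[DataSelRecord], user: str, roles: Sequence[str],
            application: str, version: str) -> Optional[DataSelRecord]:
    """Return the first record found in the nine-step hierarchy, or None.

    roles must be in priority order (assumption: highest priority first).
    """
    index = {(r.principal, r.application, r.version): r for r in records}
    # Version level, then batch application level, then *ALL.
    levels = [(application, version), (application, ""), (ALL_OBJECTS, "")]
    # User first, then group (role), then *PUBLIC.
    for principals in ([user], list(roles), [PUBLIC]):
        for obj, ver in levels:
            for principal in principals:
                hit = index.get((principal, obj, ver))
                if hit is not None:
                    return hit        # stop: lower-priority records are ignored
    return None


def effective_access(rec: Optional[DataSelRecord]) -> str:
    """Translate the matched record's checkboxes into a scenario."""
    if rec is None or not (rec.prompt or rec.full_access or rec.modify or rec.add):
        return FULL
    if rec.prompt:
        return NO_ACCESS              # the other three are checked by default
    if not rec.full_access:
        # Modify and Add are only enabled once Full Access is checked.
        raise ValueError(f"inconsistent record for {rec.principal}: "
                         "Modify/Add checked without Full Access")
    if rec.modify and rec.add:
        return READ_ONLY
    if rec.modify:
        return ADD_ONLY
    if rec.add:
        return MODIFY_ONLY
    return MODIFY_AND_ADD


# Constructed sample records (not taken from a real F00950 table).
SAMPLE = [
    DataSelRecord(PUBLIC, ALL_OBJECTS, prompt=True),
    DataSelRecord("APCLERK", "R0006P", full_access=True, modify=True, add=True),
    DataSelRecord("JDOE", "R0006P", "XJDE0001", full_access=True),
]


def check(user: str, roles: Sequence[str], application: str, version: str,
          records: Iterable[DataSelRecord] = SAMPLE) -> str:
    return effective_access(resolve(records, user, roles, application, version))


if __name__ == "__main__":
    for ver in ("XJDE0001", "COPY0001"):
        print("JDOE", "R0006P", ver, "->", check("JDOE", ["APCLERK"], "R0006P", ver))
    print("JDOE", "R0010P", "->", check("JDOE", ["APCLERK"], "R0010P", "XJDE0001"))
```

In the sample, the user's version-level record shadows the stricter role record for XJDE0001, while a copied version with no record of its own falls through to the role's application-level record.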

7.8.3 Reviewing the Current Processing Option and Data Selection Security Settings

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select Set Up Security, Proc Opt and Data Sel Security.

  2. On the Processing Option and Data Selection Security form, enter a user or role ID in the User / Role field.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. In the Display Secured Item region, complete these fields and then click Find:

    • Application

      Enter a batch application name, such as R0006P. Enter *ALL to display all applications.

    • Version

      Enter a version of the application that you entered in the Application field.

      Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

7.8.4 Adding Security to Processing Options and Data Selection

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Proc Opt and Data Sel Security.

  2. On the Processing Option and Data Selection Security form, enter the user or role ID in the User / Role field and then click Find.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. In the Display UnSecured Items region, complete the appropriate fields and then click Find:

    • Application

      Enter an application name, such as R0006P. Enter *ALL to display all applications.

    • Version

      You can enter a particular version of the application that you entered in the Application field. If you leave this field blank, all versions associated with the application will appear in the UnSecured node.

    • Product Code

    • UBEs Only

      Select this checkbox to view only batch applications.

      You must perform this step before you can add new security. This step provides a list of applications from which you can apply processing option or data selection security.

      The search results appear under the UnSecured node. Expand the node to view applications (interactive and batch) and menus with interactive or batch applications. After you expand the node, the applications appear in the detail area.

      For example, to set security on applications within the 00 product code, you enter 00 in the Product Code field and click Find. All of the applications (interactive and batch) attached to product code 00 appear after you expand the UnSecured node.

  4. In the Create with region, select one or more of these options and drag applications from the UnSecured node to the Secured node:

    • Change

    • Prompt for Values

      When you select this option, you automatically activate the Change option.

    • Prompt for Versions

    • Prompt for Data Selection

    • Full Access Data Selection

      When you select this option, you automatically activate the following two options:

    • Modify Data Selection

    • Add Data Selection

      See Data Selection Security Scenarios.

  5. Perform one of these actions:

    • Drag applications from the UnSecured node to the Secured node.

    • From the Row menu, select All Objects to move all applications to the Secured node.

    • From the Row menu, select Secure to All to move all objects under the UnSecured node to the Secured node.

      The applications now appear under the Secured node and have the appropriate security.

  6. To change the security on an item, select the item under the Secured node, select the appropriate security option, and then, from the Row menu, select Revise Security.

    In the grid, the values for the security options change accordingly.

7.8.5 Removing Security from Processing Options and Data Selection

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Proc Opt and Data Sel Security.

  2. On the Processing Option and Data Selection Security form, enter a user or role ID for which you want to remove processing option or data selection security in the User / Role field.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. Click Find.

    Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

  4. Perform one of these steps:

    • Under the Secured node, select an application or application version and click Delete.

    • Under the Secured node, drag an application or application version from the Secured node to the UnSecured node.

    • On the Row menu, select Remove All to move all items from the Secured node to the UnSecured node.

7.8.6 Using R009505 to Update Data Selection Security

The data selection security records are stored in the security table as security type 5. You can use the R009505 batch application to clean up any existing security type 5 records.

R009505 runs over the F00950 table with data selection on records of Security Type 5 (Processing Option and Data Selection Security). These records must have a value in the Object Name field that is a batch application or *ALL. Because Security Type 5 can also be set up for interactive application objects, the batch application ignores those records. You can run the batch application in Proof or Final mode; in Final mode, it updates the F00950 table records according to the values in the processing options. Given the processing option values, the F00950 table is updated as follows:

In each row, the four values are listed in the order Prompt for Data Selection / Full Access Data Selection / Modify Data Selection / Add Data Selection.

| PO (Y or N) | Actual Record |
|---|---|
| Y / Y / Y / Y | Y / Y / Y / Y |
| N / Y / Y / Y | N / N / N / N |
| N / N / Y / Y | N / N / N / N |
| N / N / N / Y | N / N / N / N |
| N / N / N / N | N / N / N / N |
| Y / N / N / N | Y / N / N / N |
| Y / Y / N / N | Y / Y / Y / Y |

7.9 Managing Tab Security

This section provides an overview of tab security and discusses how to:

  • Add tab security

  • Remove tab security

7.9.1 Understanding Tab Security

You can secure users from changing the name of the tab and viewing the form that you call by using the tab. For example, to set up change security, select the Change option. Next, drag tabs one at a time from the UnSecured node to the Secured node. The detail area reflects the changed security that you set for the tabs. This security means that the user you entered cannot change the tabs that you dragged to the Secured node.

Note:

If you secure a user from an application, you cannot also secure the user from certain tabs on a form in that application. This restriction prevents redundant double security. Similarly, if you secure a user from a tab, you cannot secure the user from the application that contains the tab.

You can define Tab security at the application, version, and form level. You cannot define Tab security at the subform level. As an alternative, you could define column security at the form level (power form level) and every instance of the data dictionary item (either on the power form header or subform grid) follows the defined security.

Note:

Portlets are handled by the system as if they are subforms; therefore, portlets have the same Tab security limitation.

7.9.2 Adding Tab Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Tab Security.

  2. On the Tab Exit Security form, complete these fields and click Find:

    • User / Role

      Enter a complete user or role, which includes *PUBLIC but not wildcards.

    • Application

      You can view security for a specific application or enter *ALL to display all applications.

      Current security settings for the user or role appear under the Secured node in the tree. Expand the nodes to view the secured tabs. After you expand the node, the secured tabs also appear in the grid.

  3. Complete only one of these fields in the Display UnSecured Items region and click Find:

    • Application

      Enter *ALL in this field to select all JD Edwards EnterpriseOne objects.

      In the detail area, this special object appears as *ALL and displays the security that you defined for the object, such as Run Security or Install Security. The *ALL object acts as any other object, and you can use the Revise Security and Remove All options from the Row menu.

    • Product Code

      You must perform this step before you can add new security. This step provides a list of applications from which to select.

      The search (application or product code) appears under the UnSecured node. Expand the node to view applications (interactive and batch) and the associated tabs. After you expand the node, the applications or tabs also appear in the detail area.

      For example, to set security for tabs in applications within the 00 product code, you enter 00 in the Product Code field and click Find. All of the applications (interactive and batch) attached to product code 00 appear after you expand the UnSecured node.

  4. In the Create with region, select one or more of these options:

    • Change

      Select this option to prohibit a user or role from changing information on the tab page.

    • View

      Select this option to hide the tab from the user or the role.

  5. Drag tabs from the UnSecured node to the Secured node.

    These tabs now appear under the Secured node.

  6. To change the security on an item, select the item under the Secured node, select the appropriate security option, and then, from the Row menu, select Revise Security.

    In the grid, the values for the security options change accordingly.

7.9.3 Removing Tab Security

Access the Work With User/Role Security form.

  1. From the Form menu, select Set Up Security, Tab Security.

  2. On the Tab Exit Security form, complete these fields and click Find:

    • User / Role

      Enter a complete user or role, which includes *PUBLIC but not wildcards.

    • Application

      You can view security for a specific application or enter *ALL to display all applications.

      Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the secured tabs. After you expand the node, the secured tabs also appear in the grid.

  3. Perform one of these steps:

    • Under the Secured node, select a tab and then click Delete.

    • Under the Secured node, drag a tab from the Secured node to the UnSecured node.

    • On the Row menu, select Remove All to move all tabs from the Secured node to the UnSecured node.

7.10 Managing Hyper Exit Security

Menu bar exits, also referred to as hyper exits, call applications and allow users to manipulate data. You can secure users from using these exits. Hyper exit security also provides restrictions for menu options. This section discusses how to:

  • Add hyper exit security

  • Remove hyper exit security

7.10.1 Adding Hyper Exit Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Hyper Exit Security.

  2. On the Hyper Exit Security form, complete these fields and click Find:

    • User / Role

      Enter a complete user or role ID, which includes *PUBLIC but not wildcards.

    • Application

      View security for a specific application. Enter *ALL to display all applications.

      Current security settings for the user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications, such as interactive and batch. After you expand the node, the secured hyper-button exits also appear in the detail area.

  3. In the Display Unsecured Items region, complete only one of these fields to locate the applications to which you want to apply exit security, and click Find:

    • Application

      If you enter *ALL in this field and select the Run Security option, all action buttons (except Close and Cancel on the web client only) including every exit under the Form, Row, and Tools options are disabled. To avoid disabled action buttons, apply Hyper Exit security at the individual application level.

    • Product Code

      You can search for all of the applications within a product code. For example, to set security on hyper-buttons in applications within the 00 product code, you enter 00 in the Product Code field and click Find. All of the applications (interactive and batch) attached to product code 00 appear after you expand the UnSecured node.

      The search (application, product code, or menu) appears under the UnSecured node. Expand the node to view applications (interactive and batch) and hyper-button exits. After you expand the node, the hyper-button exits also appear in the detail area.

  4. Expand the UnSecured node to view and select applications (interactive and batch) and hyper-button exits.

    After you expand the node, the hyper-button exits also appear in the detail area.

  5. In the Create with region, select the Run Security option.

    When you select this option, the grid shows an N in the Run column for each object.

  6. Click Find.

  7. Drag exits one at a time from the UnSecured node to the Secured node.

    The exits that you dragged now appear under the Secured node. The grid reflects the security that you set for these exits. This security prevents the user that you entered from using the exit.

Note:

Hyper Exit security with Run=N for *ALL objects is ignored on the web client for Tools Release 8.97 and earlier releases.

7.10.2 Removing Hyper Exit Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Hyper Exit Security.

  2. Complete these fields and click Find:

    • User / Role

      Enter a complete user or role ID, which includes *PUBLIC but not wildcards.

    • Application

      View security for a specific application. Enter *ALL to display all applications.

      Current security settings for the user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications, such as interactive and batch. After you expand the node, the secured hyper-button exits also appear in the detail area.

  3. Perform one of these steps:

    • Under the Secured node, select a hyper exit and click Delete.

    • Under the Secured node, drag a hyper exit from the Secured node to the UnSecured node.

    • On the Row menu, select Remove All to move all hyper exits from the Secured node to the UnSecured node.

7.11 Managing Exclusive Application Security

This section provides an overview of exclusive application security and discusses how to:

  • Add exclusive application security.

  • Remove exclusive application access.

7.11.1 Understanding Exclusive Application Security

Exclusive application security enables you to grant access to otherwise secured information through one exclusive application. For example, assume that you use row security to secure a user from seeing a range of salary information; however, the user needs to run a report for payroll that includes that salary information. You can grant access to the report, including the salary information, using exclusive application security. JD Edwards EnterpriseOne continues to secure the user from all other applications in which that salary information might appear.

7.11.2 Adding Exclusive Application Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Exclusive Application.

  2. On the Exclusive Application Security form, complete the User / Role field.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. Complete these fields in the detail area:

    • Object Name

      Enter the name of the exclusive application for which you want to allow access (the security). For example, to change the security for a user of the Vocabulary Overrides application, enter P9220 in this field.

    • Run Application

  4. Click OK to save the information.

7.11.3 Removing Exclusive Application Access

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Exclusive Application.

  2. On the Exclusive Application Security form, complete the User / Role field and click Find.

    Note:

    If you accessed the Exclusive Application Security form from a specific record in the Work With User/Role Security form, the user or role associated with the security record appears in the User/Role field by default.

  3. Highlight the security records in the grid and click Delete.

  4. On the Confirm Delete message form, click OK.

  5. Click OK when you finish deleting exclusive application security.

    If you do not click OK after you delete the security records, JD Edwards EnterpriseOne does not save the deletion.

7.12 Managing External Calls Security

This section provides an overview of external call security and discusses how to:

  • Add external call security.

  • Remove external call security.

7.12.1 Understanding External Call Security

In JD Edwards EnterpriseOne, certain applications exist that are not internal to JD Edwards EnterpriseOne; they are standalone executables. For example, the Report Design Aid, which resides on the Cross Application Development Tools menu (GH902), is a standalone application. You can also call this application externally using RDA.exe. By default, this file resides in the \E810\SYSTEM\Bin32 directory.

7.12.2 Adding External Call Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, External Calls.

  2. On the External Calls Security form, complete these fields and click Find:

    • User / Role

      Enter a complete user or group ID, which includes *PUBLIC but not wildcards.

    • Executable

      Enter the name of the external application, such as debugger.exe. When you enter information into this field, the software searches only for the indicated application.

      Current security settings for that user or group appear under the Secured node in the tree. Expand the node to view the individual secured applications, such as debugger.exe.

  3. In the Create with region, select the Run Security option.

  4. Complete one of these steps:

    • Drag applications from the UnSecured node to the Secured node.

    • To move all applications to the Secured node, select All Objects from the Row menu.

      The external call applications now appear under the Secured node and have the appropriate security.

      For example, to set run security on the Business Function Design application, select the Run Security option and then drag the Business Function Design node from the UnSecured node to the Secured node. The detail area reflects the run security that you set for this application, which means that the user you entered could not run the Business Function Design application.

  5. To change the security on an item, select the item under the Secured node, select the Run Security option, and then, from the Row menu, select Revise Security.

    In the grid, the value in the Run field changes accordingly.

7.12.3 Removing External Call Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, External Calls.

  2. On the External Calls Security form, complete these fields and click Find:

    • User / Role

      Enter a complete user or group ID, which includes *PUBLIC but not wildcards.

    • Executable

      Enter the name of the external application, such as debugger.exe. When you enter information into this field, the software searches only for the indicated application.

      Current security settings for that user or group appear under the Secured node in the tree. Expand the node to view the individual secured applications, such as debugger.exe.

  3. Perform one of these steps:

    • Under the Secured node, select an application and click Delete.

    • Under the Secured node, drag an application from the Secured node to the UnSecured node.

    • On the Row menu, select Remove All to move all applications from the Secured node to the UnSecured node.

7.13 Managing Miscellaneous Security

This section provides an overview of miscellaneous security and discusses how to manage miscellaneous security features.

7.13.1 Understanding Miscellaneous Security

JD Edwards EnterpriseOne security enables you to secure users and roles from:

  • Read/write reports

  • Workflow status monitoring

7.13.1.1 Read/Write Reports Security

JD Edwards EnterpriseOne enables administrators to prevent specific users and roles from running reports that update JD Edwards EnterpriseOne database tables (read/write reports). Administrators can assign users to a user profile called No Update Report Creation User (NUR), which restricts users to running only read-only reports. When an NUR user runs a report, JD Edwards EnterpriseOne prevents the report from making table input/output (I/O) calls to databases that can affect business data. Users assigned to this profile can create and run read-only reports, but are restricted from creating or running existing UR reports. NUR users can copy existing UR reports and run the copied report, although the software disables the report's ability to change business data and displays a warning that the copied report cannot be updated. NUR users can edit NUR reports in Report Design Aid, but are prevented from even opening existing UR reports in RDA.

7.13.1.2 Workflow Status Monitoring Security

Users can access Workflow Modeler (a scaled-down version of Process Modeler) to design JD Edwards EnterpriseOne workflow models. Process Modeler Server includes a JD Edwards EnterpriseOne Portal-based component called Model Viewer, which enables users with appropriate access to monitor the status of a workflow and perform workflow administration tasks directly from the Viewer.

Miscellaneous security includes these Workflow Status Monitoring settings, which determine the operations a user can perform from the Model Viewer:

  • Secured

    Restricts users from accessing any Model Viewer tasks using the Portal.

  • Partial

    Allows users to view workflow models and to monitor their status, but restricts these users from performing any administrative tasks.

  • Full

    Allows users to access all Model Viewer tasks using the JD Edwards Collaborative Portal. Users can view workflow statuses and perform administrative tasks.

7.13.2 Managing Miscellaneous Security Features

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Misc Security.

  2. On the Miscellaneous Security form, complete the User / Role field and click Find.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. To change Read-Only Report security, select one of these options:

    • Read / Write

    • Read Only

  4. To change Workflow Status Monitoring security, select one of these options:

    • Secured

      Prevents users from viewing or administering workflow.

    • View

      Allows users to view workflow but prevents them from making changes.

    • Full

      Allows users to view and administer workflow.

  5. Click OK to accept the changes.

7.14 Managing Push Button, Link, and Image Security

This section provides an overview of push button, link, and image security and discusses how to:

  • Add push button, link, and image security.

  • Remove push button, link, and image security.

Note:

Push button, link, and image security is enforced only for interactive applications in the JD Edwards EnterpriseOne HTML client and the Portal. It is not supported on the Microsoft Windows client.

7.14.1 Understanding Push Button, Link, and Image Security

JD Edwards EnterpriseOne enables you to secure users from using or viewing push button, link, and image controls. You can secure users from using a control but still allow them to view it. Or you can prevent users from both using and viewing a control.

Note:

In JD Edwards EnterpriseOne forms, static text and text boxes can be made into links. However, you can only apply security to static text links, not to text box links.

Security Workbench displays the objects that you want to secure in a hierarchical tree structure that contains nodes for each application, application version, and form. Security Workbench only displays the forms that contain push button, link, and image controls. You can secure an individual control by dragging the control from the UnSecured node to the Secured node. In addition, you can secure all controls—push buttons, links, or images—on a form by dragging the form node to the Secured node. You can perform the same action on applications and application versions. For example, to secure all the links within an entire application, you drag the application from the UnSecured node to the Secured node to secure all the links in every form within the application as well as within any versions of the application. If you drag an application version node to the Secured node, only the links in that application version are secured.

Note:

For security purposes, JD Edwards EnterpriseOne does not allow cross-site scripting to be executed.

7.14.1.1 Push Button, Link, and Image Security on Subforms

You can secure push buttons, links, and images on both embedded and reusable subforms in JD Edwards EnterpriseOne. If you secure controls on an embedded subform, only the controls within that subform are secured. For reusable subforms, the behavior of the security depends upon the context in which the reusable subforms are used in power forms. If you apply security to a reusable subform under a power form, then only the controls in that reusable subform for that particular power form are secured, even if the reusable subform is used by another power form, as shown in this diagram:

Figure 7-1 Push Button, Link, and Image Security on a Reusable Subform - Scenario 1


However, if you apply security to a reusable subform under a power form, and that subform is reused in the same power form, the security is applied to both subforms, as shown in this diagram:

Figure 7-2 Push Button, Link, and Image Security on a Reusable Subform - Scenario 2


Because security functions differently on embedded subforms than it does on reusable subforms, Security Workbench provides a way for you to distinguish between the two forms. To make this distinction, the tree structure in Security Workbench displays the embedded subform using its form ID, and it displays the reusable subform using its form title.

7.14.2 Adding Push Button, Link, and Image Security

Enter P00950 in the Fast Path to access the Work With User/Role Security form.

  1. From the Form menu, select Set Up Security, and then select the menu for push buttons, links, or images, depending on the type of object that you want to secure.

  2. Complete the User / Role field and click Find.

    Enter a complete user or role, which includes *PUBLIC.

  3. In the Display UnSecured Items region, complete the appropriate fields and then click Find:

    • Application

      Enter an interactive application name, such as P01012. Enter *ALL to display all applications.

      Note:

      Batch applications are not supported.

    • Version

      You can enter a particular version of the application that you entered in the Application field. If you leave this field blank, Security Workbench displays all unsecured versions associated with the application in the UnSecured node.

    • Product Code

      Enter a product code to display all applications, versions, and forms associated with a particular product code. This field does not work in conjunction with the Application and Version fields.

    The search results appear under the UnSecured node.

  4. Expand the UnSecured node to view the individual applications or versions, and the forms associated with each.

    Only the forms that contain controls are displayed.

  5. Under the Create with region, select the type of security that you want to apply:

    • View

      This option prevents the user from using and viewing the control.

    • Enable

      This option prevents the user from using the control. However, the control is still visible.

  6. Use one of these actions to secure the items:

    • Drag items from the UnSecured node to the Secured node.

    • From the Row menu, select All Objects to move all applications to the Secured node.

      The system displays the items under the Secured node that have the appropriate security. You can view the security for each item in the grid.

7.14.3 Removing Push Button, Link, and Image Security

Enter P00950 in the Fast Path.

  1. On the Work with User/Role Security form, select the Form menu, Set Up Security, and then the menu for push buttons, links, or images.

  2. Enter a user or role ID from which you want to remove the security in the User / Role field.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. Click Find.

    Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

  4. Perform one of these steps:

    • Under the Secured node, select an application or application version and click Delete.

    • Under the Secured node, drag an application or application version from the Secured node to the UnSecured node.

    • On the Row menu, select Remove All to move all items from the Secured node to the UnSecured node.

7.15 Managing Text Block Control and Chart Control Security

This section provides an overview of text block control and chart control security and discusses how to:

  • Review current text block control and chart control security settings.

  • Add text block control and chart control security.

  • Remove text block control and chart control security.

7.15.1 Understanding Text Block Control and Chart Control Security

JD Edwards EnterpriseOne enables you to secure users from using or viewing text block and chart controls. You can secure users from using a control but still allow them to view it. Or you can prevent users from both using and viewing a control.

In JD Edwards EnterpriseOne, a text block or chart control can have separate segments that contain links to other objects. You cannot secure these individual segments of a control. When you secure a text block or chart control, security is applied to the entire control.

7.15.2 Reviewing Current Text Block Control and Chart Control Security Settings

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select Set Up Security from the Form menu, and then select the menu for text block control or chart control.

  2. Enter the user or role ID in the User / Role field and click Find.

    You can enter *PUBLIC but not wildcards.

    The system displays the control security settings for the user or role under the Secured node in the tree.

  3. To see if control security is applied to a particular application, version, or form, complete a combination of these fields in the Display UnSecured Items region, and then click Find:

    • Application

      Enter an application name, such as P01012.

    • Version

      Enter a version of the application entered in the Application field to see if control security is applied to the version.

    • Form Name

      Enter a form name, such as W0101G.

  4. Expand the Secured node and click a secured item to view the current security settings for the user or role in the detail area.

7.15.3 Adding Text Block Control and Chart Control Security

Enter P00950 in the Fast Path to access the Work With User/Role Security form.

  1. From the Form menu, select Set Up Security, and then select the menu for text block control or chart control, depending on the type of control that you want to secure.

  2. Complete the User / Role field and click Find.

    Enter a complete user or role, which includes *PUBLIC.

  3. In the Display UnSecured Items region, complete the appropriate fields and then click Find:

    • Application

      Enter an interactive application name, such as P01012. Enter *ALL to display all applications.

      Note:

      Batch applications are not supported.

    • Version

      You can enter a particular version of the application that you entered in the Application field. If you leave this field blank, Security Workbench displays all unsecured versions associated with the application in the UnSecured node.

    • Product Code

      Enter a product code to display all applications, versions, and forms associated with a particular product code. This field does not work in conjunction with the Application and Version fields.

    The search results appear under the UnSecured node.

  4. Expand the UnSecured node to view the individual applications or versions, and the forms associated with each.

    Only the forms that contain controls are displayed.

  5. Under the Create with region, select the type of security that you want to apply:

    • View

      This option prevents the user from using and viewing the control.

    • Enable

      This option prevents the user from using the control. However, the control is still visible.

  6. Use one of these actions to secure the items:

    • Drag the text block or chart control from the UnSecured node to the Secured node.

    • Select the control that you want to secure and then select Secure Selected from the Row menu.

    • From the Row menu, select All Objects to move all applications to the Secured node.

      The system displays the items under the Secured node that have the appropriate security. You can view the security for each item in the grid.

7.15.4 Removing Text Block Control and Chart Control Security

Enter P00950 in the Fast Path.

  1. On the Work with User/Role Security form, select the Form menu, Set Up Security, and then the menu for text block control or chart control security.

  2. Enter a user or role ID from which you want to remove the security in the User / Role field.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. Click Find.

    Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

  4. Perform one of these steps:

    • Under the Secured node, select an application or application version and click Delete.

    • Under the Secured node, drag an application or application version from the Secured node to the UnSecured node.

    • On the Row menu, select Remove All to move all items from the Secured node to the UnSecured node.

7.16 Managing Media Object Security

This section provides an overview of media object security and discusses how to:

  • Review the current media object security settings for a user or role.

  • Add media object security.

  • Remove media object security.

7.16.1 Understanding Media Object Security

JD Edwards EnterpriseOne enables you to secure users from adding, changing, deleting, or viewing media objects within interactive applications, forms, or application versions. You can apply media object security to ensure that media object attachments cannot be modified or tampered with after they have been added.

If you apply view security to media object attachments, Security Workbench automatically prevents the user from adding, deleting, or changing media objects. If you apply change security to media object attachments, Security Workbench automatically prevents the user from deleting the media object.

Media object security enables you to use media object attachments as a mechanism for recording justifications for transactions and for legal purposes. For example, your company may have a business process that requires clerks to use media object attachments to document the reason or justification for adjusting a price on an item in a transaction. In this case, you would allow the clerks to add and view media object attachments in an application, but secure them from deleting or modifying them. In addition, this type of security prevents users from modifying or deleting attachments that others have added. As a result, the media object attachments provide secured information about previous transactions. This information can be reviewed by interested parties for legal or other purposes.

Note:

Media object security is enforced only in interactive applications on the JD Edwards EnterpriseOne web client and the Portal. It is not supported on the Microsoft Windows client.

Also, media object system functions enforce media object security in the web client. When running applications that have media object security applied to them, the system logs the security information for the system functions in the web client debug log file.
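The implications described above (securing View also secures add, change, and delete; securing Change also secures delete), combined with the user, role, *PUBLIC lookup order given at the start of the chapter, as an added Python example that audits exported settings against the price-adjustment policy. This is not Oracle code; the record layout, user IDs, and role are constructed, and it assumes one role per user and application-level records only.

```python
# Implications stated in the text: securing View also blocks add, change and
# delete; securing Change also blocks delete.
ACTIONS = ("view", "add", "change", "delete")
IMPLIED = {"view": {"add", "change", "delete"}, "change": {"delete"}}


def blocked_actions(selected):
    """Expand the options chosen in the Create with region into every action they block."""
    blocked = set()
    for option in selected:
        if option not in ACTIONS:
            raise ValueError(f"unknown media object option: {option}")
        blocked.add(option)
        blocked |= IMPLIED.get(option, set())
    return blocked


def effective_record(records, user, role, application):
    """Return (level, blocked) from the first of user, role, *PUBLIC that has a record.

    Assumption: one role per user and application-level records only.
    """
    for level in (user, role, "*PUBLIC"):
        if level is None:
            continue
        selected = records.get((level, application))
        if selected is not None:
            return level, blocked_actions(selected)
    return None, set()  # no record at any level: nothing is secured


def audit(records, users, application, must_allow, must_block):
    """List (user, action, problem, deciding level) for every policy violation."""
    findings = []
    for user, role in users.items():
        level, blocked = effective_record(records, user, role, application)
        for action in sorted(must_block - blocked):
            findings.append((user, action, "not secured", level))
        for action in sorted(must_allow & blocked):
            findings.append((user, action, "secured but required", level))
    return findings


# Constructed sample data: (user or role, application) -> options selected.
RECORDS = {
    ("*PUBLIC", "P01012"): {"change", "delete"},
    ("CLERK", "P01012"): {"change"},   # delete is implied
    ("JSMITH", "P01012"): {"delete"},  # user record is found before the role
    ("TEMP01", "P01012"): {"view"},    # implies add, change and delete
}
USERS = {"ADOE": "CLERK", "JSMITH": "CLERK", "TEMP01": "CLERK", "NEWHIRE": None}

# Policy from the text: clerks add and view attachments but never alter them.
MUST_ALLOW = {"view", "add"}
MUST_BLOCK = {"change", "delete"}

if __name__ == "__main__":
    for finding in audit(RECORDS, USERS, "P01012", MUST_ALLOW, MUST_BLOCK):
        print(finding)
```

In this sample, the JSMITH user-level record secures only Delete, so the lookup never reaches the CLERK role record and Change stays open for that user.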

7.16.2 Reviewing the Media Object Security Settings

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Media Object.

  2. On the Media Object Security form, enter the user or role ID in the User / Role field and click Find.

    You can enter *PUBLIC but not wildcards.

    The system displays current media object security settings for the user or role under the Secured node in the tree.

  3. To see if media object security is applied to a particular application, version, or form, complete a combination of these fields in the Display UnSecured Items region, and then click Find:

    • Application

      Enter an application name, such as P01012.

    • Version

      Enter a version of the application entered in the Application field to see if media object security is applied to the version.

    • Form Name

      Enter a form name, such as W0101G.

  4. Expand the Secured node and click a secured item to view the current security settings for the user or role in the detail area.

7.16.3 Adding Media Object Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Media Object.

  2. On the Media Object Security form, enter the user or role ID in the User / Role field and click Find.

    You can enter *PUBLIC but not wildcards.

    Current media object security settings for the user or role appear under the Secured node in the tree.

  3. To find the applications, versions, or forms to which you want to apply media object security, complete any of these fields in the Display UnSecured Items region, and then click Find:

    • Application

      Enter an application name, such as P01012. Enter *ALL to display all applications.

    • Version

      Enter a version of the application you entered in the Application field. If you leave this field blank, all versions associated with the application will appear in the UnSecured node.

    • Product Code

  4. Expand the UnSecured node to view individual applications, versions, and forms in the detail area.

  5. In the Create with region, select any of these options:

    • Change

    • Add

    • Delete

    • View

      Note:

      If you apply view security to media object attachments, Security Workbench automatically prevents the user from adding, deleting, or changing media objects. If you apply change security to media object attachments, Security Workbench automatically prevents the user from deleting the media object.

  6. To secure the media objects on an application, application version, or form, perform one of these steps:

    • Drag the application, version, or form from the UnSecured node to the Secured node.

    • From the Row menu, select All Objects to move all items to the Secured node.

    • From the Row menu, select Secure to All to move all objects beneath the UnSecured node to the Secured node.

      For example, to set delete security, select the Delete option. Next, drag the application from the UnSecured node to the Secured node. The detail area will reflect the media object security that you set for this application.

      The applications or forms now appear under the Secured node, and they have the appropriate media object security.

7.16.4 Removing Media Object Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Media Object.

  2. In the User / Role field, enter a user or role ID from which you want to remove media object security.

    Enter a complete user or role, which includes *PUBLIC but not wildcards.

  3. Click Find.

    Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

  4. Perform one of these steps:

    • Under the Secured node, select an application or application version and click Delete.

    • Under the Secured node, drag the item that is secured from the Secured node to the UnSecured node.

    • On the Row menu, select Remove All to move all items from the Secured node to the UnSecured node.

7.17 Managing Application Query Security

This section provides an overview of Application Query Security and discusses how to:

  • Set Up Application Query Security for Applications

  • Set Up DataBrowser Query Security

  • Select Error or Warning Messages

  • Find Existing Query Security Records

  • Edit Query Security Records

  • Delete Query Security Records

  • Enable or Disable Security

  • Exclude Users

  • Configure Error Messages Using DD Items

  • Configure Fields

7.17.1 Understanding Application Query Security

Application Query Security prevents users from performing searches if they have not entered search criteria in the form filter fields or QBE fields. If users try to perform a search without entering search criteria, they receive an error or warning message that alerts them that their search has been suppressed. If users enter search criteria, then the search functionality will proceed.

7.17.2 Setting Up Application Query Security for Applications

You set up application query security at the form level for all users.

Use these steps to set up application query security:

  1. Access your web client application.

  2. In the Fast Path field, type P00950.

    The Work with User/Role Security form displays.

  3. From the Form menu, click Set Up Security, and then click App Query Security.

    The Work with Application Query Security form displays.

  4. From the Form menu, click Add Application.

    The Setup Application Query Security form displays.

  5. Select Application.

  6. In the Application Name field, enter the application name to which you are adding query security, or click the Search button and select an application from the Interactive Application Search and Select form.

  7. In the Form Name field, enter the form name to which you are adding query security, or click the Search button and select a form from the Interactive Application Search and Select form.

    For example, if you enter W01012B in the Form Name field, then the options you assign for the query security will apply to the Work With Address Book (W01012B) form.

  8. Select one of the following Field Entry Requirements:

    • At Least One Form Filter or QBE Field

      Select this option if users must enter search criteria into at least one filter field on the form or QBE column.

    • Configured Fields

      Select this option to select one or more required form filter fields or QBE fields for the form.

  9. Select one of the following Message Types:

    • Error

      Select this option if you want an error message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

    • Warning

      Select this option if you want a warning message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

  10. Click OK.

7.17.3 Setting Up DataBrowser Query Security

You set up DataBrowser query security records if you want to prevent users from running wide-open queries from the Data Browser. As with Application Query Security, you can specify the filter fields and QBE columns that the user must complete when querying through the Data Browser.

Use these steps to set up DataBrowser query security:

  1. Access your web client application.

  2. In the Fast Path field, type P00950.

    The Work with User/Role Security form displays.

  3. From the Form menu, click Set Up Security, and then click App Query Security.

    The Work with Application Query Security form displays.

  4. From the Form menu, click Add Application.

    The Setup Application Query Security form displays.

  5. From the Form menu, click Add Application, and then select Databrowser.

    Notice that DATABROWSE already displays in the Application Name field, and the databrowser options display.

    • At Least One Form Filter Field or QBE Field

      Select this option if users must enter search criteria into at least one filter field on the form or QBE column.

    • Configured Fields

      Select this option to select one or more required form filter fields or QBE fields for the form.

  6. Select one of the following Message Types:

    • Error

      Select this option if you want an error message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

    • Warning

      Select this option if you want a warning message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

  7. Click OK.

7.17.4 Selecting Error or Warning Messages

You can opt for users to see an error or warning message when they try to search for data without entering search criteria on a form.

Use these steps to select error or warning messages:

  1. Access your web client application.

  2. In the Fast Path field, type P00950.

    The Work with User/Role Security form displays.

  3. From the Form menu, click Set Up Security, and then click App Query Security.

    The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

  4. From the grid, select the existing record, and then click Select.

    The Setup Application Query Security form displays with all of the application and form name query security information.

  5. Select one of the following Message Types:

    • Error

      Select this option if you want an error message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified above.

    • Warning

      Select this option if you want a warning message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

  6. Click OK.

7.17.5 Finding Existing Query Security Records

Use these steps to find existing query security records:

  1. Access your web client application.

  2. In the Fast Path field, type P00950.

    The Work with User/Role Security form displays.

  3. From the Form menu, click Set Up Security, and then click App Query Security.

    The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

  4. Select Application Secured to view the applications that have query security, or select Excluded Users to view the list of users excluded from the query security.

    For each Application Query Security record, you can define one or more users that are excluded from the security. These users are called Excluded Users. See the "Excluding Users" section of this document for details.

  5. Click Close.

7.17.6 Editing Existing Query Security Records

You can edit existing records to change information such as the Field Entry Requirements and the error type, and to enable or disable security records.

Use these steps to edit an existing query security record:

  1. Access your web client application.

  2. In the Fast Path field, type P00950.

    The Work with User/Role Security form displays.

  3. From the Form menu, click Set Up Security, and then click App Query Security.

    The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

  4. Click Find.

  5. From the grid, select the existing query security record, and then click Select.

    The Setup Application Query Security form displays with all of the application and form name query security information.

  6. Select one of the following Field Entry Requirements:

    • Form Filter Field

      Select this option if users must enter search criteria into at least one filter field on the form or QBE column.

    • QBE Fields

      Select this option if you want users to enter search criteria into a QBE field on a grid.

  7. Select one of the following Message Types:

    • Error

      Select this option if you want an error message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified above.

    • Warning

      Select this option if you want a warning message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

  8. Click OK.

7.17.7 Deleting Query Security Records

Deleting a query security record removes it from EnterpriseOne.

Use these steps to delete a query security record:

  1. Access your web client application.

  2. In the Fast Path field, type P00950.

    The Work with User/Role Security form displays.

  3. From the Form menu, click Set Up Security, and then click App Query Security.

    The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

  4. From the grid, select the existing record, and then click Delete.

    A dialog box displays that says, "Are you sure you want to delete the selected item?"

  5. Click OK.

7.17.8 Enable or Disable Query Security Records

You can set up an Application Query Security record and enable or disable it at a different time. When you disable an Application Query Security record, the record will not be enforced on the users using the application.

Use these steps to enable or disable query security records:

  1. Access your web client application.

  2. In the Fast Path field, type P00950.

    The Work with User/Role Security form displays.

  3. From the Form menu, click Set Up Security, and then click App Query Security.

    The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

  4. From the grid, select the existing record, and then click Select.

    The Setup Application Query Security form displays with all of the application and form name query security information.

  5. Select one of the following options:

    • Enable

      Select this option if you want application query security to be turned on for the application you are editing.

    • Disable

      Select this option if you want application query security to be turned off for the application you are editing.

  6. Click OK.

7.17.9 Excluding Users

Application Query Security is applied to *PUBLIC, which encompasses all users. Some users may need to perform an open-ended fetch for a particular reason, and therefore need to be excluded from the application query security. The Exclude Users form enables you to exclude one or more users from the application security record.

Use these steps to exclude users:

  1. Access your web client application.

  2. In the Fast Path field, type P00950.

    The Work with User/Role Security form displays. Any query security instances that have already been set up display in the grid.

  3. From the Form menu, click Set Up Security, and then click App Query Security.

    The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

  4. From the grid, select the existing record, and then click the Row exit.

  5. Click Exclude Users.

    The Exclude Users form displays.

  6. In the User ID field, enter the ID of the user you want to exclude from the Application Query Security you have set up for the record you selected.

  7. Click OK.

7.17.10 Configuring Error Messages Using Data Dictionary Items

You can configure the custom error message by using the following Data Dictionary Items. This ability enables you to add custom messages using Glossary Overrides.

  • POFERR - Applications Query Security Error

  • POFWAR - Applications Query Security Warning

Use these steps to configure error messages using data dictionary items:

  1. Access your web client application.

  2. In the Fast Path field, type DD.

  3. Click Work with Data Dictionary Items.

  4. In the Alias field of the QBE line, enter POFERR.

  5. Click Find, and then select the DD Item.

    By default, the item comes with a default error message in the item glossary.

  6. From the Row menu, click Glossary Overrides.

  7. Click Add.

  8. Enter the appropriate information, and then click OK to save.

  9. In the Work with Data Dictionary Items form, click Find and select the entered record.

  10. Click Select to enter the custom message.

  11. Enter the text in the attachment and click OK to save the data.

7.17.11 Configuring Fields

Configuring fields enables you to select one or more specific form filter fields, QBE fields, or both for the required search criteria.

Use these steps to configure fields:

  1. Follow the steps for Setting Up Application Query Security for Applications, making sure to select the Configured Fields option.

  2. From the Tools menu, click Configured Fields.

    The available form filter fields and QBE fields display.

  3. Select the required fields for the search value, and then click Save.

7.18 Managing Data Browser Security

This section provides an overview of Data Browser security and discusses how to:

  • Add Data Browser security.

  • Remove Data Browser security.

7.18.1 Understanding Data Browser Security

Data Browser security enables you to grant permission to users, roles, or *PUBLIC to access the Data Browser program. There are two levels of Data Browser security that you can assign to users. The first level grants access to the Data Browser, which users can use to perform public or personal queries. After you grant this access, you can grant an additional level of security that allows Data Browser users to select a particular table or business view that they wish to query.

You can also use the Copy feature in Security Workbench to copy Data Browser security from one user or role to another.

7.18.2 Adding Data Browser Security

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, Set Up Security, Data Browser.

  2. On the Data Browser Security form, enter the user or role ID in the User / Role field and click Find.

    You can enter *PUBLIC but not wildcards.

  3. In the Data Browser hierarchical security permissions region, select one or both of these options, depending on the level of security that you want to grant:

    • Allow access to launch Data Browser.

      This option gives users access to the Data Browser, which they can use to perform personal or public queries.

    • Allow access to Search and Select for Tables or Business View Queries.

      This option gives users the ability to search and select the table or business view that they want to query.

      Note:

      This option is enabled only after you select the first option.

  4. Click OK.

    Note:

    To activate Data Browser security changes, you must refresh the jdbj security cache using the SAW.

7.18.3 Removing Data Browser Security

You can remove Data Browser security using the Data Browser Security form or the Work With User/Role Security form. To remove security using the Data Browser Security form, clear the security check boxes for a user, role, or *PUBLIC. Using the Work With User/Role Security form, search for the security record and then delete the Data Browser security record from the grid.

7.19 Managing Published Business Services Security

This section provides an overview of published business services security and discusses how to:

  • Review the current published business services security records.

  • Authorize access to published business services.

  • Add multiple published business services security records at a time.

  • Delete published business services security.

7.19.1 Understanding Published Business Services Security

JD Edwards EnterpriseOne provides security to ensure that web service consumers are authenticated in the JD Edwards EnterpriseOne system and authorized to access published business services. The authentication of published business service users is handled by the Business Services Server and the EnterpriseOne security server. After a user is authenticated by the JD Edwards EnterpriseOne security server, the system checks whether the user is authorized to run a published business service by retrieving records from the JD Edwards EnterpriseOne F00950 security table, which contains all the object security records.

Note:

This section discusses only the authorization of users to access published business services.

For published business services, JD Edwards EnterpriseOne uses a "secure by default" security model, which means that users cannot access a published business service unless a security record exists that authorizes access. For all other objects in JD Edwards EnterpriseOne, access is granted unless otherwise secured or restricted.

You manage published business services security using Security Workbench (P00950), the application used to manage all object security in JD Edwards EnterpriseOne. In P00950, you can add, copy, modify, or delete security records for published business services. When a user tries to access or run a published business service, verification of authorization is done through an API that queries records in the F00950 security table.

As with all object security in JD Edwards EnterpriseOne, you can assign published business service security to a user, role, or *PUBLIC. You can create a security record that allows a user or role access to:

  • A particular method in a published business service.

  • All methods in a published business service.

  • All published business services.

It is recommended that you set up security by role first. This method makes setting up published business services security easier; instead of defining security for individual users, you can define security for the role and then assign users to the appropriate roles. If an individual in a role needs a different security setup, you can assign security at the user level, which overrides the role settings.

In addition, you can create a security record that disallows access to a published business service. Typically, there is no need to add security records that disallow access because by default, access to published business services is not allowed. However, creating a security record that disallows access can be an efficient method to set up published business services security. For example, to allow a role access to all but a small subset of published business services, you can:

  • Enter *ALL in the fields for the published business service and published business service method to create a security record that allows the role access to all published business services.

  • Create security records for the same role that disallow access to a subset of published business services.

7.19.1.1 Inherited Security

When creating a published business service, a developer can configure it to pass its context to any published business service that it calls. In this configuration, authorization for the called published business service is inherited; that is, if the calling business service is authorized, then the called business service is authorized as well. In this scenario, the system does not check the security for the called business service.

However, it is possible (though not supported) to configure a published business service so that it does not pass its context to another business service. In this scenario, the security or authorization for the called published business service is not inherited. Even if a user is authorized to access the calling or parent business service, the system also checks if access to the called business service is allowed. As a result, if there is not a security record that allows access to the called business service, the system will produce an exception or error, denying access to the called business service.

7.19.1.2 How JD Edwards EnterpriseOne Checks Published Business Services Security

JD Edwards EnterpriseOne checks security for published business services in the same sequence that it checks security for all other JD Edwards EnterpriseOne objects—first by user, then role, and finally *PUBLIC. The system applies the first security record found. In addition, for the user, role, and *PUBLIC, the system checks for published business services security in this sequence:

  • Published business service + method.

  • Published business service.

  • *ALL.

Note:

Using *ALL to set up object security in Security Workbench is not related to the *ALL functionality that is used to sign into JD Edwards EnterpriseOne. *ALL in Security Workbench enables you to assign a user, role, or *PUBLIC to all objects of a particular type. *ALL during sign-in enables users to sign into JD Edwards EnterpriseOne with all the roles that have been assigned to them.

This illustration shows how the system checks for published business services security for a user signed in with *ALL and a user signed in with a specific role:

Figure 7-3 *Role 1 has the highest role sequence.

If a user is assigned to multiple roles and signs in as *ALL, the system uses role sequencing to determine which security record is used. A system administrator sets up role sequencing when setting up user and role profiles.

See Sequencing Roles.
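
The lookup order described in this section can be modeled as follows. This is an added example, not Oracle code or the F00950 schema: the record layout, the service, method, user and role names, and the sample records are constructed. It assumes that all three specificity levels are tried for one principal before the next principal is checked, and that the role list is passed in already sorted with the highest role sequence first.

```python
# Added example: a model of the lookup order in section 7.19.1.2.
# Record layout, names and sample data are constructed for illustration;
# this is not the F00950 schema or Oracle's implementation.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ALL = "*ALL"
PUBLIC = "*PUBLIC"


@dataclass(frozen=True)
class BssvRecord:
    principal: str         # user ID, role, or *PUBLIC
    service: str           # published business service, or *ALL
    method: str            # published business service method, or *ALL
    execute_allowed: bool  # Execute Allowed column: Y -> True, N -> False


@dataclass(frozen=True)
class Decision:
    granted: bool
    matched: Optional[BssvRecord]  # None: no record found, so access is denied

    @property
    def source(self) -> str:
        """Human-readable name of the record that decided the outcome."""
        if self.matched is None:
            return "no record (secure by default)"
        m = self.matched
        return f"{m.principal} / {m.service} / {m.method}"


def lookup_order(user: str, roles: List[str], service: str,
                 method: str) -> List[Tuple[str, str, str]]:
    """Keys in the order they are tried: user, then roles, then *PUBLIC.

    Assumption: the three specificity levels (service + method, service,
    *ALL) are tried for one principal before moving to the next, and
    `roles` is already sorted with the highest role sequence first.
    A user signed in with one role passes a one-element list.
    """
    levels = [(service, method), (service, ALL), (ALL, ALL)]
    return [(p, s, m) for p in [user, *roles, PUBLIC] for s, m in levels]


def check_access(records: Iterable[BssvRecord], user: str, roles: List[str],
                 service: str, method: str) -> Decision:
    """Apply the first record found; deny when no record exists."""
    index = {(r.principal, r.service, r.method): r for r in records}
    for key in lookup_order(user, roles, service, method):
        record = index.get(key)
        if record is not None:
            return Decision(record.execute_allowed, record)
    return Decision(False, None)


def explain(records: Iterable[BssvRecord], user: str, roles: List[str],
            catalogue: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Effective access for each (service, method), with the deciding record."""
    records = list(records)
    rows = []
    for service, method in catalogue:
        d = check_access(records, user, roles, service, method)
        rows.append((service, method,
                     "granted" if d.granted else "denied", d.source))
    return rows


# Constructed sample: the INTEG role is allowed everything except JPX00002,
# the ORDERS role is allowed JPX00002, one user has a user-level deny, and
# *PUBLIC is allowed a single method.
SAMPLE = [
    BssvRecord("INTEG", ALL, ALL, True),
    BssvRecord("INTEG", "JPX00002", ALL, False),
    BssvRecord("ORDERS", "JPX00002", ALL, True),
    BssvRecord("JSMITH", "JPX00001", "deleteItem", False),
    BssvRecord(PUBLIC, "JPX00003", "ping", True),
]

if __name__ == "__main__":
    catalogue = [("JPX00001", "getItem"), ("JPX00001", "deleteItem"),
                 ("JPX00002", "getOrder"), ("JPX00003", "ping")]
    for who, roles in [("JSMITH", ["INTEG"]),
                       ("MLEE", ["ORDERS", "INTEG"]),
                       ("NEWUSER", [])]:
        print(f"{who} with roles {roles or ['(none)']}")
        for service, method, verdict, source in explain(
                SAMPLE, who, roles, catalogue):
            print(f"  {service}.{method}: {verdict}  <- {source}")
```

Running the model over a list of services and methods shows which record decides each outcome, which makes broad *ALL grants and the narrower records that override them easy to review.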

7.19.1.3 Published Business Services Security Log Information

The log file provides administrators with information that they can use to troubleshoot business service security without revealing details that could create a gap in security.

When a web service attempts to access a published business service in JD Edwards EnterpriseOne, the system records the authorization information in the log file. If the logging level is set to "Debug," the log file records whether authorization was granted or denied. If the log level is set to "Severe," the system only logs information if the attempt to access a web service fails. This is an example of the information provided in the log file:

Access to <method name> in <published business service name> is <granted/denied> for <user name> with <role name>.

See Also

  • Server Manager Guide for information on how to view business service security log file information.

  • JD Edwards EnterpriseOne Business Services Server Reference Guide for information on how to configure JD Edwards EnterpriseOne to authenticate users of published business services.

7.19.2 Reviewing the Current Published Business Services Security Records

You can use the Work With User/Role Security form in P00950 to review existing published business services security records. The query by example row of the grid enables you to display all security records for published business services. You can further narrow the search by locating the records for a user, role, or a particular published business service.

In addition, you can review published business services security records by running the Security Audit Reports—Security by Object (R009501) and Security by User/Role (R009502).

See Running a Report that Lists Published Business Service Security Records.

From the Security Maintenance menu (GH9052), select Security Workbench (P00950).

  1. On the Work with User/Role Security form, enter S in the Security Type column and then click Find.

  2. To narrow the search by user or role, enter a user or role in the query by example field in the User / Role column and then click Find.

  3. To view the security records for a particular published business service, complete the query by example field at the top of the Published BSSV column and then click Find.

7.19.3 Authorizing Access to Published Business Services

In P00950, you can create security records that allow a user, role, or *PUBLIC access to:

  • A particular method in a published business service.

  • A published business service.

  • All published business services.

From the Security Maintenance menu (GH9052), select Security Workbench (P00950).

  1. On Work with User/Role Security, select the Form menu, Set Up Security, Published BSSV.

    By default, *PUBLIC is in the User / Role field. If any records exist for *PUBLIC, those records appear in the grid.

  2. On Published Business Service Security Revision, enter the user, role, or *PUBLIC to which you want to allow access to a published business service.

  3. To allow access to a particular method in a published business service:

    1. On Published Business Service Security Revision, click the visual assist in the Published BSSV column to search for and select a published business service.

    2. On the same form, click the visual assist in the Published BSSV Method column to select the method that you want to allow access to.

      On Published BSSV Method, you must enter the published business service again in the Published BSSV column to see a list of all the methods for the published business service. The system displays published business services by the method that is being exposed in the published business service. A published business service that contains multiple methods will have multiple rows in the grid, one for each method.

    3. Select the row that contains the method that you want to secure and then click the Select button.

    4. On Published Business Service Security Revision, click the visual assist in the Execute Allowed column and then select Y to allow access to the published business service method.

  4. To allow access to a published business service (including all its methods):

    1. Click the visual assist in the Published BSSV column to search for published business services.

    2. On Select Business Service, complete the Business Service field and click the Find button.

    3. Select the published business service that you want to secure and then click the Select button.

    4. On Published Business Service Security Revision, in the row that contains the published business service, enter *ALL in the Published BSSV Method column.

    5. In the same row, click the visual assist in the Execute Allowed column and then select Y to allow access to the published business service.

  5. To allow access to all published business services:

    1. Enter *ALL in the row under the Published BSSV column.

    2. Enter *ALL in the row under the Published BSSV Method column.

    3. Click OK.

    4. In the same row, click the visual assist and then select Y to allow access to the published business services objects.

      By default, users are not allowed access to published business services objects in JD Edwards EnterpriseOne. However, you can select N to create a security override that disallows access to an object.

7.19.4 Adding Multiple Published Business Services Security Records at a Time

Security Workbench provides a form that you can use to add multiple published business services security records at a time.

From the Security Maintenance menu (GH9052), select Security Workbench (P00950).

  1. On Work with User/Role Security, select the Form menu, Set Up Security, Published BSSV.

  2. On Published Business Service Security Revision, from the Form menu, select Secure by Method.

  3. On the Secure by Method form, enter the user, role, or *PUBLIC for which you want to set up published business services security, and then click the Find button.

    The system displays published business services by the method that is being exposed in the published business service. A published business service that contains multiple methods will have multiple rows, one for each method.

  4. Use the query-by-example fields at the top of the grid to refine your search. For example, if you want to set up security for all methods that perform an add or delete, you search for those methods by typing add* or delete* in the Published BSSV Method query by example field in the grid.

  5. Select the check box next to the items that you want to secure.

  6. Click either the Allow Execute or Disallow Execute button.

  7. On Confirm Batch Secure, click OK.

    The system displays the number of records that were added or updated.

7.19.5 Deleting Published Business Services Security

To delete published business services security records, you can use the same form that you used to authorize access to published business services.

In addition to this method, you can use the Work with User/Role Security form in P00950 to delete the records in the same way that you would delete any other object security record.

See Deleting Security on the Work With User/Role Security Form.

From the Security Maintenance menu (GH9052), select Security Workbench (P00950).

  1. On Work With User/Role Security, select the Form menu, Set Up Security, Published BSSV.

  2. On Published Business Service Security Revision, enter the user, role, or *PUBLIC from which you want to delete a published business services security record and then click Find.

  3. Click the check box next to each record that you want to delete and then click the Delete button.

  4. Click OK to confirm the delete.

7.20 Copying Security for a User or a Role

This section provides an overview of copying security for a user or a role and discusses how to:

  • Copy all security records for a user or a role.

  • Copy a single security record for a user or a role.

7.20.1 Understanding How to Copy Security for a User or a Role

You can copy the security information for one user or role, and then use this information for another user or role. When you copy security, you can either overwrite the current security for the user or role, or you can add the new security information to the existing security information. You can also copy all of the security records for a user or role, or you can copy one security record at a time for a user or role.

7.20.2 Copying All Security Records for a User or a Role

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, select the Form menu, and then select Copy Security.

  2. Select one of these options:

    • Copy and Add

      When you copy and add security settings, you do not overwrite preexisting security for the user or role.

    • Copy and Replace

      When you copy and replace security settings, the software deletes the security information for a user or role, and then copies the new security information from the selected user or role.

  3. Complete these fields and click OK:

    • From User / Role

    • To User / Role

      The system saves the security information and returns you to the Work With User/Role Security form.

7.20.3 Copying a Single Security Record for a User or a Role

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, locate a security record.

  2. Select the security record row that you want to copy, and then click Copy.

  3. Complete the To User / Role field and click OK.

    The system saves the security information and returns you to the Work With User/Role Security form.

7.21 Reviewing and Deleting Security Records on the Work With User/Role Security Form

This section provides an overview of how to review security records and discusses how to:

  • Review security on the Work With User/Role Security form.

  • Delete security on the Work With User/Role Security form.

7.21.1 Understanding How to Review Security Records

On the Work With User/Role Security form in P00950, you can review security records for a user or role based on security type, such as action, application, row, or any of the other types of security that can be added in P00950. The system displays all the security records for the user or role based on the security type that you select. For example, when you search for application security records for the AP Role, the system displays all the application security records for the AP role in the application grid.

The settings for each security type are displayed as columns in the grid. The columns that appear in the grid are based on the security type that you select. For example, application security provides two different levels of security: run and install. When you search for application security records, P00950 displays only the columns for Run and Install in the grid. However, action security contains several settings, such as OK/Select, Copy, Delete, OK, and so forth. When you search for action security records, the grid displays only columns for each of these security settings. The value in the column, either Y or N, indicates whether or not each setting is secured.

In addition, you can search on all security records of a particular security type. As a result, the system displays records for every user and role with the security type that was specified. You can search on all Security Workbench records by clicking the Find button.

Note:

You can also review and delete security records on the form used to add a particular type of object security record, such as application, action, row, and so forth. Refer to the section on how to manage a particular type of object security for more information.

7.21.2 Reviewing Security on the Work With User/Role Security Form

Enter P00950 in the Fast Path to access the Work With User/Role Security form.

  1. On the Work With User/Role Security form, click Find.

  2. To search for records by user or role, complete the User/Role field and then click Find.

  3. To narrow the search by security type, click the Search button in the Security Type column to select a code and then click the Find button.

7.21.3 Deleting Security on the Work With User/Role Security Form

Enter P00950 in the Fast Path.

  1. On the Work With User/Role Security form, click Find.

  2. To search for records by user or role, complete the User/Role field and then click Find.

  3. To narrow the search by security type, click the Search button in the Security Type column to select a code and then click the Find button.

  4. Select a record in the grid, and then click Delete.

  5. On Confirm Delete, click OK.

    Security Workbench deletes the security record and refreshes the grid.

7.22 Running Security Workbench Records Reports

This section provides an overview of the Security Workbench Records reports and discusses how to:

  • Run the Security Audit Report by Object version (R009501, XJDE0001).

  • Run the Security Audit Report by User version (R009502, XJDE0001).

  • Run the Security Audit Report by Role version (R009502, XJDE0002).

7.22.1 Understanding the Security Workbench Records Reports

JD Edwards EnterpriseOne provides two Security Workbench Records reports—Security by Object (R009501) and Security by User/Role (R009502)—that you can run to review the current security records by object type and user or role. The Security Workbench Records reports list security records for these objects:

  • Interactive and batch applications.

  • Tables (rows and columns).

  • Published business services.

Before choosing which report to run, you should consider the data that you want the report to produce. Run the Security by Object report (R009501) to generate a report that lists the security records based on a particular object, object type, or product code. You can refine the data selection for this report to list only records for a particular user ID, role, or a combination of user ID and role. Run the Security by User/Role report (R009502) to generate a report that lists all the application, row, column, and published business service security records for a particular user ID, role, or *PUBLIC.

Each report contains processing options that you can use to define the output of the report. Along with the processing options, you can use the Data Selection form in the Batch Version program (P98305W) to further refine the data that the report produces.

Each security record in the report indicates the level of security, or type of security, that is applied to the object. For application security, each record indicates if a user or role has permission to install, run, or both install and run the application. For row security, each record indicates if view, add, change, or delete security have been applied. For column security, each record indicates if view, add, or change security have been applied. For published business service security, each record indicates whether a user or role has access to the published business service object.

How you set up your report determines how readily you can find gaps in your security plan. For example, if you have a highly sensitive application and you want to ensure that only the appropriate users have access to it, you can refine the R009501 report (Security Audit Report by Object) to list only the security records for that particular application.

7.22.1.1 Example of Security by Object Report (R009501)

This example shows the results of running the R009501 report. The report has been set up to list all the security records for the P00950 program.

Figure 7-4 Example of Security by Object Report.

7.22.1.2 Example of Security Audit Report by User (R009502, XJDE0001)

This example shows the results of running the Security Audit Report by User version of the R009502 report. The report lists the security records for a particular user in order of application, row, and then column. This example shows only the first page of the report, which lists the application security records for the user ID.

Figure 7-5 Example of Security Audit Report by User Report

7.22.1.3 Example of Security Audit Report by Role (R009502, XJDE0002)

This example shows the results of running the Security Audit Report by Role version of the R009502 report. The data selection of the report has been defined to list security records for the OWTOOL role. This example shows the third page of the report, which lists the row and column security records for the OWTOOL role.

Figure 7-6 Example of Security Audit Report by Role

7.22.2 Run the Security Audit Report by Object Version (R009501, XJDE0001)

Access the Work With Batch Versions - Available Versions form. To do so, enter P98305W in the Fast Path.

  1. In the Batch Application field, enter R009501 and click the Find button.

  2. Select the Security Audit Report by Object version.

  3. To define processing options for the report, select Processing Options from the Row menu, and then complete the processing options as appropriate:

    • User ID or Role (optional)

      Enter a user ID or role to refine the report to generate only records based on that particular user ID or role.

    • Report on Application Security

      Leave blank if you want the report to include application security records. Enter 1 to exclude application security records.

    • Report on Row Security

      Leave blank if you want the report to include row security records. Enter 1 to exclude row security records.

    • Report on Column Security

      Leave blank if you want the report to list column security records. Enter 1 to exclude column security records.

    • Report on Published BSSV Security

      Leave blank if you want the report to list published business service security records. Enter 1 to exclude published business service security records.

      Note:

      In addition, to generate a report that displays published business service security records, you need to add an additional condition in the Data Selection form, as discussed below.

  4. On the Work With Batch Versions - Available Versions form, click Select.

  5. On the Versions Detail form, select the Data Selection check box and click the Submit button.

  6. On the Data Selection form, you can add a condition to filter on a particular object, object type, or product code.

    If the processing option is set to list published business service security records, you must add the following condition after the default Where condition:

    And BC Source Language (F9860) (SRCLNG) [BC] is equal to "SBF"
    
  7. Click the OK button.

  8. On the Printer Selection form, define the location for the output of the report and then click OK to submit it.

7.22.3 Run the Security Audit Report by User Version (R009502, XJDE0001)

Access the Work With Batch Versions - Available Versions form. To do so, enter P98305W in the Fast Path.

  1. In the Batch Application field, enter R009502 and click the Find button.

  2. Select the Security Audit Report by User version.

  3. To define processing options for the report, select Processing Options from the Row menu, and then complete the processing options as appropriate:

    • Role (optional)

      To refine the report to generate only records based on a particular role of the user, enter a role.

    • Report on Application Security

      Leave blank if you want the report to include application security records. Enter 1 to exclude application security records.

    • Report on Row Security

      Leave blank if you want the report to include row security records. Enter 1 to exclude row security records.

    • Report on Column Security

      Leave blank if you want the report to list column security records. Enter 1 to exclude column security records.

    • Report on Published BSSV Security

      Leave blank if you want the report to list published business service security records. Enter 1 to exclude published business service security records.

  4. On the Work With Batch Versions - Available Versions form, click Select.

  5. On the Versions Detail form, select the Data Selection check box and click the Submit button.

  6. On the Data Selection form, use the User ID left operand to define the user ID that you want the report to list security records for.

  7. Click OK.

  8. On the Printer Selection form, define the location for the output of the report and then click OK to submit it.

7.22.4 Run the Security Audit Report by Role Version (R009502, XJDE0002)

Access the Work With Batch Versions - Available Versions form. To do so, enter P98305W in the Fast Path.

  1. In the Batch Application field, enter R009502 and click the Find button.

  2. Select the Security Audit Report by Role version.

  3. To define processing options for the report, select Processing Options from the Row menu, and then complete the processing options as appropriate:

    • Role (optional)

      Do not use this option for this report. Instead, enter the role in the Data Selection form.

    • Report on Application Security

      Leave blank if you want the report to include application security records. Enter 1 to exclude application security records.

    • Report on Row Security

      Leave blank if you want the report to include row security records. Enter 1 to exclude row security records.

    • Report on Column Security

      Leave blank if you want the report to list column security records. Enter 1 to exclude column security records.

    • Report on Published BSSV Security

      Leave blank if you want the report to list published business service security records. Enter 1 to exclude published business service security records.

  4. On the Work With Batch Versions - Available Versions form, click Select.

  5. On the Versions Detail form, select the Data Selection check box and click the Submit button.

  6. On the Data Selection form, use the User ID left operand to define the role that you want the report to list security records for.

  7. Click OK on the Data Selection form.

  8. On the Printer Selection form, define the location for the output of the report and then click OK to submit it.

7.22.5 Running a Report that Lists Published Business Service Security Records

You can use the Security Workbench Records reports to generate a list of published business service security records by object, user, or role. However, before you run the report, you must use the Data Selection form to specify the published business service object type.

Access the Work With Batch Versions - Available Versions form. To do so, enter P98305W in the Fast Path.

  1. In the Batch Application field, enter either R009501 or R009502 and click the Find button.

  2. Select the version of the report that you want to run.

  3. On the Work With Batch Versions - Available Versions form, click Select.

  4. On the Versions Detail form, select the Data Selection check box and click the Submit button.

  5. On the Data Selection form, enter these conditions and then click OK:

    Where BC Object Type (F9860) (FUNO) is equal to "BSFN"
    And BC Source Language (F9860) (SRCLNG) [BC] is equal to "SBF"
    
  6. On the Printer Selection form, define the location for the output of the report and then click OK to submit it.