9 Setting Up User Sign-in Security

This chapter contains the following topics:

9.1 Understanding User Sign-in Security

Use the User Security application (P98OWSEC) to create, test, and change user security for JD Edwards EnterpriseOne and the logically attached database management systems. The security architecture prevents users from viewing the database or system password and from bypassing EnterpriseOne applications to view and change data. EnterpriseOne uses an encryption algorithm to ensure that applications other than EnterpriseOne security cannot access passwords transmitted across the network.

You can also set up a unified logon server for an EnterpriseOne server. The unified logon server enables EnterpriseOne to use the domain logon information to determine user security. In an EnterpriseOne unified logon scenario, a user needs to enter a user ID and a password only at network logon.

9.2 Creating and Revising User Sign-in Security

This section contains the following topics:

9.2.1 Understanding How to Create and Revise User Sign-in Security

A user profile must already exist for a user before you can create user security records for that user. You can create security records one at a time for each of the users, you can set security for a role, or you can set security for all users.

Typically, users within a specific role use similar security information. Oracle recommends that you create a model user with security information that you can copy to create security records for other users. The P98OWSEC application provides a copy function that simplifies the creation of security records.

Note:

When you copy security records to a user, security records must not already exist for that user. If you try to copy user security to a user with existing user security records, you will receive an error message.

You should keep user security simple. Managing EnterpriseOne user IDs and system (database) user IDs can become complicated quickly. The simplest way to set up user security is to have all data sources share the same system user ID and password by leaving the data source field blank when you initially create user security records for users or roles on the Security Revisions form.

When you leave the data source field blank, the P98OWSEC application automatically enters DEFAULT in the field. The DEFAULT data source enables you to create one security record for all users. Each time a user accesses a table through an EnterpriseOne application, the software searches for a security record for that user and the specific data source where the table resides. If the software does not find a specific record, then it uses the default data source, which is the security record that you created with the DEFAULT data source field.

You use system user IDs to manage user access to databases. Although you should try to maintain as few system user IDs as you can, occasions arise that require you to set up database security in addition to the EnterpriseOne object and user security for specific users and specific tables. For example, you might need to create system users with additional authority to what the typical system user needs.

It is difficult to monitor and administer accounts that are not in use. An administrator should disable these accounts to stop unauthorized access to EnterpriseOne. See Creating User Sign-in Security in this section for information on how to disable an account.
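The lookup order for the DEFAULT data source and the copy-from-model-user rule described above, as an added example that is not Oracle's code and not part of this guide. The record layout, the user and data source names and the sample values are assumptions made for the illustration; it only models the behaviour the section describes.

```python
"""Added example, not Oracle's code: models the user security lookup with the
DEFAULT data source fallback and the copy-from-model-user rule described in
this section.  The record layout, names and sample values are assumptions."""

DEFAULT = "DEFAULT"  # what P98OWSEC stores when the Data Source field is left blank

# Constructed sample data.  A user profile must exist before security records
# can be created for that user.
PROFILES = {"USER1", "USER2", "USER3"}

# (EnterpriseOne user ID, data source) -> system user.  Passwords are left out;
# only the lookup order matters for this example.
RECORDS = {
    ("USER1", DEFAULT): "JDE",
    ("USER1", "Business Data - PROD"): "JDEPROD",
    ("USER2", DEFAULT): "JDE",
}


def resolve_system_user(records, user, data_source):
    """Return the system user EnterpriseOne would connect with, or None.

    Lookup order as described above: a record for the exact data source
    first, then the user's DEFAULT record.  None means no record exists, so
    the user would be shown the database password entry form instead.
    """
    for key in ((user, data_source), (user, DEFAULT)):
        if key in records:
            return records[key]
    return None


def copy_security(records, from_user, to_user, profiles=PROFILES):
    """Copy every security record of from_user to to_user.

    Mirrors the P98OWSEC copy rules: the target needs a user profile and must
    not have security records yet.  Returns the number of records copied.
    """
    if to_user not in profiles:
        raise ValueError(f"no user profile exists for {to_user}")
    if any(u == to_user for u, _ in records):
        raise ValueError(f"user security records already exist for {to_user}")
    copied = {(to_user, ds): su for (u, ds), su in records.items() if u == from_user}
    if not copied:
        raise ValueError(f"{from_user} has no security records to copy")
    records.update(copied)
    return len(copied)
```

With the constructed records, USER1 reaches Business Data - PROD as JDEPROD and every other data source through the DEFAULT record as JDE; USER3 has no records at all until they are copied from the model user USER1, and a second copy onto USER2 fails because USER2 already has a record.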

9.2.2 Prerequisites

Before you complete the tasks in this section:

  • For initial installations of EnterpriseOne, you must set up system user(s) using the Work With System Users (P980001) program to populate the F98OWPU table. You must set up system users before you can add and associate an EnterpriseOne user to a system user using EnterpriseOne Security (P98OWSEC).

    Caution:

    If you attempt to add a user with the P98OWSEC program before you add the system user through the P980001 program, the system may add an invalid record to the F98OWPU table. You might have to delete the invalid record from F98OWPU using the SQL Query tool.

    In the JD Edwards EnterpriseOne Installation and Upgrade Documentation Library, see "Working With Signon Security" in the EnterpriseOne Installation or Upgrade guide that is applicable to your platform and database:

    http://docs.oracle.com/cd/E24902_01/nav/installation.htm

  • Set up all user records in the Address Book application (P01012).

  • Create user profiles using the User Profile application (P0092).

    See Provisioning User and Role Profiles.

  • Attach the proper Address Book record to the user or role profile.

  • Review and set the appropriate processing options before using the P98OWSEC application for the first time.

    See Setting Processing Options for User Profile Revisions (P0092).

9.2.3 Forms Used to Create and Revise User Sign-in Security

Form Name: Work With User Security
Form ID: W98OWSECE
Navigation: Security Maintenance (GH9052), User Security (P98OWSEC)
Usage: Access forms to work with user security.

Form Name: Security Revisions
Form ID: W98OWSECB
Navigation: On the Work With User Security form, click Add.
Usage: Create user security.

Form Name: Copy User Records
Form ID: W98OWSECN
Navigation: On the Work With User Security form, select the user or role and click Copy to copy all security records. To copy a single user security record, select the security record in the detail area, and select Copy Record from the Row menu.
Usage: Copy user security.

Form Name: Security Detail Revisions
Form ID: W98OWSECI
Navigation: On the Work With User Security form, select the appropriate record, and then select Revise Security from the Row menu.
Usage: Revise user and role security.

Form Name: Administration Password Revisions
Form ID: W98OWSECF
Navigation: Security Maintenance menu (GH9052), Administrative Password Revisions (P98OWSEC)
Usage: Change a sign-in password.

Form Name: Sign On Security - Required/Not Required
Form ID: W98OWSECG
Navigation: On the Work With User Security form, select Req / Not Req from the Form menu.
Usage: Require all machines to use JD Edwards EnterpriseOne sign-in security.

9.2.4 Creating User Sign-in Security

Access the Work with User Security form.

  1. Click Add.

    Note:

    Do not use the Global Password Policy option in the Form menu. That form contains password settings that apply only to users of the User Profile Self-Service application (P0092SS); it has no effect on the settings described here.
  2. On the Security Revisions form, complete one of these fields:

    • User ID

      If you enter a user ID that already exists, you can modify data source information for the user. The system disables all other fields and options for the user ID.

    • Role

      If you enter a role that already exists, the information you enter on the form overwrites the existing security record for that role.

      Note:

      When you type information in one of these fields, the system disables the other field. For example, if you type ROLE1 in the Role field, the User ID field becomes unavailable for data entry.
  3. Complete these fields:

    • Data Source

      If you leave this field blank, you will set security for all data sources. DEFAULT appears in the Data Source field when you tab out of the field.

    • System User

    • Password

      We recommend you complete at least the System User field.

      If you create records by role or for all users at one time, the Password field is populated according to the processing option that you select.

  4. In the User Status area, select one of these options:

    • Enabled

      With User Status enabled, security allows the user to sign in. This option is the default setting when you create user security.

    • Disabled

      With User Status disabled, security prohibits the user from signing in to the software.

      Note:

      If a user commits a security violation, such as exceeding the maximum number of allowed password attempts, the software automatically sets the value for User Status to Disabled. The system administrator must access the user security record for the user and set User Status to Enabled before the user can sign in. In addition, the system administrator can access Administrative Password Revisions to reset the password of the user, which also restores a user profile to the status of enabled.
  5. If you want to set limits on the passwords for users, complete these fields:

    • Allowed Password Attempts

      Enter the number of invalid password attempts allowed before the system disables access for the user.

    • Password Change Frequency

      Enter the number of days until the system requires the user to change the password.

    • Daily Password Change Limit

      Enter the allowed number of times a user can change a password in a day.

    • Force Immediate Password Change

      Click this option to require the user to change the password on the next sign-in.

  6. Click OK to save the current user security information.
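The settings entered in steps 4 and 5 interact at sign-in time: invalid attempts are counted against Allowed Password Attempts, reaching the limit sets User Status to Disabled, and an administrative password reset re-enables the profile. The following model of that behaviour is an added example; it is not Oracle's code and not how EnterpriseOne is implemented. The class and method names, the choice to lock the account on the attempt that reaches the limit, and the sample dates and passwords are assumptions.

```python
"""Added example, not Oracle's code: a model of the per-user sign-in security
settings on the Security Revisions form (User Status, Allowed Password
Attempts, Password Change Frequency, Daily Password Change Limit, Force
Immediate Password Change) and of the administrative reset.  Class and
method names and the lockout-at-limit rule are assumptions."""
from datetime import date, timedelta
from secrets import compare_digest


class SignInSecurityRecord:
    def __init__(self, user_id, password, *, allowed_attempts=3,
                 change_frequency_days=90, daily_change_limit=1,
                 force_change=False, today=None):
        today = today or date.today()
        self.user_id = user_id
        self._password = password          # a real system stores a hash, not the password
        self.enabled = True                # default User Status for a new record
        self.allowed_attempts = allowed_attempts
        self.change_frequency_days = change_frequency_days
        self.daily_change_limit = daily_change_limit
        self.force_change = force_change
        self.failed_attempts = 0
        self.last_changed = today
        self._changes_today = (today, 0)   # (day, user-initiated changes that day)

    def sign_in(self, password, today=None):
        """Return "OK", "INVALID", "DISABLED" or "CHANGE_REQUIRED"."""
        today = today or date.today()
        if not self.enabled:
            return "DISABLED"
        if not compare_digest(password, self._password):
            self.failed_attempts += 1
            # Assumption: reaching the allowed number of invalid attempts is
            # the security violation that sets User Status to Disabled.
            if self.failed_attempts >= self.allowed_attempts:
                self.enabled = False
                return "DISABLED"
            return "INVALID"
        self.failed_attempts = 0
        expired = (today - self.last_changed).days >= self.change_frequency_days
        if self.force_change or expired:
            return "CHANGE_REQUIRED"
        return "OK"

    def change_password(self, old, new, today=None):
        """User-initiated change, subject to the Daily Password Change Limit."""
        today = today or date.today()
        if not self.enabled or not compare_digest(old, self._password):
            return False
        day, count = self._changes_today
        if day != today:
            day, count = today, 0
        if count >= self.daily_change_limit:
            return False
        self._set_password(new, today)
        self._changes_today = (day, count + 1)
        return True

    def admin_reset(self, new, *, force_change=True, today=None):
        """Administrative Password Revisions: set the password, restore User
        Status to Enabled and, by default, require a change at next sign-in."""
        self._set_password(new, today or date.today())
        self.enabled = True
        self.failed_attempts = 0
        self.force_change = force_change

    def _set_password(self, new, today):
        self._password = new
        self.last_changed = today
        self.force_change = False


def demo():
    """Walk one user through lockout, administrative reset and expiry."""
    d0 = date(2024, 1, 1)
    rec = SignInSecurityRecord("USER1", "Secret1", allowed_attempts=3,
                               change_frequency_days=90, daily_change_limit=1,
                               today=d0)
    steps = [rec.sign_in("Secret1", d0)]                      # OK
    steps += [rec.sign_in("wrong", d0) for _ in range(3)]     # INVALID, INVALID, DISABLED
    steps.append(rec.sign_in("Secret1", d0))                  # DISABLED even with the right password
    rec.admin_reset("Temp2", today=d0)                        # administrator resets and re-enables
    steps.append(rec.sign_in("Temp2", d0))                    # CHANGE_REQUIRED
    steps.append(rec.change_password("Temp2", "Secret3", d0))     # True
    steps.append(rec.change_password("Secret3", "Secret4", d0))   # False: daily limit reached
    steps.append(rec.sign_in("Secret3", d0))                  # OK
    steps.append(rec.sign_in("Secret3", d0 + timedelta(days=90)))  # CHANGE_REQUIRED: frequency
    return steps
```

Note that in the model, as on the form, the correct password does not unlock a disabled profile; only the administrator's action does, which is why the reset also clears the failed-attempt counter.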

9.2.5 Copying User Sign-in Security

A user profile must already exist for a user before you can create user security records for that user. In addition, when you copy security records to a user, security records must not already exist for that user. If you try to copy user security to a user with existing user security records, you will receive an error message.

Note:

You should create a model user with security information that you can copy to create other users. Typically, users within a specific role use similar security information.

Access the Work With User Security form.

To copy user security:

  1. On the Work With User Security form, find the user, and then perform one of these actions:

    • To copy all user security records for a user or role, select the user or role in the tree structure, and click Copy.

    • To copy a single user security record for a user or role, select the security record row in the detail area, and select Copy Record from the Row menu.

  2. On the Copy User Records form, enter a valid user ID in the To User / Role field and click OK.

9.2.6 Revising User and Role Sign-in Security

Access the Work With User Security form.

  1. On the Work With User Security form, complete the User ID / Role field.

  2. Click Find.

  3. Select the appropriate record in the tree structure, and then select Revise Security from the Row menu.

  4. On the Security Detail Revisions form, complete these fields, as necessary:

    • User Status

      Under User Status, you can enable or disable a user profile.

    • Password Change Frequency

    • Allowed Password Attempts

      Note:

      For a role, select the appropriate option from the Change box to enable each field.
  5. Click OK.

9.2.7 Revising All User Sign-in Security

Access the Work With User Security form.

  1. From the Form menu, select Revise All.

  2. On the Security Detail Revisions form, in the Change box, select any of these options to enable the related field:

    • User Status

    • Frequency

    • Attempts

    • Change Limit

  3. Complete any of these fields, and then click OK:

    • User Status

      This field enables you to enable or disable user profiles.

    • Password Change Frequency

    • Allowed Password Attempts

    • Force Immediate Password Change

      This field requires the user to change the password on the next sign-in.

9.2.8 Changing a Sign-in Password

Access the Administration Password Revisions form.

Note:

You can also access Administrative Password Revisions from the User Security application. On the Work with User Security form, find the user, select the user in the tree structure, and then select Password Revisions from the Row menu.
User ID

Enter the user ID whose password you want to change or force to be changed at the next sign-in. When you open this form from a highlighted user record with Password Revisions, that user ID is the default value in this field.

New Password

Enter a new password. On this form the system does not enforce any password restrictions; any password is accepted. Because the policy checks are bypassed here, choose a strong temporary password and select Force Immediate Password Change so that the user replaces it at the next sign-in.

New Password - Verify

Enter the password again to verify it.

Force Immediate Password Change

Select this option to force the user to change the password during the next sign-in.

9.2.9 Requiring Sign-in Security

Use this feature to require all machines to use EnterpriseOne sign-in security. This procedure enables mandatory security only for the environment that you are signed into when you make this change.

Access the Work With User Security form.

  1. Select Req / Not Req from the Form menu.

  2. On the Sign On Security - Required/Not Required form, click the lock icon to change the Security Server to Required or Not Required.

    Note:

    Even if you set security to Not Required, as long as sign-in security is turned on in the jde.ini file on the enterprise server, a user who comments out the sign-in security settings in the workstation jde.ini still cannot reach any data source without knowing the system user ID and password.

    When such a user attempts to access a table in a secured data source, the software presents a database password entry form. As long as the system user IDs and passwords are kept confidential, no one can reach the secured tables this way.

9.3 Reviewing User Sign-in Security History

If you know the specific user or role, you can review the user's or role's security history by using the EnterpriseOne Security application. You can also search for specific information for all users. For example, to see the users who were deleted on a given day, you can search on event type 06 (Delete User) and a specific event date.

Use the Security History form exit from the Work with User Security application (P98OWSEC) to review this history or audit records regularly according to your organization's security policy.

9.3.1 Prerequisite

The [SECURITY] section of the jde.ini file on the security server must include the History=1 setting; otherwise the system records no security history. This setting turns on auditing of security events, including user sign-in and sign-off actions, into the Security History table.

9.3.2 Forms Used to Review User Sign-in Security History

Form Name: Work With User Security
Form ID: W98OWSECE
Navigation: Security Maintenance (GH9052), User Security (P98OWSEC)
Usage: Access forms to review security history.

Form Name: Work With Security History
Form ID: W98OWSECC
Navigation: On the Work With User Security form, from the Form menu, select Security History.
Usage: Click Find to review the security history records.

9.3.3 Purge Audit Table Records

Security audit records can grow quickly and increase the size of the database. Therefore, set up a policy to purge security audit records regularly from the Security History table (F9312) using database tools. Archive a copy of the records before you purge them so that they remain available for audit purposes.

9.4 Managing Data Sources for User Sign-in Security

This section contains the following topics:

9.4.1 Understanding Data Source Management for User Sign-in Security

You add data sources to user and role records in user security to authorize users and roles to access EnterpriseOne databases. You can also revise the system user and password for existing data sources.

9.4.2 Forms Used to Manage Data Sources for User Sign-in Security

Form Name: Work With User Security
Form ID: W98OWSECE
Navigation: Security Maintenance (GH9052), User Security (P98OWSEC)
Usage: Access forms to set up user security.

Form Name: Add Data Source
Form ID: W98OWSECS
Navigation: On the Work With User Security form, from the Form menu, select Add Data Source.
Usage: Add a data source to a user, a role, or all users.

Form Name: Data Source Revisions
Form ID: W98OWSECH
Navigation: On the Work With User Security form, select a data source, and then select Revise Data Source from the Row menu.
Usage: Change the system user for a data source.

Form Name: Remove Data Source
Form ID: W98OWSECK
Navigation: On the Work With User Security form, select the appropriate record in the tree structure, and then click Delete.
Usage: Remove a data source. If you chose a data source for a specific user or role, this form displays the user ID or the role name with the data source name. If you chose only the data source, this form displays only the data source name.

Form Name: Work With System Users
Form ID: W980001A
Navigation: In Solution Explorer, enter P980001 in the Fast Path.
Usage: Locate a system user.

Form Name: System User Revisions
Form ID: W980001C
Navigation: On the Work With System Users form, select a system user and then click Select.
Usage: Change the system user password.

9.4.3 Adding a Data Source to a User, a Role, or All Users

Access the Add Data Source form.

  1. Complete one of these fields or options:

    • User ID

      Complete this field to add a data source to a specific user.

    • Role

      Complete this field to add a data source to a specific role.

    • All Users

      Select this option to add a data source to all users.

  2. Complete these additional fields and click OK:

    • Data Source

      Leave this field blank to set the data source information for all data sources. When you leave this field blank, the system automatically enters DEFAULT in the field.

    • System User

9.4.4 Revising a Data Source for a User, Role, or All Users

Access the Work With User Security form.

  1. Complete the Data Source field, and then click Find.

    Note:

    You can also enter both a data source and user ID/role. If you select just a data source, the change will affect all users.
  2. Select the data source in the tree structure and then, from the Row menu, select Revise Data Source.

    The Data Source Revisions form appears. If you chose a specific user or role, this form displays the user ID or the role name and the data source information. If you chose only the data source, this form automatically selects the All Users option with the data source information.

  3. Complete the System User field and click OK.

    This field is necessary to access databases within the software. Depending on what you selected from the tree on the Work With User Security form, this information will apply to a specific user, a specific role, or all users.

9.4.5 Removing a Data Source for a User, Role, or All Users

Access the Work With User Security form.

  1. Complete the Data Source field, and then click Find.

  2. Select the appropriate record in the tree structure, and then click Delete.

    Note:

    For a user, you can also select a row in the detail area for the user, and then click Delete.

    The Remove Data Source form appears. If you chose a data source for a specific user or role, this form displays the user ID or the role name with the data source name. If you chose only the data source, this form displays only the data source name.

    Important:

    If you performed the search by data source without including a specific user or role, when you click OK on Remove Data Source, you remove the data source for all users.
  3. Click OK to remove the data source.

9.4.6 Changing the System User Password

Access the Work With System Users form.

  1. Locate a system user and then click Select.

  2. On the System User Revisions form, complete these fields and then click OK:

    • Password

      Enter a new password for the system user/data source combination.

    • Password Verify

      Enter the password again for verification purposes.

9.5 Enabling and Synchronizing the jde.ini Sign-in Security Settings

This section contains the following topics:

9.5.1 Understanding Security Setting Synchronization

You must modify the enterprise server and the workstation jde.ini files to enable and synchronize security settings between the enterprise server and the workstation.

Note:

For the EnterpriseOne workstations, enable security by changing settings in the workstation jde.ini file. You should make these changes on the deployment server-resident jde.ini file that is delivered to the workstation through a package installation.

9.5.2 Changing the Workstation jde.ini File for Sign-in Security

Access the jde.ini file.

  1. Locate the jde.ini file that will be sent to the workstation as part of a package installation.

    This file is located on the deployment server in the release share path:

    \\xxx\CLIENT\MISC\jde.ini
    

    Where xxx is the installed release level of the software (for example, 810).

  2. Using a text editor such as Notepad, view the jde.ini file to verify this setting:

    [SECURITY]
    SecurityServer=Enterprise Server Name
    DefaultEnvironment=Default Environment
    

    This table explains the variable values:

    SecurityServer: The name of the enterprise server. For workstations to sign on and run batch reports on the enterprise server, this value must be the same in both the workstation and the enterprise server jde.ini files.

    DefaultEnvironment: The name of any valid environment. If no value is specified, security is not enabled for that workstation.

9.5.3 Setting Auxiliary Security Servers in the Workstation jde.ini

Within the [SECURITY] section of the workstation jde.ini file, you can set as many as 10 auxiliary security servers. This example shows how the jde.ini file might look:

[SECURITY]
NumServers=Numeric Value
SecurityServer=Enterprise Server Name (primary)
SecurityServer1=Enterprise Server Name (auxiliary)
SecurityServer2=Enterprise Server Name (auxiliary)

This table explains the variable values:

NumServers: The total number of security servers (primary and auxiliary) that you set under the [SECURITY] section of the jde.ini file. For example, if you set one primary and four auxiliary servers, the NumServers value is 5. You can set NumServers to any value between 1 and 10. If you do not include the NumServers setting, the system assumes that you have only one server.

SecurityServern: The name of an EnterpriseOne Enterprise Server. The primary and auxiliary security server names must all correspond to valid Enterprise Servers. The values for both the workstation and the Enterprise Servers must be the same for workstations to sign on to and run batch reports from the Enterprise Server. The variable value n can be a number between 1 and 10 and identifies the auxiliary security server.


9.5.4 Changing the Timeout Value Due to Security Server Communication Error

You might need to change a setting in the workstation jde.ini file if the workstation reports an error such as:

Failure to Communicate with Security Server.

Increase the connectTimeout value in this section of the workstation jde.ini file:

[JDENET]
connectTimeout=30

9.5.5 Changing the Enterprise Server jde.ini File for Security

To change the Enterprise Server jde.ini file for security, you should verify the server jde.ini file settings as shown in this task. Use these settings to specify the internal security parameters, valid users and passwords, environments, and data sources.

Locate the enterprise server's jde.ini file.

Using an ASCII editor, such as Notepad, view the jde.ini file to verify these settings:

[JDENET_KERNEL_DEF4]
dispatchDLLName=name of host dll
dispatchDLLFunction=JDEK_DispatchSecurity
maxNumberOfProcesses=1
beginningMsgTypeRange=551
endingMsgTypeRange=580
newProcessThresholdRequests=0
[SECURITY]
SecurityServer=Enterprise Server Name
User=user ID
Password=user password
ServerPswdFile=TRUE/FALSE
DefaultEnvironment=default environment

This table explains the variable values:

dispatchDLLName: The security kernel library for the Enterprise Server host platform:

  • HP9000, libjdeknet.sl

  • RS/6000, libjdekrnl.so

  • Windows (Intel), jdekrnl.dll

  • Windows (Compaq AlphaServer), jdekrnl.dll

  • iSeries, JDEKRNL

  For UNIX platforms, values are case-sensitive.

SecurityServer: The name of the Enterprise Server. This value must be the same in both the workstation and the Enterprise Server jde.ini files for workstations to run batch reports on the Enterprise Server.

User: The ID of a user with access to the F98OWSEC table. This is the ID used to connect to the DBMS; therefore, this value must match a user ID on the target DBMS.

Password: The password for the user ID with access to the F98OWSEC table. This is the password used to connect to the DBMS; therefore, this value must match that user's password on the target DBMS. Because User and Password are stored in clear text in the server jde.ini file, restrict read access to that file to the account that runs EnterpriseOne and to administrators.

ServerPswdFile: This parameter is valid for servers operating under UNIX operating systems. Its setting determines whether the system uses special password handling for batch reports running on the server:

  • Set the value to TRUE to enable special handling of passwords.

  • Set the value to FALSE to disable special handling.

  When the system runs a batch report on the server, it starts the report with a command line whose parameters include the user password. Under UNIX operating systems, any local user can run the process status command (ps) to query the status of a job and view the parameters that were used to start the process, including that password.

  As a security measure, enable special handling. When it is enabled, the software does not include the user password in the parameter list for a batch process. Instead, it passes the name of a file that contains the user password, and that file is deleted as soon as the batch report reads the password.

DefaultEnvironment: The name of a valid environment for accessing the security table (for example, PD810).
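The difference that ServerPswdFile makes, as an added example that is not Oracle's code and is not EnterpriseOne's batch launcher: one function passes a password to a child process on its command line, where it would be visible to ps, and the other hands the child only the name of a short-lived file that the child deletes as soon as it has read the password. The child script, the file name prefix and the sample password are assumptions.

```python
"""Added example, not Oracle's code: contrasts passing a password to a child
process on its command line, where any local user can read it with ps, with
the ServerPswdFile approach of handing the child a short-lived file that it
deletes as soon as it has read the password.  The child script, file prefix
and sample password are assumptions; this is not EnterpriseOne's batch
launcher."""
import os
import subprocess
import sys
import tempfile

SAMPLE_PASSWORD = "s3cret-demo"   # constructed; never hard-code real credentials

# Stand-in for the batch report: read the password file, delete it, and
# report only the length of what it read (enough for the demonstration).
CHILD_READS_FILE = r"""
import os, sys
path = sys.argv[1]
with open(path) as f:
    pw = f.read().rstrip("\n")
os.unlink(path)             # delete immediately after reading
print(len(pw))
"""


def run_with_password_on_argv(password):
    """Insecure pattern: the password sits in the child's argv, so it is
    visible in the process list for as long as the child runs."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(len(sys.argv[1]))", password],
        capture_output=True, text=True, check=True)
    return int(out.stdout)


def run_with_password_file(password):
    """ServerPswdFile-style pattern: the child gets a file name, not the secret.

    mkstemp creates the file with O_EXCL and mode 0600, so another local user
    can neither pre-create it nor read it.  Returns (length the child read,
    whether the child deleted the file)."""
    fd, path = tempfile.mkstemp(prefix="jdepw-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(password + "\n")
        out = subprocess.run([sys.executable, "-c", CHILD_READS_FILE, path],
                             capture_output=True, text=True, check=True)
        deleted_by_child = not os.path.exists(path)
    finally:
        if os.path.exists(path):      # child died before unlinking: clean up
            os.unlink(path)
    return int(out.stdout), deleted_by_child
```

On a UNIX host, run each function in one terminal while watching ps -ef in another: only the argv variant shows the password, and the file variant leaves nothing behind once the child has read it. The parent also removes the file itself if the child fails before unlinking, so a crashed batch job does not leave the password on disk.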

9.5.6 Setting Auxiliary Security Servers in the Server jde.ini

Within the [SECURITY] section of the server jde.ini file, you can set one to 10 auxiliary security servers. You set multiple auxiliary security servers to establish levels of default servers. For example, if a machine cannot access a given security server, the machine tries the next security server that is defined in the [SECURITY] section. The settings for the auxiliary security servers might look like this example:

[SECURITY]
NumServers=Numeric Value
SecurityServer=Enterprise Server Name (primary)
SecurityServer1=Enterprise Server Name (auxiliary)
SecurityServer2=Enterprise Server Name (auxiliary)

This table explains the variable values:

NumServers: The total number of security servers (primary and auxiliary) that you set under the [SECURITY] section of the jde.ini file. For example, if you set one primary and four auxiliary servers, the NumServers value is 5. You can set NumServers to any value between 1 and 10. If you do not include the NumServers setting, the system assumes that you have only one server.

SecurityServerx: The name of an Enterprise Server. The primary and auxiliary security server names must all be valid enterprise servers. The values must be the same in both the workstation and Enterprise Server jde.ini files for workstations to sign on to and run batch reports from the enterprise server. The variable value x can be any number between 1 and 10 and identifies the auxiliary security server.


9.5.7 Verifying Security Processes in the Server jde.ini

You should define only one process for the security network. You can set multiple processes, but they are probably not necessary. Under the [JDENET_KERNEL_DEF4] section of the server jde.ini file, verify that this parameter is set:

[JDENET_KERNEL_DEF4]
maxNumberOfProcesses=1
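The rules in this section (SecurityServer identical on workstation and server, NumServers consistent with the SecurityServerN entries, DefaultEnvironment set, JDEK_DispatchSecurity dispatched from one kernel process, ServerPswdFile enabled on UNIX) can be checked mechanically before a package is built. The checker below is an added example, not Oracle's code or an Oracle tool; it parses two constructed jde.ini fragments with Python's configparser. The server names, environment name, placeholder credentials and finding texts are assumptions.

```python
"""Added example, not Oracle's code: parses constructed workstation and
enterprise server jde.ini fragments and checks the consistency rules stated in
this section (matching SecurityServer, NumServers against the SecurityServerN
entries, DefaultEnvironment set, one security kernel process, ServerPswdFile
on UNIX).  Server names, environment and finding texts are assumptions."""
import configparser

# Constructed fragments; real jde.ini files contain many more sections.
WORKSTATION_INI = """
[SECURITY]
NumServers=3
SecurityServer=DENSRV01
SecurityServer1=DENSRV02
SecurityServer2=DENSRV03
DefaultEnvironment=PD810

[JDENET]
connectTimeout=30
"""

SERVER_INI = """
[JDENET_KERNEL_DEF4]
dispatchDLLName=libjdekrnl.so
dispatchDLLFunction=JDEK_DispatchSecurity
maxNumberOfProcesses=1
beginningMsgTypeRange=551
endingMsgTypeRange=580
newProcessThresholdRequests=0

[SECURITY]
NumServers=3
SecurityServer=DENSRV01
SecurityServer1=DENSRV02
SecurityServer2=DENSRV03
User=JDE
Password=placeholder
ServerPswdFile=TRUE
DefaultEnvironment=PD810
"""


def load_ini(text):
    """Parse jde.ini text, keeping key case and tolerating repeated keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def security_server_order(sec):
    """The order a machine tries security servers: the primary, then
    SecurityServer1 .. SecurityServer(NumServers-1).  Without NumServers only
    one server is assumed.  Missing entries come back as ""."""
    n = int(sec.get("NumServers", "1"))
    return [sec.get("SecurityServer", "")] + [sec.get(f"SecurityServer{i}", "") for i in range(1, n)]


def check_security_settings(ws_text, srv_text, unix_server=True):
    """Return a list of findings; an empty list means the two files agree."""
    ws, srv = load_ini(ws_text), load_ini(srv_text)
    findings = []
    for name, cp in (("workstation", ws), ("server", srv)):
        if not cp.has_section("SECURITY"):
            findings.append(f"{name}: no [SECURITY] section, sign-in security is off")
            continue
        sec = cp["SECURITY"]
        n = int(sec.get("NumServers", "1"))
        if not 1 <= n <= 10:
            findings.append(f"{name}: NumServers={n} is outside 1..10")
        if "" in security_server_order(sec):
            findings.append(f"{name}: NumServers={n} but fewer SecurityServer entries")
        if not sec.get("DefaultEnvironment"):
            findings.append(f"{name}: DefaultEnvironment is empty, so security is not enabled")
    if ws.has_section("SECURITY") and srv.has_section("SECURITY"):
        if ws["SECURITY"].get("SecurityServer") != srv["SECURITY"].get("SecurityServer"):
            findings.append("SecurityServer differs between workstation and server")
        if unix_server and srv["SECURITY"].get("ServerPswdFile", "").upper() != "TRUE":
            findings.append("server: ServerPswdFile is not TRUE, batch passwords show up in ps")
    kdef = srv["JDENET_KERNEL_DEF4"] if srv.has_section("JDENET_KERNEL_DEF4") else {}
    if kdef.get("dispatchDLLFunction") != "JDEK_DispatchSecurity":
        findings.append("server: JDENET_KERNEL_DEF4 does not dispatch JDEK_DispatchSecurity")
    if kdef.get("maxNumberOfProcesses") != "1":
        findings.append("server: more than one security kernel process is configured")
    return findings
```

Run check_security_settings against the deployment server copy of the workstation jde.ini and the enterprise server jde.ini; security_server_order shows the failover sequence a machine walks when the primary security server is unreachable. The ServerPswdFile check is only meaningful for UNIX servers, so pass unix_server=False for a Windows or iSeries host.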

9.6 Managing Unified Logon

This section contains the following topics:

9.6.1 Understanding Unified Logon

For configurations in which the Enterprise Server is on a Windows machine, to set up unified logon, you need to modify only the [SECURITY] section of the jde.ini file. When a user signs on, these settings alert the software to use unified logon.

When the Enterprise Server is on a non-Windows platform, you need to set up a Windows service for unified logon. This service identifies the unified logon server for EnterpriseOne. You also need to set the unified logon settings in the [SECURITY] section of the jde.ini file.

Important:

When you use unified logon, you need to use the same user ID for the Windows domain and JD Edwards EnterpriseOne so that the records for each are synchronized. For example, if the user ID for a user in the Windows domain is USER1, the user ID for EnterpriseOne must also be USER1. If the user IDs are different, unified logon does not work for the user.

9.6.2 Modifying the jde.ini Setting to Enable or Disable Unified Logon

Locate the jde.ini files on the server and on the workstation.

To modify the jde.ini setting to enable or disable unified logon:

  1. In the server jde.ini file, add these settings in the [SECURITY] section:

    [SECURITY]
    SecurityMode=0, 1 or 2
    
    0: Accepts only users set up for standard sign-in security.
    1: Accepts only users set up for unified logon.
    2: Accepts users set up for both unified logon and standard sign-in security.

  2. In the workstation jde.ini file, add these settings in the [SECURITY] section:

    [SECURITY]
    UnifiedLogon=0 or 1
    
    0: Disables unified logon for the workstation. This is the default value.
    1: Enables unified logon for the workstation.
    server_name: The name of the server on which the unified logon server data resides.

9.6.3 Setting Up a Service for Unified Logon

If the Enterprise Server is not a Windows server, you should set up services for unified logon on the Deployment Server. The Deployment Server is always a Windows server.

To set up a service for unified logon:

  1. On the deployment server, in Windows Explorer, access the \Unified Logon directory and run the file UniLogonSetup.exe.

    The Unified Logon Server Setup form appears. On this form, you define the Windows service for unified logon servers. You can also remove these services on this form.

  2. Complete these fields:

    • Unified Logon Service Name

      Enter the name for the unified logon server.

    • EnterpriseOne Port Number

      The port number for the unified logon server should match the EnterpriseOne port number of the server for which you want to set up unified logon.

    • Service Executable Filename

      Enter the directory path for the unified logon service program.

    • Log Filename

      Enter the name of the unified logon log file, including the full directory path.

    The default user list contains all authenticated network users.

  3. To create a custom user list, enter the users or the groups in the Users or User Groups box to add the user information to the unified logon user list.

    Note:

    Generally, the default Windows list of authenticated network users lists users by group.
  4. Click the Install Service button to save the service information for the unified logon server.

9.6.4 Removing a Service for Unified Logon

To remove a service for unified logon:

  1. Run UniLogonSetup.exe.

    The Unified Logon Server Setup form appears.

  2. From the Unified Logon Service Name menu, select a unified logon server, and then click the Uninstall Service button.