7 Managing Data Source Security

This chapter contains the following topics:

7.1 Understanding Data Source Security for EnterpriseOne Tables

A JD Edwards EnterpriseOne installation adheres to Oracle's secure-by-default security model by restricting access to EnterpriseOne tables created in the database. During a Platform Pack installation, the installer creates two initial roles (referred to as group profiles on IBM i and groups on UDB) that define access to data source tables. The following table shows the privileges for each role:

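| Data Source Role | Alter Table | Create Index | Select | Insert | Update | Delete |
|------------------|-------------|--------------|--------|--------|--------|--------|
| JDE Admin        | X           | X            | X      | X      | X      | X      |
| JDE User         |             |              | X      | X      | X      | X      |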

An X denotes the privilege enabled for tables.

Important:

During the installation, an administrator can modify the names of these roles in the Platform Pack Installer. Therefore, the names of the roles might not reflect the names in the preceding table. For more information, see "Working with the Platform Pack" in the JD Edwards EnterpriseOne Installation and Upgrade guides, which you can access here:

http://docs.oracle.com/cd/E61420_01/index.htm

After running the Platform Pack installation and before running the installation workbenches, you must create the equivalent security definitions for the data source in EnterpriseOne. You create these definitions in the Grant Data Source Privileges (P986117) application, which stores the data source security records in the F986117 table. If a database administrator has additional roles defined for the data source, make sure that these roles are defined in P986117 as well.

This security is applied during table creation and pertains only to new tables created anywhere in EnterpriseOne, including tables created from Object Management Workbench, an ESU process, table conversions, UBEs for copying tables, and so forth. Security is defined at the data source level and does not impact EnterpriseOne applications security or row security that is defined for users in the Security Workbench.

JD Edwards EnterpriseOne uses only the select, insert, update, and delete privileges defined in the "JDE User" record in P986117. The "JDE Admin" record with the alter table and create index privileges in P986117 is simply used for record keeping and enables access to the database without having to ask the database administrator to create a database role and login credentials.

Although not recommended, you can also disable data source security for a data source. When data source security is disabled, new tables created in the data source have all privileges granted through the *PUBLIC role.
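The following is an added example, not part of the Oracle documentation: a database-agnostic check that compares table grants exported from the data source with the two-role model in the table above and flags tables whose privileges go to *PUBLIC. The role names `JDE_ADMIN` and `JDE_USER`, the privilege keywords, the table names and the grant rows are constructed assumptions; substitute the role names chosen in the Platform Pack Installer.

```python
# Added example: audit exported table grants against the two-role model.
# Role names, privilege keywords, table names and rows are constructed.
from collections import defaultdict

DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}
EXPECTED = {
    "JDE_ADMIN": DML | {"ALTER", "INDEX"},  # hypothetical admin role name
    "JDE_USER": set(DML),                   # hypothetical user role name
}
PUBLIC_NAMES = {"PUBLIC", "*PUBLIC"}


def audit_grants(rows, expected=EXPECTED):
    """rows: (table, grantee, privilege) tuples. Returns sorted findings."""
    actual = defaultdict(lambda: defaultdict(set))
    for table, grantee, priv in rows:
        actual[table][grantee.upper()].add(priv.upper())
    findings = []
    for table, grantees in actual.items():
        for grantee, privs in grantees.items():
            if grantee in PUBLIC_NAMES:
                kind, extra = "public-grant", privs
            elif grantee not in expected:
                kind, extra = "unknown-grantee", privs
            else:
                kind, extra = "excess", privs - expected[grantee]
            if extra:
                findings.append((table, grantee, kind, tuple(sorted(extra))))
        for role, want in expected.items():
            missing = want - grantees.get(role, set())
            if missing:
                findings.append((table, role, "missing", tuple(sorted(missing))))
    return sorted(findings)


def grant_rows(table, grantee, privs):
    return [(table, grantee, p) for p in privs]


SAMPLE_ROWS = (  # constructed export
    grant_rows("TABLE_A", "JDE_ADMIN", EXPECTED["JDE_ADMIN"])
    + grant_rows("TABLE_A", "JDE_USER", DML)
    + grant_rows("TABLE_B", "JDE_ADMIN", EXPECTED["JDE_ADMIN"])
    + grant_rows("TABLE_B", "JDE_USER", DML | {"ALTER"})       # drifted user role
    + grant_rows("TABLE_C", "*PUBLIC", EXPECTED["JDE_ADMIN"])  # security disabled
)

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_ROWS):
        print(finding)
```

A table that appears with a `public-grant` finding was created while data source security was disabled; `excess` and `missing` findings indicate that the database role no longer matches the intended privileges.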

7.1.1 How Data Source Security is Applied in an Install Versus Upgrade

For a new EnterpriseOne applications installation, all tables in the data source are secured with the roles specified in the Platform Pack Installer.

For an EnterpriseOne upgrade, only tables created by the Platform Pack are secured with the roles specified during the install. Existing business data and control tables are not secured by the install. In the business data and control tables data source, set up roles for a database administrator and database user. Add these same roles to the Grant Data Source Privileges (P986117) application in EnterpriseOne.

7.1.2 Before Performing Table Conversions

Table conversions do not recognize the roles specified in the Platform Pack Installer. Therefore, you must make sure that you add the new roles in P986117 before performing table conversions. The table conversion recreates the table with the new layout, using the security definition you created on the Deployment Server using P986117.

7.2 Adding, Reviewing, and Modifying Data Source Security

Use the Grant Data Source Privileges (P986117) application to add, review, and modify security records for EnterpriseOne table access. EnterpriseOne stores these security records in the F986117 table.

To set up data source security records, you must first select the data source in the Data Sources (P986115) application, and then you can set up security for the data source in P986117.

Navigation to P986115: In EnterpriseOne, select the Navigator menu, EnterpriseOne Menus, EnterpriseOne Life Cycle Tools, System Administration Tools, Data Source Management, Database Data Sources.

To add a data source security record to EnterpriseOne:

Important:

You must use role (or group) names that exist in the database. This application will not create the roles for you.

  1. On Machine Search & Select, select the data source and then click the Select button.

  2. On Work With Data Sources, click Find to load the data source records in the grid.

  3. Select the row for the data source and from the Row menu, select Database Privilege.

    EnterpriseOne displays any existing privileges defined for this data source.

  4. On Work With Data Source Privilege, click the Add button.

    Note:

    If there is an existing data source security record, you can create a new record by selecting the existing record, selecting Copy DSrc Records from the Row menu, and then modifying the copied record with a new name and privileges for the new record.

  5. On Manage Data Source Privileges, in the Data Source field, enter the name of the data source or click the search button in the field to select a data source.

    After identifying the data source, the Data Source Type field displays the database type of the data source you selected.

  6. Make sure that the Enable Database Security check box is selected.

  7. In an empty row in the grid, add a record for the database administrator role:

    1. In the Data Source Database User / Role column, enter the exact name of the database administrator role defined in the Platform Pack Installer.

    2. In the Type column, enter or select 1 for the Database Administrator type.

    3. Press Tab to see the "Database Administrator" description and default privileges for the record.

  8. In the next empty row in the grid, add a record for the database user:

    1. In the Data Source Database User / Role column, enter the exact name of the database user role defined in the Platform Pack Installer.

    2. In the Type column, enter or select 2 for the Database User type.

    3. Press Tab to see the "Database User" description and the default privileges for the record.

  9. In the new records, you can adjust the default security according to your security requirements or model by selecting or clearing the check boxes in the following columns:

    • All Privileges. Selecting this check box enables all privileges.

    • Alter Table

    • Allow Index

    • Allow Select

    • Allow Insert

    • Allow Update

    • Allow Delete

  10. Click the OK button to save the records.

To review or modify data source security records:

  1. On Machine Search & Select (P986115), select the data source and then click the Select button.

  2. On Work With Data Sources, click Find to load the data source records in the grid.

  3. Select a row with the data source and from the Row menu, select Database Privilege.

  4. On Work With Data Source Privilege (P986117), click Find to view the current security for the selected data source.

    In the records displayed in the grid, a check mark denotes the privileges granted to each record.

  5. To modify a security record, in the appropriate row, click in any column to enable or disable the table privilege. If you enable the "All Privileges" column, then all privileges are granted.

    Remember, the privileges that you define for the role must reflect the privileges for the role in the data source.

  6. Click OK to save.

    Note:

    As an alternative method to modify a data source security record, you can select a record and then select Manage Privilege from the Row menu.

To disable data source security:

  1. On Work With Data Source Privilege, click the Add button.

  2. On Manage Data Source Privileges, enter the name of the data source or click the search button to browse and select a data source.

  3. Clear the Enable Database Security check box.

  4. On the "Warning Disable Database Security" dialog box, click OK to turn off database security.

    Disabling the security grants all privileges to *PUBLIC in EnterpriseOne.

  5. Click the OK button.

    Note:

    As an alternative method to disable data source security, you can access the security record in the Work With Data Source Privilege form, and then from the Row menu, select Disable Database Security.