12 Setting Up User Sign-in Security

This chapter contains the following topics:

12.1 Understanding User Sign-in Security

Use the User Security application (P98OWSEC) to create, test, and change user security for JD Edwards EnterpriseOne and the logically attached database management systems. The security architecture prevents users from viewing the database or system password and from bypassing EnterpriseOne applications to view and change data. EnterpriseOne uses an encryption algorithm to ensure that applications other than EnterpriseOne security cannot access passwords transmitted across the network.

You can also set up a unified logon server for an EnterpriseOne server (prior to release 9.2.2 only). The unified logon server enables EnterpriseOne to use the domain logon information to determine user security. In an EnterpriseOne unified logon scenario, a user needs to enter a user ID and a password only at network logon.

12.2 Creating and Revising User Sign-in Security

This section contains the following topics:

12.2.1 Understanding How to Create and Revise User Sign-in Security

A user profile must already exist for a user before you can create user security records for that user. You can create security records one at a time for each of the users, you can set security for a role, or you can set security for all users.

Typically, users within a specific role use similar security information. Oracle recommends that you create a model user with security information that you can copy to create security records for other users. The P98OWSEC application provides a copy function that simplifies the creation of security records.

Note:

When you copy security records to a user, security records must not already exist for that user. If you try to copy user security to a user with existing user security records, you will receive an error message.

You should keep user security simple. Managing EnterpriseOne user IDs and system (database) user IDs can become complicated quickly. The simplest way to set up user security is to have all data sources share the same system user ID and password by leaving the data source field blank when you initially create user security records for users or roles on the Security Revisions form.

When you leave the data source field blank, the P98OWSEC application automatically enters DEFAULT in the field. The DEFAULT data source enables you to create one security record for all users. Each time a user accesses a table through an EnterpriseOne application, the software searches for a security record for that user and the specific data source where the table resides. If the software does not find a specific record, then it uses the default data source, which is the security record that you created with the DEFAULT data source field.

You use system user IDs to manage user access to databases. Although you should try to maintain as few system user IDs as you can, occasions arise that require you to set up database security in addition to the EnterpriseOne object and user security for specific users and specific tables. For example, you might need to create system users with additional authority to what the typical system user needs.

It is difficult to monitor and administer accounts that are not in use. An administrator should disable these accounts to stop unauthorized access to EnterpriseOne. See Creating User Sign-in Security in this section for information on how to disable an account.

12.2.2 Prerequisites

Before you complete the tasks in this section:

  • For initial installations of EnterpriseOne, you must set up system user(s) using the Work With System Users (P980001) program to populate the F98OWPU table. You must set up system users before you can add and associate an EnterpriseOne user to a system user using EnterpriseOne Security (P98OWSEC).

    Caution:

    If you attempt to add a user with the P98OWSEC program before you add the system user through the P980001 program, the system may add an invalid record to the F98OWPU table. You might have to delete the invalid record from F98OWPU using the SQL Query tool.

    In the JD Edwards EnterpriseOne Installation and Upgrade Documentation Library, see "Working With Signon Security" in the EnterpriseOne Installation or Upgrade guide that is applicable to your platform and database:

    http://docs.oracle.com/cd/E61420_01/index.htm

  • Set up all user records in the Address Book application (P01012).

  • Create user profiles using the User Profile application (P0092).

    See Provisioning User and Role Profiles.

  • Attach the proper Address Book record to the user or role profile.

  • Review and set the appropriate processing options before using the P98OWSEC application for the first time.

    See Setting Processing Options for User Profile Revisions (P0092).

12.2.3 Forms Used to Create and Revise User Sign-in Security

Important:

If the Long Password feature is enabled, EnterpriseOne disables P98OWSEC and redirects you to the P98LPSEC application instead. P98LPSEC contains the same features and functionality as P98OWSEC. Therefore, the steps in this section can be used when working in P98LPSEC. For information on how to enable the Long Password feature, see Chapter 13, "Enabling Long Passwords in EnterpriseOne."
Form Name FormID Navigation Usage
Work With User Security W98OWSECE Security Maintenance (GH9052), User Security (P98OWSEC) Access forms to work with user security.
Security Revisions W98OWSECB On the Work With User Security form, click Add. Create user security.
Copy User Records W98OWSECN On the Work With User Security form, select the user or role and click Copy to copy all security records. To copy a single user security record, select the security record from the detail area, and select Copy Record from the Row menu. Copy user security.
Security Detail Revisions W98OWSECI On the Work With User Security form, select the appropriate record, and then select Revise Security from the Row menu. Revise user and role security.
Administration Password Revisions W98OWSECF Security Maintenance menu (GH9052), Administrative Password Revisions (P98OWSEC) Change a sign-in password.
Sign On Security - Required/Not Required W98OWSECG On the Work With User Security form, select Req / Not Req from the Form menu. Require all machines to use JD Edwards EnterpriseOne sign-in security.

12.2.4 Creating User Sign-in Security

Access the Work with User Security form.

  1. Click Add.

  2. On the Security Revisions form, complete one of these fields:

    • User ID

      If you enter a user ID that already exists, you can modify data source information for the user. The system disables all other fields and options for the user ID.

    • Role

      If you enter a role that already exists, you will overwrite the security record for role when you enter information on the form.

      Note:

      When you type information in one of these fields, the system disables the other field. For example, if you type ROLE1 in the User Class/Role field, the User ID field becomes unavailable for data entry.
  3. Complete these fields:

    • Data Source

      If you leave this field blank, you will set security for all data sources. DEFAULT appears in the Data Source field when you tab out of the field.

    • System User

    • Password

      We recommend you complete at least the System User field.

      If you create records by role or for all users at one time, the Password field is populated according to the processing option that you select.

  4. In the User Status area, select one of these options:

    • Enabled

      With User Status enabled, security allows the user to sign in. This option is the default setting when you create user security.

    • Disabled

      With User Status disabled, security prohibits the user from signing in to the software.

      Note:

      If a user commits a security violation, such as exceeding the maximum number of allowed password attempts, the software automatically sets the value for User Status to Disabled. The system administrator must access the user security record for the user and set User Status to Enabled before the user can sign in. In addition, the system administrator can access Administrative Password Revisions to reset the password of the user, which also restores a user profile to the status of enabled.
  5. If you want to set limits on the passwords for users, complete these fields:

    • Allowed Password Attempts

      Enter the number of invalid password attempts allowed before the system disables access for the user.

    • Password Change Frequency

      Enter the number of days until the system requires the user to change the password.

    • Daily Password Change Limit

      Enter the allowed number of times a user can change a password in a day.

    • Force Immediate Password Change

      Click this check box to require the user to change the password on the next sign-in.

  6. Click OK to save the current user security information.

12.2.5 Copying User Sign-in Security

A user profile must already exist for a user before you can create user security records for that user. In addition, when you copy security records to a user, security records must not already exist for that user. If you try to copy user security to a user with existing user security records, you will receive an error message.

Note:

You should create a model user with security information that you can copy to create other users. Typically, users within a specific role use similar security information.

Access the Work With User Security form.

To copy user security:

  1. On the Work With User Security form, find the user, and then perform one of these actions:

    • To copy all user security records for a user or role, select the user or role in the tree structure, and click Copy.

    • To copy a single user security record for a user or role, select the security record row in the detail area, and select Copy Record from the Row menu.

  2. On the Copy User Records form, enter a valid user ID in the To User / Role field and click OK.

12.2.6 Revising User and Role Sign-in Security

Access the Work With User Security form.

  1. On the Work With User Security form, complete the User ID / Role field.

  2. Click Find.

  3. Select the appropriate record in the tree structure, and then select Revise Security from the Row menu.

  4. On the Security Detail Revisions form, complete these fields, as necessary:

    • User Status

      Under User Status, you can enable or disable a user profile.

    • Password Change Frequency

    • Allowed Password Attempts

      Note:

      For a role, select the appropriate option from the Change box to enable each field.
  5. Click OK.

12.2.7 Revising All User Sign-in Security

Access the Work With User Security form.

  1. From the Form menu, select Revise All.

  2. On the Security Detail Revisions form, in the Change box, select any of these options to enable the related field:

    • User Status

    • Frequency

    • Attempts

    • Change Limit

  3. Complete any of these fields, and then click OK:

    • User Status

      This field enables you to enable or disable user profiles.

    • Password Change Frequency

    • Allowed Password Attempts

    • Force Immediate Password Change

      This field requires the user to change the password on the next sign-in.

12.2.8 Changing a Sign-in Password

Access the Administration Password Revisions form.

Note:

You can also access Administrative Password Revisions from the User Security application. On the Work with User Security form, find the user, select the user in the tree structure, and then select Password Revisions from the Row menu.
User ID

Enter the user ID that you want to force a password change during sign-in. The user ID is the default value in this field when the user record is highlighted and Password Revision is activated.

New Password

Enter a new password. On this form, the system does not restrict the password choices. Any password is valid.

New Password - Verify

Enter the password again to verify it.

Force Immediate Password Change

Select this option to force the user to change the password during the next sign-in.

12.2.9 Requiring Sign-in Security

Use this feature to require all machines to use EnterpriseOne sign-in security. This procedure enables mandatory security only for the environment that you are signed into when you make this change.

Access the Work With User Security form.

  1. Select Req / Not Req from the Form menu.

  2. On the Sign On Security - Required/Not Required form, click the lock icon to change the Security Server to Required or Not Required.

    Note:

    If you set up the security as Not Required and have security turned on through the jde.ini file on the enterprise server, users that comment out signon security in their jde.ini files will still not be able to access any data sources without knowing the system user ID and password.

    When attempting to access a table in a secured data source, users will receive a database password entry form. If system user IDs and passwords are confidential, no one will be able to access the secured tables.

12.3 Reviewing User Sign-in Security History

If you know the specific user or role, you can review the user's or role's security history by using the EnterpriseOne Security application. You can also search for specific information for all users. For example, to see the users who were deleted on a given day, you can search on event type 06 (Delete User) and a specific event date.

Use the Security History form exit from the Work with User Security application (P98OWSEC) to review this history or audit records regularly according to your organization's security policy.

12.3.1 Prerequisite

The [SECURITY] section in the jde.ini on the security server must include the History=1 setting for the system to record security history. This setting turns on the auditing for user sign-in and sign-off actions.

12.3.2 Forms Used to Review User Sign-in Security History

Form Name FormID Navigation Usage
Work With User Security W98OWSECE Security Maintenance (GH9052), User Security (P98OWSEC) Access forms to review security history.
Work With Security History W98OWSECC On the Work With User Security form, from the Form menu, select Security History. Click Find to review the security history records.

12.3.3 Purge Audit Table Records

Security audit records can grow quickly and increase the size of the database. Therefore, you should set up a policy to purge security audit records regularly from the Security History table (F9312) using database tools. Keep a copy of these records for audit purposes.

12.4 Managing Data Sources for User Sign-in Security

This section contains the following topics:

12.4.1 Understanding Data Source Management for User Sign-in Security

You add data sources to user and role records in user security to authorize users and roles to access EnterpriseOne databases. You can also revise the system user and password for existing data sources.

12.4.2 Forms Used to Manage Data Sources for User Sign-in Security

Form Name FormID Navigation Usage
Work With User Security W98OWSECE Security Maintenance (GH9052), User Security (P98OWSEC) Access forms to set up user security.
Add Data Source W98OWSECS On the Work With User Security form, from the Form menu, select Add Data Source. Add a data source to a user, role, or all users.
Data Source Revisions W98OWSECH On the Work With User Security form, select a data source, and then select Revise Data Source from the Row menu. Change the system user for a data source.
Remove Data Source W98OWSECK On the Work With Security form, select the appropriate record in the tree structure, and then click Delete. Remove a data source. If you chose a data source for a specific user or role, this form displays the user ID or the role name with the data source name. If you chose only the data source, this form displays only the data source name.
Work With System Users W980001A In Solution Explorer, enter P980001 in the Fast Path. Locate a system user.
System User Revisions W980001C On the Work With System Users form, select a system user and then click the Select button. Change the system user password.

12.4.3 Adding a Data Source to a User, a Role, or All Users

Access the Add Data Source form.

  1. Complete one of these fields or options:

    • User ID

      Complete this field to add a data source to a specific user.

    • Role

      Complete this field to add a data source to a specific role.

    • All Users

      Select this option to add a data source to all users.

  2. Complete these additional fields and click OK:

    • Data Source

      Leave this field blank to set the data source information for all data sources. When you leave this field blank, the system automatically enters DEFAULT in the field.

    • System User

12.4.4 Revising a Data Source for a User, Role, or All Users

Access the Work With User Security form.

  1. Complete the Data Source field, and then click Find.

    Note:

    You can also enter both a data source and user ID/role. If you select just a data source, the change will affect all users.
  2. Select the data source in the tree structure and then, from the Row menu, select Revise Data Source.

    The Data Source Revisions form appears. If you chose a specific user or role, this form displays the user ID or the role name and the data source information. If you chose only the data source, this form automatically selects the All Users option with the data source information.

  3. Complete the System User field and click OK.

    This field is necessary to access databases within the software. Depending on what you selected from the tree on the Work With User Security form, this information will apply to a specific user, a specific role, or all users.

12.4.5 Removing a Data Source for a User, Role, or All Users

Access the Work With User Security form.

  1. Complete the Data Source field, and then click Find.

  2. Select the appropriate record in the tree structure, and then click Delete.

    Note:

    For a user, you can also select a row in the detail area for the user, and then click Delete.

    The Remove Data Source form appears. If you chose a data source for a specific user or role, this form displays the user ID or the role name with the data source name. If you chose only the data source, this form displays only the data source name.

    Important:

    If you performed the search by data source without including a specific user or role, when you click OK on Remove Data Source, you remove the data source for all users.
  3. Click OK to remove the data source.

12.4.6 Changing the System User Password

Access the Work With System User form.

  1. Locate a system user and then click Select.

  2. On the System Users Revision form, complete these fields and then click OK:

    • Password

      Enter a new password for the system user/data source combination.

    • Password Verify

      Enter the password again for verification purposes.

12.5 Enabling and Synchronizing the jde.ini Sign-in Security Settings

This section contains the following topics:

12.5.1 Understanding Security Setting Synchronization

You must modify the enterprise server and the workstation jde.ini files to enable and synchronize security settings between the enterprise server and the workstation.

Note:

For the EnterpriseOne workstations, enable security by changing settings in the workstation jde.ini file. You should make these changes on the deployment server-resident jde.ini file that is delivered to the workstation through a package installation.

12.5.2 Changing the Workstation jde.ini File for Sign-in Security

Access the jde.ini file.

  1. Locate the jde.ini file that will be sent to the workstation as part of a package installation.

    This file is located on the deployment server in the release share path:

    \\xxx\CLIENT\MISC\jde.ini
    

    Where xxx is the installed release level of the software (for example, 810).

  2. Using a text editor such as Notepad, view the jde.ini file to verify this setting:

    [SECURITY]
    SecurityServer=Enterprise Server 
    NameDefaultEnvironment=Default Environment
    

    This table explains the variable values:

    Setting Value
    Security Server The name of the enterprise server. For workstations to sign on and run batch reports on the enterprise server, this value must be the same for both the workstation and the enterprise server.
    DefaultEnvironment A name that identifies any valid environment. If no value is specified, security is not enabled for that workstation.

12.5.3 Setting Auxiliary Security Servers in the Workstation jde.ini

Within the [SECURITY] section of the workstation jde.ini file, you can set as many as 10 auxiliary security servers. This example shows how the jde.ini file might look:

[SECURITY]
NumServers=Numeric Value
SecurityServer=Enterprise Server Name (primary)
SecurityServer1=Enterprise Server Name (auxiliary)
SecurityServer2=Enterprise Server Name (auxiliary)

This table explains the variable values:

Setting Value
NumServers The total number of security servers (primary and auxiliary) that you set under the [SECURITY] section of the jde.ini file. For example, if you set one primary and four auxiliary servers, the NumServers value is 5. You can set NumServers to any value between 1 and 10. If you do not include the NumServers setting, the system assumes that you have only one server.
SecurityServern The name of an EnterpriseOne Enterprise Server. The primary and auxiliary security server names must all correspond to valid Enterprise Servers. The values for both the workstation and the Enterprise Servers must be the same for workstations to sign on to and run batch reports from the Enterprise Server.

The variable value n can be a number between 1 and 10. This number defines the auxiliary security server.


12.5.4 Changing the Timeout Value Due to Security Server Communication Error

You might need to change a setting in the workstation jde.ini file if you receive an error such as:

Failure to Communicate with Security Server. 

Change this section:

[JDENET]
connectTimeout=30

12.5.5 Changing the Enterprise Server jde.ini File for Security

Verify that the jde.ini file settings for security on the Enterprise Server are configured properly as described in this section. Use Server Manager to configure these settings which specify the internal security parameters, valid users and passwords, environments, and data sources.

In Server Manager, locate the configuration group settings for the Enterprise Server to verify these settings:

[JDENET_KERNEL_DEF4]
dispatchDLLName=name of host dll
dispatchDLLFunction=JDEK_DispatchSecurity
maxNumberOfProcesses=1
beginningMsgTypeRange=551
endingMsgTypeRange=580
newProcessThresholdRequests=0
[SECURITY]
Security Server=Enterprise Server Name
User=user ID
Password=user password
ServerPswdFile=TRUE/FALSE
DefaultEnvironment=default environment

This table explains the variable values:

Setting Value
dispatchDLLName Values for Enterprise Server host platforms are:
  • HP9000, libjdeknet.sl

  • RS/6000, libjdekrnl.so

  • Windows (Intel), jdekrnl.dll

  • Windows (Compaq AlphaServer), jdekrnl.dll

  • iSeries, JDEKRNL

For UNIX platforms, values are case-sensitive.

SecurityServer The name of the Enterprise Server. This value must be the same for both the workstation and the Enterprise Server for workstations to run batch reports on the Enterprise Server.
User The ID of a user with access to the F98OWSEC. This is the ID used to connect to the DBMS; therefore, this value must match that of the target DBMS.
Password The password for the user ID with access to the F98OWSEC. This is the password used to connect to the DBMS; therefore, this value must match that of the target DBMS.
ServerPswdFile This parameter is valid for servers operating under UNIX operating systems.

The setting of this parameter determines whether the system uses special password handling for batch reports running on the server:

  • Set the value to TRUE to instruct the system to enable special handling of passwords.

  • Set the value to FALSE to disable special handling.

When the system runs a batch report on the server, it runs the report using a string of line commands and parameters that includes the user password. Under UNIX operating systems, it is possible to use the process status command (ps command) to query the status of a job and view the parameters that were used to start the process.

As a security measure, you can enable special handling by the software. When enabled, the software does not include the user password in the parameter list for a batch process. Instead, it includes the name of a file that contains the user password. This file is deleted as soon as the batch report reads the password.

DefaultEnvironment The name of a valid environment for accessing the security table (for example, PD810).

12.5.6 Setting Auxiliary Security Servers in the Server jde.ini

Within the [SECURITY] section of the server jde.ini file, you can set one to 10 auxiliary security servers. Use Server Manager to configure these settings. You set multiple auxiliary security servers to establish levels of default servers. For example, if a machine cannot access a given security server, the machine tries the next security server that is defined in the [SECURITY] section. The settings for the auxiliary security servers might look like this example:

[SECURITY]
NumServers=Numeric Value
SecurityServer=Enterprise Server Name (primary)
SecurityServer1=Enterprise Server Name (auxiliary)
SecurityServer2=Enterprise Server Name (auxiliary)

This table explains the variable values:

Setting Value
NumServers The total number of security servers (primary and auxiliary) that you set under the [SECURITY] section of the jde.ini file. For example, if you set one primary and four auxiliary servers, the NumServers value is 5. You can set NumServers to any value between 1 and 10. If you do not include the NumServers setting, the system assumes that you have only one server.
SecurityServerx The name of an Enterprise Server. The primary and auxiliary security server names must all be valid enterprise servers. The values must be the same for both the workstation and Enterprise Servers for workstations to log onto and run batch reports from the enterprise server.

The variable value x can be any number between 1 and 10. This number defines the auxiliary security server.


12.5.7 Verifying Security Processes in the Server jde.ini

You should define only one process for the security network. You can set multiple processes, but they are probably not necessary. In Server Manager, verify that the following parameter is set under the [JDENET_KERNEL_DEF4] section for the Server jde.ini file:

[JDENET_KERNEL_DEF4]
maxNumberOfProcesses=1

12.6 Managing Unified Logon

Important:

Unified logon is supported prior to release 9.2.2 only.

This section contains the following topics:

12.6.1 Understanding Unified Logon

For configurations in which the Enterprise Server is on a Windows machine, to set up unified logon, you need to modify only the [SECURITY] section of the jde.ini file. When a user signs on, these settings alert the software to use unified logon.

When the Enterprise Server is on a non-Windows platform, you need to set up a Windows service for unified logon. This service identifies the unified logon server for EnterpriseOne. You also need to set the unified logon settings in the [SECURITY] section of the jde.ini file.

Important:

When you use unified logon, you need to use the same user ID for the Windows domain and JD Edwards EnterpriseOne so that the records for each are synchronized. For example, if the user ID for a user in the Windows domain is USER1, the user ID for EnterpriseOne must also be USER1. If the user IDs are different, unified logon does not work for the user.

12.6.2 Modifying the jde.ini Setting to Enable or Disable Unified Logon

Locate the Security configuration settings for the Enterprise Server and the jde.ini file settings on the workstation.

To modify the settings to enable or disable unified logon:

  1. In Server Manager, modify the Security Mode setting in the Security settings for the Enterprise Server. Valid values are:

    • Standard Sign-on Only. Accepts only users set up for standard sign-in security.

    • Unified Logon Only. Accepts only users set up for unified logon.

    • Standard and Unified Logon. Accepts users set up for both unified logon and standard sign-in security.

  2. In the workstation jde.ini file, add these settings in the [SECURITY] section:

    [SECURITY]
    UnifiedLogon=0 or 1
    
    Value Description
    0 Disables unified logon for the workstation. This setting is the default value.
    1 Sets unified logon for the workstation.
    server_name Enter the name of the server on which the unified logon server data resides.

12.6.3 Setting Up a Service for Unified Logon

If the Enterprise Server is not a Windows server, you should set up services for unified logon on the Deployment Server. The Deployment Server is always a Windows server.

To set up a service for unified logon:

  1. On the deployment server, in Windows Explorer, access the \Unified Logon directory and run the file UniLogonSetup.exe.

    The Unified Logon Server Setup form appears. On this form, you define the Windows service for unified logon servers. You can also remove these services on this form.

  2. Complete these fields:

    • Unified Logon Service Name

      Enter the name for the unified logon server.

    • EnterpriseOne Port Number

      The port number for the unified logon server should match the EnterpriseOne port number of the server for which you want to set up unified logon.

    • Service Executable Filename

      Enter the directory path for the unified logon service program.

    • Log Filename

      Enter the name of the unified logon log file, including the full directory path.

      The default user list contains all authenticated network users.

  3. To create a custom user list, enter the users or the groups in the Users or User Groups box to add the user information to the unified logon user list.

    Note:

    Generally, the default Windows list of authenticated network users lists users by group.
  4. Click the Install Service button to save the service information for the unified logon server.

12.6.4 Removing a Service for Unified Logon

To remove a service for unified logon:

  1. Run UniLogonSetup.exe.

    The Unified Logon Server Setup form appears.

  2. From the Unified Logon Service Name menu, select a unified logon server, and then click the Uninstall Service button.