21 Application Security Policies

In addition to policies that control the development environment, you should implement policies regarding secure application development by design.

21.1 Menu Security

When adding menus or menu selections in the JD Edwards World system, you should consider how you will secure user access to the menu or selection. Group menu selections with similar functionality on the same menu so that you will be able to secure entire menus rather than menu selections. Use the more secure Advanced Operations (Gxx31) and Set Up (Gxx41) menus with higher Menu Level values to contain menu selections that should be restricted.

21.2 Action Code Security

If you add your own customized programs to the JD Edwards World environment, your programs should check Action Code Security to determine whether users have access to the program and what actions they may perform.

21.3 Function Key Security

If you add your own customized programs to the JD Edwards World environment, your programs should also check Function Key Security to determine whether users have access to the program and what function keys and selection exits they may run.

21.4 Video Design

If you add your own customized interactive programs to the JD Edwards World environment, your videos should be designed with security in mind. Do not display sensitive information in videos that a wide population of users will need to access. Do not add file update capabilities to videos that should be used as "inquiry only" by most users.

21.5 DREAM Writer

If you add your own customized reports to the JD Edwards World environment, your reports should be built to run via the DREAM Writer interface to take advantage of the security and flexibility provided by DREAM Writer.

21.6 Data Dictionary and User Defined Codes

If you add your own customized programs that accept user input through either batch or interactive means, you should consider all user input "untrusted" until it is edited against pre-determined values. Use the JD Edwards Data Dictionary and User Defined Codes to avoid hard-coded program edits.

21.7 File Audit Fields

If you add your own customized files, include at a minimum the following audit fields, where xx represents the file prefix:

  • xxPID Program ID

  • xxJOBN Work Station ID

  • xxUSER Last Updated by User ID

  • xxUPMJ Date Last Updated

  • xxUPMT Time Last Updated

  • xxTORG Transaction Originator User ID

  • xxUPAJ Date Added

  • xxTENT Time Entered

After these audit fields are added, they may appear in interactive programs using the common utility program P0045 - Display Audit Information. Note that these fields only provide the origination and "last touched" information; they do not provide a complete audit trail. Use Database Audit Manager (DBAM) if you need a complete audit trail.

21.8 User Authentication

Use the electronic signature feature of DBAM to require user authentication within the JD Edwards World application for sensitive transactions that require enhanced authentication. JD Edwards World applications must be enabled for electronic signature in the transaction entry or modification program. Applications enabled for electronic signature include:

  • P3002 Bill of Material Revisions

  • P3003 Routing Master Revisions

  • P3013 ECO Parts List

  • P30225 ECO Workbench

  • P41080 Lots by Item

  • P4818 Order Approval