Understanding Exclusive/Inclusive Row Security

You use row security to either restrict or allow users from viewing, updating, deleting, or adding certain records (rows) to a table. Prior to setting up any kind of row security (whether at the user level, role level, or *PUBLIC level), security administration determines whether your system will use inclusive or exclusive row security. Exclusive row security blocks users from accessing the database for a secured range of values that you define. Inclusive row security allows users to access the database for a valid range of values that you define. You use the User Security application (P98OWSEC) to set up user security.

You use the Row Security application in the Security Workbench application (P00950) to define database values to be excluded or included depending on your JD Edwards EnterpriseOne security configuration. You can set up row security for a user, role, and *PUBLIC. Exclusive row security and inclusive row security are mutually exclusive; you cannot use a combination of the two.

To illustrate exclusive and inclusive row security, assume that user MG5700778 should be able to view records in the Address Book table (F0101) that have a business unit value from 1 through 20 and from 51 through 70. In addition, this user should be able to update records in the Address Book table that have a business unit value from 1 through 20. This user cannot insert or delete any records in the Address Book table. The following examples show the records you must define and the SQL statements that the system performs for both exclusive and inclusive row security.