Understanding File Security Maintenance for UNIX and Linux

Overall, only two accounts ever need operating system access to the JD Edwards EnterpriseOne environment files and version executables: the account that starts and stops JD Edwards EnterpriseOne, and the account that builds the environment SPEC and BSFN files. Normally, these accounts are the same.

Specification (SPEC) files are the first part of the environment files. These files are accessed by the JD Edwards EnterpriseOne kernel processes and should never be accessed directly by an operating system user. Because of this, security on these files should be read/write for the user and role. They are not executables, so no reason exists for setting the executable option for any user or role.

Business function security should be similar to SPEC file security. This enables the business function code to be viewed, but not modified directly on the server. In general, both business function changes and SPEC file changes are controlled by the deployment server.

You should restrict access to the JD Edwards EnterpriseOne executable files so that other users cannot attempt to start JD Edwards EnterpriseOne. Running the same version of JD Edwards EnterpriseOne on the same system and using the same JDE.INI settings can cause unpredictable results. In most cases, the second startup will fail, but users who have access to the shutdown procedures can shut down JD Edwards EnterpriseOne.

You must keep the jde.ini file as secure as possible. This file contains a database user name and password that enables JD Edwards EnterpriseOne security to function. This database account is given read authority to the JD Edwards EnterpriseOne Security table (F98OWSEC), which controls JD Edwards EnterpriseOne access.

Access to the F98OWSEC table, which contains privileged database user names and passwords, could give a user the ability to manipulate any data in the database, regardless of its sensitivity or security. Because of this, you should restrict access to the jde.ini file as much as possible.
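
One way to audit the SPEC file and jde.ini recommendations above from the shell, as an added example that is not part of the original documentation. The paths and owner account are supplied by the caller. Reading "role" as the UNIX group and "as secure as possible" as owner-only are assumptions.

```shell
#!/bin/sh
# Added example: permission audit for SPEC files and jde.ini.
# All paths and the owner account are caller-supplied assumptions.

# List SPEC files that break the guidance: not owned by the service
# account, any execute bit set, or any read/write access for "other".
#   $1 = directory holding SPEC files   $2 = expected owner (name or uid)
audit_spec_dir() {
    find "$1" -type f \( ! -user "$2" \
        -o -perm -100 -o -perm -010 -o -perm -001 \
        -o -perm -004 -o -perm -002 \) -print
}

# Succeed only if jde.ini is owned by the service account and carries
# no group or other permission bits (assumed strictest reading).
#   $1 = path to jde.ini   $2 = expected owner (name or uid)
# Returns 0 = private, 1 = too open or wrong owner, 2 = not a regular file.
ini_is_private() {
    [ -f "$1" ] || return 2
    [ -z "$(find "$1" -prune \( ! -user "$2" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Usage: sh audit.sh SPEC_DIR OWNER JDE_INI
if [ "$#" -eq 3 ]; then
    audit_spec_dir "$1" "$2" | sed 's/^/SPEC file needs review: /'
    ini_is_private "$3" "$2" ||
        echo "jde.ini is accessible beyond its owner: $3"
fi
```

The checks read mode bits and ownership only, so they can run from any account that is able to list the directories.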