Understanding JD Edwards EnterpriseOne Database Security Administration

You can secure profiles and objects for JD Edwards EnterpriseOne on the IBM i with the Set Up OneWorld Authority (SETOWAUT) command. When you enter this command, a form appears that enables you to enter specific security information for the system. The authority is implemented only on the IBM i machine on which you execute the command.

The SETOWAUT command enables you to set up security for a single instance of JD Edwards EnterpriseOne or for multiple instances of JD Edwards EnterpriseOne. If you run multiple instances of JD Edwards EnterpriseOne, you can set up separate user profiles for each instance. The SETOWAUT command sets up the authorities for each JD Edwards EnterpriseOne instance, adds profile names to an authorization list, and sets object ownership for each JD Edwards EnterpriseOne instance.

Two separate authorization lists exist for maintaining security. Values in two parameters of the SETOWAUT program specify the authorization lists.

The USRPRF parameter value specifies the JD Edwards EnterpriseOne user profile. When you run the SETOWAUT program, the program automatically creates a user profile authorization list with the same name. This list secures all JD Edwards EnterpriseOne objects.

The ALLOBJECTS parameter determines how SETOWAUT secures JD Edwards EnterpriseOne objects. The recommended setting for this parameter is *NONCOEXIST. With this setting, the resulting authorization list secures only the root directories and the libraries. This is true for all libraries except the system library; SETOWAUT secures all of the objects in the system library. The value ALLOBJ secures every object in all JD Edwards EnterpriseOne libraries and directories. This value is not recommended because it negatively affects JD Edwards EnterpriseOne performance.

The COEXIST option can be used for OneWorld Xe, but not for subsequent releases of JD Edwards EnterpriseOne.

The USRAUTL parameter value specifies the administrative authorization list. When you run the SETOWAUT program, the program automatically creates an administrative authorization list that gives specified users administrative access to JD Edwards EnterpriseOne. Any user who will perform basic JD Edwards EnterpriseOne administration tasks, such as Start, End, Clear IPC, and so on, on the IBM i must be added to this list. CRTOWADPRF is a supplied command that adds administrative users to this list; RMVOWADPRF is a supplied command that removes such users from the list.

Use PROFTYPE(*USER) for users who perform basic JD Edwards EnterpriseOne administrative tasks. Use PROFTYPE(*ADMIN) for users who need access to all JD Edwards EnterpriseOne objects. (*ADMIN is similar to security officer but can be used only for JD Edwards EnterpriseOne.)

Whether you want to set up security for one instance of JD Edwards EnterpriseOne or for multiple instances, the Set Up OneWorld Authority (SETOWAUT) form appears when you run the SETOWAUT command. However, the parameter values that you enter and the parameter fields that appear on the form differ, depending on whether you set up security for one instance or for multiple instances. These parameter differences are explained in these three tables:

Parameters Present in SETOWAUT Form for Both Single and Multiple Instances of JD Edwards EnterpriseOne

| Parameter | Meaning | Value to be Entered for a Single Instance of JD Edwards EnterpriseOne | Value to be Entered for Multiple Instances of JD Edwards EnterpriseOne |
|---|---|---|---|
| USRPRF | JD Edwards EnterpriseOne User Profile | JD Edwards EnterpriseOne | Configurable. Enter a new value for each instance of JD Edwards EnterpriseOne. |
| USRAUTL | Admin. Authorization List | OWADMINL | Configurable. Enter a new value for each instance of JD Edwards EnterpriseOne. |

Parameters Present in SETOWAUT Form for Single Instance of JD Edwards EnterpriseOne Only

| Parameter | Meaning | Value to be Entered for a Single Instance of JD Edwards EnterpriseOne | Value to be Entered for Multiple Instances of JD Edwards EnterpriseOne |
|---|---|---|---|
| OWPRF | Modify ONEWORLD Profile | Y is the default value. | Parameter is not present if you enter a value other than ONEWORLD for the USRPRF parameter. |
| JDEPRF | Modify JDE Profile | Y is the default value. | Parameter is not present if you enter a value other than ONEWORLD for the USRPRF parameter. |

Parameter Present in SETOWAUT Form for Multiple Instances of JD Edwards EnterpriseOne Only

| Parameter | Meaning | Value to be Entered for Multiple Instances of JD Edwards EnterpriseOne | Value to be Entered for Single Instance of JD Edwards EnterpriseOne |
|---|---|---|---|
| OBJOPT | Secure All Objects | N is the default value. Enter Y if you want to secure all objects that appear in one or more directories. Because it can degrade system performance, entering Y is not recommended. | Parameter is not present if you enter OneWorld as the value for the USRPRF parameter. |

This information provides a summary of the security model when you run a single instance of JD Edwards EnterpriseOne:

| Library | Description of Security |
|---|---|
| JD Edwards EnterpriseOne System Library | SETOWAUT secures all of the objects in the system library. Administrative programs, such as CLRIPC, STRNET, ENDNET, and PORTTEST, are set to adopt the authority of the owner. |
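
To confirm what SETOWAUT put in place for a single instance, the following IBM i CL commands display both authorization lists and the adopted-authority setting of one administrative program. This is an added example, not part of the original documentation. ONEWORLD and OWADMINL are the single-instance values named on this page; OWSYSLIB is a placeholder for your system library, the outfile name OWADMINMBR is arbitrary, and treating CLRIPC as a *PGM object is an assumption.

```cl
/* Profiles on the administrative authorization list and the      */
/* authority each one holds. Every entry should be a user who     */
/* was added deliberately with CRTOWADPRF.                        */
DSPAUTL AUTL(OWADMINL)

/* Same list written to an outfile so it can be compared with a   */
/* later run to spot profiles added or removed since.             */
DSPAUTL AUTL(OWADMINL) OUTPUT(*OUTFILE) OUTFILE(QTEMP/OWADMINMBR)

/* Objects secured by the user profile authorization list.        */
/* With the recommended setting this should be the libraries plus */
/* the objects in the system library, not every object in every   */
/* library.                                                       */
DSPAUTLOBJ AUTL(ONEWORLD)

/* Owner, authorization list and private authorities on one of    */
/* the administrative programs in the system library.             */
DSPOBJAUT OBJ(OWSYSLIB/CLRIPC) OBJTYPE(*PGM)

/* The "User profile" attribute reads *OWNER when the program     */
/* adopts the authority of its owner, as described above.         */
DSPPGM PGM(OWSYSLIB/CLRIPC)
```

For a multiple-instance setup, repeat the commands with the USRPRF and USRAUTL values you entered for each instance.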

You can set up security for a single instance of JD Edwards EnterpriseOne, or you can set up security for separate JD Edwards EnterpriseOne instances. In the latter case, the SETOWAUT program creates a user profile and individual authorization lists for each instance, which establishes object ownership.

You can set up security for separate instances of JD Edwards EnterpriseOne as well. To do so, you enter a value other than ONEWORLD for the User Profile parameter and a value other than OWADMINL for the Admin. Authorization List parameter. You enter different values for these parameters for each instance of JD Edwards EnterpriseOne that you run.

Note: Use caution when you use JD Edwards EnterpriseOne security to lock a library that contains third-party software. We do not support the IBM i JD Edwards EnterpriseOne database security with third-party software.