Understanding Security Implications of Invoking Notifications

The notifications that you design will publish information from your JD Edwards system to your subscribers. Therefore, you must understand JD Edwards security so that subscribers get the information they need and do not receive information that is secured from them. In general, the security of your notifications will depend on two things:

  • The resources or objects that you include in your notification, such as Watchlists or orchestrations, and the resources that they, in turn, invoke.

  • The user ID under which the notification runs.

As described in Creating a Notification, if your notification is set to "Run as Subscriber" then the notification will run under the user ID of each person who subscribed to the notification. Therefore, all subscribers need authority to access all objects upon which the notification depends.

If the notification is not set to "Run as Subscriber" then the notification will run under the credentials of the user who started the scheduler (proxy user). Therefore, that user ID will need authority to access all objects upon which the notifications depend.

Oracle recommends that your proxy user's data security mirrors that of the notification's subscribers. This ensures that the data subscribers receive in the notifications is appropriate for them. For example, if your subscribers only have access to sales information for a certain region, make sure that your proxy user does not have global access to sales information. Give careful consideration to data security concerns when deciding to run your notifications as a proxy user.

As described in Creating a Notification, you can include a Watchlist or an orchestration in your notification that determines when a notification is sent and what information is included in the message. Watchlists and orchestrations are both UDOs and are subject to UDO security. Also, the schedule that you assign to the notification is a UDO.

If you revoke a user's existing view security, make sure you consider any notification subscriptions they may have. If the Run As Subscriber option is enabled, the subscriber will see that the subscription is no longer valid in the Subscription Manager. However, if the Run As Subscriber option is not enabled for that notification, that user may continue to receive notification messages even though they no longer have view security. To ensure that subscribers no longer receive notifications after their view security has been revoked, copy the original notification using the Save As feature in Orchestrator Studio and delete the original notification. This will force subscribers to resubscribe to the new notification.
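The rules above can be checked offline against an inventory of notifications, subscribers and security grants. The following audit sketch is an added example, not Oracle code, and it calls no JD Edwards API. The inventory layout, the finding labels, and all user, UDO and region names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Notification:
    name: str
    run_as_subscriber: bool
    depends_on: frozenset      # UDOs it uses: Watchlist, orchestration, schedule
    subscribers: tuple
    proxy_user: str = ""       # user who started the scheduler (used when not run-as-subscriber)

def audit(notifications, udo_view, data_scope):
    """udo_view: user -> UDO names the user may view; data_scope: user -> data the user may read."""
    findings = []
    for n in notifications:
        needed = n.depends_on | {n.name}
        for sub in n.subscribers:
            missing = sorted(needed - udo_view.get(sub, set()))
            if missing and n.run_as_subscriber:
                # Runs under the subscriber's ID, so the subscription shows as no longer valid.
                findings.append((n.name, sub, "SUBSCRIPTION_INVALID", missing))
            elif missing:
                # Runs under the proxy user: messages may keep arriving after revocation.
                findings.append((n.name, sub, "STILL_DELIVERED_AFTER_REVOKE", missing))
        if n.run_as_subscriber:
            continue
        # The proxy user needs access to every object the notification depends on.
        proxy_missing = sorted(n.depends_on - udo_view.get(n.proxy_user, set()))
        if proxy_missing:
            findings.append((n.name, n.proxy_user, "PROXY_LACKS_ACCESS", proxy_missing))
        # The proxy user's data security should mirror that of each subscriber.
        for sub in n.subscribers:
            extra = sorted(data_scope.get(n.proxy_user, set()) - data_scope.get(sub, set()))
            if extra:
                findings.append((n.name, sub, "PROXY_SCOPE_EXCEEDS_SUBSCRIBER", extra))
    return findings

# Constructed sample inventory (all names are made up for illustration).
UDO_VIEW = {
    "ALICE": {"NTF_SALES", "WL_OPEN_ORDERS", "SCH_DAILY", "NTF_CREDIT", "ORCH_CREDIT_HOLD"},
    "BOB": {"WL_OPEN_ORDERS", "SCH_DAILY"},   # view security on both notifications revoked
    "SCHEDPROXY": {"NTF_SALES", "WL_OPEN_ORDERS", "SCH_DAILY"},
}
DATA_SCOPE = {"ALICE": {"WEST"}, "BOB": {"WEST"}, "SCHEDPROXY": {"WEST", "EAST"}}
NOTIFICATIONS = [
    Notification("NTF_SALES", False, frozenset({"WL_OPEN_ORDERS", "SCH_DAILY"}), ("ALICE", "BOB"), "SCHEDPROXY"),
    Notification("NTF_CREDIT", True, frozenset({"ORCH_CREDIT_HOLD", "SCH_DAILY"}), ("ALICE", "BOB")),
]

if __name__ == "__main__":
    for finding in audit(NOTIFICATIONS, UDO_VIEW, DATA_SCOPE):
        print(finding)
```

A STILL_DELIVERED_AFTER_REVOKE finding marks a notification to copy with Save As and delete, as described above, so that subscribers must resubscribe.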