Security Administration

Download as pdf or txt
Download as pdf or txt
You are on page 1of 296

JD Edwards EnterpriseOne Tools

Security Administration Guide Release 8.98 Update 4


E14717-05

July 2013

JD Edwards EnterpriseOne Tools Security Administration Guide, Release 8.98 Update 4 E14717-05 Copyright 2011, 2013, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Contents
Preface ............................................................................................................................................................... xv
Audience..................................................................................................................................................... Documentation Accessibility ................................................................................................................... Related Documents ................................................................................................................................... Conventions ............................................................................................................................................... xv xv xv xvi

1 Introduction to JD Edwards EnterpriseOne Tools Security Administration


1.1 1.2 Security Administration Overview .......................................................................................... 1-1 Security Administration Implementation ............................................................................... 1-1

2 Understanding JD Edwards EnterpriseOne Security


2.1 2.2 2.2.1 2.3 2.4 2.5 2.5.1 2.5.2 2.5.3 2.5.3.1 2.5.3.2 2.5.3.3 JD Edwards EnterpriseOne Security Overview ..................................................................... Object-Level Security.................................................................................................................. Object Level Security Types ............................................................................................... Users, Roles, and *PUBLIC ........................................................................................................ How JD Edwards EnterpriseOne Checks Security ................................................................ Cached Security Information .................................................................................................... Clearing the Cache on a Workstation Client ................................................................... Clearing the Cache on a Web Client Using Server Manager......................................... Clearing the Cache on a Web Client ................................................................................. Method One................................................................................................................... Method Two ................................................................................................................. Method 3 ........................................................................................................................ 2-1 2-1 2-2 2-3 2-3 2-4 2-4 2-4 2-4 2-4 2-4 2-5

3 Working with User and Role Profiles


3.1 3.1.1 3.1.2 3.1.3 3.2 3.3 3.4 3.4.1 3.4.1.1 3.4.1.2 Understanding User and Role Profiles .................................................................................... How to Assign and Delete Environments for User and Role Profiles ......................... How to Assign Business Preferences to User and Role Profiles ................................... User and Role Profile Copying .......................................................................................... Understanding How Role Profiles Make Profiling Easier .................................................... Tables Used by the User Profile Revisions Application........................................................ Setting Up User Profiles............................................................................................................. Understanding User Profile Setup .................................................................................... User Profile Creation and Modification .................................................................... Batch Process for Creating User Profiles................................................................... 3-1 3-1 3-1 3-2 3-2 3-2 3-3 3-3 3-3 3-4
iii

3.4.1.3 Report Used for Reviewing User Profiles ................................................................. 3-4 3.4.2 Understanding How to Add Users ................................................................................... 3-4 3.4.2.1 How to Add an Individual User ................................................................................ 3-4 3.4.2.2 How to Add Multiple Users ....................................................................................... 3-5 3.4.3 Prerequisites ......................................................................................................................... 3-6 3.4.4 Forms Used to Set Up User Profiles.................................................................................. 3-6 3.4.5 Setting Processing Options for User Profile Revisions (P0092) .................................... 3-7 3.4.6 Creating and Modifying User Profiles.............................................................................. 3-7 3.4.7 Copying User Profiles ......................................................................................................... 3-8 3.4.8 Assigning Business Preferences to User Profiles ............................................................ 3-8 3.4.9 Creating Profiles by Using a Batch Process ..................................................................... 3-9 3.4.10 Reviewing User and Profile Definitions........................................................................ 3-10 3.5 Setting Up Roles ....................................................................................................................... 3-10 3.5.1 Understanding User Roles .............................................................................................. 3-10 3.5.2 Understanding Role-to-Role Relationships .................................................................. 3-12 3.5.3 Understanding the Sign-In Role Chooser ..................................................................... 3-12 3.5.4 Understanding the Menu Filtering Role Chooser........................................................ 3-13 3.5.5 Understanding Workstation Initialization File Parameters ....................................... 3-14 3.5.6 Forms Used to Set Up Roles ............................................................................................ 3-14 3.5.7 Creating and Modifying Roles........................................................................................ 3-15 3.5.8 Migrating Roles................................................................................................................. 3-16 3.5.8.1 Run the TC R89959211 .............................................................................................. 3-16 3.5.8.2 Run the TC R8995921 ................................................................................................ 3-16 3.5.8.3 Sequence the Roles .................................................................................................... 3-17 3.5.8.4 Add Environments .................................................................................................... 3-17 3.5.8.5 Set up the JDE.INI/JAS.INI file ............................................................................... 3-17 3.5.8.6 Server Executables..................................................................................................... 3-18 3.5.8.7 Set Up Security........................................................................................................... 3-18 3.5.8.8 Run the UBE R98OWPU........................................................................................... 3-18 3.5.8.9 Run the UBE R98OWUP (Optional) ....................................................................... 3-18 3.5.9 Sequencing Roles .............................................................................................................. 3-19 3.5.10 Adding an Environment to a Role ................................................................................. 3-20 3.5.11 Assigning Business Preferences to a Role ..................................................................... 3-21 3.5.12 Setting Up a Role Relationship ....................................................................................... 3-21 3.5.13 Enabling the Role Chooser .............................................................................................. 3-21 3.5.14 Creating Role-to-Role Relationships .............................................................................. 3-22 3.5.15 Delegating Roles ............................................................................................................... 3-22 3.5.16 Adding Roles to a User .................................................................................................... 3-23 3.5.17 Adding Users to a Role .................................................................................................... 3-23 3.5.18 Copying User Roles .......................................................................................................... 3-24 3.5.19 Adding a Language Translation to a Role .................................................................... 3-24

4 Employing Sign-in Security


4.1 4.1.1 4.1.2 4.1.3 Understanding Sign-in Security ............................................................................................... Sign-In Security Overview ................................................................................................. Security Table Access .......................................................................................................... Password Encryption .......................................................................................................... 4-1 4-1 4-2 4-2

iv

4.1.4 4.1.5 4.1.5.1 4.1.6 4.1.7 4.1.7.1 4.1.7.2

Sign-In Security Setup......................................................................................................... 4-2 Process Flow for Sign-in Security...................................................................................... 4-4 ShowUnifiedLogon Setting ......................................................................................... 4-7 Sign-in Security for Web Users .......................................................................................... 4-8 Setting Processing Options for P98OWSEC.................................................................. 4-10 Default......................................................................................................................... 4-11 Password..................................................................................................................... 4-11

5 Setting Up User Security


5.1 5.2 5.2.1 5.2.2 5.2.3 5.2.4 5.2.5 5.2.6 5.2.7 5.2.8 5.2.9 5.3 5.3.1 5.3.2 5.4 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.4.6 5.5 5.5.1 5.5.2 5.5.3 5.5.4 5.5.5 5.5.6 5.5.7 5.6 5.6.1 5.6.2 5.6.3 5.6.4 5.7 5.7.1 5.7.2 5.7.3 Understanding User Security.................................................................................................... 5-1 Creating and Revising User Security ....................................................................................... 5-1 Understanding How to Create and Revise User Security ............................................. 5-2 Prerequisites ......................................................................................................................... 5-2 Forms Used to Create and Revise User Security............................................................. 5-3 Creating User Security ........................................................................................................ 5-3 Copying User Security ........................................................................................................ 5-5 Revising User and Role Security ....................................................................................... 5-5 Revising All User Security.................................................................................................. 5-6 Changing a Sign-in Password............................................................................................ 5-6 Requiring Sign-in Security ................................................................................................. 5-6 Reviewing Security History....................................................................................................... 5-7 Prerequisite ........................................................................................................................... 5-7 Forms Used to Review Security History .......................................................................... 5-7 Managing Data Sources for User Security .............................................................................. 5-7 Understanding Data Source Management for User Security........................................ 5-8 Forms Used to Manage Data Sources for User Security ................................................ 5-8 Adding a Data Source to a User, a Role, or All Users .................................................... 5-8 Revising a Data Source for a User, Role, or All Users .................................................... 5-9 Removing a Data Source for a User, Role, or All Users ................................................. 5-9 Changing the System User Password............................................................................ 5-10 Enabling and Synchronizing Security Settings.................................................................... 5-10 Understanding Security Setting Synchronization........................................................ 5-10 Changing the Workstation jde.ini File for User Security ............................................ 5-10 Setting Auxiliary Security Servers in the Workstation jde.ini.................................... 5-11 Changing the Timeout Value Due to Security Server Communication Error ......... 5-11 Changing the Enterprise Server jde.ini File for Security............................................. 5-11 Setting Auxiliary Security Servers in the Server jde.ini .............................................. 5-13 Verifying Security Processes in the Server jde.ini........................................................ 5-13 Running a Security Analyzer Report .................................................................................... 5-13 Understanding the Security Analyzer Report .............................................................. 5-13 Form Used to Run a Security Analyzer Report............................................................ 5-14 Running the Security Analyzer by Data Source Report (R98OWSECA).................. 5-14 Running the Security Analyzer by User or Group Report (R98OWSECB) .............. 5-15 Managing Unified Logon........................................................................................................ 5-16 Understanding Unified Logon........................................................................................ 5-16 Modifying the jde.ini Setting to Enable or Disable Unified Logon ........................... 5-16 Setting Up a Service for Unified Logon......................................................................... 5-17

5.7.4

Removing a Service for Unified Logon ......................................................................... 5-17

6 Setting Up JD Edwards Solution Explorer Security


6.1 6.1.1 6.1.2 6.1.3 6.2 Understanding JD Edwards Solution Explorer Security....................................................... Fast Path Security Settings ................................................................................................. Solution Explorer Security Presets .................................................................................... Prerequisite ........................................................................................................................... Configuring JD Edwards Solution Explorer Security............................................................ 6-1 6-3 6-4 6-5 6-5

7 Using Security Workbench


7.1 7.2 7.2.1 7.2.2 7.2.2.1 7.3 7.3.1 7.3.2 7.3.3 7.4 7.4.1 7.4.2 7.4.3 7.4.4 7.4.5 7.5 7.5.1 7.5.2 7.5.3 7.5.4 7.6 7.6.1 7.6.2 7.6.3 7.6.4 7.6.5 7.7 7.7.1 7.7.1.1 7.7.1.2 7.7.1.3 7.7.1.4 7.7.1.5 7.7.2 7.7.3 7.8 7.8.1
vi

Understanding Security Workbench........................................................................................ 7-1 Understanding Exclusive/Inclusive Row Security................................................................ 7-2 Exclusive Row Security....................................................................................................... 7-2 Inclusive Row Security........................................................................................................ 7-3 Activating Inclusive Row Security............................................................................. 7-4 Creating Security Overrides ...................................................................................................... 7-4 Understanding Security Overrides ................................................................................... 7-4 Prerequisite ........................................................................................................................... 7-5 Adding Security Overrides ................................................................................................ 7-6 Managing Application Security ................................................................................................ 7-6 Understanding Application Security ................................................................................ 7-6 Reviewing the Current Application Security Settings for a User or Role ................... 7-7 Adding Security to an Application ................................................................................... 7-7 Securing a User or Role from All JD Edwards EnterpriseOne Objects........................ 7-8 Removing Security from an Application.......................................................................... 7-9 Managing Action Security ......................................................................................................... 7-9 Understanding Action Security ......................................................................................... 7-9 Reviewing the Current Action Security Settings ......................................................... 7-10 Adding Action Security ................................................................................................... 7-10 Removing Action Security............................................................................................... 7-11 Managing Row Security.......................................................................................................... 7-12 Understanding Row Security.......................................................................................... 7-12 Prerequisite ........................................................................................................................ 7-13 Setting Up Data Dictionary Spec Files........................................................................... 7-13 Adding Row Security....................................................................................................... 7-13 Removing Row Security .................................................................................................. 7-14 Managing Column Security ................................................................................................... 7-14 Understanding Column Security ................................................................................... 7-15 Column Security Options ......................................................................................... 7-15 Column Security on a Table..................................................................................... 7-15 Column Security on an Application ....................................................................... 7-16 Column Security on an Application Version......................................................... 7-16 Column Security on a Form ..................................................................................... 7-16 Adding Column Security................................................................................................. 7-16 Removing Column Security ............................................................................................ 7-17 Managing Processing Option and Data Selection Security ............................................... 7-17 Understanding Processing Option Security ................................................................. 7-17

7.8.2 Understanding Data Selection Security......................................................................... 7.8.2.1 Implementation Considerations.............................................................................. 7.8.2.2 Data Selection Security Options .............................................................................. 7.8.2.3 Security Hierarchy..................................................................................................... 7.8.2.4 Data Selection Security Scenarios............................................................................ 7.8.3 Reviewing the Current Processing Option and Data Selection Security Settings... 7.8.4 Adding Security to Processing Options and Data Selection ...................................... 7.8.5 Removing Security from Processing Options and Data Selection............................. 7.8.6 Using R009505 to Update Data Selection Security....................................................... 7.9 Managing Tab Security ........................................................................................................... 7.9.1 Understanding Tab Security ........................................................................................... 7.9.2 Adding Tab Security ........................................................................................................ 7.9.3 Removing Tab Security.................................................................................................... 7.10 Managing Hyper Exit Security............................................................................................... 7.10.1 Adding Hyper Exit Security............................................................................................ 7.10.2 Removing Hyper Exit Security ....................................................................................... 7.11 Managing Exclusive Application Security ........................................................................... 7.11.1 Understanding Exclusive Application Security ........................................................... 7.11.2 Adding Exclusive Application Security ........................................................................ 7.11.3 Removing Exclusive Application Access ...................................................................... 7.12 Managing External Calls Security ......................................................................................... 7.12.1 Understanding External Call Security ........................................................................... 7.12.2 Adding External Call Security ........................................................................................ 7.12.3 Removing External Call Security.................................................................................... 7.13 Managing Miscellaneous Security......................................................................................... 7.13.1 Understanding Miscellaneous Security......................................................................... 7.13.1.1 Read/Write Reports Security .................................................................................. 7.13.1.2 Workflow Status Monitoring Security.................................................................... 7.13.2 Managing Miscellaneous Security Features ................................................................. 7.14 Managing Push Button, Link, and Image Security ............................................................. 7.14.1 Understanding Push Button, Link, and Image Security ............................................. 7.14.1.1 Push Button, Link, and Image Security on Subforms .......................................... 7.14.2 Adding Push Button, Link, and Image Security .......................................................... 7.14.3 Removing Push Button, Link, and Image Security...................................................... 7.15 Managing Text Block Control and Chart Control Security ............................................... 7.15.1 Understanding Text Block Control and Chart Control Security ............................... 7.15.2 Reviewing Current Text Block Control and Chart Control Security Settings ......... 7.15.3 Adding Text Block Control and Chart Control Security............................................. 7.15.4 Removing Text Block Control and Chart Control Security ........................................ 7.16 Managing Media Object Security .......................................................................................... 7.16.1 Understanding Media Object Security .......................................................................... 7.16.2 Reviewing the Media Object Security Settings............................................................. 7.16.3 Adding Media Object Security ....................................................................................... 7.16.4 Removing Media Object Security ................................................................................... 7.17 Managing Application Query Security................................................................................. 7.17.1 Understanding Application Query Security................................................................. 7.17.2 Setting Up Application Query Security for Applications...........................................

7-18 7-18 7-18 7-19 7-19 7-20 7-20 7-22 7-22 7-23 7-23 7-24 7-25 7-25 7-26 7-27 7-27 7-27 7-27 7-28 7-28 7-28 7-28 7-29 7-30 7-30 7-30 7-30 7-30 7-31 7-31 7-32 7-33 7-34 7-34 7-35 7-35 7-35 7-36 7-37 7-37 7-38 7-38 7-39 7-40 7-40 7-40

vii

7.17.3 Setting Up DataBrowser Query Security....................................................................... 7.17.4 Selecting Error or Warning Messages............................................................................ 7.17.5 Finding Existing Query Security Records ..................................................................... 7.17.6 Editing Existing Query Security Records...................................................................... 7.17.7 Deleting Query Security Records ................................................................................... 7.17.8 Enable or Disable Query Security Records ................................................................... 7.17.9 Excluding Users ................................................................................................................ 7.17.10 Configuring Error Messages Using Data Dictionary Items........................................ 7.17.11 Configuring Fields............................................................................................................ 7.18 Managing Data Browser Security.......................................................................................... 7.18.1 Understanding Data Browser Security.......................................................................... 7.18.2 Adding Data Browser Security ....................................................................................... 7.18.3 Removing Data Browser Security .................................................................................. 7.19 Managing Published Business Services Security ................................................................ 7.19.1 Understanding Published Business Services Security ................................................ 7.19.1.1 Inherited Security ...................................................................................................... 7.19.1.2 How JD Edwards EnterpriseOne Checks Published Business Services Security ........................................................................................................ 7.19.1.3 Published Business Services Security Log Information ....................................... 7.19.2 Reviewing the Current Published Business Services Security Records.................... 7.19.3 Authorizing Access to Published Business Services ................................................... 7.19.4 Adding Multiple Published Business Services Security Records at a Time............. 7.19.5 Deleting Published Business Services Security ............................................................ 7.20 Copying Security for a User or a Role................................................................................... 7.20.1 Understanding How to Copy Security for a User or a Role....................................... 7.20.2 Copying All Security Records for a User or a Role...................................................... 7.20.3 Copying a Single Security Record for a User or a Role............................................... 7.21 Reviewing and Deleting Security Records on the Work With User/Role Security Form ............................................................................................................................ 7.21.1 Understanding How to Review Security Records ....................................................... 7.21.2 Reviewing Security on the Work With User/Role Security Form ............................ 7.21.3 Deleting Security on the Work With User/Role Security Form ................................ 7.22 Running Security Workbench Records Reports .................................................................. 7.22.1 Understanding the Security Workbench Records Reports......................................... 7.22.1.1 Example of Security by Object Report (R009501) ................................................. 7.22.1.2 Example of Security Audit Report by User (R009502, XJDE0001) ..................... 7.22.1.3 Example of Security Audit Report by Role (R009502, XJDE0002)...................... 7.22.2 Run the Security Audit Report by Object Version (R009501, XJDE0001) ................. 7.22.3 Run the Security Audit Report by User Version (R009502, XJDE0001) .................... 7.22.4 Run the Security Audit Report by Role Version (R009502, XJDE0002) .................... 7.22.5 Running a Report that Lists Published Business Service Security Records .............

7-41 7-42 7-42 7-43 7-44 7-44 7-45 7-45 7-46 7-46 7-46 7-46 7-47 7-47 7-47 7-48 7-48 7-50 7-50 7-50 7-52 7-52 7-53 7-53 7-53 7-53 7-54 7-54 7-54 7-54 7-55 7-55 7-56 7-56 7-57 7-58 7-58 7-59 7-60

8 Setting Up Address Book Data Security


8.1 8.1.1 8.2 8.3 Understanding Address Book Data Security.......................................................................... Additional Level of Private Data Security with Release 8.98 Update 4....................... Prerequisites ................................................................................................................................ Setting Up Permission List Definitions.................................................................................... 8-1 8-2 8-3 8-3

viii

8.3.1 8.3.2 8.3.3 8.4 8.4.1 8.4.2 8.4.3 8.5

Understanding Permission List Definitions .................................................................... Forms Used to Set Up Permission List Definitions......................................................... Creating Permission List Definitions ................................................................................ Setting Up Permission List Relationships ............................................................................... Understanding Permission List Relationships ................................................................ Forms Used to Create Permission List Relationships..................................................... Creating Permission List Relationships............................................................................ Enabling or Disabling Secured Private Data from Displaying in Other Applications and Output (Release 8.98.4.10) ..........................................................

8-3 8-3 8-3 8-4 8-4 8-4 8-4 8-4

9 Setting Up Business Unit Security


9.1 Understanding Business Unit Security.................................................................................... 9.1.1 UDC Sharing ........................................................................................................................ 9.1.2 Transaction Security ............................................................................................................ 9.2 Working with UDC Sharing...................................................................................................... 9.2.1 Understanding the UDC Sharing Setup ........................................................................... 9.2.2 Understanding Business Unit Security for UDC Sharing.............................................. 9.2.3 Setting Up UDC Sharing..................................................................................................... 9.2.4 Setting Up Business Unit Security for UDC Sharing...................................................... 9.2.5 Revising UDC Groups ........................................................................................................ 9.2.6 Deleting a UDC Group ....................................................................................................... 9.3 Working with Transaction Security ......................................................................................... 9.3.1 Understanding How to Set Up Transaction Security ..................................................... 9.3.1.1 Generating Transaction Security Records................................................................. 9.3.2 Setting Up Transaction Security ........................................................................................ 9.3.3 Setting Processing Options for Maintain Business Unit Transaction Security (R95301)............................................................................................ 9.3.3.1 Transaction Security..................................................................................................... 9.3.4 Setting Processing Options for Business Unit Security Maintenance Application (P95300) ........................................................................................................... 9.3.4.1 Mode............................................................................................................................... 9.3.4.2 Transaction Security..................................................................................................... 9.3.5 Revising Transaction Security............................................................................................ 9-1 9-1 9-1 9-2 9-2 9-2 9-3 9-4 9-4 9-5 9-5 9-5 9-6 9-6 9-7 9-7 9-8 9-8 9-8 9-8

10 Setting Up Application Failure Recovery


10.1 Understanding Application Failure Recovery..................................................................... 10.1.1 Prerequisites ...................................................................................................................... 10.2 Enabling/Disabling Application Failure Recovery ............................................................ 10.3 Saving Application Data ......................................................................................................... 10-1 10-1 10-2 10-2

11 Enabling LDAP Support in JD Edwards EnterpriseOne


11.1 Understanding LDAP Support in JD Edwards EnterpriseOne......................................... 11.1.1 LDAP Support Overview ................................................................................................ 11.1.2 User Profile Management in LDAP-Enabled JD Edwards EnterpriseOne .............. 11.1.3 LDAP and JD Edwards EnterpriseOne Relationships ................................................ 11.1.3.1 User Authentication Using the LDAP Server........................................................ 11-1 11-1 11-2 11-2 11-3

ix

11.1.3.2 JD Edwards EnterpriseOne User Data ................................................................... 11.1.3.3 User Data Managed by LDAP ................................................................................. 11.1.3.4 Data Managed by LDAP and JD Edwards EnterpriseOne.................................. 11.1.3.5 User Data Synchronization in LDAP-Enabled JD Edwards EnterpriseOne..... 11.1.4 Application Changes in LDAP-Enabled JD Edwards EnterpriseOne ...................... 11.1.4.1 User Password Changes ........................................................................................... 11.1.4.2 User Profile Revisions Application (P0092) Changes........................................... 11.1.4.3 EnterpriseOne Security Application (P98OWSEC) Changes .............................. 11.1.4.4 Role Relationships Application (P95921) Changes............................................... 11.1.4.5 Schedule Jobs Application Changes ....................................................................... 11.1.5 LDAP Server-Side Administration................................................................................. 11.1.6 JD Edwards EnterpriseOne Server-Side Administration............................................ 11.2 Configuring LDAP Support in JD Edwards EnterpriseOne.............................................. 11.2.1 Overview of Steps to Enable LDAP Support in JD Edwards EnterpriseOne ........ 11.2.2 How JD Edwards EnterpriseOne Uses LDAP Server Settings ................................ 11.2.3 Prerequisites .................................................................................................................... 11.2.4 Forms Used to Configure LDAP Support in JD Edwards EnterpriseOne ............. 11.2.5 Creating an LDAP Configuration ................................................................................ 11.2.6 Configuring the LDAP Server Settings ....................................................................... 11.2.7 Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings . 11.2.8 Changing the LDAP Configuration Status ................................................................. 11.2.9 Enabling LDAP Authentication Mode ........................................................................ 11.3 Modifying the LDAP Default User Profile Settings.......................................................... 11.3.1 Understanding LDAP Default User Profile Settings ................................................. 11.3.2 Forms Used to Modify the LDAP Default User Profile Settings ............................. 11.3.3 Reviewing the Current LDAP Default Settings ......................................................... 11.3.4 Modifying the Default User Profile Settings for LDAP ............................................ 11.3.5 Modifying the Default Role Relationships for LDAP................................................ 11.3.6 Modifying the Default User Security Settings for LDAP.......................................... 11.4 Using LDAP Bulk Synchronization (R9200040) ................................................................ 11.4.1 Understanding LDAP Batch Synchronization ........................................................... 11.4.1.1 Example: LDAP Bulk Synchronization (R9200040) ............................................ 11.4.2 Running the LDAP Bulk Synchronization Batch Process (R9200040)..................... 11.5 Using LDAP Over SSL .......................................................................................................... 11.5.1 Understanding LDAP with SSL.................................................................................... 11.5.1.1 LDAP Authentication Over SSL for Windows and UNIX ................................ 11.5.1.2 LDAP Authentication Over SSL for iSeries ......................................................... 11.5.2 Enabling LDAP Authentication Over SSL for Windows and UNIX....................... 11.5.3 Enabling LDAP Authentication Over SSL for iSeries................................................ 11.6 Exporting User Data to the LDAP Server........................................................................... 11.6.1 Understanding the data4ldap Utility........................................................................... 11.6.2 Prerequisites .................................................................................................................... 11.6.3 Granting Access to the data4ldap Utility .................................................................... 11.6.4 Configuring Parameters Required to Run the data4ldap Utility............................. 11.6.5 Running the data4ldap Utility on Windows .............................................................. 11.6.6 Running the data4ldap Utility on Unix or Linux....................................................... 11.6.7 Running the data4ldap utility on iSeries.....................................................................

11-4 11-4 11-4 11-5 11-6 11-6 11-7 11-7 11-7 11-8 11-8 11-9 11-9 11-10 11-10 11-12 11-13 11-13 11-14 11-16 11-17 11-18 11-18 11-18 11-19 11-19 11-20 11-20 11-20 11-21 11-21 11-22 11-22 11-22 11-23 11-23 11-23 11-23 11-23 11-24 11-24 11-25 11-26 11-26 11-27 11-27 11-27

11.6.8 11.6.8.1 11.6.8.2 11.6.8.3 11.6.8.4 11.6.9 11.6.9.1 11.6.9.2

Scenarios for Uploading Users to the LDAP Server .................................................. data4ldap JDE DV812 *ALL *NO *YES ................................................................ data4ldap JDE DV812 *ALL *YES *YES ............................................................... data4ldap JDE DV812 *ALL *YES *NO ................................................................ data4ldap JDE DV812 *ALL *NO *NO................................................................. LDAP Server Behavior ................................................................................................... Tree Delete Control ................................................................................................. Microsoft Active Directory.....................................................................................

11-28 11-28 11-28 11-28 11-28 11-28 11-28 11-29

12 Understanding JD Edwards EnterpriseOne Single Sign-On


12.1 12.2 12.3 12.4 12.5 12.5.1 JD Edwards EnterpriseOne Single Sign-On Overview ...................................................... Authenticate Tokens................................................................................................................ Nodes ......................................................................................................................................... How a Node Validates an Authenticate Token................................................................... Single Sign-On Scenarios ........................................................................................................ Launching a JD Edwards EnterpriseOne Application from PeopleSoft Enterprise Portal ........................................................................................... 12.5.2 Launching a JD Edwards EnterpriseOne Application from JD Edwards Collaborative Portal.......................................................................... 12-1 12-1 12-2 12-3 12-4 12-5 12-6

13 Setting Up JD Edwards EnterpriseOne Single Sign-On


13.1 Understanding the Default Settings for the Single Sign-On Node Configuration......... 13.2 Setting Up a Node Configuration.......................................................................................... 13.2.1 Understanding Single Sign-On Configurations and Their Relationships ................ 13.2.2 Adding a Node Configuration........................................................................................ 13.2.3 Revising a Node Configuration ...................................................................................... 13.2.4 Changing the Status of a Node ....................................................................................... 13.2.5 Deleting a Node Configuration ...................................................................................... 13.3 Setting Up a Token Lifetime Configuration Record ........................................................... 13.3.1 Adding a Token Lifetime Configuration Record ......................................................... 13.3.2 Deleting a Token Lifetime Configuration Record........................................................ 13.4 Setting Up a Trusted Node Configuration........................................................................... 13.4.1 Adding a Trusted Node Configuration......................................................................... 13.4.2 Deleting a Trusted Node Configuration ....................................................................... 13.5 Configuring Single Sign-On for a Pre-EnterpriseOne 8.11 Release.................................. 13.5.1 Modifying jde.ini file Node Settings for Single Sign-On ............................................ 13.5.2 Working with Sample jde.ini Node Settings for Single Sign-On............................... 13.5.2.1 Example 1:................................................................................................................... 13.5.2.2 Example 2:................................................................................................................... 13.6 Configuring Single Sign-On Without a Security Server..................................................... 13.7 Configuring Single Sign-On for JD Edwards Collaborative Portal .................................. 13.8 Configuring Single Sign-On for Portlets............................................................................... 13.8.1 Modifying TokenGen.ini File Settings........................................................................... 13.8.2 EnterpriseOne Portlet (JSR168) ....................................................................................... 13.8.3 Collaborative Portal EnterpriseOne Menu ................................................................... 13.8.4 Hosted EnterpriseOne Portlet....................................................................................... 13-1 13-2 13-2 13-3 13-4 13-4 13-4 13-4 13-4 13-5 13-5 13-5 13-6 13-6 13-6 13-6 13-6 13-7 13-7 13-8 13-9 13-9 13-9 13-9 13-10

xi

13.8.5 CSS, ESS, SSS ................................................................................................................... 13.8.6 EnterpriseOne Links....................................................................................................... 13.8.7 CRM .................................................................................................................................. 13.9 Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne........................................................................................... 13.9.1 Understanding Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne ................................................................................... 13.9.1.1 Time Zone Adjustment for PeopleSoft Enterprise Portal .................................. 13.9.1.2 User ID Mapping for Single Sign-On ................................................................... 13.9.2 Managing User ID Mapping in JD Edwards EnterpriseOne.................................... 13.9.3 Managing User ID Mapping when Using LDAP....................................................... 13.9.4 Synchronizing User Mappings Between LDAP and JD Edwards EnterpriseOne While Using LDAP Authentication................................................... 13.9.5 Viewing User ID Mapping When Using LDAP .........................................................

13-10 13-10 13-10 13-10 13-10 13-11 13-11 13-11 13-12 13-12 13-13

14 Understanding Single Sign-On Between JD Edwards EnterpriseOne and Oracle


Single Sign-On Between JD Edwards EnterpriseOne and Oracle .................................... Prerequisites ...................................................................................................................... Oracle Single Sign-On Components...................................................................................... Single Sign-On Server ...................................................................................................... Partner Applications ........................................................................................................ mod_osso ........................................................................................................................... Oracle Internet Directory................................................................................................. Oracle Identity Management Infrastructure................................................................. Supported JD Edwards EnterpriseOne and Oracle Single Sign-On Configurations ..... Single Sign-On when Running JD Edwards EnterpriseOne on Oracle Application Server ................................................................................................. 14.4.1 Single Sign-Off .................................................................................................................. 14.4.2 JD Edwards EnterpriseOne Single Sign-On Settings when Running on Oracle Application Server .............................................................. 14.4.2.1 JD Edwards EnterpriseOne jas.ini Settings for Single Sign-On .......................... 14.4.2.2 JD Edwards EnterpriseOne TokenGen.ini Settings.............................................. 14.4.3 Settings for Configuring JD Edwards EnterpriseOne Virtual Hosts with Oracle Single Sign-On ............................................................................................. 14.5 Single Sign-On When Running JD Edwards EnterpriseOne on IBM WebSphere ......... 14.5.1 Time Zone Setting Adjustment....................................................................................... 14.6 Non-Web Client Sign-On in the Oracle Single Sign-On Configuration........................... 14.1 14.1.1 14.2 14.2.1 14.2.2 14.2.3 14.2.4 14.2.5 14.3 14.4 14-1 14-1 14-2 14-2 14-2 14-2 14-2 14-3 14-3 14-4 14-5 14-5 14-5 14-6 14-6 14-7 14-9 14-9

15 Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g
Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager........................................................................................... 15.1.1 JD Edwards EnterpriseOne Integration Architecture ................................................. 15.1.1.1 Single Sign-On Architecture .................................................................................... 15.1.2 Supported Versions and Platforms ................................................................................ 15.2 Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne..... 15.1
xii

15-1 15-3 15-3 15-5 15-5

15.2.1 15.2.2 15.2.3

Prerequisites ...................................................................................................................... Creating a Host Identifier for the JD Edwards EnterpriseOne HTTP Server .......... Creating a Policy Domain and Policies to Restrict Access to JD Edwards EnterpriseOne URLs.............................................................................. 15.2.4 Defining a Resource That Controls the Highest-Level URL Prefix to Protect ......... 15.2.5 Defining Two Authorization Rules................................................................................ 15.2.6 Defining an Authorization Action ................................................................................. 15.2.7 Defining an Authentication Rule.................................................................................... 15.2.8 Defining an Access Policy and Adding the JD Edwards EnterpriseOne URL Pattern to It ............................................................................................................. 15.2.9 Defining an Authentication Rule for the JD Edwards EnterpriseOne Resources . 15.2.10 Defining an Authentication Action That Sets a Custom HTTP Header Variable Upon Successful Authentication .................................................................. 15.2.11 Defining an Authorization Expression for the JD Edwards EnterpriseOne Resources............................................................................................... 15.3 Setting Up JD Edwards EnterpriseOne for Single Sign-On Integration with Oracle Access Manager ................................................................................................ 15.4 Configuring Single Sign-Off.................................................................................................

15-5 15-6 15-6 15-7 15-7 15-8 15-9 15-10 15-10 15-11 15-12 15-12 15-13

16 Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g
16.1 16.1.1 16.1.2 16.1.3 16.2 16.2.1 16.2.2 16.2.3 16.3 16.4 16.5 Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 16-1 JD Edwards EnterpriseOne Integration Architecture ................................................. Single Sign-On Architecture............................................................................................ Supported Versions and Platforms ................................................................................ Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne..... Prerequisites ...................................................................................................................... Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server..... Configuring Oracle HTTP Server for JD Edwards EnterpriseOne HTML Server Setting Up JD Edwards EnterpriseOne for Single Sign-On Integration with Oracle Access Manager ................................................................................................ Setting Up JD Edwards EnterpriseOne for Single Sign-Off Integration with Oracle Access Manager ................................................................................................ Testing the Single Sign-On Configuration .........................................................................

16-3 16-3 16-5 16-5 16-5 16-6 16-11 16-12 16-13 16-14

17 Setting Up Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise


17.1 17.1.1 17.2 17.2.1 17.2.2 17.2.3 Understanding Single Sign-On between JD Edwards EnterpriseOne and Crystal Enterprise 17-1 Prerequisite ........................................................................................................................ 17-1 Configuring Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise............................................................................................................ 17-2 Verifying the UDC for the Crystal Enterprise Task Type........................................... 17-2 Add the Crystal Enterprise Task to the JD Edwards EnterpriseOne Menu............. 17-2 Setting Up the Default Domain in Crystal Management Console ............................ 17-3

xiii

17.2.4

Verifying the Crystal Enterprise Web Server Definition ............................................ 17-3

18 Configuring SSL for JDENET (Release 8.98 Update 4.11)


18.1 18.2 18.3 18.4 Understanding SSL for JDENET............................................................................................ Installing SSL Programs on IBM System i............................................................................ Generating an SSL Certificate and Key File ......................................................................... Configuring the Enterprise Server JDE.INI File .................................................................. 18-1 18-1 18-2 18-3

A Creating a JD Edwards EnterpriseOne LDAP Configuration for OID


A.1 A.2 A.3 A.4 A.5 Understanding JD Edwards EnterpriseOne LDAP Configuration for OID...................... Adding OID to the List of LDAP Server Types ..................................................................... Creating an LDAP Configuration for OID ............................................................................. Configuring the LDAP Server Settings for OID .................................................................... Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings for OID...................................................................................................................... A-1 A-2 A-2 A-2 A-3

B JD Edwards EnterpriseOne Cookies


B.1 Web Runtime Cookies............................................................................................................... B-1

Glossary Index

xiv

Preface
Welcome to the JD Edwards EnterpriseOne Tools Security Administration Guide.

Audience
This guide is intended for system administrators and technical consultants who are responsible for setting up user, role, and application security, as well as LDAP and single-signon configurations for JD Edwards EnterpriseOne.

Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc. Access to Oracle Support Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents
You can access related documents from the JD Edwards EnterpriseOne Release Documentation Overview pages on My Oracle Support. Access the main documentation overview page by searching for the document ID, which is 876932.1, or by using this link: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id =876932.1 To navigate to this page from the My Oracle Support home page, click the Knowledge tab, and then click the Tools and Training menu, JD Edwards EnterpriseOne, Welcome Center, Release Information Overview. This guide contains references to server configuration settings that JD Edwards EnterpriseOne stores in configuration files (such as jde.ini, jas.ini, jdbj.ini, jdelog.properties, and so on). Beginning with the JD Edwards EnterpriseOne Tools Release 8.97, it is highly recommended that you only access and manage these settings for the supported server types using the Server Manager program. See the Server Manager Guide on My Oracle Support.

xv

Conventions
The following text conventions are used in this document:
Convention Bold Italics Monospace Meaning Indicates field values. Indicates emphasis and JD Edwards EnterpriseOne or other book-length publication titles. Indicates a JD Edwards EnterpriseOne program, other code example, or URL.

xvi

1
1

Introduction to JD Edwards EnterpriseOne Tools Security Administration


This chapter contains the following topics:

Section 1.1, "Security Administration Overview" Section 1.2, "Security Administration Implementation"

1.1 Security Administration Overview


Oracle's JD Edwards EnterpriseOne Tools provides security features, including components and JD Edwards EnterpriseOne security applications, to ensure that your company's sensitive application data is protected.

1.2 Security Administration Implementation


In the planning phase of your implementation, take advantage of all Oracle sources of information for JD Edwards EnterpriseOne, including the installation guides and troubleshooting information.

Introduction to JD Edwards EnterpriseOne Tools Security Administration

1-1

Security Administration Implementation

1-2 JD Edwards EnterpriseOne Tools Security Administration Guide

2
2

Understanding JD Edwards EnterpriseOne Security


This chapter contains the following topics:

Section 2.1, "JD Edwards EnterpriseOne Security Overview" Section 2.2, "Object-Level Security" Section 2.3, "Users, Roles, and *PUBLIC" Section 2.4, "How JD Edwards EnterpriseOne Checks Security" Section 2.5, "Cached Security Information"

2.1 JD Edwards EnterpriseOne Security Overview


JD Edwards EnterpriseOne security enables a security administrator to control security for individual users and for groups of users. Setting up security correctly ensures that users in the system have permission to perform only those actions that are essential to the completion of their jobs. The User Security application (P98OWSEC) uses the F98OWSEC table to manage the JD Edwards EnterpriseOne user IDs and system (database) user IDs. Use P98OWSEC to create, test, and change user security for JD Edwards EnterpriseOne and the logically attached database management systems. See Setting Up User Security. The Security Workbench application (P00950) enables you to secure JD Edwards EnterpriseOne objects, such as applications, forms, rows, tabs, and so on. It stores all objects security records in the F00950 table. See Using Security Workbench.

2.2 Object-Level Security


JD Edwards EnterpriseOne security is at the object level. This level means that you can secure specific objects within JD Edwards EnterpriseOne, which provides flexibility and integrity for your security. For example, you can secure a user from a specific form and then, no matter how the user tries to access the form (using a menu or any application that calls that form), the software prevents access to the form. The software simplifies the process of setting up security by enabling you to set security for hundreds of objects at one time by securing all objects on a specific menu or by securing all objects under a specific system code.

Understanding JD Edwards EnterpriseOne Security

2-1

Object-Level Security

Note:

Only the objects are secured; the software does not support menu or system code security. Object security provides a higher level of integrity. For example, if you secured a specific menu to prevent users from accessing the applications on that menu, the users might still be able to access those applications through another menu or another application that accesses the applications that you wanted to secure.

2.2.1 Object Level Security Types


At specific object levels, you can set these levels of security, alone or in any combination, for users and groups:
Level of Security Application security Description Secures users from running or installing, or both, a particular application, an application version, or a form within an application or application version. You cannot define Application security at the subform level. Secures users from performing a particular action, such as adding, deleting, revising, inquiring, or copying a record. You define Action security at the application, version, and form level. You cannot define Action security at the subform level. Secures users from accessing a particular range or list of records in any table. For example, if you secure a user from accessing data about business units 1 through 10, the user cannot view the records that pertain to those business units. Column security Secures users from viewing a particular field or changing a value for a particular field in an application or application version. This item can be a database or non-database field that is defined in the data dictionary, such as the work/calculated fields. For example, if you secure a user from viewing the Salary field on the Employee Master application, the Salary field does not appear on the form when the user accesses that application. Processing option security Secures users from viewing or changing the values of processing options, or from prompting for versions and prompting for values for specific applications or application versions. For example, if you secure a user from changing the processing options for Address Book Revisions, the user could still view the processing options (if you did not secure the user from prompting for values), but would not be able to change any of the values. If you secure a user from prompting for versions, the user would not be able to see the versions for a specific application, so the user would not be able to select a different version of an application from the version that the administrator assigned. Tab security Secures users from viewing or changing fields in a tab or tabs on a given form. You define Tab security at the application, version, and form level. You cannot define Tab security at the subform level. Secures users from menu bar exits on JD Edwards EnterpriseOne forms. These exits call applications and allow users to manipulate data. Exit security also restricts use of the same menu options.

Action security

Row security

Exit security

2-2 JD Edwards EnterpriseOne Tools Security Administration Guide

How JD Edwards EnterpriseOne Checks Security

Level of Security Exclusive application security

Description Overrides row security that is set for an application. When you set exclusive application security for a user, the system overrides row security for every table that is accessed by the application that is specified. All other security still applies. Secures users from accessing standalone executables that exist external to JD Edwards EnterpriseOne. These external executables, which might include design tools, system monitors, and debugging tools, are specific to JD Edwards EnterpriseOne. Controls access to the Data Browser program. Controls access to published business services. For published business services, JD Edwards EnterpriseOne uses a "secure by default" security model which means that users cannot access a published business service unless a security record exists that authorizes access. For all other objects in JD Edwards EnterpriseOne, access is granted unless otherwise secured or restricted. Controls whether users can user or view push button, link, and image controls. Controls whether users can add, change, delete, or view media objects within interactive applications, forms, or application versions.

External calls security

Data Browser security Published business service security

Push button, image, and link security Media object security

2.3 Users, Roles, and *PUBLIC


The JD Edwards EnterpriseOne security administrator can set up security for:

A particular user This option controls security by specific JD Edwards EnterpriseOne user ID.

A user role This option controls security by role, which enables you to group users based on similar job requirements. An example is putting all of the accounts payable clerks in one role, such as Accounts Payable (AP).

All users This option controls security for all users who are designated by ID type *PUBLIC in the User or Role field. The designation *PUBLIC is a special ID within JD Edwards EnterpriseOne that automatically includes all of the users within it. You can use this ID to apply security even if you do not have a specific record set up for it in user profiles.

2.4 How JD Edwards EnterpriseOne Checks Security


When a user attempts to access an application or perform an action, JD Edwards EnterpriseOne checks security for that particular user ID. If security exists for that user ID, the software displays a message indicating that the user cannot proceed. If the user ID has no security, the software checks role profiles (if that user is part of a specific role), and then *PUBLIC for security. If no security is established at any of these levels, the software allows the user to continue. JD Edwards EnterpriseOne also provides software license security through protection codes, and it requires user validation at sign-in and when accessing new data sources.

Understanding JD Edwards EnterpriseOne Security

2-3

Cached Security Information

2.5 Cached Security Information


When changes to security are made using the Security Workbench application (P00950), the changes are not immediately recognized in any environment because the records in the system data source are cached. For security changes to be enabled, the cache must be cleared.

2.5.1 Clearing the Cache on a Workstation Client


If system administrators make changes to the P00950 table, the changes are not immediately realized on workstations that are logged on to the system while security revisions are being made. To enable security changes, you clear the workstations memory cache by signing off and signing back on to the workstation.

2.5.2 Clearing the Cache on a Web Client Using Server Manager


To clear the cache on a web client for JD Edwards EnterpriseOne Tools Release 8.97 and later releases, you use Server Manager. Use these steps to clear the cache using Server Manager:
1.

Access the Server Manager Management Console: http://server_name:port/manage

2. 3. 4. 5.

Select the JAS Server instance for which you want to clear the cache from the Instance drop-down list box. Select JDBj database caches from the Runtime Metrics section in the left pane. Select the check boxes for the caches to be cleared. Click Clear Cache. The following caches are available to be cleared:

Data Dictionary Glossary Text Data Dictionary Alpha Cache Row Column Cache JDBJ Security Cache JDBJ Service Cache Serialized Objects Menu Cache

2.5.3 Clearing the Cache on a Web Client


To clear the cache on a web client for JD Edwards EnterpriseOne Tools Release 8.96 and earlier releases, you can use any of the these three methods:

2.5.3.1 Method One


Stop and then start the JD Edwards EnterpriseOne instance on the JAS Server.

2.5.3.2 Method Two


For JD Edwards EnterpriseOne releases 8.9 and later, open the Web Server Administration Workbench (SAW) and clear the JAS cache. To access SAW for JAS, you add /saw to the end of the URL, for example:

2-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Cached Security Information

http://<web server>:<port>/jde/saw Use these steps to clear the security cache on the selected JAS server:
1. 2. 3. 4.

Sign on to the SAW JAS tool. Select Work with JDBJ from the header section under the Views option. Select Security Cache from the Data Refreshing field in the upper right-hand corner of the pane. Click the Click Here to Continue button that is in the bottom pane.

The security cache on the selected JAS server is cleared.

2.5.3.3 Method 3
You can set the security cache to clear itself without stopping and starting the server or using SAW to manually clear the cache. To automatically clear the security cache at specified intervals, you configure the securityCachePurge setting in the JDBj.ini file, as illustrated here: [JDBj-RUNTIME PROPERTIES] securityCachePurge=xxxxx (where xxxxx is a number in milliseconds.)

Understanding JD Edwards EnterpriseOne Security

2-5

Cached Security Information

2-6 JD Edwards EnterpriseOne Tools Security Administration Guide

3
3

Working with User and Role Profiles

This chapter contains the following topics:


Section 3.1, "Understanding User and Role Profiles" Section 3.2, "Understanding How Role Profiles Make Profiling Easier" Section 3.3, "Tables Used by the User Profile Revisions (P0092)" Section 3.4, "Setting Up User Profiles" Section 3.5, "Setting Up Roles"

3.1 Understanding User and Role Profiles


You use the User Profile Revisions application (P0092) to add users and to set up user profiles. For every user, you must create a user profile, which defines such information as a list of environments that a user can select when signing in to JD Edwards EnterpriseOne and the language preference of the user. You can also assign roles to users. A role defines the tasks that an end user sees in JD Edwards EnterpriseOne. You can use P0092 to define specific users or roles. This definition includes:

The role to which a user belongs. For example, an accounts payable clerk would be part of the AP role. Roles are an important aspect of JD Edwards EnterpriseOne. By assigning users to roles, system administrators can set user preferences and securities that are based on the roles rather than the individual user.

The environments that the user can select when signing in to JD Edwards EnterpriseOne. Environments are assigned to roles. The language preference and country code for the text that appears on JD Edwards EnterpriseOne menus, forms, and country-specific applications.

3.1.1 How to Assign and Delete Environments for User and Role Profiles
You assign environments so that a user can select a role and environment combination when starting JD Edwards EnterpriseOne. You can assign more than one environment to a role. You can delete environments that are no longer relevant to a role.

3.1.2 How to Assign Business Preferences to User and Role Profiles


When setting up profiles, you can assign business preference codes. These codes can be used by a customized workflow process to send messages, update a database, or start an application. You define the codes for the preferences based on industry,

Working with User and Role Profiles

3-1

Understanding How Role Profiles Make Profiling Easier

business partner, or customer. Then you can create a JD Edwards EnterpriseOne workflow process that is based on whether a specific code resides in the user profile. For example, you assign the code CUS for a customer business preference, and then create a workflow process that begins whenever a user or role profile with the CUS business preference enters a sales order.

3.1.3 User and Role Profile Copying


You can copy all or part of a user or role profile. When you copy an entire user or role profile (display and environment preferences), you are creating a new user or role profile with the information from another profile. When you copy part of a user profile, you are copying the environment preferences from another profile to an already existing user profile.

3.2 Understanding How Role Profiles Make Profiling Easier


Roles eliminate the need to set up preferences for each individual user profile. By assigning individual users to a role, you can assign preferences to the role and have those settings available to all of the individual users who have that role. We recommend creating all role profiles that are needed for the enterprise first. This method makes creating user profiles easier; instead of defining specific environments, packages, and machine configurations for each user, administrators can define them for the role. If an individual in a role needs a different setup, you can assign different setups at the user profile level, which overrides the role settings. JD Edwards EnterpriseOne uses roles for these purposes:

Environments. User overrides. Application security. Creation of sign-in security records.

3.3 Tables Used by the User Profile Revisions (P0092)


The P0092 application uses these tables:

Library Lists - User (F0092) User Display Preferences (F00921) User Display Preferences Tag File (F00922) User Access Definition (F00925) Library List Control (F0093) Library List Master File (F0094) Anonymous User Access Table (F00926)

3-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up User Profiles

See Also:

"Defining Machines" in the JD Edwards EnterpriseOne Tools Package Management Guide. Setting Up User Profiles. Creating and Modifying User Profiles. Creating Profiles by Using a Batch Process.

3.4 Setting Up User Profiles


This section contains the following topics:

Section 3.4.1, "Understanding User Profile Setup" Section 3.4.2, "Understanding How to Add Users" Section 3.4.3, "Prerequisites" Section 3.4.4, "Forms Used to Set Up User Profiles" Section 3.4.5, "Setting Processing Options for User Profile Revisions (P0092)" Section 3.4.6, "Creating and Modifying User Profiles" Section 3.4.7, "Copying User Profiles" Section 3.4.8, "Assigning Business Preferences to User Profiles" Section 3.4.9, "Creating Profiles by Using a Batch Process" Section 3.4.10, "Reviewing User and Profile Definitions"

3.4.1 Understanding User Profile Setup


As a system administrator, you use User Profile Revisions (P0092) to create user profiles for each user in the system. You also determine the environments that are available for each user, and set up display preferences, such as language. These steps outline the high-level process for setting up user profiles.
1.

Create all of the role profiles for the enterprise. See Setting Up Roles.

2. 3.

Create a user profile for every user. Assign to each role or user these preferences: Environments, to determine the environments that you want to be available to each role or user. Environments are assigned at the role level only. Display preferences, to determine JD Edwards EnterpriseOne display characteristics such as language, date format, and country code. The Display preferences are controlled on the User Profile Revisions form.
Note:

If you are setting up user profiles during the installation process, you must sign in to the deployment server using the deployment environment. After you have completed the installation process, you can add or modify user profiles from any machine except the deployment server.

Working with User and Role Profiles

3-3

Setting Up User Profiles

3.4.1.1 User Profile Creation and Modification


The user profile defines certain setup and display features, such as access to Fast Path, language, date format, or country code. If you select a country code for a user, the menu filtering process displays for that user any special menu selections unique to that country code. For example, if you enter CA (Canada), that user would see the Canadian Tax Information application on the appropriate menu, which users without that country code would not see.

3.4.1.2 Batch Process for Creating User Profiles


If address book records already exist for employees, you can run a batch process to automatically create user profiles from those address book records. This process can save time, ensure accuracy between the Address Book and user profile records, and ease the transition of taking JD Edwards EnterpriseOne to production. You can create user profiles through the Populate User Profiles batch application (R0092). With this process, you can assign display and environment preferences to users. This process enables you to create hundreds of new user profiles at a time.

3.4.1.3 Report Used for Reviewing User Profiles


The Summary of Environments, Packages and Profiles report (R00921) enables you to review a list of user and role profile definitions. This report summarizes the environment or environments assigned to a role and lists the users in the role. JD Edwards EnterpriseOne provides two default versions that enables you to summarize either all roles or only specific roles.

3.4.2 Understanding How to Add Users


You can create user profiles one at a time by using the User Profile Revisions application, or you can simultaneously create multiple profiles by using batch processes.
Note:

This section is a checklist for all the steps needed to add a new user. These steps do not address third-party setup issues such as assigning network user IDs.

3.4.2.1 How to Add an Individual User


If you need to add only a few users, use the User Profile Revisions program. The following list details the steps for adding user profiles one at a time.
1. 2. 3. 4. 5. 6. 7. 8.

If you plan to create a new role for the user, add an address book record with a valid search type code (for example, E for employee). If the existing role profiles are not acceptable for the new user, add a role profile. Add an address book record for the new user. Add a user profile. Add sign-in security records for the user. Use Security Workbench (P00950) to add any security overrides for the user if the user needs different security than the roles to which the user belongs. Populate the machine table for the user's machine. Use User Overrides Revision (P98950) to add any new user overrides for the user if the user needs different user overrides than the role to which the user belongs.

3-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up User Profiles

3.4.2.2 How to Add Multiple Users


When you are ready to create user profiles for the first time, you might need to create hundreds of profiles simultaneously. In this case, JD Edwards EnterpriseOne provides batch processes to create the profiles. These batch processes automate the process of user profile creation. When you decide which role to assign to a user, consider application security as the most important role because:

Application security has the most extensive setup. Managing overrides to the role security is more difficult than, for example, managing overrides to deployment preferences.
Note:

Sign-in security is not based on roles because individuals must have their own passwords. A program exists with sign-in security to quickly create individual security records by role; however, after the records are created, security is assigned by an individual.

The following list details the steps that you need to perform when you add multiple user profiles simultaneously.
1. 2. 3.

Using the Address Book application (P01012), create address book records for roles that you will use in user profiles. Using the User Profile Revisions application, add the role profiles. Populate the various Address Book tables. If you are migrating data from a non-JD Edwards EnterpriseOne system, you can populate the data tables with a table conversion. Otherwise, you can manually add data to the Address Book tables.

4.

Run the Populate User Profiles (R0092) batch process to create user profile records from existing Address Book records. Normally, this report is based on address book records with a search type for employees (E).

5.

Adjust each user's role assignments. Determine the role in which you want to place an individual and manually assign each user to a role. These settings are dictated by role: Environments User Overrides Application Security

6. 7. 8.

Run the Summary of Environments, Packages and Profiles batch process (R00921) to view the new user profiles. Use Security Workbench (P00950) to apply application, action, and processing option security for roles and any individual overrides to those roles. Create sign-in security records using the EnterpriseOne Security application (P98OWSEC). You can create sign-in security records for all individuals within a role by entering one record for the role.

Working with User and Role Profiles

3-5

Setting Up User Profiles

9.

Manually populate the F00960 table. This table is automatically populated each time a machine signs in to JD Edwards EnterpriseOne. However, if you intend to use schedule packages, you must manually populate this table.

10. Create user overrides for roles.

Normally, you will not create any overrides for individuals because they can easily create their own as they use the software.

3.4.3 Prerequisites
Before you complete the tasks in this section:

Create all of the role profile information by using the User Profile Revisions application. Define: Role profiles. Environments that each role can access.

3.4.4 Forms Used to Set Up User Profiles


Form Name Work With User / Role Profiles FormID W0092D Navigation System Administration Tools (GH9011), User Management, User Profiles (P0092). On the Work With User/Role Profiles form, click Add or select a record and then click Select. On the Work With User/Role Profiles form, select Copy Environment from the Row menu. On User Profile Revisions, select Bus Preferences from the Form menu. Report Management (GH9111), Batch Versions (P98305) Usage Locate and review existing roles and profiles records and access additional forms. Create, modify, or copy a user profile.

User Profile Revisions W0092A

User Environment Revisions

W0092C

Copy environment preferences from one user profile to another. Assign or delete environments from user profiles. Assign business preferences to user and role profiles. Run the Populate User Profiles batch application (R0092) and the Summary of Environments, Packages and Profiles report (R00921).

Business Preferences

W0092E

Work With Batch Versions - Available Versions

W98305A

3.4.5 Setting Processing Options for User Profile Revisions (P0092)


Access the Processing Options form. Select the A/B Validation tab.
1.

Enter 1 to enable Address Book validation.

3-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up User Profiles

When enabled, this processing option validates each new user ID against the Address Book Master (F0101) table upon the creation of a user profiles. Upon creation of a user profile, each new user ID is validated against the F0101 table. As a result, you cannot create a user profile for a user who is not already defined in the F0101 table. We recommend that you enable this setting to ensure that Work Center operates correctly. That application requires valid address book numbers.
2.

Enter 0 (or leave blank) to disable Address Book validation. When disabled, this processing option allows you to create user profiles for Address Book entries that do not yet exist in the F0101 table.

3.4.6 Creating and Modifying User Profiles


Access the User Profiles Revision form.
User ID

The code that identifies a user profile.


WhosWhoLineID

A number that identifies an entry in the Address Book system, such as employee, applicant, participant, customer, supplier, tenant, or location.
Batch Job Queue

The computer waiting line that a particular job passes through. If blank, it defaults to the job queue specified in the user's job description.
Language

A user defined code (01/LP) that specifies the language to use on forms and printed reports. Before you specify a language, a code for that language must exist at either the system level or in the user preferences.
Justification

An option that determines how text is to be read, left to right or right to left. This option is enabled only when Arabic is selected as the language. For all other languages, the system automatically selects the left to right option.
Set Accessibility Mode

An option that enables the JD Edwards EnterpriseOne web client to be accessible through the JAWS screen reader software for visually impaired users. The option is deselected by default when a user profile is created.
Date Format

The format of a date as it is stored in the database. These date formats are valid: YMD, MDY, DMY, EMD. If you leave this field blank, the system displays dates based on the settings of the operating system on the workstation. With NT, the Regional Settings in the Control Panel control the settings for the operating system of the workstation.
Date Separator Character

The character to use when separating the month, day, and year of a given date. If you enter an asterisk, the system uses a blank for the date separator. If you leave the field blank, the system uses the system value for the date separator.
Decimal Format Character

The number of positions to the right of the decimal that you want to use. If you leave this field blank, the system value is used as the default.

Working with User and Role Profiles

3-7

Setting Up User Profiles

Localization Country Code

A code that identifies a localization country. It is possible to attach specific county functionality that is triggered baed on this code using the country server methodology in the base product.
Universal Time

A code that you use to associate a time zone with a user's profile. This code represent the user's preferred time zone, and it must be a value from the UDC table (H91/TZ).
Time Format

A value that determines the user's preferred format for time-of-day. The user can choose from a 12- or 24-hour clock.
Daylight Savings Rule

The rule name that specifies the daylight savings rule for a region or country. See "Creating Daylight Savings Rules" in the JD Edwards EnterpriseOne Tools System Administration Guide.

3.4.7 Copying User Profiles


Access the Work With User/Role Profiles form.
1.

To copy an entire profile (the display and deployment preferences), select a user ID in the grid area, and then click Copy. The User Profile Revisions form appears. Because this action creates a new profile, the user profile that you create cannot already exist in JD Edwards EnterpriseOne.
Note:

Environments are assigned at the role level. See Add Environments.

2. 3.

In the User/Role field, enter a user ID to copy the profile into and change any other information. Click OK.

3.4.8 Assigning Business Preferences to User Profiles


Access the Work With User/Role Profiles form.
1. 2. 3. 4.

Click Find. Select a user profile, and then click Select. On the User Profile Revisions form, from the Form menu, select Bus Preferences. On the Business Preferences form, complete any of these fields and click OK: Industry Code This field associates the user profile with a specific industry, such as manufacturing. Business Partner Code This field associates the user profile with a specific business partner. Customer Code This field associates the user profile with a specific customer.

3-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up User Profiles

Note: Click Cancel on the Business Preferences form to cancel the addition of the current business preference.

3.4.9 Creating Profiles by Using a Batch Process


Access the Work With Batch Versions - Available Versions form.
Note:

If you need to add just a few users, you should use the User Profile Revisions application.

1. 2. 3. 4.

Enter R0092 in the Batch Application field and click Find. Select the JD Edwards EnterpriseOne default version (XJDE0001) or the equivalent for the installation, and then click Select. On the Versions Prompting form, click Data Selection, and then click Submit. On the Data Selection form, create a logic statement that describes the set of users for which you want to create profiles. This form already has a search type of E (employees) populated, which assumes that the users are all employees. You might want to narrow this selection by submitting it for only a range of employees. After you complete the Data Selection form, the Processing Options form appears.

5.

On the Processing Options form, enter: One of these values for option 1: Enter 1 to run this report in proof mode, which provides an example of what would happen if you were to run the report in final mode. Leave blank to run this report in final mode, which creates the user profiles that you specified and creates a report showing the profiles created. One of these values for option 2 to define the user profile record being created for each user: Enter 1 to populate the User ID field with the users' address book numbers plus their initials. Typically, user profiles are created with the users' initials preceding their Address Book number. Leave this field blank to use just the address book number. Complete these user profile fields for option 2: Fast Path Language Date Format Data Separator Character Data Format Character Country

3.4.10 Reviewing User and Profile Definitions


Access the Work With Batch Versions - Available Versions form.

Working with User and Role Profiles

3-9

Setting Up Roles

1.

Select a version and click Select. Default version XJDE0001 creates a report for all role profiles in the enterprise. Default version XJDE0002 creates a report about a specific role profile that you specify.

2. 3. 4.

On the Versions Prompting form, click Data Selection and click Submit. On the Data Selection form, create a logic statement that describes the role profiles that you want to summarize. Click OK.

3.5 Setting Up Roles


This section provides overviews of user roles, role-to-role relationships, the sign-in Role Chooser, the menu filtering Role Chooser, workstation initialization file parameters, and discusses how to:

Create and modify roles. Migrate roles. Sequence roles. Add an environment to a role. Assign business preferences to a role. Set up a role relationship. Enable the Role Chooser. Create role-to-role relationships. Revise role relationships. Delegate roles. Add roles to a user. Add users to a role. Copy user roles. Add a language translation to a role.

3.5.1 Understanding User Roles


As part of the system setup, you must define the roles for users in the organization. Roles define the tasks that users see when they work in the JD Edwards EnterpriseOne Menu and determine what authority the users have in JD Edwards EnterpriseOne. After you have defined a role, you can associate users with it and apply security to it to provide the appropriate level of access to JD Edwards EnterpriseOne functions. You can assign more than one user to a role, or you can assign more than one role to a user. To establish a role relationship, you use the Role Relationships application (P95921), which enables you to add, remove, or revise a role relationship for a user. Role relationships are revised by removing an assigned role or by changing the expiration date for an assigned role. Assigning roles accomplishes these purposes:

Users see only those tasks and perform only those activities that relate to their jobs.

3-10 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Roles

For example, a user acting in the role of accounts payable clerk might not need to see all of the tasks that an accounts payable manager would need to see. You can create both of these roles and define a different set of tasks for each one.

Users can have multiple roles. Within an organization, a user might have many responsibilities, none of which are defined by a single role. A user who is assigned multiple roles can switch roles according to the work required.
Note:

Security for a user is not affected when a user changes a role after signing on to JD Edwards EnterpriseOne; only menu filtering and the display of menu information is affected for that user. The security applied to a user is based on how a user signs-on to the system.

Administrators can set up security based on user roles. A user's access to applications, forms, table columns, data sources, and so on is based on one or more roles to which the user is assigned.
Note:

JD Edwards EnterpriseOne stores the role descriptions in the F00926 table. If you previously defined roles using the UDC table H95/RL, you can run the Populate Role Descriptions From F0092 report (R89959211) to populate the Anonymous User Access Table with those older role descriptions.

This table summarizes the steps an administrator must perform to set up roles for users:
Administrative Step Populate the User Profile table with roles that are stored in UDC H95/RL during Roles Phase I. Run a program to populate the Role Relationships table. Create roles. Applications Used R89959211, R89959212 Forms Used Not applicable (NA). Tables Used F00926, F0092

R8995921 P0092 (User Profile Revisions)

NA. W0092A (User Profile Revisions); Form exit from the Work With User Profiles form (W0092D). W0092L (Work With Role Sequences); Form exit from the Work With User Profiles form.

F0092, F95921 F0092

Sequence the roles.

P0092

F00926

Create role relationships that associate users with roles. Add security to roles.

P95921 (Role Relationships) P00950 (Security Workbench)

W95921A (Work With F95921 Role Relationships). Various, depending on type of security to be applied to each role. F00950

Working with User and Role Profiles 3-11

Setting Up Roles

The Portal, JD Edwards Solution Explorer, and client workstations use the role relationships data in the F95921 table (Role Relationships) and various APIs to retrieve data and allow users to have assigned roles. You use JD Edwards EnterpriseOne to administer defined roles for which you have created role relationship records. You can add large numbers of roles to a single user, and you can add large numbers of users to a single role relationship record. You can also use JD Edwards EnterpriseOne to specify the language that is used for the description of a new role. After you have created one or more role relationships for a user, you can revise the relationships. Role relationships are revised by removing an assigned role or by changing the expiration date for an assigned role. You can also exclude an assigned role from *ALL or add a role to *ALL that was previously excluded. In addition, you might want to delegate one or more of the roles to another user if a particular user will be unavailable. When you delegate the role relationship records, you can copy existing records to another user. You cannot add role relationships to another user unless those roles are already assigned to you.
See Also:

"Applying Roles to a Task" in the JD Edwards EnterpriseOne Tools Solution Explorer Guide. Using Security Workbench.

3.5.2 Understanding Role-to-Role Relationships


You create lists of roles that are subsets of another role. For example, you might create an ADMIN role that includes users with the greatest number of administrative responsibilities and the broadest access to applications in JD Edwards EnterpriseOne. You might also create other roles that include individuals with limited administrative responsibilities and access to fewer applications in JD Edwards EnterpriseOne. If you create a distribution list based on roles, you might want to include on the list all roles with some level of administrative responsibility. Anyone in a role that is part of the distribution list would receive messages sent to the ADMIN role. You use the Work With Distribution Lists form to add or remove roles from the distribution list as needed. Work With Distribution Lists does not influence how security is applied. It only helps to define workflow e-mail distribution lists.

3.5.3 Understanding the Sign-In Role Chooser


When signing into JD Edwards EnterpriseOne, if enabled, users can use the Role Chooser to select a particular role from a list of valid roles. In the Role Chooser, users can either select a particular role or *ALL. You can limit the freedom that a user has to select roles by disabling the Role Chooser. With the Role Chooser disabled, the user must enter JD Edwards EnterpriseOne with *ALL. At the JD Edwards EnterpriseOne sign-in form, the user enters a user ID and password. The user must then enter a valid environment and role before entering JD Edwards EnterpriseOne. User roles and assigned environments are dependent on each other. The user can select an environment, which then determines what roles appear in the Role Chooser; or the user can select a role, which determines the environments that appear in the Environment Chooser. The option for enabling the Role Chooser is a global setting. When enabled, it applies to all users in the system.

3-12 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Roles

This table summarizes the scenarios that can occur when the user encounters the Environment and Role fields at sign-in on the Microsoft Windows client, and the behavior of JD Edwards EnterpriseOne in each scenario:
Sign-in Scenario User enters values in both the Environment and Role fields. User enters a value only in the Role field. User enters a value only the Environment field. User does not enter a value in either the Environment field or the Role field. JD Edwards EnterpriseOne Behavior The software validates the role against the environment. If the role is not valid for the chosen environment, the Environment Chooser appears and the user must choose a valid environment for the role. The Environment Chooser displays only the valid environments for the chosen role. The Role Chooser displays only the valid roles for the user and the chosen environment. The Role Chooser appears, containing the valid roles for the user and the default environment that is defined in the jde.ini file, followed by the Environment Chooser, containing only the valid environments for the chosen role. If you do not enter an environment, the Role Chooser displays the roles that are assigned to the default environment, which is defined in the jde.ini file.

3.5.4 Understanding the Menu Filtering Role Chooser


In P95921, you can select the "Choose role on Menu filtering page" option to give users the ability to filter menus by role in the EnterpriseOne Menu. When enabled, the JD Edwards EnterpriseOne web client displays the Role drop-down menu above the EnterpriseOne Menu. From the Role drop-down menu, users can select *ALL (All My Roles) to view a concatenated list of all the tasks enabled for every role that is included in the *ALL role. Alternatively, users can select a particular role from the Role drop-down menu and the system displays only the tasks enabled for that role in the EnterpriseOne Menu. The "Choose role on Menu filtering page" option is a global setting. When enabled, it applies to all users in the system. In order for users to filter menus by role:

The system administrator must enable the "Choose role on Menu filtering page" option in P95921. Users must sign in using *ALL.
Note:

If a user signs in to JD Edwards EnterpriseOne using a particular role instead of *ALL, then the system only displays the tasks in the EnterpriseOne Menu for that role; the user cannot select a different role in the EnterpriseOne Menu.

See Also:

Enabling the Role Chooser. Understanding User Roles.

Working with User and Role Profiles 3-13

Setting Up Roles

3.5.5 Understanding Workstation Initialization File Parameters


At the JD Edwards EnterpriseOne sign-in, you can select one or more roles, depending on how many are assigned to you. If you select *ALL, you enter JD Edwards EnterpriseOne in all of the assigned roles that are flagged as Include in *ALL. Two parameters relate to roles in the workstation jde.ini file. These parameters are defined by the administrator when JD Edwards EnterpriseOne is first configured, so you should not have to perform this task when performing routine administrative tasks. This table shows the parameters, the .ini file section in which they are found, and the default settings:
Jde.ini Parameter LASTROLE Jde.ini Section [SIGNON] Default Setting *ALL Defines the role that appears for the user at sign-in. Default Role [DB SYSTEM SETTINGS] *ALL

The LASTROLE parameter value defines the role that appears in the sign-in screen when JD Edwards EnterpriseOne is launched.

3.5.6 Forms Used to Set Up Roles


Form Name Work With User / Role Profiles FormID W0092D Navigation Systems Administration Tools (GH9011), User Management, User Profiles (P0092). Usage Locate and review existing roles and access additional forms to add or revise roles.

User Profile Revisions W0092A

Create a role or revise On the Work With information for an User/Role Profiles form, from the Form menu, select existing role. Add Role. Click the Roles Only option, click Find, select a role, and then click Select.

Work With Role Sequences

W0092L

On the Work With Define the sequence of User/Role Profiles form, roles. from the Form menu, select Role Sequence. On the Work With User/Role Profiles form, select a role, and then select Environments from the Row menu. On the Work With User/Role Profiles form, select Role Relationships from the Form menu. On the Work With Role Relationships form, select a role from the Available Roles tree and click the left-arrow button. Add an environment to a role.

User Environment Revisions

W0092C

Work With Role Relationships

W95921A

Set up, revise, and remove roles for a user.

Role Revisions

W95921C

Enter dates on which you want the role to start and end (optional). You can also select an option to add the role to the user's *ALL sign-in.

3-14 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Roles

Form Name Enable/Disable Role Chooser

FormID W95921E

Navigation On the Work With Role Relationships form, select Enable Role Chooser from the Form menu. On the Work With Role Relationships form, select Distribution Lists from the Form menu. On the Work With Role Relationships form, select Roles Delegation from the Form menu.

Usage Enable user to choose role from a list of all assigned roles at sign-in. Create role-to-role relationships that help define workflow r-mail distribution lists. Delegate role relationship records to other users.

Work with Distribution Lists

W95921A

Work With Delegation Relationships Add Roles to User

W95921J

W95921P

On the Work With Role Add roles to a user. Relationships form, from the Form menu, select Add Roles to User. Add users to a role On the Work With Role Relationships form, from relationship record. the Form menu, select Add Users to Roles. On the Work With Role Copy roles from one user to another. Relationships form, complete the User field and click Find. Click Copy. On the Work With User/Role Profiles form, click the Roles Only option. Select a role, and from the Row menu, select Role Description. On the Work With Language Role Descriptions form, click Add. View a role to which you want to add a language translation. Change a role description. Add or revise a description of the language translation.

Add Users to Roles

W95921Q

Copy User Roles

W95921O

Work With Language Role Descriptions

W0092J

Language Role Description Revisions

W0092I

3.5.7 Creating and Modifying Roles


Access the Work With User/Role Profiles form.
1.

Perform one of these operations: To create a new role, select Add Role from the Form menu. To modify an existing profile, click the Roles Only option; click Find and select a role in the detail area; and then click Select.
Note:

You cannot add a role by clicking the Add button on the toolbar of the Work With User/Role Profiles form.

2.

On the Role Revisions form, enter the name of the role, such as ACCOUNTING, and a description in the Role field. When you modify a role profile, this field displays the name of the role.

3.

In the Sequence Number field, enter a number to specify the sequence number of the role in relation to other roles.

Working with User and Role Profiles 3-15

Setting Up Roles

For a user assigned to more than one role, the sequence number determines which role is chosen when a security conflict exists among the different roles.
4.

Complete any of the remaining fields, as necessary, and click OK.

3.5.8 Migrating Roles


On a client machine, open the Batch Versions application in JD Edwards EnterpriseOne, and run these universal batch engines (UBEs) to migrate generic roles into the environments.

3.5.8.1 Run the TC R89959211


Table Conversion (TC) R89959211 takes all of the current roles in the UGRP field in the Library Lists - User table (F0092) and adds a Description record for them in the Anonymous User Access Table (F00926). Both the role and description are populated with the group name (for example, OWTOOL). A sequence number is added to the record in the F00926 table as well. This sequence number begins at 1500 and increments by 5 with each record that is written. This TC has no processing options. The performance of this TC is directly dependent upon the number of *GROUP records in the F0092 table. It should finish quickly. After processing, this TC produces no report. To verify that the table conversion completed, open the Universal Table Browser (UTB) and check the F00926 table for some of the groups that are defined in the F0092 table. For example, check the field USER for OWTOOL, the field ROLEDESC for OWTOOL, and the field SEQNO for a sequence number that is greater than 1500.

3.5.8.2 Run the TC R8995921


TC R8995921 takes all of the current user profile records in the F0092 table and inserts a user/role relationship record that is based on the F0092.USER and F0092.UGRP tables. The record that is added to the F95921 table contains the user, role (formerly the group for this user in the F0092 table), and effective and expiration dates. Some of these values are based upon the values in the processing options. The recommended processing option values are:

Final/Proof Modes It is recommended that the TC be run in proof mode first. This mode inserts records to the F95921 table, but it does not remove the group from the user's profile. After the UBE is successfully run in proof mode, check some of the records in the F95921 table to see if they were added successfully. You can re-run the TC in final mode with the same processing options. A new record is not inserted for the user if the effective date is the same as the previously run TC's effective date, so you only remove the group data from the F0092.UGRP field for that user.

Effective Date The start date of the role relationship. With current users (those in F0092 table), you want to use the date that the TC is run. (When running in final mode, use the date that the TC was run in proof mode to prevent the system from adding a new set of records into the F95921 table.) This field must not be modified within the role relationship record later.

Expiration Date

3-16 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Roles

The end date of the role relationship. If this date is left blank, the relationship never expires. The role will expire at the beginning of the day of the date that you enter. With the current users (those in the F0092 table), you should leave this blank so they do not expire from their current group or role. This field can be modified within the role relationship record later.

Included In All This flag indicates that the security of this role is applied when the user chooses to enter JD Edwards EnterpriseOne under the role of *ALL. Use this flag if a user is being added to a sensitive role, such as Payroll or PVC. This field can be modified within the role relationship record later.

The performance of this TC directly depends upon how many user records are in the F0092 table. It should finish quickly. This TC produces no report. To verify that the TC completed in proof mode, open the UTB and check the F95921 table for some of the users who were defined in the F0092 table. See that their old group (F0092.UGRP) is now their Role F95921.RLFRROLE. To verify that the TC has completed in final mode, view the F0092 table through the UTB, and verify that no data is in the UGRP fields.

3.5.8.3 Sequence the Roles


All roles must be assigned a valid sequence number greater than zero in order for the security associated with the role to be applied correctly. The previous UBE and TCs sequence the roles, but probably not in the desired order. Sequence the roles through the Sequence Roles menu option. This displays all of the current roles in a parent/child tree. Expand the tree and view the current sequence number. You can drag and drop these roles into the desired sequence. You must click the exit Set Sequence to commit the roles sequence to the database.

3.5.8.4 Add Environments


Environments are added to roles. When a user selects a particular role at sign-in, the environments that are associated with that role appear in the Environment Selection List form. If the user selects *ALL environments, all of the environments that are associated with all of the users roles which have been marked as "included in all" appear in the Environment Selection List form. All environments are validated against the user's pathcode.

3.5.8.5 Set up the JDE.INI/JAS.INI file


Open the jde.ini file and jas.ini file and verify these settings:
Note:

You should not have to add or change these settings.

[SECURITY] DefaultRole=*ALL [REPLICATION] DefaultRole=*ALL [SIGNON] LastRole=<Users Last Role> This value is populated when a user signs into JD Edwards EnterpriseOne. [DB_SYSTEM SETTINGS]

Working with User and Role Profiles 3-17

Setting Up Roles

DefaultRole=*ALL

3.5.8.6 Server Executables


Run a PortTest.

3.5.8.7 Set Up Security


Complete these Universal Batch Engines (UBEs) to set up user security.

3.5.8.8 Run the UBE R98OWPU


UBE R98OWPU performs a select distinct on the F98OWSEC table to find all unique combinations of Proxy (System) User and Data Source. After these records are found, the UBE inserts this record into the F98OWPU table. The record contains the Proxy User, Data Source, Password, and audit information.
Note:

This UBE must be run locally because the business function resides only on the client machine.

This UBE has no processing options. The performance of this UBE is directly dependant upon how many system users are associated with user records in F98OWSEC table. It should finish quickly. To verify that the UBE completed successfully, open the UTB and check the F98OWPU table for some of the system users that are in F98OWSEC table. If you want to change a system user password, you have to change it only once for each system user and not for every record in the F98OWSEC table that contains the system user.

3.5.8.9 Run the UBE R98OWUP (Optional)


UBE R98OWUP updates the current F98OWSEC table records, based upon the processing options that you select. This UBE can populate these new fields for current users, as their F98OWSEC table records do not contain values for these options:

Password Change Frequency Allowed Sign-in Attempts Enable / Disable User Daily Password Change Limit Force Password Change

Set these procession options:

Proof or Final Indicates whether to run in proof or final mode. Proof mode does not commit records.

Password Change Frequency For a given user, this option determines the maximum number of days before the system requires a password change.

Allowed Attempts

3-18 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Roles

The number of times that uses can unsuccessfully attempt to log on before their JD Edwards EnterpriseOne account is disabled.

Enable/Disable User Indicates if the user's account is enabled or disabled. A disabled account is not allowed into JD Edwards EnterpriseOne.

Daily Password Change Limit The number of times that users can change their password in one day. Because the last ten passwords of a user are stored in the BLOB, it is a security hole to allow users to change their password as many times as they want. If users want to keep their current password, they can change it 11 times in one day so that they are not back to the original.

Force Immediate Password Change This option requires users to immediately change their password. You might not want to set this option for all users.

The performance of this UBE is directly dependant upon how many system users are associated with user records in the F98OWSEC table. It should finish quickly. To verify that the UBE completed successfully, access the User Security application (P98OWSEC), and find a user or role whose record should have changed. Verify that the values are correct.

3.5.9 Sequencing Roles


The Work With Role Sequences form contains all of the roles that you defined and enables you to assign a sequence to the roles. The sequence defines a hierarchy of roles and determines which role is used when a security conflict exists among roles when a user signs in as *ALL. The Windows client and Web client differ as to how they use the role sequence to determine which security record is applied. The Web client only checks the first role in the role sequence to determine the security for an application, form, column, row, and so forth. The Windows client checks all the roles in *ALL for security, but uses the role sequence to determine which role to use when there are duplicate security records. This is an example of duplicate security records in which the JD Edwards EnterpriseOne Windows client is forced to use the role hierarchy to determine which security record to apply: A user signs in as *ALL. The *ALL has two roles associated with itRole 1 and Role 2.

Role 1 = Form A is secured; no access allowed. Role 2 = Form A is not secured; access allowed.

Because of the conflict in security between these two roles, JD Edwards EnterpriseOne uses the information in the role sequence to determine which role to use for security. If Role 1 was higher in the sequence, then the security for that role is applied. In this same example, if each of these roles had different security records for the same security type, the system would apply the security as defined by both records. For example, if Role 1 does not allow users to view column A and Role 2 does not allow users to view column B, the user would not be able to view either column on the form. You can configure the JD Edwards EnterpriseOne Web client to use the same role sequencing functionality as the Windows client. This is recommended if you are migrating from the Windows client to the Web client. To enable this functionality in

Working with User and Role Profiles 3-19

Setting Up Roles

the Web client, use Server Manager to configure the following setting in the [OWWEB] section of the JAS.INI: userRoleHierarchy=true Access the Work With Role Sequences form.
1.

Select a role from the tree structure and drag it to the point in the sequence that you want.
Note:

The system checks the sequence of roles in descending order.

2. 3.

After you have set the order that you want, select Set Sequences from the Form menu and click Close. If you decide you do not want to change the sequence, select Close Without Set from the Form menu and click Close.

3.5.10 Adding an Environment to a Role


Use the Work With User/Role Profiles form to assign one or more environments to a role or to change an existing environment for a role. When a user signs in to JD Edwards EnterpriseOne, the Environment Chooser and Role Chooser present each user with a list of valid roles and environments. Access the Work With User/Role Profiles form.
1.

Select the Roles Only option and click Find.


Note:

The Both Users and Roles option also enables you to perform the same task, although the Roles Only option is the simplest way to add an environment.

2. 3.

Select a role from the detail area of the grid, and select Environments from the Row menu. On the User Environment Revisions form, in the Display Seq. (display sequence) column, specify the order in which the environments will be presented in the Environment Chooser at JD Edwards EnterpriseOne sign-in. In the Environment column, click the search button to select an environment, and then click OK:
Note:

4.

If you want to change an existing environment for a role, enter a new value for the Environment parameter and click OK.

3.5.11 Assigning Business Preferences to a Role


Access the Work With User/Role Profiles form.
1. 2. 3. 4.

Click Find. Select a role, and then click Select. On the Role Revisions form, from the Form menu, select Bus Preferences. On the Business Preferences form, click the search button in the Industry Code field to associate the role with a specific industry, such as manufacturing.

3-20 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Roles

5. 6.

In the Business Partner Code field, click the search button to associate the role with a specific business partner. In the Customer Code field, click the search button to associate the role with a specific customer.

3.5.12 Setting Up a Role Relationship


Access the Work With Role Relationships form.
1.

Complete the User field and click Find. The system displays the user's assigned roles and the available roles in separate tree controls.

2. 3.

Select a role from the Available Roles tree control and click the left arrow button to add it to the list of assigned roles. On the Role Revisions form, enter an effective date if you want an effective date that is different from today's date. Today's date is the default value for the Effective Date field. If you do not use the default value, enter a date later than today's date; otherwise the software returns an error message.

4.

Enter an expiration date in the Expiration Date field, if one is needed. The role will expire at the beginning of the day of the date that you enter. The role will not expire if you do not complete the Expiration Date field.

5.

Select the Include in ALL* option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles, and click OK. If you do not select the Include in *ALL option, this role will not be part of the active roles when the user enters JD Edwards EnterpriseOne using *ALL as his role at sign-in. To activate a role that is not included in *ALL, the user must select that particular role when signing on to the system. The chosen role will be the only active role during that session.

3.5.13 Enabling the Role Chooser


Access the Work With Role Relationships form.
1. 2.

From the Form menu, select Enable Role Chooser. To enable users to select a role from a list of assigned roles at sign-in, on the Enable/Disable Role Chooser form, select the "Choose role on Login page" option. If you do not select this option, users must enter JD Edwards EnterpriseOne using *ALL.

3.

To enable users to filter menus by role in the EnterpriseOne Menu, select the "Choose role on Menu Filtering page" option.
Note:

Both the Role Chooser and Menu Filtering Role Chooser options are global settings. When enabled, they apply to all users in the system.

3.5.14 Creating Role-to-Role Relationships


Access the Work With Role Relationships form.

Working with User and Role Profiles 3-21

Setting Up Roles

1. 2. 3. 4.

From the Form menu, select Distribution Lists. On the Work With Distribution Lists form, complete the Role field and click Find. To add a role to the distribution list, select a role from the Available Roles tree control and click the left-arrow button. On Role Revisions, complete these fields and click OK: Effective date Enter an effective date if you want the delegation to occur at a date other than the current date. Expiration date Include in *All Select this option if you want the role to be one that the user can use if the user enters JD Edwards EnterpriseOne playing all roles.

5.

Select the *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles. JD Edwards EnterpriseOne adds the role to the Assigned Roles tree control.

6.

To remove a role from the distribution list, select a role from the Assigned Roles tree control and click the right-arrow button.
Note:

JD Edwards EnterpriseOne does not currently support multilevel roles.

3.5.15 Delegating Roles


Access the Work With Role Relationships form.
1. 2.

From the Form menu, select Roles Delegation. On the Work With Delegation Relationships form, complete the Delegate field by entering the user ID of the user being delegated to and click Find. The roles of the user who is delegating appear in the Available Roles tree control. The roles of the user who is being delegated to appear in the Assigned Roles tree control.

3. 4.

To delegate a role, select the role from the Available Roles tree control and click the left-arrow button. Complete these fields and click OK: Effective date Enter an effective date if you want the delegation to occur at a date other than the current date. Expiration date

5.

Select the *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles. JD Edwards EnterpriseOne adds the delegated role to the Assigned Roles tree control on the Work With Delegation Relationships form.

3-22 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Roles

Note:

You can use the right-arrow button in the Work With Delegation Relationships form only to remove a role that you delegated to another user. If you try to remove a role that you did not delegate to the user, the software will display a dialog box notifying you that the action is invalid.

3.5.16 Adding Roles to a User


The Add Roles to User form enables you to copy one or more role relationship records to a single user, which is a particularly useful action if you want the user to play many roles. You can copy as many records as you want at one time. Access the Work With Role Relationships form.
1. 2. 3.

From the Form menu, select Add Roles to User. Complete the User ID field and click Find. Select the roles that you want to add to the user and click Select. Hold down the Control key to select more than one role to add.

4.

On the Role Revisions form, complete these fields: Effective Date Enter a date if you want the effective date to be different from the current date. Expiration Date The role will expire at the beginning of the day of the date that you enter. Include in *All

5. 6. 7.

Select the *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles. Click OK. If you are adding more than one role relationship record, complete the Role Revisions form for each record that you are adding.

3.5.17 Adding Users to a Role


Access the Work With Role Relationships form.
1. 2. 3.

Select Add Users to Roles from the Form menu. Complete the Role field and click Find. Select the users that you want to add to a role and click Select. Hold down the Control key to select more than one user to add.

4.

In the Role Revisions form, complete these fields: Effective Date Enter a date if you want the effective date to be different from the current date. Expiration Date Include in *All

Working with User and Role Profiles 3-23

Setting Up Roles

5. 6. 7.

Select the *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles. Click OK. If you are adding more than user record, complete the Role Revisions form for each record you are adding.

3.5.18 Copying User Roles


You can copy the role relationship records of one user to another from Role Relationships (P95921). You can either copy and add the records, which means that JD Edwards EnterpriseOne adds the copied records to the user's existing records; or you can copy and replace the records, which means that the copied records replace the user's existing records. Access the Work With Role Relationships form.
1.

Complete the User field and click Find. The user's roles appear in the Assigned Roles tree control.

2. 3.

Click Copy. On the Copy User Roles form, select one of these options: Copy and Add Copy and Replace

4. 5.

Complete the To User field to specify the user to whom you want the records copied. Click OK.

3.5.19 Adding a Language Translation to a Role


Using the Language Role Description Revisions form, you can either set up the translation of any role that you have defined, or you can change role descriptions for any language. If you want to view the descriptions of any role in all the languages into which it is being translated, use the Work With Language Role Description form. Access the Work With User/Role Profiles form.
1.

Select the Roles Only option.


Note:

The Both Users and Roles option also enables you to perform this task.

2. 3. 4. 5. 6.

Select a role from the detail area of the grid and select Role Description from the Row menu. To add a language to a role, click Add. On the Language Role Description Revisions form, in the Role field, enter the name of the role to which you want to add a language. In the Language field, click the search button to select a language from the list of supported languages. Enter a description of the role in the Role Description field, and then click OK.

3-24 JD Edwards EnterpriseOne Tools Security Administration Guide

4
4

Employing Sign-in Security

This chapter contains the following topic:

Section 4.1, "Understanding Sign-in Security"

4.1 Understanding Sign-in Security


This section discusses:

Sign-in security overview. Security table access. Password encryption. Sign-in security setup. Process flow for sign-in security. Sign-in security for web users.

4.1.1 Sign-In Security Overview


JD Edwards EnterpriseOne security runs on a logic server in a dedicated internal process. You create a security table on the data server that stores information, such as:
Value EnterpriseOne User EnterpriseOne Password System User and System Password Description The user ID used to sign in to JD Edwards EnterpriseOne. The user's password, which the software validates when the user signs in to JD Edwards EnterpriseOne. The actual user and password used to connect to all database management systems (DBMS). If the JD Edwards EnterpriseOne environment includes more than one DBMS, you can create different system users and passwords for each data source. The frequency of password changes required by the software. The date that the password was last changed.

Change Frequency Last Change

You must define a security record for each user either by group or by individual. It is recommended that you map multiple users to the same system user. For example, each user can use the same system user that the software uses to connect the database

Employing Sign-in Security

4-1

Understanding Sign-in Security

management systems. By setting up the security in this manner, you can simplify database administration of users and passwords. You can also set up unified logon with JD Edwards EnterpriseOne to simplify sign-in security. When you set up unified logon, JD Edwards EnterpriseOne uses Windows Authentication to verify security. This verification enables sign-in security to use the network logon information that a user supplies when logging on to Windows; JD Edwards EnterpriseOne does not require the user to enter another user ID and password when signing in. See Managing Unified Logon.

4.1.2 Security Table Access


If you keep the system user and password secure, no users have direct access to the Security table (F98OWSEC). The exception to this situation is for system administrators who maintain the security information. The JD Edwards EnterpriseOne security server has access to the F980WSEC table through JDENet. You must perform all of the validation and changes of JD Edwards EnterpriseOne passwords through a JDENet message to the enterprise server that has the F980WSEC table. Upon validating a JD Edwards EnterpriseOne password, the JDENet message returns the system user and password that you enter. These words are encrypted across the network. Internally, this system password is used for all connections to databases. Using the database management system, you should place database security on the F980WSEC table. You should also assign JD Edwards EnterpriseOne object security to the F980WSEC table so that users cannot access the object except to enter User Password Revisions.
See Also:

Setting Up User Security.

4.1.3 Password Encryption


You can enter the initial sign-in password for each user in these ways:

Type it manually. Use a default password established through the sign-in security processing options. Have JD Edwards EnterpriseOne enter it automatically because the user has an existing security record.

When typing a password manually or when using the processing option default password, you cannot see the password for a new user because you are typing it in. When you revise this record, however, the system encrypts the password so that all you see are asterisks. The number of asterisks does not represent the number of characters in the password. The user security application does not know what the password is. The application is given a flag that indicates that a password was entered. The system stores the actual password on the security server within a binary object in the F980WSEC table. The system accesses the binary object when the user security application requests a change or inquiry.

4.1.4 Sign-In Security Setup


This checklist is an overview of the steps that are required to set up sign-in security:

4-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding Sign-in Security

Sign-in Security Setup Step Determine location of the F98OWSEC table.

Description Ensure that the F98OWSEC table is located in the system data source on the enterprise server, and ensure that the table is mapped to the correct data source through the Object Configuration Manager. If your system data source resides on the enterprise server, the F980WSEC table should reside in the system data source. However, if the system data source is located on the deployment server (or other servers), the F980WSEC table should be moved to the server map data source for the enterprise server. If you have more than one logic server, you should use only one as the security server.

Set database security on the F98OWSEC table.

From within the DBMS, place database security on this table to prevent a user from accessing the object, except to enter passwords through User Password Revisions.

Place security on the logic server's The DBMS user ID and password to the Sign On Security jde.ini file. table are stored in this file. Caution: Implementing jde.ini file security will prevent Server Manager from modifying configuration settings. Create security records for individual users. Assign these:

Data source System user System password EnterpriseOne password User Status Allowed number of invalid sign-on attempts (optional) Change frequency (optional) Note: If you intend to use a unified logon, every user in the JD Edwards EnterpriseOne security database requires a unique user ID.

Verify and modify the jde.ini file If you use a unified logon, you need to change the settings on the JD Edwards EnterpriseOne for a unified logon in the [SECURITY] section as well as in logic server for the platform the JD Edwards EnterpriseOne [SECURITY] settings. environment. Set up a unified logon server. If you use a unified logon with the JD Edwards EnterpriseOne security, set up a unified logon server for each instance of JD Edwards EnterpriseOne on each server. For example, if you have an NT server with multiple releases of JD Edwards EnterpriseOne, you need a unified logon server for each release on the server. The unified logon server differentiates instances of JD Edwards EnterpriseOne based on the port numbers for these instances. For example, if the port number for JD Edwards EnterpriseOne is 6104, the port number for the associated unified logon server is 6104. Other instances and unified logon servers use different port numbers. Verify and modify jde.ini file. Set up sign-in security. Verify and modify the jde.ini file that will be deployed to the server's workstation installations. Require sign-in security for all machines.

Employing Sign-in Security

4-3

Understanding Sign-in Security

4.1.5 Process Flow for Sign-in Security


JD Edwards EnterpriseOne provides sign-in security with an architecture that is designed to provide user security for JD Edwards EnterpriseOne and the logically attached database management systems. The security architecture prevents you from viewing the database or system password and from bypassing JD Edwards EnterpriseOne applications to view and change data. This text explains the process flow for standard sign-in security:

Workstations sign in to JD Edwards EnterpriseOne by using their user ID and password. These workstations can be networked or standalone workstations, laptop computers, or other JD Edwards EnterpriseOne hosts. If you enter a valid user ID and password, as validated against the local workstation installation, the start-up process continues.

As the software starts, it tries to detect an operational network environment. If a network is not detected, the software allows local operation in a store-and-forward mode. Because the workstation or laptop computer is not connected to a network or an enterprise server, no validation can be performed against the F980WSEC table. Therefore, security is limited to that provided by the local workstation or laptop installation. If a network is detected, the software encrypts the password information and sends it over the network to the JD Edwards EnterpriseOne enterprise server. The enterprise server checks the incoming validation request against a table of valid users and passwords. If the user ID and password information are valid, the software accepts the sign-in values and returns the system ID and password to the logically attached database servers. This information is also encrypted on the enterprise server prior to broadcast on the network.

This graphic displays a process flow model for standard sign-in security:

4-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding Sign-in Security

Figure 41 Process flow model for standard JD Edwards EnterpriseOne sign-in security

Enterprise Workstation

Additional EnterpriseOne Server

Laptop-on Network

Standalone Laptop

User enters EnterpriseOne user ID and password

No network detected

Network detected

EnterpriseOne Server (with Security table F980WSEC)

No security provided by EnterpriseOne when standalone used

Encrypt data entered; send to security server, wait for response

Process response; give error if invalid

Validate; get system user/password; encrypt and return results

DONE

The process flow for sign-in security with a unified logon is as follows:

A user starts up JD Edwards EnterpriseOne on a workstation. JD Edwards EnterpriseOne verifies that the unified logon is active and then sends an authentication request to the unified logon server, based on the domain user ID.

Employing Sign-in Security

4-5

Understanding Sign-in Security

Note:

The unified logon server is not a physical server. It is a device that verifies sign-in security against the domain sign-in security maintained by Microsoft Windows.

During jdesnet initialization, jdesnet activates the unified logon server thread. The unified logon server ends automatically when jdesnet ends.

The unified logon server searches its user list for an entry that matches the domain user ID. When the server finds a match, the server sends a validation request to the enterprise server. The enterprise server verifies that the response from the unified logon server matches the security information in the F980WSEC table. If the security information from the user list on the unified logon server matches the security information in the F98OWSEC table on the enterprise server, the start-up process continues. The first time that a user signs in to JD Edwards EnterpriseOne with the unified logon, the Environment Selection appears. The user must enter an environment in the Environment field. Select the option to set the environment as the default, and avoid the Environment Selection form on subsequent sign-in attempts.

This illustration displays the process flow for unified logon:

4-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding Sign-in Security

Figure 42 Unified logon process flow

Enterprise Workstation

Additional EnterpriseOne Server

Laptop on Network

Standalone Laptop

Workstation requests validation that user exists in user list on unified logon server

Unified logon server responds to EnterpriseOne validation request. Yes Workstation sends verified sign-in information to EnterpriseOne security server. EnterpriseOne and Windows NT user IDs must be identical EnterpriseOne and enterprise server (with Security table F980WSEC)

No

If unified logon cannot validate request, attempt to sign in fails.

EnterpriseOne verifies that the User ID from the unified logon server matches the user ID in F980WSEC

No

If EnterpriseOne security server cannot verify the user ID, attempt to sign in fails.

Yes EnterpriseOne starts

4.1.5.1 ShowUnifiedLogon Setting


The ShowUnifiedLogon setting in the [SECURITY] section of the jde.ini file allows users to reset whether the Environment Selection form appears at sign-in. This feature

Employing Sign-in Security

4-7

Understanding Sign-in Security

allows users to change the environment later. This table describes the jde.ini file setting for the [SECURITY] section:
Value 0 Description A value of 0 for ShowUnifiedLogon disables the Environment Selection form. When you click the option on the Environment Selection form to set a default environment, you set this value to 0. A value of 1 for ShowUnifiedLogon enables the Environment Selection form. When a user signs in to JD Edwards EnterpriseOne, the Environment Selection form appears and allows the user to choose an environment. This setting is the default for ShowUnifiedLogon.

4.1.6 Sign-in Security for Web Users


The JD Edwards EnterpriseOne security server and the F98OWSEC table authenticate Java/HTML, Portal, and Interoperability users who sign in to JD Edwards EnterpriseOne across the internet to the JAS security server. The JAS security server acts as an interface between the web user's client workstation and the security server. When web users sign in, disconnect, or make a password change, the JAS server sends the request using a JDENET message to the security server, which, in turn, accesses the F98OWSEC table. The security server then returns the authentication through a JDENET message to the JAS security server. If the user is authenticated, the security info is cached to the JAS security server. The JAS security server acts as an intermediary between the Java/HTML, Portal, and Interoperability client and the security server. This graphic displays a process flow for sign-in security with unified logon for web users:

4-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding Sign-in Security

Figure 43 Sign-in security with unified logon for web users

Java/HTML

Portal

Interoperability

Security Table

Internet/LAN Security Server Logic (sign-in, sign-off and pwd change) Intranet/LAN Java JDENET

Security Server Interface (sign-in, sign-off and pwd change) Java JDENET

EnterpriseOne

Web Server
As the security intermediary, the JAS security server handles these tasks:

Connecting to the JD Edwards EnterpriseOne security server for user security authentication and password when a web user signs in. Switching to a secondary JD Edwards EnterpriseOne security server when the primary server is down, provided the correct jas.ini settings are defined. Notifying Java/HTML, Portal, and Interoperability client workstations when a user password has expired. If an Interoperability user's password has expired, sign-in fails without notification of the cause.

Sending error message to user log after the web user has attempted unsuccessfully to sign in x number of times to JD Edwards EnterpriseOne, where x is the number of sign-in attempts defined in the F98OWSEC table. Allowing Java/HTML and Portal users to change name and password. Encrypting JDENET messages sent between the JAS security server and the JD Edwards EnterpriseOne security server. Keeping a valid user session open until the user signs off or the session expires.

To the web user, sign-in and sign-out function the same as they do to a user on Windows, UNIX, or iSeries platforms. To set up security for web users through the JD Edwards EnterpriseOne security server, add these parameters to those that already exist in the jas.ini file:

Employing Sign-in Security

4-9

Understanding Sign-in Security

[SECURITY] Parameter in jas.ini File NumServers

Parameter Value Total number of JD Edwards EnterpriseOne security servers that are available to web users signing on to the system. If this parameter is missing, the default value is 1 and the primary security server handles the sign-in. Name of the primary security server. Name of the secondary security server. The value of N is 1 for the first secondary server, 2 for the second, and so on. Assign values to this parameter if you want sign-in to switch to a secondary server if users cannot sign in to the primary server. If the value is TRUE, the user can save signon information (username, password, and environment) in an encrypted cookie on the workstation and does not have to type the information in for subsequent sign-ins. If the value is FALSE, the feature is disabled. Unit of time used to measure a cookie's lifetime. For example, the parameter value day means that the cookie's lifetime is measured in days. Amount of time before a cookie expires. The unit of measure is defined by the #CookieLifeTime unit parameter value. If that value is day and the value of the Cookie LifeTime parameter is 7, the cookie expires in seven days.

SecurityServer SecurityServerN

UserLogonCookie=

#CookieLifeTime unit

Cookie LifeTime

If you define one primary server and two secondary servers, the jas.ini file [SECURITY] settings look like this example:
NumServers=3 SecurityServer=JDED SecurityServer1=JDEC SecurityServer2=corowhp2 UserLogonCookie=TRUE #CookieLifeTime unit is day CookieLifeTime=7

If you define one or more secondary servers, sign-in fails over to the secondary server if the primary server is down. If both the primary JD Edwards EnterpriseOne security server and a secondary server as defined in the jas.ini file fail, the JAS server fails the user sign-in. If you do not define a server number or any secondary servers, the jas.ini [SECURITY] settings look like this example:
[SECURITY] SecurityServer=JDED UseLogonCookie=TRUE CookieLifeTime unit is day CookieLifeTime=7

4.1.7 Setting Processing Options for P98OWSEC


The User Security program (P98OWSEC) has processing options that you can use to set a default password when creating user security for users or roles, and to set a default change frequency for the password:

4-10 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding Sign-in Security

4.1.7.1 Default
Although processing options are set up during JD Edwards EnterpriseOne implementation, you can change processing options each time that you run a program.
1. Enter a '1' to default the User ID into the password field.

2. Enter in the default Change Frequency.

3. Enter the number of sign-on attempts a user is given prior to being disabled.

4. Enter if a new user is to default to as enabled or disabled.

5. Enter a '1' to force immediate password change of new users.

4.1.7.2 Password
Although processing options are set up during JD Edwards EnterpriseOne implementation, you can change processing options each time you run a program.
1. Enter the daily password change limit that will be applied to all users when attempting to change a password.

If this field is 0 or is left blank, there will be no limit on daily password changes.
2. Enter the minimum password length that is to be used when users attempt to change a password.

If this field is 0 or is left blank, the password will not be checked for a minimum length.
3. Enter the minimum number of character that must be used within a password.

If this field is 0 or is left blank, the password will not be checked for characters.
4. Enter the minimum number of numerics that must be used within a password.

If this field is 0 or is left blank, the password will not be checked for numerics.
5. Enter the maximum number of consecutive characters that can be used in a password.

If this field is 0 or is left blank, the password will not be checked for consecutive characters.
6. Enter the minimum number of special characters that must be within a password.

If this field is 0 or is left blank, the password will not be checked for special characters.

Employing Sign-in Security 4-11

Understanding Sign-in Security

4-12 JD Edwards EnterpriseOne Tools Security Administration Guide

5
5

Setting Up User Security

This chapter contains the following topics:


Section 5.1, "Understanding User Security" Section 5.2, "Creating and Revising User Security" Section 5.3, "Reviewing Security History" Section 5.4, "Managing Data Sources for User Security" Section 5.5, "Enabling and Synchronizing Security Settings" Section 5.6, "Running a Security Analyzer Report" Section 5.7, "Managing Unified Logon"

5.1 Understanding User Security


Use the User Security application (P98OWSEC) to create, test, and change user security for JD Edwards EnterpriseOne and the logically attached database management systems. The security architecture prevents you from viewing the database or system password and from bypassing JD Edwards EnterpriseOne applications to view and change data. JD Edwards EnterpriseOne uses an encryption algorithm to ensure that applications other than JD Edwards EnterpriseOne security cannot access passwords transmitted across the network. You can also set up a unified logon server for a JD Edwards EnterpriseOne server. The unified logon server enables JD Edwards EnterpriseOne to use the domain logon information to determine user security. In a JD Edwards EnterpriseOne unified logon scenario, a user needs to enter a user ID and a password only at network logon.

5.2 Creating and Revising User Security


This section provides an overview of user security, lists prerequisites, and discusses how to:

Create user security. Copy user security. Revise user and role security. Revise all user security. Change a sign-in password. Require sign-in security.

Setting Up User Security 5-1

Creating and Revising User Security

5.2.1 Understanding How to Create and Revise User Security


A user profile must already exist for a user before you can create user security records for that user. You can create security records one at a time for each of the users, you can set security for a role, or you can set security for all users. Typically, users within a specific role use similar security information. Oracle recommends that you create a model user with security information that you can copy to create security records for other users. The P98OWSEC application provides a copy function that simplifies the creation of security records.
Note:

When you copy security records to a user, security records must not already exist for that user. If you try to copy user security to a user with existing user security records, you will receive an error message.

You should keep user security simple. Managing JD Edwards EnterpriseOne user IDs and system (database) user IDs can become complicated quickly. The simplest way to set up user security is to have all data sources share the same system user ID and password by leaving the data source field blank when you initially create user security records for users or roles on the Security Revisions form. When you leave the data source field blank, the P98OWSEC application automatically enters DEFAULT in the field. The DEFAULT data source enables you to create one security record for all users. Each time a user accesses a table through a JD Edwards EnterpriseOne application, the software searches for a security record for that user and the specific data source where the table resides. If the software does not find a specific record, then it uses the default data source, which is the security record that you created with the DEFAULT data source field. You use system user IDs to manage user access to databases. Although you should try to maintain as few system user IDs as you can, occasions arise that require you to set up database security in addition to the JD Edwards EnterpriseOne object and user security for specific users and specific tables. For example, you might need to create system users with additional authority to what the typical system user needs.
See Also:

"Setting Up Data Sources" in the JD Edwards EnterpriseOne Tools Configurable Network Computing Implementation Guide.

5.2.2 Prerequisites
Before you complete the tasks in this section:

Set up all user records in the Address Book application (P01012). Create user profiles using the User Profile application (P0092). See Working with User and Role Profiles.

Attach the proper Address Book record to the user or role profile. Review and set the appropriate processing options before using the P98OWSEC application for the first time. See Setting Processing Options for User Profile Revisions (P0092).

5-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Creating and Revising User Security

5.2.3 Forms Used to Create and Revise User Security


Form Name Work With User Security Security Revisions FormID W98OWSECE Navigation Usage

Security Maintenance Access forms to work (GH9052), User with user security. Security (P98OWSEC) On the Work With User Security form, click Add. On the Work With User Security form, select the user or role and click Copy to copy all security records. To copy a single user security record, select the security record from the detail area, and select Copy Record from the Row menu. Create user security.

W98OWSECB

Copy User Records

W98OWSECN

Copy user security.

Security Detail Revisions

W98OWSECI

Revise user and role On the Work With User Security form, security. select the appropriate record, and then select Revise Security from the Row menu. Security Maintenance menu (GH9052), Administrative Password Revisions (P98OWSEC) On the Work With User Security form, select Req / Not Req from the Form menu. Change a sign-in password.

Administration Password Revisions

W98OWSECF

Sign On Security Required/Not Required

W98OWSECG

Require all machines to use JD Edwards EnterpriseOne sign-in security.

5.2.4 Creating User Security


Access the Work with User Security form.
1.

Click Add.
Note:

Do not use the GlobalPasswordPolic option in the Form menu. This form contains password settings that apply only to users who are using the User Profile Self-Service application (P0092SS).

2.

On the Security Revisions form, complete one of these fields: User ID If you enter a user ID that already exists, you can modify data source information for the user. The system disables all other fields and options for the user ID. Role

Setting Up User Security 5-3

Creating and Revising User Security

If you enter a role that already exists, you will overwrite the security record for role when you enter information on the form.
Note:

When you type information in one of these fields, the system disables the other field. For example, if you type ROLE1 in the User Class/Role field, the User ID field becomes unavailable for data entry.

3.

Complete these fields: Data Source If you leave this field blank, you will set security for all data sources. DEFAULT appears in the Data Source field when you tab out of the field. System User Password We recommend you complete at least the System User field. If you create records by role or for all users at one time, the Password field is populated according to the processing option that you select.

4.

In the User Status area, select one of these options: Enabled With User Status enabled, security allows the user to sign in. This option is the default setting when you create user security. Disabled With User Status disabled, security prohibits the user from signing in to the software. If a user commits a security violation, such as exceeding the maximum number of allowed password attempts, the software automatically sets the value for User Status to Disabled. The system administrator must access the user security record for the user and set User Status to Enabled before the user can sign in. In addition, the system administrator can access Administrative Password Revisions to reset the password of the user, which also restores a user profile to the status of enabled.
Note:

5.

If you want to set limits on the passwords for users, complete these fields: Allowed Password Attempts Enter the number of invalid password attempts allowed before the system disables access for the user. Password Change Frequency Enter the number of days until the system requires the user to change the password. Daily Password Change Limit Enter the allowed number of times a user can change a password in a day. Force Immediate Password Change

5-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Creating and Revising User Security

Click this option to require the user to change the password on the next sign-in.
6.

Click OK to save the current user security information.

5.2.5 Copying User Security


A user profile must already exist for a user before you can create user security records for that user. In addition, when you copy security records to a user, security records must not already exist for that user. If you try to copy user security to a user with existing user security records, you will receive an error message.
Note:

You should create a model user with security information that you can copy to create other users. Typically, users within a specific role use similar security information.

Access the Work With User Security form. To copy user security:
1.

On the Work With User Security form, find the user, and then perform one of these actions: To copy all user security records for a user or role, select the user or role in the tree structure, and click Copy. To copy a single user security record for a user or role, select the security record row in the detail area, and select Copy Record from the Row menu.

2.

On the Copy User Records form, enter a valid user ID in the To User / Role field and click OK.

5.2.6 Revising User and Role Security


Access the Work With User Security form.
1. 2. 3. 4.

On the Work With User Security form, complete the User ID / Role field. Click Find. Select the appropriate record in the tree structure, and then select Revise Security from the Row menu. On the Security Detail Revisions form, complete these fields, as necessary: User Status Under User Status, you can enable or disable a user profile. Password Change Frequency Allowed Password Attempts
Note:

For a role, select the appropriate option from the Change box to enable each field.

5.

Click OK.

Setting Up User Security 5-5

Creating and Revising User Security

5.2.7 Revising All User Security


Access the Work With User Security form.
1. 2.

From the Form menu, select Revise All. On the Security Detail Revisions form, in the Change box, select any of these options to enable the related field: User Status Frequency Attempts Change Limit

3.

Complete any of these fields, and then click OK: User Status This field enables you to enable or disable user profiles. Password Change Frequency Allowed Password Attempts Force Immediate Password Change This field requires the user to change the password on the next sign-in.

5.2.8 Changing a Sign-in Password


Access the Administration Password Revisions form.
Note:

You can also access Administrative Password Revisions from the User Security application. On the Work with User Security form, find the user, select the user in the tree structure, and then select Password Revisions from the Row menu.

User ID

Enter the user ID that you want to force a password change during sign-in. The user ID is the default value in this field when the user record is highlighted and Password Revision is activated.
New Password

Enter a new password. On this form, the system does not restrict the password choices. Any password is valid.
New Password - Verify

Enter the password again to verify it.


Force Immediate Password Change

Select this option to force the user to change the password during the next sign-in.

5.2.9 Requiring Sign-in Security


Use this feature to require all machines to use JD Edwards EnterpriseOne sign-in security. This procedure enables mandatory security only for the environment that you are signed into when you make this change. Access the Work With User Security form.

5-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Data Sources for User Security

1. 2.

Select Req / Not Req from the Form menu. On the Sign On Security - Required/Not Required form, click the lock icon to change the Security Server to Required or Not Required.
Note: If you set up the security as Not Required and have security turned on through the jde.ini file on the enterprise server, users that comment out signon security in their jde.ini files will still not be able to access any data sources without knowing the system user ID and password.

When attempting to access a table in a secured data source, users will receive a database password entry form. If system user IDs and passwords are confidential, no one will be able to access the secured tables.

5.3 Reviewing Security History


This section lists the prerequisite and the forms used to review security history. If you know the specific user or role, you can review the user's or role's security history by using the JD Edwards EnterpriseOne Security application. You can also search for specific information for all users. For example, to see the users who were deleted on a given day, you can search on event type 06 (Delete User) and a specific event date.

5.3.1 Prerequisite
The [SECURITY] section in the server jde.ini must include the History=1 setting for the system to record security history.

5.3.2 Forms Used to Review Security History


Form Name Work With User Security Work With Security History FormID W98OWSECE Navigation Usage

Security Maintenance Access forms to (GH9052), User review security Security (P98OWSEC) history. On the Work With User Security form, from the Form menu, select Security History. Click Find to review the security history records.

W98OWSECC

5.4 Managing Data Sources for User Security


This section provides an overview of data source management for user security and discusses how to:

Add a data source to a user, a role, or all users. Revise a data source for a user, a role, or all users. Remove a data source from a user, a role, or all users. Change the system user password for multiple users.

Setting Up User Security 5-7

Managing Data Sources for User Security

5.4.1 Understanding Data Source Management for User Security


You add data sources to user and role records in user security to authorize users and roles to access JD Edwards EnterpriseOne databases. You can also revise the system user and password for existing data sources.

5.4.2 Forms Used to Manage Data Sources for User Security


Form Name Work With User Security Add Data Source FormID W98OWSECE Navigation Usage

Security Maintenance Access forms to set up (GH9052), User user security. Security (P98OWSEC) On the Work With User Security form, from the Form menu, select Add Data Source. Add a data source to a user, role, or all users.

W98OWSECS

Data Source Revisions W98OWSECH

Change the system On the Work With user for a data source. User Security form, select a data source, and then select Revise Data Source from the Row menu. On the Work With Security form, select the appropriate record in the tree structure, and then click Delete. Remove a data source. If you chose a data source for a specific user or role, this form displays the user ID or the role name with the data source name. If you chose only the data source, this form displays only the data source name. Locate a system user.

Remove Data Source

W98OWSECK

Work With System Users System User Revisions

W980001A

In Solution Explorer, enter P980001 in the Fast Path. On the Work With System Users form, select a system user and then click the Select button.

W980001C

Change the system user password.

5.4.3 Adding a Data Source to a User, a Role, or All Users


Access the Add Data Source form.
1.

Complete one of these fields or options: User ID Complete this field to add a data source to a specific user. Role Complete this field to add a data source to a specific role. All Users Select this option to add a data source to all users.

5-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Data Sources for User Security

2.

Complete these additional fields and click OK: Data Source Leave this field blank to set the data source information for all data sources. When you leave this field blank, the system automatically enters DEFAULT in the field. System User

5.4.4 Revising a Data Source for a User, Role, or All Users


Access the Work With User Security form.
1.

Complete the Data Source field, and then click Find.


Note:

You can also enter both a data source and user ID/role. If you select just a data source, the change will affect all users.

2.

Select the data source in the tree structure and then, from the Row menu, select Revise Data Source. The Data Source Revisions form appears. If you chose a specific user or role, this form displays the user ID or the role name and the data source information. If you chose only the data source, this form automatically selects the All Users option with the data source information.

3.

Complete the System User field and click OK. This field is necessary to access databases within the software. Depending on what you selected from the tree on the Work With User Security form, this information will apply to a specific user, a specific role, or all users.

5.4.5 Removing a Data Source for a User, Role, or All Users


Access the Work With User Security form.
1. 2.

Complete the Data Source field, and then click Find. Select the appropriate record in the tree structure, and then click Delete.
Note:

For a user, you can also select a row in the detail area for the user, and then click Delete.

The Remove Data Source form appears. If you chose a data source for a specific user or role, this form displays the user ID or the role name with the data source name. If you chose only the data source, this form displays only the data source name.
Important:

If you performed the search by data source without including a specific user or role, when you click OK on Remove Data Source, you remove the data source for all users.

3.

Click OK to remove the data source.

Setting Up User Security 5-9

Enabling and Synchronizing Security Settings

5.4.6 Changing the System User Password


Access the Work With System User form.
1. 2.

Locate a system user and then click Select. On the System Users Revision form, complete these fields and then click OK: Password Enter a new password for the system user/data source combination. Password Verify Enter the password again for verification purposes.

5.5 Enabling and Synchronizing Security Settings


This section provides an overview of enabling and synchronizing security settings and discusses how to:

Change the workstation jde.ini file for user security. Set auxiliary security servers in the workstation jde.ini. Change the timeout value due to security server communication error. Change the enterprise server jde.ini file for security. Set auxiliary security servers in the server jde.ini. Verify security processes in the server jde.ini.

5.5.1 Understanding Security Setting Synchronization


You must modify the enterprise server and the workstation jde.ini files to enable and synchronize security settings between the enterprise server and the workstation.
Note:

For the JD Edwards EnterpriseOne workstations, enable security by changing settings in the workstation jde.ini file. You should make these changes on the deployment server-resident jde.ini file that is delivered to the workstation through a package installation.

5.5.2 Changing the Workstation jde.ini File for User Security


Access the jde.ini file.
1.

Locate the jde.ini file that will be sent to the workstation as part of a package installation. This file is located on the deployment server in the release share path:
\\xxx\CLIENT\MISC\jde.ini

Where xxx is the installed release level of the software (for example, 810).
2.

Using a text editor such as Notepad, view the jde.ini file to verify this setting:
[SECURITY] SecurityServer=Enterprise Server NameDefaultEnvironment=Default Environment

This table explains the variable values:

5-10 JD Edwards EnterpriseOne Tools Security Administration Guide

Enabling and Synchronizing Security Settings

Setting Security Server

Value The name of the enterprise server. For workstations to sign on and run batch reports on the enterprise server, this value must be the same for both the workstation and the enterprise server. A name that identifies any valid environment. If no value is specified, security is not enabled for that workstation.

DefaultEnvironment

5.5.3 Setting Auxiliary Security Servers in the Workstation jde.ini


Within the [SECURITY] section of the workstation jde.ini file, you can set as many as 10 auxiliary security servers. This example shows how the jde.ini file might look:
[SECURITY] NumServers=Numeric Value SecurityServer=Enterprise Server Name (primary) SecurityServer1=Enterprise Server Name (auxiliary) SecurityServer2=Enterprise Server Name (auxiliary)

This table explains the variable values:


Setting NumServers Value The total number of security servers (primary and auxiliary) that you set under the [SECURITY] section of the jde.ini file. For example, if you set one primary and four auxiliary servers, the NumServers value is 5. You can set NumServers to any value between 1 and 10. If you do not include the NumServers setting, the system assumes that you have only one server. The name of a JD Edwards EnterpriseOne enterprise server. The primary and auxiliary security server names must all correspond to valid enterprise servers. The values for both the workstation and the enterprise servers must be the same for workstations to sign on to and run batch reports from the enterprise server. The variable value n can be a number between 1 and 10. This number defines the auxiliary security server.

SecurityServern

5.5.4 Changing the Timeout Value Due to Security Server Communication Error
You might need to change a setting in the workstation jde.ini file if you receive an error such as:
Failure to Communicate with Security Server.

Change this section:


[JDENET] connectTimeout=30

5.5.5 Changing the Enterprise Server jde.ini File for Security


To change the enterprise server jde.ini file for security, you should verify the server jde.ini file settings as shown in this task. Use these settings to specify the internal security parameters, valid users and passwords, environments, and data sources. Locate the enterprise server's jde.ini file. Using an ASCII editor, such as Notepad, view the jde.ini file to verify these settings:
[JDENET_KERNEL_DEF4] Setting Up User Security 5-11

Enabling and Synchronizing Security Settings

dispatchDLLName=name of host dll dispatchDLLFunction=JDEK_DispatchSecurity maxNumberOfProcesses=1 beginningMsgTypeRange=551 endingMsgTypeRange=580 newProcessThresholdRequests=0 [SECURITY] Security Server=Enterprise Server Name User=user ID Password=user password ServerPswdFile=TRUE/FALSE DefaultEnvironment=default environment

This table explains the variable values:


Setting dispatchDLLName Value Values for enterprise server host platforms are:

HP9000, libjdeknet.sl RS/6000, libjdekrnl.so Windows (Intel), jdekrnl.dll Windows (Compaq AlphaServer), jdekrnl.dll iSeries, JDEKRNL

For UNIX platforms, values are case-sensitive. SecurityServer The name of the enterprise server. This value must be the same for both the workstation and the enterprise server for workstations to run batch reports on the enterprise server. The ID of a user with access to the F98OWSEC. This is the ID used to connect to the DBMS; therefore, this value must match that of the target DBMS. The password for the user ID with access to the F98OWSEC. This is the password used to connect to the DBMS; therefore, this value must match that of the target DBMS. This parameter is valid for servers operating under UNIX operating systems. The setting of this parameter determines whether the system uses special password handling for batch reports running on the server:

User

Password

ServerPswdFile

Set the value to TRUE to instruct the system to enable special handling of passwords. Set the value to FALSE to disable special handling.

When the system runs a batch report on the server, it runs the report using a string of line commands and parameters that includes the user password. Under UNIX operating systems, it is possible to use the process status command (ps command) to query the status of a job and view the parameters that were used to start the process. As a security measure, you can enable special handling by the software. When enabled, the software does not include the user password in the parameter list for a batch process. Instead, it includes the name of a file that contains the user password. This file is deleted as soon as the batch report reads the password. DefaultEnvironment The name of a valid environment for accessing the security table (for example, PD810).

5-12 JD Edwards EnterpriseOne Tools Security Administration Guide

Running a Security Analyzer Report

5.5.6 Setting Auxiliary Security Servers in the Server jde.ini


Within the [SECURITY] section of the server jde.ini file, you can set one to 10 auxiliary security servers. You set multiple auxiliary security servers to establish levels of default servers. For example, if a machine cannot access a given security server, the machine tries the next security server that is defined in the [SECURITY] section. The settings for the auxiliary security servers might look like this example:
[SECURITY] NumServers=Numeric Value SecurityServer=Enterprise Server Name (primary) SecurityServer1=Enterprise Server Name (auxiliary) SecurityServer2=Enterprise Server Name (auxiliary)

This table explains the variable values:


Setting NumServers Value The total number of security servers (primary and auxiliary) that you set under the [SECURITY] section of the jde.ini file. For example, if you set one primary and four auxiliary servers, the NumServers value is 5. You can set NumServers to any value between 1 and 10. If you do not include the NumServers setting, the system assumes that you have only one server. The name of an enterprise server. The primary and auxiliary security server names must all be valid enterprise servers. The values must be the same for both the workstation and enterprise servers for workstations to log onto and run batch reports from the enterprise server. The variable value x can be any number between 1 and 10. This number defines the auxiliary security server.

SecurityServerx

5.5.7 Verifying Security Processes in the Server jde.ini


You should define only one process for the security network. You can set multiple processes, but they are probably not necessary. Under the [JDENET_KERNEL_DEF4] section of the server jde.ini file, verify that this parameter is set:
[JDENET_KERNEL_DEF4] maxNumberOfProcesses=1

5.6 Running a Security Analyzer Report


This section provides an overview of the Security Analyzer Report and discusses how to:

Run the Security Analyzer by Data Source Report (R98OWSECA). Run the Security Analyzer by User or Group Report (R98OWSECB).

5.6.1 Understanding the Security Analyzer Report


This process generates two separate reports that provide you with an analysis of JD Edwards EnterpriseOne security. The first report is the Security Analyzer by Data Source (R98OWSECA); it is organized and sorted by data source. A blank data source means that security for the System User ID is applicable to all data sources. The Security Analyzer by Data Source report is based on data that it reads from the F98OWSEC table.

Setting Up User Security 5-13

Running a Security Analyzer Report

The second report is the Security Analyzer by User or Group (R98OWSECB); it is organized by user or role. The Security Analyzer by User or Role report is also based on data that it reads from the F98OWSEC table.

5.6.2 Form Used to Run a Security Analyzer Report


Form Name Work With Batch Versions - Available Versions FormID W98305A Navigation Report Management (GH9111), Batch Versions (P98305) Usage Run the Security Analyzer by Data Source (R98OWSECA) and Security Analyzer by User or Group (R98OWSECB) reports.

5.6.3 Running the Security Analyzer by Data Source Report (R98OWSECA)


This report presents security analysis information for each data source, each user ID, and each role. The report is sorted by data source and then by user ID. This columnar data appears in the report:

Data Source The data source to which the user is secured. Blank indicates all data sources.

User ID User / Role An identification code for a user profile.

System User ID The actual user that JD Edwards EnterpriseOne uses to connect to the DBMS that you specified as the data source. This system user must match the user value that is defined in the DBMS.

Change Frequency The number of days before the system requires that a user change their password. This data can be set by individual user ID or by role.

Source Password Changed The date when a user's password was last changed.

Invalid Signons The number of invalid sign-in attempts by a user. If the retry count value exceeds the number of allowed attempts, the user profile is disabled.

Allowed Attempts The number of sign-in attempts that a user can make before that user profile is disabled.

User Status A value that indicates whether the user can sign in to JD Edwards EnterpriseOne. Values are 01 (enabled) and 02 (disabled).

Status The display status of the User Status field.

5-14 JD Edwards EnterpriseOne Tools Security Administration Guide

Running a Security Analyzer Report

Access the Work With Batch Versions - Available Versions form to run the Security Analyzer by Data Source Report (R98OWSECA).
1.

Select a version and then click Select. The default version is XJDE0001. It creates a report for all user IDs for all data sources.

2. 3.

On the Version Prompting form, click Submit. On the Report Output Destination form, select any of these options: On Screen To Printer Export to CSV

4.

If desired, select the OSA Interface Name option and enter a name in the box that appears.

5.6.4 Running the Security Analyzer by User or Group Report (R98OWSECB)


The Security Analyzer by User or Group Report (R98OWSECB) report presents security analysis information for each user ID, each group, and each data source. The report is sorted either by user ID or user group, depending on which processing option you select. This columnar data appears in the report:

User ID Role Password Change Frequency The number of days before a user must change their password. This data can be set by individual user ID or by group.

Data Source The data source to which the user is secured. A blank indicates all data sources.

System User The actual user that the software uses to connect to the DBMS that you specified as the data source. The system user that is defined here must match the user value that is defined in the DBMS.

Access the Work With Batch Versions - Available Versions form to run the Security Analyzer by User or Group Report (R98OWSECB).
1.

Select a version and click Select. The default version is XJDE0001. It creates a report for all user IDs for all data sources. By default, the XJDE0001 version has the processing option for this report set to 1. This option generates a report by user ID. To generate a report by role, you can prompt for processing options and then, on the User Setup tab, change the value to 2.

2. 3. 4.

On the Version Prompting form, click Submit. Complete the processing options as necessary, and then click OK. On Report Output Destination, select any of these options: On Screen
Setting Up User Security 5-15

Managing Unified Logon


5.

To Printer Export to CSV

If desired, select the OSE Interface Name option and type a name in the field that appears.

5.7 Managing Unified Logon


This section provides an overview of unified logon and discusses how to:

Modify the jde.ini setting to enable or disable unified logon. Set up a service for unified logon. Remove a service for unified logon.

5.7.1 Understanding Unified Logon


For configurations that use a Windows enterprise server, to set up unified logon, you need to modify only the [SECURITY] section of the jde.ini file. When a user signs on, these settings alert the software to use unified logon. When the enterprise server is on a non-Windows platform, you need to set up a Windows service for unified logon. This service identifies the unified logon server for JD Edwards EnterpriseOne. You also need to set the unified logon settings in the [SECURITY] section of the jde.ini file.
Important:

When you use unified logon, you need to use the same user ID for the Windows domain and JD Edwards EnterpriseOne so that the records for each are synchronized. For example, if the user ID for a user in the Windows domain is USER1, the user ID for JD Edwards EnterpriseOne must also be USER1. If the user IDs are different, unified logon does not work for the user.

5.7.2 Modifying the jde.ini Setting to Enable or Disable Unified Logon


Locate the jde.ini files on the server and on the workstation. To modify the jde.ini setting to enable or disable unified logon:
1.

In the server jde.ini file, add these settings in the [SECURITY] section:
[SECURITY] SecurityMode=0, 1 or 2

Value 0 1 2 2.

Description Accepts only users set up for standard sign-in security. Accepts only users set up for unified logon. Accepts users set up for both unified logon and standard sign-in security.

In the workstation jde.ini file, add these settings in the [SECURITY] section:
[SECURITY] UnifiedLogon=0 or 1

5-16 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Unified Logon

Value 0 1 server_name

Description Disables unified logon for the workstation. This setting is the default value. Sets unified logon for the workstation. Enter the name of the server on which the unified logon server data resides.

5.7.3 Setting Up a Service for Unified Logon


If the enterprise server is not a Windows server, you should set up services for unified logon on the deployment server. The deployment server is always a Windows server. To set up a service for unified logon:
1.

On the deployment server, in Windows Explorer, access the \Unified Logon directory and run the file UniLogonSetup.exe. The Unified Logon Server Setup form appears. On this form, you define the Windows service for unified logon servers. You can also remove these services on this form.

2.

Complete these fields: Unified Logon Service Name Enter the name for the unified logon server. EnterpriseOne Port Number The port number for the unified logon server should match the JD Edwards EnterpriseOne port number of the server for which you want to set up unified logon. Service Executable Filename Enter the directory path for the unified logon service program. Log Filename Enter the name of the unified logon log file, including the full directory path. The default user list contains all authenticated network users.

3.

To create a custom user list, enter the users or the groups in the Users or User Groups box to add the user information to the unified logon user list.
Note:

Generally, the default Windows list of authenticated network users lists users by group.

4.

Click the Install Service button to save the service information for the unified logon server.

5.7.4 Removing a Service for Unified Logon


To remove a service for unified logon:
1.

Run UniLogonSetup.exe. The Unified Logon Server Setup form appears.

2.

From the Unified Logon Service Name menu, select a unified logon server, and then click the Uninstall Service button.

Setting Up User Security 5-17

Managing Unified Logon

5-18 JD Edwards EnterpriseOne Tools Security Administration Guide

6
6

Setting Up JD Edwards Solution Explorer Security


This chapter contains the following topics:

Section 6.1, "Understanding JD Edwards Solution Explorer Security" Section 6.2, "Configuring JD Edwards Solution Explorer Security"

6.1 Understanding JD Edwards Solution Explorer Security


Use the Security Workbench application (P00950) to set up security for these JD Edwards Solution Explorer features:

Menu Design Menu Filtering Favorites Fast Path Documentation OMW Logging

This table describes the three general security settings for JD Edwards Solution Explorer features:
Security Setting Secured View Change Description Restricts the user from accessing the feature. Allows read-only access to the feature but no modification capability. Gives the user full access to the feature with no restrictions on changing, adding, or deleting data.

In JD Edwards Solution Explorer, you can check the permissions for each feature for any user in the system. You view the settings by signing onto JD Edwards EnterpriseOne as the user whose settings you want to view, and then clicking the security button in the status bar of the JD Edwards Solution Explorer, which launches the Solution Explorer Security form. You cannot change the security settings from this form.
Note: You can also view existing Solution Explorer security records in P00950.

Setting Up JD Edwards Solution Explorer Security

6-1

Understanding JD Edwards Solution Explorer Security

Users who are logged into the Microsoft Windows client can quickly identify their Solution Explorer security by double-clicking on the padlock on the status bar at the bottom of the window. This table shows the features and provides a description of the settings for Application Release 8.9.11 and later Applications releases:
Feature Menu Design Setting Description Typically, administrators use the Menu Design feature to set up menus, tasks, task views, and task view roles. You use Solution Explorer to provide or limit access to the Menu Design feature for a specific user or role by selecting one of these security options: Secured - The feature is not available when the user or role signs on to the system. View - The user or role can see and use menus, tasks, task views, and task roles that you have set up. Change - The user or role can create and modify menus, tasks, task views, and task roles. The Menu Design button appears on the Microsoft Windows client when this feature is set to Change. Typically, you select the Change setting for an administrator. See "Using the Design Menu Mode" in the JD Edwards EnterpriseOne Tools Solution Explorer Guide. Menu Filtering Typically, administrators use the Menu Filtering feature to selectively enable or disable tasks by role in a task view. You use Solution Explorer to provide or limit access to the Menu Filtering feature for a specific user or role by selecting one of these security options: Secured - The Menu Filtering button is not available when the user or role signs on to the system. View - The user or role can see Menu Filtering information. Change - The user or role can hide or show tasks or task views and save changes to roles. Typically, you select the Change setting for an administrator. See "Using the Menu Filtering Mode" in the JD Edwards EnterpriseOne Tools Solution Explorer Guide. Favorites This feature enables users to save links to their tasks and access tasks directly from their Favorites task view. You use Solution Explorer to provide or limit access to the Favorites feature for a specific user or role by selecting one of these security options: Secured-The Favorites task view is not available when the user or role signs on to the system. View-Users or roles can see the Favorites task view and access tasks (assuming they have security rights for the application, form, version, and so on) from the Favorites task view; however, users or roles cannot add or remove tasks from the Favorites task view. Change-Users or roles can add and remove tasks from the Favorites task view. Typically, you select the Change option in Solution Explorer so that your users can create and change their Favorites task view. See "Understanding EnterpriseOne Navigation" in the JD Edwards EnterpriseOne Tools Foundation Guide.

6-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding JD Edwards Solution Explorer Security

Feature Fast Path

Setting Description The Fast Path feature is used by your users to navigate to menus, folders, applications, and reports directly. Your users enter commands in the Fast Path to move quickly among menus and applications. You use Solution Explorer to provide or limit access to the Fast Path feature for a specific user or role by selecting one of these security options: Secured - The Fast Path command line is not available when the user or role signs on to the system. View - The user or role can enter tasks, fast path codes, or applications in the Fast Path command line. Restricted View (menu navigation and mnemonics only) - The user or role can use the Fast Path command line to call menus and applications that are defined in the Fast Path UDC table. This option prevents the user or role from running tasks that call applications directly or from accessing specific objects by entering an object name. For example, users with the Restricted View option receive an error if they attempt to launch an application directly by typing in the object name (such as P01012) or if they attempt to type in a task ID for a task that launches an interactive or batch application. See "Understanding EnterpriseOne Navigation" in the JD Edwards EnterpriseOne Tools Foundation Guide.

Documentation

The Documentation feature enables users to access online Documentation for a task. You use Solution Explorer to provide or limit access to the Documentation feature by selecting one of these options: Secured - The documentation feature is not available to the user or role. View - The user or role can view available online documentation for a task. Typically, you select this setting for users or roles. Edit - The user or role can edit the online task documentation. Task documentation can be edited only from a Windows client. Users or roles using a Web client cannot edit task documentation. Users access documentation by clicking the arrow to the right of the task, and then selecting Documentation. A task may have multiple types of documentation, which appears as separate selections.

OMW Logging

You use Solution Explorer to enable (on option) or disable (off option) the OMW Logging feature for a specified user or role. When enabled, the OMW Logging feature captures information when a user uses Object Management Workbench (OMW) to transfer Solution Explorer task information between environments.

Important:

When you use Solution Explorer security options for a user or role, be sure to select the appropriate option for each feature on the form.

6.1.1 Fast Path Security Settings


Besides preventing or allowing access to Fast Path, you can also set up Fast Path access in a restricted view. The restricted view prevents web client users from entering an application ID in the Fast Path to launch an application. Instead, users can enter menu IDs to access menus in the EnterpriseOne Menu. The menu ID must be associated to a menu in the Task Master table (F9000). The restricted view also allows users to enter a mnemonic code, defined in the User Defined Code Values table (F0005), to launch an application or access a menu.

Setting Up JD Edwards Solution Explorer Security

6-3

Understanding JD Edwards Solution Explorer Security

You can add UDCs for mnemonic codes using the User Defined Codes application (P0004A). Use these parameters when adding UDCs for mnemonic codes in P0004A:

Product Code: H90 (EnterpriseOne Tools) UDC Type: FP


Note:

After you add UDCs for mnemonic codes, you must clear the cache in order for the UDCs to take affect in the system. See Section 2.5, "Cached Security Information".

This example shows some of the mnemonic codes already defined in JD Edwards EnterpriseOne:
Figure 61 User Defined Codes application (P0004A) Work With User Defined Codes

To set up UDCs for mnemonic codes, refer to the instructions on how to customize and add UDCs. See "Customizing User Defined Codes" in the JD Edwards EnterpriseOne Tools System Administration Guide.

6.1.2 Solution Explorer Security Presets


Security Workbench (P00950) contains security presets that determine default security settings for different types of users. These security presets correspond to novice (Preset One), intermediate (Preset Two), and expert (Preset Three) users. If you click one of these preset buttons, Solution Explorer changes the Security Revisions default settings for each feature.

6-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring JD Edwards Solution Explorer Security

Novice users require the most restrictive security settings; expert users require the least restrictive settings. Although you can fine-tune these default settings for a particular individual, using the default settings can free you from the task of manually choosing security setting options for each individual in the system because you can apply the settings to groups as well as to individual users.

6.1.3 Prerequisite
Fast Path Restricted View security is a JD Edwards EnterpriseOne Tools feature that is applicable to the JD Edwards EnterpriseOne Applications 8.12 and 9.0 releases. This feature comes automatically with the 9.0 release. However, for the 8.12 release you must download a JD Edwards EnterpriseOne Tools ESU from the Update Center on the My Oracle Support Web site. See SAR 8517645 for more information.

6.2 Configuring JD Edwards Solution Explorer Security


Access the Work With User/Role Security form. In Solution Explorer, enter P00950 in the Fast Path.
1. 2. 3.

Select the Form menu, Setup Security, Solution Explorer. On the Work with Solution Explorer Security Revisions form, enter a user ID or role in the User/Role field. Select the security options for Menu Design, Menu Filtering, and Documentation, as appropriate: Secured View Change

4.

For Fast Path, select one of these options: Secured View Restricted View (menu navigation and mnemonics only)

5.

Select one of these options to enable or disable OMW Logging: Off On

6.

Alternatively, you can select any of these options from the Preset drop-down menu to specify default Solution Explorer security settings: Preset One Preset Two Preset Three

Setting Up JD Edwards Solution Explorer Security

6-5

Configuring JD Edwards Solution Explorer Security

6-6 JD Edwards EnterpriseOne Tools Security Administration Guide

7
7

Using Security Workbench

This chapter contains the following topics:


Section 7.1, "Understanding Security Workbench" Section 7.2, "Understanding Exclusive/Inclusive Row Security" Section 7.3, "Creating Security Overrides" Section 7.4, "Managing Application Security" Section 7.5, "Managing Action Security" Section 7.6, "Managing Row Security" Section 7.7, "Managing Column Security" Section 7.8, "Managing Processing Option and Data Selection Security" Section 7.9, "Managing Tab Security" Section 7.10, "Managing Hyper Exit Security" Section 7.11, "Managing Exclusive Application Security" Section 7.12, "Managing External Calls Security" Section 7.13, "Managing Miscellaneous Security" Section 7.14, "Managing Push Button, Link, and Image Security" Section 7.15, "Managing Text Block Control and Chart Control Security" Section 7.16, "Managing Media Object Security" Section 7.17, "Managing Application Query Security" Section 7.18, "Managing Data Browser Security" Section 7.19, "Managing Published Business Services Security" Section 7.20, "Copying Security for a User or a Role" Section 7.21, "Reviewing and Deleting Security Records on the Work With User/Role Security Form" Section 7.22, "Running Security Workbench Records Reports"

7.1 Understanding Security Workbench


Use Security Workbench to apply security to JD Edwards EnterpriseOne applications, application versions, forms, and other objects within JD Edwards EnterpriseOne that are described in this chapter. You can apply security for these objects to users, roles, or

Using Security Workbench 7-1

Understanding Exclusive/Inclusive Row Security

*PUBLIC. JD Edwards EnterpriseOne stores security information in the F00950 table and caches the security information in the web server's memory for the web clients and each workstation's memory on Microsoft Windows clients. For Microsoft Windows client users, changes made to security are applied after the user exits JD Edwards EnterpriseOne and signs back in. For the security changes to take affect on web clients, you must restart the web server or clear the web server's cache using the Server Administration Workbench (SAW) application. When applying object level security, you need to consider how JD Edwards EnterpriseOne checks for security. When a user signs in, the system first checks the user ID for security. If no object security is assigned to the user ID, then it checks the role (if the user is part of a specific role), and then finally it checks *PUBLIC.
Note:

You can access Security Workbench on the JD Edwards EnterpriseOne web client, as well as the Microsoft Windows client.

7.2 Understanding Exclusive/Inclusive Row Security


You use row security to either restrict or allow users from viewing, updating, deleting, or adding certain records (rows) to a table. Prior to setting up any kind of row security (whether at the user level, role level, or *PUBLIC level), security administration determines whether your system will use inclusive or exclusive row security. Exclusive row security blocks users from accessing the database for a secured range of values that you define. Inclusive row security allows users to access the database for a valid range of values that you define. You use the EnterpriseOne Security program (P98OWSEC) to set up user security. You use the Row Security application in the Security Workbench program (P00950) to define database values to be excluded or included depending on your JD Edwards EnterpriseOne security configuration. You can set up row security for a user, role, and *PUBLIC. Exclusive row security and inclusive row security are mutually exclusive; you cannot use a combination of the two. To illustrate exclusive and inclusive row security, assume that user MG5700778 should be able to view records in the Address Book table (F0101) that have a business unit value from 1 through 20 and from 51 through 70. In addition, this user should be able to update records in the Address Book table that have a business unit value from 1 through 20. This user cannot insert or delete any records in the Address Book table. The following examples show the records you must define and the SQL statements that the system performs for both exclusive and inclusive row security.

7.2.1 Exclusive Row Security


This table shows the records that you define using the Row application in Security Workbench when you use exclusive row security to secure your system:
Tabl e From Value Thru Value 20 50 70

User

Data item

Add Change Delete View Alias N N N Y N N N N N N N Y N Y N MCU MCU MCU MCU

MG5700778 *ALL CostCenter 1 MG5700778 *ALL CostCenter 21 MG5700778 *ALL CostCenter 51 MG5700778 *ALL CostCenter 71

ZZZZZZZZ N

7-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding Exclusive/Inclusive Row Security

This example shows the Select operation that the system performs against the F0101 table:
SELECT * FROM TESTDTA.F0101 WHERE ( ABMCU NOT BETWEEN ' 21' AND ' 50' AND ABMCU NOT BETWEEN ' 71' AND ' ZZZZZZZZ' ) ORDER BY ABAN8 ASC

This example shows the Update operation that the system performs against the F0101 table:
UPDATE TESTDTA.F0101 SET ABALKY='MG5700778',ABTAX='456456456',ABALPH='John Doe',ABDC='JOHNDOE',ABMCU=' 1',ABSIC=' ',ABLNGP=' ',ABAT1='E',ABCM=' ',ABTAXC=' WHERE ( ABAN8 = 9999999.000000 ) AND ( ABMCU NOT BETWEEN ' 21' AND ' 50' AND ABMCU NOT BETWEEN ' 51' AND ' 70' AND ABMCU NOT BETWEEN ' 71' AND ' ZZZZZZZZ' )

Note:

Row security is applied for the range of values that have N in the appropriate Add/Change/Delete/View action.

7.2.2 Inclusive Row Security


This table shows the records that you define using the Row application in Security Workbench when you use inclusive row security to secure your system:
From Thru Value Value Add Change Delete View Alias 20 70 N N Y N N N Y Y MCU MCU

User

Table Data Item

MG5700778 F0101 CostCenter 1 MG5700778 F0101 CostCenter 51

This example shows the Select operation that the system performs against the F0101 table:
SELECT * FROM TESTDTA.F0101 WHERE ( ( ABMCU BETWEEN ' 1' AND ' 20' OR ABMCU BETWEEN ' 51' AND ' 70' ) ) ORDER BY ABAN8 ASC

This example shows the Update operation that the system performs against the F01010 table:
UPDATE TESTDTA.F0101 SET ABALKY=' ',ABTAX='546',ABALPH='John Doe',ABDC='JOHNDOE',ABMCU=' 60',ABSIC=' ',ABUSER='MG5700778',ABPID='EP01012',ABUPMJ=101214,ABJOBN='DEN123456', ABUPMT=154030.000000 WHERE ( ABAN8 = 6864221.000000 ) AND ( ABMCU BETWEEN ' 1' AND ' 20' )

Important:

The presence of a single record or a set of security records in the Security Workbench table (F00950) with all N values for one or more operations for a table and data dictionary combination will disallow that user from performing that particular operation on the table.

Note:

Row Security is applied for range of values that have Y in the Add/Change/Delete/View action

Using Security Workbench 7-3

Creating Security Overrides

As illustrated in the examples, when you define data access security using exclusive row security, you identify a range of values that are to be secured from the user. When you define data access security using inclusive row security, you identify a range of values that the user can access. Depending on your security setup, inclusive row security can increase performance over exclusive row security. The reason for the performance increase is due to the select and update statements that the middleware generates. Performance can be improved if the use of inclusive row security results in a small range of valid values in the row security application rather than specifying a large range of secured values in the row security application to use exclusive row security.

7.2.2.1 Activating Inclusive Row Security


The system assumes Exclusive Row Security unless you specify inclusive row security. Use these steps to activate inclusive row security:
1. 2. 3. 4.

Enter P00950 in the Fast Path. On the Work With User/Role Security form, select Exclusive/Inclusive from the Form menu. On the Inclusive/Exclusive Row Security form, select the Inclusive Row Security option. Click OK.

If your system is prior to JD Edwards EnterpriseOne Tools Release 8.9, you must manually enter a record in the Security Workbench table using SQL to indicate to your system that inclusive row security is to be used. Use this Insert SQL statement as an example:
Insert into SYS7333.F00950 (FSSETY, FSUSER, FSOBNM, FSDTAI, FSFRDV, FSSY, FSATN3) Values(' ','EXCLUSIVE',' ', ' ', ' ', ' ' , '1')

7.3 Creating Security Overrides


This section provides an overview of security overrides, provides a prerequisite, and discusses how to add security overrides.

7.3.1 Understanding Security Overrides


Security overrides operate as exceptions to existing security records. They specify that users are unsecured from a JD Edwards EnterpriseOne object. In other words, security overrides allow users access to a particular object, even if another security record in the system specifies that access is not allowed. Security overrides enable you to create object security more efficiently, with fewer security records to manage. For example, you might have a scenario that requires securing four out of five versions of an application from a group of users. Instead of creating four security records to prevent users from accessing each of the four versions, you can create two security records to achieve the same result. First, you would create a security override for the application version that you want users to access. This security override would specify that this version is not secured. These are the high level steps to create security overrides in Security Workbench:
1. 2.

Create a security record for the version, making sure that the security options are cleared. Create a security record that secures users from accessing the application, including all versions of the application. In Security Workbench, you would select

7-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Creating Security Overrides

the application and then select the Run security option, which secures users from running the application. As a result, when users try to access the application version, the security override for the version operates as an exception to the second application security record, allowing users access to the version of the application. All other versions of the application are secured. You can create security overrides for these JD Edwards EnterpriseOne objects:

Applications Actions Processing options Tabs Hyper exits External calls Push buttons, links, and images Media objects

Creating security overrides simplifies the process of applying security to various JD Edwards EnterpriseOne items. The following table provides some scenarios in which you could use security overrides to set up your security:
Scenario Allow a user or group of users access to a single form in an application. These users are otherwise restricted from using the application. Secure users from using all but one push button on a form in an application. This security shall apply to all versions of the application as well. Allow only one user in a role access to an external application. Method To set up:
1. 2.

Create a security override for the form. Create a security record to prevent users from accessing the application.

To set up:
1. 2.

Create a security override for the push button. Create a security record to prevent users from using all push buttons on the form.

To set up:
1. 2.

Create a security override for the user that gives the user access to the external application. Create a security record that prevents the role from accessing the external application.

Secure users from all action To set up: buttons except Add and Copy on a 1. Create a security override to specify that Add and form in a particular version of an Copy action buttons are not secured on a form in a application. particular version of an application.
2.

Create a security record to secure all actions on the form.

7.3.2 Prerequisite
Before you can create a security override for a JD Edwards EnterpriseOne object, you must first understand how a standard security record for the object is created in Security Workbench. See the appropriate sections in this chapter for instructions on how to apply security to JD Edwards EnterpriseOne objects such as applications, processing options, tabs, and media objects.
Using Security Workbench 7-5

Managing Application Security

7.3.3 Adding Security Overrides


Enter P00950 in the Fast Path.

1.

On the Work With User/Role Security form, select the Form menu, Set Up Security, and then select the menu for the type of object for which you want to create a security override. On the security form, enter the user or role ID in the User / Role field. Enter a complete user or role, which includes *PUBLIC.

2.

3.

In the Display UnSecured Items region, complete the appropriate fields, and then click Find. This step provides a list of unsecured items for the user, role, or *PUBLIC in the UnSecured node.

4.

Expand the UnSecured node to view the individual applications or versions, and the forms associated with each, that do not already have security set for them. After you expand the node, each item that you select appears in the grid.

5. 6. 7.

Select the item in the node that you want to create a security override for. In the Create with region, make sure that the security options are cleared or not selected. Drag the item from the UnSecured node to the Secured node. This action creates a security override for the user or role that can operate as an exception to a another security record for the user or role.

7.4 Managing Application Security


This section provides an overview of application security and discusses how to:

Review the current application security settings for a user or role. Add security to an application. Secure a user or role from all JD Edwards EnterpriseOne objects. Remove security from an application.

7.4.1 Understanding Application Security


Application security enables you to secure these types of items from users:

Applications When you secure an application, you secure all versions and forms associated with the application.

Versions You can secure access to a version of an application while leaving other versions available to the user.

Forms You can secure access to a single form in an application or application version.

You can secure users from running or installing (or both) a particular application, version, or form within an application. You cannot define application security at the
7-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Application Security

subform level. As an alternative, you could define column security at the form level (power form level) and every instance of the data dictionary item (either on the power form header or subform grid) follows the defined security. This section also explains how to add a *ALL object and change all of the applications for a particular user or role from unsecured to secured.

7.4.2 Reviewing the Current Application Security Settings for a User or Role
Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Application. On the Application Security form, enter the user or role ID in the User / Role field. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

In the Display UnSecured Items region, complete the appropriate fields to determine which items have already been secured for the user or role, and then click Find: Application Enter an application name, such as P01012. You can also enter *ALL to display all applications. Version Enter a version name, such as ZJDEC0001, if you want to check only a specific version of an application. You can also use an asterisk to display all versions. Form Name Enter a form name, such as W01012A. You can also enter an asterisk to display all forms.

4.

Expand the Secured node to view the security settings for the user or role in the detail area.

7.4.3 Adding Security to an Application


Enter P00950 in the Fast Path.
Note:

You cannot secure the Data Browser program using the Application Security form. Security Workbench provides a separate option for securing this program.

See Managing Data Browser Security.


1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Application. On the Application Security form, enter the user or role ID in the User / Role field. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

In the Display UnSecured Items region, complete the appropriate fields, and then click Find. Application Version

Using Security Workbench 7-7

Managing Application Security

Enter a particular version of the application that you entered in the Application field. If you leave this field blank, the system displays all versions associated with the application in the UnSecured node. Product Code Enter a product code to display all applications, versions, and forms associated with a particular product code. This field does not work in conjunction with the Application or Version fields. The search results appear under the UnSecured node.
4.

Expand the UnSecured node to view the individual applications or versions, and the forms associated with each, that do not already have security set for them. After you expand the node, the individual items also appear in the grid.

5.

In the Create with region, select one or both of these security options: Run Security Select this option to secure users from running the application. Install Security Select this option to prevent the just-in-time installation (JITI) of anything necessary to run the application.

6.

Complete one of these steps: Drag applications, versions, or forms from the UnSecured node to the Secured node. From the Row menu, select All Objects to move all applications to the Secured node. From the Row menu, select Secure to All to move all objects that are under the UnSecured node to the Secured node. If you secured an individual form, only the form appears under the Secured node. If you secured an application or version, the application or version and the forms associated with each appear under the Secured node.

7.

To change the security on an item, select the item under the Secured node, select the appropriate security option, and then, from the Row menu, select Revise Security. In the grid, the values under the Run and Install fields change accordingly.

7.4.4 Securing a User or Role from All JD Edwards EnterpriseOne Objects


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Application. On the Application Security form, enter the user or role ID in the User / Role field. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3. 4. 5.

In the Display UnSecured Items area, enter *ALL in the Application field to select all JD Edwards EnterpriseOne objects, and then click Find. Expand the UnSecured node and then click *ALL in the detail area. In the Create with region, select one or both of these options:

7-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Action Security

Run Security Use this option to secure users from running all applications.

Install Security Use this option for JITI only.

6.

Complete one of these steps: Drag *ALL from the UnSecured node to the Secured node. From the Row menu, select All Objects to move *ALL to the Secured node. From the Row menu, select Secure to All to move *ALL from UnSecured node to the Secured node.

7.4.5 Removing Security from an Application


Access the Application Security form. On the Application Security form, perform one of these steps:

Under the Secured node, select an application, version, or form and click Delete. Drag an application, version, or form from the Secured node to the UnSecured node. Select Remove All from the Row menu to move all items from the Secured node to the UnSecured node.

7.5 Managing Action Security


This section provides an overview of action security and discusses how to:

Review the current action security settings for a user or role. Add action security. Remove action security.

7.5.1 Understanding Action Security


Action security enables you to secure the buttons that enable users to perform particular actions, such as adding, deleting, inquiring, revising, or copying a record. These buttons typically reside on the toolbar in a form. Do not confuse these buttons with buttons that are located on other parts of a form. You can define action security at the application, version, and form level. You cannot define action security at the subform level. As an alternative, you could define column security at the form level (power form level) and every instance of the data dictionary item (either on the power form header or subform grid) follows the defined security. Oracle recommends that after you add action security to an application, you should test the application to make sure that the security works as desired. For example, adding action security to an Add or OK button in some applications that have editable grids does not prevent users from adding new records or modifying existing ones. For these applications, you would have to add additional security to the application as well.

Using Security Workbench 7-9

Managing Action Security

See Also:

Managing Push Button, Link, and Image Security. Managing Hyper Exit Security.

7.5.2 Reviewing the Current Action Security Settings


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Action. On the Action Security form, enter the user or role ID in the User / Role field and click Find. You can enter *PUBLIC but not wildcards. Current action security settings for the user or role appear under the Secured node in the tree.

3.

To see if an action security is applied to a particular application, version, or form, complete a combination of these fields in the Display Secured Item region, and then click Find: Application Enter an application name, such as P01012. Version Enter a version of the application entered in the Application field to see if action security is applied to the version. Form Name Enter a form name, such as W01012A.

4.

Expand the Secured node and click a secured item to view the current security settings for the user or role in the detail area.

7.5.3 Adding Action Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Action. On the Action Security form, enter the user or role ID in the User / Role field and click Find. You can enter *PUBLIC but not wildcards. Current action security settings for the user or role appear under the Secured node in the tree.

3.

To find the applications, versions, or forms to which you want to apply action security, complete any of these fields under the Display UnSecured Items heading, and then click Find: Application Enter an application name, such as P01012. Enter *ALL to display all applications. Version

7-10 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Action Security

Enter a version of the application you entered in the Application field. If you leave this field blank, all versions associated with the application will appear in the UnSecured node.
4. 5.

Product Code

Expand the Unsecured node to view individual applications, versions, and forms in the detail area. In the Create with region, select any of these options: Change Add Delete OK/Select Copy Scroll To End When you select the OK/Select function, both the Select and OK buttons will be disabled on forms regardless of the setting for any of the other functions. The reason that separate options exist for OK/Select and the other functions is to allow a user to select records from a Find/Browse or Inquiry form but not be able to perform those actions that you secured. For example, a valid setup would be to set OK/Select to Y and set Change to N. The user will be able to select records but not change them. However, if you set OK/Select to N and Change to Y, the OK and Select buttons will be disabled even if the form is in update mode.

6.

To secure the actions on an application, version, or form, perform one of these steps: Drag the application, version, or form from the UnSecured node to the Secured node. From the Row menu, select All Objects to move all items to the Secured node. From the Row menu, select Secure to All to move all objects under the UnSecured node to the Secured node. For example, to set delete security on an application, select the Delete option. Next, drag the application from the UnSecured node to the Secured node. The detail area will reflect the delete security that you set for this application, which means that the user you entered cannot perform the delete action on this application. The applications or forms now appear under the Secured node and they have the appropriate action security.

7.

To change the security on an item, select the item under the Secured node, select the appropriate security option, and then, from the Row menu, select Revise Security. In the grid, the values for the security options change accordingly.

7.5.4 Removing Action Security


Enter P00950 in the Fast Path.
1.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Action.
Using Security Workbench 7-11

Managing Row Security

2. 3.

On the Action Security form, enter the user or role for which you want to change action security in the User / Role field, and then click Find. To delete action security from an application, version, or form, do one of these: Under the Secured node, select an application, version, or form and click Delete. Under the Secured node, drag an application, version, or form from the Secured node to the UnSecured node. Select Remove All from the Row menu to move all applications and forms from the Secured node to the UnSecured node.

7.6 Managing Row Security


This section provides an overview of row security and discusses how to:

Add row security Remove row security

7.6.1 Understanding Row Security


Row security enables you to secure users from accessing a particular range or list of data in any table. Use row security sparingly because it can adversely affect system performance. Additional processing occurs for each data item that you set with row security. You can set up row security at three levels:

User Group *PUBLIC

JD Edwards EnterpriseOne first looks for row security at the user level, then at the group level, and then at the *PUBLIC level. If you set any of the security at a higher level, such as at the user level, the software ignores lower-level security settings, such as the group or *PUBLIC levels. Before you set up row security for an item in a table, you should verify that the item is actually in that table. For example, the F0101 table contains the data item AN8. Therefore, you can set up row security for that item. However, the same table does not contain data item PORTNUM. Setting row security on this item for the F0101 table has no effect. You set up row security on a table, not on a business view. You should verify that the object that you want to secure uses a business view over a table containing the object. For example, the Work With Environments application (P0094) uses business view V00941 over the F00941 table. You could secure the data item RLS (Release) because it is in the F00941 table. On the other hand, the same item is not in the F0094 table. If you attempt to secure the item on the F0094 table, data item RLS is not secured.
Note: You can find the tables, applications, forms, business views, and so on that use a data item by launching the Cross Reference application (P980011) after you build cross-reference tables (F980011and F980021).

7-12 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Row Security

7.6.2 Prerequisite
Before you can set up row security, you must activate row security in Data Dictionary Design. See "Creating a Data Dictionary Item" in the JD Edwards EnterpriseOne Tools Development Tools: Data Dictionary Guide.

7.6.3 Setting Up Data Dictionary Spec Files


After you activate row security in Data Dictionary Design, log out of JD Edwards EnterpriseOne and delete these spec files, which are located in the \pathcode\spec directory:

dddict.xdb dddict.ddb ddtext.xdb ddtext.ddb glbltbl.xdb glbbltbl.ddb

If you do not use data dictionary replication, you must delete these spec files for each path code directory on your machine and every workstation, inlcuding the enterprise server, where this security needs to be activated. These spec files are automatically rebuilt as data dictionary items are referenced the next time the user signs onto JD Edwards EnterpriseOne when just-in-time installation (JITI) is enabled for the environment.
Note:

If your system is prior to JD Edwards Applications Release 8.11, and you are using terminal servers in an environment that does not use JITI, you must rebuild the data dictionary and global table spec files using R92TAM and R98CRTGL to get the changed data dictionary information to the terminal servers

7.6.4 Adding Row Security


Enter P92001 in the Fast Path.
1.

On the Work With Data Items form, click Find.


Note:

You can enter search criteria in the Search Description field and the query by example (QBE) row to narrow your search.

2.

Select the data item that you want to secure, and click Select. The Data Item Specifications form appears.

3.

On the Item Specifications tab, select the Row Security option and click OK. This option must be selected for row security to work.

4. 5. 6.

Click OK. Exit the data dictionary application. In Solution Explorer, enter P00950 in the Fast Path and press Enter.

Using Security Workbench

7-13

Managing Column Security

7. 8. 9.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Row. On the Row Security form, complete the User / Role field and then click Find to display current row security. Complete these fields, either in the first open detail area row (to add security) or in a pre-existing detail area row (to change security): Table You can enter *ALL in this field. Data Item This field is required. From Value This field is required. Thru Value Add Change Delete View

10. Click OK to save the security information.

7.6.5 Removing Row Security


Enter P00950 in Fast Path.
1. 2. 3.

On the Work With User/Role Security form, select an object. From the Form menu, select Set Up Security, Row. On the Row Security form, complete the User / Role field and click Find.
Note:

If you accessed the Row Security form from the Work With User/Role Security form for a specific record, the user or role associated with the security record appears in the User / Role field by default.

4. 5. 6.

Select the security record or records in the detail area, and then click Delete. On Confirm Delete, click OK. Click OK when you finish deleting row security. If you do not click OK after you delete the row security records, the system does not save the deletion.

7.7 Managing Column Security


This section provides an overview of column security and discusses how to:

Add column security Remove column security

7-14 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Column Security

7.7.1 Understanding Column Security


This section explains how to add and revise column security. You can secure users from viewing a particular field or changing the value for a particular field. This item can be a database field, or a field that is defined in the data dictionary but is not in the database.
Note: You can find the tables, applications, forms, business views, and so on, that use a data item by launching the Cross Reference application (P980011) after you build the cross-reference tables (F980011and F980021).

You can set up column security on a table, an application, an application version, or a form. Even if an application uses a business view that does not contain the data item that you want to secure, you can still secure it, as long as the item appears on a form in the application.

7.7.1.1 Column Security Options


When you use Column Security you can set View, Add, and Change options to secure a field. For the field to appear on a table, application, application version, or form, the View option must be set to Y. When the View option is set to N for a field, that field does not appear on the object. Add and Change options depend on the View option being set to Y for the field. The Add and Change options are independent of each other. You can set the View and Add options to Y and the Change option to N. With security defined in this manner, the field appears on the object and is enabled when the user enters the object in add mode. If the user enters the object in update mode, the field appears but is disabled. You can set the View and Change options to Y and the Add option to N. With security defined in this manner, the field appears on the object and is enabled when the user enters the object in update mode. If the user enters the object in add mode, the field appears but is disabled. You can set all three options to Y. With security defined in this manner, the field appears on the object and is enabled in both add and update mode.

7.7.1.2 Column Security on a Table


Before you set up column security on a table, do these:

Verify that the object that you want to secure is in the table. Verify that the object that you want to secure is part of an application that uses a business view over a table containing the object. Verify that the object that you want to secure uses a business view that includes the column containing the object.

For example, if you want to apply column security to data item RLS (Release Number) in the F00941 table, RLS must be an item in that table, and it must also be part of an application using a business view over that table. Finally, the business view over the F00941 table must include a column containing the data item RLS. If all of these conditions are met, you can successfully apply column security to the data item. Setting column security on a table also means that you set security on the data item for any other applications that use the F00941 table.

Using Security Workbench

7-15

Managing Column Security

7.7.1.3 Column Security on an Application


Before you set up column security on an application, do these:

Verify that the object that you want to secure is in the application. Verify that you are securing the correct data item in an application (data item descriptions can be similar, if not identical).

For example, if you want to apply column security to data item UGRP (UserRole) in the Object Configuration Manager application (P986110), you first verify that the item is in the application. Because it is in the application, you can apply security to the data item. However, note that data items UGRP, MUSE, USER, and USR0 all contain the identical data description of User ID. Verify the item by its alias, not by its data description.

7.7.1.4 Column Security on an Application Version


You can secure users from using columns (or fields) in a version of an application. When you secure a column in a version, the system secures the column in all forms associated with that application version. Before you set up column security on an application version, do these:

Verify that the object that you want to secure is in the version of the application. Verify that you secure the correct data item in an application (data item descriptions can be very similar, if not identical). Verify the item by its alias, not by its data description.

7.7.1.5 Column Security on a Form


Security Workbench enables you to secure the column in one particular form, either in an application or in a version of an application. Before you set up column security on a form, do these:

Verify that the object that you want to secure is in the form. Verify that you secure the correct data item in the form (data item descriptions can be very similar for different data items).

7.7.2 Adding Column Security


Enter P00950 in Fast Path.
1. 2. 3.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Column. On the Column Security form, complete the User / Role field, and then click Find to display current column security for the user or role. To add new security, go to the last row of the detail area and enter information into any of these fields: Table Application Version If you want to add column security to a particular version, enter a version of the application that you entered in the Application field. Form Name

7-16 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Processing Option and Data Selection Security

You can enter *ALL in any of these fields; however, after *ALL is entered for a table, application, or form for a specific data item, you cannot enter *ALL again for that data item.
4.

Complete these fields: Data Item View If the value for View is N, the data item will not appear on any of the objects identified in Step 3, making Add and Change functions obsolete. Add Change

5. 6.

To change security, change the row values in the detail area. Click OK to save the security information.

7.7.3 Removing Column Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Column. On the Column Security form, complete the User / Role field, and then click Find.
Note:

If you accessed the Column Security form from the Work With User/Role Security for a specific record, the user or role associated with the security record appears in the User/Role field by default.

3. 4.

Highlight the security record or records in the detail area and click Delete,and then click OK on Confirm Delete. Click OK when you finish deleting column security. If you do not click OK after you delete the security records, the system does not save the deletion.

7.8 Managing Processing Option and Data Selection Security


This section provides overviews of processing option and data selection security and discusses how to:

Review the current processing option and data selection security settings. Add security to processing options and data selection. Remove security from processing options and data selection. Use R009505 to update data selection security.

7.8.1 Understanding Processing Option Security


You can secure users from changing, prompting for values, and prompting for versions of specific processing options. By itself, setting security that prohibits users from prompting for versions does not prevent them from changing values in the processing option. If you do not want users to use processing option values, you might

Using Security Workbench

7-17

Managing Processing Option and Data Selection Security

want to set security so that users are secured from the "prompt for" value and "prompt for" versions. For example, to set prompt-for-values security, which also automatically sets change security, select the Prompt for Values option. Next, drag one application at a time from the UnSecured node to the Secured node. The detail area reflects the prompt-for-values and change security that you set for these applications. This procedure means that the user you entered cannot prompt for values or change processing options on any applications that you dragged to the Secured node. This task also explains how to add a *ALL object and how to move all of the applications for a particular user or role from unsecured to secured.

7.8.2 Understanding Data Selection Security


You can secure users from modifying, adding, deleting, and viewing the data selection for batch applications or specific versions of batch applications. This security applies to the data selection during submission of a batch application (or report).

7.8.2.1 Implementation Considerations


Data selection security only applies to web clients. You can set up data selection security by running the Security Workbench application on the Windows client. However, the security is only enforced for end users submitting batch applications from the web client. It is not enforced for other means of launching reports, such as RUNUBE and RUNUBEXML commands or the scheduler. The Data Selection row exit on the Work with Batch Versions form allows a user to modify the data selection for a version or report. Oracle recommends that the JD Edwards EnterpriseOne security administrator secures the Data Selection row exit using existing hyper exit security in addition to setting up proper data selection security. For example, data selection security is set up for a user on a batch application version so that the user cannot modify existing rows but can add new rows. However, the user can access the Data Selection row exit and use this row exit to add rows to the existing data selection. When the user clicks OK, the data selection specification is saved to the version. When the user takes the Data Selection row exit again, all rows become existing rows that are secured out. As a result, he cannot modify rows that he just added. You should also consider using action security to secure the ability to add and copy versions of a batch application. Or you can set data selection security at the batch application level rather than version level. In this case, a new user-created version that was created through add or copy will still have the same data selection security.

7.8.2.2 Data Selection Security Options


The available security settings related to data selections are:
Security Setting Prompt for Data Selection Description This setting prevents a user from viewing the data selection screen when submitting a report or version. The data selection criteria defined in the version are used for submission.

7-18 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Processing Option and Data Selection Security

Security Setting Full Access for Data Selection

Description This setting prevents a user from having a full set of the editing capabilities on the data selection screen. Specifically, it prevents a user from deleting any existing data selection criteria. When this setting is checked, two additional settings "Modify for Data Selection" and "Add for Data Selection" are enabled. All three settings can be used in combination. This setting prevents a user from editing or deleting existing data selection criteria defined for a report or version. It also prevents a user from adding new data selection criteria with an OR operator, in effect either expanding or changing existing criteria. This setting is made available only when the user is not granted with Full Access for Data Selection. This setting prevents a user from adding new data selection criteria. This setting is made available only when the user is not granted with Full Access for Data Selection. This setting can be used in combination with the Modify for Data Selection setting.

Modify for Data Selection

Add for Data Selection

All of the security settings can be set at the specific user, role, or *PUBLIC level for any report version or report.

7.8.2.3 Security Hierarchy


When multiple security records exist, the system applies security by following the existing security hierarchy:
1. 2. 3. 4. 5. 6. 7. 8. 9.

Version level security for user. Batch application level security for user. *ALL level security for user. Version level security for group. Batch application level security for group. *ALL level security for group. Version level security for *PUBLIC. Batch application level security for *PUBLIC. *ALL level security for *PUBLIC.

Once a security record is found, the system stops searching for lower priority records.
Note:

The Java Application Server resolves the security entries for the group based on the role sequence number, and only returns one record for all groups at runtime.

7.8.2.4 Data Selection Security Scenarios


This table lists the possible data selection security scenarios. "X" indicates that the specified checkbox is checked in the Security Workbench application:

Using Security Workbench

7-19

Managing Processing Option and Data Selection Security

Scenario Full access to data selection. No access to data selection form. User receives error when he tries to access data selection. Read-only access.

Full Prompt for Access Data Data Selection Selection N/A X N/A Grayed out and checked by default X X

Modify Data Selection N/A Grayed out and checked by default X X

Add Data Selection N/A Grayed out and checked by default X N/A

N/A

User can only add new data selection N/A rows with AND operator. User cannot modify or delete existing data selection rows. User can only modify the right operand value for existing data selection rows. User cannot add new data selection rows or delete existing rows. User can modify existing rows and add new rows with the 'AND' operator. User cannot delete existing rows. NA

N/A

N/A

N/A

N/A

7.8.3 Reviewing the Current Processing Option and Data Selection Security Settings
Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select Set Up Security, Proc Opt and Data Sel Security. On the Processing Option and Data Selection Security form, enter a user or role ID in the User / Role field. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

In the Display Secured Item region, complete these fields and then click Find: Application Enter a batch application name, such as R0006P. Enter *ALL to display all applications. Version Enter a version of the application that you entered in the Application field. Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

7.8.4 Adding Security to Processing Options and Data Selection


Enter P00950 in the Fast Path.
1.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Proc Opt and Data Sel Security.

7-20 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Processing Option and Data Selection Security

2.

On the Processing Option and Data Selection Security form, enter the user or role ID in the User / Role field and then click Find. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

In the Display UnSecured Items region, complete the appropriate fields and then click Find: Application Enter an application name, such as R0006P. Enter *ALL to display all applications. Version You can enter a particular version of the application that you entered in the Application field. If you leave this field blank, all versions associated with the application will appear in the UnSecured node. Product Code UBEs Only Select this checkbox to view only batch applications. You must perform this step before you can add new security. This step provides a list of applications from which you can apply processing option or data selection security. The search results appear under the UnSecured node. Expand the node to view applications (interactive and batch) and menus with interactive or batch applications. After you expand the node, the applications appear in the detail area. For example, to set security on applications within the 00 product code, you enter 00 in the Product Code field and click Find. All of the applications (interactive and batch) attached to product code 00 appear after you expand the UnSecured node.

4.

In the Create with region, select one or more of these options and drag applications from the UnSecured node to the Secured node: Change Prompt for Values When you select this option, you automatically activate the Change option. Prompt for Versions Prompt for Data Selection Full Access Data Selection When you select this option, you automatically activate the following two options: Modify Data Selection Add Data Selection See Data Selection Security Scenarios.

5.

Perform one of these actions: Drag applications from the UnSecured node to the Secured node.

Using Security Workbench

7-21

Managing Processing Option and Data Selection Security

From the Row menu, select All Objects to move all applications to the Secured node. From the Row menu, select Secure to All to move all objects under the UnSecured node to the Secured node. The applications now appear under the Secured node and have the appropriate security.

6.

To change the security on an item, select the item under the Secured node, select the appropriate security option, and then, from the Row menu, select Revise Security. In the grid, the values for the security options change accordingly.

7.8.5 Removing Security from Processing Options and Data Selection


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Proc Opt and Data Sel Security. On the Processing Option and Data Selection Security form, enter a user or role ID for which you want to remove processing option or data selection security in the User / Role field. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

Click Find. Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

4.

Perform one of these steps: Under the Secured node, select an application or application version and click Delete. Under the Secured node, drag an application or application version from the Secured node to the UnSecured node. On the Row menu, select Remove All to move all items from the Secured node to the UnSecured node.

7.8.6 Using R009505 to Update Data Selection Security


The data selection security records are stored in the security table as security type 5. You can use the R009505 batch application to clean up any existing security type 5 records. The R009505 runs over the F00950 table with data selection on records of Security Type 5 (Processing Option and Data Selection Security). These records must have a value in the Object Name field that is a batch application or *ALL (since Security Type 5 can be set up for interactive application objects as well, those will be ignored by this batch application.) The batch application can be run in Proof or Final Mode where Final Mode will update the F00950 table records according to the values in the processing options. The F00950 table will be updated as follows given the processing option values:

7-22 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Tab Security

PO Prompt for Data Selection Full Access Data Selection Modify Data Selection Add Data Selection Prompt for Data Selection Full Access Data Selection Modify Data Selection Add Data Selection Prompt for Data Selection Full Access Data Selection Modify Data Selection Add Data Selection Prompt for Data Selection Full Access Data Selection Modify Data Selection Add Data Selection Prompt for Data Selection Full Access Data Selection Modify Data Selection Add Data Selection Prompt for Data Selection Full Access Data Selection Modify Data Selection Add Data Selection Prompt for Data Selection Full Access Data Selection Modify Data Selection Add Data Selection

Y or N Y Y Y Y N Y Y Y N N Y Y N N N Y N N N N Y N N N Y Y N N

Actual Record Y Y Y Y N N N N N N N N N N N N N N N N Y N N N Y Y Y Y

7.9 Managing Tab Security


This section provides an overview of tab security and discusses how to:

Add tab security Remove tab security

7.9.1 Understanding Tab Security


You can secure users from changing the name of the tab and viewing the form that you call by using the tab. For example, to set up change security, select the Change option. Next, drag tabs one at a time from the UnSecured node to the Secured node. The detail area reflects the changed security that you set for the tabs. This security means that the user you entered cannot change the tabs that you dragged to the Secured node.

Using Security Workbench

7-23

Managing Tab Security

Note:

If you secure a user from an application, you cannot also secure the user from certain tabs on a form in that application. This restriction prevents redundant double security. Similarly, if you secure a user from a tab, you cannot secure the user from the application that contains the tab.

You can define Tab security at the application, version, and form level. You cannot define Tab security at the subform level. As an alternative, you could define column security at the form level (power form level) and every instance of the data dictionary item (either on the power form header or subform grid) follows the defined security.
Note:

Portlets are handled by the system as if they are subforms; therefore, portlets have the same Tab security limitation.

7.9.2 Adding Tab Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Tab Security. On the Tab Exit Security form, complete these fields and click Find: User / Role Enter a complete user or role, which includes *PUBLIC but not wildcards. Application You can view security for a specific application or enter *ALL to display all applications. Current security settings for the user or role appear under the Secured node in the tree. Expand the nodes to view the secured tabs. After you expand the node, the secured tabs also appear in the grid.

3.

Complete only one of these fields in the Display UnSecured Items region and click Find: Application Enter *ALL in this field to select all JD Edwards EnterpriseOne objects. In the detail area, this special object appears as *ALL and displays the security that you defined for the object, such as Run Security or Install Security. The *ALL object acts as any other object, and you can use the Revise Security and Remove All options from the Row menu. Product Code You must perform this step before you can add new security. This step provides a list of applications from which to select. The search (application or product code) appears under the UnSecured node. Expand the node to view applications (interactive and batch) and the associated tabs. After you expand the node, the applications or tabs also appear in the detail area. For example, to set security for tabs in applications within the 00 product code, you enter 00 in the Product Code field and click Find. All of the

7-24 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Hyper Exit Security

applications (interactive and batch) attached to product code 00 appear after you expand the UnSecured node.
4.

In the Create with region, select one or more of these options: Change Select this option to prohibit a user or role from changing information on the tab page. View Select this option to hide the tab from the user or the role.

5.

Drag tabs from the UnSecured node to the Secured node. These tabs now appear under the Secured node.

6.

To change the security on an item, select the item under the Secured node, select the appropriate security option, and then, from the Row menu, select Revise Security. In the grid, the values for the security options change accordingly.

7.9.3 Removing Tab Security


Access the Work With User/Role Security form.
1. 2.

From the Form menu, select Set Up Security, Tab Security. On the Tab Exit Security form, complete these fields and click Find: User / Role Enter a complete user or role, which includes *PUBLIC but not wildcards. Application You can view security for a specific application or enter *ALL to display all applications. Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the secured tabs. After you expand the node, the secured tabs also appear in the grid.

3.

Perform one of these steps: Under the Secured node, select a tab and then click Delete. Under the Secured node, drag a tab from the Secured node to the UnSecured node. On the Row menu, select Remove All to move all tabs from the Secured node to the UnSecured node.

7.10 Managing Hyper Exit Security


Menu bar exits, also referred to as hyper exits, call applications and allow users to manipulate data. You can secure users from using these exits. Hyper exit security also provides restrictions for menu options. This section discusses how to:

Add hyper exit security Remove hyper exit security.

Using Security Workbench

7-25

Managing Hyper Exit Security

7.10.1 Adding Hyper Exit Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Hyper Exit Security. On the Hyper Exit Security form, complete these fields and click Find: User / Role Enter a complete user or role ID, which includes *PUBLIC but not wildcards. Application View security for a specific application. Enter *ALL to display all applications. Current security settings for the user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications, such as interactive and batch. After you expand the node, the secured hyper-button exits also appear in the detail area.

3.

In the Display Unsecured Items region, complete only one of these fields to locate the applications to which you want to apply exit security, and click Find: Application If you enter *ALL in this field and select the Run Security option, all action buttons (except Close and Cancel on the web client only) including every exit under the Form, Row, and Tools options are disabled. To avoid disabled action buttons, apply Hyper Exit security at the individual application level. Product Code You can search for all of the applications within a product code. For example, to set security on hyper-buttons in applications within the 00 product code, you enter 00 in the Product Code field and click Find. All of the applications (interactive and batch) attached to product code 00 appear after you expand the UnSecured node. The search (application, product code, or menu) appears under the UnSecured node. Expand the node to view applications (interactive and batch) and hyper-button exits. After you expand the node, the hyper-button exits also appear in the detail area.

4.

Expand the UnSecured node to view and select applications (interactive and batch) and hyper-button exits. After you expand the node, the hyper-button exits also appear in the detail area.

5.

In the Create with region, select the Run Security option. When you select this option, the grid shows an N in the Run column for each object.

6. 7.

Click Find. Drag exits one at a time from the UnSecured node to the Secured node. The exits that you dragged now appear under the Secured node. The grid reflects the security that you set for these exits. This security prevents the user that you entered from using the exit.
Note:

Hyper Exit security with Run=N for *ALL objects is ignored on the web client for Tools Release 8.97 and earlier releases.

7-26 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Exclusive Application Security

7.10.2 Removing Hyper Exit Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Hyper Exit Security. Complete these fields and click Find: User / Role Enter a complete user or role ID, which includes *PUBLIC but not wildcards. Application View security for a specific application. Enter *ALL to display all applications. Current security settings for the user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications, such as interactive and batch. After you expand the node, the secured hyper-button exits also appear in the detail area.

3.

Perform one of these steps: Under the Secured node, select a hyper exit and click Delete. Under the Secured node, drag a hyper exit from the Secured node to the UnSecured node. On the Row menu, select Remove All to move all hyper exits from the Secured node to the UnSecured node.

7.11 Managing Exclusive Application Security


This section provides an overview of exclusive application security and discusses how to:

Add exclusive application security. Remove exclusive application access.

7.11.1 Understanding Exclusive Application Security


Exclusive application security enables you to grant access to otherwise secured information through one exclusive application. For example, assume that you use row security to secure a user from seeing a range of salary information; however, the user needs to run a report for payroll that includes that salary information. You can grant access to the report, including the salary information, using exclusive application security. JD Edwards EnterpriseOne continues to secure the user from all other applications in which that salary information might appear.

7.11.2 Adding Exclusive Application Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Exclusive Application. On the Exclusive Application Security form, complete the User / Role field. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

Complete these fields in the detail area:


Using Security Workbench 7-27

Managing External Calls Security

Object Name Enter the name of the exclusive application for which you want to allow access (the security). For example, to change the security for a user of the Vocabulary Overrides application, enter P9220 in this field.

4.

Run Application

Click OK to save the information.

7.11.3 Removing Exclusive Application Access


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Exclusive Application. On the Exclusive Application Security form, complete the User / Role field and click Find.
Note: If you accessed the Exclusive Application Security form from a specific record in the Work With User/Role Security form, the user or role associated with the security record appears in the User/Role field by default.

3. 4. 5.

Highlight the security records in the grid and click Delete. On the Confirm Delete message form, click OK. Click OK when you finish deleting exclusive application security. If you do not click OK after you delete the security records, JD Edwards EnterpriseOne does not save the deletion.

7.12 Managing External Calls Security


This section provides an overview of external call security and discusses how to:

Add external call security. Remove external call security.

7.12.1 Understanding External Call Security


In JD Edwards EnterpriseOne, certain applications exist that are not internal to JD Edwards EnterpriseOne; they are standalone executables. For example, the Report Design Aid, which resides on the Cross Application Development Tools menu (GH902), is a standalone application. You can also call this application externally using the RDA.exe. By default, this file resides in the \E810\SYSTEM\Bin32 directory.

7.12.2 Adding External Call Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, External Calls. On the External Calls Security form, complete these fields and click Find: User / Role

7-28 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing External Calls Security

Enter a complete user or group ID, which includes *PUBLIC but not wildcards. Executable Enter the name of the external application, such as debugger.exe. When you enter information into this field, the software searches only for the indicated application. Current security settings for that user or group appear under the Secured node in the tree. Expand the node to view the individual secured applications, such as debugger.exe.
3. 4.

In the Create with region, select the Run Security option. Complete one of these steps: Drag applications from the UnSecured node to the Secured node. To move all applications to the Secured node, select All Objects from the Row menu. The external call applications now appear under the Secured node and have the appropriate security. For example, to set run security on the Business Function Design application, select the Run Security option and then drag the Business Function Design node from the UnSecured node to the Secured node. The detail area reflects the run security that you set for this application, which means that the user you entered could not run the Business Function Design application.

5.

To change the security on an item, select the item under the Secured node, select the Run Security option, and then, from the Row menu, select Revise Security. In the grid, the value in the Run field changes accordingly.

7.12.3 Removing External Call Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, External Calls. On the External Calls Security form, complete these fields and click Find: User / Role Enter a complete user or group ID, which includes *PUBLIC but not wildcards. Executable Enter the name of the external application, such as debugger.exe. When you enter information into this field, the software searches only for the indicated application. Current security settings for that user or group appear under the Secured node in the tree. Expand the node to view the individual secured applications, such as debugger.exe.

3.

Perform one of these steps: Under the Secured node, select an application and click Delete. Under the Secured node, drag an application from the Secured node to the UnSecured node.
Using Security Workbench 7-29

Managing Miscellaneous Security

On the Row menu, select Remove All to move all applications from the Secured node to the UnSecured node.

7.13 Managing Miscellaneous Security


This section provides an overview of miscellaneous security and discusses how to manage miscellaneous security features.

7.13.1 Understanding Miscellaneous Security


JD Edwards EnterpriseOne security enables you to secure users and roles from:

Read/write reports Workflow status monitoring

7.13.1.1 Read/Write Reports Security


JD Edwards EnterpriseOne enables administrators to prevent specific users and roles from running reports that update JD Edwards EnterpriseOne database tables (read/write reports). Administrators can assign users to a user profile called No Update Report Creation User (NUR), which restricts users to running only read-only reports. When an NUR user runs a report, JD Edwards EnterpriseOne prevents the report from making table input/output (I/O) calls to databases that can affect business data. Users assigned to this profile can create and run read-only reports, but are restricted from creating or running existing UR reports. NUR users can copy existing UR reports and run the copied report, although the software disables the report's ability to change business data and displays a warning that the copied report cannot be updated. NUR users can edit NUR reports in Report Design Aid, but are prevented from even opening existing UR reports in RDA.

7.13.1.2 Workflow Status Monitoring Security


Users can access Workflow Modeler, (a scaled-down version of Process Modeler) to design JD Edwards EnterpriseOne workflow models. Process Modeler Server includes a JD Edwards EnterpriseOne Portal-based component called Model Viewer, which enables users with appropriate access to monitor the status of a workflow and perform workflow administration tasks directly from the Viewer. Miscellaneous security includes these Workflow Status Monitoring settings, which determine the operations a user can perform from the Model Viewer:

Secured Restricts users from accessing any Model Viewer tasks using the Portal.

Partial Allows users to view workflow models and to monitor their status, but restricts these users from performing any administrative tasks.

Full Allows users to access all Model Viewer tasks using the JD Edwards Collaborative Portal. Users can view workflow statuses and perform administrative tasks.

7.13.2 Managing Miscellaneous Security Features


Enter P00950 in the Fast Path.

7-30 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Push Button, Link, and Image Security

1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Misc Security. On the Miscellaneous Security form, complete the User / Role field and click Find. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

To change Read-Only Report security, select one of these options: Read / Write Read Only

4.

To change Workflow Status Monitoring security, select one of these options: Secured Prevents users from viewing or administering workflow. View Allows users to view workflow but prevents them from making changes. Full Allows users to view and administer workflow.

5.

Click OK to accept the changes.

7.14 Managing Push Button, Link, and Image Security


This section provides an overview of push button, link, and image security and discusses how to:

Add push button, link, and image security. Remove push button, link, and image security.
Note:

Push button, link, and image security is enforced only for interactive applications in the JD Edwards EnterpriseOne HTML client and the Portal. It is not supported on the Microsoft Windows client.

7.14.1 Understanding Push Button, Link, and Image Security


JD Edwards EnterpriseOne enables you to secure users from using or viewing push button, link, and image controls. You can secure users from using a control but still allow them to view it. Or you can prevent users from both using and viewing a control.
Note:

In JD Edwards EnterpriseOne forms, static text and text boxes can be made into links. However, you can only apply security to static text links, not to text box links.

Security Workbench displays the objects that you want to secure in a hierarchical tree structure that contains nodes for each application, application version, and form. Security Workbench only displays the forms that contain push button, link, and image controls. You can secure an individual control by dragging the control from the UnSecured node to the Secured node. In addition, you can secure all controlspush buttons, links, or imageson a form by dragging the form node to the Secured node.

Using Security Workbench

7-31

Managing Push Button, Link, and Image Security

You can perform the same action on applications and application versions. For example, to secure all the links within an entire application, you drag the application from the UnSecured node to the Secured node to secure all the links in every form within the application as well as within any versions of the application. If you drag an application version node to the Secured node, only the links in that application version are secured.
Note:

For security purposes JD Edwards EnterpriseOne does not allow cross site scripting to be executed.

7.14.1.1 Push Button, Link, and Image Security on Subforms


You can secure push buttons, links, and images on both embedded and reusable subforms in JD Edwards EnterpriseOne. If you secure controls on an embedded subform, only the controls within that subform are secured. For reusable subforms, the behavior of the security depends upon the context in which the reusable subforms are used in power forms. If you apply security to a reusable subform under a power form, then only the controls in that reusable subform for that particular power form are secured, even if the reusable subform is used by another power form, as shown in this diagram:
Figure 71 Push Button, Link, and Image Security on a Reusable Subform - Scenario 1

Power Form F55TESTA

Power Form F55TESTB

Reusable Subform S55TEST SECURED

Reusable Subform S55TEST

Reusable Subform S55TEST

However, if you apply security to a reusable subform under a power form, and that subform is reused in the same power form, the security is applied to both subforms, as shown in this diagram:

7-32 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Push Button, Link, and Image Security

Figure 72 Push Button, Link, and Image Security on a Reusable Subform - Scenario 2

Power Form F55TESTB

Reusable Subform S55TEST SECURED Reusable Subform S55TEST SECURED


Because security functions differently on embedded subforms than it does on reusable subforms, Security Workbench provides a way for you to distinguish between the two forms. To make this distinction, the tree structure in Security Workbench displays the embedded subform using its form ID, and it displays the reusable subform using its form title.

7.14.2 Adding Push Button, Link, and Image Security


Enter P00950 in the Fast Path to access the Work With User/Role Security form.
1. 2.

From the Form menu, select Set Up Security, and then select the menu for push buttons, links, or images, depending on the type of object that you want to secure. Complete the User / Role field and click Find. Enter a complete user or role, which includes *PUBLIC.

3.

In the Display UnSecured Items region, complete the appropriate fields and then click Find: Application Enter an interactive application name, such as P01012. Enter *ALL to display all applications.
Note:

Batch applications are not supported.

Version You can enter a particular version of the application that you entered in the Application field. If you leave this field blank, Security Workbench displays all unsecured versions associated with the application in the UnSecured node.

Product Code Enter a product code to display all applications, versions, and forms associated with a particular product code. This field does not work in conjunction with the Application and Version fields.

The search results appear under the UnSecured node.

Using Security Workbench

7-33

Managing Text Block Control and Chart Control Security

4.

Expand the UnSecured node to view the individual applications or versions, and the forms associated with each. Only the forms that contain controls are displayed.

5.

Under the Create with region, select the type of security that you want to apply: View This option prevents the user from using and viewing the control. Enable This option prevents the user from using the control. However, the control is still visible.

6.

Use one of these actions to secure the items: Drag items from the UnSecured node to the Secured node. From the Row menu, select All Objects to move all applications to the Secured node. The system displays the items under the Secured node that have the appropriate security. You can view the security for each item in the grid.

7.14.3 Removing Push Button, Link, and Image Security


Enter P00950 in the Fast Path.
1. 2.

On the Work with User/Role Security form, select the Form menu, Set Up Security, and then the menu for push buttons, links, or images. Enter a user or role ID from which you want to remove the security in the User / Role field. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

Click Find. Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

4.

Perform one of these steps: Under the Secured node, select an application or application version and click Delete. Under the Secured node, drag an application or application version from the Secured node to the UnSecured node. On the Row menu, select Remove All to move all items from the Secured node to the UnSecured node.

7.15 Managing Text Block Control and Chart Control Security


This section provides an overview of text block control and chart control security and discusses how to:

Review current text block control and chart control security settings. Add text block control and chart control security. Remove text block control and chart control security.

7-34 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Text Block Control and Chart Control Security

7.15.1 Understanding Text Block Control and Chart Control Security


JD Edwards EnterpriseOne enables you to secure users from using or viewing text block and chart controls. You can secure users from using a control but still allow them to view it. Or you can prevent users from both using and viewing a control. In JD Edwards EnterpriseOne, a text block or chart control can have separate segments that contain links to other objects. You cannot secure these individual segments of a control. When you secure a text block or chart control, security is applied to the entire control.
See Also:

"Understanding Text Block Controls" in the JD Edwards EnterpriseOne Tools Development Tools: Form Design Aid Guide.

7.15.2 Reviewing Current Text Block Control and Chart Control Security Settings
Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select Set Up Security from the Form menu, and then select the menu for text block control or chart control. Enter the user or role ID in the User / Role field and click Find. You can enter *PUBLIC but not wildcards. The system displays the control security settings for the user or role under the Secured node in the tree.

3.

To see if control security is applied to a particular application, version, or form, complete a combination of these fields in the Display UnSecured Items region, and then click Find: Application Enter an application name, such as P01012. Version Enter a version of the application entered in the Application field to see if control security is applied to the version. Form Name Enter a form name, such as W0101G.

4.

Expand the Secured node and click a secured item to view the current security settings for the user or role in the detail area.

7.15.3 Adding Text Block Control and Chart Control Security


Enter P00950 in the Fast Path to access the Work With User/Role Security form.
1.

From the Form menu, select Set Up Security, and then select the menu for text block control or chart control, depending on the type of control that you want to secure. Complete the User / Role field and click Find. Enter a complete user or role, which includes *PUBLIC.

2.

3.

In the Display UnSecured Items region, complete the appropriate fields and then click Find: Application
Using Security Workbench 7-35

Managing Text Block Control and Chart Control Security

Enter an interactive application name, such as P01012. Enter *ALL to display all applications.
Note:

Batch applications are not supported.

Version You can enter a particular version of the application that you entered in the Application field. If you leave this field blank, Security Workbench displays all unsecured versions associated with the application in the UnSecured node.

Product Code Enter a product code to display all applications, versions, and forms associated with a particular product code. This field does not work in conjunction with the Application and Version fields.

The search results appear under the UnSecured node.


4.

Expand the UnSecured node to view the individual applications or versions, and the forms associated with each. Only the forms that contain controls are displayed.

5.

Under the Create with region, select the type of security that you want to apply: View This option prevents the user from using and viewing the control. Enable This option prevents the user from using the control. However, the control is still visible.

6.

Use one of these actions to secure the items: Drag the text block or chart control from the UnSecured node to the Secured node. Select the control that you want to secure and then select Secure Selected from the Row menu. From the Row menu, select All Objects to move all applications to the Secured node. The system displays the items under the Secured node that have the appropriate security. You can view the security for each item in the grid.

7.15.4 Removing Text Block Control and Chart Control Security


Enter P00950 in the Fast Path.
1. 2.

On the Work with User/Role Security form, select the Form menu, Set Up Security, and then the menu for text block control or chart control security. Enter a user or role ID from which you want to remove the security in the User / Role field. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

Click Find.

7-36 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Media Object Security

Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.
4.

Perform one of these steps: Under the Secured node, select an application or application version and click Delete. Under the Secured node, drag an application or application version from the Secured node to the UnSecured node. On the Row menu, select Remove All to move all items from the Secured node to the UnSecured node.

7.16 Managing Media Object Security


This section provides an overview of media object security and discusses how to:

Review the current media object security settings for a user or role. Add media object security. Remove media object security.

7.16.1 Understanding Media Object Security


JD Edwards EnterpriseOne enables you to secure users from adding, changing, deleting, or viewing media objects within interactive applications, forms, or application versions. You can apply media object security to ensure that media object attachments cannot be modified or tampered with after they have been added. If you apply view security to media object attachments, Security Workbench automatically prevents the user from adding, deleting, or changing media objects. If you apply change security to media object attachments, Security Workbench automatically prevents the user from deleting the media object. Media object security enables you to use media object attachments as a mechanism for recording justifications for transactions and for legal purposes. For example, your company may have a business process that requires clerks to use media object attachments to document the reason or justification for adjusting a price on an item in a transaction. In this case, you would allow the clerks to add and view media object attachments in an application, but secure them from deleting or modifying them. In addition, this type of security prevents users from modifying or deleting attachments that others have added. As a result, the media object attachments provide secured information about previous transactions. This information can be reviewed by interested parties for legal or other purposes.
Note:

Media object security is enforced only in interactive applications on the JD Edwards EnterpriseOne web client and the Portal. It is not supported on the Microsoft Windows client. Also, media object system functions enforce media object security in the web client. When running applications that have media object security applied to them, the system logs the security information for the system functions in the web client debug log file.

Using Security Workbench

7-37

Managing Media Object Security

7.16.2 Reviewing the Media Object Security Settings


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Media Object. On the Media Object Security form, enter the user or role ID in the User / Role field and click Find. You can enter *PUBLIC but not wildcards. The system displays current media object security settings for the user or role under the Secured node in the tree.

3.

To see if a media object security is applied to a particular application, version, or form, complete a combination of these fields in the Display UnSecured Items region, and then click Find: Application Enter an application name, such as P01012. Version Enter a version of the application entered in the Application field to see if media object security is applied to the version. Form Name Enter a form name, such as W0101G.

4.

Expand the Secured node and click a secured item to view the current security settings for the user or role in the detail area.

7.16.3 Adding Media Object Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Media Object. On the Media Object Security form, enter the user or role ID in the User / Role field and click Find. You can enter *PUBLIC but not wildcards. Current media object security settings for the user or role appear under the Secured node in the tree.

3.

To find the applications, versions, or forms to which you want to apply media object security, complete any of these fields in the Display UnSecured Items region, and then click Find: Application Enter an application name, such as P01012. Enter *ALL to display all applications. Version Enter a version of the application you entered in the Application field. If you leave this field blank, all versions associated with the application will appear in the UnSecured node. Product Code

7-38 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Media Object Security

4. 5.

Expand the Unsecured node to view individual applications, versions, and forms in the detail area. In the Create with region, select any of these options: Change Add Delete View
Note:

If you apply view security to media object attachments, Security Workbench automatically prevents the user from adding, deleting, or changing media objects. If you apply change security to media object attachments, Security Workbench automatically prevents the user from deleting the media object.

6.

To secure the media objects on an application, application version, or form, perform one of these steps: Drag the application, version, or form from the UnSecured node to the Secured node. From the Row menu, select All Objects to move all items to the Secured node. From the Row menu, select Secure to All to move all objects beneath the UnSecured node to the Secured node. For example, to set delete security, select the Delete option. Next, drag the application from the UnSecured node to the Secured node. The detail area will reflect the media object security that you set for this application. The applications or forms now appear under the Secured node, and they have the appropriate media object security.

7.16.4 Removing Media Object Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Media Object. In the User / Role field, enter a user or role ID from which you want to remove media object security. Enter a complete user or role, which includes *PUBLIC but not wildcards.

3.

Click Find. Current security settings for that user or role appear under the Secured node in the tree. Expand the node to view the individual secured applications. After you expand the node, the applications that are secured also appear in the detail area.

4.

Perform one of these steps: Under the Secured node, select an application or application version and click Delete. Under the Secured node, drag the item that is secured from the Secured node to the UnSecured node.

Using Security Workbench

7-39

Managing Application Query Security

On the Row menu, select Remove All to move all items from the Secured node to the UnSecured node.

7.17 Managing Application Query Security


This section provides an overview of Application Query Security and discusses how to:

Set Up Application Query Security for Applications Set Up DataBrowser Query Security Select Error or Warning Messages Find Existing Query Security Records Edit Query Security Records Delete Query Security Records Enable or Disable Security Exclude Users Configure Error Messages Using DD Items Configure Fields

7.17.1 Understanding Application Query Security


Application Query Security prevents users from performing searches if they have not entered search criteria in the form filter fields or QBE fields. If users try to perform a search without entering search criteria, they receive an error or warning message that alerts them that their search has been suppressed. If users enter search criteria, then the search functionality will proceed.

7.17.2 Setting Up Application Query Security for Applications


You set up application query security at the form level for all users. Use these steps to set up application query security:
1. 2.

Access your web client application. In the Fast Path field, type P00950. The Work with User/Role Security form displays.

3.

From the Form menu, click Set Up Security, and then click App Query Security. From the Form menu, click Set Up Security, and then click App Query Security. The Work with Application Query Security form displays.

4.

From the Form menu, click Add Application. The Setup Application Query Security form displays.

5. 6.

Select Application. In the Application Name field, enter the application name to which you are adding query security, or click the Search button and select an application from the Interactive Application Search and Select form.

7-40 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Application Query Security

7.

In the Form Name field, enter the form name to which you are adding query security, or click the Search button and select a form from the Interactive Application Search and Select form. For example, if you enter W01012B in the Form Name field, then the options you assign for the query security will apply to the Work With Address Book (W01012B) form.

8.

Select one of the following Field Entry Requirements: At Least One Form Filter or QBE Field Select this option if users must enter search criteria into at least one filter field on the form or QBE column. Configured Fields Select this option to select one or more required form filter fields or QBE fields for the form.

9.

Select one of the following Message Types: Error Select this option if you want an error message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously. Warning Select this option if you want a warning message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

10. Click OK.

7.17.3 Setting Up DataBrowser Query Security


You set up databrowser query security records if you want to secure users from entering wide open queries from the Data Browser. Similar to Application Query Security, you can specify required filter fields and QBE columns the user must enter when querying via the Data Browser. Use these steps to set up DataBrowser query security:
1. 2.

Access your web client application. In the Fast Path field, type P00950. The Work with User/Role Security form displays.

3.

From the Form menu, click Set Up Security, and then click App Query Security. The Work with Application Query Security form displays.

4.

From the Form menu, click Add Application. The Setup Application Query Security form displays.

5.

From the Form menu, click Add Application, and then select Databrowser. Notice that DATABROWSE already displays in the Application Name field, and the databrowser options display. At Least One Form Filter Field or QBE Field

Using Security Workbench

7-41

Managing Application Query Security

Select this option if users must enter search criteria into at least one filter field on the form or QBE column. Configured Fields Select this option to select one or more required form filter fields or QBE fields for the form.
6.

Select one of the following Message Types: Error Select this option if you want an error message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously. Warning Select this option if you want a warning message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

7.

Click OK.

7.17.4 Selecting Error or Warning Messages


You can opt for users to see an error or warning message when they try to search for data without entering search criteria on a form. Use these steps to select error or warning messages:
1. 2.

Access your web client application. In the Fast Path field, type P00950. The Work with User/Role Security form displays.

3.

From the Form menu, click Set Up Security, and then click App Query Security. The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

4.

From the grid, select the existing record, and then click Select. The Setup Application Query Security form displays with all of the application and form name query security information.

5.

Select one of the following Message Types: Error Select this option if you want an error message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified above. Warning Select this option if you want a warning message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.

6.

Click OK.

7.17.5 Finding Existing Query Security Records


Use these steps to find existing query security records:

7-42 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Application Query Security

1. 2.

Access your web client application. In the Fast Path field, type P00950. The Work with User/Role Security form displays.

3.

From the Form menu, click Set Up Security, and then click App Query Security. The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

4.

Select Application Secured to view the application that have query security, or select Excluded Users to view the list of users excluded from the query security. For each Application Query Security record, you can define one or more users that are excluded from the security. These users are called Excluded Users. See the "Excluding Users" section of this document for details.

5.

Click Close.

7.17.6 Editing Existing Query Security Records


You can edit records with existing information like Field Entry Requirements, Error type and enable and disable security records. Use these steps to edit an existing query security record:
1. 2.

Access your web client application. In the Fast Path field, type P00950. The Work with User/Role Security form displays.

3.

From the Form menu, click Set Up Security, and then click App Query Security. The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

4. 5.

Click Find. From the grid, select the existing query security record, and then click Select. The Setup Application Query Security form displays with all of the application and form name query security information.

6.

Select one of the following Field Entry Requirements: Form Filter Field Select this option if users must enter search criteria into at least one filter field on the form or QBE column. QBE Fields Select this option if you want users to enter search criteria into a QBE field on a grid.

7.

Select one of the following Message Types: Error Select this option if you want an error message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified above. Warning

Using Security Workbench

7-43

Managing Application Query Security

Select this option if you want a warning message to pop up when users try to execute a query that does not satisfy the Field Entry Requirements specified previously.
8.

Click OK.

7.17.7 Deleting Query Security Records


Deleting a query security records removes it from EnterpriseOne. Use these steps to delete a query security record:
1. 2.

Access your web client application. In the Fast Path field, type P00950. The Work with User/Role Security form displays.

3.

From the Form menu, click Set Up Security, and then click App Query Security. The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

4.

From the grid, select the existing record, and then click Delete. A dialog box displays that says, "Are you sure you want to delete the selected item?"

5.

Click OK.

7.17.8 Enable or Disable Query Security Records


You can set up an Application Query Security record and enable or disable it at a different time. When you disable an Application Query Security record, the record will not be enforced on the users using the application. Use these steps to enable or disable query security records:
1. 2.

Access your web client application. In the Fast Path field, type P00950. The Work with User/Role Security form displays.

3.

From the Form menu, click Set Up Security, and then click App Query Security. The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

4.

From the grid, select the existing record, and then click Select. The Setup Application Query Security form displays with all of the application and form name query security information.

5.

Select one of the following options: Enable Select this option if you want application query security to be turned on for the application you are editing. Disable Select this option if you want application query security to be turned off for the application you are editing.

6.

Click OK.

7-44 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Application Query Security

7.17.9 Excluding Users


Application Query Security is applied to all users (*PUBLIC), which encompasses all users. Some users may need to perform an open ended fetch for a particular reason. Therefore, some users need to be excluded from the application query security. The Exclude Users form enables you to exclude one or more users from the application security record. Use these steps to exclude users:
1. 2.

Access your web client application. In the Fast Path field, type P00950. The Work with User/Role Security form displays. Any query security instances that have already been set up display in the grid.

3.

From the Form menu, click Set Up Security, and then click App Query Security. The Work with Application Query Security form displays. Any query security instances that have already been set up display in the grid.

4. 5.

From the grid, select the existing record, and then click the Row exit. Click Exclude Users. The Exclude Users form displays.

6. 7.

In the User ID field, enter the ID of the user you want to exclude from the Application Query Security you have set up for the record you selected. Click OK.

7.17.10 Configuring Error Messages Using Data Dictionary Items


You can configure the custom error message by using the following Data Dictionary Items. This ability enables you to add custom messages using Glossary Overrides.

POFERR Applications Query Security Error POFWAR - Applications Query Security Warning

Use these steps to configure error messages using data dictionary items:
1. 2. 3. 4. 5.

Access your web client application. In the Fast Path field, type DD. Click work with Data Dictionary Items. In the Alias field of the QBE line, enter POFERR. Click Find, and then select the DD Item. By default it comes with default error message in item glossary.

6. 7. 8. 9.

From the Row menu, click Glossary Overrides. Click Add. Enter the appropriate information, and then click OK to save. In the Work with Data Dictionary Items form click Find and select the entered record.

10. Click Select to enter the custom message. 11. Enter the text in the attachment and click on OK to save the data.

Using Security Workbench

7-45

Managing Data Browser Security

7.17.11 Configuring Fields


Configuring fields enables you to select one or more specific form filter fields, QBE fields, or both for the required search criteria. Use these steps to configure fields:
1. 2.

Follow the steps for Setting Up Application Query Security for Applications, making sure to select the Configured Fields option. From the Tools menu, click Configured Fields. The available form filter fields and QBE fields display.

3.

Select the required fields for the search value, and then click Save.

7.18 Managing Data Browser Security


This section provides an overview of Data Browser security and discusses how to:

Add Data Browser security. Remove Data Browser security.

7.18.1 Understanding Data Browser Security


Data Browser security enables you to grant permission to users, roles, or *PUBLIC to access the Data Browser program. There are two levels of Data Browser security that you can assign to users. The first level grants access to the Data Browser, which users can use to perform public or personal queries. After you grant this access, you can grant an additional level of security that allows Data Browser users to select a particular table or business view that they wish to query. You can also use the Copy feature in Security Workbench to copy Data Browser security from one user or role to another.
See Also:

"Viewing the Data in Tables and Business Views" in the JD Edwards EnterpriseOne Tools Foundation Guide.

7.18.2 Adding Data Browser Security


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, Set Up Security, Data Browser. On the Data Browser Security form, enter the user or role ID in the User / Role field and click Find. You can enter *PUBLIC but not wildcards.

3.

In the Data Browser hierarchical security permissions region, select one or both of these options, depending on the level of security that you want to grant: Allow access to launch Data Browser. This option gives users access to the Data Browser, which they can use to perform personal or public queries. Allow access to Search and Select for Tables or Business View Queries.

7-46 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Published Business Services Security

This option gives users the ability to search and select the table or business view that they want to query.
Note:
4.

This option is enabled only after you select the first option.

Click OK.
Note:

To activate Data Browser security changes, you must refresh the jdbj security cache using the SAW.

7.18.3 Removing Data Browser Security


You can remove Data Browser security using the Data Browser Security form or the Work With User/Role Security form. To remove security using the Data Browser Security form, clear the security check boxes for a user, role, or *PUBLIC. Using the Work With User/Role Security form, search for the security record and then delete the Data Browser security record from the grid.

7.19 Managing Published Business Services Security


This section provides an overview of published business services security and discusses how to:

Review the current published business services security records. Authorize access to published business services. Add multiple published business services security records at a time. Delete published business services security.

7.19.1 Understanding Published Business Services Security


JD Edwards EnterpriseOne provides security to ensure that web service consumers are authenticated in the JD Edwards EnterpriseOne system and authorized to access published business services. The authentication of users of published business service users is handled by the Business Services Server and EnterpriseOne security server. After a user is authenticated by the JD Edwards EnterpriseOne security server, the system checks if the user is authorized to run a published business service by retrieving records from the JD Edwards EnterpriseOne F00950 security table, which contains all the object security records.
Note:

This section discusses only the authorization of users to access published business services.

For published business services, JD Edwards EnterpriseOne uses a "secure by default" security model which means that users cannot access a published business service unless a security record exists that authorizes access. For all other objects in JD Edwards EnterpriseOne, access is granted unless otherwise secured or restricted. You manage published business services security using Security Workbench (P00950), the application used to manage all object security in JD Edwards EnterpriseOne. In P00950, you can add, copy, modify, or delete security records for published business

Using Security Workbench

7-47

Managing Published Business Services Security

services. When a user tries to access or run a published business service, verification of authorization is done through an API that queries records in the F00950 security table. As with all object security in JD Edwards EnterpriseOne, you can assign published business service security to a user, role, or *PUBLIC. You can create a security record that allows a user or role access to:

A particular method in a published business service. All methods in a published business service. All published business services.

It is recommended that you set up security by role first. This method makes setting up published business services security easier; instead of defining security for individual users, you can define security for the role and then assign users to the appropriate roles. If an individual in a role needs a different security setup, you can assign security at the user level, which overrides the role settings. In addition, you can create a security record that disallows access to a published business service. Typically, there is no need to add security records that disallow access because by default, access to published business services is not allowed. However, creating a security record that disallows access can be an efficient method to set up published business services security. For example, to allow a role access to all but a small subset of published business services, you can:

Enter *ALL in the fields for the published business service and published business service method to create a security record that allows the role access to all published business services. Create security records for the same role that disallows access to a subset of published business services.

7.19.1.1 Inherited Security


When creating a published business service, a developer can configure it to pass its context to any published business service that it calls. In this configuration, authorization for the called published business service is inherited; that is, if the calling business service is authorized, then the called business service is authorized as well. In this scenario, the system does not check the security for the called business service. However, it is possible (though not supported) to configure a published business service so that it does not pass its context to another business service. In this scenario, the security or authorization for the called published business service is not inherited. Even if a user is authorized to access the calling or parent business service, the system also checks if access to the called business service is allowed. As a result, if there is not a security record that allows access to the called business service, the system will produce an exception or error, denying access to the called business service.

7.19.1.2 How JD Edwards EnterpriseOne Checks Published Business Services Security


JD Edwards EnterpriseOne checks security for published business services in the same sequence that it checks security for all other JD Edwards EnterpriseOne objectsfirst by user, then role, and finally *PUBLIC. The system applies the first security record found. In addition, for the user, role, and *PUBLIC, the system checks for published business services security in this sequence:

Published business service + method.

7-48 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Published Business Services Security

Published business service. *ALL.


Note: Using *ALL to set up object security in Security Workbench is not related to the *ALL functionality that is used to sign into JD Edwards EnterpriseOne. *ALL in Security Workbench enables you to assign a user, role, or *PUBLIC to all objects of a particular type. *ALL during sign-in enables users to sign into JD Edwards EnterpriseOne with all the roles that have been assigned to them.

This illustration shows how the system checks for published business services security for a user signed in with *ALL and a user signed in with a specific role:
Figure 73 *Role 1 has the highest role sequence.

User Signed In Using *ALL as Role User Id / Method + Published Business Service User Id / Published Business Service User Id / *ALL Role 1 / Method + Published Business Service Role 1 / Published Business Service Role 1 / *ALL Role n / Method + Published Business Service Role n / Published Business Service Role n / *ALL *Public / Method + Published Business Service *Public / Published Business Service *Public / *ALL

User Signed In Using a Specific Role User Id / Method + Published Business Service User Id / Published Business Service User Id / *ALL Sign-in Role / Method + Published Business Service Sign-in Role / Published Business Service Sign-in Role / *ALL *Public / Method + Published Business Service *Public / Published Business Service *Public / *ALL

Using Security Workbench

7-49

Managing Published Business Services Security

If a user is assigned to multiple roles and signs in as *ALL, the system uses role sequencing to determine which security record is used. A system administrator sets up role sequencing when setting up user and role profiles. See Sequencing Roles.

7.19.1.3 Published Business Services Security Log Information


The log file provides administrators with information that you can use for troubleshooting business service security without revealing details that could possibly create a gap in the security. When a web service attempts to access a published business service in JD Edwards EnterpriseOne, the system records the authorization information in the log file. If the logging level is set to "Debug," the log file records whether authorization was granted or denied. If the log level is set to "Severe," the system only logs information if the attempt to access a web service fails. This is an example of the information provided in the log file:
Access to <method name> in <published business service name> is <granted/denied> for <user name> with <role name>.

See Also

Server Manager Guide for information on how to view business service security log file information. JD Edwards EnterpriseOne Business Services Server Reference Guide for information on how to configure JD Edwards EnterpriseOne to authenticate users of published business services.

7.19.2 Reviewing the Current Published Business Services Security Records


You can use the Work With User/Role Security form in P00950 to review existing published business services security records. The query by example row of the grid enables you to display all security records for published business services. You can further narrow the search by locating the records for a user, role, or a particular published business service. In addition, you can review published business services security records by running the Security Audit ReportsSecurity by Object (R009501) and Security by User/Role (R009502). See Running a Report that Lists Published Business Service Security Records. From the Security Maintenance menu (GH9052), select Security Workbench (P00950).
1. 2. 3.

On the Work with User/Role Security form, enter S in the Security Type column and then click Find. To narrow the search by user or role, enter a user or role in the query by example field in the User / Role column and then click Find. To view the security records for a particular published business service, complete the query by example field at the top of the Published BSSV column and then click Find.

7.19.3 Authorizing Access to Published Business Services


In P00950, you can create security records that allow a user, role, or *PUBLIC access to:

A particular method in a published business service.

7-50 JD Edwards EnterpriseOne Tools Security Administration Guide

Managing Published Business Services Security

A published business service. All published business services.

From the Security Maintenance menu (GH9052), select Security Workbench (P00950).
1.

On Work with User/Role Security, select the Form menu, Set Up Security, Published BSSV. By default, *PUBLIC is in the User / Role field. If any records exist for *PUBLIC, those records appear in the grid.

2. 3.

On Published Business Service Security Revision, enter the user, role, or *PUBLIC to which you want to allow access to a published business service. To allow access to a particular method in a published business service:
a. b.

On Published Business Service Security Revision, click the visual assist in the Published BSSV column to search for and select a published business service. On the same form, click the visual assist in the Published BSSV Method column to select the method that you want to allow access to. On Published BSSV Method, you must enter the published business service again in the Published BSSV column to see a list of all the methods for the published business service. The system displays published business services by the method that is being exposed in the published business service. A published business service that contains multiple methods will have multiple rows in the grid, one for each method.

c. d.

Select the row that contains the method that you want to secure and then click the Select button. On Published Business Service Security Revision, click the visual assist in the Execute Allowed column and then select Y to allow access to the published business service method.

4.

To allow access to a published business service (including all its methods):


a. b. c. d.

Click the visual assist in the Published BSSV column to search for published business services. On Select Business Service, complete the Business Service field and click the Find button. Select the published business service that you want to secure and then click the Select button. On Published Business Service Security Revision, in the row that contains the published business service, enter *ALL in the Published BSSV Method column. In the same row, click the visual assist in the Execute Allowed column and then select Y to allow access to the published business service.

e. 5.

To allow access to all published business services:


a. b. c. d.

Enter *ALL in the row under the Published BSSV column. Enter *ALL in the row under the Published BSSV Method column. Click OK. In the same row, click the visual assist and then select Y to allow access to the published business services objects.

Using Security Workbench

7-51

Managing Published Business Services Security

By default, users are not allowed access to published business services objects in JD Edwards EnterpriseOne. However, you can select N to create a security override that disallows access to an object.

7.19.4 Adding Multiple Published Business Services Security Records at a Time


Security Workbench provides a form that you can use to add multiple published business services security records at a time. From the Security Maintenance menu (GH9052), select Security Workbench (P00950).
1. 2. 3.

On Work with User/Role Security, select the Form menu, Set Up Security, Published BSSV. On Published Business Service Security Revision, from the Form menu, select Secure by Method. On the Secure by Method form, enter the user, role, or *PUBLIC for which you want to set up published business services security, and then click the Find button. The system displays published business services by the method that is being exposed in the published business service. A published business service that contains multiple methods will have multiple rows, one for each method.

4.

Use the query-by-example fields at the top of the grid to refine your search. For example, if you want to set up security for all methods that perform an add or delete, you search for those methods by typing add* or delete* in the Published BSSV Method query by example field in the grid. Select the check box next to the items that you want to secure. Click either the Allow Execute or Disallow Execute button. On Confirm Batch Secure, click OK. The system displays the number of records that were added or updated.

5. 6. 7.

7.19.5 Deleting Published Business Services Security


To delete published business services security records, you can use the same form that you used to authorize access to published business services. In addition to this method, you can use the Work with User/Role Security form in P00950 to delete the records in the same way that you would delete any other object security record. See Deleting Security on the Work With User/Role Security Form. From the Security Maintenance menu (GH9052), select Security Workbench (P00950).
1. 2.

On Work With User/Role Security, select the Form menu, Set Up Security, Published BSSV. On Published Business Service Security Revision, enter the user, role, or *PUBLIC from which you want to delete a published business services security record and then click Find. Click the check box next to the each record that you want to delete and then click the Delete button. Click OK to confirm the delete.

3. 4.

7-52 JD Edwards EnterpriseOne Tools Security Administration Guide

Copying Security for a User or a Role

7.20 Copying Security for a User or a Role


This section provides an overview of copying security for a user or a role and discusses how to:

Copy all security records for a user or a role. Copy a single security record for a user or a role.

7.20.1 Understanding How to Copy Security for a User or a Role


You can copy the security information for one user or role, and then use this information for another user or role. When you copy security, you can either overwrite the current security for the user or role, or you can add the new security information to the existing security information. You can also copy all of the security records for a user or role, or you can copy one security record at a time for a user or role.

7.20.2 Copying All Security Records for a User or a Role


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, select the Form menu, and then select Copy Security. Select one of these options: Copy and Add When you copy and add security settings, you do not overwrite preexisting security for user or role. Copy and Replace When you copy and replace security settings, the software deletes the security information for a user or role, and then copies the new security information from the selected user or role.

3.

Complete these fields and click OK: From User / Role To User / Role The system saves the security information and returns you to the Work With User/Role Security form.

7.20.3 Copying a Single Security Record for a User or a Role


Enter P00950 in the Fast Path.
1. 2. 3.

On the Work With User/Role Security form, locate a security record. Select the security record row that you want to copy, and then click Copy. Complete the To User / Role field and click OK. The system saves the security information and returns you to the Work With User/Role Security form.

Using Security Workbench

7-53

Reviewing and Deleting Security Records on the Work With User/Role Security Form

7.21 Reviewing and Deleting Security Records on the Work With User/Role Security Form
This section provides an overview on how to review security records and discusses how to:

Review security on the Work With User/Role Security form. Delete security on the Work With User/Role Security form.

7.21.1 Understanding How to Review Security Records


On the Work With User/Role Security form in P00950, you can review security records for a user or role based on security type, such as action, application, row, or any of the other types of security that can be added in P00950. The system displays all the security records for the user or role based on the security type that you select. For example, when you search for application security records for the AP Role, the system displays all the application security records for the AP role in the application grid. The settings for each security type are displayed as columns in the grid. The columns that appear in the grid are based on the security type that you select. For example, application security provides two different levels of security: run and install. When you search for application security records, P00950 displays only the columns for Run and Install in the grid. However, action security contains several settings, such as OK/Select, Copy, Delete, OK, and so forth. When you search for action security records, the grid displays only columns for each of these security settings. The value in the column, either Y or N, indicates whether or not each setting is secured. In addition, you can search on all security records of a particular security type. As a result, the system displays records for every user and role with the security type that was specified. You can search on all Security Workbench records by clicking the Find button.
Note:

You can also review and delete security records on the form used to add a particular type of object security record, such as application, action, row, and so forth. Refer to the section on how to manage a particular type of object security for more information.

7.21.2 Reviewing Security on the Work With User/Role Security Form


Enter P00950 in the Fast Path to access the Work With User/Role Security form.
1. 2. 3.

On the Work With User/Role Security form, click Find. To search for records by user or role, complete the User/Role field and then click Find. To narrow the search by security type, click the Search button in the Security Type column to select a code and then click the Find button.

7.21.3 Deleting Security on the Work With User/Role Security Form


Enter P00950 in the Fast Path.
1. 2.

On the Work With User/Role Security form, click Find. To search for records by user or role, complete the User/Role field and then click Find.

7-54 JD Edwards EnterpriseOne Tools Security Administration Guide

Running Security Workbench Records Reports

3. 4. 5.

To narrow the search by security type, click the Search button in the Security Type column to select a code and then click the Find button. Select a record in the grid, and then click Delete. On Confirm Delete, click OK. Security Workbench deletes the security record and refreshes the grid.

7.22 Running Security Workbench Records Reports


This section provides an overview of the Security Workbench Records reports and discusses how to:

Run the Security Audit Report by Object version (R009501, XJDE0001). Run the Security Audit Report by User version (R009502, XJDE0001). Run the Security Audit Report by Role version (R009502, XJDE0002).

7.22.1 Understanding the Security Workbench Records Reports


JD Edwards EnterpriseOne provides two Security Workbench Records reportsSecurity by Object (R009501) and Security by User/Role (R009502)that you can run to review the current security records by object type and user or role. The Security Workbench Records reports list security records for these objects:

Interactive and batch applications. Tables (rows and columns). Published business services.

Before choosing which report to run, you should consider the data that you want the report to produce. Run the Security by Object report (R009501) to generate a report that lists the security records based on a particular object, object type, or product code. You can refine the data selection for this report to list only records for a particular user ID, role, or a combination of user ID and role. Run the Security by User/Role report (R009502) to generate a report that lists all the application, row, column, and published business service security records for a particular user ID, role, or *PUBLIC. Each report contains processing options that you can use to define the output of the report. Along with the processing options, you can use the Data Selection form in the Batch Version program (P98305W) to further refine the data that the report produces. Each security record in the report indicates the level of security, or type of security, that is applied to the object. For application security, each record indicates if a user or role has permission to install, run, or both install and run the application. For row security, each record indicates if view, add, change, or delete security have been applied. For column security, each record indicates if view, add, or change security have been applied. For published business service security, each record indicates whether a user or role has access to the published business service object. How you set up your report determines how readily you can find gaps in your security plan. For example, if you have a highly sensitive application and you want to ensure that only the appropriate users have access to it, you can refine the R009501 report (Security Audit Report by Object) to list only the security records for that particular application.

Using Security Workbench

7-55

Running Security Workbench Records Reports

7.22.1.1 Example of Security by Object Report (R009501)


This example shows the results of running the R009501 report. The report has been set up to list all the security records for the P00950 program.
Figure 74 Example of Security by Object Report.

7.22.1.2 Example of Security Audit Report by User (R009502, XJDE0001)


This example shows the results of running the Security Audit Report by User version of the R009502 report. The report lists the security records for a particular user in order of application, row, and then column. This example shows only the first page of the report, which lists the application security records for the user ID.

7-56 JD Edwards EnterpriseOne Tools Security Administration Guide

Running Security Workbench Records Reports

Figure 75 Example of Security Audit Report by User Report

7.22.1.3 Example of Security Audit Report by Role (R009502, XJDE0002)


This example shows the results of running the Security Audit Report by Role version of the R009502 report. The data selection of the report has been defined to list security records for the OWTOOL role. This example shows the third page of the report, which lists the row and column security records for the OWTOOL role.
Figure 76 Example of Security Audit Report by Role

Using Security Workbench

7-57

Running Security Workbench Records Reports

7.22.2 Run the Security Audit Report by Object Version (R009501, XJDE0001)
Access the Work With Batch Versions - Available Versions form. To do so, enter P98305W in the Fast Path.
1. 2. 3.

In the Batch Application field, enter R009501 and click the Find button. Select the Security Audit Report by Object version. To define processing options for the report, select Processing Options from the Row menu, and then complete the processing options as appropriate: User ID or Role (optional) Enter a user ID or role to refine the report to generate only records based on that particular user ID or role. Report on Application Security Leave blank if you want the report to include application security records. Enter 1 to exclude application security records. Report on Row Security Leave blank if you want the report to include row security records. Enter 1 to exclude row security records. Report on Column Security Leave blank if you want the report to list application security records. Enter 1 to exclude application security records. Report on Published BSSV Security Leave blank if you want the report to list published business service security records. Enter 1 to exclude published business service security records.
Note:

In addition, to generate a report that displays published business service security records, you need to add an additional condition in the Data Selection form, as discussed below.

4. 5. 6.

On the Work With Batch Versions - Available Versions form, click Select. On the Versions Detail form, select the Data Selection check box and click the Submit button. On the Data Selection form, you can add a condition to filter on a particular object, object type, or product code. If the processing option is set to list published business service security records, you must add the following condition after the default Where condition:
And BC Source Language (F9860) (SRCLNG) [BC] is equal to "SBF"

7. 8.

Click the OK button. On the Printer Selection form, define the location for the output of the report and then click OK to submit it.

7.22.3 Run the Security Audit Report by User Version (R009502, XJDE0001)
Access the Work With Batch Versions - Available Versions form. To do so, enter P98305W in the Fast Path.

7-58 JD Edwards EnterpriseOne Tools Security Administration Guide

Running Security Workbench Records Reports

1. 2. 3.

In the Batch Application field, enter R009502 and click the Find button. Select the Security Audit Report by User version. To define processing options for the report, select Processing Options from the Row menu, and then complete the processing options as appropriate: Role (optional) To refine the report to generate only records based on a particular role of the user, enter a role. Report on Application Security Leave blank if you want the report to include application security records. Enter 1 to exclude application security records. Report on Row Security Leave blank if you want the report to include row security records. Enter 1 to exclude row security records. Report on Column Security Leave blank if you want the report to list column security records. Enter 1 to exclude column security records. Report on Published BSSV Security Leave blank if you want the report to list published business service security records. Enter 1 to exclude published business service security records.

4. 5. 6. 7. 8.

On the Work With Batch Versions - Available Versions form, click Select. On the Versions Detail form, select the Data Selection check box and click the Submit button. On the Data Selection form, use the User ID left operand to define the user ID that you want the report to list security records for. Click OK. On the Printer Selection form, define the location for the output of the report and then click OK to submit it.

7.22.4 Run the Security Audit Report by Role Version (R009502, XJDE0002)
Access the Work With Batch Versions - Available Versions form. To do so, enter P98305W in the Fast Path.
1. 2. 3.

In the Batch Application field, enter R009502 and click the Find button. Select the Security Audit Report by Role version. To define processing options for the report, select Processing Options from the Row menu, and then complete the processing options as appropriate: Role (optional) Do not use this option for this report. Instead, enter the role in the Data Selection form. Report on Application Security Leave blank if you want the report to include application security records. Enter 1 to exclude application security records. Report on Row Security
Using Security Workbench 7-59

Running Security Workbench Records Reports

Leave blank if you want the report to include row security records. Enter 1 to exclude row security records. Report on Column Security Leave blank if you want the report to list application security records. Enter 1 to exclude application security records. Report on Published BSSV Security Leave blank if you want the report to list published business service security records. Enter 1 to exclude published business service security records.
4. 5. 6. 7. 8.

On the Work With Batch Versions - Available Versions form, click Select. On the Versions Detail form, select the Data Selection check box and click the Submit button. On the Data Selection form, use the User ID left operand to define the role that you want the report to list security records for. Click OK on the Data Selection form. On the Printer Selection form, define the location for the output of the report and then click OK to submit it.

7.22.5 Running a Report that Lists Published Business Service Security Records
You can use the Security Workbench Records reports to generate a list of published business service security records by object, user, or role. However, before you run the report, you must use the Data Selection form to specify the published business service object type. Access the Work With Batch Versions - Available Versions form. To do so, enter P98305W in the Fast Path.
1. 2. 3. 4. 5.

In the Batch Application field, enter either R009501or R009502 and click the Find button. Select the version of the report that you want to run. On the Work With Batch Versions - Available Versions form, click Select. On the Versions Detail form, select the Data Selection check box and click the Submit button. On the Data Selection form, enter these conditions and then click OK:
Where BC Object Type (F9860) (FUNO) is equal to "BSFN" And BC Source Language (F9860) (SRCLNG) [BC] is equal to "SBF"

6.

On the Printer Selection form, define the location for the output of the report and then click OK to submit it.

7-60 JD Edwards EnterpriseOne Tools Security Administration Guide

8
8

Setting Up Address Book Data Security


This chapter contains the following topics:

Section 8.1, "Understanding Address Book Data Security" Section 8.2, "Prerequisites" Section 8.3, "Setting Up Permission List Definitions" Section 8.4, "Setting Up Permission List Relationships" Section 8.5, "Enabling or Disabling Secured Private Data from Displaying in Other Applications and Output (Release 8.98.4.10)"

8.1 Understanding Address Book Data Security


The Address Book data security feature enables you to restrict users from viewing address book information that you have determined is personal. After performing the required setup for this feature, secured users can see the fields that you specify as secured, but the fields are filled with asterisks and are disabled. You can set up data security for these fields:

Tax ID Addl Ind Tax ID (additional tax ID) Address Includes Address Lines 1-7, City, State, Postal Code, Country, and County.

Phone Number Includes phone number and phone prefix.

Electronic Address Includes only electronic addresses with Type E.

Day of Birth, Month of Birth, and Year of Birth. Gender

Setting Up Address Book Data Security 8-1

Understanding Address Book Data Security

Note:

In addition to these fields, the system enables you to designate up to eight other user-defined fields as secured. Included in the eight fields are: five string, one math numeric, one character, and one date type. To secure additional fields, you must modify the parameter list in the call to the business function B0100095. For example, if you want to designate Industry Class as a secured field, you must modify the call to the B0100095 business function to map Industry Class in the parameter list.

The Address Book data security feature provides an additional level of security by not allowing secured users to locate valid personal information using the query based example (QBE) line. For example, if a user enters numbers in the Tax ID field of the QBE line, the system does not display the matching record in the event that the user happens to enter a valid tax ID number. Setting up Address Book data security involves these steps:
1.

Selecting the Activate Personal Data Security constant in the Address Book Constants. Personal data security is inactive unless the Activate Personal Data Security constant is selected.

2.

Setting up permission list definitions. Use the Address Book Data Permissions program (P01138) to create one or more permission lists that specify which fields in the Address Book are secured.

3.

Setting up permission list relationships. Use the Permission List Relationships program (P95922) to determine the users or roles that are subject to each permission list.

After you set up Address Book data security, users cannot view information in the fields that you specify as secured. The secured fields appear as asterisks and the system disables these fields for updates. However, users can view their own secured address book information. Also, secured fields are not protected when adding new address book records.

8.1.1 Additional Level of Private Data Security with Release 8.98 Update 4
In addition to storing Address Book private data in the Address Book Data Permission List Definition table (F01138), the system stores private data in these tables:

Address Book-Whos Who (F0111) Address Book-Phone Numbers (F0115) Address by Date (F0116)

When a user runs a report or an application other than the Address Book (such as a Universal Batch Engine report, the Data Browser, or the Universal Table Browser), if EnterpriseOne encounters secured private data in any of the tables in the preceding list, records or columns with secured data do not display in the results. The results displayed depend on whether the fetch is over one or multiple tables. If the fetch is over one table with a secured field, the records that contain secured private data do not appear in the output. If a fetch is over a business view with two tables, the records are displayed, but the columns with secured private data are blank.

8-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Permission List Definitions

For example, if an administrator configures private data security to prevent users of a role from viewing the Tax ID for search type E, and the Who's Who application is launched for an address book record with search type E, a user assigned to this role cannot view records for this Address Book record in the Who's Who application.
Note:

For Release 8.98.4.10, when Address Book data security is configured, you can either enable or disable the additional level of security that prevents secured private data from appearing in other applications and output. See Enabling or Disabling Secured Private Data from Displaying in Other Applications and Output (Release 8.98.4.10) for more information.

8.2 Prerequisites
Select the Activate Personal Data Security constant in the Address Book Constants. See "Setting Up the Address Book System" in the JD Edwards EnterpriseOne 9.0 Address Book Implementation Guide. Set up users and roles in the User Profiles program (P0092) for each user that you want to secure from Address Book information. See Setting Up User Profiles.

8.3 Setting Up Permission List Definitions


This section provides an overview of permission list definitions and discusses how to set up permission list definitions.

8.3.1 Understanding Permission List Definitions


The Permission List Definition program enables you to create multiple lists that determine which Address Book fields are secure. When you create permission lists, you specify a permission list name and a search type, and then select each field that you want to secure. The system stores permission list definitions in the F01138 table.

8.3.2 Forms Used to Set Up Permission List Definitions


Form Name Work With Permission List Definitions FormID W01138A Navigation Usage

Permission List Review existing Management permission list (JDE029160), Address definitions. Book Data Permission Enter P01138 in the Fast Path.

Add/Edit Permission List Definitions

W01138B

Select Add from the Work With Permission List Definitions form.

Create new permission list definitions or revise existing definitions.

8.3.3 Creating Permission List Definitions


Access the Add/Edit Permission List Definitions form.

Setting Up Address Book Data Security 8-3

Setting Up Permission List Relationships

After entering the Permission List Name and the Search Type, select each field that you want to secure.
Permission List Name

Enter a name for the permission list. Enter up to 15 alphanumeric characters.


Search Type

Select the search type for which the permission list applies.

8.4 Setting Up Permission List Relationships


This section provides an overview of permission list relationships and discusses how to set up permission list relationships.

8.4.1 Understanding Permission List Relationships


After you set up permission list definitions, use the Permission List Relationships program to assign them to previously defined user IDs and roles. You can attach a user ID or role to only one permission list. The system stores permission list relationships in the F95922 table.

8.4.2 Forms Used to Create Permission List Relationships


Form Name Work With Permission List Relationships FormID W95922A Navigation Permission List Management (JDE029160), Work With Permission List Relationships Enter P95922 in the Fast Path. Maintain Permission List Relationships W95922D Click Select on the Work With Permission List Relationships form. Set up permission list relationships. Usage Search for a permission list.

8.4.3 Creating Permission List Relationships


Access the Maintain Permission List Relationships form.
1. 2. 3.

In the User or Role field, enter the User ID or Role that you want to attach to a permission list, and then click the find button. Click the right arrow button to attach a User ID or Role to a permission list. Click the left arrow button to remove a User ID or Role from a permission list.

8.5 Enabling or Disabling Secured Private Data from Displaying in Other Applications and Output (Release 8.98.4.10)
With Release 8.98.4.10, EnterpriseOne provides INI file settings to enable or disable the displaying of records with secured private data in applications and output other than the Address Book.

8-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Enabling or Disabling Secured Private Data from Displaying in Other Applications and Output (Release 8.98.4.10)

The settings for enabling and disabling this additional level of private data security are located in the JDBJ.INI file on the HTML Server and the JDE.INI file on the Enterprise Server. Use Server Manager to modify these settings:
INI File JDBJ.INI on the HTML Server Section and Setting [JDBj-RUNTIME PROPERTIES] Values Values are:

true: Excludes records with secured enableDataPrivacySkipRec data from all other output sources. ord= false (or leave blank): This is the default. Allows records with secured data to appear in other output sources. [DB SYSTEM SETTINGS] Values are:

JDE.INI file on the Enterprise Server

enableDataPrivacySkipRec true: Excludes records with secured ord= data from all other sources of output. false (or leave blank): This is the default. Allows records with secured data to appear in other output sources.

For more information about modifying INI file settings in Server Manager, see the JD Edwards EnterpriseOne Server Manager Guide.

Setting Up Address Book Data Security 8-5

Enabling or Disabling Secured Private Data from Displaying in Other Applications and Output (Release 8.98.4.10)

8-6 JD Edwards EnterpriseOne Tools Security Administration Guide

9
9

Setting Up Business Unit Security

This chapter contains the following topics:


Section 9.1, "Understanding Business Unit Security" Section 9.2, "Working with UDC Sharing" Section 9.3, "Working with Transaction Security"

9.1 Understanding Business Unit Security


JD Edwards EnterpriseOne business unit security provides the ability to filter data by business unit for UDCs and for transaction tables. For UDCs, you create subgroups of values that can be shared among various business units or may be unique to one particular business unit. This is referred to as UDC sharing. For transaction tables, business unit security enables you to limit the transaction records that a user has access to based on business unit. This is called transaction security.

9.1.1 UDC Sharing


With UDC sharing, JD Edwards EnterpriseOne provides the ability to control, or regulate, how organizational data among different business units is shared. UDC sharing enables you to define a subset of UDC values for a business unit. You can share multiple UDC values among multiple business units. For example, a company's customer service department may provide support for appliances, consumer electronics, and sporting goods. Typically, a representative would choose from an extensive list of values to specify the repair code for a particular type of product. However, with UDC sharing, the company can associate a subset of the repair code UDC values, such as for appliances, to a business unit. As a result, the representatives associated with the business unit would only have to choose from a list of repair codes relevant to appliances.
Note: UDC sharing can impact system performance because of the time it takes the system to determine the UDC values that are associated with each business unit.

9.1.2 Transaction Security


Another feature of JD Edwards EnterpriseOne business unit security is transaction security. Transaction security enables you to determine the transaction records a user can view. Transaction security ensures that users can only access and modify transaction data for the business unit to which they are associated.

Setting Up Business Unit Security

9-1

Working with UDC Sharing

See Also:

Setting Up Business Units in the JD Edwards EnterpriseOne Financial Management Solutions Application Fundamentals Guide.

9.2 Working with UDC Sharing


This section provides overviews of the UDC sharing setup and business unit security for UDC sharing and discusses how to:

Set up UDC sharing. Set up business unit security for UDC sharing. Revise a UDC group. Delete a UDC group.

9.2.1 Understanding the UDC Sharing Setup


Use the UDC Sharing application (P95130) to set up UDC sharing. This wizard-like program leads you through the appropriate tasks to configure these items:

UDC group A UDC group serves as a container for the UDC values that you want to share among different business units. You create the UDC group by naming it and assigning the UDC types that contain UDC values. For example, if you are sharing UDC values that represent various states and countries in geographic regions, you might name the UDC group GEO, and then assign the UDC types that contain the appropriate UDC values for the states or countries.

Set-ID A set-ID enables you to further categorize the UDC values within a UDC group. For example, you can further categorize the UDC values in the GEO UDC group into subsets, such as Europe, Canada, Pacific Rim, and so forth. Each subset, or set-ID, can contain values that are specific to that region.
Important:

UDC sharing is available for JD Edwards EnterpriseOne Application Release 8.11 and later releases. You must use a Microsoft Windows client to set up UDC sharing. However, the actual security applied to applications that are run only on the web client.

9.2.2 Understanding Business Unit Security for UDC Sharing


JD Edwards EnterpriseOne provides a wizard-like program to assist you with setting up business unit security for UDC sharing. The program leads you through these tasks:

Define a business unit type. A business unit type serves as a logical grouping of business units. To define it, you give it a name and then specify the table (typically the F0006 table) and the data item within the table that contains the business unit values.

Associate a user ID or role to a business unit.

9-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Working with UDC Sharing

Note:

You can associate users to business units when setting up UDC sharing or when setting up transaction security.

Associate a UDC group to a business unit.

9.2.3 Setting Up UDC Sharing


Enter GH9052 in the Fast Path, select Business Unit Security, and then select Set-up UDC Sharing to access the UDC Group Revisions form.
Note: You can access this form on the Microsoft Windows client and the web client.
1.

Complete these fields to name and describe the UDC group: UDC Group Group Description

2.

In the detail area, click the search button in these fields to add UDC types to the UDC group: Product Code Select the product code of the UDC type that you want to add. User Defined Code Select the UDC type that contains the values for the UDC group.
Note:

A UDC type cannot be associated with more than one UDC

group.
3. 4.

Click Next. On Set-ID Definition Revisions, complete these fields to create set-IDs for the UDC group: Set-ID Enter a name for the set-ID. Description

5.

Click Next. On Maintain Set-ID, in the right pane, the system displays the UDC types that you assigned to the UDC group. The left pane contains the set-IDs that you defined for the UDC group.

6.

Assign UDC values to the Set-IDs.


a. b. c.

Select a set-ID in the left pane. Click a UDC type in the right pane, and then select from the list of UDC values. Click the left arrow to assign the UDC value to the chosen Set-ID.

7.

After you assign UDC values to the set-IDs, click Done.

Setting Up Business Unit Security

9-3

Working with UDC Sharing

9.2.4 Setting Up Business Unit Security for UDC Sharing


Enter GH9052 in the Fast Path, double-click Business Unit Security, and then select Set-up Business Unit Security to access the Business Unit Security Definition Revisions form.
1.

Complete these fields in this order: Business Unit Type Business Unit Definition Table Enter the table object name that contains the individual business unit values (for example, F0006). Business Unit Definition Data Item Enter the data item in the Business Unit Definition Table that contains the unique business unit name (for example, MCU).

2. 3.

Press Tab and then click Next to continue. On User/Role to Business Unit Relationships, assign the users or roles in the right panel to the appropriate business units in the left panel. You can search for particular business unit values and users or roles by clicking the search button next to the Business Unit Value and User/Role fields, respectively.
Note:

You can click the Skip button if you choose not to perform this step at this time. You can also assign users to business units when setting up transaction security.

4. 5.

After securing users to the appropriate business units, click Next to continue. On Maintain Transaction Security Tables, click the Skip button. This form is only used for transaction security.

6.

On UDC Group/Set-ID/Business Unit Relationship, assign the set-IDs within the UDC groups to the appropriate business units in the left panel. You can search for particular business unit values and UDC groups by clicking the search button next to the Business Unit Value and UDC Group fields, respectively. Remember that you must first configure UDC sharing to be able to assign set-IDs to business units on this form.

7.

Click Done.

9.2.5 Revising UDC Groups


Enter GH9052 in the Fast Path, double-click Business Unit Security, and then select Maintain UDC Sharing to access the Work With UDC Sharing form. You can access this form in the Microsoft Windows client and the web client.
1. 2. 3.

Select the UDC group that you want to revise. To add or delete a UDC type in a UDC group, from the Row menu, select Group Revisions. To add or delete a set-ID, from the Row menu, select Set-ID Definition.

9-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Working with Transaction Security

Note:

You cannot delete a set-ID that is part of a business unit and UDC group relationship.

4.

To revise the UDC values that are assigned to the set-IDs, from the Row menu, select Maintain Set-ID.

9.2.6 Deleting a UDC Group


On the Work With UDC Sharing form, select the UDC group and then click Delete.
Note:

You cannot delete a UDC group that is part of a business unit relationship.

9.3 Working with Transaction Security


This section provides an overview of how to set up transaction security and discusses how to:

Set up transaction security. Set processing options for Maintain Business Unit Transaction Security (R95301). Set processing options for Business Unit Security Maintenance application (P95300). Revise transaction security.

9.3.1 Understanding How to Set Up Transaction Security


Transaction security enables you to define which transaction records a user can access, based on the business units they are associated with. Transaction security for business units is inclusive, which means that you define which transactions users can access based on the business unit to which the user ID or role is associated. To set up transaction security, you must define these items:

Business unit type. A business unit type serves as a logical grouping of business units. To define it, you name it and then specify the table (typically the F0006 table) and the data item within the table that contains the business unit values.
Note:

If you are setting up transaction security for an existing business unit type, use the Maintain Business Unit Security menu to add transaction security.

Tables to include in a transaction security definition. Users associated with the business units.

The application that you use to set up transaction security, the Business Unit Security Maintenance program (P95300), is available in two modes: a mode that you can use for the initial transaction security setup and another mode to revise transaction security. The mode for the initial setup uses a director or wizard-like process to lead you through the P95300 application forms used to set up transaction security. See Setting Up Transaction Security.
Setting Up Business Unit Security 9-5

Working with Transaction Security

The mode to revise transaction security provides access to the same forms that are used for the initial setup, but without the wizard functionality. You can use these forms to add, update, or delete transaction security. See Revising Transaction Security.

9.3.1.1 Generating Transaction Security Records


When you set up or revise transaction security, JD Edwards EnterpriseOne does not automatically enable transaction security in the software. The new or revised transaction security records must be added to the Security Workbench table (F00950). JD Edwards EnterpriseOne provides different mechanisms for updating transaction security records in the F00950 table, depending on whether you are performing an initial setup of transaction security or revising transaction security. After you perform an initial setup, you must run the Maintain Business Unit Transaction Security batch application (R95301) to generate the transaction security records. You can set processing options for this batch application that enable you to review the records in a "proof" mode before the records are updated in the F00950 table. See Setting Processing Options for Maintain Business Unit Transaction Security (R95301). If you are revising transaction security, you can set processing options to control how the transaction security records are updated in the F00950 table. You can set these processing options on the Maintain Business Unit Security menu, which is the JD Edwards EnterpriseOne menu that launches the forms used for revising transaction security. See Setting Processing Options for Business Unit Security Maintenance Application (P95300). When you change (add, update, delete) transaction security, you must run the Maintain Business Unit Transaction Security Records (R95301) batch program for the changes to take effect.
Note:

Because the data in the F00950 table is cached, you must clear the cache in order for the updated security records to take affect. See Cached Security Information.

9.3.2 Setting Up Transaction Security


Access the Business Unit Security Definition Revisions form. Enter GH9052 in the Fast Path, and then select Business Unit Security, Set-up Business Unit Security.
1.

On the Business Unit Security Definition Revisions form, complete these fields in order: Business Unit Type Business Unit Definition Table Enter the table object name that contains the individual business unit values (for example, F0006). Business Unit Definition Data Item Enter the data item in the Business Unit Definition Table that contains the unique business unit name (for example, MCU).

9-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Working with Transaction Security

2. 3.

Press Tab and then click Next to continue. On User/Role to Business Unit Relationships, assign the users or roles in the right panel to the appropriate business units in the left panel. You can search for particular business unit values and users or roles by clicking the search button next to the Business Unit Value and User/Role fields, respectively.

4. 5.

After securing users to the appropriate business units, click Next to continue. On Maintain Transaction Security Tables, complete these columns in the grid: Transaction table Enter the table name that contains the data item that you want to secure. Data item Enter the data item of the column that you want to secure. You can use this form to secure multiple tables.

6. 7. 8. 9.

Click Next to continue. On UDC Group/Set-ID/Business Unit Relationship, click Done. Run the R95301 batch program. Clear the workstation or web client cache

9.3.3 Setting Processing Options for Maintain Business Unit Transaction Security (R95301)
Processing options enable you to specify the default processing for programs and reports.

9.3.3.1 Transaction Security


These processing options are used to specify how the system processes the transaction security records.
Processing Option 1. Add Transaction Security Records Description Specify whether to run the report in Final mode or Proof mode. Use the Proof mode to generate a report of the transaction security records that will be updated in the Security Workbench table (F00950). Use the Final mode to update the records. Specify whether to add or to not add transaction security records. Values are: 1: Add 0: Do not add 3. Delete Transaction Security Records Specify whether to delete or to not delete transaction security records. Values are: 1: Delete 0: Do not delete

2. Add Transaction Security Records

Setting Up Business Unit Security

9-7

Working with Transaction Security

9.3.4 Setting Processing Options for Business Unit Security Maintenance Application (P95300)
Processing options enable you to specify the default processing for programs and reports. You can access these processing options from the JD Edwards EnterpriseOne Menu by right-clicking the Maintain Business Unit Security menu, and then selecting Prompt for Values.

9.3.4.1 Mode
This processing option is used to specify the business unit security mode.
Processing Option 1. Business Unit Security Mode Description Specify whether to run the report in Director Mode (A) or Maintenance Mode (D).

9.3.4.2 Transaction Security


These processing options are used when working with business unit security in Maintenance mode only.
Processing Option 1. In Maintenance mode, automatically add transaction security records. Description Specify whether to automatically add transaction security records. Values are: 1: Add 0: Do not add 2. In Maintenance mode, automatically delete transaction security records. Specify whether to automatically delete transaction security records. Values are: 1: Delete 0: Do not delete

9.3.5 Revising Transaction Security


Access the Work With Business Unit Security form. Enter GH9052 in the Fast Path, and then select Business Unit Security, Maintain Business Unit Security.
1. 2. 3. 4. 5. 6. 7.

On the Work With Business Unit Security form, select the business unit security type record that you want to revise. To revise the users or roles associated to a business unit, from the Row menu, select Associate User/Role. To revise the UDC values that are assigned to business units, from the Row menu, select UDC Groups for BU. To revise a transaction table record, from the Row menu, select Transaction Tables. To delete transaction security for a business unit type, select the record and then click Delete. Run the R95301 batch program. Clear the workstation or web client cache.

9-8 JD Edwards EnterpriseOne Tools Security Administration Guide

10
10

Setting Up Application Failure Recovery


This chapter contains the following topics:

Section 10.1, "Understanding Application Failure Recovery" Section 10.2, "Enabling/Disabling Application Failure Recovery" Section 10.3, "Saving Application Data"

10.1 Understanding Application Failure Recovery


JD Edwards EnterpriseOne enables web client users to recover data from failed applications due to:

Transaction failures Session time outs User Voluntary Save

The Application Failure Recovery program (P95400) enables users to access data from any failed transaction in which they are involved. Using P95400, users can review data from failed transactions. Additional links may be added to the JD Edwards EnterpriseOne Menu or the Application Recovery Form for application failure recovery if data is saved during the transaction. The system adds a link named "Failure Recovery Data" to the JD Edwards Menu if there is a transactional failure saved for the user. The system adds a link named "Application Saved Data" to the JD Edwards EnterpriseOne Menu if there is no transactional failure, but there are other saved data due to voluntary save or time out. In addition, on the Application Recovery Form, the Export option is enabled so that a user can export the saved records.
See Also:

"Recovering Data" in the JD Edwards EnterpriseOne Tools Foundation Guide.

10.1.1 Prerequisites
Use the Security Workbench program (P00950) to secure P95410 to system administrators only. See Managing Application Security.

Setting Up Application Failure Recovery

10-1

Enabling/Disabling Application Failure Recovery

10.2 Enabling/Disabling Application Failure Recovery


Application Failure Recovery is enabled out of the box with the jas.ini setting set to ALL, which is the default setting. To disable Application Failure Recovery set the jas.ini to NONE. The Application Recovery setting is found in the [OMWEB} Web Runtime section of the jas.ini. See the Server Manager Guide on the My Oracle Support Web site.

10.3 Saving Application Data


Saving Application Data needs to be set up for when sessions time out. In the JD Edwards EnterpriseOne web client, enter P95400 in the Fast Path to access the Work with Application Failure Records form.
1. 2. 3.

From the Form menu, select Time Out Subscriptions. On the Work with Time Out Subscriptions form, click Add. On the Add Time Out Subscription form, in the User field, enter the user ID or role that you want the system to save when the session times out. Enter *Default to allow access to all users. In the Application Name field, enter the application for which the user or role can save data, and then click OK.

4.

10-2 JD Edwards EnterpriseOne Tools Security Administration Guide

11
11

Enabling LDAP Support in JD Edwards EnterpriseOne


This chapter contains the following topics:

Section 11.1, "Understanding LDAP Support in JD Edwards EnterpriseOne" Section 11.2, "Configuring LDAP Support in JD Edwards EnterpriseOne" Section 11.3, "Modifying the LDAP Default User Profile Settings" Section 11.4, "Using LDAP Bulk Synchronization (R9200040)" Section 11.5, "Using LDAP Over SSL" Section 11.6, "Exporting User Data to the LDAP Server"
Important:

This chapter does not provide instructions for installing and configuring an LDAP-compliant directory service, such as Microsoft Windows Active Directory or IBM Directory Server. For more information, refer to the Prerequisites section in this chapter.

11.1 Understanding LDAP Support in JD Edwards EnterpriseOne


This section discusses:

LDAP support overview. User Profile Management in LDAP-Enabled JD Edwards EnterpriseOne LDAP and JD Edwards EnterpriseOne relationships. Application changes in LDAP-enabled JD Edwards EnterpriseOne. LDAP server-side administration. JD Edwards EnterpriseOne server-side administration.

11.1.1 LDAP Support Overview


LDAP is an open industry standard protocol that directory services use to manage user profiles, such as user IDs and passwords, across multiple application systems. You can enable JD Edwards EnterpriseOne to use an LDAP-compliant directory service to manage JD Edwards EnterpriseOne user profiles and user-role relationships. After enabling JD Edwards EnterpriseOne for LDAP, user profiles can be administered through an LDAP version 3 compliant directory server, otherwise referred to as the LDAP server. System administrators use a third-party LDAP-enabled application to access the LDAP server.
Enabling LDAP Support in JD Edwards EnterpriseOne 11-1

Understanding LDAP Support in JD Edwards EnterpriseOne

LDAP provides these benefits:

Central administration and repository for user profiles. You can easily maintain user profiles in a single location that serves multiple end user applications, including JD Edwards EnterpriseOne applications.

Reduced complexity. You are not required to use several applications to maintain user profiles. In addition, users are not required to maintain multiple passwords across multiple systems.
Note:

LDAP support does not address single sign-on functionality that might exist through other JD Edwards EnterpriseOne functionality.

11.1.2 User Profile Management in LDAP-Enabled JD Edwards EnterpriseOne


When JD Edwards EnterpriseOne is enabled for LDAP, the features used to manage user profiles in the User Profile Revisions application (P0092) are disabled. Instead, you must use a third-party, LDAP-enabled application to manage JD Edwards EnterpriseOne user profiles.
Note:

JD Edwards EnterpriseOne does not provide an application for managing LDAP user profiles.

Additionally, JD Edwards EnterpriseOne provides a self-service version of P0092. This self-service application is used to manage only self-service user profile information for the Manufacturing Sourcing module; not JD Edwards EnterpriseOne user profiles. However, if you are enabling JD Edwards EnterpriseOne for LDAP and your company is using this self-service application, you can add parameters for it when you define the LDAP server settings. In this configuration, any self-service user profiles that are added are synchronized with the LDAP server.
Note:

Even though self-service user profiles are synchronized with the LDAP server, you cannot use this self-service application to manage JD Edwards EnterpriseOne or LDAP user profiles.

See Configuring the LDAP Server Settings.

11.1.3 LDAP and JD Edwards EnterpriseOne Relationships


The LDAP system administrator must understand the logical and database-dependent relationships between the LDAP server and JD Edwards EnterpriseOne. The administrator directly or indirectly controls the logical flow of events and where specific data resides based on the setting of system variables in the JD Edwards EnterpriseOne enterprise server jde.ini file and settings specified in the LDAP Server Configuration Workbench program (P95928). The security kernel on the JD Edwards EnterpriseOne enterprise server is responsible for ensuring the integrity of the security within JD Edwards EnterpriseOne. If this kernel is not running correctly or cannot locate requisite data, users cannot sign in to JD Edwards EnterpriseOne. However, when the security kernel is properly

11-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding LDAP Support in JD Edwards EnterpriseOne

configured, the system verifies the user credentials from data within the user profiles. In this case, the following two scenarios are possible:

You can configure JD Edwards EnterpriseOne to use LDAP to manage user profiles. You can configure JD Edwards EnterpriseOne to use LDAP to manage user-role relationship data.

LDAP does not support certain user profile information. Such information remains in the domain of the JD Edwards EnterpriseOne server and must be maintained by the JD Edwards EnterpriseOne system administrator. Therefore, two distinct and separate user profiles may exist:

LDAP user profile This profile includes the user ID and password and can include user-role relationships.

JD Edwards EnterpriseOne user profile The information contained in this profile is stored in the JD Edwards EnterpriseOne database. Examples of such information include the date separator, the decimal separator, and so on.

11.1.3.1 User Authentication Using the LDAP Server


When LDAP is enabled, all systems (including JD Edwards EnterpriseOne) are directed to perform user authentication through the LDAP server. This diagram shows how LDAP and JD Edwards EnterpriseOne handle authentication:
Figure 111 LDAP and JD Edwards EnterpriseOne authentication

Web Client Security Kernel LDAP Server

EnterpriseOne Enterprise Server EnterpriseOne Windows Client EnterpriseOne Database Server

In this illustration, the security kernel in the JD Edwards EnterpriseOne enterprise server performs authentication against the LDAP server when LDAP is enabled in the [SECURITY] section of the jde.ini file of the JD Edwards EnterpriseOne enterprise server. Otherwise, when LDAP is disabled, the security kernel authenticates the user against the JD Edwards EnterpriseOne enterprise server database.

Enabling LDAP Support in JD Edwards EnterpriseOne 11-3

Understanding LDAP Support in JD Edwards EnterpriseOne

11.1.3.2 JD Edwards EnterpriseOne User Data


The security kernel in JD Edwards EnterpriseOne requires specific attributes to be defined for all users. These attributes generally include:

User ID. User password. User-role relationship. JD Edwards EnterpriseOne system user. Definition of role. JD Edwards EnterpriseOne user profile settings.

11.1.3.3 User Data Managed by LDAP


When you configure JD Edwards EnterpriseOne to use LDAP, the JD Edwards EnterpriseOne security kernel uses the following data stored in the LDAP server:

User ID User password User-role relationship (optional)

11.1.3.4 Data Managed by LDAP and JD Edwards EnterpriseOne


This table explains how user data is managed by LDAP and JD Edwards EnterpriseOne, as well as how the security kernel uses this information:
JD Edwards EnterpriseOne Comment Yes F0092 If you enable LDAP support in JD Edwards EnterpriseOne, the security kernel validates the user from the LDAP database. The security kernel synchronizes this data from LDAP to JD Edwards EnterpriseOne only when this data is in the LDAP server and not in JD Edwards EnterpriseOne. If LDAP is enabled, the user password is always stored in LDAP. If LDAP is not enabled, the user password is stored in the F98OWSEC table in JD Edwards EnterpriseOne. User-Role Relationship Yes Yes F95921 If the user-role relationship is defined to execute through LDAP, the user-role relationship is synchronized from the LDAP server to JD Edwards EnterpriseOne. If the user-role relationship is defined to execute through JD Edwards EnterpriseOne, the data is stored in the JD Edwards EnterpriseOne database in the F95921 table.

Data Category EnterpriseOne User ID

LDAP Yes

EnterpriseOne User Password

Yes

Yes F98OWSEC

11-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding LDAP Support in JD Edwards EnterpriseOne

Data Category EnterpriseOne System User

LDAP No

JD Edwards EnterpriseOne Comment Yes F98OWSEC Not managed in the LDAP server. JD Edwards EnterpriseOne requires each user to have a system user specified for access to the JD Edwards EnterpriseOne database. The database user is set by the JD Edwards EnterpriseOne system administrator in the JD Edwards EnterpriseOne security table, F98OWSEC. If there are no valid system user settings, the JD Edwards EnterpriseOne security kernel will not validate the user.

Definition of Role

Yes

Yes F0092

The user-role relationship is synchronized from the LDAP server to the JD Edwards EnterpriseOne database for roles defined in the JD Edwards EnterpriseOne database. However, the system does not synchronize role definitions from the LDAP server to the JD Edwards EnterpriseOne database. Therefore, role definitions must exist in both systems. Not managed in LDAP. JD Edwards EnterpriseOne requires additional user profile attributes that are not generally defined through equivalent attributes in LDAP. Therefore, you can manually set these attributes. You can also specify these values in the default user profile settings for LDAP so that these settings are included for each user that is synchronized from LDAP to JD Edwards EnterpriseOne. See Modifying the LDAP Default User Profile Settings. Some of these attributes include:

EnterpriseOne User Profile Attributes

No

Yes F00921 and F0092

Address Book Number Decimal Separator Time Zone Currency Date Format

11.1.3.5 User Data Synchronization in LDAP-Enabled JD Edwards EnterpriseOne


This diagram shows the synchronization of user data from the LDAP server to JD Edwards EnterpriseOne:

Enabling LDAP Support in JD Edwards EnterpriseOne 11-5

Understanding LDAP Support in JD Edwards EnterpriseOne

Figure 112 User data synchronization

Third Party LDAP-enabled Application

Web Client LDAP Server Security Kernel Batch Process

EnterpriseOne Enterprise Server EnterpriseOne Windows Client EnterpriseOne Database Server

In this configuration, a third-party LDAP-enabled application is being used to add, modify, and delete LDAP user information. In addition, the system uses the following methods to synchronize user data from LDAP to the JD Edwards EnterpriseOne database:

At user sign-in, using the JD Edwards EnterpriseOne security kernel. Using the LDAP Bulk Synchronization batch application (R9200040). R9200040 enables you to perform bulk synchronization of user profile records from the LDAP server to the JD Edwards EnterpriseOne database.

11.1.4 Application Changes in LDAP-Enabled JD Edwards EnterpriseOne


When LDAP support is enabled in JD Edwards EnterpriseOne, some of the user profile tasks that you typically perform in JD Edwards EnterpriseOne, such as adding and deleting users, are disabled. You must use LDAP to modify these records, not JD Edwards EnterpriseOne. This section summarizes the following changes in JD Edwards EnterpriseOne menus and applications that result from using LDAP to manage user profile information:

User password changes. User Profile Revisions application changes. Security Revisions application changes. Role Relationships application changes. Scheduler application changes.

11.1.4.1 User Password Changes


In JD Edwards EnterpriseOne, users can change their passwords using the User Default Revisions application. However, when LDAP is enabled, users must contact a system administrator for password changes. If a user attempts to select the Change Password option in the User Default Revisions form, the system displays this error:
11-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding LDAP Support in JD Edwards EnterpriseOne

Error: LDAP authentication is enabled. Solution: Users must contact a security administrator to have their passwords changed.

11.1.4.2 User Profile Revisions Application (P0092) Changes


The following functions for managing user information in P0092 are disabled:

Add Copy Delete

This ensures that users can only be managed through LDAP.

11.1.4.3 EnterpriseOne Security Application (P98OWSEC) Changes


When LDAP is enabled, P98OWSEC only allows you to add or change specific security settings for specified users. This section discusses the features that you can use in this application when LDAP is enabled. When an existing single user is selected for security revisions, the User ID field contains the selected user ID. On the Security Detail Revisions form, you can enable the User Status and Allowed Password Attempts fields by selecting these corresponding options:

User Status Attempts

When you are updating security for all users, you click the Revise All button from the Form menu in the Work With User/Role Profiles form. The Security Detail Revisions form appears. On the Security Detail Revisions form, you can enable the User Status and Allowed Password Attempts fields for all users by selecting these corresponding options:

User Status Attempts

11.1.4.4 Role Relationships Application (P95921) Changes


When LDAP is enabled, P95921 has been modified to enable or disable certain functionality, depending on whether roles are managed in LDAP. When roles are managed in LDAP, you cannot use JD Edwards EnterpriseOne to add or delete a role for an individual user. However, you can add roles to the default user for LDAP, which is _LDAPDEFLT. Additionally, you can modify the role expiration date. If you attempt to add a role to an individual user in JD Edwards EnterpriseOne, the system displays this error:
Error: Role Relationship is managed by LDAP.

Similarly, if you attempt to delegate, remove, or add a role for an individual user, the system will display the same error.

Enabling LDAP Support in JD Edwards EnterpriseOne 11-7

Understanding LDAP Support in JD Edwards EnterpriseOne

Note:

When LDAP is enabled and roles are managed in LDAP, you can use a third-party LDAP-enabled application to add, delete, or modify role relationships for any user.

11.1.4.5 Schedule Jobs Application Changes


The Schedule Jobs application (P91300) displays a password column which is written to the F91300 table. The password stored in this column provides the password that P91300 uses to connect to the JD Edwards EnterpriseOne database. The column is only stored for program use and the actual database record contains an encrypted blob that cannot be viewed or decrypted by the system administrator. However, you can enter the password in the Scheduler Password field of the Scheduling Advance Options form. The Scheduler kernel validates the user ID and password stored in F91300. The job cannot be launched if the validation fails. Therefore, if the user changes their password after the job is scheduled, the job cannot be launched. In such cases, the user must use P91300 to revise the job.

11.1.5 LDAP Server-Side Administration


This section assumes that JD Edwards EnterpriseOne is using the LDAP server for user profile administration. Using a third-party LDAP-enabled application to access the LDAP server, you can add, modify, or delete attributes of user profiles. This table lists the items that you can manage and actions that you can perform from the LDAP server:
User Profile Attribute User ID and Password Values Action Add Modify Delete Description The user ID and password values must be alphanumeric and cannot exceed 10 characters in length. Unicode is supported. At sign-in, logic on the JD Edwards EnterpriseOne server automatically performs one-way, real-time synchronization of user IDs from the LDAP server to the JD Edwards EnterpriseOne database. You can run a separate batch program on the JD Edwards EnterpriseOne enterprise server to initially migrate user IDs from LDAP to the JD Edwards EnterpriseOne database. User-Role Relationship Add Modify Delete At sign-in, logic on the JD Edwards EnterpriseOne server will automatically perform one-way real-time synchronization of this data from the LDAP server to the JD Edwards EnterpriseOne database. You can run a separate batch program on the JD Edwards EnterpriseOne server to initially migrate this data from LDAP to the JD Edwards EnterpriseOne database. Only valid JD Edwards EnterpriseOne user-role relationships will be synchronized from LDAP to the JD Edwards EnterpriseOne database. Role Definitions Add Modify Delete You must manually set up role definitions in LDAP and JD Edwards EnterpriseOne because there is no automated method to synchronize this data.

11-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring LDAP Support in JD Edwards EnterpriseOne

11.1.6 JD Edwards EnterpriseOne Server-Side Administration


When JD Edwards EnterpriseOne is enabled for LDAP, there are still some user profile administrative tasks that you manage on the JD Edwards EnterpriseOne enterprise server, such as:

Tasks that are not supported by LDAP. Tasks that are not synchronized automatically. Tasks that are not synchronized through a batch process.

You can modify the following items on the JD Edwards EnterpriseOne enterprise server:
JD Edwards EnterpriseOne Attributes Action System User ID and Password Add Modify Delete User-Role Relationship Add Modify Delete User-Role Relationship Attributes Add Modify Delete User Status Modify Allowed statuses include:

Description Required to set system values not supported by LDAP. System information is used to connect to the database. It includes database system user name, system user password, and data source name (system key). Required if user-role relationships are managed in JD Edwards EnterpriseOne.

Required to set attributes not supported by LDAP, such as *ALL and Expiration Dates, when you manage user-role relationships in LDAP.

Enabled Disabled

There is no automatic or batch synchronization between LDAP and JD Edwards EnterpriseOne for this function. Allow Password Attempts Modify for EnterpriseOne User Role Definitions Modify The number of invalid sign-on attempts a user can make before that user profile is disabled. You must always define the role definition in JD Edwards EnterpriseOne, regardless of any LDAP considerations.

11.2 Configuring LDAP Support in JD Edwards EnterpriseOne


This section contains the following topics:

Section 11.2.1, "Overview of Steps to Enable LDAP Support in JD Edwards EnterpriseOne" Section 11.2.2, "How JD Edwards EnterpriseOne Uses LDAP Server Settings" Section 11.2.3, "Prerequisites" Section 11.2.4, "Forms Used to Configure LDAP Support in JD Edwards EnterpriseOne" Section 11.2.5, "Creating an LDAP Configuration" Section 11.2.6, "Configuring the LDAP Server Settings"

Enabling LDAP Support in JD Edwards EnterpriseOne 11-9

Configuring LDAP Support in JD Edwards EnterpriseOne

Section 11.2.7, "Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings" Section 11.2.8, "Changing the LDAP Configuration Status" Section 11.2.9, "Enabling LDAP Authentication Mode"
Note:

If you are creating an LDAP configuration for Oracle Internet Directory, the specific settings for this configuration are listed in an appendix in this guide.

See Creating a JD Edwards EnterpriseOne LDAP Configuration for OID.

11.2.1 Overview of Steps to Enable LDAP Support in JD Edwards EnterpriseOne


You must follow these high-level steps in the specified order to properly configure the JD Edwards EnterpriseOne enterprise server to support LDAP:
1.

Disable LDAP authentication by ensuring that the [Security] section of the JD Edwards EnterpriseOne enterprise server jde.ini file contains this setting:
LDAPAuthentication=false

2.

Use the LDAP Server Configuration Workbench application (P95928) to create an LDAP configuration, configure the LDAP server settings, and configure the LDAP to JD Edwards EnterpriseOne enterprise server mappings. The P95928 application is available on the Microsoft Windows client and the web client.
Note:

JD Edwards EnterpriseOne provides two versions of this application. You can use ZJDE0001 to create a template for creating an LDAP configuration. Create the template by adding specific attributes to the LDAP configuration that can be defined later. This section uses ZJDE0002 of the application to show all possible attributes that can be mapped in the LDAP configuration.

3.

Use the Configure LDAP Defaults form to enter the required LDAP default user profile settings. See Modifying the LDAP Default User Profile Settings.

4. 5.

Change the LDAP configuration status. Enable LDAP authentication by changing the setting in the [Security] section of the JD Edwards EnterpriseOne enterprise server jde.ini file:
LDAPAuthentication=true

6.

Restart the JD Edwards EnterpriseOne enterprise server.

11.2.2 How JD Edwards EnterpriseOne Uses LDAP Server Settings


Part of creating an LDAP configuration for JD Edwards EnterpriseOne involves configuring LDAP server settings. The LDAP server settings are in compliance with the standard syntax specified by the LDAP Data Interchange Format (LDIF). These settings, or attributes, when configured correctly, determine how JD Edwards EnterpriseOne searches for user profile data in the LDAP server. The attributes that you configure differ depending on whether you are:

11-10 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring LDAP Support in JD Edwards EnterpriseOne

Creating a standard JD Edwards EnterpriseOne configuration for the LDAP server. Using Secure Socket Layer with the LDAP server. Using the self-service version of the user profile application for the Manufacturing Sourcing module.

This diagram shows how JD Edwards EnterpriseOne uses the LDAP server settings to search for user profiles in the LDAP server:
Figure 113 User data search hierarchy in the LDAP server

Root

Company A

o=enterpriseone, c=us

User

Role

Role

User

User

Role

User

Role

LDAP entry that satisfied the condition: objectclass=inetOrgPerson AND uid=ab12345 Attribute Value objectclass inetOrgPerson Language E cn bob uid ab12345

ab12345
In this diagram, the JD Edwards EnterpriseOne application requests a search of the Directory Information Tree for a JD Edwards EnterpriseOne user in the United States with an ab12345 user ID. The user can only be found if these attributes contain valid values:

Enabling LDAP Support in JD Edwards EnterpriseOne 11-11

Configuring LDAP Support in JD Edwards EnterpriseOne

Attribute USRSRCHBAS (User Search Base) USRSRCHSCP (User Search Scope) USRSRCHFLT (User Search Filter) USRSRCHATR (User Search Attribute) E1USRIDATR (EnterpriseOne User ID Attribute) 1. 2. 3.

Value o=enterpriseone, c=us subtree objectclass=inetOrgperson uid uid

JD Edwards EnterpriseOne starts the search using the criteria specified in the User Search Base attribute. JD Edwards EnterpriseOne uses the value in the User Search Scope attribute to determine the scope of the search. JD Edwards EnterpriseOne uses the following Search Filter parameter to search for the user in LDAP: (&((User Search Filter value), ((User Search Attribute value)= "ab12345")))

4.

JD Edwards EnterpriseOne retrieves the user ID from the EnterpriseOne User ID Attribute.

11.2.3 Prerequisites
To configure LDAP support in JD Edwards EnterpriseOne, you must have a system administrator who understands LDAP and understands how to use an LDAP-compliant directory service to manage user profile information. For more information on LDAP, refer to these resources on the web:

The IETF LDAPv3 Working Group. See http://www.ietf.org/html.charters/ldapbis-charter.html

The LDAPv3 Working Group archived newsgroup. See http://www.openldap.org/lists/ietf-ldapbis/

RFC 3377, the current definition of LDAPv3. See ftp://ftp.rfc-editor.org/in-notes/rfc3377.txt

For more information about a specific LDAP-compliant directory service, refer to that particular directory service's documentation. If you are configuring the directory service with SSL, refer to the directory service documentation for instructions.

11-12 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring LDAP Support in JD Edwards EnterpriseOne

11.2.4 Forms Used to Configure LDAP Support in JD Edwards EnterpriseOne


Form Name Available LDAP Configurations FormID W95928F Navigation Usage

Add an LDAP Enter P983051 in the configuration record. Fast Path. On the Work With Interactive Versions form, enter P95928 in the Interactive Version field and click Find. Select ZJDE0002 and then select Run from the Row menu. The P95928 application is available on the Microsoft Windows client and the web client.

LDAP Server Information

W95928A

On the Available Complete the fields LDAP Configurations that are required for form, click Add. the LDAP configuration record. Enter LDAP server On the Available LDAP Configurations attribute values. form, select a configuration record and then select Values from the Row menu. On the Available LDAP Configurations form, select Mappings from the Row menu. Configure LDAP to JD Edwards EnterpriseOne enterprise server mappings.

LDAP Server Attribute Values

W95928E

LDAP Server Mappings

W95928B

11.2.5 Creating an LDAP Configuration


Access the Available LDAP Configurations form.
1. 2.

Click Add to add a new configuration record. On the LDAP Server Information form, complete these fields and then click OK:
Description Enter a unique name for the server configuration, and then tab to the next field and enter a description. Enter the location of the enterprise server. Enter the port used to connect to the enterprise server. Enter the location (machine name or IP address) of the LDAP server on the network. Enter the port used to connect to the LDAP server.

Field Server Configuration Name Enterprise Server Location Enterprise Server Port LDAP Server Location LDAP Server Port

Enabling LDAP Support in JD Edwards EnterpriseOne 11-13

Configuring LDAP Support in JD Edwards EnterpriseOne

Field LDAP Server Type

Description Click the search button to select the type of LDAP server: Microsoft, IBM, or Domino. Note: If you are configuring LDAP for Oracle Internet Directory, you must add OID to the list of options and select it here. See Creating a JD Edwards EnterpriseOne LDAP Configuration for OID.

LDAP Admin ID LDAP Admin Password SSL Enabled LDAP Server

Enter the administrator's ID for the LDAP server. Enter the administrator's password for the LDAP server. Select this option if you want to set up Secure Socket Layer (SSL) communication between JD Edwards EnterpriseOne security kernel and the LDAP server. Note: This requires the LDAP server to be configured for SSL. See Using LDAP Over SSL.

Role Enabled in LDAP

Select this option if you are managing user-role relationships in LDAP.

11.2.6 Configuring the LDAP Server Settings


Access the LDAP Server Attribute Values form. To do so, on the Available LDAP Configurations form, select a configuration record and then select Values from the Row menu.
1.

Click the search button in the Enterprise Server Attribute Name column to select the attributes to include in the LDAP server settings. After selecting the attributes, you must enter the appropriate LDAP value for the attribute in the LDAP Server Attribute Value column.

2.

To configure the standard JD Edwards EnterpriseOne settings for LDAP server, enter values for these attributes:
Description User search base. Specifies that the system searches for user information at the root of the directory information tree. This value specifies the "container" in which to begin the search. For example, USRSRCHBAS=o=jdedwards,c=us User search filter. Specifies that a search is performed at the base level for the user ID in the LDAP server using the specified criteria. For example, USRSRCHFLT=objectclass=inetOrgPerson If you do not specify this value, no search filtering occurs.

Attribute USRSRCHBAS

USRSRCHFLT

USRSRCHSCP

User search scope. Specifies the level, or scope, at which the system searches for user information. Valid values are:

base The query searches only the value you specified in the USRSRCHBAS setting.

subtree This is the default value. The query searches the value in the Search Base field and all entries beneath it.

onelevel The query searches only the entries one level down from the value in the Search Base field.

11-14 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring LDAP Support in JD Edwards EnterpriseOne

Attribute ROLSRCHBAS

Description Role search base (use only if roles are enabled in LDAP). Specifies that a search is performed at the base level for the UserIDAttri in the LDAP database. For example, ROLSRCHBAS=o=jdedwards,c=us Role search filter (use only if roles are enabled in LDAP). This specifies that a search is performed at the base level for the role in the LDAP database using the specified criteria. For example, ROLSRCHFLT=objectclass=groupOfNames If you do not specify this value, no search filtering occurs.

ROLSRCHFLT

ROLSRCHSCP

Role search scope (use only if roles are enabled in LDAP). This specifies the level, or scope, at which the system searches for role information. Valid values are:

base The query searches only the value you specified in the ROLSRCHBAS setting.

subtree This is the default value. The query searches the value in the Search Base field and all entries beneath it.

onelevel The query searches only the entries one level down from the value in the Search Base field.

3.

When using Secure Socket Layer (SSL) with LDAP server, enter values for these attributes:
Description SSL Port for the LDAP server. Specifies the SSL port on the LDAP server. Dir path for cert7.db (SSL) For Windows and UNIX: This specifies the directory path to the cert7.db file (SSL). This file should generally be located in the system\bin32 directory on the JD Edwards EnterpriseOne enterprise server. For iSeries: This specifies the directory path and file name for the cert.kdb file on the iSeries-based JD Edwards EnterpriseOne enterprise server machine, for example /QIBM/USERDATA/ICSS/CERT/SERVER/CERT.KDB. You should use the Digital Certificate Manager (DCM) to verify the location of the certificate for your installation.

Attribute SSLPORT CERTDBPATH

CERTDBCLBL CERTDBPSWD

Do not use this attribute. This is for future use only. For iSeries only. This is the password to the key database. Specifies the password to the key database (files with a "kdb" extension). The key database is used to store a uniquely identified name, or label, associated with the client private key/certificate pair.

SSLTIMEOUT

For iSeries only. This specifies the time-out value for the SSL connection.

4.

If you are using the self-service version of the user profile application for the Manufacturing Sourcing module, enter values for these attributes:

Enabling LDAP Support in JD Edwards EnterpriseOne 11-15

Configuring LDAP Support in JD Edwards EnterpriseOne

Note:

You cannot use this application to manage LDAP user profiles.

Attribute USRACNTCTL

Description User Account Control. Specifies the authority attached when creating a user in Active Directory, for example USRACNTCTL=512 creates an enabled user in Active Directory only. User Add Location. Specifies the location in LDAP where users will be added, for example USRADDLOC=O=jdedwards. User Class Hierarchy. Specifies the class hierarchy needed to create a user in LDAP, for example USRCLSHRCY=top, person, organizationalPerson, inetOrgPerson. Role Add Location (use only if roles are enabled in LDAP). Specifies the location in LDAP that contains the user-role relationship, for example ROLADDLOC=O=jdedwards. Do not use this attribute. This is for future use only.

USRADDLOC USRCLSHRCY

ROLADDLOC

ROLCLSHRCY

11.2.7 Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings


You can map attributes for users or for user-role relationships, depending upon your configuration. If you are entering mappings for user-role relationships, you must also ensure that the LDAP configuration record is enabled for roles. Access the LDAP Server Mappings form. To do so, on the Available LDAP Configurations form, select Mappings from the Row menu.
1.

Click the search button in the Enterprise Server Attribute Name column to select the attributes to include in the mappings. After selecting the attributes, you must enter the appropriate LDAP value for the attribute in the LDAP Server Actual Attribute column.

2.

To configure the LDAP to JD Edwards EnterpriseOne enterprise server mappings for a standard setup, enter values for these attributes:
Description EnterpriseOne User ID Attribute. Specifies the user ID attribute in LDAP that is used for JD Edwards EnterpriseOne users. The system uses this attribute when creating users in LDAP during JD Edwards EnterpriseOne sign-in, for example E1USRIDATR=cn. User ID Search Attribute. Specifies the search criteria for the sign-on user ID. This is the value that maps the sign-on user ID in LDAP to the sign-in user ID in JD Edwards EnterpriseOne, for example USRSRCHATR=cn. The USRSRCHATR and E1USRIDATR attributes should be mapped to the same value.

Attribute E1USRIDATR

USRSRCHATR

EUSRIDATR

Enterprise User ID Attribute. Specifies the User ID attribute in LDAP that is used for Enterprise users. The system uses this attribute to search for Enterprise users for single sign-on between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne, for example EUSRIDATR = cn.

11-16 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring LDAP Support in JD Edwards EnterpriseOne

Attribute ROLNAMEATR

Description Role Name Attribute (use only if roles are enabled in LDAP). This value maps the role in LDAP to the role in JD Edwards EnterpriseOne, for example ROLENAMEATR=cn Role Search Attribute (use only if roles are enabled in LDAP). Specifies the search attribute for the role in the LDAP server. The system uses this attribute to search LDAP for a list of roles for a user, for example ROLSRCHATR=member. Language Attribute. Specifies the language attribute used within LDAP, for example LANGUAGATR=preferredLanguage

ROLSRCHATR

LANGUAGATR

3.

If you are using the self-service version of the user profile application for the Manufacturing Sourcing module, enter values for these attributes:
Note:

You cannot use this application to manage LDAP user profiles.

Attribute CMNNAME

Description Common Name. Specifies the Common Name for a user in LDAP. The system uses this attribute when creating users in LDAP, for example CMNNAME=cn Specifies the Given Name for a user in LDAP. It is used when creating users in LDAP, especially in Active Directory, for example GIVENNAME=givenName. Specifies the SUR Name for a user in LDAP. This attribute is used when creating users in LDAP, for example SURNAME=sn. Specifies the password associated with the account that you specify with the ConnectDN (distinguished name) of the LDAP server. Object Class. Specifies the Object Class attribute for a user in LDAP it is used when creating users in LDAP, for example OBJCLASS=objectCLASS. Account Control Attribute. Specifies the attribute used in Active Directory for user authority in Active Directory, for example ACNTCTLATR=userAccountControl. If the attribute USRACNTCTL=512 is used in conjunction with ACNTCTLATR, the JD Edwards EnterpriseOne API will create an enabled user in Active Directory only. Account Name Attribute. Specifies the attribute used only in Active Directory for creating a signon user account, for example ACNTCTLATR=sAMAccountName.

GIVENNAME

SURNAME PASSWORD

OBJCLASS

ACNTCTLATR

ACTNAMEATR

11.2.8 Changing the LDAP Configuration Status


After you add an LDAP configuration, by default the configuration is disabled or non-active. You must change the status to active to enable the configuration.
Note:

You can have only one active LDAP configuration per port.

Access the Available LDAP Configurations form. Select a configuration record and then select Change Status from the Row menu.

Enabling LDAP Support in JD Edwards EnterpriseOne 11-17

Modifying the LDAP Default User Profile Settings

The system changes the status in the Status column to AV (active) or NA (not active).

11.2.9 Enabling LDAP Authentication Mode


Access the jde.ini file on the JD Edwards EnterpriseOne enterprise server. In the [SECURITY] section, enter true for the LDAPAuthentication setting to enable security authentication. The default value for this setting is false, which disables the LDAP authentication mode.

11.3 Modifying the LDAP Default User Profile Settings


This section contains the following topics:

Section 11.3.1, "Understanding LDAP Default User Profile Settings" Section 11.3.2, "Forms Used to Modify the LDAP Default User Profile Settings" Section 11.3.3, "Reviewing the Current LDAP Default Settings" Section 11.3.4, "Modifying the Default User Profile Settings for LDAP" Section 11.3.5, "Modifying the Default Role Relationships for LDAP" Section 11.3.6, "Modifying the Default User Security Settings for LDAP"

11.3.1 Understanding LDAP Default User Profile Settings


You must configure and review the default LDAP user profile settings that are in the JD Edwards EnterpriseOne database. The system requires the default settings for user profile synchronization. These values are synchronized from LDAP to JD Edwards EnterpriseOne by the LDAP synchronization mechanisms (security kernel and batch report). The default user profile settings are written to the F0092 table.
Note: You must add the default LDAP user profile settings before enabling LDAP authentication in the jde.ini file of the JD Edwards EnterpriseOne security server.

The Configuring LDAP Defaults form shows whether the following items exist for the default user:

User profile Role relationships Data source/system user


Important:

Changes made in this application can affect almost all JD Edwards EnterpriseOne users when synchronizing data from LDAP to the JD Edwards EnterpriseOne database.

11-18 JD Edwards EnterpriseOne Tools Security Administration Guide

Modifying the LDAP Default User Profile Settings

11.3.2 Forms Used to Modify the LDAP Default User Profile Settings
Form Name Configure LDAP Defaults FormID W0092M Navigation Usage

Review the current In Solution Explorer, LDAP default from the System Administration Tools settings. menu (GH9011), select Security Maintenance, Security Maintenance Advanced and Technical Operations, Configure LDAP Defaults. On the Configure LDAP Defaults form, click the User Profile link. On the Configure LDAP Defaults form, click the Role Relationships link. On the Configure LDAP Defaults form, click the Data Source/System User link. On the Work With User Security form, select a security record and then click Select. On the Work With User Security form, click Add. Modify the default user profile settings for LDAP. Add roles to the default user.

User Profile Revisions W0092A

Work with Role Relationships

W95921C

Work With User Security

W98OWSECE

Add or modify the data source or system user settings.

Data Source Revisions W98OWSECH

Assign a different system user to the data source.

Security Revisions

W98OWSECB

Add an additional data source.

11.3.3 Reviewing the Current LDAP Default Settings


Access the Configure LDAP Defaults form.
Note:

All user values are assigned per user ID the first time, and the first time only, that a user signs in. During this initial sign-in, the values are synchronized from LDAP to the JD Edwards EnterpriseOne database. The default role relationship is synchronized only if roles are managed by JD Edwards EnterpriseOne.

LDAP Authentication

Indicates whether LDAP authentication is enabled or disabled.


Role Management

Indicates whether roles are managed by LDAP. You can enable JD Edwards EnterpriseOne to manage roles in LDAP through the P95928 application. See Creating an LDAP Configuration.

Enabling LDAP Support in JD Edwards EnterpriseOne 11-19

Modifying the LDAP Default User Profile Settings

User Profile

Indicates whether a default user profile exists within the JD Edwards EnterpriseOne database. Click this link to modify the default user profile settings. See Modifying the LDAP Default User Profile Settings.
Role Relationships

Indicates whether a default role relationship exists. If LDAP authentication is enabled, and if user-role relationships are set to be managed by LDAP, then this option is disabled. This means that the system does not use the default user-role relationship when synchronizing users from LDAP to the JD Edwards EnterpriseOne database. Click this link to revise the default role relationship. See Modifying the Default Role Relationships for LDAP.
Data Source/System User

Indicates whether a default data source or system user exists. Click this link to add or change the data source or system user. See Modifying the Default User Security Settings for LDAP.

11.3.4 Modifying the Default User Profile Settings for LDAP


Access the User Profile Revisions form. To do so, on the Configure LDAP Defaults form, click the User Profile link. Modify the appropriate fields.
Note: The User ID field always contains the default user ID for the LDAP system. This field is read only.

11.3.5 Modifying the Default Role Relationships for LDAP


Access the Work With Role Relationships form. To do so, on the Configure LDAP Defaults form, click the Role Relationships link.
Note:

If LDAP authentication is enabled and user-role relationships are being managed by LDAP, then this option is disabled. This means that user-role relationship functionality from within JD Edwards EnterpriseOne is disabled.

On the Work With Role Relationships form, you can highlight a role in either the Assigned Roles or Available Roles menus, and then click the appropriate directional arrow button to add or remove the role for the default user.
Note:

These values are only synchronized between JD Edwards EnterpriseOne and LDAP if the role is being managed by JD Edwards EnterpriseOne.

11.3.6 Modifying the Default User Security Settings for LDAP


Access the Configure LDAP Defaults form.
1.

In the Configure Defaults area, click the Data Source/System User link.

11-20 JD Edwards EnterpriseOne Tools Security Administration Guide

Using LDAP Bulk Synchronization (R9200040)

If the default data source or system user does not exist, the Security Revisions form appears.
2.

On the Security Revisions form, complete the System User field to add or change the data source or system user. If the default data source is defined, the Work With User Security form appears.

3. 4. 5. 6.

To assign a different system user to the data source, on the Work With User Security form, select the security record and then click Select. On Data Source Revisions, click the search button in the System User field to assign a different system user. To add an additional data source, on the Work With User Security form, click Add. On the Security Revisions form, complete the fields as appropriate.

11.4 Using LDAP Bulk Synchronization (R9200040)


This section provides an overview of LDAP bulk synchronization and discusses how to run the LDAP Bulk Synchronization batch process (R9200040).

11.4.1 Understanding LDAP Batch Synchronization


The LDAP server contains user profile data for multiple users. This data must also exist in the JD Edwards EnterpriseOne database server. The LDAP Bulk Synchronization batch process (R9200040) enables you to perform bulk synchronization of user profile records from the LDAP server to the JD Edwards EnterpriseOne database. Therefore, this report is beneficial because it populates data that is required for JD Edwards EnterpriseOne functionality.
Note:

If the JD Edwards EnterpriseOne database contains user profile records that are not in the LDAP server, this data cannot be synchronized from JD Edwards EnterpriseOne to the LDAP server using the R9200040 batch process. JD Edwards EnterpriseOne does not provide a utility to perform this function.

Running the report synchronizes user profile data obtained from the LDAP server to the following JD Edwards EnterpriseOne database tables:
Table F0092 F00921 F98OWSEC F95921 F0093 F00922 F00924 F00926 F9005 Description Library List User User Display Preferences Security settings Role Relationship Library List Control User Display Preferences Tag File User Install Package Anonymous User Access Table Variant Description - Control Tables

Enabling LDAP Support in JD Edwards EnterpriseOne 11-21

Using LDAP Over SSL

Table F9006 F00927

Description Variant Detail - Control Tables E1 Users PIM Information

11.4.1.1 Example: LDAP Bulk Synchronization (R9200040)


The following example shows the PDF output of the R9200040 batch process. Note that if the data on the LDAP server is already the same as the corresponding data on the JD Edwards EnterpriseOne database server, the report lists the affected tables and shows a zero record synchronization, which indicates the data exists, but is identical.
Figure 114 LDAP Bulk Synchronization output

11.4.2 Running the LDAP Bulk Synchronization Batch Process (R9200040)


Access the Batch Versions program (P98305). To do so, enter P98305 in the Fast Path.
1. 2.

On the Work With Batch Versions Available Versions form, enter R9200040 in the Batch Application field and click Select. On the Version Prompting form, click Submit.

11.5 Using LDAP Over SSL


This section provides an overview on how to enable LDAP authentication over Secure Socket Layer (SSL) and discusses how to:

Enable LDAP authentication over SSL for Windows and UNIX. Enable LDAP authentication over SSL for iSeries.

11-22 JD Edwards EnterpriseOne Tools Security Administration Guide

Using LDAP Over SSL

11.5.1 Understanding LDAP with SSL


You can establish a secure LDAP connection between the JD Edwards EnterpriseOne server and the LDAP server.

11.5.1.1 LDAP Authentication Over SSL for Windows and UNIX


The JD Edwards EnterpriseOne server uses Netscape's certificate database, cert7.db. You can obtain a cert7.db using the PKCS Utilities distributed by Netscape. Refer to Netscape's documentation for more information on obtaining and using the PKCS Utilities. For Windows and UNIX, establishing the secure connection between the JD Edwards EnterpriseOne application server and the LDAP server requires these items:

Cert7.db certificate database from Netscape. A server certificate for the LDAP server. The trusted root certificate from the certificate authority (CA) that issues the server certificate.

11.5.1.2 LDAP Authentication Over SSL for iSeries


The JD Edwards EnterpriseOne server uses IBM certificate database (.kdb) to store certificates on iSeries. You can create a certificate database on iSeries using Digital Certificate Manager. For iSeries, establishing a secure connection between the JD Edwards EnterpriseOne application server and the LDAP server requires these items:

IBM Certificate store (.kdb) certificate database. A server certificate for the LDAP server. The trusted root certificate from the certificate authority (CA) that issues the server certificate.

11.5.2 Enabling LDAP Authentication Over SSL for Windows and UNIX
To enable LDAP authentication over SSL for Windows or UNIX:
1. 2. 3. 4.

Follow the documentation for your directory server to add the server certificate to the directory server. Using Netscape's PKCS Utilities, add the CA's trusted root certificate to the cert7.db certificate database. Enable SSL for the LDAP configuration using the LDAP Server Configuration Workbench application. Specify the SSL parameters. See Configuring the LDAP Server Settings.

5.

Restart the JD Edwards EnterpriseOne server.

11.5.3 Enabling LDAP Authentication Over SSL for iSeries


To enable LDAP authentication over SSL for iSeries:
1.

Follow the documentation for your directory server to add the server certificate to the directory server.

Enabling LDAP Support in JD Edwards EnterpriseOne 11-23

Exporting User Data to the LDAP Server

2. 3. 4.

Use Digital Certificate Manager to add and export the CA's trusted root certificate to the certificate database (.kdb file). Enable the SSL for the LDAP configuration using the LDAP Server Configuration Workbench application. Specify the SSL parameters. See Configuring the LDAP Server Settings.

5.

Restart the JD Edwards EnterpriseOne server.

11.6 Exporting User Data to the LDAP Server


This section provides an overview of the data4ldap utility, lists prerequisites, and discusses:

Granting access to the data4ldap utility. Configuring parameters required to run the data4ldap utility. Running the data4ldap utility on Windows. Running the data4ldap utility on UNIX or Linux. Running the data4ldap utility on iSeries. Scenarios for Uploading Users to the LDAP server. LDAP server behavior.

11.6.1 Understanding the data4ldap Utility


The data4ldap utility automates the process of uploading JD Edwards EnterpriseOne user data to the LDAP server. The JD Edwards EnterpriseOne user data includes:

EnterpriseOne user ID Password Language attribute User-role relationship

If you do not use this utility, you would have to populate the repository manually, which can lead to data being entered incorrectly. This illustration shows the data4ldap.exe utility uploading the JD Edwards EnterpriseOne user data to the LDAP server.

11-24 JD Edwards EnterpriseOne Tools Security Administration Guide

Exporting User Data to the LDAP Server

Figure 115 Uploading user data to the LDAP server with data4ldap.exe

Web Client LDAP Server data4ldap.exe

EnterpriseOne Enterprise Server

EnterpriseOne Windows Client

EnterpriseOne Database Server

The Language attribute is uploaded only for those JD Edwards EnterpriseOne users who are specifically assigned a language. By default, no language is assigned to a user when a user is added to JD Edwards EnterpriseOne. In such a case, no language is available for the particular user in the LDAP server. For example, if User 1 is assigned language E and User 2 is not assigned to any language, the language attribute is uploaded to the LDAP server only for User 1 and not for User 2. Expired JD Edwards EnterpriseOne users and roles are also exported to the LDAP server. If a JD Edwards EnterpriseOne user record does not exist in the table F98OWSEC, then the particular user would not be exported to the LDAP server.

11.6.2 Prerequisites
Before you use the data4ldap utility, you must:

Use the LDAP Server Configuration Workbench program (P95928) to map these items: See Enabling LDAP Support in JD Edwards EnterpriseOne. User Search Attribute User Search Base User Class Hierarchy Role Search Attribute Role Name Attribute

Enabling LDAP Support in JD Edwards EnterpriseOne 11-25

Exporting User Data to the LDAP Server

Role Search Base Role Class Hierarchy Object Class Password If these fields are left blank, no operation is performed; the utility generates an appropriate error message and exits.

For Microsoft Active Directory, map the following attributes in addition to the above mentioned ones: User Account Control Account Control Attribute Account Name Attribute

Use the LDAP Administrator user ID and password. If either the LDAP Administrator user ID or password field is blank in P95928, the utility cannot export JD Edwards EnterpriseOne user-role data to the LDAP server. It will generate an error message and exit. Disable the password policies of the LDAP server. For further information, refer to the documentation of the directory server that you are using for the LDAP server or contact your LDAP Administrator.

11.6.3 Granting Access to the data4ldap Utility


The data4ldap utility involves working with secured data, so you must ensure that only authorized users are able to access and run it. Use the External Calls Security form in the Security Workbench program (P00950) to grant a user or administrator access to this utility. See Adding External Call Security.

11.6.4 Configuring Parameters Required to Run the data4ldap Utility


The data4ldap utility can run only on the Enterprise Server and not on the client. To run the data4ldap utility, you must configure these parameters:
data4ldap <UserID> <Environment> <Role> <IsRoleIncluded (*YES/*NO)> <IsOverwrite Allowed (*YES/*NO)>

Parameter UserID Environment Role IsRoleIncluded

Description Enter a valid JD Edwards EnterpriseOne user ID that has been granted access to the utility from External Call Security. Enter a valid JD Edwards EnterpriseOne environment. Enter a valid JD Edwards EnterpriseOne role. Specify whether or not JD Edwards EnterpriseOne role information is included in the export to the LDAP server. Enter *YES to export role information. Enter *NO to not export role information.

11-26 JD Edwards EnterpriseOne Tools Security Administration Guide

Exporting User Data to the LDAP Server

Parameter IsOverwriteAllowed

Description Determine whether you want to override the LDAP server entries with the JD Edwards EnterpriseOne user-role data: Enter *YES to overwrite the LDAP server entries with the JD Edwards EnterpriseOne user-role data. Enter *NO if you do not want to overwrite the LDAP server entries with the JD Edwards EnterpriseOne user-role data.

Note:

The IsOverwriteAllowed parameter is used in case the LDAP server already contains user data that is identical to JD Edwards EnterpriseOne user data. In this case, you have the option to overwrite the existing LDAP server user IDs with the current JD Edwards EnterpriseOne user IDs.The value of IsOverwriteAllowed parameter is valid only for user data (common name, language, password, and given name whichever is configured through the application P95928) and not for user-role relationship data.

11.6.5 Running the data4ldap Utility on Windows


In the command prompt, navigate to Enterprise Server System\bin32.
1.

Enter the valid parameters. For example:


data4ldap JDE DV812 *ALL *YES *YES

2.

Press Enter. The utility prompts for User Password.

3.

Enter the password for the JD Edwards EnterpriseOne account.

11.6.6 Running the data4ldap Utility on Unix or Linux


In the command prompt, navigate to Enterprise Server System\bin32.
1.

Enter the valid parameters. For example:


data4ldap JDE DV812 *ALL *YES *YES

2.

Press Enter. The utility prompts for User Password.

3.

Enter the password for the JD Edwards EnterpriseOne account.

11.6.7 Running the data4ldap utility on iSeries


Access the iSeries command prompt.
1.

Under "Selection or command," type data4ldap and press F4. Some default values that are editable appear on the screen.

2.

Enter the valid parameters, for example:


data4ldap JDE Password DV812 *ALL *YES *YES

3.

Press Enter.

Enabling LDAP Support in JD Edwards EnterpriseOne 11-27

Exporting User Data to the LDAP Server

11.6.8 Scenarios for Uploading Users to the LDAP Server


This section discusses the following scenarios for uploading users to the LDAP server:

data4ldap JDE DV812 *ALL *NO *YES data4ldap JDE DV812 *ALL *YES *YES data4ldap JDE DV812 *ALL *YES *NO data4ldap JDE DV812 *ALL *NO *NO

11.6.8.1 data4ldap JDE DV812 *ALL *NO *YES


All JD Edwards EnterpriseOne users are uploaded to the LDAP server and existing LDAP user data is overwritten. However, JD Edwards EnterpriseOne user-role relationship data is neither uploaded nor overwritten in the LDAP server.

11.6.8.2 data4ldap JDE DV812 *ALL *YES *YES


All JD Edwards EnterpriseOne user and user-role relationship data is uploaded to the LDAP server. The existing LDAP user data and LDAP role-relationship data is overwritten.

11.6.8.3 data4ldap JDE DV812 *ALL *YES *NO


All JD Edwards EnterpriseOne users who do not exist in the LDAP server are uploaded to the LDAP server. The existing LDAP users are not be overwritten. All JD Edwards EnterpriseOne user-role relationship data is uploaded to the LDAP server and the existing LDAP role-relationship data is overwritten.

11.6.8.4 data4ldap JDE DV812 *ALL *NO *NO


All JD Edwards EnterpriseOne users who do not exist in the LDAP server are uploaded to the LDAP server, and the existing LDAP users are not overwritten. However, JD Edwards EnterpriseOne user-role relationship data would neither be uploaded nor overwritten in the LDAP Server.

11.6.9 LDAP Server Behavior


This section provides information about LDAP server and:

Tree Delete control Microsoft Active Directory

11.6.9.1 Tree Delete Control


IBM Directory Server (IDS) and Microsoft Active Directory support Tree Delete Control. The Tree Delete Control extends the delete operation and allows the removal of sub trees within a directory using a single delete request. It is always recommended that if the Role data are managed by the LDAP server, include the Role data (isRoleIncluded = *YES) while choosing the Overwrite option (isOverwriteAllowed = *YES). For more details on Tree Delete Control, see:

http://www-128.ibm.com/developerworks/tivoli/library/t-ldap-con trols/index.html

11-28 JD Edwards EnterpriseOne Tools Security Administration Guide

Exporting User Data to the LDAP Server

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp ?topic=/rzahy/rzahycontrols.htm
Note:

Oracle Internet Directory (OID) does not support Tree Delete Control.

11.6.9.2 Microsoft Active Directory


Microsoft Active Directory 2003 uses "inetOrgPerson" and a user password can be stored in the Active Directory attribute called "userPassword". However, Active Directory 2003 must be configured to store a user password in the "userPassword" attribute. It can be configured by setting the 9th bit of dsHeuristics value. It is located in CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain. object. The value should look like this: 000000001. For details refer to: http://technet2.microsoft.com/windowsserver/en/library/bb99fdd4-f8e0-490f-adae6814cf081ff71033.mspx?mfr=true Consider the following items when using Microsoft Active Directory:

EnterpriseOne application P95928 should be configured accordingly for "InetOrgPerson" and "userPassword". For Microsoft Active Directory 2003, the EnterpriseOne data can be dynamically uploaded only over a SSL connection. Even the LDIF (Lightweight Directory Interchange Format) file generated with the help of the data4ldap utility can be uploaded to the LDAP server only over SSL connection. This is due to the Microsoft Active Directory restriction. Microsoft Active Directory 2003 user-password authentication is case sensitive. The uploaded user passwords are stored in upper-case in LDAP servers. During sign-in, other LDAP servers, except Microsoft Active Directory 2003, ignore the case of the supplied password, whereas Microsoft Active Directory 2003 fails to authenticate a user if the supplied password is not in uppercase. In case a user does not get uploaded to Microsoft Active Directory, all of the roles assigned to the particular user would also not be uploaded to Microsoft Active Directory. This restriction is valid only for Microsoft Active Directory and not for OID / IDS.

Enabling LDAP Support in JD Edwards EnterpriseOne 11-29

Exporting User Data to the LDAP Server

11-30 JD Edwards EnterpriseOne Tools Security Administration Guide

12
12

Understanding JD Edwards EnterpriseOne Single Sign-On


This chapter contains the following topics:

Section 12.1, "JD Edwards EnterpriseOne Single Sign-On Overview" Section 12.2, "Authenticate Tokens" Section 12.3, "Nodes" Section 12.4, "How a Node Validates an Authenticate Token" Section 12.5, "Single Sign-On Scenarios"

12.1 JD Edwards EnterpriseOne Single Sign-On Overview


JD Edwards EnterpriseOne single sign-on enables users that are signed in to either PeopleSoft Enterprise Portal or JD Edwards Collaborative Portal to access JD Edwards EnterpriseOne applications without re-entering a user ID and password. Single sign-on provides these benefits:

Allows users to navigate between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne applications seamlessly. Increases the security for the JD Edwards EnterpriseOne system since passwords are no longer passing between different sub-systems in JD Edwards EnterpriseOne.
Note:

JD Edwards EnterpriseOne does not support single sign-on between JD Edwards EnterpriseOne applications and third-party applications.

12.2 Authenticate Tokens


JD Edwards EnterpriseOne uses an authenticate token to achieve single sign-on. The authenticate token contains criteria that grants access to a JD Edwards EnterpriseOne application from PeopleSoft Enterprise Portal or JD Edwards Collaborative Portal. When a user signs on to either system, after successful authentication, the system generates an authenticate token. When a user accesses an JD Edwards EnterpriseOne application, the system uses the generated token to validate the user against the JD Edwards EnterpriseOne security server. As a result, the user does not have to manually sign on to the system again.

Understanding JD Edwards EnterpriseOne Single Sign-On 12-1

Nodes

When a user signs on to either system, an authenticate token is generated after successful authentication. When the user accesses an EnterpriseOne application, the system uses the generated token to validate the user against the EnterpriseOne security server. As a result, the user does not have to manually sign on to the system again. For security purposes, all authenticate tokens expire after a certain period of time and contain a digital signature that ensures the token cannot be tampered with. An authenticate token contains these properties:
Property User ID Description The user ID that the server issued the token for. When the browser submits this token for single sign-on, this is the user that the application server signs in to the system. The language code of a user. When the system uses a token for single sign-on, it sets the language code for the session based on this value. The date and time the token was first issued. The system uses this field to enforce a time-out interval for the single sign-on token. Any application server that accepts tokens for sign-on compares this value against the amount of time set in the application server to accept tokens. The value is in Greenwich Mean Time (GMT) so it does not matter which time zone the application server is in. Note: The system date and time is used to validate the expiration of a token. Changing these values on the server may expose a potential security risk. Issuing Node Name Signature The name of the machine that issued the token. A digital signature that the application server (node) uses to validate the token for single sign-on by ensuring that the token has not been tampered with since it was originally issued. The machine issuing the token generates the signature by concatenating the contents of the token (all the fields that appear in this table) with the message node password for the local node. Then the system hashes the resulting string using the SHA1 hash algorithm. For example ("+" means concatenation), signature = SHA1_Hash (UserID + Lang + Date Time issued + Issuing Node Name+ Issuing Node Password) There is only one way to derive the 160 bits of data that make up the signature, and that is by hashing exactly the same User ID, Language, Date Time, Issuing System, and node password.

Language Code

Date and Time Issued

12.3 Nodes
A node is a machine that can generate or validate an authenticate token. The node contains properties that you set to control security and specify parameters for which tokens the node will accept. The system stores the node properties in the database or the jde.ini files, depending on your particular setup. Each node contains these properties:
Property Node name Description A logical name associated with this node. The length of the node name cannot exceed 15 characters.

12-2 JD Edwards EnterpriseOne Tools Security Administration Guide

How a Node Validates an Authenticate Token

Property Node password

Description Each node has a password which is known only by the system administrator. It serves as a key to ensure that the token does not get tampered with after it is generated. The physical machine name in which the node resides. This property contains the list of nodes that can be trusted by this node. For security purposes, only tokens that are generated by predefined machines can be accepted. These predefined machines are called trusted nodes. The trusted node is one-way, for example if you set up node A to trust node B, it does not mean that node B trusts node A.

Physical machine name Trusted nodes list

Token lifetime properties

When validating a token, the node checks the time the token was issued against the amount of time that you set in the token lifetime properties. For example, if you set the token lifetime for six hours, and the node receives a token that was originally issued seven hours prior, the node will not accept the token. You can use these two properties to specify the token lifetime:

Regular token lifetime This property specifies the expiration time for a regular token. A regular token gives a user the authority to run a regular short-run process, such as a business function. The default value for this property is 12 hours.

Extended token lifetime This property specifies the expiration time for an extended token. An extended token gives a user the authority to run a long-run process, such as a UBE, after it is issued. The default value for this property is 30 days.

Note:

On the iSeries platform, GMT time calculation does not take into account daylight savings time. Consequently, there can be a one hour difference in GMT time calculation between tokens generated on iSeries and Windows platforms. If you set the token timeout values as 12 hours (the default) or longer, you will notice this issue in sessions running for longer than 11 hours. If you set the token timeout values as less than one hour, then the tokens generated on Windows will automatically expire on iSeries. To resolve this issue, on the iSeries server, you should change the QUTCOFFSET value manually whenever there is a change in daylight savings time to ensure proper calculation of GMT time.

12.4 How a Node Validates an Authenticate Token


The node validates an authenticate token by checking whether:

The token signature has been changed. The token is expired. The token is generated by a trusted node.

This diagram is an example of token validation in a multiple node setup:

Understanding JD Edwards EnterpriseOne Single Sign-On 12-3

Single Sign-On Scenarios

Figure 121 Token validation in a multiple node setup

Configuration Node A: Trusted Node: B, C Token Lifetime: 30 mins Node B: Trusted Node: A Token Lifetime: 60 mins Node C: Trusted Node: B Token Lifetime: 90 mins

Trusts A

Trusts

Trusts

C
According to this configuration, the following tokens are validated by a node:

Node A validates tokens generated by node B and node C if received less than 30 minutes from generation. Node B validates tokens generated by node A if received less than 60 minutes from generation. Node C validates tokens generated by node B if received less than 90 minutes from generation.

The following tokens are not validated by a node:

Node B cannot accept a token generated by node C, even though node C trusts node B. A node will not accept a token if the time between its generation and reception by the node is greater than the token lifetime set for that node. For example, node A cannot accept a token from node B if the token was generated more than 30 minutes prior to being received by node A.
Note:

No node will accept a token if its signature has been changed. The system verifies this by comparing the token signature and the hash value of the token body.

12.5 Single Sign-On Scenarios


This section discusses how single sign-on works in these scenarios:

Launching a JD Edwards EnterpriseOne application from PeopleSoft Enterprise Portal. Launching a JD Edwards EnterpriseOne application from JD Edwards Collaborative Portal.

12-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Single Sign-On Scenarios

12.5.1 Launching a JD Edwards EnterpriseOne Application from PeopleSoft Enterprise Portal


The illustration and steps in this section explain how single sign-on works when a user signs in to PeopleSoft Enterprise Portal and launches a JD Edwards EnterpriseOne application:
Figure 122 Single sign-on between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne applications

3. Authenticate User by Pwd

5. Store Authenticate Token in cookie 1. Sign in with user/pwd End User 6. Launch EnterpriseOne Application Enterprise Portal (Web Browser)

2. Send User/Pwd

4. Send Authenticate Token 7. Send Authenticate Token

Enterprise Application Server (Node)

EnterpriseOne Application Server 8 Validate Authenticate Token

EnterpriseOne Security Server (Node)


1.

The user signs in to PeopleSoft Enterprise Portal in a Web browser using a PeopleSoft Enterprise user ID and password.

Understanding JD Edwards EnterpriseOne Single Sign-On 12-5

Single Sign-On Scenarios

2. 3. 4. 5. 6. 7. 8.

The web browser sends the user ID and password to the PeopleSoft Enterprise application server (node). The PeopleSoft Enterprise application server authenticates the user credentials and generates an authenticate token. The PeopleSoft Enterprise application server delivers a cookie containing an authenticate token to the Web browser. The web browser stores the cookie on the local machine. The end user tries to launch a JD Edwards EnterpriseOne application through PeopleSoft Enterprise Portal. The PeopleSoft Enterprise Portal sends the authenticate token to the JD Edwards EnterpriseOne application server. The JD Edwards EnterpriseOne application server validates the token (through the JD Edwards EnterpriseOne security server).

12.5.2 Launching a JD Edwards EnterpriseOne Application from JD Edwards Collaborative Portal


The illustration and steps in this section explain how single sign-on works when a user signs in to JD Edwards Collaborative Portal and launches a JD Edwards EnterpriseOne application:

12-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Single Sign-On Scenarios

Figure 123 Single Sign-on between JD Edwards Collaborative Portal and JD Edwards EnterpriseOne applications

3. Authenticates User 4. Generates Token

User

1. Login with user/password Collaborative Portal Web Browser

2. Send User/Pwd 5. Send Token

Collaborative Portal Server

6. Validate Token

EnterpriseOne JAS Server


1. 2. 3. 4. 5. 6.

EnterpriseOne Security Server

The user signs in to JD Edwards Collaborative Portal through a web browser using a JD Edwards EnterpriseOne user ID and password. The system sends the user ID and password to the JD Edwards Collaborative Portal. JD Edwards Collaborative Portal authenticates the user ID and password against either LDAP, JD Edwards EnterpriseOne tables, or WebSphere security. A token is generated for the user ID. When single sign-on is required for JD Edwards EnterpriseOne, the token is sent to either a JAS Server or a JD Edwards EnterpriseOne application server. The JD Edwards EnterpriseOne security server validates the token and grants access to the JD Edwards EnterpriseOne application.

Understanding JD Edwards EnterpriseOne Single Sign-On 12-7

Single Sign-On Scenarios

12-8 JD Edwards EnterpriseOne Tools Security Administration Guide

13
13

Setting Up JD Edwards EnterpriseOne Single Sign-On


This chapter contains the following topics:

Section 13.1, "Understanding the Default Settings for the Single Sign-On Node Configuration" Section 13.2, "Setting Up a Node Configuration" Section 13.3, "Setting Up a Token Lifetime Configuration Record" Section 13.4, "Setting Up a Trusted Node Configuration" Section 13.5, "Configuring Single Sign-On for a Pre-EnterpriseOne 8.11 Release" Section 13.6, "Configuring Single Sign-On Without a Security Server" Section 13.7, "Configuring Single Sign-On for JD Edwards Collaborative Portal" Section 13.8, "Configuring Single Sign-On for Portlets" Section 13.9, "Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne"

13.1 Understanding the Default Settings for the Single Sign-On Node Configuration
By default, when there is no configuration table specifications in the system and no configurations in the jde.ini file, the security server uses these settings for node information:
Setting Logical Node Name Physical machine name Regular token timeout Extended token timeout Trusted node Description _GLOBALNODE N/A (The default settings are all the same independent of the physical machine that it is residue in.) 12 hours 30 days _GLOBALNODE

As a result, the EnterpriseOne system will generate a token with node name _ GLOBALNODE, and it will only accept a token with node name _GLOBALNODE.

Setting Up JD Edwards EnterpriseOne Single Sign-On 13-1

Setting Up a Node Configuration

Note:

Using default settings may expose a potential security risk. Thus, it is highly recommend to overwrite the single sign-on settings using the single sign-on configuration applications discussed in this section.

13.2 Setting Up a Node Configuration


This section provides an overview of the single sign-on configurations and discusses how to:

Add a node configuration. Revise a node configuration Change the status of a node. Delete a node configuration.

13.2.1 Understanding Single Sign-On Configurations and Their Relationships


In JD Edwards EnterpriseOne, the node configurations are stored in a database. The node lifetime configuration is the configuration for the existing node, and the nodes in the trusted node configuration must have an existing node that has the lifetime configurations. The node properties are stored in these three database tables:

Node Configuration Table (F986180). This table contains the information of a node in the single sign-on environment, such as the node name, description, machine name, node status (active/inactive), and the password. Node Lifetime Configuration Table (F986182): This table contains the lifetime information for an existing node. The node lifetime configuration information, such as the node name, regular token lifetime, and extended token lifetime. Trusted Node Configuration Table (F986181): This table contains the trust relationship between two nodes.

This diagram shows the relationship among these tables:

13-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up a Node Configuration

Figure 131 Single sign-on table relationships

F986180 Node Name TESTNODE_1 Physical Machine SUN1 Node Password TESTPWD_1 Node Name TESTNODE_2

F986180 Physical Machine IBM1 Node Password TESTPWD_2

F986182 Node Name TESTNODE_1 Regular Life Time 30 Extended Life Time 36000 Node Name TESTNODE_2

F986182 Regular Life Time 30 Extended Life Time 36000

F986101 Node Name TESTNODE_1 Trusted Node Name TESTNODE_2

This configuration requires that you configure the single sign-on settings in this order:
1. 2. 3.

Set up node information. Set up node lifetime. Establish the trust between nodes.

You should delete the single sign-on settings in this order:


1. 2. 3.

Delete the trusted node relationship. Delete the node lifetime. Delete the node information.

Alternatively, you can delete the node information directly by deleting the node record in the F986180 table. The system will automatically delete the record's corresponding entries in the Node Lifetime (F986181) and Trusted Node (F986182) tables.

13.2.2 Adding a Node Configuration


Access the SSO Environment Configuration Tools form. In JD Edwards Solution Explorer, select System Administration Tools (GH9011), User Management, User Management Advanced and Technical Operations, and then double-click SSO Environment Configuration Tools.
1. 2. 3.

Click the Single Signon Node Configuration link. On the Work With Node Configuration form, click Add. On the SSO Node Configuration Revisions form, complete these fields:
Description Enter a logical name associated with this node. The length of the node name cannot exceed 15 characters.

Field Node Name

Setting Up JD Edwards EnterpriseOne Single Sign-On 13-3

Setting Up a Token Lifetime Configuration Record

Field Node Description Machine Name Node Status Node Password Verify Node Password

Description Enter a description of the node. Enter the physical machine name where the node resides. Specify whether the node is active or inactive. Enter a password for the node. The password ensures that tokens that are generated from the node do not get tampered with. Re-enter the password.

13.2.3 Revising a Node Configuration


Access the Work With Node Configuration form.
1. 2.

Select a node and then click Select. On SSO Node Configuration Revision, modify the appropriate fields.

13.2.4 Changing the Status of a Node


Access the Work With Node Configuration form. Select the node and then from the Row menu, select Active/Inactive to change the status of the node.

13.2.5 Deleting a Node Configuration


Deleting an existing node configuration results in the removal of its lifetime configuration and trusted node configuration records in F986181 and F986182 respectively. Access the Work With Node Configuration form.
1.

Select the node that you want to delete and click Delete. A warning message appears informing you of the corresponding records that are deleted when you delete a node configuration.

2.

Click OK to delete the node configuration.

13.3 Setting Up a Token Lifetime Configuration Record


A node that has a token lifetime configuration always generates a pair of lifetime configuration recordsone for the regular token and one for the extended token. The trusted node configuration depends on the token lifetime configuration. You can add a pair of new token lifetime configuration records for an existing node. This section discusses how to:

Add a token lifetime configuration record. Delete a token lifetime configuration record.

13.3.1 Adding a Token Lifetime Configuration Record


Access the SSO Environment Configuration Tools form. In JD Edwards Solution Explorer, select System Administration Tools (GH9011), User Management, User Management Advanced and Technical Operations, and then double-click SSO Environment Configuration Tools.

13-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up a Trusted Node Configuration

1. 2. 3.

Click the Single Signon Token Lifetime Configuration link. On the Work With Token Lifetime Configuration form, click Add. On the Token Lifetime Configuration Revision form, complete these fields: Regular Token Lifetime Specify the expiration time for a regular token. The default value for a node is 720 minutes (12 hours). Extended Token Lifetime Specify the expiration time for an extended token. The default value is 4320 minutes (three days). However, the recommended value for this setting is 43,200 minutes (30 days).

13.3.2 Deleting a Token Lifetime Configuration Record


Access the Work With Token Lifetime Configuration form.
Note:

If one token lifetime configuration record is deleted, then another token lifetime configuration for the same node and the trusted node configurations that have this node in it will be deleted as well.

On the Work With Token Lifetime Configuration form, select a node and then click the Delete button.
Note:

A dialog box appears warning you that if you delete this record, the system will delete the extended and regular token lifetime configuration records and the trusted node configuration records of this node.

13.4 Setting Up a Trusted Node Configuration


This section discusses how to:

Add a trusted node configuration. Delete a trusted node configuration.

13.4.1 Adding a Trusted Node Configuration


The nodes that you add to a new trusted node configuration must already be defined and have token lifetime configuration records. Access the SSO Environment Configuration Tools form. In JD Edwards Solution Explorer, select System Administration Tools (GH9011), User Management, User Management Advanced and Technical Operations, and then double-click SSO Environment Configuration Tools.
1. 2. 3.

Click the Single Signon Trusted Node Configuration link. On the Work With Trusted Node Configuration form, click Find, select a record, and then click Add. On the Trusted Node Configuration Revision form, enter a node in the Node Name field and then click OK.

Setting Up JD Edwards EnterpriseOne Single Sign-On 13-5

Configuring Single Sign-On for a Pre-EnterpriseOne 8.11 Release

13.4.2 Deleting a Trusted Node Configuration


Access the Work With Trusted Node Configuration form. Select a record and then click Delete.

13.5 Configuring Single Sign-On for a Pre-EnterpriseOne 8.11 Release


JD Edwards EnterpriseOne stores single sign-on node configuration information in new tables (F986180, F986181 and F986182). These tables are not available in pre-8.11 releases (such as release 8.94). However, you can still configure single sign-on for the pre-release through single sign-on node settings in the jde.ini file. This section discusses how to:

Modify jde.ini file node settings for single sign-on. Work with sample jde.ini node settings for single sign-on.

13.5.1 Modifying jde.ini file Node Settings for Single Sign-On


JD Edwards EnterpriseOne comes with standard default settings for single sign-on. If you do not want to accept the default settings, you can overwrite the default single sign-on node settings by configuring the jde.ini file. See Understanding the Default Settings for the Single Sign-On Node Configuration. Access the jde.ini file to modify the single sign-on node settings. In the [TRUSTED NODE] section of the jde.ini file, add the appropriate values to these settings:
Setting numTrustedNodes RegularLifeTime ExtendedLifeTime NodeName MachineName NodePassword NodeName1 MachineName1 NodePassword1 Description Enter the number of trusted nodes. Enter the expiration time (in minutes) for a regular token. Enter the expiration time (in minutes) for an extended token. Enter the logical name for the first node. Enter the number of trusted nodes. Enter the password for the first node. Enter the logical name for the second node. Enter the physical machine name for the second node. Enter the password for the second node.

13.5.2 Working with Sample jde.ini Node Settings for Single Sign-On
This section contains examples of node settings in the jde.ini file for single sign-on configurations:

13.5.2.1 Example 1:
A system administrator wants to install the EnterpriseOne system on three machines: SUN1, IBM1 and HP1. He wants all three machines to trust each other, and no other machines will be trusted. In this case, the administrator can configure the jde.ini as follows and deploy it on SUN1, IBM1, and HP1:
[TRUSTED NODE]

13-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring Single Sign-On Without a Security Server

numTrustedNodes=3

For Sun:
NodeName=NodeSUN1 MachineName=SUN1 NodePassword=NodePwd

For IBM:
NodeName1=NodeIBM1 MachineName1=IBM1 NodePassword1=IBM1Pwd

For HP:
NodeName2=NodeHP1 MachineName2=HP1 NodePassword2=HP1Pwd

13.5.2.2 Example 2:
A system administrator wants all EnterpriseOne servers in the network to trust each other. Moreover, he wants to change the default node configuration as follows:

Change the node password to NewPwd. Change the regular token lifetime to 30 minutes instead of 12 hours. Change the extended token lifetime to 60 minutes instead of 30 days.

In this case, the administrator can configure the jde.ini as follows and deploy it to all the enterprise servers in the network:
[TRUSTED NODE] numTrustedNodes=1 RegularLifeTime=30 ExtendedLifeTime=60 NodeName=_GLOBALNODE (The node name must be _GLOBALNODE) MachineName=_GLOBALNODE (The machine name must be _GLOBALNODE) NodePassword=NewPwd

13.6 Configuring Single Sign-On Without a Security Server


When there is no security kernel available in the system, a user can directly sign in to the JD Edwards EnterpriseOne Windows client without using the security server. To sign in to JD Edwards EnterpriseOne without a security server, you must:

Set SecurityServer=<blank> in the [SECURITY] section of the client jde.ini file. Sign on to EnterpriseOne using the system (database) user ID and password.

In this case, the EnterpriseOne Windows client generates an authenticate token locally. This token is referred to as a local token. A local token is very similar to a regular token except that it has a fixed node name (_LOCALNODE) and contains the system user name and password. A local token can only be accepted by a local fat client or an enterprise server without a security server, for example SecurityServer=<blank> in the server jde.ini.

Setting Up JD Edwards EnterpriseOne Single Sign-On 13-7

Configuring Single Sign-On for JD Edwards Collaborative Portal

Note:

If you sign in to JD Edwards EnterpriseOne without a security server, you can only run the business functions and UBEs that are mapped to either the local machine or the enterprise server without a security server.

When a local token is used, the default value for regular token lifetime is 12 hours and the default value for extended token lifetime is 30 days. You can override these default values for the local token using the SSO Environment Configuration Tools application or by modifying the appropriate settings in the jde.ini file of the Windows client, deployment server, and enterprise server. These are sample jde.ini node settings to override _LOCALNODE for the local token:
[TRUSTED NODE] numTrustedNodes=1 RegularLifeTime=4320 ExtendedLifeTime=43200 NodeName=_LOCALNODE MachineName=_LOCALNODE

Note:

You cannot override the node password for _LOCALNODE in the jde.ini file; you must use the SSO Environment Configuration Tools application to do this.

13.7 Configuring Single Sign-On for JD Edwards Collaborative Portal


The JD Edwards Collaborative Portal now uses token-based authentication for single sign-on between the JD Edwards Collaborative Portal and the JD Edwards EnterpriseOne HTML Web Server or EnterpriseOne enterprise server. Portlets that access information on JD Edwards EnterpriseOne server generate a token based on the user ID, and send the token to the JD Edwards EnterpriseOne server. The server validates the token and enables the user to sign in. The requested information is returned to the portlet. The token-based system requires that the JD Edwards Collaborative Portal user ID and the JD Edwards EnterpriseOne user ID are the same or that a mapping be set up for the user IDs on the JD Edwards EnterpriseOne server.
Note:

If JD Edwards EnterpriseOne and JD Edwards Collaborative Portal are sharing an LDAP instance, this is not an issue. Since JD Edwards EnterpriseOne only accepts uppercase user IDs in its database, JD Edwards Collaborative Portal will also require uppercase user IDs for the generated token to be validated.

See Also:

Managing User ID Mapping in JD Edwards EnterpriseOne. Configuring Single Signon for Collaborative Portal in the JD Edwards EnterpriseOne Tools 8.98 Collaborative Portal Reference Guide.

13-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring Single Sign-On for Portlets

13.8 Configuring Single Sign-On for Portlets


This section provides information on how to modify the TokenGen.ini file settings for single sign-on and contains single sign-on configuration information for these portlets:

EnterpriseOne Portlet (JSR168) Collaborative Portal EnterpriseOne Menu Hosted EnterpriseOne Portlet CSS, ESS, SSS EnterpriseOne Links CRM

13.8.1 Modifying TokenGen.ini File Settings


Single sign-on requires that you change the TokenGen.ini settings for Node Name and Node Password to correspond to the entries in the JD Edwards EnterpriseOne security server. The values shown in the [NODE MANAGER] section are for a default install:
[NODE MANAGER] NodeName=_GLOBALNODE NodePwd=_GLOBALPWD

To modify these settings after the install, locate the TokenGen.ini file in this directory: <WebSphere home>/properties

13.8.2 EnterpriseOne Portlet (JSR168)


With the EnterpriseOne portlet, the JAS server runs as part of the portlet rather than being connected to remotely. This also means that the EnterpriseOne portlet uses the jas.ini and jdbj.ini files that were installed as part of the JD Edwards Collaborative Portal install. The user IDs must be synchronized between the JD Edwards Collaborative Portal and the JD Edwards EnterpriseOne user database. If the default environment and role are set in the OWWEB section of the jas.ini, these entries will be used for all users. If no default entries are set, the user will be asked to choose from a list of environments and roles when they go to a page with the JD Edwards EnterpriseOne portlet on it. When multiple JD Edwards EnterpriseOne portlets are placed on a page, only one of the portlets displays the environment and role list. The other portlets display the warning message, "This portlet is waiting for authentication to be completed."
See Also:

JD Edwards EnterpriseOne Tools 8.96 HTML Web Server Reference Guide for information about the jas.ini file settings.

13.8.3 Collaborative Portal EnterpriseOne Menu


Before release 8.11, EnterpriseOne Menu (then called Task Explorer) used inherited trust for single sign-on. As of 8.11, the portlet uses the authenticate token. The environment and role are configured through the configuration screen of the portlet by the administrator. Alternatively, the default environment and role can be set in the jas.ini of the remote JAS server.

Setting Up JD Edwards EnterpriseOne Single Sign-On 13-9

Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne

13.8.4 Hosted EnterpriseOne Portlet


Before release 8.11, the Hosted EnterpriseOne Portlet used inherited trust for single sign-on. As of release 8.11, the portlet uses the authenticate token. Environment and role are configured through the edit screen by each user. Alternatively, the administrator can set the default environment and role in the jas.ini of the remote EnterpriseOne JAS server.

13.8.5 CSS, ESS, SSS


Before release 8.11, these portlets used inherited trust for single sign-on. As of release 8.11, these portlets use the authenticate token. The environment and role are set through the portlet configuration screen by the administrator.

13.8.6 EnterpriseOne Links


Before release 8.11, EnterpriseOne Links used inherited trust for single sign-on. As of release 8.11, this portlet uses the authenticate token. The environment and role are still set through the portlet configuration screen by the administrator.

13.8.7 CRM
The CRM portlets, based on the Youcentric technology, continue to use the inherited trust system for single sign-on. CRM portlets included in the 8.11 JD Edwards EnterpriseOne solution are included in the EnterpriseOne portlet.

13.9 Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne
This section provides an overview of setting up single sign-on between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne and discusses how to:

Manage user ID mapping in JD Edwards EnterpriseOne. Manage user ID mapping when using LDAP. Synchronize user mapping between LDAP and JD Edwards EnterpriseOne while using LDAP authentication. View user ID mapping when using LDAP.

13.9.1 Understanding Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne
Prior to JD Edwards EnterpriseOne release 8.11, single sign-on between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne was accomplished as follows:
1. 2. 3.

PeopleSoft Enterprise Portal generated a token and sent it to JD Edwards EnterpriseOne. JD Edwards EnterpriseOne called back to the PeopleSoft Enterprise Portal application server to validate token and received back a user ID. The system used the user ID to sign on to JD Edwards EnterpriseOne.

Since JD Edwards EnterpriseOne can validate and sign on with a token generated by the PeopleSoft Enterprise Portal, it is no longer necessary to call back to the PeopleSoft Enterprise Portal side to validate the token. This simplification of the single sign-on

13-10 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne

setup between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne means that the following items are no longer required:

The psjoa.jar, psft.jar, and PeopleSoft.Generated.CompIntfc.jar files in the JD Edwards EnterpriseOne system. The latest JD Edwards Collaborative Portal installer does not install these files. The PeopleSoftAppServer, PeopleSoftAppServerUser, and PeopleSoftAppServerPassword jas.ini entries in the OWWEB section. The DBUser and DBPassword entries in the jas.ini are no longer required in the SECURITY section. The setup of the component interface (PRTL_SS_CI) on the PeopleSoft Enterprise Portal. Additionally, the admin user for accessing this interface no longer needs to be set up. The entry in the PSTRUSTNODES table on the PeopleSoft Enterprise Portal for the local node.
Note:

The environment and role entries are still set up the same as in previous releases, as defaults in the jas.ini on the JD Edwards EnterpriseOne HTML Web Server.

See JD Edwards EnterpriseOne Tools 8.98 HTML Web Server Reference Guide.

13.9.1.1 Time Zone Adjustment for PeopleSoft Enterprise Portal


When setting up single sign-on between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne, you must properly configure the ENTERPRISE TIMEZONE ADJUSTMENT setting in the JD Edwards EnterpriseOne enterprise server jde.ini file. This setting enables you to enter the difference in time between Greenwich Mean Time (GMT) and PeopleSoft Enterprise Portal Node time. You should change this setting whenever daylight saving time changes to reflect the difference between GMT time and the PeopleSoft Enterprise Portal Node time. In this example of the ENTERPRISE TIMEZONE ADJUSTMENT setting, the difference between the GMT and PeopleSoft Enterprise Portal Node time is entered in minutes for a PeopleSoft Enterprise Portal that is running in Mountain Standard Time (MST):
[ENTERPRISE TIMEZONE ADJUSTMENT] EntNode=-360

13.9.1.2 User ID Mapping for Single Sign-On


Since PeopleSoft Enterprise and JD Edwards EnterpriseOne systems have different user IDs, you must map the user IDs between the two systems in order for single sign-on to work. If you manage user IDs in a JD Edwards EnterpriseOne database, then you can use a JD Edwards EnterpriseOne application to map users. If you use LDAP to manage user information such as user IDs, passwords, and role relationships, then you must use the third-party LDAP tool to set up user ID mapping.

13.9.2 Managing User ID Mapping in JD Edwards EnterpriseOne


Access the SSO Environment Configuration Tools form. In JD Edwards Solution Explorer, select System Administration Tools (GH9011), Security Maintenance, Security Maintenance Advanced and Technical Operations, SSO Environment Configuration Tools.
Setting Up JD Edwards EnterpriseOne Single Sign-On 13-11

Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne

1. 2. 3. 4.

Click the Configure the UserID Mapping link. On the Work with SSO E/E1 UserID Mapping form, use the Add, Select, and Delete buttons to manage user ID mappings. To add a user ID mapping, click Add. On the SSO E/E1 userID Mapping Revisions form, complete the EnterpriseOne UserID and Enterprise UserID fields. The system saves the record in the F00927 table.
Note:

If the JD Edwards EnterpriseOne user ID is not in the F0092 table, the system generates an error stating that it cannot add the mapping record.

13.9.3 Managing User ID Mapping when Using LDAP


JD Edwards EnterpriseOne can use LDAP (Lightweight Data Access Protocol) to manage user IDs, password, and role relationships. If the JD Edwards EnterpriseOne system is LDAP-enabled, this setting must be added to the jde.ini file:
[SECURITY] LDAPAuthentication=true

See Also:

Enabling LDAP Support in JD Edwards EnterpriseOne.

13.9.4 Synchronizing User Mappings Between LDAP and JD Edwards EnterpriseOne While Using LDAP Authentication
JD Edwards EnterpriseOne provides an optional batch application, Synchronize the LDAP and EnterpriseOne Database (R9200040), that you can run to synchronize all of the user mappings between the LDAP and JD Edwards EnterpriseOne databases. The user mapping synchronization also occurs when a user signs in to JD Edwards EnterpriseOne. However, the synchronization only applies to the user who just signed in. Therefore, you should run R9200040 to:

Synchronize all users. Purge obsolete users (such as the users that have already been removed from LDAP) from the database.
Note:

You should be extremely cautious when running this batch application since it not only synchronizes user mappings, but also synchronizes other user profile settings such as user-role relationships. Moreover, it will delete all the users that do not exist in LDAP.

To synchronize all user mappings between the LDAP and JD Edwards EnterpriseOne databases, run the R9200040 batch application: This is an example of the results of running the R9200040 batch application:

13-12 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne

Figure 132 R9200040 output

13.9.5 Viewing User ID Mapping When Using LDAP


When using LDAP to manage user sign-on information, you can still view the user ID mappings for single sign-on through JD Edwards EnterpriseOne. Access the SSO Environment Configuration Tools form. In JD Edwards Solution Explorer, select System Administration Tools (GH9011), Security Maintenance, SSO Environment Configuration Tools.
1. 2.

On the SSO Environment Configuration Tools form, click the View UserID Mapping option. On the Work with SSO E/E1 UserID Mapping form, select a mapping record and then click the Select button to view the mapping.

Setting Up JD Edwards EnterpriseOne Single Sign-On 13-13

Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne

13-14 JD Edwards EnterpriseOne Tools Security Administration Guide

14
14

Understanding Single Sign-On Between JD Edwards EnterpriseOne and Oracle


This chapter contains the following topics:

Section 14.1, "Single Sign-On Between JD Edwards EnterpriseOne and Oracle" Section 14.2, "Oracle Single Sign-On Components" Section 14.3, "Supported JD Edwards EnterpriseOne and Oracle Single Sign-On Configurations" Section 14.4, "Single Sign-On when Running JD Edwards EnterpriseOne on Oracle Application Server" Section 14.5, "Single Sign-On When Running JD Edwards EnterpriseOne on IBM WebSphere" Section 14.6, "Non-Web Client Sign-On in the Oracle Single Sign-On Configuration"

14.1 Single Sign-On Between JD Edwards EnterpriseOne and Oracle


Single sign-on between JD Edwards EnterpriseOne and Oracle enables users to sign in once to access both JD Edwards EnterpriseOne and Oracle single sign-on enabled applications.
Note:

In addition, you can enable support of long user IDs and passwords in a JD Edwards EnterpriseOne single sign-on configuration with Oracle Access Manager or Oracle AS Single Sign-On Server. For more information, see "Using Long User IDs and Passwords in JD Edwards EnterpriseOne" in the Red Paper Library on the My Oracle Support Web site.

14.1.1 Prerequisites
The Oracle Identity Management infrastructure must be installed as part of the Oracle Application Server setup. See the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for more information. If you are running JD Edwards EnterpriseOne web applications on Oracle Application Server, the instructions in this section require that you use the JD Edwards EnterpriseOne Tools HTML Web Server for Oracle Application Server. See JD Edwards EnterpriseOne Tools Release 8.98 HTML Web Server Reference Guides for Oracle Application Server 10.1.3.1 on the My Oracle Support Web site.
Understanding Single Sign-On Between JD Edwards EnterpriseOne and Oracle 14-1

Oracle Single Sign-On Components

See JD Edwards EnterpriseOne Tools Minimum Technical Requirements for WebServers on the My Oracle Web site. If you are running JD Edwards EnterpriseOne web applications on IBM WebSphere Application Server instead of Oracle Application Server, the PeopleSoft SSO Plug-In must be installed on the OracleAS Single Sign-On server. See the My Oracle Support Web site for information on how to install this plug-in.

14.2 Oracle Single Sign-On Components


Configuring single sign-on between JD Edwards EnterpriseOne and Oracle applications requires a thorough understanding of the Oracle Identity Management infrastructure within Oracle Application Server. Oracle Identity Management provides the framework that supports single sign-on. OracleAS Single Sign-On is the component within Oracle Identity Management that works with these other components to enable single sign-on:

Single sign-on server. Partner applications. mod_osso. Oracle Internet Directory. Oracle Identity Management infrastructure.

14.2.1 Single Sign-On Server


The single sign-on server consists of program logic in the Oracle Application Server database, Oracle HTTP Server, and OC4J server that enables you to sign in securely to applications. The single sign-on server enables access to several applications by authenticating only once.

14.2.2 Partner Applications


OracleAS applications delegate the authentication function to the single sign-on server. For this reason, they are called partner applications. An authentication module called mod_osso enables these applications to accept authenticated user information instead of a user name and password once users have signed in to the single sign-on server. A partner application is responsible for determining whether a user authenticated by OracleAS Single Sign-On is authorized to use the application. Examples of partner applications include OracleAS Portal, OracleAS Discoverer, and Oracle Delegated Administration Services. When JD Edwards EnterpriseOne is installed on Oracle Application Server, it is also considered a partner application.

14.2.3 mod_osso
mod_osso is an Oracle HTTP Server module that provides authentication to OracleAS applications. Located on the application server, mod_osso simplifies the authentication process by serving as the sole partner application to the single sign-on server. In this way, mod_osso renders authentication transparent to partner applications.

14-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Supported JD Edwards EnterpriseOne and Oracle Single Sign-On Configurations

14.2.4 Oracle Internet Directory


Oracle Internet Directory is the repository for all single sign-on user accounts and passwordsadministrative and non-administrative. The single sign-on server authenticates users against their entries in the directory. At the same time, it retrieves user attributes form the directory that enables applications to validate users.

14.2.5 Oracle Identity Management Infrastructure


OracleAS Single Sign-On is just one link in an integrated infrastructure that also includes these components:

Oracle Internet Directory Oracle Directory Integration and Provisioning Oracle Delegated Administrative Services OracleAS Certificate Authority

Working together, these components, called the Oracle Identity Management infrastructure, manage the security life cycle of users and other network entities in an efficient, cost-effective way.
See Also:

Oracle Application Server Single Sign-On Administrator's Guide. Oracle Identity Management Integration Guide.

14.3 Supported JD Edwards EnterpriseOne and Oracle Single Sign-On Configurations


Single sign-on is supported between JD Edwards EnterpriseOne web applications and OracleAS Single Sign-On enabled applications.
Note:

JD Edwards EnterpriseOne non-web client applications, such as Windows client, JAVA Connector, and COM Connector, do not use OracleAS Single Sign-On for authentication.

How single sign-on works between JD Edwards EnterpriseOne and Oracle depends upon your implementation:

JD Edwards EnterpriseOne HTML Web Server installed on Oracle Application Server. In this configuration, single sign-on is bi-directional. This means that whichever system users sign in to first, JD Edwards EnterpriseOne or Oracle, they do not have to sign in again to access an application in the other system.

JD Edwards EnterpriseOne HTML Web Server installed on IBM WebSphere. In this configuration, single sign-on is unidirectional. If users have already signed in to Oracle Application Server, they can access a JD Edwards EnterpriseOne application without having to re-enter a user name and password. However, in this configuration, if users sign in to JD Edwards EnterpriseOne first, they cannot access an Oracle application through single sign-on. They will have to re-enter a user ID and password.

Understanding Single Sign-On Between JD Edwards EnterpriseOne and Oracle 14-3

Single Sign-On when Running JD Edwards EnterpriseOne on Oracle Application Server

In addition, JD Edwards EnterpriseOne provides single sign-on from Oracle Portal, enabling users to access a JD Edwards EnterpriseOne application inside Oracle Portal. For more information, see the JD Edwards EnterpriseOne Tools 8.96 Portlet Installation for the Oracle Portal Guide.

14.4 Single Sign-On when Running JD Edwards EnterpriseOne on Oracle Application Server
When JD Edwards EnterpriseOne HTML Web Server is running on Oracle Application Server, JD Edwards EnterpriseOne delegates user authentication to the OracleAS Single Sign-On server. The mod_osso authentication module enables JD Edwards EnterpriseOne applications to accept authenticated user information instead of a user name and password once users have signed in to OracleAS Single Sign-On server. JD Edwards EnterpriseOne determines whether a user authenticated by OracleAS Single Sign-On is authorized to use the application. This diagram shows the single sign-on process when JD Edwards EnterpriseOne HTML Web Server is running on Oracle Application Server:
Figure 141 JD Edwards EnterpriseOne and OracleAS single sign-on
Oracle Internet Directory

3 Web Client 2 OracleAS Single Sign-On Server EnterpriseOne Security Server 4

1 5 Oracle Application Server (EnterpriseOne Applications)


These steps explain the single sign-on process illustrated in the diagram:
1.

A user signs in to an Oracle partner application (either a JD Edwards EnterpriseOne or Oracle web application).

14-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Single Sign-On when Running JD Edwards EnterpriseOne on Oracle Application Server

2. 3.

Using mod_osso, the partner application redirects the request to the OracleAS Single Sign-On server. The OracleAS Single Sign-On server authenticates the user ID and password, generates an Oracle SSO cookie, and redirects the request to the JD Edwards EnterpriseOne partner application on Oracle Application Server. Based on the Oracle SSO cookie, JD Edwards EnterpriseOne generates an authenticate token (PS_TOKEN) and sends it to the JD Edwards EnterpriseOne security server to validate the token, which enables the user to sign in. A session is established for the web user.
Note:

4.

5.

In the diagram, Oracle Internet Directory can be used as an LDAP directory for the JD Edwards EnterpriseOne security server.

14.4.1 Single Sign-Off


Signing off of a JD Edwards EnterpriseOne application terminates the single sign-on session, which in turn signs off all active Oracle partner applications. When you click Sign Out in a JD Edwards EnterpriseOne application, the system takes you to the single sign-off page, where sign-off occurs. If you signed off successfully, each of the applications listed on the single sign-off page has a check mark next to the application name. A broken image next to an application name denotes an unsuccessful sign-off. Once all of the application names activated in a session have a check mark, you can click Return to go to the application from which you initiated sign-off. Signing off an Oracle application takes you to the single sign-off page as well. This closes any Oracle applications that are running. However, any JD Edwards EnterpriseOne applications that are open remain active. Only when a user accesses the JD Edwards EnterpriseOne application does JD Edwards EnterpriseOne check if the Oracle SSO cookie is present. If it is not, the system ends the JD Edwards EnterpriseOne session and redirects the user to the Oracle Single Sign-On page for sign-in.

14.4.2 JD Edwards EnterpriseOne Single Sign-On Settings when Running on Oracle Application Server
Part of configuring single sign-on between JD Edwards EnterpriseOne and Oracle involves configuring the jas.ini and tokengen.ini files.

14.4.2.1 JD Edwards EnterpriseOne jas.ini Settings for Single Sign-On


The jas.ini file of the JD Edwards EnterpriseOne HTML Web Server contains a setting that you can configure to delegate JD Edwards EnterpriseOne user authentication to OracleAS Single Sign-On. This setting is in the [SECURITY] section of the jas.ini file:
Setting OracleSSO= Purpose Determines if OracleAS Single Sign-On is used for user authentication. Valid values are:

TRUE FALSE (default)

In addition, you can configure this setting in the [SECURITY] section to control the functionality of the Return link on the Single Sign-Off web page:
Understanding Single Sign-On Between JD Edwards EnterpriseOne and Oracle 14-5

Single Sign-On when Running JD Edwards EnterpriseOne on Oracle Application Server

Setting OracleSSOSignOffURL =

Purpose Determines the web page that the Return link accesses from the Oracle Single Sign-Off web page when the user signs off from JD Edwards EnterpriseOne. Enter a URL for the web page that you want users to access from the Return link. The default is the URL for accessing the JD Edwards EnterpriseOne web client.

14.4.2.2 JD Edwards EnterpriseOne TokenGen.ini Settings


JD Edwards EnterpriseOne uses the TokenGen.ini file to generate an authenticate token (PS_TOKEN). A common key is required for the encryption and decryption of the authenticate token. This key is set during the JD Edwards EnterpriseOne HTML Web Server installation and is saved in the TokenGen.ini file. The key consists of the node name and node password, as well as other parameters that must not be modified:
Setting NodeName= NodePwd= CLIENTTYPE= CODEPAGE VERSION= TOOLSVERSION= SIGNATURETYPE= MNRD Default Value NodeName NodePassword 1 0 700 8.10 N 0

If you configured single sign-on settings on the JD Edwards EnterpriseOne security server, you can change the NodeName and NodePassword settings during the JD Edwards EnterpriseOne HTML Web Server installation. When the single sign-on node has not been configured on the JD Edwards EnterpriseOne security server, the installer displays the default values for the Node Name and Node Password. After the JD Edwards EnterpriseOne HTML Web Server is installed, you can change the values for the node name and node password to correspond to the entries on your JD Edwards EnterpriseOne security server, if necessary. It will require the restart of JD Edwards EnterpriseOne HTML Web Server.
See Also:

Understanding JD Edwards EnterpriseOne Single Sign-On.

14.4.3 Settings for Configuring JD Edwards EnterpriseOne Virtual Hosts with Oracle Single Sign-On
Single sign-on partner applications are integrated with mod_osso, which is registered automatically by the OracleAS installer. In essence, partner applications are registered by way of mod_osso. Registering the module creates an entry for it in the identity management infrastructure database as well as on the application computer. When the JD Edwards EnterpriseOne HTML Web Server is configured with a port other than the default port (which is typically 80), you should register JD Edwards EnterpriseOne HTML Web Server with the other port using mod_osso. The commands in this section should be executed on the Oracle Identity Manager Host.

14-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Single Sign-On When Running JD Edwards EnterpriseOne on IBM WebSphere

Using port 7778 as an example, these commands show how to register JD Edwards EnterpriseOne HTML Web Server using mod_osso:
SET ORACLE_HOME=C:\OracleAppSrv $ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path $ORACLE_HOME -config_mod_osso TRUE -site_nameAppServer90.eone.jdedwards.com -remote_midtier

You must run an update after running the ssoreg.sh command. Use this command to run an update:
$ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path $ORACLE_HOME -config_mod_osso TRUE -site_name AppServer90.eone.jdedwards.com -remote_midtier - config_file $ORACLE_HOME/Apache/Apache/conf/osso/myosso.conf -mod_osso_url http:// App Server90.eone.jdedwards.com:7778

The resulting configuration file is an obfuscated osso configuration file. You must copy this file to the Oracle Application Server middle-tier instance. Lastly, on the middle-tier host, run this script to complete the registration: (UNIX) $ORACLE_HOME/Apache/Apache/bin/osso1013 config_file For additional information on how to configure virtual hosts with Oracle Single Sign-On, see:

"Configuring Instances to Use 10.1.4 or 10.1.2 Oracle Identity Management" in the Oracle Application Server Administrator's Guide "Configuring mod_osso with Virtual Hosts" in the Oracle Application Server Single Sign-On Administrator's Guide.

14.5 Single Sign-On When Running JD Edwards EnterpriseOne on IBM WebSphere


When JD Edwards EnterpriseOne HTML Web Server is running on IBM WebSphere, single sign-on is unidirectional. Users must first sign in to an Oracle application using Oracle Single Sign-On. Only then can they access a JD Edwards EnterpriseOne application in the same session without having to re-enter their user ID and password. If users access a JD Edwards EnterpriseOne web application first, the JD Edwards EnterpriseOne sign-in screen appears; the sign-in request does not redirect users to the Oracle Single Sign-On page. This solution is similar to JD Edwards EnterpriseOne single sign-on from the PeopleSoft Enterprise Portal, which uses the authenticate token. See Configuring Single Sign-On Between PeopleSoft Enterprise Portal and JD Edwards EnterpriseOne. In this configuration, Oracle AS Single Sign-On uses the PeopleSoft SSO Plug-In to achieve single sign-on with JD Edwards EnterpriseOne. The plug-in, which must be installed on the OracleAS Single Sign-On server, generates an authenticate token that IBM WebSphere uses to achieve single sign-on. See the My Oracle Web site for information on how to download and install this plug-in.

Understanding Single Sign-On Between JD Edwards EnterpriseOne and Oracle 14-7

Single Sign-On When Running JD Edwards EnterpriseOne on IBM WebSphere

Note:

Single sign-off between Oracle and JD Edwards EnterpriseOne is not supported when JD Edwards EnterpriseOne is running on IBM WebSphere. When you sign off of JD Edwards EnterpriseOne, the system ends the JD Edwards EnterpriseOne session, but any Oracle application sessions that are open continue to run. You must close the browser to sign in to JD Edwards EnterpriseOne again. Signing off of an Oracle application ends the OracleAS Single Sign-On session, as well as any other Oracle applications that were active in the session; however, any JD Edwards EnterpriseOne applications that are open will remain active.

This illustration shows the single sign-on process when JD Edwards EnterpriseOne HTML Web Server is running on IBM WebSphere:
Figure 142 JD Edwards EnterpriseOne and OracleAS single sign-on with IBM WebSphere
Oracle Internet Directory

3 2 Web Client OracleAS Single Sign-On Server

EnterpriseOne Security Server

Oracle Application Server 4 6

EnterpriseOne HTML Server (IBM WebSphere)

These steps explain the single sign-on process illustrated in the diagram:
1. 2.

A user signs in to an Oracle partner application on Oracle Application Server. Using mod_osso, the partner application redirects the request to the OracleAS Single Sign-On server.

14-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Non-Web Client Sign-On in the Oracle Single Sign-On Configuration

3.

OracleAS Single Sign-On authenticates the user ID and password, generates an Oracle SSO cookie and PS_TOKEN cookie, and redirects the request to the partner application on Oracle Application Server. When the same user tries to launch a JD Edwards EnterpriseOne application in the same session, the browser sends the request to the JD Edwards EnterpriseOne HTML Web Server running on IBM WebSphere. The JD Edwards EnterpriseOne HTML Web Server sends the PS_TOKEN to the JD Edwards EnterpriseOne security server to validate the token. Upon validation, IBM WebSphere establishes a session for the web user.
Note:

4.

5. 6.

In this diagram, Oracle Internet Directory can be used as an LDAP directory for JD Edwards EnterpriseOne.

14.5.1 Time Zone Setting Adjustment


When JD Edwards EnterpriseOne is running on IBM WebSphere, you must configure the ENTERPRISE TIMEZONE ADJUSTMENT setting in the JD Edwards EnterpriseOne enterprise server jde.ini file. This setting enables you to enter the difference in time between Greenwich Mean Time (GMT) and OracleAS Single Sign-On node time. You should change this setting whenever daylight saving time changes to reflect the difference between GMT time and the OracleAS Single Sign-On node time. In this example of the ENTERPRISE TIMEZONE ADJUSTMENT setting, the difference between the GMT and OracleAS Single Sign-On time is entered in minutes for an OracleAS Single Sign-On server that is running in Mountain Standard Time (MST):
[ENTERPRISE TIMEZONE ADJUSTMENT] OracleSSONode=-360

14.6 Non-Web Client Sign-On in the Oracle Single Sign-On Configuration


JD Edwards EnterpriseOne non-web clients, such as Windows, JAVA Connector, and COM Connector, cannot use OracleAS Single Sign-On. However, this diagram shows how JD Edwards EnterpriseOne can use Oracle Internet Directory, which is an LDAP compliant directory service, to authorize non-web client users:

Understanding Single Sign-On Between JD Edwards EnterpriseOne and Oracle 14-9

Non-Web Client Sign-On in the Oracle Single Sign-On Configuration

Figure 143 JD Edwards EnterpriseOne non-web client sign-on in the Oracle single sign-on configuration
Oracle Internet Directory

Web Client

OracleAS Single Sign-On Server

EnterpriseOne Security Server

Web Application Server

Non-Web Client

OracleAS Single Sign-On uses the Oracle Internet Directory (OID) to manage user information. If enabled for LDAP, JD Edwards EnterpriseOne security server can validate the user ID and password of the non-web client user from Oracle Internet Directory.
See Also:

Enabling LDAP Support in JD Edwards EnterpriseOne.

14-10 JD Edwards EnterpriseOne Tools Security Administration Guide

15
Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g
15

This chapter contains the following topics:

Section 15.1, "Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager" Section 15.2, "Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne" Section 15.3, "Setting Up JD Edwards EnterpriseOne for Single Sign-On Integration with Oracle Access Manager" Section 15.4, "Configuring Single Sign-Off"
Note:

You can also set up single sign-on between JD Edwards EnterpriseOne and Oracle applications through the Oracle AS Single Sign-On Server, which is not discussed in this chapter. In addition, you can enable support of long user IDs and passwords in a JD Edwards EnterpriseOne single sign-on configuration with Oracle Access Manager or Oracle AS Single Sign-On Server. See "Using Long User IDs and Passwords in JD Edwards EnterpriseOne" in the Red Paper Library on the My Oracle Support Web site for more information.

See Also:

Understanding Single Sign-On Between JD Edwards EnterpriseOne and Oracle.

15.1 Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager
Oracle Access Manager provides single sign-on functionality for Oracle applications, including JD Edwards EnterpriseOne. It provides a secure internet infrastructure for identity management for JD Edwards EnterpriseOne applications and processes. This infrastructure provides:

Identity and access management across JD Edwards EnterpriseOne applications, enterprise resources, and other domains.

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g 15-1

Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager

Foundation for managing the identities of customers, partners, and employees across internet applications. These user identities are protected by security policies for web interaction.

Integration with Oracle Access Manager provides JD Edwards EnterpriseOne implementations with these features:

Oracle Access Manager authentication, authorization, and auditing services for JD Edwards EnterpriseOne applications. Oracle Access Manager single sign-on for JD Edwards EnterpriseOne applications and other Oracle Access Manager-protected resources in a single domain or across domains.
Note:

JD Edwards EnterpriseOne single sign-on through Oracle Access Manager is supported only by the JD Edwards EnterpriseOne Web client, not Collaborative Portal.

Oracle Access Manager authentication schemes that provide single sign-on for JD Edwards EnterpriseOne applications: Basic Over LDAP (Lightweight Directory Access Protocol): Users enter a user name and password in a window supplied by the Web server. This method can be redirected to Secure Socket Layer (SSL). Form: Similar to the basic challenge method, users enter information in a custom HTML form. You choose the information that users must provide in the form. X509 Certificates: X.509 digital certificates over SSL. A user's browser must supply a certificate. Integrated Windows Authentication (IWA): Users will not notice a difference between an Oracle Access Manager authentication and IWA when they log on to the desktop, open an Internet Explorer (IE) browser, request an Oracle Access Manager-protected web resource, and complete single sign-on. Microsoft .NET Passport: NET Passport is a component of the Microsoft .NET framework. The .NET plug-in is a Web-based authentication service that provides single sign-on for Microsoft-protected web resources. Custom: You can use other forms of authentication through the Oracle Access Manager Authentication Plug-in API.

Session timeout: Oracle Access Manager enables you to set the length of time that a user session is valid. Ability to use the Oracle Access ManagerIdentity System for identity management. The Identity System provides identity management features such as portal inserts, delegated administration, workflows, and self-registration to JD Edwards EnterpriseOne applications. You can determine how much access to provide to users upon self-registration. Identity System workflows enable a self-registration request to be routed to appropriate personnel before access is granted. Oracle Access Manager also provides self-service, enabling users to update their own identity profiles.

15-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager

See Also:

Oracle Access Manager Integration Guide and the Oracle Identity Manager documentation.

15.1.1 JD Edwards EnterpriseOne Integration Architecture


JD Edwards EnterpriseOne has a configurable authentication mechanism that allows it to authenticate a user against:

Native tables (through a security kernel). Lightweight Data Access Protocol (LDAP). Custom plug-ins, including the ability to read HTTP Headers.

JD Edwards EnterpriseOne single sign-on through Oracle Access Manager involves:

Protection through a WebGate, which is a plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization. Populating a header variable with an attribute value that is stored in the LDAP directory used by Oracle Access Manager. Configuring JD Edwards EnterpriseOne to invoke the Oracle Access Manager authentication process, overriding the default authentication mechanism.

15.1.1.1 Single Sign-On Architecture


Single sign-on with Oracle Access Manager requires a JD Edwards EnterpriseOne HTML Web Server configuration with an application server, such as Oracle Application Server 10g, that contains an HTTP server and a J2EE container, which is required for the Java servlets and Java code to run. In addition, WebGate must be installed on the HTTP Server, and it must be configured to protect the JD Edwards EnterpriseOne URLs that are used to access the HTML Web Server. The user accesses a JD Edwards EnterpriseOne application using a web browser. WebGate intercepts the user's HTTP request and checks for an obSSOCookie. The obSSOCookie is an encrypted cookie that the Oracle Access Manager Access System uses to implement single-domain and multi-domain single sign-on. If the cookie does not exist or has expired, the user is prompted to enter credentials. Oracle Access Manager verifies the user credentials, and if the user is authenticated, the WebGate redirects the user to the requested resource and passes the required header variable to JD Edwards EnterpriseOne. The header variable is read by JD Edwards EnterpriseOne and is used to generate the PS_TOKEN. The following illustration shows the integration environment and process flow:

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g 15-3

Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager

Figure 151 JD Edwards EnterpriseOne Single Sign-On through Oracle Access Manager

obSSOCookie

JD Edwards EnterpriseOne Application

Web Browser Web Server Oracle WebGate Oracle Access Server

JD Edwards EnterpriseOne Application Server

LDAP

JD Edwards EnterpriseOne Database Server


The following steps describe the single sign-on process:
1. 2. 3.

A user attempts to access a JD Edwards EnterpriseOne program. A WebGate that is deployed on the JD Edwards EnterpriseOne HTTP Server intercepts the request. The WebGate checks the Access Server to determine whether the resource (JD Edwards EnterpriseOne URL) is protected. The security policy consists of an authentication scheme, authorization rules, and allowed operations based on an authentication and authorization success or failure.

4. 5.

If a valid session does not exist and the resource is protected, WebGate prompts the user for credentials. If the credentials are validated, Oracle Access Manager performs the actions that are defined in the security policy for the JD Edwards EnterpriseOne resource and sets an HTTP header variable that maps to the JD Edwards EnterpriseOne user ID. If a valid session cookie exists and the user is authorized to access the resource, WebGate redirects the user to the requested JD Edwards EnterpriseOne resource. JD Edwards EnterpriseOne receives the request for the JD Edwards EnterpriseOne resource and runs the code that is defined in its authentication configuration.

6. 7.

15-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

8.

The code reads the HTTP header variable and sets that value as the signed-on JD Edwards EnterpriseOne user. It then generates the PS_TOKEN, which contains the same information. JD Edwards EnterpriseOne generates the applications, subject to further authorization verification within JD Edwards EnterpriseOne.

9.

15.1.2 Supported Versions and Platforms


This section describes the integration of Oracle Access Manager 10g (10.1.4.0.1) with JD Edwards EnterpriseOne Tools 8.98 and JD Edwards EnterpriseOne applications. However, any references to specific versions and platforms in this chapter are for demonstration purposes. For supported versions and platforms for this integration, see Certifications on the My Oracle Support Web site.

15.2 Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne
This section lists prerequisites and discusses how to set up Oracle Access Manager single sign-on for JD Edwards EnterpriseOne, which includes these tasks:

Create a host identifier for the JD Edwards EnterpriseOne HTTP Server. Create a policy domain and policies to restrict access to JD Edwards EnterpriseOne URLs. Define a resource that controls the highest-level URL prefix to protect. Define two authorization rules. Define an authorization action. Define an authentication rule. Define an access policy and add the JD Edwards EnterpriseOne URL pattern to it. Define an authentication rule for the JD Edwards EnterpriseOne resources. Define an authentication action that sets a custom HTTP header variable upon successful authentication. Define an authentication expression for the JD Edwards EnterpriseOne resources.
Note:

JD Edwards EnterpriseOne single sign-on through Oracle Access Manager is supported only with the JD Edwards EnterpriseOne Web client, not Collaborative Portal.

15.2.1 Prerequisites
Before you set up Oracle Access Manager and JD Edwards EnterpriseOne for single sign-on, you must:

Install a supported directory server according to vendor instructions. Install and configure Oracle Access Manager using the directory server as the LDAP repository. See Oracle Access Manager Installation Guide..

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g 15-5

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Configure the HTML Web Server so that JD Edwards EnterpriseOne applications are rendered and accessed through the HTTP Server. Install a WebGate on the JD Edwards EnterpriseOne HTTP Server. See Oracle Access Manager Installation Guide.

Configure the Web browser to allow cookies, according to vendor instructions.

15.2.2 Creating a Host Identifier for the JD Edwards EnterpriseOne HTTP Server
Sign in to Oracle Access Manager.
1. 2. 3.

From the Access System Landing page, select the Access System Console. Click Access System Configuration, and then click Host Identifiers. Add information about the server.

15.2.3 Creating a Policy Domain and Policies to Restrict Access to JD Edwards EnterpriseOne URLs
In Oracle Access Manager, access the System Landing page.
Figure 152 Create Policy Domain page: General tab

1. 2.

From the Access System Landing page, select the Policy Manager, and then click create Policy Domain. Define a policy domain and policies. The policy domain should protect all JD Edwards EnterpriseOne URLs that users access. For example, if you use JD Edwards EnterpriseOne Portal to consolidate access to various JD Edwards EnterpriseOne applications, the policy must protect the portal and application URLs. URL prefix formats are specific to your JD Edwards EnterpriseOne implementation. For example, the version 8.98 URLs have the format /jde/E1Menu.maf.

15-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

15.2.4 Defining a Resource That Controls the Highest-Level URL Prefix to Protect
If you are already viewing the new policy domain, click Resources. Otherwise, click My Policy Domains, the link for the policy domain, and then Resources.
Figure 153 Resources page

15.2.5 Defining Two Authorization Rules


You must define two authorization rules that determine which users have access to all resources, including JD Edwards EnterpriseOne resources. If you are already viewing the new policy domain, click Authorization Rules. Otherwise, click My Policy Domains, the link for the policy domain, and then Authorization rules.

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g 15-7

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Figure 154 Authorization Rules page

15.2.6 Defining an Authorization Action


You must define an authorization action that sets a custom HTTP header variable upon successful authorization. If you are already viewing the new policy domain, click Authorization Rules, Actions. Otherwise, click My Policy Domains, the link for the policy domain, Authorization Rules, and then Actions.

15-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Figure 155 Authorization Rules page

The header variable should contain a value that maps to the JD Edwards EnterpriseOne user ID.

15.2.7 Defining an Authentication Rule


If you are already viewing the new policy domain, click Default Rules, Authentication Rule. Otherwise, click My Policy Domains, the link for the policy domain, Default Rules, and then Authentication Rule.
Figure 156 Authentication Rule Configuration page

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g 15-9

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Note:

An authentication rule could be, for example, Oracle Access and Identity Basic Over LDAP, form authentication, and so on.

15.2.8 Defining an Access Policy and Adding the JD Edwards EnterpriseOne URL Pattern to It
If you are already viewing the new policy domain, click Policies, Add. Otherwise, click My Policy Domains, the link for the policy domain, Policies, and then Add.
Figure 157 Policies page with an example of a saved policy

15.2.9 Defining an Authentication Rule for the JD Edwards EnterpriseOne Resources


If you are already viewing the new policy domain, click Policies, JDE, and then Authentication Rule. Otherwise, click My Policy Domains, the link for the policy domain, Policies, JDE, and then Authentication Rule.

15-10 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Figure 158 Authentication Rule page

15.2.10 Defining an Authentication Action That Sets a Custom HTTP Header Variable Upon Successful Authentication
If you are already viewing the new policy domain, click Policies, JDE, Authentication Rule, and then Actions. Otherwise, click My Policy Domains, the link for the policy domain, Policies, JDE, Authentication Rule, and then Actions.
Figure 159 Authentication Rule page

The header variable should contain a value that maps to the JD Edwards EnterpriseOne user ID.

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g

15-11

Setting Up JD Edwards EnterpriseOne for Single Sign-On Integration with Oracle Access Manager

15.2.11 Defining an Authorization Expression for the JD Edwards EnterpriseOne Resources


If you are already viewing the new policy domain, click Policies, JDE, and then Authorization Expression. Otherwise, click My Policy Domains, the link for the policy domain, Policies, JDE, and then Authorization Expression.
Figure 1510 Authorization Expression page

15.3 Setting Up JD Edwards EnterpriseOne for Single Sign-On Integration with Oracle Access Manager
This section discusses how to set up JD Edwards EnterpriseOne for single sign-on integration with Oracle Access Manager.
1. 2.

Access the JD Edwards EnterpriseOne Web client jas.ini file located on the HTML Web Server machine. In the Security section, complete these settings:
Value TRUE

Setting OracleAccessSSO=

OracleAccessSSOSignOffURL= http://fullyqualifiedhostname:port/access/oblix/lang/en-us /EnterpriseOnelogout.html 3.

Make sure that the HMTL Web Server machine is set up as a trusted node.

15-12 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring Single Sign-Off

In addition, when setting up the trusted node, you might have to change the key for the encryption and decryption of the authenticate token. The settings for this key are set during the installation of the JD Edwards EnterpriseOne HTML Web Server and are stored in the TokenGen.ini file on the security server. See JD Edwards EnterpriseOne TokenGen.ini Settings.

15.4 Configuring Single Sign-Off


This section discusses how to configure single sign-off for JD Edwards EnterpriseOne.
Note:

If you use the Basic Over LDAP authentication scheme on some versions of Microsoft Internet Explorer, you may get unexpected results with the single sign-off URL. Internet Explorer caches user credentials when a Basic Over LDAP authentication scheme is used. For some versions of Internet Explorer, this means that users can continue to access resources after logging out. If you experience this problem with the single sign-off URL, Oracle recommends that you use a Form over LDAP authentication scheme.

1. 2.

Create a new HTML page called EnterpriseOneLogout.html. Open the EnterpriseOneLogout.html file in an editor and add the following information to it:
Note:

You can customize the sign-off page if desired.

<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html lang="en-US"> <head> <title>Oracle Access Manager</title><link rel="stylesheet" type="text/css" href= "style2/coreid.css"></link> <meta http-equiv="PRAGMA" name="PRAGMA" content="NO-CACHE"> <meta http-equiv="Expires" name="Expires" content="Mon, 06 Jan 1990 00:00:01 GMT"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Description" content="Oracle Access Manager"> <meta name="Robot" content="none"> <meta name="Copyright" content="Copyright 1996-2006, Oracle. All Rights Reserved."> <style type="text/css"> <!--.unnamed1 { font-family: Arial, Helvetica, sans- serif; font-size: 2pt} --></style> <script language="JavaScript"> function delCookie(name,path,domain) { var today = new Date(); var deleteDate = new Date(today.getTime() - 48 * 60 * 60 * 1000); // minus 2 days var cookie = name + "=" + ((path == null) ? "" : "; path=" + path) + ((domain == null) ? "" : "; domain=" + domain) + "; expires=" + deleteDate; document.cookie = cookie; }

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g

15-13

Configuring Single Sign-Off

function delOblixCookie() { // set focus to ok button var isNetscape = (document.layers); if (isNetscape == false || navigator.appVersion.charAt(0) >= 5) { for (var i=0; i<document.links.length; i++) { if (document.links[i].href == "javascript:top.close()") { document.links[i].focus(); break; } } } delCookie('ObTEMC', '/'); delCookie('ObSSOCookie', '/'); delCookie('ObSSOCookie', '/'); delCookie('OBBasicAuth', '/'); delCookie('JSESSIONID', '/jde'); // in case cookieDomain is configured // delete same cookie to all of subdomain var subdomain; var domain = new String(document.domain); var index = domain.indexOf("."); while (index > 0) { subdomain = domain.substring(index, domain.length); if (subdomain.indexOf(".", 1) > 0) { delCookie('ObTEMC', '/', subdomain); delCookie('ObSSOCookie', '/', subdomain); delCookie('OBBasicAuth', '/', subdomain); delCookie('JSESSIONID', '/jde', subdomain); } domain = subdomain; index = domain.indexOf(".", 1); } } </script> </head> <link rel="stylesheet" type="text/css" href="/css/webguistylesheet.jsp"> <body bgcolor="#ffffff" marginwidth="0" marginheight="0" topmargin="0" leftmargin= "0" onload="delOblixCookie();"> <table width="100%" height="100%" cellpadding="0" cellspacing="0"> <tr> <td height="148" valign="middle"> <p align="center"> <img src="./images/Oracle_JDEE1.gif" alt="Oracle JD Edwards EnterpriseOne Logo"> </p> </td> </tr> <tr> <td height="250" align="center" valign="middle"> <h3><font size="5">Oracle Access Manager Applications</font></h3> <h3>You have been logged out.</h3>

15-14 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring Single Sign-Off

<h3>For security reasons, please close the browser window </h3> <h3>by clicking the OK button.</h3> <a href="javascript:top.close()" onmouseover="self.status='Close the browser window.'; return true"> <img border="0" alt="Close the browser window." src="style2/NAVok.gif"></a> <script language="JavaScript1.2"> var jdeLegalInfo = "The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.\nThe information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.\nSubject to patent protection under one or more of the following U.S. patents: 5,781,908; 5,828,376; 5,950,010; 5,960,204; 5,987,497; 5,995,972; 5,987,497; and 6,223,345. Other patents pending.\nContains GNU libgmp library; Copyright 1991 Free Software Foundation, Inc. This library is free software which can be modified and redistributed under the terms of the GNU Library General Public License.\nIncludes Adobe PDF Library, Copyright 1993-2001 Adobe Systems, Inc. and DL Interface, Copyright 1998-2001 Datalogics Inc. All rights reserved. Adobe is a trademark of Adobe Systems Incorporated.\nPortions of this program contain information proprietary to Microsoft Corporation. Copyright 1985- 1999 Microsoft Corporation.\nPortions of this program contain information proprietary to Tenberry Software, Inc. Copyright 1992-1995 Tenberry Software, Inc.\nPortions of this program contain information proprietary to Premia Corporation. Copyright 1993 Premia Corporation.\nThis product includes code licensed from RSA Data Security.\nAll rights reserved.\nThis product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http: //www.openssl.org/).\nThis product includes cryptographic software written by Eric Young ([email protected]).\nThis product includes software written by Tim Hudson

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g

15-15

Configuring Single Sign-Off

([email protected]).All rights reserved."; </script> </td> </tr> <tr> <td valign="bottom"> <table width="100%" border="0" cellspacing="0" cellpadding="5"> <tr> <td width="325"><div class="fineprint"> <script> jdeLegalInfo = "The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.\nThe information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.\nSubject to patent protection under one or more of the following U.S. patents: 5,781,908; 5,828,376; 5,950,010; 5,960,204; 5,987,497; 5,995,972; 5,987,497; and 6,223,345. Other patents pending.\nContains GNU libgmp library; Copyright 1991 Free Software Foundation, Inc. This library is free software which can be modified and redistributed under the terms of the GNU Library General Public License.\nIncludes Adobe PDF Library, Copyright 1993-2001 Adobe Systems, Inc. and DL Interface, Copyright 1998-2001 Datalogics Inc. All rights reserved. Adobe is a trademark of Adobe Systems Incorporated.\nPortions of this program contain information proprietary to Microsoft Corporation. Copyright 1985- 1999 Microsoft Corporation.\nPortions of this program contain information proprietary to Tenberry Software, Inc. Copyright 1992-1995 Tenberry Software, Inc.\nPortions of this program contain information proprietary to Premia Corporation. Copyright 1993 Premia Corporation.\nThis product includes code licensed from RSA Data Security.\nAll rights reserved.\nThis product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http:

15-16 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring Single Sign-Off

//www.openssl.org/).\nThis product includes cryptographic software written by Eric Young ([email protected]).\nThis product includes software written by Tim Hudson ([email protected]).All rights reserved."; </script> <a href="#content"><img src="./images/1pix_shim.gif" border="0" alt="Skip navigation links"></a><a class="fineprint" style="COLOR: black" href="javascript: alert(jdeLegalInfo);">Legal Terms</a><br> Copyright 2003-2005, Oracle. All rights reserved. Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of Oracle Corporation and /or its affiliates. Other names may be trademarks of their respective owners.</div> </td> <td><a name="content"></a></td> </tr> </table> </td> </tr> <noscript>A script enabled browser is required for this page to function properly</noscript> </td> </table> </body> </html> 3.

Place the EnterpriseOneLogout.html file in a path that is not protected by a WebGate. The default path is: Policy_Manager_install_dir/access/oblix/lang/en-us/EnterpriseOneLogout.html Where Policy_Manager_install_dir is the directory where the Policy Manager is installed. The file contains Javascript that deletes the ObTEMC, ObSSOCookie, ObBasicAuth, and JSESSIONID cookie. See the appendix on configuring logout in the Oracle Access Manager Access Administration Guide for details.

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 10g

15-17

Configuring Single Sign-Off

Figure 1511 Signoff page

15-18 JD Edwards EnterpriseOne Tools Security Administration Guide

16
Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g
16

This chapter contains the following topics:

Section 16.1, "Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager" Section 16.2, "Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne" Section 16.3, "Setting Up JD Edwards EnterpriseOne for Single Sign-On Integration with Oracle Access Manager" Section 16.4, "Setting Up JD Edwards EnterpriseOne for Single Sign-Off Integration with Oracle Access Manager" Section 16.5, "Testing the Single Sign-On Configuration"
Note:

You can enable support of long user IDs and passwords in a JD Edwards EnterpriseOne single sign-on configuration with Oracle Access Manager. See "Long User ID and Password Support in JD Edwards EnterpriseOne" in the JD Edwards EnterpriseOne White Paper Index on My Oracle Support for more information.

16.1 Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager
Oracle Access Manager provides single sign-on functionality for Oracle applications, including JD Edwards EnterpriseOne. It provides a secure internet infrastructure for identity management for JD Edwards EnterpriseOne applications and processes. This infrastructure provides:

Identity and access management across JD Edwards EnterpriseOne applications, enterprise resources, and other domains. Foundation for managing the identities of customers, partners, and employees across internet applications. These user identities are protected by security policies for web interaction.

Integration with Oracle Access Manager provides JD Edwards EnterpriseOne implementations with these features:

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g 16-1

Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager

Oracle Access Manager authentication, authorization, and auditing services for JD Edwards EnterpriseOne applications. Oracle Access Manager single sign-on for JD Edwards EnterpriseOne applications and other Oracle Access Manager-protected resources in a single domain or across domains.
Note:

JD Edwards EnterpriseOne single sign-on through Oracle Access Manager is supported only by the JD Edwards EnterpriseOne Web client, not Collaborative Portal.

Oracle Access Manager authentication schemes that provide single sign-on for JD Edwards EnterpriseOne applications: Basic Over LDAP (Lightweight Directory Access Protocol): Users enter a user name and password in a window supplied by the Web server. This method can be redirected to Secure Socket Layer (SSL). Form: Similar to the basic challenge method, users enter information in a custom HTML form. You choose the information that users must provide in the form. X509 Certificates: X.509 digital certificates over SSL. A user's browser must supply a certificate. Integrated Windows Authentication (IWA): Users will not notice a difference between an Oracle Access Manager authentication and IWA when they log on to the desktop, open an Internet Explorer (IE) browser, request an Oracle Access Manager-protected web resource, and complete single sign-on. Microsoft .NET Passport: NET Passport is a component of the Microsoft .NET framework. The .NET plug-in is a Web-based authentication service that provides single sign-on for Microsoft-protected web resources. Custom: You can use other forms of authentication through the Oracle Access Manager Authentication Plug-in API.

Session timeout: Oracle Access Manager enables you to set the length of time that a user session is valid. Ability to use the Oracle Access Manager Identity System for identity management. The Identity System provides identity management features such as portal inserts, delegated administration, workflows, and self-registration to JD Edwards EnterpriseOne applications. You can determine how much access to provide to users upon self-registration. Identity System workflows enable a self-registration request to be routed to appropriate personnel before access is granted. Oracle Access Manager also provides self-service, enabling users to update their own identity profiles.
See Also:

Oracle Access Manager Integration Guide and the Oracle Identity Manager documentation.

16-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager

16.1.1 JD Edwards EnterpriseOne Integration Architecture


JD Edwards EnterpriseOne has a configurable authentication mechanism that allows it to authenticate a user against:

Native tables (through a security kernel). Lightweight Data Access Protocol (LDAP). Custom plug-ins, including the ability to read HTTP Headers.

JD Edwards EnterpriseOne single sign-on through Oracle Access Manager involves:

Protection through a WebGate, which is a plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization. Populating a header variable with an attribute value that is stored in the LDAP directory used by Oracle Access Manager. Configuring JD Edwards EnterpriseOne to invoke the Oracle Access Manager authentication process, overriding the default authentication mechanism.

16.1.2 Single Sign-On Architecture


Single sign-on with Oracle Access Manager requires a JD Edwards EnterpriseOne HTML Server configuration with an application server, such as Oracle WebLogic Server 10g, that contains a J2EE container, which is required for the Java servlets and Java code to run. In addition, WebGate must be installed on an Oracle HTTP Server, and it must be configured to protect the JD Edwards EnterpriseOne URLs that are used to access the HTML Server. The following illustration shows the integration environment and process flow:

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g 16-3

Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager

Figure 161 JD Edwards EnterpriseOne Single Sign-On through Oracle Access Manager

This image is described in surrounding text. *********************************************************************************************** The following steps describe the single sign-on process:
1. 2. 3. 4. 5.

A user attempts to access a JD Edwards EnterpriseOne program by entering a URL to the JD Edwards EnterpriseOne Web client in a Web browser. A WebGate deployed on the JD Edwards EnterpriseOne HTTP Server intercepts the request. The WebGate checks Oracle Access Manager to determine whether the resource (JD Edwards EnterpriseOne URL) is protected. If a valid session does not exist and the resource is protected, WebGate prompts the user for credentials through the Oracle Access Manager login page. After the user enters their single sign-on user ID and password on the Oracle Access Manager login page, the WebGate captures the user credentials and sends them to Oracle Access Manager for authentication. Oracle Access Manager compares the user credentials against the Oracle Internet Directory (OID).
a. b.

6.

If the users single sign-on credentials are not in OID, Oracle Access Manager notifies WebGate and the user is denied access to JD Edwards EnterpriseOne. If Oracle Access Manager finds the users single sign-on credentials in OID, Oracle Access Manager authenticates the credentials.

16-4 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

7. 8.

If the credentials are validated, the user gains access to the JD Edwards EnterpriseOne HTML client. If a valid session already exists and the user is authorized to access the resource, WebGate redirects the user to the requested JD Edwards EnterpriseOne resource.

16.1.3 Supported Versions and Platforms


For supported versions and platforms for the integration of Oracle Access Manager with JD Edwards EnterpriseOne Tools and JD Edwards EnterpriseOne Applications, see Certifications on My Oracle Support. Also, see the JD Edwards EnterpriseOne Current MTR Index on My Oracle Support.

16.2 Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne
To configure Oracle Access Manager single sign-on for JD Edwards EnterpriseOne, you must register the Oracle Access Manager 11g WebGate Agent for JD Edwards EnterpriseOne HTML Server. This configuration includes the following tasks:
1. 2. 3. 4. 5.

Creating a host identifier for the JD Edwards EnterpriseOne HTTP Server. Creating an application domain template with resources, authentication and authorization policies. Creating the JDE resources such as /JDE and //* and added them to the authorization policies. Adding the JDE_SSO_UID Header field to responses section. Copying the Agent files from the Oracle Access Manager 11g WebGate Agent to the JD Edwards EnterpriseOne Server.

See Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server in this section, which contains detailed steps on how to perform the preceding tasks.

16.2.1 Prerequisites
Before you set up Oracle Access Manager and JD Edwards EnterpriseOne for single sign-on, you must:

Install a supported directory server, such as Oracle Internet Directory, according to vendor instructions. Install and configure Oracle Access Manager using the directory server as the LDAP repository. Install and configure the HTML Server so that JD Edwards EnterpriseOne applications are rendered and accessed through the HTTP Server. Install and configure the Oracle HTTP Server for JD Edwards EnterpriseOne HTML Server. Install and register the WebGate Agent for JD Edwards EnterpriseOne HTML Server.

See the following guides for information about the prerequisites:


Oracle Access Manager Installation Guide Oracle Access Manager Access Administration Guide

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g 16-5

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

"Configuring Oracle Internet Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management

16.2.2 Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server
Sign in to Oracle Access Manager.
1. 2.

Open the Oracle Access Manager console, for example http://oamservesr:oamport/oamconsole Enter the Admin user and password.

Figure 162 Welcome to Oracle Access Manager 11g Page

3.

On the Welcome page, select the "New OAM 11g Webgate" option.

16-6 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Figure 163 Create OAM 11G Webgate Page

4. 5.

On Create OAM 11G Webgate, enter a name for the WebGate in the Name field. In the Security options area, select Open, and then click the Apply button. This creates entries for the new WebGate under the Host Identifiers and Application Domains nodes, as shown in the following screen.

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g 16-7

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Figure 164 OAM Policy Configuration Tab: New WebGate Entries

6.

To create the resource URL, in the Applications Domains node, click Resources under the new WebGate.

16-8 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Figure 165 OAM Policy Configuration Tab: Create Button

7.

In the Search Results area, click the Create button (paper icon).

Figure 166 Create Resource Tab: Resources Page

8.

On Resources, complete the following fields:


Type: HTTP Host Identifier: Select you host identifier. Resource URL: /jde Protection Level: Select Protected. Authentication Policy: Select Protected Resource Policy. Authorization Policy: Select Protected Resource Policy.

9.

Click the Apply button.

10. Repeat the preceding steps to add the following resource URL:

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g 16-9

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

//*
11. Double-click the Protected Resource Policy.

The Resources tab displays the newly added resources.


Figure 167 Resources Tab with Newly Added Resources

12. Click the Responses tab and click the Add button (plus symbol icon). Figure 168 Responses Tab: Header Row

13. On the Responses tab, complete the following fields in the header row:

Name: JDE_SSO_UID Type: Header

16-10 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

Value: $user.userid

14. Review all registered agents, and then select the System Configuration tab. 15. Open the Access Manager Settings section, and then open the SSO Agents option. Figure 169 OAM Agents Tab: List of Registered Agents

16. In the "Access Manager Settings" section in the left pane, double-click OAM

Agents and then click the Search button. A list of registered agents appears. The registered agent creates a cwallet.sso file and ObAccessClient.xml file.
17. Copy these two files from <MW_HOME>/user_

projects/domain/OAMDomain/output/<Agent_name> and paste them to the following directory on the JD Edwards EnterpriseOne Server: <MW_Home>Oracle_ WT1/instances/instance1/OHS/ohs1/webgate/config

16.2.3 Configuring Oracle HTTP Server for JD Edwards EnterpriseOne HTML Server
After you install and configure the Oracle HTTP Server and Oracle HTTP WebGate, you will need to configure the mod_wl_ohs.conf file. To configure the mod_wl_ohs.conf file:
1.

Navigate to the mod_wl_ohs.conf file located at:


MW_Home>/Oracle_WT1/instances/instance1/config/OHS/ohs1

2.

Edit the mod_wl_ohs.conf file.


a.

Add a Virtual Host section.


NameVirtualHost *:7777 <VirtualHost *:7777> <Location /jde> <--EnterpriseOne Context SetHandler weblogic-handler WebLogicHost dendell06.mlab.jdedwards.com WebLogicPort 9003 <-- EnterpriseOne Port </Location>

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g

16-11

Setting Up JD Edwards EnterpriseOne for Single Sign-On Integration with Oracle Access Manager

b.

If you would prefer to use the single signon for the Weblogic console, then include a <Location /console> section.
<Location /console> <--WebLogic Console Configuration (optional) SetHandler weblogic-handler WebLogicHost dendell06.mlab.jdedwards.com WebLogicPort 9001 </Location>

Use the following image to verify that the WebLogic port numbers match your configuration.
Figure 1610 Configure mod_wl_ohs.conf

Note: The HTTP port number (for example: 7777) will be the SSO port.
3.

Restart the HTTP server.


a. b. c.

Change the directory to MW_Home>/Oracle_WT1/instances/instance1/bin. Run ./opmnctl stopall Run ./opmnctl startall

16.3 Setting Up JD Edwards EnterpriseOne for Single Sign-On Integration with Oracle Access Manager
This section discusses how to set up JD Edwards EnterpriseOne HTML Server for single sign-on integration with Oracle Access Manager through Oracle Enterprise Server Manager.
1. 2. 3.

Open EnterpriseOne Server Manager from a browser. Select your EnterpriseOne HTML Server instance. Select Network Settings from the Configuration section.

16-12 JD Edwards EnterpriseOne Tools Security Administration Guide

Setting Up JD Edwards EnterpriseOne for Single Sign-Off Integration with Oracle Access Manager

Figure 1611 Security Server Configuration Page

4. 5. 6. 7.

Select the Enable Oracle Access Manager option. Click Apply. At the prompt, click the Synchronize button to synchronize the changes in all .ini files. Stop and restart the HTML server.

16.4 Setting Up JD Edwards EnterpriseOne for Single Sign-Off Integration with Oracle Access Manager
This section discusses how to set up the JD Edwards EnterpriseOne HTML Server for single sign-off integration with Oracle Access Manager through EnterpriseOne Server Manager.
1. 2. 3.

Open Server Manager from a Web browser. Select your EnterpriseOne HTML Server instance. In the Configuration section, select Network Settings.

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g

16-13

Testing the Single Sign-On Configuration

Figure 1612 Network Settings for Single Sign-Off

4. 5.

In the Security Server Configuration section, select the Enable Oracle Access Manager option. Enter the Oracle Access Manager (OAM) sign-off URL. The sign-off URL should include the OAM server URL, for example:
http://OAMServer:OAMPort/oamsso/logout.html?end_ url=http://e1server:e1ssoport/jde/index.jsp

6. 7. 8.

Click Apply. At the prompt, click the Synchronize button to synchronize the changes in all .ini files. Stop and restart the EnterpriseOne HTML Server.

16.5 Testing the Single Sign-On Configuration


Perform the steps in this section to test the single sign-on configuration.
1.

In a Web browser, enter the following URL to the JD Edwards EnterpriseOne Web client:
http://yourhost:yourssoport/jde/E1Menu.maf

The Oracle Access Manager 11g login page appears.

16-14 JD Edwards EnterpriseOne Tools Security Administration Guide

Testing the Single Sign-On Configuration

Figure 1613

Oracle Access Manager 11g Login Page

2.

On the login page, enter user credentials in the Username and Password fields, and then click the Login button. If the credentials are validated, the system grants access to the JD Edwards EnterpriseOne Web client. You have successfully configured single sign-on!

Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g

16-15

Testing the Single Sign-On Configuration

16-16 JD Edwards EnterpriseOne Tools Security Administration Guide

17
17

Setting Up Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise


This chapter contains the following topics:

Section 17.1, "Understanding Single Sign-On between JD Edwards EnterpriseOne and Crystal Enterprise" Section 17.2, "Configuring Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise"

17.1 Understanding Single Sign-On between JD Edwards EnterpriseOne and Crystal Enterprise
Single sign-on between JD Edwards EnterpriseOne and Crystal Enterprise provides a way for users to access Crystal Enterprise from JD Edwards EnterpriseOne. JD Edwards EnterpriseOne uses a predefined task type to launch Crystal Enterprise from the JD Edwards EnterpriseOne Menu. From the JD Edwards EnterpriseOne Menu, you can select the Crystal Enterprise task to open a new Crystal Enterprise session. This provides a convenient way for JD Edwards EnterpriseOne users to access Crystal Enterprise without having to maintain separate user IDs and passwords for Crystal Enterprise.
Note:

A separate Crystal Enterprise license is used each time a user opens a new Crystal Enterprise session from JD Edwards EnterpriseOne. Therefore, you should remind users to sign off of Crystal Enterprise when finished to ensure that there are enough licenses available for users. Although, if a user forgets to sign off, the Crystal Enterprise web server will eventually time out and release the license.

17.1.1 Prerequisite
You must install Crystal Enterprise with JD Edwards EnterpriseOne HTML Web Server in one of two supported configurations before setting up JD Edwards EnterpriseOne and Crystal Enterprise for single sign-on. See JD Edwards EnterpriseOne Tools Business Objects XI R2 Guide on the My Oracle Support Web site.

Setting Up Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise

17-1

Configuring Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise

17.2 Configuring Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise
This section discusses how to:

Verify the UDC for the Crystal Enterprise task type. Add the Crystal Enterprise task to the JD Edwards EnterpriseOne Menu. Set up the default domain in Crystal Management Console. Verify the Crystal Enterprise web server definition.

17.2.1 Verifying the UDC for the Crystal Enterprise Task Type
Access the Work with User Defined Codes form. In JD Edwards Solution Explorer, type UDC in the Fast Path.
1.

Complete these fields and click Find: Product Code Enter H90. User Defined Code Enter TT. Codes (in the QBE line) Enter 20. The system should display 20, which is the UDC for Crystal Enterprise.

2. 3.

If no entries are found, click the Add button to create the UDC for Crystal Enterprise. On User Defined Codes, tab to the blank row at the bottom of the list of UDCs and complete these fields: Codes Enter 20. Description 1 Enter Crystal Enterprise. Hard Coded Enter Y.

4.

Click OK.

17.2.2 Add the Crystal Enterprise Task to the JD Edwards EnterpriseOne Menu
In JD Edwards Solution Explorer, click the Menu Design button to access the Menu Design view.
1. 2. 3. 4.

Click the Views button and select the menu to which you want to add the task. Expand the appropriate nodes to locate the position in the menu where you want to place the Crystal Enterprise task. Right-click the parent menu node and select Insert New Task. On Task Revisions, complete these fields:

17-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise


5.

Task ID Task Name Product Code (in the Common tab)

In the Executable tab, select the Crystal Enterprise option, and then click OK.

17.2.3 Setting Up the Default Domain in Crystal Management Console


In order for the Crystal Enterprise task to correctly launch from JD Edwards EnterpriseOne, you must make sure that the default domain for JD Edwards EnterpriseOne is set up correctly in Crystal Management Console (CMC). Sign in to CMC.
1. 2.

In CMC, click the Authentication button. In the EnterpriseOne tab, complete these fields: EnterpriseOne System User Domain Enter the default domain for EnterpriseOne. EnterpriseOne Role

3.

Click the Update button.

17.2.4 Verifying the Crystal Enterprise Web Server Definition


In JD Edwards Solution Explorer, enter P9654A in the Fast Path to access the Work with Locations and Machines form.
1. 2. 3. 4. 5.

Click Find. Expand each node until you see the Crystal Enterprise Web Server node. Click this node and make sure that at least one Crystal Enterprise web server definition is listed. If no entries are listed, select the Crystal Enterprise Web Server node, and then click the Add button to add a definition for the web server. On Crystal Enterprise Web Server Revisions, complete these fields and then click OK:
Description Enter the name of the machine on the network (server or workstation). Enter a description for the machine. Enter the release number as defined in the Release Master. Enter the host machine type. Enter the primary user for the listed machine. Enter the port number for the JD Edwards EnterpriseOne instance.

Field Machine Name Description Release Host Type Primary User Port Number (Crystal tab)

Setting Up Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise

17-3

Configuring Single Sign-On Between JD Edwards EnterpriseOne and Crystal Enterprise

17-4 JD Edwards EnterpriseOne Tools Security Administration Guide

18
Configuring SSL for JDENET (Release 8.98 Update 4.11)
18

This chapter contains the following topics:


Section 18.1, "Understanding SSL for JDENET" Section 18.2, "Installing SSL Programs on IBM System i" Section 18.3, "Generating an SSL Certificate and Key File" Section 18.4, "Configuring the Enterprise Server JDE.INI File"

18.1 Understanding SSL for JDENET


SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted connection between a server and a client. An SSL connection ensures that all data passed between the server and client remain private and complete. SSL, which is used by millions of websites to protect online transactions with customers, can also be used to encrypt data passed between almost any type of client/server application. With EnterpriseOne Tools 8.98 Update 4.11, you can configure JD Edwards EnterpriseOne to use SSL to encrypt all JDENET message data passed between the enterprise server and clients. In this context, a client would include an HTML web server, the deployment server, or any other client that makes requests to the EnterpriseOne enterprise server.

18.2 Installing SSL Programs on IBM System i


For the IBM System i platform, EnterpriseOne provides two SSL-based components within a save file. You have to extract these components to the system foundation IFS folder (such as E910SYS) before you can create and use SSL certificates as described in the following section, "Generating an SSL Certificate and Key File." The following steps describe how to use the command to extract the components for SSL Programs on IBM System i:
1.

Ensure the system foundation library is in your library list. If it is not in the list, you can add it by entering this command: ADDLIBLE E910SYS Where E910SYS is the name of the system foundation library.

2.

From an IBM System i command line, enter the following command: INSTALLSSL

Configuring SSL for JDENET (Release 8.98 Update 4.11) 18-1

Generating an SSL Certificate and Key File

3. 4.

Press F4 to prompt the command. Enter the name of your system foundation library, and then press Enter.

18.3 Generating an SSL Certificate and Key File


To use secure sockets, the server must have an SSL certificate and private key. This information is used by the SSL library functions to generate unique encryption keys for each connection and negotiate the secure connection with the client. EnterpriseOne provides a script file that can be used to generate a combination certificate/key file for use with SSL. On Windows servers, the gencert.cmd file is used to generate a combination SSL certificate/private key file that is suitable for use with JDENET SSL. On UNIX and Linux systems, the file is called gencert.sh. On IBM System i, the command is GENCERT, which must be run from QSHELL. These files can be found in the system/bin32 directory on the enterprise server and also on the deployment server. The following illustration shows an example of running the script to generate a certificate. Notice that the system prompts you to enter data that is unique to your site to create the certificate/key file:
Figure 181 Example of Running Script to Generate an SSL Certificate

The file generated by this script should be entered as the sslKeyFile parameter in the enterprise server JDE.INI file when using SSL. See Configuring the Enterprise Server JDE.INI File in this chapter. By default, the file is created in a directory outside the main system directory to ensure that the certificate/key file is preserved during an EnterpriseOne Tools release upgrade.

18-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring the Enterprise Server JDE.INI File

More about Certificates It is not required to generate the certificate/key file on the server that will use it. You could, for example, generate a certificate/key file on the deployment server and move it to your enterprise server when you are ready to start using SSL. You can also use commercially signed certificates, such as certificates validated by a company like Verisign or Cybertrust, to set up SSL for JDENET, with some caveats. The EnterpriseOne enterprise server currently requires a combination certificate and key file in PEM format. In addition, the file must not be pass-phrase protected. Currently, using a commercially signed certificate with the JDENET server does not offer any advantage over using the self-signed, internally generated certificate as described in this section.

18.4 Configuring the Enterprise Server JDE.INI File


With EnterpriseOne Tools 8.98 Update 4.11, the "Network and Queue Settings (JDENET Configuration)" section of the enterprise server JDE.INI file contains three settings for SSL support. These settings are used only by the enterprise server. Clients that connect to the enterprise server do not have any related settings, as the enterprise server tells the client the type of connection to be used. Because of this architecture, older EnterpriseOne clients that do not support SSL cannot connect with an EnterpriseOne server that is enabled with SSL. Therefore, SSL support for JDENET requires that the release level of EnterpriseOne clients matches the release level of EnterpriseOne servers. The SSL settings in the "Network and Queue Settings (JDENET Configuration)" section of the jde.ini include:

useSSL Valid values are Enable SSL or Disable SSL. Enabling this option specifies that JDENET messages will be exchanged using secure sockets (SSL). The setting is only set on the server, but does require that clients accessing the server can process SSL messages (that is, all clients must be running with a matching EnterpriseOne Tools release). Disable SSL is the default setting in EnterpriseOne Tools 8.98 Update 4.11.

sslRetries This setting specifies the maximum number of times the server or client will attempt to complete an SSL handshake. If the handshake is not completed within the retry limit, the SSL connection fails. The retry limit prevents the server from hanging on an SSL connection that may never complete. The default value of 1000 for this setting should be appropriate for most installations, but may need to be increased to allow for slow clients or high network latency.

sslKeyFile You must set this parameter to the fully qualified path of the file containing the server's SSL certificate and private key. The server must have a valid certificate/key file in PEM format in order to use secure sockets. See Generating an SSL Certificate and Key File in this chapter for more information.

The following is an example of a typical SSL setup viewed from Server Manager:

Configuring SSL for JDENET (Release 8.98 Update 4.11) 18-3

Configuring the Enterprise Server JDE.INI File

Figure 182

SSL Settings in the JDE.INI File

18-4 JD Edwards EnterpriseOne Tools Security Administration Guide

A
A

Creating a JD Edwards EnterpriseOne LDAP Configuration for OID


This appendix is a supplement to the "Enabling LDAP Support in Oracle JD Edwards EnterpriseOne" chapter in this guide. Use the settings detailed in this appendix as a reference when creating an LDAP configuration for Oracle Internet Directory (OID). This appendix contains the following topics:

Section A.1, "Understanding JD Edwards EnterpriseOne LDAP Configuration for OID" Section A.2, "Adding OID to the List of LDAP Server Types" Section A.3, "Creating an LDAP Configuration for OID" Section A.4, "Configuring the LDAP Server Settings for OID" Section A.5, "Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings for OID"

A.1 Understanding JD Edwards EnterpriseOne LDAP Configuration for OID


OID is an LDAP compliant directory service. You can configure JD Edwards EnterpriseOne to use OID as the LDAP server. This enables administrators to use the directory service to manage user information such as user IDs, passwords, and user-role relationships.
Important: This section does not contain all of the steps for creating an LDAP configuration, only specific values that are required for setting up an LDAP configuration for OID.

When you configure OID as the LDAP server, the settings that you configure depend on how you plan to use OID, which can include these scenarios:

Managing only user IDs and passwords. Managing user-role relationships in addition to user IDs and passwords. Using Secure Socket Layer (SSL). Using the User Profile Self-Service application (P0092SS).

Creating a JD Edwards EnterpriseOne LDAP Configuration for OID

A-1

Adding OID to the List of LDAP Server Types

See Also:

Enabling LDAP Support in JD Edwards EnterpriseOne. Oracle Internet Directory Administrator's Guide.

A.2 Adding OID to the List of LDAP Server Types


Before you can create an LDAP configuration for OID, you must manually add OID as an option in the LDAP Server Type field of the LDAP Server Configuration Workbench program (P95928). To do so, use the User Defined Code program (P0004A) to add a UDC for OID. Access the Work With User Defined Codes form. In JD Edwards Solution Explorer, enter UDC in the Fast Path.
1.

Complete these fields and click Find:


Value 95 LS

Field Product Code User Defined Codes 2. 3.

Click Add. On the User Defined Codes form, scroll to the last empty row of the detail area.
Important:

Be sure to add the new code on the last detail row so that you do not inadvertently overwrite a blank code, which might appear in the first detail row. A blank code might have only a period in the Description field.

4.

Complete these fields and click OK:


Value OID Oracle Internet Directory

Field Codes Description 1

A.3 Creating an LDAP Configuration for OID


Use this section as a reference for creating an LDAP configuration. See Creating an LDAP Configuration. When you create an LDAP configuration for OID, on the LDAP Server Information form, you must select OID in the LDAP Server Type field.

A.4 Configuring the LDAP Server Settings for OID


Use the OID settings in this section as a reference for configuring the LDAP server settings. See Configuring the LDAP Server Settings. The values in the tables are variables and will differ depending upon your configuration.
A-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings for OID

Configure these attributes:


Attribute USRSRCHBAS USRSRCHFLT USRSRCHSCP Value cn=Users,dc=jdedwards,dc=com objectclass=inetOrgPerson subtree

If roles are enabled in LDAP, configure these attributes:


Attribute ROLSRCHBAS ROLSRCHFLT ROLSRCHSCP Value cn=Groups,dc=jdedwards,dc=com objectclass=groupofUniqueNames subtree

If you are using SSL with LDAP server, configure these attributes as well:
Attribute SSLPORT CERTDBPATH Value 636 c:\certdbdir (Directory path for cert7.db)

If you are using the user profile self-service application for the Manufacturing Sourcing module , configure these settings:
Attribute USRADDLOC USRCLSHRCY ROLADDLOC Value cn=Users, dc=jdedwards,dc=com top,person,organizationalperson,inetOrgPerson,orcluser, orcluserv2 cn=Groups,dc=jdedwards,dc=com

A.5 Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings for OID
Use the OID settings in this section as a reference for configuring LDAP to JD Edwards EnterpriseOne enterprise server mappings. See Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings. The values in the tables are variables and will differ depending upon your configuration. Configure these attributes:
Attribute E1USRIDATR USRSRCHATR EUSRIDATR Value uid uid uid

Creating a JD Edwards EnterpriseOne LDAP Configuration for OID

A-3

Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings for OID

If roles are enabled in LDAP, configure these attributes:


Attribute ROLNAMEATR ROLSRCHATR Value cn uniquemember

If you are using the user profile self-service application for the Manufacturing Sourcing module, configure these settings:
Attribute CMNNAME SURNAME PASSWORD OBJCLASS Value cn sn userPassword objectClass

A-4 JD Edwards EnterpriseOne Tools Security Administration Guide

B
B

JD Edwards EnterpriseOne Cookies

This appendix contains the following topic:

Section B.1, "Web Runtime Cookies"

B.1 Web Runtime Cookies


This table lists the web runtime cookies that the HTML Web Server sends to a web browser when running JD Edwards EnterpriseOne web applications.
JD Edwards EnterpriseOne Web Runtime Cookie com_jdedwards_ LastLayout

Purpose This cookie stores the OneWorld Portal Workspace (WORKSPACEID) that was last accessed by a user (USERID). Note: This cookie is only applicable to OneWorld Portal users.

Life Span

Turn ON/OFF

The life span of the You cannot turn off cookie is one year. this cookie.

com_jdedwards_CSN

10000 milliseconds. You cannot turn off This cookie stores the this cookie. information to implement critical state functionality for the HTML Client Component running inside the OneWorld Portal. This cookie stores the information about whether to display the Environment and Role fields on the JD Edwards EnterpriseOne sign-in screen. Seven days. This cookie is created only if the DisplayEnvironment property defined in the [LOGIN] section of the JAS.INI is not set to "HIDDEN".

advancedState

JD Edwards EnterpriseOne Cookies B-1

Web Runtime Cookies

JD Edwards EnterpriseOne Web Runtime Cookie jdeLoginCookie

Purpose This cookie stores the username, password, role, language code and rtlLayout information about a user's login in an encrypted format.

Life Span The life span of the cookie depends on the value of CookieLifeTime property defined in the [SECURITY] section of the JAS.INI file. If this property is not defined, then by default, this cookie's life span is set to seven days.

Turn ON/OFF This cookie is not created if the UseLogonCookie property defined in the [SECURITY] section of the JAS.INI is set to false. The system does not create this cookie by default.

AutoPopulate

This cookie stores a user's The life span of the You cannot turn off cookie one year. this cookie. preference of whether to auto populate the grid on a form. A user can turn the autopopulate grid option on/off by using the AutoPopulate option in the Tools menu on a form. This cookie never This cookie determines the maximum number of expires. javascript debug statements that can be logged using JSMonitor.log() API. The default value for this cookie is 15. A developer can turn on the logging by clicking the Enable JSMonitor button after pressing Ctrl+D. You cannot turn off this cookie.

maxLogLength

B-2 JD Edwards EnterpriseOne Tools Security Administration Guide

Glossary
Accessor Methods/Assessors Java methods to get and set the elements of a value object or other source file. activity rule The criteria by which an object progresses from one given point to the next in a flow. add mode A condition of a form that enables users to input data. Advanced Planning Agent (APAg) A JD Edwards EnterpriseOne tool that can be used to extract, transform, and load enterprise data. APAg supports access to data sources in the form of rational databases, flat file format, and other data or message encoding, such as XML. application server Software that provides the business logic for an application program in a distributed environment. The servers can be Oracle Application Server (OAS) or WebSphere Application Server (WAS). Auto Commit Transaction A database connection through which all database operations are immediately written to the database. batch processing A process of transferring records from a third-party system to JD Edwards EnterpriseOne. In JD Edwards EnterpriseOne Financial Management, batch processing enables you to transfer invoices and vouchers that are entered in a system other than JD Edwards EnterpriseOne to JD Edwards EnterpriseOne Accounts Receivable and JD Edwards EnterpriseOne Accounts Payable, respectively. In addition, you can transfer address book information, including customer and supplier records, to JD Edwards EnterpriseOne. batch server A server that is designated for running batch processing requests. A batch server typically does not contain a database nor does it run interactive applications.

Glossary-1

batch-of-one

batch-of-one A transaction method that enables a client application to perform work on a client workstation, then submit the work all at once to a server application for further processing. As a batch process is running on the server, the client application can continue performing other tasks. best practices Non-mandatory guidelines that help the developer make better design decisions. BPEL Abbreviation for Business Process Execution Language, a standard web services orchestration language, which enables you to assemble discrete services into an end-to-end process flow. BPEL PM Abbreviation for Business Process Execution Language Process Manager, a comprehensive infrastructure for creating, deploying, and managing BPEL business processes. Build Configuration File Configurable settings in a text file that are used by a build program to generate ANT scripts. ANT is a software tool used for automating build processes. These scripts build published business services. build engineer An actor that is responsible for building, mastering, and packaging artifacts. Some build engineers are responsible for building application artifacts, and some are responsible for building foundation artifacts. Build Program A WIN32 executable that reads build configuration files and generates an ANT script for building published business services. business analyst An actor that determines if and why an EnterpriseOne business service needs to be developed. business function A named set of user-created, reusable business rules and logs that can be called through event rules. Business functions can run a transaction or a subset of a transaction (check inventory, issue work orders, and so on). Business functions also contain the application programming interfaces (APIs) that enable them to be called from a form, a database trigger, or a non-JD Edwards EnterpriseOne application. Business functions can be combined with other business functions, forms, event rules, and other components to make up an application. Business functions can be created through event rules or third-generation languages, such as C. Examples of business functions include Credit Check and Item Availability. business function event rule See named event rule (NER).

Glossary-2

Business Service Property Admin Tool

business service EnterpriseOne business logic written in Java. A business service is a collection of one or more artifacts. Unless specified otherwise, a business service implies both a published business service and business service. business service artifacts Source files, descriptors, and so on that are managed for business service development and are needed for the business service build process. business service class method A method that accesses resources provided by the business service framework. business service configuration files Configuration files include, but are not limited to, interop.ini, JDBj.ini, and jdelog.properties. business service cross reference A key and value data pair used during orchestration. Collectively refers to both the code and the key cross reference in the WSG/XPI based system. business service cross-reference utilities Utility services installed in a BPEL/ESB environment that are used to access JD Edwards EnterpriseOne orchestration cross-reference data. business service development environment A framework needed by an integration developer to develop and manage business services. business services development tool Otherwise known as JDeveloper. business service EnterpriseOne object A collection of artifacts managed by EnterpriseOne LCM tools. Named and represented within EnterpriseOne LCM similarly to other EnterpriseOne objects like tables, views, forms, and so on. business service framework Parts of the business service foundation that are specifically for supporting business service development. business service payload An object that is passed between an enterprise server and a business services server. The business service payload contains the input to the business service when passed to the business services server. The business service payload contains the results from the business service when passed to the Enterprise Server. In the case of notifications, the return business service payload contains the acknowledgement. business service property Key value data pairs used to control the behavior or functionality of business services. Business Service Property Admin Tool An EnterpriseOne application for developers and administrators to manage business service property records.
Glossary-3

business service property business service group

business service property business service group A classification for business service property at the business service level. This is generally a business service name. A business service level contains one or more business service property groups. Each business service property group may contain zero or more business service property records. business service property key A unique name that identifies the business service property globally in the system. business service property utilities A utility API used in business service development to access EnterpriseOne business service property data. business service property value A value for a business service property. business service repository A source management system, for example ClearCase, where business service artifacts and build files are stored. Or, a physical directory in network. business services server The physical machine where the business services are located. Business services are run on an application server instance. business services source file or business service class One type of business service artifact. A text file with the .java file type written to be compiled by a Java compiler. business service value object template The structural representation of a business service value object used in a C-business function. Business Service Value Object Template Utility A utility used to create a business service value object template from a business service value object. business services server artifact The object to be deployed to the business services server. business view A means for selecting specific columns from one or more JD Edwards EnterpriseOne application tables whose data is used in an application or report. A business view does not select specific rows, nor does it contain any actual data. It is strictly a view through which you can manipulate data. central objects merge A process that blends a customer's modifications to the objects in a current release with objects in a new release. central server A server that has been designated to contain the originally installed version of the software (central objects) for deployment to client computers. In a typical JD Edwards EnterpriseOne installation, the software is loaded on to one machinethe central
Glossary-4

database credentials

server. Then, copies of the software are pushed out or downloaded to various workstations attached to it. That way, if the software is altered or corrupted through its use on workstations, an original set of objects (central objects) is always available on the central server. charts Tables of information in JD Edwards EnterpriseOne that appear on forms in the software. check-in repository A repository for developers to check in and check out business service artifacts. There are multiple check-in repositories. Each can be used for a different purpose (for example, development, production, testing, and so on). checksum A fixed-size datum computed from an arbitrary block of digital data for the purpose of detecting accidental errors that may have been introduced during its transmission or storage. JD Edwards EnterpriseOne uses the checksum to verify the integrity of packages that have been downloaded by recomputing the checksum of the downloaded package and comparing it with the checksum of the original package. The procedure that yields the checksum from the data is called a checksum function or checksum algorithm. JD Edwards EnterpriseOne uses the MD5 and STA-1 checksum algorithms. connector Component-based interoperability model that enables third-party applications and JD Edwards EnterpriseOne to share logic and data. The JD Edwards EnterpriseOne connector architecture includes Java and COM connectors. Control Table Workbench An application that, during the Installation Workbench processing, runs the batch applications for the planned merges that update the data dictionary, user-defined codes, menus, and user override tables. control tables merge A process that blends a customer's modifications to the control tables with the data that accompanies a new release. correlation data The data used to tie HTTP responses with requests that consist of business service name and method. credentials A valid set of JD Edwards EnterpriseOne username/password/environment/role, EnterpriseOne session, or EnterpriseOne token. cross-reference utility services Utility services installed in a BPEL/ESB environment that access EnterpriseOne cross-reference data. database credentials A valid database username/password.

Glossary-5

database server

database server A server in a local area network that maintains a database and performs searches for client computers. Data Source Workbench An application that, during the Installation Workbench process, copies all data sources that are defined in the installation plan from the Data Source Master and Table and Data Source Sizing tables in the Planner data source to the system-release number data source. It also updates the Data Source Plan detail record to reflect completion. deployment artifacts Artifacts that are needed for the deployment process, such as servers, ports, and such. deployment server A server that is used to install, maintain, and distribute software to one or more enterprise servers and client workstations. direct connect A transaction method in which a client application communicates interactively and directly with a server application. See also batch-of-one and store-and-forward. Do Not Translate (DNT) A type of data source that must exist on the iSeries because of BLOB restrictions. embedded application server instance An OC4J instance started by and running wholly within JDeveloper. edit code A code that indicates how a specific value for a report or a form should appear or be formatted. The default edit codes that pertain to reporting require particular attention because they account for a substantial amount of information. edit mode A condition of a form that enables users to change data. edit rule A method used for formatting and validating user entries against a predefined rule or set of rules. Electronic Data Interchange (EDI) An interoperability model that enables paperless computer-to-computer exchange of business transactions between JD Edwards EnterpriseOne and third-party systems. Companies that use EDI must have translator software to convert data from the EDI standard format to the formats of their computer systems. embedded event rule An event rule that is specific to a particular table or application. Examples include form-to-form calls, hiding a field based on a processing option value, and calling a business function. Contrast with the business function event rule.

Glossary-6

Environment Workbench

Employee Work Center A central location for sending and receiving all JD Edwards EnterpriseOne messages (system and user generated), regardless of the originating application or user. Each user has a mailbox that contains workflow and other messages, including Active Messages. enterprise server A server that contains the database and the logic for JD Edwards EnterpriseOne. Enterprise Service Bus (ESB) Middleware infrastructure products or technologies based on web services standards that enable a service-oriented architecture using an event-driven and XML-based messaging framework (the bus). EnterpriseOne administrator An actor responsible for the EnterpriseOne administration system. EnterpriseOne credentials A user ID, password, environment, and role used to validate a user of EnterpriseOne. EnterpriseOne development client Historically called fat client, a collection of installed EnterpriseOne components required to develop EnterpriseOne artifacts, including the Microsoft Windows client and design tools. EnterpriseOne extension A JDeveloper component (plug-in) specific to EnterpriseOne. A JDeveloper wizard is a specific example of an extension. EnterpriseOne object A reusable piece of code that is used to build applications. Object types include tables, forms, business functions, data dictionary items, batch processes, business views, event rules, versions, data structures, and media objects. EnterpriseOne process A software process that enables JD Edwards EnterpriseOne clients and servers to handle processing requests and run transactions. A client runs one process, and servers can have multiple instances of a process. JD Edwards EnterpriseOne processes can also be dedicated to specific tasks (for example, workflow messages and data replication) to ensure that critical processes don't have to wait if the server is particularly busy. EnterpriseOne resource Any EnterpriseOne table, metadata, business function, dictionary information, or other information restricted to authorized users. Environment Workbench An application that, during the Installation Workbench process, copies the environment information and Object Configuration Manager tables for each environment from the Planner data source to the system-release number data source. It also updates the Environment Plan detail record to reflect completion.

Glossary-7

escalation monitor

escalation monitor A batch process that monitors pending requests or activities and restarts or forwards them to the next step or user after they have been inactive for a specified amount of time. event rule A logic statement that instructs the system to perform one or more operations based on an activity that can occur in a specific application, such as entering a form or exiting a field. explicit transaction Transaction used by a business service developer to explicitly control the type (auto or manual) and the scope of transaction boundaries within a business service. exposed method or value object Published business service source files or parts of published business service source files that are part of the published interface. These are part of the contract with the customer. fast path A command prompt that enables the user to move quickly among menus and applications by using specific commands. file server A server that stores files to be accessed by other computers on the network. Unlike a disk server, which appears to the user as a remote disk drive, a file server is a sophisticated device that not only stores files, but also manages them and maintains order as network users request files and make changes to these files. final mode The report processing mode of a processing mode of a program that updates or creates data records. foundation A framework that must be accessible for execution of business services at runtime. This includes, but is not limited to, the Java Connector and JDBj. FTP server A server that responds to requests for files via file transfer protocol. HTTP Adapter A generic set of services that are used to do the basic HTTP operations, such as GET, POST, PUT, DELETE, TRACE, HEAD, and OPTIONS with the provided URL. instantiate A Java term meaning to create. When a class is instantiated, a new instance is created. integration developer The user of the system who develops, runs, and debugs the EnterpriseOne business services. The integration developer uses the EnterpriseOne business services to develop these components.

Glossary-8

jde.ini

integration point (IP) The business logic in previous implementations of EnterpriseOne that exposes a document level interface. This type of logic used to be called XBPs. In EnterpriseOne 8.11, IPs are implemented in Web Services Gateway powered by webMethods. integration server A server that facilitates interaction between diverse operating systems and applications across internal and external networked computer systems. integrity test A process used to supplement a companys internal balancing procedures by locating and reporting balancing problems and data inconsistencies. interface table See Z table. internal method or value object Business service source files or parts of business service source files that are not part of the published interface. These could be private or protected methods. These could be value objects not used in published methods. interoperability model A method for third-party systems to connect to or access JD Edwards EnterpriseOne. in-your-face error In JD Edwards EnterpriseOne, a form-level property which, when enabled, causes the text of application errors to appear on the form. jargon An alternative data dictionary item description that JD Edwards EnterpriseOne appears based on the product code of the current object. Java application server A component-based server that resides in the middle-tier of a server-centric architecture. This server provides middleware services for security and state maintenance, along with data access and persistence. JDBNET A database driver that enables heterogeneous servers to access each other's data. JDEBASE Database Middleware A JD Edwards EnterpriseOne proprietary database middleware package that provides platform-independent APIs, along with client-to-server access. JDECallObject An API used by business functions to invoke other business functions. jde.ini A JD Edwards EnterpriseOne file (or member for iSeries) that provides the runtime settings required for JD Edwards EnterpriseOne initialization. Specific versions of the file or member must reside on every machine running JD Edwards EnterpriseOne. This includes workstations and servers.

Glossary-9

JDEIPC

JDEIPC Communications programming tools used by server code to regulate access to the same data in multiprocess environments, communicate and coordinate between processes, and create new processes. jde.log The main diagnostic log file of JD Edwards EnterpriseOne. This file is always located in the root directory on the primary drive and contains status and error messages from the startup and operation of JD Edwards EnterpriseOne. JDENET A JD Edwards EnterpriseOne proprietary communications middleware package. This package is a peer-to-peer, message-based, socket-based, multiprocess communications middleware solution. It handles client-to-server and server-to-server communications for all JD Edwards EnterpriseOne supported platforms. JDeveloper Project An artifact that JDeveloper uses to categorize and compile source files. JDeveloper Workspace An artifact that JDeveloper uses to organize project files. It contains one or more project files. JMS Queue A Java Messaging service queue used for point-to-point messaging. listener service A listener that listens for XML messages over HTTP. local repository A developers local development environment that is used to store business service artifacts. Location Workbench An application that, during the Installation Workbench process, copies all locations that are defined in the installation plan from the Location Master table in the Planner data source to the system data source. logic server A server in a distributed network that provides the business logic for an application program. In a typical configuration, pristine objects are replicated on to the logic server from the central server. The logic server, in conjunction with workstations, actually performs the processing required when JD Edwards EnterpriseOne software runs. MailMerge Workbench An application that merges Microsoft Word 6.0 (or higher) word-processing documents with JD Edwards EnterpriseOne records to automatically print business documents. You can use MailMerge Workbench to print documents, such as form letters about verification of employment.

Glossary-10

Object Librarian

Manual Commit transaction A database connection where all database operations delay writing to the database until a call to commit is made. master business function (MBF) An interactive master file that serves as a central location for adding, changing, and updating information in a database. Master business functions pass information between data entry forms and the appropriate tables. These master functions provide a common set of functions that contain all of the necessary default and editing rules for related programs. MBFs contain logic that ensures the integrity of adding, updating, and deleting information from databases. master table See published table. media storage object Files that use one of the following naming conventions that are not organized into table format: Gxxx, xxxGT, or GTxxx. message center A central location for sending and receiving all JD Edwards EnterpriseOne messages (system and user generated), regardless of the originating application or user. messaging adapter An interoperability model that enables third-party systems to connect to JD Edwards EnterpriseOne to exchange information through the use of messaging queues. messaging server A server that handles messages that are sent for use by other programs using a messaging API. Messaging servers typically employ a middleware program to perform their functions. Monitoring Application An EnterpriseOne tool provided for an administrator to get statistical information for various EnterpriseOne servers, reset statistics, and set notifications. named event rule (NER) Encapsulated, reusable business logic created using event rules, rather that C programming. NERs are also called business function event rules. NERs can be reused in multiple places by multiple programs. This modularity lends itself to streamlining, reusability of code, and less work. Object Configuration Manager (OCM) In JD Edwards EnterpriseOne, the object request broker and control center for the runtime environment. OCM keeps track of the runtime locations for business functions, data, and batch applications. When one of these objects is called, OCM directs access to it using defaults and overrides for a given environment and user. Object Librarian A repository of all versions, applications, and business functions reusable in building applications. Object Librarian provides check-out and check-incapabilities for developers, and it controls the creation, modification, and use of JD Edwards EnterpriseOne objects. Object Librarian supports multiple environments (such as

Glossary-11

Object Librarian merge

production and development) and enables objects to be easily moved from one environment to another. Object Librarian merge A process that blends any modifications to the Object Librarian in a previous release into the Object Librarian in a new release. Open Data Access (ODA) An interoperability model that enables you to use SQL statements to extract JD Edwards EnterpriseOne data for summarization and report generation. Output Stream Access (OSA) An interoperability model that enables you to set up an interface for JD Edwards EnterpriseOne to pass data to another software package, such as Microsoft Excel, for processing. package JD Edwards EnterpriseOne objects are installed to workstations in packages from the deployment server. A package can be compared to a bill of material or kit that indicates the necessary objects for that workstation and where on the deployment server the installation program can find them. It is point-in-time snapshot of the central objects on the deployment server. package build A software application that facilitates the deployment of software changes and new applications to existing users. Additionally, in JD Edwards EnterpriseOne, a package build can be a compiled version of the software. When you upgrade your version of the ERP software, for example, you are said to take a package build. Consider the following context: Also, do not transfer business functions into the production path code until you are ready to deploy, because a global build of business functions done during a package build will automatically include the new functions. The process of creating a package build is often referred to, as it is in this example, simply as a package build. package location The directory structure location for the package and its set of replicated objects. This is usually \\deployment server\release\path_code\package\package name. The subdirectories under this path are where the replicated objects for the package are placed. This is also referred to as where the package is built or stored. Package Workbench An application that, during the Installation Workbench process, transfers the package information tables from the Planner data source to the system-release number data source. It also updates the Package Plan detail record to reflect completion. Pathcode Directory The specific portion of the file system on the EnterpriseOne development client where EnterpriseOne development artifacts are stored. patterns General repeatable solutions to a commonly occurring problem in software design. For business service development, the focus is on the object relationships and interactions.

Glossary-12

published business service

For orchestrations, the focus is on the integration patterns (for example, synchronous and asynchronous request/response, publish, notify, and receive/reply). print server The interface between a printer and a network that enables network clients to connect to the printer and send their print jobs to it. A print server can be a computer, separate hardware device, or even hardware that resides inside of the printer itself. pristine environment A JD Edwards EnterpriseOne environment used to test unaltered objects with JD Edwards EnterpriseOne demonstration data or for training classes. You must have this environment so that you can compare pristine objects that you modify. processing option A data structure that enables users to supply parameters that regulate the running of a batch program or report. For example, you can use processing options to specify default values for certain fields, to determine how information appears or is printed, to specify date ranges, to supply runtime values that regulate program execution, and so on. production environment A JD Edwards EnterpriseOne environment in which users operate EnterpriseOne software. Production Published Business Services Web Service Published business services web service deployed to a production application server. program temporary fix (PTF) A representation of changes to JD Edwards EnterpriseOne software that your organization receives on magnetic tapes or disks. project In JD Edwards EnterpriseOne, a virtual container for objects being developed in Object Management Workbench. promotion path The designated path for advancing objects or projects in a workflow. The following is the normal promotion cycle (path): 11>21>26>28>38>01 In this path, 11 equals new project pending review, 21 equals programming, 26 equals QA test/review, 28 equals QA test/review complete, 38 equals in production, 01 equals complete. During the normal project promotion cycle, developers check objects out of and into the development path code and then promote them to the prototype path code. The objects are then moved to the productions path code before declaring them complete. proxy server A server that acts as a barrier between a workstation and the internet so that the enterprise can ensure security, administrative control, and caching service. published business service EnterpriseOne service level logic and interface. A classification of a published business service indicating the intention to be exposed to external (non-EnterpriseOne) systems.
Glossary-13

published business service identification information

published business service identification information Information about a published business service used to determine relevant authorization records. Published business services + method name, published business services, or *ALL. published business service web service Published business services components packaged as J2EE Web Service (namely, a J2EE EAR file that contains business service classes, business service foundation, configuration files, and web service artifacts). published table Also called a master table, this is the central copy to be replicated to other machines. Residing on the publisher machine, the F98DRPUB table identifies all of the published tables and their associated publishers in the enterprise. publisher The server that is responsible for the published table. The F98DRPUB table identifies all of the published tables and their associated publishers in the enterprise. QBE An abbreviation for query by example. In JD Edwards EnterpriseOne, the QBE line is the top line on a detail area that is used for filtering data. real-time event A message triggered from EnterpriseOne application logic that is intended for external systems to consume. refresh A function used to modify JD Edwards EnterpriseOne software, or subset of it, such as a table or business data, so that it functions at a new release or cumulative update level. replication server A server that is responsible for replicating central objects to client machines. rules Mandatory guidelines that are not enforced by tooling, but must be followed in order to accomplish the desired results and to meet specified standards. secure by default A security model that assumes that a user does not have permission to execute an object unless there is a specific record indicating such permissions. Secure Socket Layer (SSL) A security protocol that provides communication privacy. SSL enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. selection Found on JD Edwards EnterpriseOne menus, a selection represents functions that you can access from a menu. To make a selection, type the associated number in the Selection field and press Enter.

Glossary-14

super class

serialize The process of converting an object or data into a format for storage or transmission across a network connection link with the ability to reconstruct the original data or objects when needed. Server Workbench An application that, during the Installation Workbench process, copies the server configuration files from the Planner data source to the system-release number data source. The application also updates the Server Plan detail record to reflect completion. SOA Abbreviation for Service Oriented Architecture. softcoding A coding technique that enables an administrator to manipulate site-specific variables that affect the execution of a given process. source repository A repository for HTTP adapter and listener service development environment artifacts. Specification merge A merge that comprises three merges: Object Librarian merge, Versions List merge, and Central Objects merge. The merges blend customer modifications with data that accompanies a new release. specification A complete description of a JD Edwards EnterpriseOne object. Each object has its own specification, or name, which is used to build applications. Specification Table Merge Workbench An application that, during the Installation Workbench process, runs the batch applications that update the specification tables. SSL Certificate A special message signed by a certificate authority that contains the name of a user and that user's public key in such a way that anyone can "verify" that the message was signed by no one other than the certification authority and thereby develop trust in the user's public key. store-and-forward The mode of processing that enables users who are disconnected from a server to enter transactions and then later connect to the server to upload those transactions. subscriber table Table F98DRSUB, which is stored on the publisher server with the F98DRPUB table and identifies all of the subscriber machines for each published table. super class An inheritance concept of the Java language where a class is an instance of something, but is also more specific. Tree might be the super class of Oak and Elm, for example.

Glossary-15

table access management (TAM)

table access management (TAM) The JD Edwards EnterpriseOne component that handles the storage and retrieval of use-defined data. TAM stores information, such as data dictionary definitions; application and report specifications; event rules; table definitions; business function input parameters and library information; and data structure definitions for running applications, reports, and business functions. Table Conversion Workbench An interoperability model that enables the exchange of information between JD Edwards EnterpriseOne and third-party systems using non-JD Edwards EnterpriseOne tables. table conversion An interoperability model that enables the exchange of information between JD Edwards EnterpriseOne and third-party systems using non-JD Edwards EnterpriseOne tables. table event rules Logic that is attached to database triggers that runs whenever the action specified by the trigger occurs against the table. Although JD Edwards EnterpriseOne enables event rules to be attached to application events, this functionality is application specific. Table event rules provide embedded logic at the table level. terminal server A server that enables terminals, microcomputers, and other devices to connect to a network or host computer or to devices attached to that particular computer. transaction processing (TP) monitor A monitor that controls data transfer between local and remote terminals and the applications that originated them. TP monitors also protect data integrity in the distributed environment and may include programs that validate data and format terminal screens. transaction processing method A method related to the management of a manual commit transaction boundary (for example, start, commit, rollback, and cancel). transaction set An electronic business transaction (electronic data interchange standard document) made up of segments. trigger One of several events specific to data dictionary items. You can attach logic to a data dictionary item that the system processes automatically when the event occurs. triggering event A specific workflow event that requires special action or has defined consequences or resulting actions. user identification information User ID, role, or *public.

Glossary-16

web service softcoding template

User Overrides merge Adds new user override records into a customers user override table. value object A specific type of source file that holds input or output data, much like a data structure passes data. Value objects can be exposed (used in a published business service) or internal, and input or output. They are comprised of simple and complex elements and accessories to those elements. versioning a published business service Adding additional functionality/interfaces to the published business services without modifying the existing functionality/interfaces. Versions List merge The Versions List merge preserves any non-XJDE and non-ZJDE version specifications for objects that are valid in the new release, as well as their processing options data. visual assist Forms that can be invoked from a control via a trigger to assist the user in determining what data belongs in the control. vocabulary override An alternate description for a data dictionary item that appears on a specific JD Edwards EnterpriseOne form or report. web application server A web server that enables web applications to exchange data with the back-end systems and databases used in eBusiness transactions. web server A server that sends information as requested by a browser, using the TCP/IP set of protocols. A web server can do more than just coordination of requests from browsers; it can do anything a normal server can do, such as house applications or data. Any computer can be turned into a web server by installing server software and connecting the machine to the internet. Web Service Description Language (WSDL) An XML format for describing network services. Web Service Inspection Language (WSIL) An XML format for assisting in the inspection of a site for available services and a set of rules for how inspection-related information should be made. web service softcoding record An XML document that contains values that are used to configure a web service proxy. This document identifies the endpoint and conditionally includes security information. web service softcoding template An XML document that provides the structure for a soft coded record.

Glossary-17

Where clause

Where clause The portion of a database operation that specifies which records the database operation will affect. Windows terminal server A multiuser server that enables terminals and minimally configured computers to display Windows applications even if they are not capable of running Windows software themselves. All client processing is performed centrally at the Windows terminal server and only display, keystroke, and mouse commands are transmitted over the network to the client terminal device. wizard A type of JDeveloper extension used to walk the user through a series of steps. workbench A program that enables users to access a group of related programs from a single entry point. Typically, the programs that you access from a workbench are used to complete a large business process. For example, you use the JD Edwards EnterpriseOne Payroll Cycle Workbench (P07210) to access all of the programs that the system uses to process payroll, print payments, create payroll reports, create journal entries, and update payroll history. Examples of JD Edwards EnterpriseOne workbenches include Service Management Workbench (P90CD020), Line Scheduling Workbench (P3153), Planning Workbench (P13700), Auditor's Workbench (P09E115), and Payroll Cycle Workbench. workflow The automation of a business process, in whole or in part, during which documents, information, or tasks are passed from one participant to another for action, according to a set of procedural rules. workgroup server A server that usually contains subsets of data replicated from a master network server. A workgroup server does not perform application or batch processing. XAPI events A service that uses system calls to capture JD Edwards EnterpriseOne transactions as they occur and then calls third-party software, end users, and other JD Edwards EnterpriseOne systems that have requested notification when the specified transactions occur to return a response. XML CallObject An interoperability capability that enables you to call business functions. XML Dispatch An interoperability capability that provides a single point of entry for all XML documents coming into JD Edwards EnterpriseOne for responses. XML List An interoperability capability that enables you to request and receive JD Edwards EnterpriseOne database information in chunks.

Glossary-18

Z transaction

XML Service An interoperability capability that enables you to request events from one JD Edwards EnterpriseOne system and receive a response from another JD Edwards EnterpriseOne system. XML Transaction An interoperability capability that enables you to use a predefined transaction type to send information to or request information from JD Edwards EnterpriseOne. XML transaction uses interface table functionality. XML Transaction Service (XTS) Transforms an XML document that is not in the JD Edwards EnterpriseOne format into an XML document that can be processed by JD Edwards EnterpriseOne. XTS then transforms the response back to the request originator XML format. Z event A service that uses interface table functionality to capture JD Edwards EnterpriseOne transactions and provide notification to third-party software, end users, and other JD Edwards EnterpriseOne systems that have requested to be notified when certain transactions occur. Z table A working table where non-JD Edwards EnterpriseOne information can be stored and then processed into JD Edwards EnterpriseOne. Z tables also can be used to retrieve JD Edwards EnterpriseOne data. Z tables are also known as interface tables. Z transaction Third-party data that is properly formatted in interface tables for updating to the JD Edwards EnterpriseOne database.

Glossary-19

Z transaction

Glossary-20

Index
A
action security adding, 7-10 removing, 7-11 reviewing, 7-10 setting up, 7-9 Add Data Source form, 5-8 Add Roles to User form, 3-15 Add Users to Roles form, 3-15 Address Book Data Permissions program (P01138), 8-2 Address Book data security creating permission list definitions, 8-3 creating permission list relationships, 8-4 setting up permission list definitions, 8-3 setting up permission list relationships, 8-4 Address Book Master table (F0101), 3-7 Administration Password Revisions form, 5-3, 5-6 Anonymous User Access Table (F00926), 3-2 application failure recovery granting user access, 10-2 setting up, 10-1 application security adding, 7-7 adding exclusive application security, 7-27 managing, 7-6 removing, 7-9 removing exclusive application security, 7-28 reviewing, 7-7 understanding, 7-6 understanding exclusive application security, 7-27 authenticate tokens properties ofsingle sign-on, 12-1 understanding, 12-1 authentication mode, enabling for LDAP, 11-18 auxiliary security servers, 5-13 setting up transaction security, 9-6 setting up UDC sharing, 9-2 understanding, 9-1

C
cached security information, 2-4 clearing cache web client, 2-4 web client, using Server Manager, 2-4 workstation client, 2-4 Collaborative Portal EnterpriseOne Menu, configuring for single sign-onsingle sign-on, 13-9 column security deleting, 7-17 on a form, 7-16 on a table, 7-15 on an application, 7-16 on an application version, 7-16 options, 7-15 setting up, 7-16 understanding, 7-14 cookies web runtime cookies, B-1 Copy User Records form, 5-3 Copy User Roles form, 3-15 CRM portlets, configuring for single sign-on, 13-10 Cross Reference program (P980011), 7-12 CSS portlet, configuring for single sign-on, 13-10

D
Data Browser security adding, 7-46 granting permissions to search business views, 7-46 granting permissions to search tables, 7-46 removing, 7-47 understanding, 7-46 Data Browser Security Revisions form, 7-46 data privacy see Address Book data security data selection security adding, 7-20 reviewing current settings, 7-20

B
batch processes creating profiles, 3-3 creating user profiles with, 3-9 Business Preferences form, 3-6 business unit security

Index-1

understanding, 7-17 Data Source Revisions form, 5-8 data sources managing for user security, 5-8 revising for user security, 5-9

I
image securitypush button, link, and image security, 7-31 inclusive row security activating, 7-4 understanding, 7-2

E
Enable/Disable Role Chooser form, 3-15 encryption, of passwords, 4-2 enterprise server mappings, mapping from LDAP to EnterpriseOne, 11-16 enterprise servers changing the jde.ini file for security, 5-11 ENTERPRISE TIMEZONE ADJUSTMENT setting, configuring for single sign-on, 13-11 EnterpriseOne and Crystal Enterprise single sign-on adding Crystal Enterprise task to EnterpriseOne, 17-2 Crystal Enterprise web server definition, 17-3 EnterpriseOne default domain for CMC, 17-3 EnterpriseOne Links portlet, configuring for single sign-on, 13-10 ESS portlet, configuring for single sign-on, 13-10 exclusive application security adding, 7-27 removing, 7-28 understanding, 7-2 exit security adding, 7-26 removing, 7-27 setting up, 7-25 external calls security adding, 7-28 removing, 7-29 understanding, 7-28

J
jde.ini file changing for user security, 5-10 changing the timeout value, 5-11 changing the workstation file for security, 5-10 configuring settings for auxiliary security servers, 5-11 enabling and disabling unified logon, 5-16 enabling LDAP authentication mode, 11-18 enterprise server settings, 5-11 setting auxiliary security servers in the server jde.ini, 5-13 settings for single sign-on configuring the ENTERPRISEONE TIMEZONE ADJUSTMENT, 13-11 modifying settings for a pre-EnterpriseOne 8.11 release, 13-6 sample node settings, 13-6 Time Zone Setting Adjustment, 14-9 JDENET with SSL, 18-1 JSR168 portlet, configuring for single sign-on, 13-9

L
Language Role Description Revisions form, 3-15 LDAP application changes in LDAP-enabled EnterpriseOne EnterpriseOne Security, 11-7 Role Relationships, 11-7 Schedule Jobs, 11-8 User Password, 11-6 User Profile Revisions, 11-7 authentication mode, 11-18 authentication over SSL for Windows and UNIX, 11-23 creating an EnterpriseOne LDAP configuration for OID, A-1, A-2 understanding, 11-1 default role relationship settings, 11-20 default user security settings, 11-20 diagram of authentication process, 11-3 diagram of LDAP server data search hierarchy, 11-11 diagram of user data synchronization, 11-5 enterprise server mappings, 11-16 enterprise server mappings for OID, A-3 LDAP and EnterpriseOne relationships, 11-2 LDAP default user profile settings, 11-18 LDAP server settings, 11-14 user profile bulk synchronization, 11-21 using LDAP over SSLSSL, 11-23

F
F00092 table, 3-2 F00921 table, 3-2 F00922 table, 3-2 F00925 table, 3-2 F00926 table, 3-2 F0093 table, 3-2 F0094 table, 3-2 F00950 table, 2-4, 7-2 F0101 table, 3-7 F01138 table, 8-3 F986180 table, 13-2 F986181 table, 13-2 F986182 table, 13-2 F98OWSEC table, 4-2

H
Hosted EnterpriseOne Portlet, configuring for single sign-on, 13-10

Index-2

using with single sign-on, 13-12 LDAP Bulk Synchronization report (R9200040), 11-21 LDAP Server Configuration Workbench program (P95928), 11-2, A-2 Library List Control table (F0093), 3-2 Library List Master File table (F0094), 3-2 Library User table (F00092), 3-2 link securitypush button, link, and image security, 7-31

M
Maintain Business Unit Transaction Security batch application (R95301), 9-6 Maintain Permission List Relationships form, 8-4 media object security adding, 7-38 removing, 7-39 reviewing, 7-35, 7-38 understanding, 7-37 miscellaneous security managing, 7-30 understanding, 7-30 mod_osso, 14-2, 14-6, 14-8

processing option security adding, 7-20 removing, 7-22 reviewing current settings, 7-20 understanding, 7-17 profiles user and roleuserprofilesroles, 3-1 push button, link, and image security adding, 7-33, 7-35 removing, 7-34, 7-36 subforms diagrams of security on subforms, 7-32 understanding, 7-31

R
read/write reports security setting up, 7-30 understanding, 7-30 Remove Data Source form, 5-8 Role Chooser enabling, 3-21 understanding, 3-12 Role Relationships program (P95921), changes to P95921 when LDAP is enabled, 11-7 Role Revisions form, 3-14 role security copying, 7-53 copying a single security record, 7-53 deleting security on the Work with User/Role form, 7-54 roles adding a language translation, 3-24 adding an environment, 3-20 adding environments to, 3-10 adding roles to a user, 3-23 adding users to a role, 3-23 assigning business preferences, 3-20 copying security, 7-53 copying user roles, 3-24 creating, 3-15 creating role-to-role relationships, 3-12, 3-21 defining, 3-10 delegating, 3-22 enabling the Role Chooser, 3-12, 3-21 migrating R8995921 batch process, 3-16 R89959211 batch process, 3-16 sequencing, 3-17 understanding, 3-16 modifying, 3-15 removing data sources, 5-9 sequencing, 3-19 setting up, 3-10 workstation initialization file parameters for roles, 3-14 row security removing, 7-14 setting up, 7-12, 7-13 Row Security Revisions form, 7-14

N
Node Configuration Table (F986180), 13-2 Node Lifetime Configuration Table (F986182), nodes adding a node configuration, 13-3 for single sign-onsingle sign-on, 12-2 revising a node configuration, 13-4 13-2

O
Oracle Internet Directory, 14-3, 14-10, A-1

P
P0092 program, 11-7 setting processing options, 3-6 usage, 3-1, 3-2, 3-4 P00950 program, 6-1, 7-2 P01138 program, 8-2 P91300 program, 11-8 P95130 program, 9-2 P95921 program, 11-7 P95922 program, 8-2 P95928 program, 11-2, A-2 P980011 program, 7-12 P98OWSEC program setting processing options, 4-10 usage, 5-1 passwords changing sign-in (administrators only), 5-6 encryption of, 4-2 Permission List Relationships program (P95922), 8-2 permission listsAddress Book data security, 8-3 portlets, configuring for single sign-on, 13-9

Index-3

S
Schedule Jobs program (P91300), changes to P91300 when LDAP is enabled, 11-8 Secure Socket Layer (SSL)SSL, 11-23 security configuring jde.ini settings for auxiliary security servers, 5-11 copying a single security record, 7-53 copying for a user or role, 7-53 for users, roles, and *PUBLIC, 2-3 how JD Edwards EnterpriseOne checks security, 2-3 modifying enterprise server jde.ini security settingsjde.ini file, 5-11 object-level security, 2-1 reviewing security history, 5-7 securing a user or role from all EnterpriseOne objects, 7-8 Security Workbench records reports, 7-55 synchronizing the security settings, 5-10 typessecurity types, 2-2 understanding cached security information, 2-4 Security Analyzer by Data Source Report (R98OWSECA) running the report, 5-15 understanding, 5-13 Security Analyzer by User or Group Report (R98OWSECB), 5-15 Security Audit Report by Object (R009501), 7-55 Security Audit Report by Role (R009502, XJDE0002), 7-55 Security Audit Report by User (R009502, XJDE0001), 7-55 Security Detail Revisions form, 5-3 Security overrides adding, 7-6 Security Revisions form, 5-3 security server communication error, 5-11 security tables accessing, 4-2 F98OWSEC table, 4-2 Security Workbench table (F00950), 2-4, 7-2 security types actionaction security, 7-9 applicationapplicationsecurity, 7-6 columncolumn security, 7-14 Data BrowserDataBrowser security, 7-46 data selectiondata selectionsecurity, 7-17 exclusive applicationapplication security, 7-27 exitexit security, 7-25 external callsexternalcalls security, 7-28 media objectmedia object security, 7-37 miscellaneous securitymiscellaneous security, 7-30 object level security types, 2-2 processing option processingoption security, 7-17 push button, link, and imagepush button, link,and image security, 7-31 tabtab security, 7-23 useruser security, 5-1 Index-4

Security Workbench security records reports, 7-55 Security Workbench program (P00950), 6-1, 7-2 server jde.ini, setting auxiliary security servers, 5-13 services for unified logon, 5-17 removing for unified logon, 5-17 ShowUnifiedLogon setting, 4-8 Sign On Security - Required/Not Required form, 5-3 sign-in passwords, changing, 5-6 sign-in security for web users, 4-8 illustration of process flow, 4-5 password encryption, 4-2 requiring, 5-6 revising, 5-5 setting up, 4-2 understanding, 4-1 understanding unified logonunified logon, 4-2 single sign-on adding a trusted node configuration, 13-5 adding token lifetime configuration records, 13-4 authenticate token, 12-3 between Collaborative Portal and an EnterpriseOne application, 12-6 between Enterprise Portal and an EnterpriseOne application, 12-5 between Enterprise Portal and EnterpriseOne, 13-10 between EnterpriseOne and Crystal Enterprise single sign-on, 17-1 between EnterpriseOne and Oracle, 14-1 diagram of, 14-4 jas.ini settings, 14-5 changing the status of a node, 13-4 configuring for a pre-EnterpriseOne 8.11 release, 13-6 configuring for Collaborative Portal, 13-8 configuring nodes, 13-1 configuring TokenGen.ini settings for portlets, 13-9 configuring without a security server, 13-7 deleting a node configuration, 13-4 deleting token lifetime configuration records, 13-5 diagram of single sign-on table relationships, 13-2 diagram of token validation, 12-3 for portlets, 13-9 how nodes work in single sign-on, 12-2 synchronizing user mappings between LDAP and EnterpriseOne while using LDAP authentication, 13-12 understanding configurations, 13-2 understandingauthenticatetokens, 12-1 using with LDAP, 13-12 viewing user ID mapping when using LDAP, 13-13 Solution Explorer security settings for, 6-1

understanding, 6-1 SSL for JDENET, 18-1 using LDAP over SSL, 11-23 using LDAP over SSL for iSeries, 11-23 using LDAP over SSL for Windows and UNIX, 11-23 SSS portlet, configuring for single sign-on, 13-10 Synchronize the LDAP and EnterpriseOne Database (R9200040), 13-12

T
tab security adding, 7-24 removing, 7-25 setting up, 7-23 token lifetime configuration records adding, 13-4 deleting, 13-5 TokenGen.ini, configuring settings for single sign-on for portlets, 13-9 transaction security revising, 9-8 setting up, 9-6 understanding, 9-5 Trusted Node Configuration Table (F986181), 13-2 trusted nodes adding, 13-5

assigning environments to, 3-3 copying, 3-8 creating using a batch process, 3-3, 3-9 default settings for an LDAP configurationLDAP, 11-18 removing data sources from, 5-9 understanding, 3-1, 3-3 User Profiles Revision form, 3-7 user rolesroles, 3-10 user security changing the jde.ini file, 5-10 copying, 5-5, 7-53 copying a single security record, 7-53 creating, 5-3 deleting security on the Work with User/Role form, 7-54 managing data sources, 5-8 modifying the workstation jde.ini file, 5-10 removing data sources, 5-9 revising, 5-2, 5-6 revising data sources, 5-9 understanding, 5-1 User Security program (P98OWSEC) setting processing options, 4-10 usage, 4-1 users adding an individual user, 3-4 adding multiple users, 3-5

U
UDC groups, revising for UDC sharing, 9-4 UDC sharing revising UDC groups, 9-4 setting up, 9-2 understanding, 9-1 UDC Sharing application (P95130), 9-2 UDCs for the Crystal Enterprise Task Type, 17-2 unified logon enabling and disabling in the jde.ini file, 5-16 removing a service, 5-17 setting up a service, 5-17 ShowUnifiedLogon setting, 4-8 understanding, 4-2, 5-16 usage, 11-7 User Access Definition table (F00925), 3-2 User Default Revisions, changes to application when LDAP is enabled, 11-6 User Display Preferences table (F00921), 3-2 User Display Preferences Tag table (F00922), 3-2 User Environment Revisions form, 3-6, 3-14 User Profile Revisions form, 3-6, 3-14 User Profile Revisions program (P0092), 3-1, 3-4 changes to P0092 when LDAP is enabled, 11-7 setting processing options, 3-6 tables used by, 3-2 user profiles assigning business preferences to, 3-8

W
web user sign-in security configuring jas.ini file settings, 4-9 diagram of process flow, 4-9 understanding, 4-8 Work With Delegation Relationships form, 3-15 Work With Distribution Lists form, 3-12, 3-15 Work With Language Role Descriptions form, 3-15 Work With Permission List Relationships form, 8-4 Work With Role Relationships form, 3-14 Work With Role Sequences form, 3-14 Work With Security History form, 5-7 Work With User Security form, 5-3, 5-7, 5-8 Work with User/Role form, 7-54 Work With User/Role Profiles form, 3-6, 3-14 Work With User/Role Security form, 7-33, 7-35 workflow status monitoring security setting up, 7-30 understanding, 7-30

Index-5

Index-6

You might also like