One of the most overlooked best practices when managing JDE
E1 is user security. When you set up a new user inside E1 you have to assign
them a password. Pretty simple, right? Unfortunately that’s not all there is to
security inside E1. As shipped, JDE E1 is essentially wide open for all users
and companies must develop a plan to handle all aspects of E1 security. Once
the plan is in place it requires regular maintenance and adjustment as users come
and go or company needs change.
Any good CNC knows that in a vanilla E1 installation, the
JDE user and all the schema accounts (PRODDTA, SY900, CRPCTL, etc.) all have
very well known default passwords on the database. Many times during an
implementation those passwords will stay as shipped to make the process easier
and the company may have the best intentions to address that problem after
go-live, but that doesn’t always happen. If you don’t change
these passwords, anyone with basic knowledge of E1 could access any data on
your system.
A little-known tidbit about JDE E1 database security – in
versions 9.1 and older, all database users have all permissions to all tables.
This means if you give someone a login directly to the database they will be
able to view, change, or delete any record or any table regardless of what
permissions you give that user. The only way to fix that is by running the Oracle
Public Shutdown procedure.
There’s also operating system security. The physical files
that reside on your E1 servers are fully accessible by default. Some of them
need to be available, but many do not need to be wide-open. The most important
files to protect are your INIs since they contain passwords for your key system
users. Prior to tools release 9.1.4.x you had to rely on OS level security to
protect those files, but in TR 9.1.4.x and above the passwords
are encrypted.
Inside JDE you can control the E1 user passwords as well as
other details, such
as password complexity. Most CNCs already know about that, but one
overlooked part of E1 security is within OMW. If a user has access to OMW they
will be able to assign themselves to any project as any type of user –
developer, manager, PVC administrator – the sky’s the limit! There’s no
built-in security management application for OMW users, so you have to use row
or application security to keep people from assigning themselves to
whatever they want.
There are many
other questions related to JDE E1 security that you might have and it’s
likely that the answers you get will create even more questions. JDE E1
security is a very complex topic and if you require unique or specialized restrictions
you’re going to need an expert.
No comments:
Post a Comment