Discover our industry leading expertise
Industry Insights
Working with UDOs in JD Edwards
Using E1 has never been easier than now with the new tools available with UDOs and UX1 - streamlining your interface with E1 information and applications.
What are the considerations and potential problems that can arise when using multiple roles in JDE EnterpriseOne solution? Automatically resolve them using the ‘Fix/Merge’ process and/or Super-Roles.
What are the considerations and potential problems that can arise when using multiple roles in Oracle’s JD Edwards (JDE) EnterpriseOne (E1) solution? What are the available solutions within native JDE and how can ALLOut's toolset highlight any multiple role issues and automatically resolve them using the ‘Fix/Merge’ process and/or Super-Roles (CombiRoles)?
The security hierarchy, or the order in which security records are applied, is known as the ‘Net Effect’. This ‘Net Effect’, or actual effective system accepted value, is fundamental to the workings of security in E1. Security can exist at the User, Group/Role and/or *PUBLIC level. When multiple security records exist, the system determines which security records to apply based on the logical hierarchy shown in the graphic below.
The logic applied when verifying security authority for an object is to check the user, then the group/role and then *PUBLIC – taking the first record that is found – if no records are found then authority to an object is given.
When a user has two (or more) roles that have different security authority (e.g. update/view) to the same object – E1 needs a way of determining which role takes priority – it uses the ‘Role Sequencer’ to do this.
When a role is created it is assigned a unique role sequence number (F00926) that determines its priority versus other roles – this is only applicable in a multiple roles configuration.
It is almost impossible to prove that users have access to what you think they do – they have been assigned a set of roles but without significant analysis determining which security records are effective is difficult.
A Role Sequencer ‘Conflict’ can be defined as when an individual user has two (or more) roles, each containing different security and/or Menu Filtering authorities to the same object (and data item when considering Row Security). Example When a user signs on (with Role Chooser *Disabled [*ALL is therefore implicit] or with *ALL Roles and Role Chooser *Enabled) the Role Sequencer will resolve any ‘Conflicts’ that may arise.
Role Sequencer Conflicts often go unaddressed as they are difficult to diagnose using the standard toolset, without proper testing.
Role Synchronization (Menus & Security)
ALLOut advocates synchronizing Menu Filtering (FineCut) and security for individual roles – this serves several purposes and when it is not implemented can cause issues with using those roles in a multiple roles framework.
It is difficult to know what (if any) multiple role issues exist or that Segregation of Duties Rules have been breached due to Role Sequencer assignments. ALLOut Software provides tools specifically designed to help find any ‘Sequencer Conflicts’ that may arise. A series of reports ( Role Sequencer Action Code Security Conflict report; Role Sequencer Row Security Conflict report & “No Wins” Role Sequencer Conflict report) help you to see what issues are evident on your system.
Super-Roles (Combination Roles)
A ‘Super-Role’ is an ALLOut construct that works on a parent-child basis – it allows multiple ‘Child’ roles (or subroles) to be attached to a ‘Parent’ role (Super-Role or Role List). Each Child-Role is associated with a Super-Role in the same way as a standard role-to-user relationship (F95921). Super-Roles facilitate the following:
Roles within Roles – ALLOut recommends using small process-based roles (sub-roles), which contain both Security and Menu Filtering. These can be combined so that users with access to each process will only see the required menu options and have the correct authorities to the objects that are called.
Multiple Role Sequencer Conflict Resolution – ‘Yes’ records are written (by the ALLOut Fix/Merge process) to a parent Super-Role when conflicting records exist for multiple roles, attached to the same user. This therefore allows users to continue to do their job where sequencer conflicts would stop them.
There are practical limits to the number of Child-Roles that should be assigned to a Super-Role – this is due to the maintenance and performance overheads involved.
From an assignment, troubleshooting and reporting standpoint, the number of sub-roles that are applied to a Super-Role should be limited to a manageable amount.
This can result in a one-to-one user-to-Super-Role relationship which defeats the purpose of using Super-Roles and is the same as using job-based roles.
ALLOut supports Super-Roles with up to 750 child-roles but testing should be carried out to ensure that there are no performance issues. Employing a process-based roles strategy minimizes security maintenance – once a process is tested it very rarely changes. Therefore security management becomes more about role assignment – requesting and then assigning a process (e.g. AP Voucher Entry) to a user is much easier than establishing which program(s) to apply to a user/role and then testing the implications of making these changes.
Using process-based roles & data roles in conjunction with ALLOut’s ‘Fix/Merge’ process has been proven to reduce the time spent managing security.
ALLOut has several tools available to help design and implement a complete process-based roles strategy from Task View creation (including Menu Filtering) or E1 Pages, through to security (including both program and data types) and preventative Segregation of Duties. ALLOut supports reporting over Super-Roles – this includes both Segregation of Duties Reporting, Security Access Reporting and Audit Access Reporting
ALLOut Super-Roles are the ideal way to convert from legacy Functions & Components
A healthy risk management and compliance strategy requires a best-fit approach to security and accountability in JD Edwards. The question is, how do you get there?
Register NowA healthy risk management and compliance strategy requires a best-fit approach to security and accountability in JD Edwards. The question is, how do you get there?
Register NowSave time, enhance risk visibility and be audit-ready with ALLOut Security for JD Edwards.
We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy. You can always revoke your consent by clicking on the icon at the bottom left of the screen.
When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. Control your personal Cookie Services here.
Cookie name | Default expiration time | Description |
---|---|---|
_ga | 2 years | Used to distinguish users. |
_gid | 24 hours | Used to distinguish users. |
_ga_<container-id> | 2 years | Used to persist session state. |
_gac_gb_<container-id> | 90 days | Contains campaign related information. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. Learn more. |
visitor_id<accountid> | The visitor cookie includes a unique visitor ID and the unique identifier for your account. For example, the cookie name visitor_id12345 stores the visitor ID 1010101010. The account identifier, 12345, makes sure that the visitor is tracked on the correct Pardot account. The visitor value is the visitor_id in your Pardot account. This cookie is set for visitors by the Pardot tracking code. |
pi_opt_in<accountid> | If Tracking Opt-in preferences is enabled, the pi_opt_in cookie is set with a true or false value when the visitor opts in or out of tracking. If a visitor opts in, the value is set to true , and the visitor is cookied and tracked. If the visitor opts out or ignores the opt-in banner, the opt-in cookie value is set to false . The visitor cookie is disabled, and the visitor is not tracked. |
visitor_id<accountid>-hash | The visitor hash cookie contains the account ID and stores a unique hash. For example, the cookie name visitor_id12345-hash stores the hash “855c3697d9979e78ac404c4ba2c66533”, and the account ID is 12345. This cookie is a security measure to make sure that a malicious user can’t fake a visitor from Pardot and access corresponding prospect information. |
lpv<accountid> | This LPV cookie is set to keep Pardot from tracking multiple page views on a single asset over a 30-minute session. For example, if a visitor reloads a landing page several times over a 30-minute period, this cookie keeps each reload from being tracked as a page view. |
pardot | A session cookie named pardot is set in your browser while you’re logged in to Pardot as a user or when a visitor accesses a form, landing page, or page with Pardot tracking code. The cookie denotes an active session and isn’t used for tracking. |
Cookie name | Default expiration time | Description |
---|---|---|
_ga | 2 years | Used to distinguish users. |
_gid | 24 hours | Used to distinguish users. |
_ga_<container-id> | 2 years | Used to persist session state. |
_gac_gb_<container-id> | 90 days | Contains campaign related information. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. Learn more. |
visitor_id<accountid> | The visitor cookie includes a unique visitor ID and the unique identifier for your account. For example, the cookie name visitor_id12345 stores the visitor ID 1010101010. The account identifier, 12345, makes sure that the visitor is tracked on the correct Pardot account. The visitor value is the visitor_id in your Pardot account. This cookie is set for visitors by the Pardot tracking code. |
pi_opt_in<accountid> | If Tracking Opt-in preferences is enabled, the pi_opt_in cookie is set with a true or false value when the visitor opts in or out of tracking. If a visitor opts in, the value is set to true , and the visitor is cookied and tracked. If the visitor opts out or ignores the opt-in banner, the opt-in cookie value is set to false . The visitor cookie is disabled, and the visitor is not tracked. |
visitor_id<accountid>-hash | The visitor hash cookie contains the account ID and stores a unique hash. For example, the cookie name visitor_id12345-hash stores the hash “855c3697d9979e78ac404c4ba2c66533”, and the account ID is 12345. This cookie is a security measure to make sure that a malicious user can’t fake a visitor from Pardot and access corresponding prospect information. |
lpv<accountid> | This LPV cookie is set to keep Pardot from tracking multiple page views on a single asset over a 30-minute session. For example, if a visitor reloads a landing page several times over a 30-minute period, this cookie keeps each reload from being tracked as a page view. |
pardot | A session cookie named pardot is set in your browser while you’re logged in to Pardot as a user or when a visitor accesses a form, landing page, or page with Pardot tracking code. The cookie denotes an active session and isn’t used for tracking. |