Access Management in JD Edwards (JDE) Security

What does Access Management mean?

Access management is the process of identifying, tracking, controlling and managing authorized or specified users' access to a system, application or any IT instance.

It is a broad concept that encompasses all policies, processes, methodologies and tools to maintain access privileges within an IT environment. It is primarily an information security, IT and data governance process used in granting access to valid users and prohibiting invalid users.

JDE EnterpriseOne and Access Management

Access management in JD Edwards is not only critical for complying with an established access management program, it is also good business practice. There is a great deal of confidential data and 'at risk' processing in your system, and it must be protected. Automating the process involved in access management ensures compliance and reduces risk. With the right user access management processes in place, you can decrease costs and increase efficiency when it comes to hiring, onboarding, and ongoing security.

Role based Access Control

Has it been a while since you implemented JD Edwards (JDE) at your company? Since implementation, much has likely changed, but the initial security setup has remained. It is time to start rethinking it, or simply to ensure that the original design has not deteriorated in implementation over time! Assuring that your Access Management process is addressing your organizational risks is imperative.

Security in JDE is all about ensuring access is only permitted to appropriate and authorised users.

There are many types of security and many ways of securing access, but if you’re undertaking a security project, be it a rewrite or ongoing maintenance, you are going to want to take the most effective route, for your own sake and to ensure best practice for your organisation.

Some reasons to revamp JDE security include:

  • Roles are no longer aligned to current business processes
  • Duties are not clearly defined and it is becoming harder to justify open access in JDE
  • People wear too many hats at the same time and need access to more than what their job entails
  • There are no defined controls for assigning and delegating security
  • User management takes significant effort

Role-based access control allows you to assign users to a role, and to assign privileges based on the assigned role. It reduces the opportunity for error and saves time.

What is Role based Access Control and how can it help?

  • People move in and out of business and change jobs within them, but the basic business processes remain constant.
  • Process based roles work on individual business processes e.g. journal entry – security is assigned (to a role) so that a business process can function in isolation. These Process based roles are then assigned to users who need to perform that business process.
  • Process roles function best when employing a ‘Closed’ security model
  • Base your security on allocating these process based roles to users, rather than setting up security user by user. Simply add or remove roles as a user’s job functionality changes.
  • The key is to keep it simple. Define your processes in order to create your process based roles – e.g. ‘Voucher Entry, Payment Entry and Vendor Maintenance’.
  • Avoid creating security at the user level – it will greatly increase the overall number of your security records and will make security management much more complicated and time-consuming. Can you imagine having to update all user profiles affected every time there is a small change?
  • You can then apply company and business unit access security in a separate role, or at the user level if needed, to ensure that security is in place within geographical or business boundaries.

Within the ALLOut software there are a number of features that can help you control the changes to your system.

Since the role assignment is the most powerful method of changing a user’s access, some of these controls are features of the ALLOut ‘Work with Role Relationships’ program PAOS0002.

One control option is to define and prevent invalid role combinations, both when assigning a role to a user and when changing the composition of ‘Super-Roles’ by adding a ‘Child-Role’ to the parent. The conflicts are normally identified to avoid violating critical Segregation of Duties (SoD) rules but can also be created to support other business needs. A second option is to identify controlled roles, where any assignment of one of these to a user or ‘Super-Role’ must be approved. Often this is used to control access to an at-risk role such as CNC Administrator or Payroll Processing.

You have 2 options available when determining how to handle these scenarios:

  • Hard Stop - Option 1 is to produce an error condition that does not allow the role assignment to take place.
  • Warning - Option 2 produces a warning, letting whoever is assigning roles know that this action will result in a SoD violation or assignment of a controlled role, but letting them continue.
      o With this option, the requested role assignment will need to be reviewed by the appropriate staff and either approved or denied.
      o If allowed to continue, the reasons could be documented and controls put in place if desired.
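
An added example, not ALLOut's code or part of the original article, showing the two controls above (invalid role combinations and controlled roles) as one check in Python, with the Hard Stop and Warning outcomes. The role names, conflict pair, super-role hierarchy and function names are assumptions constructed for illustration.

```python
# Constructed sample data: these role names, the conflict pair and the
# super-role hierarchy are hypothetical, not taken from a JDE or ALLOut system.
SUPER_ROLES = {"AP_CLERK": {"VOUCHER_ENTRY", "PAYMENT_ENTRY"}}
INVALID_COMBINATIONS = {frozenset({"VENDOR_MAINT", "PAYMENT_ENTRY"})}
CONTROLLED_ROLES = {"CNC_ADMIN", "PAYROLL_PROC"}


def expand(role, _seen=None):
    """Return the role plus every child role reachable through super-roles."""
    seen = _seen if _seen is not None else set()
    if role in seen:  # guard against a cyclic parent/child definition
        return seen
    seen.add(role)
    for child in SUPER_ROLES.get(role, ()):
        expand(child, seen)
    return seen


def check_assignment(current_roles, new_role, mode="hard_stop"):
    """Evaluate adding new_role to a holder of current_roles.

    The holder is a user, or a super-role gaining a child role.
    Returns (decision, findings). decision is 'allow', 'deny' (hard stop)
    or 'pending_approval' (warning: continue, but route for review).
    """
    held = set()
    for r in current_roles:
        held |= expand(r)
    incoming = expand(new_role)
    findings = []
    for combo in INVALID_COMBINATIONS:
        # Report only conflicts that this assignment newly completes.
        if combo <= (held | incoming) and not combo <= held:
            findings.append(("invalid_combination", tuple(sorted(combo))))
    for r in sorted(incoming & CONTROLLED_ROLES):
        findings.append(("controlled_role", (r,)))
    if not findings:
        return "allow", findings
    return ("deny" if mode == "hard_stop" else "pending_approval"), findings
```

Expanding super-roles before comparing is what catches a conflict hidden inside a parent role: assigning AP_CLERK to a user who holds VENDOR_MAINT is flagged even though neither role name appears in the conflict pair directly.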

Summary

Replacing time-consuming and costly ad hoc processes with the automation made possible with role based access management eliminates (or at least drastically reduces) the potential for human error, thereby significantly decreasing your organization’s risk. As the gatekeeper, of sorts, to your system, user access management is a logical area to focus on to begin your journey towards comprehensive and proactive approaches to security management. After all, preventing unauthorized access is half the battle.

To find out more about how ALLOut can help with your security project, email hazel.jackson@alloutsecurity.com for a no obligation discussion.