JDEdwards Security - A Primer

JDEdwards security can appear intimidating at first blush, but when the subtasks are looked at, it is not unmanageable. There are two parts to JDEdwards security: system and application.

I. AS/400 System Security aka Object Level Security

The SAR 2662948 is pretty much the definitive answer to this question.

A. All objects have one owner (e.g. JDEOWNER)
B. This profile is disabled.
C. All objects have *PUBLIC *NONE for authority.
D. A group profile for all users (e.g. JDEUSER) is created (optional)

At this point, only QSECOFR and users with *ALLOBJ can do anything.

E. Enabling Interactive
   1. Wrappers are written for all initial programs (i.e. J98INITA) *or* the initial programs can be modified.
   2. The wrapper will swap profiles with the owner (JDEOWNER) profile. (As an alternative, adopted authority can be used - there are some audit advantages to this approach.)
   3. All initial programs are set to *PUBLIC *NONE (this should have been done in I.C.)
   4. User authority for the initial programs is granted to individual users *or* the group profile created above.

F. Enabling Batch (Routing Entry programs, oh my!)
   This is a little trickier.
   1. Create a batch subsystem for JDEdwards
   2. Create all necessary JOBQs, *PUBLIC *NONE, JDEUSER *USE
   3. Create a routing entry program (swapping profile and calling QCMD). If adopting owner authority, a one line program consisting solely of a call to QCMD can be created.
   4. Modify routing entries for new subsystem to point to profile swapper/command processor
   5. Modify all job descriptions, submits, etc.

And that is all there is to it. The only way JDEdwards data can be accessed is through the application. ftp, rmtcmd, etc., are no longer a threat because no user has adequate authority.

II. Application Security

A. Remove fast path and menu travel for all but super users
B. Verify all user profiles are LMTCPB(*YES)
C. Custom Menus
   Only give users access to the functions they need
D. Action Code Security
   Manage for all user/function combinations that need to be Inquire only
E. Function Key Security
   Disable all function keys that exit to a program not reachable from the initial menu. :)

This is not nearly as hard as it sounds; I've done it several times.
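
The end state of section I (one owner, *PUBLIC *NONE everywhere, user authority only on the initial programs and job queues) can be checked mechanically. The following is an added example, not part of the original primer or of JDEdwards: the row layout, library names and most object names are constructed sample data, and treating any private authority outside the entry points as a finding is an interpretation of steps I.C through I.F.

```python
# Added example: audit an authority listing against the model in section I.
from collections import defaultdict

OWNER = "JDEOWNER"           # single owning profile (I.A)
INITIAL_PGMS = {"J98INITA"}  # initial programs / wrappers users may call (I.E)

# Constructed rows: (library, object, type, owner, user, authority).
# The tuple layout is an assumption, not an IBM i output format.
SAMPLE = [
    ("JDFDATA", "F0101",    "*FILE", "JDEOWNER", "*PUBLIC", "*NONE"),
    ("JDFDATA", "F0911",    "*FILE", "JDEOWNER", "*PUBLIC", "*CHANGE"),
    ("JDFOBJ",  "J98INITA", "*PGM",  "JDEOWNER", "*PUBLIC", "*NONE"),
    ("JDFOBJ",  "J98INITA", "*PGM",  "JDEOWNER", "JDEUSER", "*USE"),
    ("JDFOBJ",  "P01051",   "*PGM",  "QPGMR",    "*PUBLIC", "*NONE"),
    ("JDFOBJ",  "P01051",   "*PGM",  "QPGMR",    "SMITHJ",  "*USE"),
    ("QGPL",    "JDEJOBQ",  "*JOBQ", "JDEOWNER", "*PUBLIC", "*NONE"),
    ("QGPL",    "JDEJOBQ",  "*JOBQ", "JDEOWNER", "JDEUSER", "*USE"),
]

def audit(rows, owner=OWNER, entry_points=INITIAL_PGMS):
    """Return (object, rule, detail) for every deviation from section I."""
    objs = defaultdict(lambda: {"owner": None, "auth": {}})
    for lib, name, typ, own, user, aut in rows:
        objs[(lib, name, typ)]["owner"] = own
        objs[(lib, name, typ)]["auth"][user] = aut
    findings = []
    for (lib, name, typ), o in sorted(objs.items()):
        where = f"{lib}/{name} {typ}"
        if o["owner"] != owner:                        # I.A: one owner
            findings.append((where, "OWNER", o["owner"]))
        public = o["auth"].get("*PUBLIC", "(missing)")
        if public != "*NONE":                          # I.C: *PUBLIC *NONE
            findings.append((where, "PUBLIC", public))
        # I.E.4 and I.F.2: user or group authority belongs only on the
        # initial programs and the job queues.
        is_entry = name in entry_points or typ == "*JOBQ"
        for user, aut in sorted(o["auth"].items()):
            if user in ("*PUBLIC", o["owner"]) or aut == "*NONE":
                continue
            if not is_entry:
                findings.append((where, "PRIVATE", f"{user} {aut}"))
    return findings

if __name__ == "__main__":
    for where, rule, detail in audit(SAMPLE):
        print(f"{rule:8} {where:24} {detail}")
```
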
Watch this space for information on Role Based Security. Until then: