JDE Security Best Practices (Part II): Business Unit Security

In my last post, I discussed how Function-based Roles Best Practices in Oracle JD Edwards (JDE) help us better organize User Tasks. In this post, I’ll discuss the benefits of assigning User Roles according to Business Unit Security best practices.

JDE Security

JDE Business Unit Security has always been widely used in many different ways.  In some companies I’ve seen it connected to the company Address Book by using the Business Unit there to enforce access for the User.  Unfortunately, that limits you to one Business Unit–which is fine if the Business Unit is associated with a Company and that’s the lowest denominator for your organizational structure.  What do you do when your lowest denominator is Department?

Of course, you can assign Business Units to the User ID.  That’s one reliable way of way of accomplishing the requirement but certainly not Best Practices.  Best Practices dictate that, as much as humanly possible, you want to avoid assigning security to a User ID.  Assignments by Role should be the rule.

You can design your Business Unit Security to the Role level.  Let’s take a look at the organizational structure below:


As you can see, we have three User IDs that need access to two separate Departments: 10380 and 10385.  These three User IDs handle the budgeting to and reporting of costs to the two Departments.  If USER3 were to leave the organization, the Role is still intact and can be changed when the replacement of USER3 arrives.

If USER3 changes departments, just change their Role Relationships.  No need to go in and change the User Security.

(Hint: Use the Organizational Structure Inquiry/Revisions, P0050, to help you build your organizational structure diagram, get the way that accurately reflects your organization and then construct your Business Unit Security using that framework.)

This same methodology can be used for all types of Row Security.  We also used it to limit access to certain Object Accounts.  In the above example, USER2 and USER3 are at the executive level.  They need to see the information for all General Ledger Accounts within both Departments.  USER1 is at the administrative level and should be restricted from seeing Accounts that contain Salary and Wage information – this is particularly true in very small departments (three people) where a little math could divine the salaries of your co-workers, at least in total.

The Role, AL_EXCLS_W, has the following exclusions:

As you can see from a partial listing of the Chart of Accounts shown below, the only Account that USER1 with the Role AL_EXCLS_W has assigned to them is the S & W (Salaries and Wages) for Temporary Clerical workers.  They need this type of access to verify the charges on the incoming Invoices from the temp agencies.

With standard JDE, you can only go one level.  When using ALL Out Security, you can build hierarchical levels.

In my next post, I’ll be discussing the uses of Super Roles.

There’s more to explore at Smartbridge.com!

Sign up to be notified when we publish articles, news, videos and more!