JDE Security Best Practices (Part I): Function-based Roles

This is the first part of a three-part blog series on Security best practices. The recommendations focus on how to accomplish those best practices specifically in Oracle JD Edwards EnterpriseOne (E1). The three-part series will address Function-based Roles, Business Unit Security, and Super Roles.

JD Edwards E1 Security has advanced to the point that we need to revisit our security settings. In earlier releases of Oracle JD Edwards (JDE), we were limited in our options for setting up Roles and Groups. I don’t think any of us likes to redesign security – I know I don’t. However, now that a User ID can have up to 30 Roles assigned to it, we have expanded horizons, which necessitates a redesign to stay current with enforceable Best Practices.

Roles Best Practices

This takes a new way of looking at Roles. Rather than assigning Roles to a job description, we must look at the functions or tasks that a job description requires. Some people call these “process-based” Roles, but I tend to think of a process as something like “Order to Cash,” which comprises many different functions.

For example, the job description for an Accounts Payable Clerk might contain the following list of duties:

  • Maintains Vendors
  • Enters Vouchers
      • Standard
      • Logged
      • Matched
  • Completes Check Printing
  • Prepares Cash Requirements
  • Seeks Approval from Controller when Checks are ready to print (Provides documents to support Vendor Payment and Disburses Checks)
  • Prepares 1099

User Tasks as Business Functions

Previously, we made Roles that matched the job description – e.g., the Accounts Payable Clerk was set up with the Role APCLERK and specific menus were designed for APCLERK.  The job description remains the same for an Accounts Payable Clerk.

Best Practices now call for the functions to be defined as the Roles like this:

User Task = “Business Function” | Role
Maintains Vendors | VNDMAINT
Enters Vouchers | VCHMAINT
Completes Check Printing | CHKPREP
Prepares 1099 | 1099PREP

These could be broken down further into STDVOUCH, 2WAYVOUCH, 3WAYVOUCH or CSHREQUIRE, CREATEPYMT – if that is how the organization is structured. For Segregation of Duties requirements, you may also want to narrow the scope of Vendor maintenance so that APCLERK has rights only to change a Vendor (not add a new one), and turn on Address Book Approvals, while some other department or person has rights only to add a new Vendor.
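The following Python example is added here for illustration and is not from the original post or from JD Edwards. It models function-based Roles as sets of permitted actions and reviews each User ID against the 30-Role limit and against Segregation of Duties pairs. The names VNDADD and VNDCHANGE, the action labels, the conflict pairs, and the user IDs are assumptions constructed for the example.

```python
MAX_ROLES_PER_USER = 30  # limit stated in the post

# What each function-based Role allows. VNDMAINT, VCHMAINT, CHKPREP and
# 1099PREP come from the post; VNDADD/VNDCHANGE are hypothetical names for
# the add/change split it describes. Action labels are constructed.
ROLE_ACTIONS = {
    "VNDMAINT":  {"vendor.add", "vendor.change"},  # unsplit vendor maintenance
    "VNDADD":    {"vendor.add"},
    "VNDCHANGE": {"vendor.change"},
    "VCHMAINT":  {"voucher.enter"},
    "CHKPREP":   {"payment.print"},
    "1099PREP":  {"1099.prepare"},
}

# Action pairs one person should not hold together. The add/change pair
# follows the post; the add/print pair is an assumed policy.
CONFLICTS = [
    ("vendor.add", "vendor.change"),
    ("vendor.add", "payment.print"),
]

# Constructed sample assignments (User ID -> Roles).
ASSIGNMENTS = {
    "APCLERK1": ["VNDCHANGE", "VCHMAINT", "CHKPREP", "1099PREP"],
    "APCLERK2": ["VNDMAINT", "VCHMAINT", "CHKPREP"],  # still holds unsplit Role
    "PURCH1":   ["VNDADD"],
}

def review(assignments):
    """Return {user: [finding, ...]} for every user with at least one finding."""
    report = {}
    for user, roles in assignments.items():
        held = set(roles)
        findings = []
        if len(held) > MAX_ROLES_PER_USER:
            findings.append(f"{len(held)} roles exceeds limit of {MAX_ROLES_PER_USER}")
        # Union of everything the user's Roles allow, so a broad Role such as
        # VNDMAINT is caught even when no second Role is involved.
        actions = set().union(*(ROLE_ACTIONS.get(r, set()) for r in held))
        for a, b in CONFLICTS:
            if a in actions and b in actions:
                findings.append(f"SoD conflict: {a} + {b}")
        if findings:
            report[user] = findings
    return report

if __name__ == "__main__":
    for user, findings in review(ASSIGNMENTS).items():
        print(user, findings)
```

Because conflicts are evaluated on the combined actions rather than on Role names, a single broad Role is flagged the same way as two narrow Roles held together.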

Because of my background, I think of these like business functions; only one function is completed for each Role. A business function is a task, or a part of a task. If you told your child to go to the store and get a loaf of bread, your child would know to return home after getting and paying for the bread. Unlike your child, a computer must be told every step. So the list of business functions (tasks) for a computer would be as follows:

  • Get money
  • Exit the house
  • Go to the store (designating the location of the store)
  • Enter that store
  • Go to the bread aisle (designating the location of the bread aisle)
  • Pick up the bread
  • Go to the cashier, etc.
  • Return home

Even though we went through the exercise of changing the Users’ Roles, we didn’t see any need to change the menus.  All of the functions and Roles that were assigned to APCLERK were on the same menus.  If a User ID were to change Roles, we might potentially have to change menus but we didn’t have that need.

In the next post, I’ll explain how to assign Business Units in JDE according to best practices, complete with examples.
