OneWorld Security - PowerPoint PPT Presentation

Title: OneWorld Security
Provided by: katyes
Slides: 63

Transcript and Presenter's Notes

1
OneWorld Security
Katye Summers J.D. Edwards
2
Security - Concepts
3
Security - User Issues
  • OneWorld security is configured using the
    concepts of . . .
  • User IDs
  • Group IDs
  • PUBLIC
  • System IDs
  • Object Security

4
Purpose of OneWorld User IDs
  • Uniquely identify individual users within
    OneWorld
  • Track activities for each user
  • Restrict overall access to the OneWorld system
    through login authentication
  • Implement user-specific security models

5
Basic Uses of OneWorld User IDs
  • OneWorld security provides
  • Access to OneWorld environments
  • Access to menus/tasks
  • Ability to use fast path and menu travel
  • Access to printers
  • Access to data sources (logic and database)

6
Purpose of OneWorld Group IDs
  • Create security models which can be applied to
    groups of users
  • Classify users by job description and access
    needs
  • Simplify the administration of security policies

7
Purpose of PUBLIC
  • PUBLIC
  • Controls security for all users
  • Special group ID that automatically includes all
    users
  • Doesn't require a specific user profile record

8
Purpose of OneWorld System IDs
  • Allow indirect access to database systems and
    OneWorld services
  • Create hidden passwords that prevent users from
    accessing non-OneWorld components from outside of
    the OneWorld system
  • Simplify the administration of security policies

9
How OneWorld Checks Security
  • OneWorld will check for security by User ID
    first
  • If security for the User ID is not set up, then
    the Group ID will be checked next
  • If security for the Group ID is not found, then
    all records with PUBLIC in the Group ID field
    will be checked
  • If there is no security found, then the user has
    access

10
OneWorld Sign-on Security
11
OneWorld Sign-on Security
  Control of who gains access to the critical
  business information contained in OneWorld is
  central to effective security. Sign-on security
  is the mechanism OneWorld uses to control who
  gains access to the system. Sign-on security
  • Is used to grant Users access to OneWorld.
  • Allows Users access to certain data sources
    within OneWorld.
  • Is used to require users to change passwords on a
    regular basis.
  • Is used to allow users to change their own
    passwords.
  • Is used to allow administrators to change user
    password in case of emergency.

12
How Sign-on Security Works
  • At Signon - when a user attempts to sign onto
    OneWorld, several conditions are checked
  • User signs onto OneWorld
  • If OneWorld does not find a network connection,
    the user is admitted into OneWorld in
    store-and-forward mode.
  • If OneWorld finds a network connection, the User
    ID and Password are encrypted and sent across the
    network to the Enterprise Server
  • The security server checks the supplied User ID
    and Password against the entries in the security
    table (F98OWSEC).
  • If the User ID and Password are valid, the User
    is allowed into OneWorld.

13
Sign-on Process - User Security
[Diagram not reproduced: a numbered flow (steps 1 to 6) between the workstation and the Enterprise Server (ENTSERV). Labels on the diagram: workstation JDE.INI [Security] with SecurityServer=ENTSERV, DataSource=System B7333, User=JDE, Password=JDE; JDENET message (Security) carried by JDENET_n to the JDENET_k kernel on ENTSERV; DBMS login as JDE to System B7333, table F98OWSEC (UserId, UserPswd, SystemId, SysPswd, Data Source; USER and DEFAULT entries); cache of sysid/syspswd; OW Data. Legend: Password Encryption (JDENET), JDENET Communication, JDEBase Communication.]
14
Security Approaches
15
Two Security Approaches
  • The OneWorld system is designed to support two
    basic approaches to security
  • User-based security
  • System-based security
  • One of these two approaches to security must be
    selected before you design and implement a
    security model for your system.

16
User-Based Security
  • In the user-based approach . . . every user has
    an individual logon for all systems.

17
System-Based Security
  • In the system-based approach, each user has a
    unique ID only within OneWorld.

18
User-based Security
Advantages
  • Database journaling can track activities at the
    individual user level
  • All remote processes can be traced to individual
    users
Disadvantages
  • Users can bypass OneWorld to directly access
    database systems
  • Changes to the security model can be cumbersome

19
System-based Security
Advantages
  • Security administration efforts are simplified
  • Users are not allowed to directly access
    non-OneWorld components
Disadvantages
  • Database and Host journaling efforts are
    restricted
  • The ability to track processes by individual user
    is restricted

20
Security Server
21
What is the Security Server?
  • The Security Server is a dispatched kernel
    process (jdenet_k) running on the server side for
    security validation.
  • The Security Server is used to access the sign-on
    security table (F98OWSEC) to validate OneWorld
    sign-on (Userid/Password) and get Security
    information necessary to access OneWorld
    databases (e.g. Oracle Userid and Password).
  • Security information is indexed by the
    combination of User ID and DataSource Name.

22
Security Server Functions
  • Validation of OneWorld Userid/Password
  • Mapping of OneWorld Userid to Database
    Userid/Password
  • Encryption/Decryption of Passwords in the
    Security Table (F98OWSEC)
  • Password Expiration - Automatic Expiration of
    OneWorld Userid after specified number of days
    without password change

23
Security Server Functions (cont)
  • Keep track of security validation and security
    table update history
  • Maximum number of consecutively failed sign-on
    attempts
  • Maintain Password History - New password can not
    be any of a number of previously used passwords

24
Cached Security Information
  • OneWorld caches information from the Security
    Workbench table (F00950) in workstation memory
  • If changes are made to F00950, workstations
    must log off and back on before the security
    changes take effect.

25
Object-Based Security
26
What is OneWorld Security?
  • OneWorld security is accomplished by restricting
    users from OneWorld objects
  • Objects can be data or logic
  • Data may be a record, a table, or a set of tables
  • Logic may be an action item on a form, an
    application form itself, or an entire interactive
    or batch application

27
Types of OneWorld Security
  • Application Security
  • Action Security
  • Row Security
  • Column Security
  • Processing Option Security
  • Tab Security
  • Exit Security
  • Exclusive Application Security
  • External Calls Security
  • Solution Explorer Security
  • Portal Security

28
Security Workbench
  • Application Security
  • Secure users from executing and/or installing a
    particular application or a particular form
    within an application.
  • Action Security
  • Secure users from executing a particular action,
    such as adding, deleting, revising, inquiring, or
    copying a record.

29
Security Workbench
  • Row Security
  • Database level security
  • Secure users from accessing a particular range or
    list of data in any table
  • Two-step process, must be enabled in the data
    dictionary
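
Row security as described on this slide is a two-step process: the data item must first be enabled for row security in the Data Dictionary, and only then can a restricted range or list of values be defined on it. The Python below is an added example, not code from the deck or from OneWorld: the data-dictionary flags, the data item names (MCU, AN8), the sample rows and the rule semantics (a row is hidden when its value on a secured field falls inside a restricted range or list) are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed data-dictionary view. Step 1 of the two-step process: row
# security has to be switched on for a data item before rules on it take
# effect. The item names below are this example's own.
DATA_DICTIONARY = {
    "MCU": {"row_security": True},    # business unit: enabled
    "AN8": {"row_security": False},   # address number: not enabled
}

@dataclass(frozen=True)
class RowRule:
    """A restricted range (low..high, inclusive) or an explicit list of
    values on one field. Values compare as strings, a simplification."""
    field: str
    low: str = ""
    high: str = ""
    values: frozenset = frozenset()

    def covers(self, value):
        if self.values:
            return value in self.values
        return self.low <= value <= self.high

def add_row_rule(rules, rule):
    """Step 2: define the rule, refusing fields not enabled in step 1."""
    if not DATA_DICTIONARY.get(rule.field, {}).get("row_security", False):
        raise ValueError(f"row security is not enabled for {rule.field} in the data dictionary")
    rules.append(rule)
    return rules

def visible_rows(rules, rows):
    """Drop any row whose value on a secured field falls inside a rule."""
    return [row for row in rows
            if not any(rule.covers(row[rule.field]) for rule in rules if rule.field in row)]

# Constructed sample rows from a hypothetical table keyed by business unit.
SAMPLE_ROWS = [
    {"MCU": "100", "AN8": "1001", "desc": "plant A"},
    {"MCU": "250", "AN8": "1002", "desc": "plant B"},
    {"MCU": "300", "AN8": "1003", "desc": "head office"},
]

def demo():
    """Apply a range rule, then a list rule, then attempt a rule on a field
    that the data dictionary has not enabled."""
    rules = add_row_rule([], RowRule("MCU", low="200", high="299"))
    after_range = [r["desc"] for r in visible_rows(rules, SAMPLE_ROWS)]
    add_row_rule(rules, RowRule("MCU", values=frozenset({"300"})))
    after_list = [r["desc"] for r in visible_rows(rules, SAMPLE_ROWS)]
    try:
        add_row_rule(rules, RowRule("AN8", low="1000", high="1999"))
        dd_rejected = False
    except ValueError:
        dd_rejected = True
    return after_range, after_list, dd_rejected
```

The check in add_row_rule is the part worth keeping in mind operationally: a rule defined on a field that was never enabled in the Data Dictionary silently protects nothing, so the first step should be verified before the second is relied on.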

30
Security Workbench
  • Column Security
  • Secure users from viewing a particular field or
    changing a value for a particular field
  • This can be a database or non-database field that
    is defined in the Data Dictionary, such as work
    fields or calculated fields

31
Security Workbench
  • Processing Option Security
  • Secure users from viewing or changing the values
    of processing options, or from prompting for
    versions in specific applications
  • Tab Security
  • Secures Users and/or Groups from tab pages on a
    form
  • Exit Security
  • Secures Users and/or Groups from Row and Form
    Exits on a form

32
Security Workbench
  • Exclusive Application Security
  • Temporarily gives a User/Group access to an
    Application or UBE that had previously been
    restricted in Application Security

33
Security Workbench
  • External Calls Security
  • Secures Users and/or Groups from non-OneWorld
    applications that can be accessed from within
    OneWorld
  • Will secure a user out of the executable if the
    user is trying to access it through OneWorld

34
Security Workbench
  • Solution Explorer Security
  • Restrict users from accessing features such as
    Internet, Documentation, Fast Path, Favorites and
    Rough Cut
  • Portal Security
  • Secures users from performing certain Portal
    Actions such as Personalization or Modifying
    Relationships

35
OneWorld Security
  • Security Workbench application (P00950) uses the
    Security Workbench table (F00950)
  • The User Security application (P98OWSEC) uses the
    OneWorld Security table (F98OWSEC)

36
Security and Coexistence
  • If you have a coexistence environment where you
    share data and applications between OneWorld and
    WorldSoftware, you need to maintain two
    independent sets of security profiles: one for
    WorldSoftware and one for OneWorld.

37
Solution Explorer Security
38
Solution Explorer Features
  • You can set security for these Solution Explorer
    features
  • Internet
  • Documentation
  • Fine Cut
  • Favorites
  • Effectivity dating (date of release)
  • Fast Path
  • Rough Cut
  • Universal Director

39
Solution Explorer Settings
Security Setting: Meaning
  • Secured: Restricts the user from accessing the
    feature
  • View: Allows the user read-only access
  • Add: Allows the user to add data to the system,
    but not to delete data
  • Change: Gives the user full access to the feature
    with no restrictions on changing, adding, or
    deleting data.

40
Roles-based Security
  • The concept of roles is currently applied to the
    Solution Explorer and OneWorld Portal. For
    example, roles are
  • Based on UDC H95/RL and App P95921
  • Not tied to OneWorld security or the B9 roles
    system
  • Full Roles-Based Security will be implemented in
    Release B9. In that release
  • Complete roles system tied into the OneWorld
    security system
  • Multiple roles will be supported
  • Portal security is completely integrated with the
    B9 roles system

41
Security Base Components
42
Security: the BIG Picture
Best practices for security demand a systems
thinking model and defense in depth. Since
OneWorld relies upon networks, host systems and
database products, a OneWorld implementation will
only be as secure as the weakest link in this
chain of components.
43
Securing Networks
When securing networks for OneWorld, access to
the following items needs to be considered
  • Network Services
  • File Sharing, File Transfers
  • ODBC, OCI
  • Remote Login Sessions
  • Printing
  • Network Devices
  • Servers
  • Workstations
  • Printers
  • Storage Devices

44
Networks - Securing Devices
  • Network devices are actual destination points on
    the network.
  • Users should only have access to those devices
    that are required for their work.
  • In most network environments there are two
    methods to restrict access to devices
  • Use network domains to restrict user access
  • Use IP filtering to restrict users from overall
    access to remote networks and network segments

45
OneWorld Host Systems
  • OneWorld has the ability to use the following
    types of host systems
  • Deployment Servers
  • Enterprise Servers
  • WTSE Servers
  • Web Servers
  • Database Servers
  • Workstations

46
Deployment Server Security
  • The Deployment Server typically contains OneWorld
    source code, package build areas, install
    packages, and licensing information
  • Only allow system administrators to log onto the
    deployment server
  • Only share the package portions of the file
    systems or use CDs for workstation installs
  • Do not share help files from this machine
  • Do not place shared services such as printing or
    DNS services on this host
  • Only run OneWorld on this machine for software
    installs and upgrades

47
Enterprise Server Security
  • The Enterprise Server stores data, runs OneWorld
    services, and contains OneWorld code
  • Only allow system administrators to log onto the
    enterprise server
  • Do not give job control authority or system
    administration privileges to regular users
  • Do not share or give general access to the
    OneWorld code and work directories on this server
  • Do not allow users to access or read the server
    INI files
  • Do not give users the authority to start, stop,
    or configure OneWorld services

48
TSE and Web Servers
  • These two types of servers should be treated like
    workstations.
  • TSE and Web Servers should be considered
    single-purpose machines: they facilitate
    thin-client access. Therefore
  • Users should only be able to log on to these
    servers to run OneWorld and nothing else
  • Remote session access/remote session control
    should be prohibited or severely limited for
    these servers

49
Database Management Systems
  • OneWorld uses 3rd party Databases to store all
    data records.
  • These databases must be accessible through
    network services such as ODBC and OCI.
  • Databases that are shared or reside on any server
    machine must be secured.

50
Workstation Security
  • OneWorld Workstations should be considered
    UNSECURE hosts
  • Users can access all information stored on their
    workstations
  • Do not store any data on a workstation unless the
    user is allowed to read it and modify it
  • All validation and control records should be kept
    off of the workstations

51
Other Security Considerations
52
Other Security Considerations
  • Form Level Security for Interactive Applications
  • Form Level Security should be implemented when
    you need to limit particular user or group access
    to part of an application. This decision is made
    by the Application team lead. This is similar to
    Application level security except it is more form
    specific.
  • Control Table Ownership
  • Ownership should be assigned to certain control
    tables (UDCs, Address Book, AAI, Account Master)
    to ensure data integrity.

53
Other Security Considerations
  • SQLNet Security
  • SQL query tools can easily provide access to and
    be harmful to confidential business data. In
    order to avoid these costly errors, you should
    limit user access to the Query Tool.
  • Database Security on F98OWSEC
  • The F98OWSEC table contains the OneWorld and
    database USER IDs and password. Only the
    MIS/DB/OW Administrator should have access to
    this table. No one should be locked out using
    native database security.

54
Other Security Considerations
  • OMW Considerations
  • OMW is an administrator's tool and access should
    be limited.
  • Change management integrity requires that limits
    should be placed on who has the ability to
  • Purge logs
  • Add additional project owners
  • Add additional project roles
  • Secure the following OMW/OMC components by
    applying Application Security
  • P98230 (Object Management Configuration)
  • P98210B (Object Management Workbench Log Purge)
  • Apply Row Security to the PUOMWUR field in F98221
    to prevent users from adding owners to a project

55
Recommendations and Best Practices
56
Security Strategies
  • Custom Menus/Task Views
  • Custom Menus can be created to restrict users
    from accessing other menus.
  • Fast path, new tab, menu search (binoculars), and
    File Open must also be restricted from the user
    for this to be effective.
  • Users may be able to use the Exit Bar to gain
    access to other applications not in the menu, so
    you will have to set up Exit Bar security for all
    applications
  • This is a much simpler setup if the user has
    access to a limited number of applications.

57
Security Strategies (cont)
  • Open/Restrict
  • Users have access to all OneWorld objects (JDE
    default).
  • Objects are restricted one at a time from users.
  • Most work
  • Restrict/Open
  • Restrict access to all applications.
  • Access is granted to one object at a time.
  • Safest
  • Easiest
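
The lookup order given on the "How OneWorld Checks Security" slide (User ID, then Group ID, then PUBLIC, and access is allowed when nothing is found) is what makes the two strategies on this slide differ. The Python below is an added example and is not code from the deck or from OneWorld: it implements that resolution order over a constructed set of Security Workbench style records, builds the record sets for Open/Restrict and Restrict/Open, and adds a check for objects that no PUBLIC record covers. Attribute names and the PEXAMPLE and PNEW application IDs are made up for the illustration; P00950, P98OWSEC and P98230 are application IDs named in the deck.

```python
from dataclasses import dataclass

PUBLIC = "PUBLIC"   # the special group ID that automatically includes all users

@dataclass(frozen=True)
class SecurityEntry:
    # A Security Workbench style record. Attribute names are this example's
    # own, not F00950 column names.
    principal: str   # a User ID, a Group ID, or PUBLIC
    obj: str         # the secured object, here an application ID
    run: bool        # True = may run the object, False = secured out

def find_security(entries, user_id, group_id, obj):
    """Resolve in the order the deck gives: User ID, then Group ID, then
    PUBLIC. Returns (allowed, matched_principal); matched_principal is None
    when no record exists, in which case the user has access."""
    by_key = {(e.principal, e.obj): e for e in entries}
    for principal in (user_id, group_id, PUBLIC):
        entry = by_key.get((principal, obj))
        if entry is not None:
            return entry.run, principal
    return True, None   # nothing found: access is allowed by default

def open_restrict(restricted_objects):
    """Open/Restrict: everything is open (JDE default); only the listed
    objects get a PUBLIC record that secures them out."""
    return [SecurityEntry(PUBLIC, obj, False) for obj in restricted_objects]

def restrict_open(all_objects, grants):
    """Restrict/Open: secure every known object out for PUBLIC, then grant
    one object at a time to the user or group that needs it.
    grants is a list of (principal, obj) pairs."""
    entries = [SecurityEntry(PUBLIC, obj, False) for obj in all_objects]
    entries += [SecurityEntry(principal, obj, True) for principal, obj in grants]
    return entries

def unsecured_objects(entries, objects):
    """Check worth running after every install or upgrade: objects with no
    PUBLIC record fall through to default allow under either strategy."""
    covered = {e.obj for e in entries if e.principal == PUBLIC}
    return [obj for obj in objects if obj not in covered]

# Constructed inventory: P00950, P98OWSEC and P98230 are application IDs
# named in the deck; PEXAMPLE and PNEW are made-up business applications.
KNOWN_OBJECTS = ["P00950", "P98OWSEC", "P98230", "PEXAMPLE"]

def demo():
    entries = restrict_open(KNOWN_OBJECTS, [("SYSADMIN", "P00950"),
                                            ("SYSADMIN", "P98OWSEC"),
                                            ("FINANCE", "PEXAMPLE")])
    # A user-level record overrides the group grant (the user is checked first).
    entries.append(SecurityEntry("TEMP01", "PEXAMPLE", False))
    return {
        "finance_user_runs_app": find_security(entries, "KSUMMERS", "FINANCE", "PEXAMPLE"),
        "finance_user_runs_workbench": find_security(entries, "KSUMMERS", "FINANCE", "P00950"),
        "temp_user_denied_despite_group": find_security(entries, "TEMP01", "FINANCE", "PEXAMPLE"),
        "new_object_falls_open": find_security(entries, "KSUMMERS", "FINANCE", "PNEW"),
        "gap_report": unsecured_objects(entries, KNOWN_OBJECTS + ["PNEW"]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "new_object_falls_open" result is the reason Restrict/Open is called the safest approach but still needs the gap check: an application that arrives with an upgrade and has no PUBLIC record is runnable by everyone until one is added, which is also why the deck recommends restricting critical objects immediately after installation.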

58
Setup Recommendations
  • After software installation, users should
    immediately be restricted from accessing certain
    critical tables (i.e. the Sign-on security table).
  • Set up with a high level plan on how to implement
    security within the organization.
  • Define a Job Function Chart and map the users and
    objects to each job function.

59
Achieving a Secure OneWorld Implementation (cont)
  • Test, validate, and document the overall security
    implementation
  • Consider conducting evaluations to assess overall
    security posture prior to going live (where
    possible)
  • Maintain rigorous monitoring and change control
    processes

60
Conclusion
61
Key Takeaways
  • Security is a process, not a product or a
    technology, and is continual
  • Increased Awareness and understanding (plus
    action) is key

62
Thank You !!!