Académique Documents
Professionnel Documents
Culture Documents
This document is copyright to Q Software Global Ltd 2007 JDE and JD Edwards are registered trademarks of Oracle & Company AS/400 and IBM are registered trademarks of IBM Corporation SEC-Qure is a registered trademark of Q Software Global Ltd Q Software Global Ltd is an Oracle Certified Partner Q Software Global Ltd is an IBM Partner in Development Registration No 19026559
2 August 2007
Contents
Support ......................................................................................................................... 6 Introduction .................................................................................................................. 7 Generating Security ..................................................................................................................... 7 New Functionality ....................................................................................................................... 7
Accessing E1Config ..................................................................................................................... 8
Solution Explorer......................................................................................................................... 9
E1Config Setup ........................................................................................................................... 10
Version Security functionality ................................................................................................... 12 Hidden Programs ....................................................................................................................... 14 Reports................................................................................................................................... 17 Name Encryption ....................................................................................................................... 18 Auditing ..................................................................................................................................... 21 Segregation of Duties................................................................................................................. 23 General....................................................................................................................................... 24 E1Config...................................................................................................................... 25
Template Manager ...................................................................................................................... 26
Adding a Template .................................................................................................................... 28 Header.................................................................................................................................... 28 Defaults.................................................................................................................................. 29 Locking a Template ................................................................................................................... 31 Modifying a Template Header................................................................................................... 32 Copying a Template................................................................................................................... 33 Deleting a Template................................................................................................................... 34 Modifying Template Detail ................................................................................................... 35
Work with Parents....................................................................................................................... 36
Introduction................................................................................................................................ 36 Parent Type Component ............................................................................................................ 37 Position to Parent ................................................................................................................... 38 Component Level................................................................................................................... 38 Adding a Component ............................................................................................................. 41 Component Level Definition ................................................................................................. 42 Component Level Revisions .................................................................................................. 44 Modifying a Component Header ........................................................................................... 45 Copying a Component ........................................................................................................... 46 Deleting a Component ........................................................................................................... 48 Parent Type Function................................................................................................................. 52 Adding a Function ................................................................................................................. 53 Modifying a Function Header................................................................................................ 55 Copying a Function................................................................................................................ 56 Deleting a Function................................................................................................................ 58 Parent Type Segregation of Duties ............................................................................................ 59 Adding a Segregation of Duties Rule .................................................................................... 60 Modifying a Segregation of Duties Header ........................................................................... 62 Deleting a Segregation of Duties Rule................................................................................... 63
Parent Details .............................................................................................................................. 64
Component Detail Definition..................................................................................................... 64 Add Security Type ................................................................................................................. 65 Security Detail ....................................................................................................................... 67 E1Config v3.0 User Manual Rev 1.1 2 2 August 2007
Set Defaults............................................................................................................................ 69 Apply Detail Heads Down.................................................................................................. 70 Modifying Security................................................................................................................ 70 Deleting Security ................................................................................................................... 70 Apply Detail Selector.......................................................................................................... 71 Version Security Enabled .......................................................................................................... 74 Security Types allowing Version Security ............................................................................ 75 Hidden Programs Enabled ......................................................................................................... 76 Copying Component Detail ................................................................................................... 80 Deleting Security ................................................................................................................... 82 Function Detail .......................................................................................................................... 83 Adding Function Detail ......................................................................................................... 83 Function Detail ...................................................................................................................... 84 Deleting Function Detail........................................................................................................ 85 Segregation of Duties Detail...................................................................................................... 86 Adding Segregation of Duties Detail..................................................................................... 86 Segregation of Duties Detail.................................................................................................. 88 Copying Segregation of Duties Detail ................................................................................... 89 Deleting Segregation of Duties Detail ................................................................................... 90
Entity Management ..................................................................................................................... 91
Entity Manager .......................................................................................................................... 91 Adding an Entity.................................................................................................................... 93 Modifying an Entity............................................................................................................... 94 Deleting an Entity .................................................................................................................. 95 User Clean Up........................................................................................................................ 96
User Management ....................................................................................................................... 99
User Security Manager .............................................................................................................. 99 Accessing User Security Manager ....................................................................................... 100 Position to Functionality/Search Criteria............................................................................. 103 Adding Parents to User/System Roles ................................................................................. 107 User/System Role Detail...................................................................................................... 108 Deleting records from the User Security Manager .............................................................. 110 Reviewing Component Detail.............................................................................................. 112 Copy User/System Role....................................................................................................... 113 User Security Workbench Reports .......................................................................................... 115 Report .................................................................................................................................. 115 Validate All Users................................................................................................................ 117 Build Validated.................................................................................................................... 119 Build All .............................................................................................................................. 120 Component/Function Security Management ....................................................................... 121 Adding User/System Roles to Parents ................................................................................. 122
Conflict Management................................................................................................................ 123
Conflict Manager ..................................................................................................................... 123 Security Conflict Resolution................................................................................................ 126 Component level Segregation of Duties .............................................................................. 128 Object level Segregation of Duties ...................................................................................... 129 Multi-level Conflicts............................................................................................................ 131 Multiple Roles Conflicts in 8.x versions.............................................................................. 133 Multiple Roles Sequencing Conflicts in 8.x versions.......................................................... 134 E1Config Administration.......................................................................................... 135
SEC-Qure E1Config Rev 1.1 3 2 August 2007
Q Software SPC......................................................................................................................... 136 Update Inclusive/Exclusive Row Security.............................................................................. 138 Component Data Conversion (RY5AF500) ............................................................................. 139 Security Data Capture (RY5AF950) ......................................................................................... 142 Component Generator (RY5AF540) ........................................................................................ 146 User Clean Up QSG Tables Only.......................................................................................... 151 User Clean Up F00950 Table Only........................................................................................ 153 User Clean Up QSG and F00950 Tables .............................................................................. 155
E1Config Reporting.................................................................................................. 157 Maintain Reporting Codes (PY5AF945)................................................................... 158 Advanced E1Config Reports Front-End (PY5AF550) ............................................. 161
Template Reporting .................................................................................................................. 163
Functions by Template............................................................................................................. 164 Segregation of Duties by Template ......................................................................................... 168 Components by Template ........................................................................................................ 171
Entity Reporting ........................................................................................................................ 174
Auditing..................................................................................................................... 194 Tables................................................................................................................................... 194 Audit Fields ......................................................................................................................... 194 Actions................................................................................................................................. 195 Audit Enquiry .......................................................................................................................... 196 Audit Reports........................................................................................................................... 198 User Status (FY5AF402) Report (RY5AF555A) ................................................................ 198 Component Detail (FY5AF405) Report (RY5AF555B) ..................................................... 200 Parent Header (FY5AF501) Report (RY5AF555C) ............................................................ 202 Parent Detail (FY5AF510) Report (RY5AF555D).............................................................. 204 Template Master (FY5AF430) Report (RY5AF555E)........................................................ 206 Entity Master (FY5AF440) Report (RY5AF555F) ............................................................. 208 Function Tracker (FY5AF512) Report (RY5AF555G) ....................................................... 210 Component Tracker (FY5AF513) Report (RY5AF555H)................................................... 212 Conflict Manager (FY5AF515) Report (RY5AF555I)........................................................ 214 Control Table (FY5AF905) Report (RY5AF555J).............................................................. 216 Purge Audit Tables (RY5AF557) ........................................................................................ 218 Glossary .................................................................................................................... 220 Appendix A - E1Config............................................................................................. 222 QComponents .......................................................................................................................... 222 Naming Conventions ........................................................................................................... 222 Component Level................................................................................................................. 222 Security Type (Work with Components by Security Type vs. Selector)................................. 223
SEC-Qure E1Config Rev 1.1 4 2 August 2007
Appendix B - Security Table Set-up ........................................................................ 225 Single Security Table............................................................................................................... 225 Multiple.................................................................................................................................... 226 Appendix C - External Call Security in E1Config ................................................... 227 Introduction.......................................................................................................................... 227 Default Values ..................................................................................................................... 227 Adding new UDCs............................................................................................................... 228
2 August 2007
Support
If you cannot find the information you require in this manual, please contact Q Software Technical Support via the Customer dedicated Support section of the Q Software web site (www.qsoftware.com/support). This is the preferred mechanism for logging support calls and will require a unique Username and a Password to access, which should have been supplied to you with your original software purchase. If you do not yet have a Username and Password, you can request one by emailing support@qsoftware.com. Alternatively, you can contact Technical Support directly by phone on +44 (0) 1483 280 410 Office hours are between 9am and 5:30pm UK time (GMT). Or email support on support@qsftware.com.
Ranmore Manor Ranmore Common Dorking Surrey RH5 6SX United Kingdom
2 August 2007
Introduction
SEC-Qure E1Config (E1Config) is a tool designed to make implementing Enterprise One (E1) security a great deal easier and less time consuming than using standard E1 functionality. For an explanation of E1Config terminology see the glossary section of this document. The idea is simple but effective and requires a little more planning than creating a standard security Matrix. We are approaching security strategy, and the resulting matrix, from a different angle. Menus/Tasks are not used to enhance security (although they are still relevant) as this can lead to mass duplication of security records. Instead the security Matrix is split into tasks or Components such as Add Standard Vouchers. All security records required to Add Standard Vouchers are recorded against a Component. The method of adding records is also made more efficient than the dragging and dropping of the E1 Security Workbench. Once a Component has been created, that reusable Component can then be added into a larger Job Function such as AP Clerk along with numerous other Components that an AP Clerk requires in performing their day-to-day duties. Multiple Components can be added to Functions and in turn several Functions can be added to other Functions, where necessary, all in an effort to save time in applying security. All Component and Function information is held in Templates. A Template can be equated to a security matrix and different matrices can exist to facilitate a multiple security table set up.
Generating Security
At no point in the process do you update any E1 tables, until you generate security through E1Config. Once all your Components and Functions have been created they can be attached to Users/Roles/*PUBLIC. This method of creating security means that once the Components and Functions have been generated then security records do not have to be duplicated. Instead they can be appended to Users where necessary. Any User that needs to Add Standard Vouchers can just have that Component attached to their profile. In the same way an AP Manager that needs to have all AP Clerk security plus additional records can have the AP Clerk Function assigned to their profile and then any additional Components added on top so that the same security does not have to be replicated. Once these records have been attached to the relevant users then the security records are built and at this point records are written to the F00950 table. A record of all security that has been applied is kept. Any Conflicts that emerge are tracked and the facility to manage these separately is provided. Also, if a change is made to a Component all profiles that have that Component as part of their security make-up are flagged so that you know when to update your user population. Batch jobs are available to refresh the security for all profiles that have changed to further expedite the process.
New Functionality
Please see the associated document SEC-QureE1ConfigV30NewFeatures.doc for new features available in the latest version.
SEC-Qure E1Config Rev 1.1 7 2 August 2007
Accessing E1Config
If you are using oexplore.exe to access E1Config then fast path directly QE1C100 and the Menus named below will be displayed. This will take you to the main Q Software menu. Alternatively you can create a menu call to the E1Config menus on your existing Menu structure at the point of installation. This is discussed in the Installation Manual that comes with the software.
2 August 2007
Solution Explorer
If you are using Solution Explorer (activConsole.exe) to access EnterpriseOne then you will need to have added QE1C100 to an existing task view. This process is discussed in the Installation guide that comes with your software. Once the Parent task has been added to a Task View the tasks displayed below will be available to you. In the example below we have added them to the Content Development Tools task view and you can then see the E1Config Security Manager task containing all E1Config applications. Or you can fast path directly to the task by entering QE1C100.
2 August 2007
E1Config Setup
The various E1Config Control functions can be maintained using the E1Config Setup application (PY5AF905), found on the Sec-Qure E1Config Administration Menu/Task View (QE1C102). Please note - Any changes to these settings will automatically be audited and recorded in the FY5AFA10 audit table whether auditing has been enabled or not. See the auditing section of this manual for more information about this topic.
10
2 August 2007
Tab Descriptions
Version Security
This tab enables Version Security within E1Config for the relevant Security Types. See below for more detail on this functionality. This tab enables Hidden Program Functionality within E1Config for Application Security. See below for more detail on this functionality. This tab disables Name Encryption for Components within E1Config. See below for more detail on this functionality. This tab enables Auditing functionality for the E1Config product. See below for more detail on this functionality. This tab enables Segregation Of Duties functionality for the E1Config product. See below for more detail on this functionality. This tab controls non specific functionality for the E1Config product. See below for more detail on this functionality.
Hidden Programs
Name Encryption
Auditing
11
2 August 2007
For a list of the security types and forms that will be affected by this change please see the Version Security Enabled section of this manual.
12
2 August 2007
If, however, you do not use version security you may need to turn this option off. Uncheck the box to disable version security for your E1Config implementation. This will generate a warning message as seen below. Ok this message if you wish to disable version security.
13
2 August 2007
Hidden Programs
The Hidden Program functionality allows Associated Applications, Reports, Search & Select Forms and Hidden Programs to be selected through the Template Manager via a new Associated Object Selector form. This functionality is only available for Application Security.
The Hidden Program functionality requires the Cross Reference Table (F980011) to be populated in order to glean the necessary information. The Reports below should also be run before this functionality will work correctly.
14
2 August 2007
Checking or unchecking the Enable Hidden Program Functionality check box will either display or hide four object selection check boxes. When active at least one of the four object selection check boxes must be ticked, otherwise an error will be displayed when the OK button is pressed. The object selection check boxes control which types of objects can be selected on the Template Manager Work with Application Security grid.
15
2 August 2007
Check-box Descriptions
Associated Applications
Applications that are called from a selected application or form. Identified by records in the F980011 table with an object name (SIOBNM) equal to the selected object and a secondary attribute (SIATRS) of CLFRM. Only one level is allowed i.e. application A calls application B. Reports that are called from a selected application, form or report. For reports multiple levels are allowed i.e. Report 1 calls Report 2 which calls Report 3. Identified by records in the F980011 table with an object name equal to the selected object and a secondary attribute of RI Forms that are called from a selected application or form via a visual assist button attached to one or more fields on the form. Fields on the form are identified by records in the F980011 table with an object name equal to the selected object and a secondary attribute of DTAN. Each form name is retrieved from the field Search Form Object Name (FRSFMN) in the F9210 table identified with a Data Item (FRDTAI) value that matches the Name Field (SIFDNM) value in the F980011 table. Only one level is allowed. Applications or reports that are called from NER business functions (C business functions are currently not supported). NER functions are identified by records in the F980011 table with an object name equal to the selected object and a secondary attribute of BSFN. Each function name is retrieved from the Name Field (SIFDNM). Applications are identified by records in the F980011 table with an object name equal to the function name, a primary attribute of FORM and a secondary attribute of CLFRM. Reports are identified by records in the F980011 table with an object name equal to the function name, a primary attribute of FUNC and a secondary attribute of RI. For performance reasons the selected NER business functions are stored in a new table FY5AF519. Only one level is allowed.
Associated Reports
Hidden Programs
16
2 August 2007
Reports
These reports populate the tables that E1Config uses as a reference for the Hidden Programs functionality. The F980011 must be populated for these reports to construct the reference information. RY5AF563 QSG0001 This UBE reads the F9860 table for the object type BSFN and Source Language NER to see if any Business Functions call another application. The F980011 table, which must first be populated, is read with the object name matching the function name, a primary attribute of FORM and a secondary attribute of CLFRM. To see if the business function calls a report, the F980011 table is read with the object name matching the function name, a primary attribute of FUNC and a secondary attribute of RI. The FY5AF519 table is then populated with business function name, object name and form name of any NER business function that calls an application or report. If the object name is a report the form name will be blank. This UBE runs over vanilla Business Functions. Note: This Report must be run before the RY5AF561 report. RY5AF563 QSG0002 This UBE performs that same function as the above version but does it over any custom Business Functions that may exist for your implementation. RY5AF561 QSG0001 This UBE reads through the F9860 table for applications and reports and populates the FY5AF518 table with one record per object. The associated apps flag is set to Y if the object has an associated application, the associated rpts flag is set to Y if the object has an associated report, the associated search & select flag is set to Y if the object has an associated search & select form and the hidden program flag is set to Y if a matching record for the object is found in the FY5AF519 table. This UBE runs over vanilla Applications. Note: This Report must be run after the RY5AF563 report. RY5AF561 QSG0002 This UBE performs that same function as the above version but does it over any custom Applications that may exist for your implementation.
17
2 August 2007
Name Encryption
In previous versions of E1Config and QBuild, the object name field (OBNM) in the FY5AF405 table (Component Detail) was encrypted. This prevented custom reports being created over this table. This functionality can now be disabled by ticking the Disable FY5AF405 Object Name Encryption box. Please note Once encryption is disabled, it cannot be re-enabled.
18
2 August 2007
A warning message will be displayed to remind you to run report RY5AF960, which will decrypt the Object Name field for all the records in your existing FY5AF405 table.
19
2 August 2007
Once Name Encryption has been disabled it cannot be re-enabled and therefore the check-box will be greyed out as in the example below.
20
2 August 2007
Auditing
The Auditing functionality allows you to log any changes to your E1Config security configuration. Switch on auditing by ticking the Enable Auditing box.
21
2 August 2007
Please note Auditing can only be disabled by the person who enabled it. See the auditing section of this manual for more information on this topic.
22
2 August 2007
Segregation of Duties
The new Segregation of Duties functionality allows SOD conflict checking to be done at the Component level (as earlier versions of E1Config), Object level or both levels. Select the appropriate level by clicking the corresponding radio button.
23
2 August 2007
General
The General tab covers functionality that does not fall under a specific category. User Security Manager Form Set Default for Filter Clicking the appropriate radio button determines the default setting of the filter radio buttons on the User Security Manager form (PY5AF450/WY5AF450A). Please see the User Management section of this manual for further information.
24
2 August 2007
E1Config
Menu/Solution Explorer Task QE1C101 contains the E1Config daily use applications.
25
2 August 2007
Template Manager
The Template Manager is the entry point to creating and managing your security matrices for E1Config. As with the majority of E1Config functionality and a large amount of E1 functionality you have to create a header record and attach detail records to that header. Each Template is classified as a Header record and the Components, Functions and Segregation of Duties parents are the detail records attached to each Template and will be discussed in more detail in the Parent Revisions section of this manual. From within the Template Manager you can create and manage your own Templates either from scratch or by copying all or parts of existing E1Config Template/s.
26
2 August 2007
Field Descriptions
This is the 10-character Id that identifies your templates. This is the 10-character Id that identifies your templates. This is the 30-character description that is assigned to each of your templates. This field shows whether a Template is LOCKED or BLANK (unlocked). Only the User that LOCKED a Template can work with it or Unlock it. The Level is a value of 1, 2 or 3. This describes the Level convention 1 Master. A Master Template should be Locked. This is your pristine Template and should be used in that way. 2 Dependent. Dependent Templates should be a copy or copies of your Master Template that can be modified to fit a particular need/site. 3 Independent. As the name suggests this type of Template is independent, therefore can be free form and used in any way.
Template Master
If a Template is a dependent this field should show the Master Template that it is derived from.
Row Exits
Lock
This button changes the Lock Indicator value for the highlighted template to the opposite value. Once a Template is Locked only the User that Locked it can modify, unlock or delete that Template. This exit allows you to access the Components, Functions and Segregation of Duties Parents for each template that you have created. Displays the version number of the E1Config software that you have and some contact details for QSoftware.
Parents
Form Exits
QSG
27
2 August 2007
Adding a Template
Templates are essentially individual security matrices and can be as similar or as different as you like. You will receive QComponents as one template if you have bought the software. It is advisable that you copy this Template and modify it, so that any new versions of the QComponents Template will not overwrite changes that you have made. See the Copying a Template section below. Templates are especially useful if you have a multi-company implementation where one site is going live before others. A Template can then be tailored to your needs and this Template can then be rolled out as a model and modified by site. Templates are also very useful when you have multiple security tables. If you have this structure then it is likely that you will want different levels of access by environment. You could have your Development and Test environments with one Template allowing Developers to have wide access to the system. Then a Template for Production that is restrictive in its access.
Header
To create a Template you must firstly add a header record. Click Add from within the Work with Templates form and you will be able to define a Template and the defaults that are to be used for it.
28
2 August 2007
Header Descriptions
This is the 10-character Id that identifies your templates. This is the 30-character description that is assigned to each of your templates. Select or Enter the numbered value to determine whether the Template is a Master, Dependent or Independent Template. This field displays whether a Template is Locked or Unlocked. The value cannot be changed from this Tab. This field allows you to select or add the Master Template for a Dependent Template.
Lock Indicator
Template Master
Defaults
The Default and Default1 tabs of the Template define which default values will be used when applying security detail records to the Components that will make up your Template. They refer to all of the different security features within Enterprise One that use different values. The values that should be established in the defaults for each template relate to what values you will use most when applying security records and is highly dependant on whether you are employing an All Doors Closed, or an All Doors Open security strategy. For example if you were using an All Doors Closed policy then you would set your Application Security settings to YY as the default would be NN and therefore all of the Application security records that you apply would be YY to give the necessary Applications back to users. See the Set Defaults section of this manual for more information on how these defaults work. The Defaults1 tab will be protected for EnterpriseOne releases 8.10 and below, as this tab handles the default values for the new security types introduced with tools release 8.96 for 8.11 and above. You may notice that Miscellaneous, Solution Explorer, Portal and Data Browser (8.11 upwards only) security are not included in this defaults section. These types of security are supported by E1Config, but work in such a way as to not need default values to be created.
29
2 August 2007
30
2 August 2007
Note - The above examples are the recommended configuration for an All Doors Closed Template.
Locking a Template
Once you have created your Template and are satisfied that the Components have been customized to your liking, or if you are not currently using the software and other users potentially have access to the E1Config software we advise that you LOCK your Template/s. Lock a Template simply by highlighting the desired Template and clicking on the Lock Row exit. Locking is simple but effective and is controlled by User Id. When a User Locks a Template, the profile of that User is recorded in the FY5AF430 table. That user is then the only user that can unlock the Template. To be able to modify the Template the User that locked it must unlock it. Once it is unlocked any user can modify the Template details. Even when a Template is locked any user that has access to the software can copy the Locked Template so if you do not want users to be able to do this then deny access to the E1Config applications using standard application/action security.
31
2 August 2007
* Note If you attempt to modify a Template that is locked, a message will inform you that the Template cannot be modified.
32
2 August 2007
Copying a Template
Highlight a Template and click Copy. Simply add a new Template ID and Description to the Template and then you can modify any of the defaults or attached parents. By doing this you will be able to copy the Header record and the default settings for your selected Template, as well as Copying all the detail of that Template including Components (and their attached security records), Functions and Segregation of Duties rules.
33
2 August 2007
Deleting a Template
Highlight the Template you wish to delete and click Delete. You will be prompted with the Delete message Confirmation window. Simply click OK to delete the Template or Cancel to stop the Delete.
WARNING this will also delete the Components, Functions and Segregation of Duties rules attached to the deleted Template. If you try and delete a Template that is attached to an Entity an error message will inform you that this is not possible. You must first delete the Entity.
34
2 August 2007
This will take you into the Parent Revisions form. * Note If a Template is LOCKED then the Parents exit will not be available to you, as you are not authorized to modify the Template or its details.
35
2 August 2007
36
2 August 2007
Once you have created a Component Header you can define the detail beneath it by highlighting a Component or Object (depending on the Control table setting) and clicking Select. Existing Components can also be interrogated and edited in this manner. Select Component as the Parent Type. All defined components will be displayed. Once the Parent Type Component is displayed you can create new Components, or modify and delete existing Components.
37
2 August 2007
Position to Parent
Once a Parent Type has been selected and a list of the relevant parents has been displayed, enter a value in this field and the list will start from the selected value (see figure below). This field is alphanumeric and will display from the first match it finds, or the next in order. Wildcards do not work but if you enter an N, for example, all Parents that start with an N onwards will be displayed.
Component Level
The Component Level field is a filter that is only available when you have selected the Parent Type Component, which is defaulted when you enter the form. The field will default to an * which means that all Components are displayed. You can use the Visual assist or enter a Component Level value (0-9) directly into this field and the Components will sort to only display those that have a Component Level equal to the value entered. This is useful to search for specific types of Component. In the example below, all Components have been created at a level 3. See Appendix A - Component Level for examples of Component Levelling strategies.
38
2 August 2007
39
2 August 2007
Field Descriptions
Template ID Position To
The Template ID and description for the Template that you are working within. A Display from field. Enter a value and the list of the relevant Parent Type will start from that value or next alphanumerically. A filter for Components. Entering a Component level value in this field will sort the list of Components to only display those with a matching Component level. An * will show all Components. Click this radio button to display Components. Click this radio button to display Functions. Click this radio button to display Segregation of Duties rules.
Component Level
Parent Type
Exits
Row
Parent Details
This exit performs differently depending on the Parent type that is currently selected. For Components this will access the Work with Components form (WY5AF405A) from where you can add/maintain Component Detail (physical security records). For Functions this will access the Parent Selection screen (WY5AF501E) form from where you can attach Functions and/or Components to a Function. For Segregation of Duties this will access the Parent Selection form from where you can attach only Components or Objects to an SOD rule.
Form
Objects
This button will call the Work with Object Components form (WY5AF405E) from where you can locate where specific objects are located in Components. See the Locating an Object section of this manual for more information.
QSG
Displays the version number of the E1Config software that you have and some contact details for QSoftware.
40
2 August 2007
Adding a Component
To add components ensure that the Parent Type is Component and then click the Add button.
41
2 August 2007
Header Descriptions
Template ID Type
Shows the Template ID for the Template to which you are adding a Parent. Shows the code that defines which type of Parent you are adding. In this case it is a Component. This is the 10-character Id that denotes each component. See Appendix A E1Config for more information on naming conventions.
Parent Name
This is the 80-character description that is assigned to each of your parents. Internal security for assignment of E1Config Parents. This field is for future use. The level assigned to each component. Further explanation of this feature can be seen below. See below for further Information. These are 3-character user defined fields which can be used to classify the Component. See the Maintain Reporting Codes section of this manual for more information.
Reporting Codes
Component A has a higher Component Level and therefore takes precedence. The user will therefore have application security of YY set against P01012. The conflict is only relevant for P01012 and all other security records are applied to the user.
42
2 August 2007
If both Components had the same level then an actual Conflict would exist. A warning message will appear informing you that a conflict exists. Use the Conflict Manager application to resolve any existing conflicts. An explanation of this can be seen later in this manual.
43
2 August 2007
See the Component Level section in Appendix A - E1Config for recommended use of Component levels.
44
2 August 2007
Note If you change the Component Level for any Component/s that are attached to profiles through an associated Entity, either directly or through a Function, then the User Status or that profile/s will be reset to Changed. See the Entity Manager section of this manual for more information on User Statuses.
45
2 August 2007
Copying a Component
Highlight a Component and click Copy. You will be taken to the Copy Parent form from where you can copy the Component in the following ways: 1. Copy to an existing Component by entering that Component name in the To Details Component field. See Add/Replace records in the Field Descriptions section. 2. Create a new Component by entering a new Component name into the To Detail Component field *. 3. Copy to the same Template by leaving the To Details Template as the default. You would do this if you were copying a level 9 component (Inquiry) to a level 3 component (update). Once copied you would add the Action Code records to this component to make it an update component. 4. Copy to a different Template by overwriting the value in the To Details Template with the Template Id of the target Template. You could do this to replicate proven test Components in Production Templates or to replicate modified Components across multiple Templates.
* - Creating a New Component will default the same Component Level as the From Component. If you are modifying a QComponent, and creating an update Component for example, then you should be aware that you will need to reset the Component Level for the To Component.
SEC-Qure E1Config Rev 1.1 46 2 August 2007
Field Descriptions
Add Records
Select this button to add any new records from the selected Component to the Copy To Component. This will leave any existing records and add any that do not exist. Removes any existing records from the Copy to Component and Replaces them with all the records attached to the Copy From Component. Displays the name and description of the Template to which the selected Component is attached. Displays the name and description of the Component that you are copying. Displays the name and description of the Template to which the selected Component is attached. This can be changed to another Template thus enabling you to copy Components across Templates. This field allows you to enter the name and description of a new Component or select or enter the name of an existing component.
Replace Records
From Details
Template ID
Component
The Parent Header details of your Copy From Component will be carried across so if you are going to modify a Component ensure that the correct level is maintained.
47
2 August 2007
Deleting a Component
Highlight the Component that you wish to delete and click Delete. You will be prompted with the Delete message confirmation window. Simply click OK to delete the Component or Cancel to stop the Delete.
WARNING this will delete the selected Component from User/System Roles, Functions and/or Segregation of Duties Rules to which it is attached. To highlight this, additional warning messages may appear along with the Delete message confirmation box. If this is the case be very careful that you have made allowances for this with regards to the security and compliance of users as deleting this component and rebuilding security for one or more users could affect their access rights. Note You cannot delete a Component that is the Header record for an existing SOD rule. You must first delete the rule before deleting the relevant Component.
48
2 August 2007
Locating an Object
E1Config holds Component detail information in the FY5AF405 table but the object name field in this table is encrypted to protect against un-authorized access. Only users that have E1Config with a valid SPC can therefore view this information. Existing users of Version 2.02 will be aware that this makes tracking down objects when customizing Components awkward as the only time to see what Components contain which objects is once they are attached to a user. This information can then be viewed through the Component Tracker File (FY5AF513). In order to make the product more user-friendly we have therefore added the Work with Object Components form (WY5AF405E). Access this form by taking the Objects Form exit from within the Work with Parents screen. This form allows users to input a particular object and all Components containing this object will be returned to the grid. The Components that are returned can then be worked with in more detail.
49
2 August 2007
The Template ID and description for the Template that you are working within. This field is mandatory. Use the visual assist or enter in an object name i.e. P01012 or F0006. Click find and a list of the Components that contain the selected object will be returned.
Security Type
Some objects can exist for more than one security type i.e. APPL can exist for multiple security types. Depending on the type of Component you are working with you may wish to filter the Component list to only show a particular security type. Use the visual assist or enter in a valid E1 security type. Click find (ensuring that there is an object in the object name field) and a list of Components that contain the selected object and security type will be returned.
Component Level
When working with Components certain objects may be repeated through Components that have different levels i.e. an Update Component and an Inquiry Component for Voucher Entry will both contain the same Application security records. In order to make a potentially long list more manageable use the visual assist or enter a valid Component level into this field along with an object name. Click find and the grid should display a list of Components that match your search criteria. The names of all Components that match the search criteria entered. See below for all Components that contain the Address Book application (P01012).
Component ID
Description
The description of all Components that match the search criteria entered. See below for all Components that contain the Address Book application (P01012).
50
2 August 2007
Exits
Row
Component Objects
Highlight the Component that you wish to work with and click this Row exit. This will access the Component Detail Header form Work with Components (WY5AF405A) from where you can add, delete, copy or modify existing Component detail records.
Form
QSG
Displays the version number of the E1Config software that you have and some contact details for QSoftware.
In the example below an attempt is being made to track down all Components that contain the Address Book application (P01012).
By double-clicking a record, or highlighting and clicking Select you can drill down and work with the detail of this Component or use it to copy records to a new/existing Component.
51
2 August 2007
52
2 August 2007
Adding a Function
To add a Function, ensure that the Parent Type is Function and then click the Add button.
53
2 August 2007
Field Descriptions
Template ID Type
Shows the Template ID for the Template to which you are adding a Parent. Shows the code that defines which type of Parent you are adding. In this case it is a type 2 (Function). This is the 10-character Id that denotes each component. See Appendix A - E1Config for more information on naming conventions.
Parent Name
This is the 80-character description that is assigned to each of your parents. These are 3-character user defined fields which can be used to classify the Function. See the Maintain Reporting Codes section of this manual for more information.
54
2 August 2007
55
2 August 2007
Copying a Function
Highlight a Function and click Copy. You will be taken to the Copy Parent form from where you can copy the Function in the following ways: 1. Copy to an existing Function by entering that Function name in the To Details Function field. See Add/Replace records in the Field Descriptions section. 2. Create a new Function by entering a new Function name into the To Detail Function field. 3. Copy to the same Template by leaving the To Details Template as the default. You would do this to replicate an existing Function and then modify it. 4. Copy to a different Template by overwriting the value in the To Details Template with the Template Id of the target Template. You could do this to replicate proven test Functions in Production Templates or to replicate modified Functions across multiple Templates.
56
2 August 2007
Field Descriptions
Add Records
Select this button to add any new records from the selected Function to the Copy To Function. This will leave any existing records and add any that do not exist. Removes any existing records from the Copy to Function and Replaces them with all the records attached to the Copy From Function. Displays the name and description of the Template to which the selected Function is attached. Displays the name and description of the Function that you are copying. Displays the name and description of the Template to which the selected Function is attached. This can be changed to another Template thus enabling you to copy Function across Templates. This field allows you to enter the name and description of a new Function or select or enter the name of an existing Function
Replace Records
From Details
Template ID
Function
All Components attached to your selected Function will also be copied to the new/existing Function.
57
2 August 2007
Deleting a Function
Highlight the Function you wish to delete and click Delete. You will be prompted with the Delete message confirmation window. Simply click OK to delete the Function or Cancel to stop the Delete.
WARNING this will delete the selected Function from any Profiles and Functions to which it is attached. An additional warning message will be called if this is the case.
58
2 August 2007
59
2 August 2007
60
2 August 2007
Field Descriptions
Template ID Type
Shows the Template ID for the Template to which you are adding a Parent. Shows the code that defines which type of Parent you are adding. In this case it is a type 1 (Segregation of Duties). Level at which SOD conflict checking is done. 1=Component 2=Object This is the 10-character Id that denotes each component or object. See Appendix A - E1Config for more information on naming conventions.
This is the 80-character description that is assigned to each of your SODs. Enter or select a Security Indicator. These are 3-character user defined fields which can be used to classify the Segregation of Duties. See the Maintain Reporting Codes section of this manual for more information.
61
2 August 2007
62
2 August 2007
WARNING Deleting a Segregation of Duties child or parent may affect compliance and an additional warning message will be called to highlight this. *Note - All attached Components will be deleted from the Segregation of Duties Parent Type. The Components will not be deleted from the Component Parent Type.
63
2 August 2007
Parent Details
Once header records are created then you can add detail records to said parents. Simply highlight the required parent and take the Parent Details Row exit to be taken to the correct entry form dependant on Parent Type.
Component
Detail records added to Components actual security records. These can be any of the 11 Security Types available from the E1 Security Workbench (P00950) application. Detail records added to Functions can be either Functions or Components. Detail records added to Segregation of Duties rules must be Components or Objects only.
64
2 August 2007
To attach security to a Component click Add and you will be taken to a form (see below) that allows you to select the type of security that you want to apply. If records already exist for a Component you can amend or add new security either by clicking Add or by double clicking on the relevant record, or security type.
To select a particular kind of security click on the relevant security type and then click OK. Please note:The Data Browser Security Type is only available to clients that are using an 8.11 SP1, Tools Release 8.95 and above version of EnterpriseOne (E1Config will allow this security type to be selected on 8.11 but EnterpriseOne will not support it for users on an earlier tools release than 8.95). Link, Push Button and Image Security Types are only available to clients that are using an 8.11 SP1, Tools Release 8.96 and above version of EnterpriseOne (E1Config will allow this security type to be selected on 8.11 but EnterpriseOne will not support them for users on an earlier tools release than 8.96).
SEC-Qure E1Config Rev 1.1 65 2 August 2007
The Media Object Security Type is only available to clients that are using an 8.12 Tools Release 8.96 and above version of EnterpriseOne (E1Config will allow this security type to be selected on 8.12 but EnterpriseOne will not support it for users on an earlier tools release than 8.96).
66
2 August 2007
Security Detail
If you have accessed a security type either through the Select Security Type form or directly from the Work with Components by Security Type form you will be taken to a Work with Component form that differs for each type of security. Depending on the type of security that you are writing the entry methods vary. Some allow you to write records manually or Heads Down, others enable you to use Explorer functionality to select which records to apply security to and some allow you to check buttons to apply security. See Appendix A - E1Config Security Type (Work with Components by Security Type vs. Selector) for which types of security can be applied using which forms. See also the E1Config Setup section of this manual and/or Version Security Enabled below if you are using Version Security in your implementation. See also the E1Config Setup section of this manual and/or Hidden Programs Enabled below if you wish to employ this functionality.
Below is an example of a Work with Component form. All are different and the field descriptions below cover all likely fields.
67
2 August 2007
Field Descriptions
Component ID Defaults
The Component Name and Description. This field is hard coded. The default security settings for the relevant security type. These are controlled by Defaults section of the template you are currently working in. See the Template Manager Defaults section of this manual for more information. The default settings can be modified from within the application by clicking the Set Defaults button. A check indicates a Y and a blank indicates an N. Depending on the security type you are adding this field allows you to enter or select a specific Application to apply security to. Depending on the security type you are adding this field allows you to enter or select a specific Form to apply security to. If you are adding Row or Column security records this field enables you to enter or select a specific Table to apply security to. If you are adding External call security through the selector this field displays which Menu and Menu Selection has had security applied to it. This field will default to show the object description for the Application, Form, Table or Menu/Selection that you are writing records against. If you are creating Row or Column security records this field enables you to enter or select the specific Alias you wish to apply records against. This is a lot quicker and easier than E1 as there you have to enter the Data Item in full exactly first. Once you enter the Alias in E1Config the Data Item defaults into the line. The Values differ by Security type but can be broken down into the following: Run, Install, View, Add, Change, and Delete, Copy, OK/Select, Scroll to End, Prompt For Values, Prompt for Versions and Prompt for data selections. You can apply the default security settings to one or more highlighted objects if necessary.
Table Name
Alias
Values
Row Exits
Apply Defaults
68
2 August 2007
Form Exits
Selector
Calls the Selector application that allows you to add multiple security details to a component quickly and easily. Further explanation of this feature can be seen later in this manual. Enables you to set the defaults for the relevant security type. These defaults will remain for only as long as you remain within the application. As soon as you exit the application the defaults will reset to conform to the processing options.
Set Defaults
Set Defaults
Click on the Set Defaults button and you will be taken to a Default Entry form specific to each type of security (the form below is just an example of one type). By checking a box you are setting the selected value to a Y. By leaving a box blank you are setting the relevant value to an N. Click OK to confirm the defaults you have set. The initial settings are generated from the Default settings in the Template Header.
69
2 August 2007
Ensure that you press OK to save the records to the Component detail table before you exit this form. If you press close then the records are not necessarily saved.
Modifying Security
To change security details modify the records manually. Ensure that you click OK before exiting to save the changes.
Deleting Security
To delete security records, highlight the relevant records and click the Delete button. Ensure that you click OK before exiting to save the changes.
SEC-Qure E1Config Rev 1.1 70 2 August 2007
Using the Search Criteria The search and select criteria work in a very similar way to the E1 Security Workbench Unsecured selection, except that no wildcards can be entered. Click a button, then enter a value in the blank window and click Find. The display will show those records that match your search criteria. Application Click the Application button and then enter the name of an application and that application will be shown with all relevant elements.
71
2 August 2007
Menu Click the Menu button and then enter a particular Menu Id. All objects on the selected menu will be displayed with any relevant elements. This radio button is disabled if you are using an 8.x version of E1. Product Code Click the Product Code button and then enter the name of a E1 system and all objects and their elements that are part of that system will be displayed. Solution Explorer Click the Solution Explorer button and then use the Visual Assist to select a Task or enter a Task Id into the field and all objects on the selected Task will be displayed with any relevant elements. Secure This button returns highlighted values to the Work with Components by Security Type form with the Default Security settings applied.
Row Exits
Form Exits
Set Defaults
Enables you to set the defaults for the relevant security type. These defaults will remain for only as long as you remain within the application. As soon as you exit the application the defaults will reset to conform to the processing options. Enables you to apply *ALL security for the Security Type you are updating. This is only available for some security types.
Secure All
Secure Once you have found the relevant objects or elements that need to be secured you can highlight one or more and click the Secure button and these will be returned to the Work with Components by Security Type form with the Default security settings applied. If the Default settings are not requisite, they can be changed by taking the Form Exit Set Defaults. In order to view what security records have been taken you must Close out of this form to view the records in the Work with Components by Security Type form. You must then OK these records to save them to the Component. To highlight more than one object to secure you can use Explorer functionality. To select multiple records which are all in order hold down shift and click on numerous records or use the arrow keys. To select multiple records which are not in order hold down control and click on the required records. Then click Secure and the highlighted records will be secured. Secure All Certain Types of security can only be applied through E1Config using the Selector. The Secure All button has been incorporated to enable you to apply a *ALL value for these types of Security. This button is also active for other types of security that utilize the Heads Down entry Method. You can add *ALL settings to these other types of security through the grid as well.
SEC-Qure E1Config Rev 1.1 72 2 August 2007
Once you have returned to the Work with Component form for the relevant security type ensure that you click OK to save the records to the file or else they will be lost and you will have to do it again.
73
2 August 2007
74
2 August 2007
PY5AF405/WY5AF405G Selector Versions are displayed in the same way as the Security workbench, but multiple versions can be selected to secure at one time using the standard windows <Shift> or <Ctrl> functionality.
75
2 August 2007
76
2 August 2007
Field Descriptions
Assoc Apps
If a Y appears in this column then Associated Applications exist for this application. The Assoc Apps Row Exit should also be available for you to pull in any applications that you wish. If a blank appears in this column then no Associated applications exist for this Application. The Assoc Apps Row Exit will not be available. If a B appears in this column then information has not been built for this application and we suggest that you run the relevant tasks in the E1Config section of this manual.
77
2 August 2007
Assoc Rpts
If a Y appears in this column then Associated Reports exist for this application. The Assoc Rpts Row Exit should also be available for you to pull in any applications that you wish. If a blank appears in this column then no Associated applications exist for this Application. The Assoc Rpts Row Exit will not be available. If a B appears in this column then information has not been built for this application and we suggest that you run the relevant tasks in the E1Config section of this manual. If a Y appears in this column then Associated Search & Select Forms exist for this application. The Assoc Sch/Sel Row Exit should also be available for you to pull in any applications that you wish. If a blank appears in this column then no Associated applications exist for this Application. The Assoc Sch/Sel Row Exit will not be available. If a B appears in this column then information has not been built for this application and we suggest that you run the relevant tasks in the E1Config section of this manual. If a Y appears in this column then Hidden Programs exist for this application. The Hidden Programs Row Exit should also be available for you to pull in any applications that you wish. If a blank appears in this column then no Associated applications exist for this Application. The Hidden Programs Row Exit will not be available. If a B appears in this column then information has not been built for this application and we suggest that you run the relevant tasks in the E1Config section of this manual. Highlight the relevant grid record and click this button to drill down to the Associated Applications Selector. Highlight the relevant grid record and click this button to drill down to the Associated Reports Selector.
Assoc Sch/Sel
Hidden Programs
Row Exits
Assoc Apps
Assoc Rpts
78
2 August 2007
Highlight the relevant grid record and click this button to drill down to the Associated Search & Select Forms Selector. Highlight the relevant grid record and click this button to drill down to the Hidden Programs Selector.
The Selector works the same way for each of the drill downs and an example can be seen below.
Field Descriptions
Application
This field will be populated with the ID and description of the selected Application. Highlight one or more of the Applications, Forms, or Versions using standard windows <Shift> or <Ctrl> functionality and then click this button to add these objects to your Component.
Row Exits
Secure
79
2 August 2007
80
2 August 2007
You can copy the security details from one Component to another within the same Template or to another Template. The copy function allows you create new Components with the records that you are copying, to add records to existing Components or to delete all records from an existing Component and replace them with the records from the Component that you are using to copy.
Field Descriptions
Add Records
Select this button to add any new records from the selected Component to the Copy To Component. This will leave any existing records and add any that do not exist. Select this button and the records for the Copy To Component will be deleted and replaced with those from the Component that you are copying. This shows the Template that you are copying from. This shows the name of the Component from which you are copying some or all records.
Replace records
From Details
81
2 August 2007
To Details
Template ID
This displays the Template that you are copying to. It will default to the current template but allows you to enter or select which Template to copy to. Enter the Component that you wish to copy records to. You can copy to an existing Component or create a new Component. If you are creating a New Component and then modifying it then ensure that you give the new Component the correct Component Level once it has been created.
Component
The Parent Header details of your Copy From Component will be carried across so if you are going to modify a Component ensure that the correct level is maintained.
Deleting Security
To delete security records, highlight the relevant records and click the Delete button.
82
2 August 2007
Function Detail
Once you have created a Function Header you can define the detail beneath it by highlighting a Function and choosing the Parent Details Row exit. Existing Functions can also be interrogated and edited in this manner.
To add Functions or Components inquire on the relevant type, highlight the required record and click Select. The selected record will be attached to the Function. Functions and Components cannot be added at the same time.
83
2 August 2007
Function Detail
Click on the node next to a Function to see what Components and Functions are attached to a Function.
84
2 August 2007
WARNING this will delete the selected Function from Users and Functions to which it is attached. To highlight this, an additional warning message appears along with the Delete message confirmation box if a Function is attached to a profile through E1Config. If this is the case be very careful that you have made allowances for this with regards to the security of users as deleting this Function and rebuilding security for one or more users could affect their access rights.
85
2 August 2007
To add one or more Components highlight the required record(s) and click Select. The selected record(s) will be attached to the Segregation of Duties rule. Functions and Components cannot be added at the same time.
SEC-Qure E1Config Rev 1.1 86 2 August 2007
To add one or objects highlight the required record(s) and click Select. The selected record(s) will be attached to the Segregation of Duties rule.
87
2 August 2007
88
2 August 2007
You can create a new SOD rule by copying, or add/replace the Components or Objects to an existing SOD rule. The SOD rule that you are copying to or creating must exist in the Template that you are working within, or if you are copying across Templates then the new rule must exist in the target Template. If you are copying across Templates then if any of the Components or Objects that you are copying do not exist in the target Template then they will be created.
89
2 August 2007
90
2 August 2007
Entity Management
Entity Manager
The Entity Manager can be defined as the link between your Template (including all attached Components and their security records, Functions and Segregation of Duties) and each instance of the F00950 that you have. This link is similar to an OCM mapping* and defines where the security will be built to i.e. which security table will records be written to when the security for a User/System Role is built. * Note Entities must be created in conjunction with OCM mappings. Creating an Entity will not create OCM Mappings for you and without the correct OCM mappings E1 will not function correctly with a multiple security table configuration. For more information on different security set-ups see Appendix B Security Table Setup. For more information on Builds see the User Security Maintenance section of this manual.
91
2 August 2007
Field Descriptions
Entity ID
The 10-character user defined ID that denotes an Entity. The Entity provides the link between the Template and the security table.
Description Template ID
The 30-character description that defines an Entity. The Template ID and all attached parents that are assigned to an Entity.
Data Source The Data Source is the E1 mapping where your security table resides. If you have more than one security table then you may require different Entities with different data sources. Row Exits Users Access the User Security Manager that contains all User/System Roles in the F0092 and allows you to attach security to them depending on the Template and Data Source selected. Displays the version number of the E1Config software that you have and some contact details for QSoftware. This exit calls a front end for the User Clean Up report (RY5AF570). The screen allows you to select what version of the report you wish to run and therefore what parameters you wish to pass into the report. The RY5AF570 report allows you to remove orphan records from your E1 security table (F00950) and the E1Config tables (FY5AF512, FY5AF513, FY5AF515 and FY5AF402) for those user profiles that have been deleted from the F0092 table. See the User Clean Up Section of this manual, below, for more information on this process.
Form Exits
QSG
User Clean Up
92
2 August 2007
Adding an Entity
From the Entity Manager Work with Entities form click Add and then create an Entity. All fields are mandatory when creating an Entity.
Field Descriptions
Entity ID
The 10-character user defined ID that denotes an Entity. The Entity provides the link between the Template and the security table.
Description Template ID
The 30-character description that defines an Entity. The Template ID and all attached parents that is assigned to an Entity.
Data Source The Data Source is the E1 mapping where your security table resides*. If you have more than one security table then you may require different Entities with different data sources.
93
2 August 2007
* Note If a data source does not contain an instance of a security table an error message will be generated.
Modifying an Entity
To modify an Entity, highlight the record you wish to modify, double-click or click Select and you will be taken to the Entity Information form for the selected Entity. You can then modify all fields other than the Entity ID. If you wish to change this you must copy the Entity or delete it and start again.
94
2 August 2007
Deleting an Entity
To delete an Entity, highlight the record you wish to delete, click delete and then ok the confirm deletion window.
* Note Deleting an Entity will not remove the security that has been attached to any User/System Roles from the F00950 (Security Table).
95
2 August 2007
User Clean Up
When you remove a profile from the F0092 table that record will automatically be removed from the display on the User Security Workbench as the Business Function behind this screen checks the F0092 each time you access the screen. The E1 security table (F00950) and the E1Config tables (FY5AF512/FY5AF513/FY5AF515) will still show information relating to that user. By clicking the User Clean Up form exit you will run a batch process that compares the E1 security table and the E1Config tables with the F0092 table and will allow you to remove the records from both sets of tables. When you want to perform a User Clean Up, click the Form exit (see below) whereby all Entities will be cleaned and a report produced.
96
2 August 2007
This will submit RY5AF570 version QSG0001. This version of the report will remove any orphan records from the QSoftware tables for any E1 profiles that have been deleted. This will submit RY5AF570 version QSG0002. This version of the report will remove any orphan records from the F00950 table for any E1 profiles that have been deleted. This will submit RY5AF570 version QSG0003. This version of the report will remove any orphan records from the QSoftware tables and the F00950 table for any E1 profiles that have been deleted. This will submit whichever version of the RY5AF570 that you have selected and run it on Proof. No records will be removed. Proof mode allows you to see which records would be cleaned up from the relevant tables should you run this report in Final mode.
97 2 August 2007
Proof Mode
Final Mode
This will submit whichever version of the RY5AF570 that you have selected and run it on Final mode. Final mode will clear the records from the relevant files depending on which version was selected.
More detail for the three versions of this application can be seen in the E1Config Administration section of this manual. A sample of the RY5AF570 report can be seen below:
Field Descriptions
Table
Lists the Tables that contain records for obsolete profiles i.e. those that have been removed from the F0092 table. If more than one user, as in the above example, has been removed from the F0092 then multiple instances of a table may appear.
User/System Role
98
2 August 2007
User Management
User Security Manager
Once your Components and Functions are created they can be assigned to your user population through the User Security Manager. The User Security Manager retrieves the User/System Roles it needs directly from your F0092. It allows you to write security against User System roles and the *PUBLIC profile. Where the security is written to, and what security is available for writing, is dependant on the Entity that you are working within. The Entity is the link between the Template, which contains the Functions, Components and therefore the security records and the Data Source, which contains the Security table (F00950). Once you have added Functions and/or Components to your User/System Roles you can build these records to the Security table for the current Entity, which is predefined when you create the Entity. The User Security Manager enables you to build security for your user population individually or in batch mode for multiple profiles. Before you apply security you have the ability to validate the security and to check that no Conflicts (see Conflict Manager for more detail) exist for each of your User/System Roles. This is effectively building the profiles in Proof mode. Once your security has been created the User Security Manager also allows you to track any changes that occur so long as the changes occur from within E1Config. What this means is that if any detail for a Component changes or if any Functions are modified then the Status of each profile that the modified Component and/or Function is attached to will change to indicate that a rebuild is required. If you maintain security through the E1 security workbench (P00950) you will find that your security is not supported using E1Config and records in E1Config will differ from those in your F00950 table. To ensure that your security integrity is maintained see the following sections of this document: Entity Manager (PY5AF440) - User Clean Up Form Exit (RY5AF570/QSG0003). Config Administration Menu/Task QE1C102. User Clean Up UBEs RY5AF570 (QSG0001/2/3).
99
2 August 2007
Field Descriptions
Entity ID Template ID
The name and description of the current Entity. The name of the template that is attached to the current Entity. This determines what Components and Functions are available to apply to Users within this entity.
100
2 August 2007
Report Exits
Build Validated
This Batch Job will take all profiles that are at a status of 1 (Data Exists) and move them to a status of 2 (Validated). During this process it will also validate all these profiles and check that there are no Conflicts. A report will be produced listing any profiles that are in conflict. No security settings will actually be written against users. This report can be seen in User Security Workbench Reports section of this Manual below. This report will submit a batch job that will write all security records to the target Security Table for all profiles that have a status level of 2 (Validated). This report can be seen in User Security Workbench Reports section of this Manual below. This report will submit a batch job that will write all security records to the target Security Table for all profiles that have a status level of 1 (Data Exists), or 2 (Validated). It will also rebuild security for users who have a 3 (Completed Status). This may need to be done on a periodic basis if records have been updated using P00950, as security applied in this way will not be tracked through E1Config. This report can be seen in User Security Workbench Reports section of this Manual below. Highlight a User/System Role and click validate. This will advance the profile status to Validated (or green) and call an interactive Conflicts window if any Conflicts arise. These Conflicts can be viewed in the Conflict Manager. Highlight a User/System Role and take the Report Row exit. This will submit a batch job that will list all the Components, their detail and any Conflicts that arise for the selected profile. This report can be seen in User Security Workbench Reports section of this Manual below.
Build All
Row Exits
Validate
Report
Build
Highlight a User/System Role and take the Row exit Build. This will write the attached security records to the target data source specified in the current Entity and interactively pull up a Conflict window if any Conflicts exist.
101
2 August 2007
Conflicts
If Security Conflicts exist for a profile, highlight that profile and the Row exit button Conflicts will be active. If no Conflicts exist then the button will not be available. Select the button if active for a profile and you will be taken to the Conflict Manager. The Entity ID and the User/System Role will be greyed out and the Security Settings button will be checked. Any Conflicts for the Selected profile and Entity will be listed.
Segregation Issues
If Segregation of Duties Conflicts exist for a profile, highlight that profile and the Row exit button Segregation Issues will be active. If no Conflicts exist then the button will not be available. Select the button if active for a profile and you will be taken to the Conflict Manager. The Entity ID and the User/System Role will be greyed out and the Segregation of Duties button will be checked. Any Conflicts for the Selected profile and Entity will be listed.
Form Exits
QSG
Displays the version number of the E1Config software that you have and some contact details for QSoftware. Allows Users or Roles to be assigned to Functions or Components.
Cmpnts/ Functions
102
2 August 2007
Rather than scrolling down to find the User/System Role that you require the display will reset to the value that you overtyped. In the example above a P was typed in and the display has now selected the first profile beginning with P. We recommend that you utilize this functionality especially if you have a large number of profiles to deal with as it can greatly reduce the amount of time taken to apply security.
103
2 August 2007
System Role The System Role field enables you to perform a more specific search for a Group/System Role Profile and all users associated with that Group/System Role. Enter or use the visual assist to select a System Role. Then click on the Find button, which will refresh the search. If you then open the System Role directory you will only see the profile that you selected to search upon (see below). If you then open the Users directory you will only see the Users that are members of the Group/System Role that you selected to search upon (see below). The Subset and All radio buttons control how the System Role field behaves if a partial name is entered. If the All radio button is clicked and the Find button is pressed, when the System Role directory is opened the list This way you can easily filter the list of profiles to target one Group/Role to review, add or modify attached parents and/or security records.
104
2 August 2007
User ID This field behaves in exactly the same way as that of the Position To functionality discussed above. The User ID Field allows you to start the list of users from a particular point. Enter or use the visual assist to select a User ID. Then click on the Find button to refresh the screen. Open the Users directory and the list of user profiles will begin from the selected profile to search upon (see below).
105
2 August 2007
User ID field in 8.x versions Due to the Multiple Role nature of the 8.x versions of E1, additional functionality is available to you. Entering a valid User Profile will reference the Role Relationship table (F95921) and pull in all of the Roles associated with the selected user. The System Roles directory will filter to show only those roles that belong to the chosen User. This makes it easier to see where conflicts are inherited from.
106
2 August 2007
To add Functions or Components inquire on the relevant type, highlight the required record and click Select. The selected record will be attached to the User/System Role and sorted alphanumerically. Functions and Components cannot be added at the same time. If you are only choosing one Function or Component, you can double-click to attach it to the selected profile. You can use Ctrl>Click to choose multiple Functions or Components to attach to the Selected profile. You can use Shift>Click to choose a block of Function or Components to attach to a selected profile.
107
2 August 2007
108
2 August 2007
Bitmap Flags
Bitmap Blank
No Data or level 0
This setting means that no records have been attached to this profile in E1Config. Records may be attached in E1 but they will not be recorded or tracked unless incorporated into E1Config. This means that the status of the User security has changed in E1Config. This can mean one of three things has happened. Either new records, i.e. Components or Functions with Components, have been attached therefore the User Security needs to be built. Existing Components or Functions have been removed from the profile and therefore security needs to be rebuilt for the profile. Or existing records have changed, i.e. a Component has had an Application removed, and therefore security needs to be rebuilt for the profile.
Bitmap Red
Bitmap Green
Validated or level 2
This means that the profile has moved to a validated status. This is the same as building security for a User in proof mode so that Conflicts can be resolved before actual security records are appended to the profile. Any outstanding Conflicts can be viewed using the Conflict Manager. This means that the profile has moved to a Validated status but that Conflicts exits. Refer to the Conflict Manager section of this manual for resolution. This means that the Components and their security records have been attached to the profile and are now active that is they have been written to the F00950. Any outstanding Conflicts can be viewed using the Conflict Manager. If the completed white profile has a red top it means that conflicts exist for that profile.
Bitmap White
This means that the profile has moved to a Completed status but that Conflicts exits. Refer to the Conflict Manager section of this manual for resolution.
109
2 August 2007
* - Deleting against a validated profile or records attached to a validated profile should revert the user to an affected (red) status if there are other records still attached, or a blank status meaning that they are. - Highlighting a profile and clicking Delete will not delete the user from the F0092 table. - The Deletion button is only active against the profile or Functions/Components that are attached directly to the profile. This is to stop you from deleting Functions and their connected Functions and/or Components from the associated Template.
SEC-Qure E1Config Rev 1.1 110 2 August 2007
Built (white) Profiles If a profile has had their security records built to the F00950 table then you may want to remove those records when you delete from within the User Security Management Screen, or you may want to retain the F00950 records. In order to facilitate these requirements use the same functionality as discussed above and once you have confirmed the deletion an additional delete confirmation box will be called. This box will ask you to perform one of two actions (see below). Clicking Yes will remove the F00950 records and remove any associated records from all E1Config tables . Clicking No will retain the F00950 records whilst removing any associated records from all E1Config tables .
- This will not remove Functions, Components or Security records from the associated Template.
111
2 August 2007
112
2 August 2007
Field Descriptions
Add Records
Select this button to add any new records from the selected User/System Role to another profile. This will leave any existing records and add any that do not exist based on Parents not objects. Select this button and the records for the Copy To User/System Role will be deleted and replaced with those from the selected profile that you are copying. This displays the current Entity. This defaults to the current Entity but allows you to enter or select another as required.
113 2 August 2007
Replace Records
This displays the current User/System Role. Enter or select the User/System Role that you wish to Copy records to. Check this button and the Copy To User / System Role visual assist button will call the User Search & Select form. Check this button and the Copy To User / System Role visual assist button will call the Role Search & Select form.
Role
114
2 August 2007
Field Descriptions
Entity ID
The 10-character user defined ID that denotes an Entity. The Entity provides the link between the Template and the security table.
Description Template ID
The 30-character description that defines an Entity. The Template ID and all attached parents that are assigned to an Entity.
115
2 August 2007
Data Source
The Data Source is the E1 mapping where your security table resides. If you have more than one security table then you may require different Entities with different data sources.
The User/System Role and description for the profile that has been Validated. This should always read 2 = Validated. Whether there are Security Conflicts for this profile. If Y then use the Conflict Manager to resolve them, or view the detail output for this report. The Security Detail, Component Level and Selection Flag should help you to pinpoint the reason for the conflict. Whether there are Segregation of Duties Conflicts and two Components have been added to the same profile that contravenes an establish SOD rule. Use the Conflict Manager to resolve any conflicts. Each Security Type is printed on a separate page for the selected User System Role in Numeric order 1-9 The Component ID from where the record originated. The level of the Component from which the record originated. Where the record was actually written. If there are records with the same security type and object name, but different values are trying to be written to the same User/System Role this field explains which record has actually been written due to the Component Level.
116
2 August 2007
Field Descriptions
Entity ID
The 10-character user defined ID that denotes an Entity. The Entity provides the link between the Template and the security table.
The 30-character description that defines an Entity. The E1 User/System Role for any profiles that were at a Status of 1 (Records Exist) at the time of submission. The Address Book description for the User/System Role.
117
2 August 2007
Conflicts Exist
Whether there are Security Conflicts for this profile. If Y then use the Conflict Manager to resolve them, or view the detail output for this report. The Security Detail, Component Level and Selection Flag should help you to pinpoint the reason for the conflict. Whether there are Segregation of Duties Conflicts and two Components have been added to the same profile that contravenes an establish SOD rule. Use the Conflict Manager to resolve any conflicts. Whether the Validation was successful for the appropriate User/System Role or Conflicts exist. Will display a count of the profiles that have been validated.
118
2 August 2007
Build Validated
This report shows the results of builds that have occurred for all users that have a status of 1 (Records attached) or 2 (Validated).
Field Descriptions
Displays the current Entity with description, Template with description and Data Source. Displays a list of all profiles that were built by the batch job Build Affected. Displays a list of all profile descriptions that were built by the batch job Build Affected. This field will either show as Y or N for the User/System Role if any Security Conflicts exist for that profile when built. This field will either show as Y or N for the User/System Role if any Segregation of Duties Conflicts exist for that profile when built. Shows whether the build completed successfully and if any Conflicts arose as a result for each profile.
119 2 August 2007
Build All
This report shows the results of builds that have occurred for all users that have a status of 1 (Records attached), 2 (Validated) or 3 (Complete).
Field Descriptions
Displays the current Entity with description, Template with description and Data Source. Displays a list of all profiles that were built by the batch job Build Affected. Displays a list of all profile descriptions that were built by the batch job Build Affected. This field will either show as Y or N for the User/System Role if any Security Conflicts exist for that profile when built. This field will either show as Y or N for the User/System Role if any Segregation of Duties Conflicts exist for that profile when built. Shows whether the build completed successfully and if any Conflicts arose as a result for each profile.
120 2 August 2007
Field Descriptions
Entity ID Template ID
The name and description of the current Entity. The name of the template that is attached to the current Entity. This determines what Components and Functions are available to apply to Users within this entity.
121
2 August 2007
To add Profiles, highlight the required records and click Select. The selected record will be attached to the Parent and sorted alphanumerically. If you are only choosing one profile, you can double-click to attach it to the selected parent. You can use Ctrl>Click to choose multiple profiles to attach to the selected parent. You can use Shift>Click to choose a block of profiles to attach to a selected parent.
122
2 August 2007
Conflict Management
Conflict Manager
The Conflict Manager facility can be accessed from the QE1C101 Menu/Task, or from the Row Exit buttons in the User Security Manager form. If you access the Conflict Manager from QE1C101 it will show all User Conflicts and allow you to select different Templates or User/System Roles where necessary. If you access the Conflict Manager from the User Security Manager form then different results will show depending on which Row exit you take. Only the selected Template and User/System Role will be displayed. Segregation of Duties Conflicts will be displayed by Template and Profile if you select the Segregation Issues button and Security Conflicts will be displayed by Template and profile if you select the Conflicts button.
123
2 August 2007
Field Descriptions
Entity ID
If you access the form from the Menu then you can enter or select an Entity to Interrogate. If you only enter the Entity then all Security or SOD Conflicts will display. If you enter from the User Security Maintenance form then this will default to the Entity that you were managing and only allow you to work with that Entity. This field is mandatory. If you access the form from the Menu then you will be able to enter or select a profile for this field. Only those Conflicts that exist against that profile will be displayed for the selected Template. If you enter from the User Security Maintenance form then this will default to the selected profile and only allow you to work with that User/System Role.
User/System Role
The User and Role radio buttons control what happens when you press the Visual Assist button in the User/System Role field. If the User button is checked then a User profiles Search & Select form will be called from the Visual Assist. If the Role button is checked then Role profiles Search & Select form will be called from the Visual Assist. This field is only active when accessed from a Menu/Task.
Security Settings
Checking this button will only show Security Conflicts. These Conflicts arise from Components that have the same level, the same objects but with different values for one or more objects and are assigned to the same User/System Role. This button will be checked by default if you choose the Conflicts Row exit from the User Security Manager form.
124
2 August 2007
Segregation of Duties
Checking this button will only show Segregation of Duties Conflicts. These Conflicts arise from rules where one or more Components that should not be, are assigned to the same User/System Role. This button will be checked by default if you choose the Segregation Issues Row exit from the User Security Manager form.
Row Exits
Apply Records
This button allows you to select which conflicting record that you want to apply to the User ID that is in conflict. Displays the version number of the E1Config software that you have and some contact details for QSoftware.
Form Exits
QSG
125
2 August 2007
The Red record (Update) is the first record that was written and therefore has been applied. The Blue record (Update-no-delete) is causing the Conflict. If you would rather that the User/System Role that is in Conflict only had the Update-no-delete capability for the conflicting application then you can do one of three things: 1. Apply the correct Component to the profile so that Conflicts do not occur. * Note - This may affect other Components and cause conflicts elsewhere.
SEC-Qure E1Config Rev 1.1 126 2 August 2007
2. Apply the correct Component Level to the components so that the right record is assigned and no conflict generated. 3. Highlight the Update record in the Conflict Manager and click the Apply Record button (see below) and the Update record will overwrite the Inquire record in the Security Workbench. The Conflict record will remain in the Conflict Manager so that you have some evidence of why the relevant security was applied for Audit purposes. * Note - You will have to perform this action every time that you run the Build Security feature.
127
2 August 2007
In this example 40CTCOST13 is the Costing Update component. Any user that has this component should not be able to perform Pricing Update (40CTPRICE3). Components can potentially be attached directly to a User/Group/Role profile or they can be embedded within Functions that are attached to Users/Groups/Roles. It is more likely that Segregation of Duties Rules will be broken if Components are embedded within Functions. Note Component Level SOD functionality is available by default based on the Component ID. If Object Level SOD has been enabled then Component SOD Rules are set up as Type 1 SODs.
128
2 August 2007
In this rule a User/s should not be able to create a Vendor with their own Bank Account details and create a Payment to this Vendor. The two Applications that allow this are P03B11 and P0410. Note Object Level SOD functionality is not available by default. To enable Object Level SODs check the Both radio button on the Segregation of Duties Tab of the E1Config System Setup application (PY5AF905). If Object Level SOD has been enabled then Object SOD Rules are set up as Type 2 SODs. In Version 3.0, Object Level SODs only work against Application Security Y i.e. when a Profile is validated or built the security records are checked and any components that contain P03B11 Application Security (3) Run=Y and P0410 Application Security (3) Run=Y are flagged as breaching the Object Level SOD rule above.
129
2 August 2007
An example of both of a User/System Role that breaches both of the above rules and Segregation of Duties Conflicts being flagged can be seen below:
The Profile USER8 is a User whose security has been built and Segregation of Duties Conflicts have been generated. 40CTCOST13 is listed as the SOD rule and 40CTPRICE3 is next to it behind the II break as the Component that has caused the Conflict. This profile also has Components attached to it that contain the records that breach the Object level SOD rule and therefore P03B11 is listed as the SOD rule and P0410 is next to it behind the || break as the object that has caused the conflict. In order to resolve a Conflict you should first establish where the Components and Objects are coming from i.e. are they attached directly to the profile or are they embedded within a Function or Functions that are attached to the User/Group/Role. If they are attached directly to a profile then you can easily resolve this Conflict by removing either the Costing or the Pricing Component from the user or The Standard Invoice Entry or Payment Company Information Component and rebuilding security for that profile/s. If the Components are embedded within a Function/s then you must establish why that Function has been attached to the User/Group/Role and determine a way that the Segregation of Duties Rules are not broken by removing Components from Functions or creating new Functions that do not contain the offending Components.
130
2 August 2007
Multi-level Conflicts
Segregation of Duties Conflicts can potentially exist across multiple security levels. This means that you can apply a Component, or Function containing a Component, at the Group/System Role level and then apply a different Component, or Function containing a Component, at the User level that causes a breach of Segregation of duties. This functionality is also consistent down to the *PUBLIC level and across Multiple Roles in 8.x versions When a multi-level conflict is generated the following message will be caused if you use an interactive validation/build. If you are using a batch process then a message will be printed on the relevant report to signify the same thing.
131
2 August 2007
In the example below the user ALEX4 contains a Component that breaches a rule based on the Component that is applied to one of its associated Roles (ROLE1 in this instance) and therefore the User is flagged up as having a Segregation of Duties Conflict.
132
2 August 2007
133
2 August 2007
134
2 August 2007
E1Config Administration
Menu/Solution Explorer Task QE1C102 contains applications for the maintenance and administration of E1Config Version 2.0. See the E1 Config Setup section (above) of this manual for more information on this application and functionality therein.
135
2 August 2007
Q Software SPC
If this is a new installation of E1Config or you are upgrading from a previous version of QBuild, you must first add a unique Software Protection Code (SPC) via the application PY5AF900. If you have not entered an SPC before, the left hand side of your screen (see below) will be blank. If you have entered an SPC before, then the left hand side of your screen will be populated with the existing information as in the example below.
You must then contact QSoftware (preferably via the support section of www.qsoftware.com) so that we can generate a unique Software Protection Code for your E1Config software. In order to expedite this process, please send us a screen shot of the SPC form PY5AF900/WY5AF900B containing the following information:Number of JDE seats JDE License Expiry Date Deployment Server Name
136
2 August 2007
Once you have received an SPC from us, enter the provided code into the SPC Code fields and click OK. If the Code is accepted you will not receive an error message and will be able to use the software.
137
2 August 2007
Field Descriptions
None
This button will be unavailable unless you have previously set up a database Row Security record. If this button is available, check the button and press enter to delete the database Row Security record. This button will be checked by default, but no value will actually exist on the database until you set one up. Check this button and click OK to set up an Exclusive database Row security record. Check this button and click OK to set up an Exclusive database Row security record.
Exclusive
Inclusive
138
2 August 2007
A report will be produced that will list what records have been copied to the target Template and Entity.
139
2 August 2007
Field Descriptions
Header Template ID Entity ID Shows the Template ID and description for the Template that is being reported on. Shows the Entity ID and description for the Entity that is being reported on. Displays the QBuild V1.2 Component that the conversion was attempted for. The Parent type Component. The Parent description. If a Country code was added to the Component. If a Department code was added to the Component. Displays the Component level for components from V1.2. If the Component had been written to a User in Version 1.2. Blank if Yes N if no.
Detail Component Parent Name Parent Type Description Country Department Component Level Build Indicator
140
2 August 2007
Conflict Indicator Security Indicator Insertion status Detail Function Parent Name Parent Type Child Name Child Type Display Sequence Component Level Insertion Status Detail User User ID Alpha Name Display Sequence Function ID Insertion Status
Whether the Component had Conflicts associated with it in version 1.2. The Security Indicator for the Component from version 1.2. Displays whether or not the Component was successfully created. Displays the QBuild Config V1.2 Component that the conversion was attempted for. The Parent type Function. The ID of the parent attached to the Function in V1.2. Whether a Component or Function. The order in which the children were attached to the Function in V1.2. The Component Level of any Components attached to Functions in V1.2. Displays whether or not the Function and all appended records were successfully created. The User/System role to which version 1.2 parents were attached. The description of the User/System Role. The order in which the parents were attached to the User/System Role. The Parent ID that was attached to the User/System Role in V1.2 Displays whether or not the User/System Role and all appended records were successfully created.
* Warning: - The Template and Entity specified in the Processing Options will be deleted along with any data that they contain. Please be aware of this when running the report.
141
2 August 2007
Default
Enter the Template ID to contain the created Component Detail records. If left blank default value E1Config will be used.
142
2 August 2007
If a 1 is entered any existing components will be recreated. If left blank only new components will be created.
A report will be produced that will list what records have been copied to the Target Template. * Note: - All Components will be created with a Header record that is the same as the profile that was used to create it from the F00950. The description for each Component will read Automatically Generated Component. Each Component will have a Component Level of 8. It is recommended that you use these Components as a basis to create others by copying.
143
2 August 2007
Field Descriptions
Header Template ID Shows the Template ID and Description for the Template to which the security records have been captured. Displays all Components that are attached to the selected Template along with their descriptions. The E1 security type i.e. 1 = Action Code security. The description for each security type. The object ID that has been created in E1Config from the F00950 record. The object description The data item for Row and Column security. The Row security values. The E1 system code for the object.
144 2 August 2007
User ID Detail Security Type Security Type Description Object Name Object Name Description Data Item From Data Value Product Code
SEC-Qure E1Config Rev 1.1
Insertion Status Footer Number of Component records created Number of FY5AF405 entries created. Number of FY5AF501 entries created.
Describes whether each entry has been added successfully or that it already exists. After each profile that has had its security records added to E1Config the number of records for each Component will be listed. This figure is printed at the bottom of the report and will list how many Component Detail records have been created by the job. This figure is printed at the bottom of the report and will list how many Components have been created. This can also be used to denote how many profile records existed in the F00950.
145
2 August 2007
146
2 August 2007
4.
Enter or use the Visual Assist to Select a Product Code. This will create Components for all non-software (07) Tasks that are part of a Product Code i.e. 04 for Accounts Payable. Enter or use the Visual Assist to select the name of the Template that you wish to generate your Components within. Enter the Component Level that you wish your Components to be created at. You can only create components at one level at a time so if you need to create update and inquiry components then you will have to run this application twice.
Default
5.
Template
6.
Component Level
Process
7.
Replace Existing Components. Blank = Do not replace existing components. 1 = Replace Existing components. Where more than one component has been created based on the task the most recently created component will be replaced.
This option allows you to create multiple components for the same task. If a Task has been modified then this option allows you to keep your Components in synchronization with your tasks.
8.
Enter or use the Visual Assist to select a language. UDC 01/LP. If you are using multiple languages in your enterprise then this option will allow you to create tasks with different language descriptions.
147
2 August 2007
1. & 2. Entering a From and To task identifier/name will enable you to create a range of Components. For example: Identifier From G41 To G41411 will create components for all of the Inventory E1 Menus. Name From Inventory Management To Inventory User Defined Codes will create components for all of the Inventory E1 Menus. A report will be produced that will list what components have been created in the Target Template. The report will display the Processing Options that were selected, the Component Headers that were created and it will also list which application security records were created including which applications can be classified as Hidden Programs. * Note: - All Components will be created with a header record based on a Next Number routine for the Next Number system Y5AF E1Config.
148
2 August 2007
Field Descriptions
Header Task Task ID Type Product Detail Component Name View ID Displays the Component ID for each generated component. Displays the description for each generated component. Displays the Task View ID and that each generated component was based upon. Displays the name of the Task that each generated component was based upon. Displays the ID of the Task that each generated component was based upon. Displays the Task type that each generated component was based upon. Displays the product code of the Task that each generated component was based upon.
149
2 August 2007
View Program
Displays the Task view description that each generated component was based upon. Lists the application security records that have been created attached to the generated component in E1Config. Lists the Task name of the task/application that each generated security record was created for. Lists the Task ID of the task/application that each generated security record was created for. Lists the type of task/application that each generated security record was created for. List the product code of the task/application that each generated security record was created for.
150
2 August 2007
151
2 August 2007
Field Descriptions
Table
Lists the Tables that contain records for obsolete profiles i.e. those that have been removed from the F0092 table. If more than one user, as in the above example, has been removed from the F0092 then multiple instances of a table may appear.
User/System Role
152
2 August 2007
153
2 August 2007
Field Descriptions
Table
Lists the Tables that contain records for obsolete profiles i.e. those that have been removed from the F0092 table. If more than one user, as in the above example, has been removed from the F0092 then multiple instances of a table may appear.
User/System Role
154
2 August 2007
155
2 August 2007
Field Descriptions
Table
Lists the Tables that contain records for obsolete profiles i.e. those that have been removed from the F0092 table. If more than one user, as in the above example, has been removed from the F0092 then multiple instances of a table may appear.
User/System Role
156
2 August 2007
E1Config Reporting
Menu/Solution Explorer Task QE1C103 contains the menus calls for all of the reporting menus associated with E1Config.
157
2 August 2007
158
2 August 2007
Click the appropriate radio button and press the Next button.
159
2 August 2007
Field Descriptions
This is a 40-character field that is used to describe the reporting code. If ticked, allows users to be able to select a value for this reporting code on the Parent Header Information form (PY5AF501/WY5AF501B). This is a 3-character field that is used to define the reporting code value. This is a 40-character field that is used to describe the reporting code value.
160
2 August 2007
Click on the relevant button to access the available reports for that section.
161
2 August 2007
For each section there are some selection fields that you will be prompted for entry; these are discussed below. Field Descriptions Template ID Enter or use the Visual Assist to return a valid Template ID to report upon. Always enter a Template ID if you are prompted, either with other values or alone. Function ID Component ID App, Form, UBE, File Version Enter or use the Visual Assist to return a valid Function ID to report upon. Enter or use the Visual Assist to return a valid Component ID to report upon. Enter or use the Visual Assist to return a valid Object ID to report upon. Enter or use the Visual Assist to return a valid Version ID to report upon. Ensure that an Object value has been entered in conjunction with this field. Security Type Component Level Entity ID Enter or use the visual assist to select a valid security type to report on. Enter or use the visual assist to select a valid Component Level to report on. Enter or use the Visual Assist to return a valid Entity ID to report upon. Always enter a Entity ID if you are prompted, either with other values or alone. Reporting Codes Use any available reporting codes to filter the parents included in the report
162
2 August 2007
Template Reporting
Template Reporting is critical within the product to ensure that you and your auditors know what is contained within each Function, Component and Segregation of duties rule. To report on each parent type, take the relevant radio button from the Template Reporting screen and then see the relevant section below as to which reports are available.
163
2 August 2007
Functions by Template
Below is a list of all the available Function-based reports that you can run and below that is an explanation of each of these reports and a sample of one or more of the reports.
Title A simple list of functions A list of functions with all attached components
Description This report will print a list of the Functions that exist for a selected Template. This report will list all of the Functions for a selected Template and all of the Components that are attached to each of the listed Functions. Each Component will be displayed with its Component Level. This report will list all of the Functions for a selected Template and all of the Components that are attached to each of the listed Functions. Each Component will be displayed with its Component Level. This version will also show any embedded functions and their associated Components.
164 2 August 2007
A list of functions with all attached Components and all associated security records
This report will list all of the Functions for a selected Template, all of the Components that are attached to each of the listed Functions as well as their related Component Level and all the security records associated with each Component. This report will list all the Functions within a selected Template that contain a selected Function. This report will list all the Functions within a selected Template that contain a selected Component. The security records associated with each component will also be reported. This report will list all the Functions within a selected Template that contain Components that have security records associated with a selected object and/or version. The security records for the selected object and/or version will also be printed. This report will list all the Functions within a selected Template that contain Components that have security records associated with a selected security type i.e. Column Security. The security records for the selected security type will also be printed. This report will list all the Functions within a selected Template that contain Components that have security records associated with a selected object and/or version. The security records for the selected Components will also be printed.
A list of Functions that have a selected Function attached to them (Header and Detail) A list of Functions that have a selected Component attached to them (Header and Detail) A list of Functions that have Components that contain security records for a specific object (Application, Form, UBE, File) (Header and Detail) A list of Functions that have Components that contain security records of a specific security type (Header and Detail) A list of Functions that have a Component with a particular Component Level (Header and Detail)
165
2 August 2007
166
2 August 2007
167
2 August 2007
Title A Simple list of Segregation of Duties A list of Segregation of Duties and all attached Components A list of Segregation of Duties and their attached Components and associated security detail records
Description This report will print a list of the Segregation of Duties Rules that exist for a selected Template. This report will print a list of the Segregation of Duties Rules that exist for a selected Template as well as the Components associated with each SOD rule. This report will print a list of the Segregation of Duties Rules that exist for a selected Template as well as the Components associated with each SOD rule. All of the security records related with each Component will also be printed.
168
2 August 2007
A list of Segregation of Duties that have a selected Component attached to them (Header and Detail) A list of Segregation of Duties that have Component(s) that contain a specific object (Application, Form, UBE, File) (Header and Detail) A list of Segregation of Duties that have Component(s) that contain a specific security type (Header and Detail)
This report will print a list of the Segregation of Duties Rules within a selected Template that contain a selected Component. All of the related security records for the selected Component will also be printed. This report will print a list of the Segregation of Duties Rules within a selected Template that contain Components which have a selected object and/or version associated with them. All of the related security records for the selected object and/or version will also be printed. This report will print a list of the Segregation of Duties Rules within a selected Template that contain Components which have a selected security type associated with them. All of the related security records for the selected security type will also be printed.
169
2 August 2007
170
2 August 2007
Components by Template
Below is a list of all the available Component-based reports that you can run and below that is an explanation of each of these reports and a sample of one or more of the reports.
Description This report will print a list of all the Components that exist for a selected Template and their associated Component Level. This report will print a list of all the Components that exist for a selected Template and their associated Component Level. All of the related security records for each Component will also be printed.
171
2 August 2007
A list of Components that contain a particular object (Application, Form, UBE, File) (Header and Detail) A list of Components that contain a particular Security Type (Header and Detail)
This report will print a list of the Components within a selected Template that contain security records for a selected object and/or version associated with them. All of the related security records for the selected object and/or version will also be printed. This report will print a list of the Components within a selected Template that contain records for a selected security type. All of the related security records for the selected security type will also be printed. This report will list all the Components within a selected Template that have a selected Component Level. The security records for the selected Components will also be printed.
A list of Components that contain a particular Component Level (Header and Detail)
172
2 August 2007
173
2 August 2007
Entity Reporting
Entity Reporting is critical within the product to ensure that you and your auditors know what Functions and Components are attached to which Profiles on your system as well as the Integrity between your E1Config tables and your F0092 and F00950 tables. To report on either security or integrity take the relevant radio button from the Entity Reporting screen and then see the relevant section below as to which reports are available.
174
2 August 2007
Security by Entity
Below is a list of all the available Entity-based reports that you can run and below that is an explanation of each of these reports and a sample of one or more of the reports.
Title A list of Users that exist for a particular Entity, their Functions and optionally Components A list of Users that exist for a particular Entity, their Functions and Components and associated security records
Description This report prints a list of all the Profiles within a selected entity, that have been built, and what Functions and Components are applied to those profiles. This report prints a list of all the Profiles within a selected entity, that have been built, and what Functions and Components are applied to those profiles. The security records for each Component will also be printed.
175
2 August 2007
A list of users that have a selected Function (either directly or via another Function) attached to them (Header and Detail) A list of users that have a selected Component (either directly or via another Function) attached to them (Header and Detail) A list of Users that have Components attached to them that contain a selected object (Application, Form, UBE, File) (Header and Detail) A list of Users that have Components attached to them that contain a selected security type (Header and Detail) A list of Users that have Components attached to them with a particular Component Level (Header and Detail)
This report prints a list of all the Profiles within a selected entity, which have been built, that have a selected Function attached to them. The Functions and Components attached to the selected Function will be displayed as will the security records for each Component will also be printed. This report prints a list of all the Profiles within a selected entity, which have been built, that have a selected Component attached to them. The security records for each Component will also be printed. This report prints a list of all the Profiles within a selected entity, which have been built, that contain Components which have a security records associated with a selected object and/or version. The security records for the selected object and/or version will be printed. This report prints a list of all the Profiles within a selected entity, which have been built, that contain Components which have a security records associated with a selected security type. The security records for the selected security type will be printed. This report prints a list of all the Profiles within a selected entity, which have been built, that contain Components which have a selected Component Level in their Header Record.
176
2 August 2007
177
2 August 2007
178
2 August 2007
User Reporting
This report allows you to list the Functions, Components, Objects and security records applied to specific profiles on your system.
Description This report will list all the Functions and attached Components along with their associated security records that are attached to all the profiles for a selected Entity. This report will list all the profiles for a selected Entity that contain a selected Function. The security records for all components attached to the selected Function will also be printed. This report will list all the profiles for a selected Entity that contain a selected Component. The security records for the selected Component will also be printed. This report prints a list of all the Profiles within a selected entity, which have been built, that contain
179 2 August 2007
Function By User
Component By User
Components which have a security records associated with a selected object and/or version. The security records for the selected object and/or version will be printed. Segregation Of Duties Conflicts By User/Group This report will print a list of all the Security and Segregation of Duties Rule conflicts that exist for a selected Entity.
180
2 August 2007
181
2 August 2007
182
2 August 2007
A report will be produced that will list what records, related to each security type, that exist in the F00950. An example of the output can be seen below where the Action Code security for the GROUP 6 profile has been listed.
183
2 August 2007
Field Descriptions
Header Version The report will display the version of the RY5AF100 report that has been run and the security type that the report relates to. Each section of the report will display security records related to a different profile. The object that has had security applied to it for the listed profile. The description of the object. Depending upon the security type that the report has been submitted for, additional columns will be displayed e.g. Alias, From Value etc. The security values related to the object. The columns will vary depending on the security type that is being reported on.
184 2 August 2007
Values
Field Descriptions
The Environment Name as defined in the F0094. The Description of each environment. The E1 defined Path Code. The profile that has access to the displayed environment. The description of the profile from the Address Book.
185 2 August 2007
186
2 August 2007
Field Descriptions
System Role User Name Address Number Description Menu ID Fast Path
The name of the System Role profile. The name of each User that is associated with the displayed group/role. The Address Number, if any, that is associated with the listed User. The Address Book description, if any, that is associated with the listed user. The Initial Menu, if any, that will be called if a user signs on to oexplore.exe Whether or not the listed user has access to the Fast Path capability when they sign on to oexplore.exe.
187
2 August 2007
User ID
Enter or use the Visual Assist to return a User profile to this field to establish what Application &/or Action Code security an individual has. This application only supports User Profiles and not Groups or System Roles. An Application Name or Form ID must be entered in conjunction with this profile ID for the application to return any records.
188
2 August 2007
Application Name
Enter or use the Visual Assist to return an Interactive Application Id to this field to inquire on what, if any, security exists for that object. A User ID must be entered in conjunction with this object name in order to return any results.
Form ID
Enter or use the Visual Assist to return a Form ID to this field to inquire on what, if any, security exists for that object. A User ID must be entered in conjunction with this object name in order to return any results.
Version
Enter or use the Visual Assist to return a version of any selected application to only report on that version. This field can only be used when the Application button is checked. A User ID must be entered in conjunction with this object name in order to return any results. Once you have entered either a User and an Application Name or a User and a Form ID click on the Find Net Effect button to return the results of the query. Whether or not (Y/N) a User can Install (JITI) a specific application. Whether or not (Y/N) a User can Run an application or form. *ALL is a generic object name that will affect all applications and forms at the level to which it is applied. The specific program level will supersede any *ALL values at the same level. Whether or not (Y/N) the user has an Add capability from within an application/form. Whether or not (Y/N) the user has an Change capability from within an application/form. Whether or not (Y/N) the user has an Delete capability from within an application/form.
189 2 August 2007
Delete
Select
Whether or not (Y/N) the user has an OK/Select capability from within an application/form. Whether or not (Y/N) the user has an Copy capability from within an application/form. Whether or not (Y/N) the user has the ability to scroll to the end of the data selected from within an application/form or whether they see it a page at a time. These are the system accepted values for the user. Whether or not they have access to an application and what actions they can perform using that application. If any of these fields are blank then a Y value is assumed by E1 for the selected user and application/form.
Net Effect
In the example below APUSER1 has access and update to the Address Book because they are inheriting the application YY from their Group level and the action YYYYYY values at the User level which is overriding the *PUBLIC application *ALL NN (All Doors Closed) and action *ALL NNNYNY (Inquiry Only) values.
190
2 August 2007
Note This report can only be run against Applications (both Interactive and Batch). Also if you leave the From and To user fields blank this will report on all Profiles in your implementation and therefore could be potentially huge!
191
2 August 2007
192
2 August 2007
A detailed explanation of these reports can be seen in the E1Config Administration section of this manual.
193
2 August 2007
Auditing
Auditing is enabled by checking the Enable Audit check-box on the Audit tab of the E1Config Setup application (PY5AF905/WY5AF905A).
Tables
Once Auditing has been enabled the functionality will allow you to track and record any additions, changes and deletions to the following tables. QSG Table FY5AF402 FY5AF405 FY5AF430 FY5AF440 FY5AF501 FY5AF510 FY5AF512 FY5AF513 FY5AF515 FY5AF905 Description User Status Table Component Detail File Template Master Entity Manager Parent Header Parent Detail Function Tracker Component Tracker Conflict Manager Control Table Audit Table FY5AFA01 FY5AFA02 FY5AFA05 FY5AFA06 FY5AFA03 FY5AFA04 FY5AFA07 FY5AFA08 FY5AFA09 FY5AFA10
Each of the above tables has the same specifications as the corresponding QSG table plus the following additional fields that allow you to audit what change occurred, how, where, when and by whom. These fields can be seen below:
Audit Fields
Field UKID Description Unique ID Explanation This field allows each audit action a unique reference number. There may be multiple records related to a particular action. This code allows you to determine whether an audit record occurred Before or After an action. See the Actions section below for more detail.
2 August 2007
Y5AFBACD
194
File Operation Code (A,C,D) A=Add, C=Change, D=Delete Change Management Reference Audit Program ID
This code determines what action was performed to the table. This Change Management Reference is for future use. This field displays the Program that was used to employ the relevant action. This field displays the User Id that performed the relevant action. This field displays the Workstation from which the action was performed. This field displays the Date on which the action was performed. This field displays the time at which the action was performed.
Audit User ID Audit Workstation Audit Date Updated Audit Time Last Updated
Actions
The following types of actions will be recorded for each table. When a record is Added to a table then an After image record is added to the associated Audit table. When a record in a table is Changed then a Before image record and an After image record are both added to the associated Audit Table. When a record is Deleted from a table then a Before image record is added to the associated table.
195
2 August 2007
Audit Enquiry
The Audit Enquiry application (PY5AF553) can be accessed from the Auditing Menu (QE1C109) if you are using owexplore.exe or the Auditing Task (QE1C109) if you are using activeconsole.exe. This screen allows you to query all of the audit records that have been generated in the audit tables. See above for which tables are audited and which tables are used to record the associated audit records.
Check the Audit Table that you wish to query and then click the Continue button to view the contents of the selected audit table.
196
2 August 2007
Field Descriptions
This date will default to a month prior to todays date. Records will therefore be filtered to show all for the previous month. Enter or select a date to filter the audit records from that date onwards. This date will default to todays date. Records will therefore be filtered to show all for the previous month. Enter or select a date to filter the audit records from before that date. Each query relates to an audit table associated with a QSG table (see above). The QBE fields therefore allow you to filter the records for each of these tables based on the value entered for that specific field. Each query contains all fields for the relevant QSG table as well as the additional audit fields (see above).
To Audit Date
QBE Fields
197
2 August 2007
Audit Reports
The QE1C109 Menu/Task also allows you to run UBEs that produce .pdf reports of the audit records for each QSG table.
User/System Role
User Status
From Date
To Date
198
2 August 2007
199
2 August 2007
Component
Object Name
From Date
To Date
200
2 August 2007
201
2 August 2007
Type
Parent Name
To Date
202
2 August 2007
203
2 August 2007
Parent Type
Parent Name
To Date
204
2 August 2007
205
2 August 2007
From Date
To Date
206
2 August 2007
207
2 August 2007
From Date
To Date
208
2 August 2007
209
2 August 2007
User/System Role
Function
To Date
210
2 August 2007
211
2 August 2007
User/System Role
Component
Object Name
From Date
To Date
212
2 August 2007
213
2 August 2007
User/System Role
Conflict Type
Security Type
Object Name
Data Item
From Date
To Date
214
2 August 2007
215
2 August 2007
From Date
To Date
216
2 August 2007
217
2 August 2007
Processing options have been added to this UBE that allow you to purge data up to a selected date and also to run the UBE in proof mode so that you can see what is being cleared down before running the report in final mode.
Processing Options Type 1 2 Option Purge Date Proof or Final Explanation Enter a date or use the visual assist to select a date to run the purge up to. Enter a 0 in this field to run the report in Proof mode. Enter a 1 in this field to run the report in Final mode.
218
2 August 2007
219
2 August 2007
Glossary
All Doors Closed A term that describes which E1 security strategy you are adopting. If you have applied *ALL NN to Application Security against the *PUBLIC system role then no user will be able to access any program unless specifically granted. For further information on Security strategy see the related white paper at http://www.qsoftware.com . All Doors Open A term that describes which E1 security strategy you are adopting. If you have not applied *ALL NN to Application Security against the *PUBLIC system role then all users by default will be able to access any program on your system and therefore you will have to rely on access control to secure your implementation. For further information on Security strategy see the related white paper at http://www.qsoftware.com . Parent Type Component A Component is a task in E1 such as Payment Processing or Address Book Daily Processing. Contained within each Component are the individual security records by object that enable that task to be completed. The Component Level is a value between 0-9 with 0 as the highest and 9 as the lowest. The Component Level is used for resolving security Conflicts. If two Components with different security for the same object are applied to the same User then the Component Level determines what happens when security is built. If one Component is Level 4 and the other is level 6 then the security for the level 4 Component will be written. If both Components have the same level then a Conflict will be flagged for resolution. See Component Level. Segregation of Duties Conflicts will arise when a Segregation of Duties rule has been established in E1Config. If a rule has been created to say that Component X cannot be attached to the same profile as Component Y and this rule is broken then Segregation of Duties Conflicts will be flagged for resolution. Defaults are the Y and N values that correspond to each type of security for ease of entry when entering detail on Components. Defaults are created when a Template is set up and are likely to depend on which security strategy you are using. Defaults can be manually overridden at the detail entry level if for any reason they differ. Embedded Function
SEC-Qure E1Config Rev 1.1
Component Level
Defaults
A Function in E1Config is slightly different to a Job Function although similar in a lot of ways. Essentially all a Function is, is a group of Components that fit a Job role. It is more flexible however because an E1Config Function allows you to attach a Function to a Function whereas in E1 only one System Role (Function) is available for an individual user.
Applications or reports that are called from NER business functions (C business functions are currently not supported). Heads Down is simply the manual entry of security records using the Work with Components by security type form. This is not possible using the security workbench and allows for faster entry of records from a matrix either by typing or cut and paste from a spreadsheet. In earlier versions of E1Config and QBuild the object name in the FY5AF405 table was encrypted which prevented customers from creating their own reports over the table. A Segregation of Duties Parent type that allows you to create a rule that states Component A cannot be assigned to the same User/System Role as Component B or others. If the two or more Components are assigned to the same role then a Segregation of Duties Conflict will be flagged. This is a form within E1Config Component detail that allows you to assign certain security type records to a Component and not others. For which type see Appendix A - E1Config Security Type (Work with Component vs. Selector) The Status of a User/System Role in the User Security Manager. Whether the profile has no records, un-built records, validated records or built records attached to it. For more information see the User System Role Detail section of this manual. A security matrix that holds Functions Components and Segregation of Duties rules. A means of building security for a User/System Role in Proof mode so that any Conflicts are reported and can be resolved before security is actually applied. Enhancements to security functionality introduced by JDE in 8.x versions and then retrospectively into service pack 23/ESU JD23877. This improved specific security types to enable users to protect selected versions of programs rather than an all or nothing scenario as existed before.
Name Encryption
Selector
Status
Template Validate
Version Security
- This explanation assumes that an All Doors closed policy is being employed.
221
2 August 2007
Appendix A - E1Config
QComponents
Naming Conventions
Component Where mmnopppppq mm n o ppppp q = = = = = Module number C Component (Functions are defined as F) T Task / F File Access 5 character description/numbering Component Level (see below)
Component Level
Below are a couple of suggested ways of using component levels. Current Component levels should only cover levels 3 and 9: 0 - Level 0 1 - Level 1 2 - Level 2 3 - Add, Change and Delete 4 - Level 4 5 - Add and Change 6 - Level 6 7 - Add Only 8 Inquire only. 9 - QSG standard Components. Do not modify, copy as with E1 versions.
0 - Level 0 1 - Action - everything 2 - Action - everything except delete 3 - Action - add + change 4 - Action Security - change only 5 - Processing Option with change 6 - Processing Option - no change 7 - Row security 8 Application, Row Exit and all security apart from Row, Processing Option and Action. 9 - QSG standard Components. Do not modify, copy as with E1 versions.
222
2 August 2007
M O 1
Miscellaneous Security Form Portal Security Form Work with Component by Security Type & Selector Work with Component by Security Type. Work with Component by Security Type & Selector Work with Component by Security Type. Work with Component by Security Type & Selector Selector only Selector only Selector only Work with Component by Security Type & Selector
WY5AF405P WY5AF405I WY5AF405B & WY5AF405G WY5AF405B WY5AF405B & WY5AF405G WY5AF405B WY5AF405B & WY5AF405G WY5AF405G WY5AF405G WY5AF405G WY5AF405B & WY5AF405G
2 3
4 5
6 7 8 9
Exit Security External Call Security Tab Security Exclusive Application Security
223
2 August 2007
Media Object Security (8.12 and above only) Image Security (8.11 and above only) Link Security (8.11 and above only) Push Button Security (8.11 and above only)
Selector only
WY5AF405G
Selector only
WY5AF405G
224
2 August 2007
Linked to Data Source via Entity. This is the Path that the Build will take.
DV7333
Template
PY7333
PD7333
DV7333
Template 2
PY7333
Template 3
PD7333
225
2 August 2007
Multiple
For multiple security tables you can either link one Template to all security tables, a Template by security table or somewhere in between. Below are some examples of set ups that can be accommodated by E1Config. F00950 in Data Source 1 F00950 in Data Source 2 F00950 in Data Source 3
DV7333
Template
PY7333
PD7333
Template1
DV7333
Template 2
PY7333
Template 3
PD7333
Template1
DV7333 PY7333
Template 2
PD7333
2 August 2007
Default Values
227
2 August 2007
228
2 August 2007
Enter a new Code number, the executable name in the Description 01 field, the executable description in the Description 02 field and an N value in the Hard Coded field and then click the OK button.
229
2 August 2007
230
2 August 2007
231
2 August 2007