Add Role To User Spring Security Manually

Posted : admin On 10/6/2021

This chapter contains the following topics:

3.1 Understanding User and Role Profiles

You use the User Profile Revisions application (P0092) to add users and to set up user profiles. For every user, you must create a user profile, which defines such information as a list of environments that a user can select when signing in to JD Edwards EnterpriseOne and the language preference of the user. You can also assign roles to users. A role defines the tasks that an end user sees in JD Edwards EnterpriseOne.

You can use P0092 to define specific users or roles. This definition includes:

  • The role to which a user belongs.

    For example, an accounts payable clerk would be part of the AP role. Roles are an important aspect of JD Edwards EnterpriseOne. By assigning users to roles, system administrators can set user preferences and securities that are based on the roles rather than the individual user.

  • The environments that the user can select when signing in to JD Edwards EnterpriseOne. Environments are assigned to roles.

  • The language preference and country code for the text that appears on JD Edwards EnterpriseOne menus, forms, and country-specific applications.

3.1.1 How to Assign and Delete Environments for User and Role Profiles

You assign environments so that a user can select a role and environment combination when starting JD Edwards EnterpriseOne. You can assign more than one environment to a role. You can delete environments that are no longer relevant to a role.

3.1.2 How to Assign Business Preferences to User and Role Profiles

When setting up profiles, you can assign business preference codes. These codes can be used by a customized workflow process to send messages, update a database, or start an application. You define the codes for the preferences based on industry, business partner, or customer. Then you can create a JD Edwards EnterpriseOne workflow process that is based on whether a specific code resides in the user profile.

For example, you assign the code CUS for a customer business preference, and then create a workflow process that begins whenever a user or role profile with the CUS business preference enters a sales order.

3.1.3 User and Role Profile Copying

You can copy all or part of a user or role profile. When you copy an entire user or role profile (display and environment preferences), you are creating a new user or role profile with the information from another profile. When you copy part of a user profile, you are copying the environment preferences from another profile to an already existing user profile.

3.2 Understanding How Role Profiles Make Profiling Easier

Roles eliminate the need to set up preferences for each individual user profile. By assigning individual users to a role, you can assign preferences to the role and have those settings available to all of the individual users who have that role. We recommend creating all role profiles that are needed for the enterprise first. This method makes creating user profiles easier; instead of defining specific environments, packages, and machine configurations for each user, administrators can define them for the role. If an individual in a role needs a different setup, you can assign different setups at the user profile level, which overrides the role settings.

JD Edwards EnterpriseOne uses roles for these purposes:

  • Environments.

  • User overrides.

  • Application security.

  • Creation of sign-in security records.

3.3 Tables Used by the User Profile Revisions (P0092)

The P0092 application uses these tables:

  • Library Lists - User (F0092)

  • User Display Preferences (F00921)

  • User Display Preferences Tag File (F00922)

  • User Access Definition (F00925)

  • Library List Control (F0093)

  • Library List Master File (F0094)

  • Anonymous User Access Table (F00926)

See Also:

  • 'Defining Machines' in the JD Edwards EnterpriseOne Tools Package Management Guide.

  • Setting Up User Profiles.

  • Creating and Modifying User Profiles.

  • Creating Profiles by Using a Batch Process.

3.4 Setting Up User Profiles

This section contains the following topics:

3.4.1 Understanding User Profile Setup

As a system administrator, you use User Profile Revisions (P0092) to create user profiles for each user in the system. You also determine the environments that are available for each user, and set up display preferences, such as language.

These steps outline the high-level process for setting up user profiles.

  1. Create all of the role profiles for the enterprise.

    See Setting Up Roles.

  2. Create a user profile for every user.

  3. Assign to each role or user these preferences:

    • Environments, to determine the environments that you want to be available to each role or user. Environments are assigned at the role level only.

    • Display preferences, to determine JD Edwards EnterpriseOne display characteristics such as language, date format, and country code.

      The Display preferences are controlled on the User Profile Revisions form.

      Note:

      If you are setting up user profiles during the installation process, you must sign in to the deployment server using the deployment environment. After you have completed the installation process, you can add or modify user profiles from any machine except the deployment server.

3.4.1.1 User Profile Creation and Modification

The user profile defines certain setup and display features, such as access to Fast Path, language, date format, or country code. If you select a country code for a user, the menu filtering process displays for that user any special menu selections unique to that country code. For example, if you enter CA (Canada), that user would see the Canadian Tax Information application on the appropriate menu, which users without that country code would not see.

3.4.1.2 Batch Process for Creating User Profiles

If address book records already exist for employees, you can run a batch process to automatically create user profiles from those address book records. This process can save time, ensure accuracy between the Address Book and user profile records, and ease the transition of taking JD Edwards EnterpriseOne to production.

You can create user profiles through the Populate User Profiles batch application (R0092). With this process, you can assign display and environment preferences to users. This process enables you to create hundreds of new user profiles at a time.

3.4.1.3 Report Used for Reviewing User Profiles

The Summary of Environments, Packages and Profiles report (R00921) enables you to review a list of user and role profile definitions. This report summarizes the environment or environments assigned to a role and lists the users in the role. JD Edwards EnterpriseOne provides two default versions that enable you to summarize either all roles or only specific roles.

3.4.2 Understanding How to Add Users

You can create user profiles one at a time by using the User Profile Revisions application, or you can simultaneously create multiple profiles by using batch processes.

Note:

This section is a checklist for all the steps needed to add a new user. These steps do not address third-party setup issues such as assigning network user IDs.

3.4.2.1 How to Add an Individual User

If you need to add only a few users, use the User Profile Revisions program. The following list details the steps for adding user profiles one at a time.

  1. If you plan to create a new role for the user, add an address book record with a valid search type code (for example, E for employee).

  2. If the existing role profiles are not acceptable for the new user, add a role profile.

  3. Add an address book record for the new user.

  4. Add a user profile.

  5. Add sign-in security records for the user.

  6. Use Security Workbench (P00950) to add any security overrides for the user if the user needs different security than the roles to which the user belongs.

  7. Populate the machine table for the user's machine.

  8. Use User Overrides Revision (P98950) to add any new user overrides for the user if the user needs different user overrides than the role to which the user belongs.

3.4.2.2 How to Add Multiple Users

When you are ready to create user profiles for the first time, you might need to create hundreds of profiles simultaneously. In this case, JD Edwards EnterpriseOne provides batch processes to create the profiles. These batch processes automate the process of user profile creation.

When you decide which role to assign to a user, consider application security as the most important role because:

  • Application security has the most extensive setup.

  • Managing overrides to the role security is more difficult than, for example, managing overrides to deployment preferences.

    Note:

    Sign-in security is not based on roles because individuals must have their own passwords. A program exists with sign-in security to quickly create individual security records by role; however, after the records are created, security is assigned by an individual.

The following list details the steps that you need to perform when you add multiple user profiles simultaneously.

  1. Using the Address Book application (P01012), create address book records for roles that you will use in user profiles.

  2. Using the User Profile Revisions application, add the role profiles.

  3. Populate the various Address Book tables.

    If you are migrating data from a non-JD Edwards EnterpriseOne system, you can populate the data tables with a table conversion. Otherwise, you can manually add data to the Address Book tables.

  4. Run the Populate User Profiles (R0092) batch process to create user profile records from existing Address Book records.

    Normally, this report is based on address book records with a search type for employees (E).

  5. Adjust each user's role assignments.

    Determine the role in which you want to place an individual and manually assign each user to a role.

    These settings are dictated by role:

    • Environments

    • User Overrides

    • Application Security

  6. Run the Summary of Environments, Packages and Profiles batch process (R00921) to view the new user profiles.

  7. Use Security Workbench (P00950) to apply application, action, and processing option security for roles and any individual overrides to those roles.

  8. Create sign-in security records using the EnterpriseOne Security application (P98OWSEC).

    You can create sign-in security records for all individuals within a role by entering one record for the role.

  9. Manually populate the F00960 table.

    This table is automatically populated each time a machine signs in to JD Edwards EnterpriseOne. However, if you intend to use schedule packages, you must manually populate this table.

  10. Create user overrides for roles.

    Normally, you will not create any overrides for individuals because they can easily create their own as they use the software.

3.4.3 Prerequisites

Before you complete the tasks in this section:

  • Create all of the role profile information by using the User Profile Revisions application.

  • Define:

    • Role profiles.

    • Environments that each role can access.

3.4.4 Forms Used to Set Up User Profiles

| Form Name | FormID | Navigation | Usage |
|---|---|---|---|
| Work With User / Role Profiles | W0092D | System Administration Tools (GH9011), User Management, User Profiles (P0092). | Locate and review existing roles and profiles records and access additional forms. |
| User Profile Revisions | W0092A | On the Work With User/Role Profiles form, click Add or select a record and then click Select. | Create, modify, or copy a user profile. |
| User Environment Revisions | W0092C | On the Work With User/Role Profiles form, select Copy Environment from the Row menu. | Copy environment preferences from one user profile to another. Assign or delete environments from user profiles. |
| Business Preferences | W0092E | On User Profile Revisions, select Bus Preferences from the Form menu. | Assign business preferences to user and role profiles. |
| Work With Batch Versions - Available Versions | W98305A | Report Management (GH9111), Batch Versions (P98305) | Run the Populate User Profiles batch application (R0092) and the Summary of Environments, Packages and Profiles report (R00921). |

3.4.5 Setting Processing Options for User Profile Revisions (P0092)

Access the Processing Options form. Select the A/B Validation tab.

  1. Enter 1 to enable Address Book validation.

    When enabled, this processing option validates each new user ID against the Address Book Master (F0101) table upon the creation of a user profile. As a result, you cannot create a user profile for a user who is not already defined in the F0101 table. We recommend that you enable this setting to ensure that Work Center operates correctly. That application requires valid address book numbers.

  2. Enter 0 (or leave blank) to disable Address Book validation.

    When disabled, this processing option allows you to create user profiles for Address Book entries that do not yet exist in the F0101 table.

3.4.6 Creating and Modifying User Profiles

Access the User Profiles Revision form.

User ID

The code that identifies a user profile.

WhosWhoLineID

A number that identifies an entry in the Address Book system, such as employee, applicant, participant, customer, supplier, tenant, or location.

Batch Job Queue

The computer waiting line that a particular job passes through. If blank, it defaults to the job queue specified in the user's job description.

Language

A user defined code (01/LP) that specifies the language to use on forms and printed reports. Before you specify a language, a code for that language must exist at either the system level or in the user preferences.

Justification

An option that determines how text is to be read, left to right or right to left. This option is enabled only when Arabic is selected as the language. For all other languages, the system automatically selects the left to right option.

Set Accessibility Mode

An option that enables the JD Edwards EnterpriseOne web client to be accessible through the JAWS screen reader software for visually impaired users. The option is deselected by default when a user profile is created.

Date Format

The format of a date as it is stored in the database.

These date formats are valid: YMD, MDY, DMY, EMD. If you leave this field blank, the system displays dates based on the settings of the operating system on the workstation. With NT, the Regional Settings in the Control Panel control the settings for the operating system of the workstation.

Date Separator Character

The character to use when separating the month, day, and year of a given date. If you enter an asterisk, the system uses a blank for the date separator. If you leave the field blank, the system uses the system value for the date separator.

Decimal Format Character

The number of positions to the right of the decimal that you want to use. If you leave this field blank, the system value is used as the default.

Localization Country Code

A code that identifies a localization country. It is possible to attach specific country functionality that is triggered based on this code using the country server methodology in the base product.

Universal Time

A code that you use to associate a time zone with a user's profile. This code represents the user's preferred time zone, and it must be a value from the UDC table (H91/TZ).

Time Format

A value that determines the user's preferred format for time-of-day. The user can choose from a 12- or 24-hour clock.

Daylight Savings Rule

The rule name that specifies the daylight savings rule for a region or country.

See 'Creating Daylight Savings Rules' in the JD Edwards EnterpriseOne Tools System Administration Guide.

3.4.7 Copying User Profiles

Access the Work With User/Role Profiles form.

  1. To copy an entire profile (the display and deployment preferences), select a user ID in the grid area, and then click Copy.

    The User Profile Revisions form appears. Because this action creates a new profile, the user profile that you create cannot already exist in JD Edwards EnterpriseOne.

    Note:

    Environments are assigned at the role level. See Add Environments.

  2. In the User/Role field, enter a user ID to copy the profile into and change any other information.

  3. Click OK.

3.4.8 Assigning Business Preferences to User Profiles

Access the Work With User/Role Profiles form.

  1. Click Find.

  2. Select a user profile, and then click Select.

  3. On the User Profile Revisions form, from the Form menu, select Bus Preferences.

  4. On the Business Preferences form, complete any of these fields and click OK:

    • Industry Code

      This field associates the user profile with a specific industry, such as manufacturing.

    • Business Partner Code

      This field associates the user profile with a specific business partner.

    • Customer Code

      This field associates the user profile with a specific customer.

      Note:

      Click Cancel on the Business Preferences form to cancel the addition of the current business preference.

3.4.9 Creating Profiles by Using a Batch Process

Access the Work With Batch Versions - Available Versions form.

Note:

If you need to add just a few users, you should use the User Profile Revisions application.

  1. Enter R0092 in the Batch Application field and click Find.

  2. Select the JD Edwards EnterpriseOne default version (XJDE0001) or the equivalent for the installation, and then click Select.

  3. On the Versions Prompting form, click Data Selection, and then click Submit.

  4. On the Data Selection form, create a logic statement that describes the set of users for which you want to create profiles.

    This form already has a search type of E (employees) populated, which assumes that the users are all employees. You might want to narrow this selection by submitting it for only a range of employees.

    After you complete the Data Selection form, the Processing Options form appears.

  5. On the Processing Options form, enter:

    • One of these values for option 1:

      Enter 1 to run this report in proof mode, which provides an example of what would happen if you were to run the report in final mode.

      Leave blank to run this report in final mode, which creates the user profiles that you specified and creates a report showing the profiles created.

    • One of these values for option 2 to define the user profile record being created for each user:

      Enter 1 to populate the User ID field with the users' address book numbers plus their initials. Typically, user profiles are created with the users' initials preceding their Address Book number.

      Leave this field blank to use just the address book number.

      Complete these user profile fields for option 2:

      Fast Path

      Language

      Date Format

      Data Separator Character

      Data Format Character

      Country

3.4.10 Reviewing User and Profile Definitions

Access the Work With Batch Versions - Available Versions form.

  1. Select a version and click Select.

    Default version XJDE0001 creates a report for all role profiles in the enterprise. Default version XJDE0002 creates a report about a specific role profile that you specify.

  2. On the Versions Prompting form, click Data Selection and click Submit.

  3. On the Data Selection form, create a logic statement that describes the role profiles that you want to summarize.

  4. Click OK.

3.5 Setting Up Roles

This section provides overviews of user roles, role-to-role relationships, the sign-in Role Chooser, the menu filtering Role Chooser, workstation initialization file parameters, and discusses how to:

  • Create and modify roles.

  • Migrate roles.

  • Sequence roles.

  • Add an environment to a role.

  • Assign business preferences to a role.

  • Set up a role relationship.

  • Enable the Role Chooser.

  • Create role-to-role relationships.

  • Revise role relationships.

  • Delegate roles.

  • Add roles to a user.

  • Add users to a role.

  • Copy user roles.

  • Add a language translation to a role.

3.5.1 Understanding User Roles

As part of the system setup, you must define the roles for users in the organization. Roles define the tasks that users see when they work in the JD Edwards EnterpriseOne Menu and determine what authority the users have in JD Edwards EnterpriseOne.

After you have defined a role, you can associate users with it and apply security to it to provide the appropriate level of access to JD Edwards EnterpriseOne functions. You can assign more than one user to a role, or you can assign more than one role to a user. To establish a role relationship, you use the Role Relationships application (P95921), which enables you to add, remove, or revise a role relationship for a user. Role relationships are revised by removing an assigned role or by changing the expiration date for an assigned role.

Assigning roles accomplishes these purposes:

  • Users see only those tasks and perform only those activities that relate to their jobs.

    For example, a user acting in the role of accounts payable clerk might not need to see all of the tasks that an accounts payable manager would need to see. You can create both of these roles and define a different set of tasks for each one.

  • Users can have multiple roles.

    Within an organization, a user might have many responsibilities, none of which are defined by a single role. A user who is assigned multiple roles can switch roles according to the work required.

    Note:

    Security for a user is not affected when a user changes a role after signing on to JD Edwards EnterpriseOne; only menu filtering and the display of menu information is affected for that user. The security applied to a user is based on how a user signs on to the system.

  • Administrators can set up security based on user roles.

    A user's access to applications, forms, table columns, data sources, and so on is based on one or more roles to which the user is assigned.

Note:

JD Edwards EnterpriseOne stores the role descriptions in the F00926 table. If you previously defined roles using the UDC table H95/RL, you can run the Populate Role Descriptions From F0092 report (R89959211) to populate the Anonymous User Access Table with those older role descriptions.

This table summarizes the steps an administrator must perform to set up roles for users:

| Administrative Step | Applications Used | Forms Used | Tables Used |
|---|---|---|---|
| Populate the User Profile table with roles that are stored in UDC H95/RL during Roles Phase I. | R89959211, R89959212 | Not applicable (NA). | F00926, F0092 |
| Run a program to populate the Role Relationships table. | R8995921 | NA. | F0092, F95921 |
| Create roles. | P0092 (User Profile Revisions) | W0092A (User Profile Revisions); Form exit from the Work With User Profiles form (W0092D). | F0092 |
| Sequence the roles. | P0092 | W0092L (Work With Role Sequences); Form exit from the Work With User Profiles form. | F00926 |
| Create role relationships that associate users with roles. | P95921 (Role Relationships) | W95921A (Work With Role Relationships). | F95921 |
| Add security to roles. | P00950 (Security Workbench) | Various, depending on type of security to be applied to each role. | F00950 |

The Portal, JD Edwards Solution Explorer, and client workstations use the role relationships data in the F95921 table (Role Relationships) and various APIs to retrieve data and allow users to have assigned roles.

You use JD Edwards EnterpriseOne to administer defined roles for which you have created role relationship records. You can add large numbers of roles to a single user, and you can add large numbers of users to a single role relationship record. You can also use JD Edwards EnterpriseOne to specify the language that is used for the description of a new role.

After you have created one or more role relationships for a user, you can revise the relationships. Role relationships are revised by removing an assigned role or by changing the expiration date for an assigned role. You can also exclude an assigned role from *ALL or add a role to *ALL that was previously excluded.

In addition, you might want to delegate one or more of the roles to another user if a particular user will be unavailable. When you delegate the role relationship records, you can copy existing records to another user. You cannot add role relationships to another user unless those roles are already assigned to you.

See Also:

  • 'Applying Roles to a Task' in the JD Edwards EnterpriseOne Tools Solution Explorer Guide.

  • Using Security Workbench.

3.5.2 Understanding Role-to-Role Relationships

You create lists of roles that are subsets of another role. For example, you might create an ADMIN role that includes users with the greatest number of administrative responsibilities and the broadest access to applications in JD Edwards EnterpriseOne. You might also create other roles that include individuals with limited administrative responsibilities and access to fewer applications in JD Edwards EnterpriseOne. If you create a distribution list based on roles, you might want to include on the list all roles with some level of administrative responsibility. Anyone in a role that is part of the distribution list would receive messages sent to the ADMIN role.

You use the Work With Distribution Lists form to add or remove roles from the distribution list as needed. Work With Distribution Lists does not influence how security is applied. It only helps to define workflow e-mail distribution lists.

3.5.3 Understanding the Sign-In Role Chooser

When signing into JD Edwards EnterpriseOne, if enabled, users can use the Role Chooser to select a particular role from a list of valid roles. In the Role Chooser, users can either select a particular role or *ALL. You can limit the freedom that a user has to select roles by disabling the Role Chooser. With the Role Chooser disabled, the user must enter JD Edwards EnterpriseOne with *ALL.

At the JD Edwards EnterpriseOne sign-in form, the user enters a user ID and password. The user must then enter a valid environment and role before entering JD Edwards EnterpriseOne. User roles and assigned environments are dependent on each other. The user can select an environment, which then determines what roles appear in the Role Chooser; or the user can select a role, which determines the environments that appear in the Environment Chooser.

The option for enabling the Role Chooser is a global setting. When enabled, it applies to all users in the system.

This table summarizes the scenarios that can occur when the user encounters the Environment and Role fields at sign-in on the Microsoft Windows client, and the behavior of JD Edwards EnterpriseOne in each scenario:

| Sign-in Scenario | JD Edwards EnterpriseOne Behavior |
|---|---|
| User enters values in both the Environment and Role fields. | The software validates the role against the environment. If the role is not valid for the chosen environment, the Environment Chooser appears and the user must choose a valid environment for the role. |
| User enters a value only in the Role field. | The Environment Chooser displays only the valid environments for the chosen role. |
| User enters a value only in the Environment field. | The Role Chooser displays only the valid roles for the user and the chosen environment. |
| User does not enter a value in either the Environment field or the Role field. | The Role Chooser appears, containing the valid roles for the user and the default environment that is defined in the jde.ini file, followed by the Environment Chooser, containing only the valid environments for the chosen role. |

If you do not enter an environment, the Role Chooser displays the roles that are assigned to the default environment, which is defined in the jde.ini file.
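The four sign-in scenarios in the table above, modelled in Python as an added example (not Oracle code and not part of the original documentation), together with a helper that lists every role and environment pair a user can sign in with, which is the view an access review needs. All user, role and environment names are constructed, `DEFAULT_ENVIRONMENT` stands in for the jde.ini default, *ALL is left out, and rejecting a role that is not assigned to the user is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data for illustration only; the user, role and
# environment names are hypothetical and not from a real installation.
ROLE_ENVIRONMENTS = {            # environments are assigned to roles
    "AP": {"ENV_PROD", "ENV_TEST"},
    "ADMIN": {"ENV_PROD"},
    "AUDIT": {"ENV_TEST"},
}
USER_ROLES = {                   # role relationships: user -> assigned roles
    "USER1": {"AP", "AUDIT"},
    "USER2": {"ADMIN"},
}
DEFAULT_ENVIRONMENT = "ENV_PROD"  # stands in for the default set in jde.ini


@dataclass(frozen=True)
class Outcome:
    action: str          # "SIGNED_IN", "ENVIRONMENT_CHOOSER" or "ROLE_CHOOSER"
    choices: tuple = ()  # entries the chooser lists; empty when signed in


def valid_environments(role):
    """Environments assigned to the role, sorted for stable output."""
    return tuple(sorted(ROLE_ENVIRONMENTS.get(role, ())))


def valid_roles(user, environment):
    """Roles assigned to the user that include the given environment."""
    return tuple(sorted(
        role for role in USER_ROLES.get(user, ())
        if environment in ROLE_ENVIRONMENTS.get(role, ())
    ))


def resolve_sign_in(user, environment=None, role=None):
    """Return what the sign-in form does for the values the user entered."""
    # Assumption (not stated on the page): a role that is not assigned to
    # the user is rejected before any chooser is shown.
    if role is not None and role not in USER_ROLES.get(user, ()):
        raise PermissionError(f"{role} is not assigned to {user}")

    if role and environment:
        # Scenario 1: the role is validated against the environment.
        if environment in ROLE_ENVIRONMENTS.get(role, ()):
            return Outcome("SIGNED_IN")
        return Outcome("ENVIRONMENT_CHOOSER", valid_environments(role))
    if role:
        # Scenario 2: only the role was entered.
        return Outcome("ENVIRONMENT_CHOOSER", valid_environments(role))
    if environment:
        # Scenario 3: only the environment was entered.
        return Outcome("ROLE_CHOOSER", valid_roles(user, environment))
    # Scenario 4: nothing entered; roles are filtered by the default
    # environment, and the Environment Chooser follows once a role is picked.
    return Outcome("ROLE_CHOOSER", valid_roles(user, DEFAULT_ENVIRONMENT))


def sign_in_combinations(user):
    """Every (role, environment) pair the user can sign in with."""
    return sorted(
        (role, env)
        for role in USER_ROLES.get(user, ())
        for env in ROLE_ENVIRONMENTS.get(role, ())
    )


if __name__ == "__main__":
    print(resolve_sign_in("USER1", "ENV_PROD", "AUDIT"))
    print(resolve_sign_in("USER1"))
    print(sign_in_combinations("USER1"))
```
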


3.5.4 Understanding the Menu Filtering Role Chooser

In P95921, you can select the 'Choose role on Menu filtering page' option to give users the ability to filter menus by role in the EnterpriseOne Menu. When enabled, the JD Edwards EnterpriseOne web client displays the Role drop-down menu above the EnterpriseOne Menu. From the Role drop-down menu, users can select *ALL (All My Roles) to view a concatenated list of all the tasks enabled for every role that is included in the *ALL role. Alternatively, users can select a particular role from the Role drop-down menu and the system displays only the tasks enabled for that role in the EnterpriseOne Menu.

The 'Choose role on Menu filtering page' option is a global setting. When enabled, it applies to all users in the system.

In order for users to filter menus by role:

  • The system administrator must enable the 'Choose role on Menu filtering page' option in P95921.

  • Users must sign in using *ALL.

Note:

If a user signs in to JD Edwards EnterpriseOne using a particular role instead of *ALL, then the system only displays the tasks in the EnterpriseOne Menu for that role; the user cannot select a different role in the EnterpriseOne Menu.

See Also:

  • Enabling the Role Chooser.

  • Understanding User Roles.

3.5.5 Understanding Workstation Initialization File Parameters

At the JD Edwards EnterpriseOne sign-in, you can select one or more roles, depending on how many are assigned to you. If you select *ALL, you enter JD Edwards EnterpriseOne in all of the assigned roles that are flagged as Include in *ALL. Two parameters relate to roles in the workstation jde.ini file. These parameters are defined by the administrator when JD Edwards EnterpriseOne is first configured, so you should not have to perform this task when performing routine administrative tasks. This table shows the parameters, the .ini file section in which they are found, and the default settings:

| Jde.ini Parameter | Jde.ini Section | Default Setting |
|---|---|---|
| LASTROLE | [SIGNON] | *ALL. Defines the role that appears for the user at sign-in. |
| Default Role | [DB SYSTEM SETTINGS] | *ALL |

The LASTROLE parameter value defines the role that appears in the sign-in screen when JD Edwards EnterpriseOne is launched.

3.5.6 Forms Used to Set Up Roles

| Form Name | FormID | Navigation | Usage |
|---|---|---|---|
| Work With User / Role Profiles | W0092D | Systems Administration Tools (GH9011), User Management, User Profiles (P0092). | Locate and review existing roles and access additional forms to add or revise roles. |
| User Profile Revisions | W0092A | On the Work With User/Role Profiles form, from the Form menu, select Add Role. Click the Roles Only option, click Find, select a role, and then click Select. | Create a role or revise information for an existing role. |
| Work With Role Sequences | W0092L | On the Work With User/Role Profiles form, from the Form menu, select Role Sequence. | Define the sequence of roles. |
| User Environment Revisions | W0092C | On the Work With User/Role Profiles form, select a role, and then select Environments from the Row menu. | Add an environment to a role. |
| Work With Role Relationships | W95921A | On the Work With User/Role Profiles form, select Role Relationships from the Form menu. | Set up, revise, and remove roles for a user. |
| Role Revisions | W95921C | On the Work With Role Relationships form, select a role from the Available Roles tree and click the left-arrow button. | Enter dates on which you want the role to start and end (optional). You can also select an option to add the role to the user's *ALL sign-in. |
| Enable/Disable Role Chooser | W95921E | On the Work With Role Relationships form, select Enable Role Chooser from the Form menu. | Enable user to choose role from a list of all assigned roles at sign-in. |
| Work with Distribution Lists | W95921A | On the Work With Role Relationships form, select Distribution Lists from the Form menu. | Create role-to-role relationships that help define workflow e-mail distribution lists. |
| Work With Delegation Relationships | W95921J | On the Work With Role Relationships form, select Roles Delegation from the Form menu. | Delegate role relationship records to other users. |
| Add Roles to User | W95921P | On the Work With Role Relationships form, from the Form menu, select Add Roles to User. | Add roles to a user. |
| Add Users to Roles | W95921Q | On the Work With Role Relationships form, from the Form menu, select Add Users to Roles. | Add users to a role relationship record. |
| Copy User Roles | W95921O | On the Work With Role Relationships form, complete the User field and click Find. Click Copy. | Copy roles from one user to another. |
| Work With Language Role Descriptions | W0092J | On the Work With User/Role Profiles form, click the Roles Only option. Select a role, and from the Row menu, select Role Description. | View a role to which you want to add a language translation. Change a role description. |
| Language Role Description Revisions | W0092I | On the Work With Language Role Descriptions form, click Add. | Add or revise a description of the language translation. |

3.5.7 Creating and Modifying Roles

Access the Work With User/Role Profiles form.

  1. Perform one of these operations:

    • To create a new role, select Add Role from the Form menu.

    • To modify an existing profile, click the Roles Only option; click Find and select a role in the detail area; and then click Select.

      Note:

      You cannot add a role by clicking the Add button on the toolbar of the Work With User/Role Profiles form.
  2. On the Role Revisions form, enter the name of the role, such as ACCOUNTING, and a description in the Role field.

    When you modify a role profile, this field displays the name of the role.

  3. In the Sequence Number field, enter a number to specify the sequence number of the role in relation to other roles.

    For a user assigned to more than one role, the sequence number determines which role is chosen when a security conflict exists among the different roles.

  4. Complete any of the remaining fields, as necessary, and click OK.

3.5.8 Migrating Roles

On a client machine, open the Batch Versions application in JD Edwards EnterpriseOne, and run these universal batch engines (UBEs) to migrate generic roles into the environments.

3.5.8.1 Run the TC R89959211

Table Conversion (TC) R89959211 takes all of the current roles in the UGRP field in the Library Lists - User table (F0092) and adds a Description record for them in the Anonymous User Access Table (F00926). Both the role and description are populated with the group name (for example, OWTOOL). A sequence number is added to the record in the F00926 table as well. This sequence number begins at 1500 and increments by 5 with each record that is written.

This TC has no processing options.

The performance of this TC is directly dependent upon the number of *GROUP records in the F0092 table. It should finish quickly.

After processing, this TC produces no report. To verify that the table conversion completed, open the Universal Table Browser (UTB) and check the F00926 table for some of the groups that are defined in the F0092 table. For example, check the field USER for OWTOOL, the field ROLEDESC for OWTOOL, and the field SEQNO for a sequence number that is greater than 1500.

3.5.8.2 Run the TC R8995921

TC R8995921 takes all of the current user profile records in the F0092 table and inserts a user/role relationship record that is based on the F0092.USER and F0092.UGRP fields. The record that is added to the F95921 table contains the user, role (formerly the group for this user in the F0092 table), and effective and expiration dates. Some of these values are based upon the values in the processing options.

The recommended processing option values are:

  • Final/Proof Modes

    It is recommended that the TC be run in proof mode first. This mode inserts records to the F95921 table, but it does not remove the group from the user's profile. After the UBE is successfully run in proof mode, check some of the records in the F95921 table to see if they were added successfully. You can re-run the TC in final mode with the same processing options. A new record is not inserted for the user if the effective date is the same as the previously run TC's effective date, so you only remove the group data from the F0092.UGRP field for that user.

  • Effective Date

    The start date of the role relationship. With current users (those in F0092 table), you want to use the date that the TC is run. (When running in final mode, use the date that the TC was run in proof mode to prevent the system from adding a new set of records into the F95921 table.) This field must not be modified within the role relationship record later.

  • Expiration Date

    The end date of the role relationship. If this date is left blank, the relationship never expires. The role will expire at the beginning of the day of the date that you enter. With the current users (those in the F0092 table), you should leave this blank so they do not expire from their current group or role.

    This field can be modified within the role relationship record later.

  • Included In All

    This flag indicates that the security of this role is applied when the user chooses to enter JD Edwards EnterpriseOne under the role of *ALL. Use this flag if a user is being added to a sensitive role, such as Payroll or PVC. This field can be modified within the role relationship record later.

The performance of this TC directly depends upon how many user records are in the F0092 table. It should finish quickly.

This TC produces no report. To verify that the TC completed in proof mode, open the UTB and check the F95921 table for some of the users who were defined in the F0092 table. See that their old group (F0092.UGRP) is now their Role F95921.RLFRROLE. To verify that the TC has completed in final mode, view the F0092 table through the UTB, and verify that no data is in the UGRP fields.

3.5.8.3 Sequence the Roles

All roles must be assigned a valid sequence number greater than zero in order for the security associated with the role to be applied correctly. The previous UBE and TCs sequence the roles, but probably not in the desired order. Sequence the roles through the Sequence Roles menu option. This displays all of the current roles in a parent/child tree. Expand the tree and view the current sequence number. You can drag and drop these roles into the desired sequence. You must click the Set Sequence exit to commit the role sequence to the database.

3.5.8.4 Add Environments

Environments are added to roles. When a user selects a particular role at sign-in, the environments that are associated with that role appear in the Environment Selection List form. If the user selects *ALL environments, all of the environments that are associated with all of the user's roles that have been marked as 'included in all' appear in the Environment Selection List form. All environments are validated against the user's pathcode.

3.5.8.5 Set up the JDE.INI/JAS.INI file

Open the jde.ini file and jas.ini file and verify these settings:

Note:

You should not have to add or change these settings.

3.5.8.7 Set Up Security

Complete these Universal Batch Engines (UBEs) to set up user security.

3.5.8.8 Run the UBE R98OWPU

UBE R98OWPU performs a select distinct on the F98OWSEC table to find all unique combinations of Proxy (System) User and Data Source. After it finds these records, the UBE inserts them into the F98OWPU table. Each record contains the Proxy User, Data Source, Password, and audit information.

Note:

This UBE must be run locally because the business function resides only on the client machine.

This UBE has no processing options.

The performance of this UBE is directly dependent upon how many system users are associated with user records in the F98OWSEC table. It should finish quickly.

To verify that the UBE completed successfully, open the UTB and check the F98OWPU table for some of the system users that are in F98OWSEC table.

If you want to change a system user password, you have to change it only once for each system user and not for every record in the F98OWSEC table that contains the system user.

3.5.8.9 Run the UBE R98OWUP (Optional)

UBE R98OWUP updates the current F98OWSEC table records, based upon the processing options that you select. This UBE can populate these new fields for current users, as their F98OWSEC table records do not contain values for these options:

  • Password Change Frequency

  • Allowed Sign-in Attempts

  • Enable / Disable User

  • Daily Password Change Limit

  • Force Password Change

Set these processing options:

  • Proof or Final

    Indicates whether to run in proof or final mode. Proof mode does not commit records.

  • Password Change Frequency

    For a given user, this option determines the maximum number of days before the system requires a password change.

  • Allowed Attempts

    The number of times that users can unsuccessfully attempt to log on before their JD Edwards EnterpriseOne account is disabled.

  • Enable/Disable User

    Indicates if the user's account is enabled or disabled. A disabled account is not allowed into JD Edwards EnterpriseOne.

  • Daily Password Change Limit

    The number of times that users can change their password in one day. Because the last ten passwords of a user are stored in the BLOB, allowing users to change their password as many times as they want is a security hole: users who want to keep their current password could change it 11 times in one day to cycle back to the original.

  • Force Immediate Password Change

    This option requires users to immediately change their password. You might not want to set this option for all users.

The performance of this UBE is directly dependent upon how many system users are associated with user records in the F98OWSEC table. It should finish quickly.

To verify that the UBE completed successfully, access the User Security application (P98OWSEC), and find a user or role whose record should have changed. Verify that the values are correct.

3.5.9 Sequencing Roles

The Work With Role Sequences form contains all of the roles that you defined and enables you to assign a sequence to the roles. The sequence defines a hierarchy of roles and determines which role is used when a security conflict exists among roles when a user signs in as *ALL.

The Windows client and Web client differ as to how they use the role sequence to determine which security record is applied. The Web client only checks the first role in the role sequence to determine the security for an application, form, column, row, and so forth. The Windows client checks all the roles in *ALL for security, but uses the role sequence to determine which role to use when there are duplicate security records.

This is an example of duplicate security records in which the JD Edwards EnterpriseOne Windows client is forced to use the role hierarchy to determine which security record to apply:

A user signs in as *ALL. The *ALL has two roles associated with it—Role 1 and Role 2.

  • Role 1 = Form A is secured; no access allowed.

  • Role 2 = Form A is not secured; access allowed.

Because of the conflict in security between these two roles, JD Edwards EnterpriseOne uses the information in the role sequence to determine which role to use for security. If Role 1 was higher in the sequence, then the security for that role is applied.

In this same example, if each of these roles had different security records for the same security type, the system would apply the security as defined by both records. For example, if Role 1 does not allow users to view column A and Role 2 does not allow users to view column B, the user would not be able to view either column on the form.

You can configure the JD Edwards EnterpriseOne Web client to use the same role sequencing functionality as the Windows client. This is recommended if you are migrating from the Windows client to the Web client. To enable this functionality in the Web client, use Server Manager to configure the following setting in the [OWWEB] section of the JAS.INI:

userRoleHierarchy=true
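The difference between the two clients matters for access reviews: a restriction that only a lower-sequenced role carries is applied on the Windows client but not on a Web client that checks only the first role. The following sketch is an added example, not Oracle code; it is a simplified model of the rules described above, and the role names, record layout, and function names are assumptions made for illustration.

```python
# Simplified model of *ALL security resolution as described in this section.
# Constructed sample data: True = access allowed, False = secured (no access).
# Keys are (security type, object) pairs; the layout is an assumption.
SECURITY_RECORDS = {
    "ROLE1": {("form", "Form A"): False, ("column", "A"): False},
    "ROLE2": {("form", "Form A"): True, ("column", "B"): False},
}

# Roles included in *ALL, ordered from highest to lowest in the role sequence.
ROLE_SEQUENCE = ["ROLE1", "ROLE2"]


def effective_security(role_sequence, records, client="windows",
                       user_role_hierarchy=False):
    """Return {(type, object): allowed} for a user signed in as *ALL.

    windows: every role is checked; for duplicate records the role that is
             higher in the sequence wins, and non-conflicting records from
             all roles are applied together.
    web:     only the first role in the sequence is checked, unless
             user_role_hierarchy is True (userRoleHierarchy=true in [OWWEB]),
             in which case the Windows behaviour is used.
    """
    if client not in ("windows", "web"):
        raise ValueError("client must be 'windows' or 'web'")
    if client == "web" and not user_role_hierarchy:
        roles = role_sequence[:1]
    else:
        roles = role_sequence
    effective = {}
    for role in roles:  # highest role in the sequence first
        for key, allowed in records.get(role, {}).items():
            # setdefault keeps the record of the higher-sequenced role
            effective.setdefault(key, allowed)
    return effective


def not_enforced_on_default_web(role_sequence, records):
    """List records the Windows client applies that the default Web client
    either does not apply or resolves differently."""
    win = effective_security(role_sequence, records, client="windows")
    web = effective_security(role_sequence, records, client="web")
    return sorted(key for key, allowed in win.items() if web.get(key) != allowed)


if __name__ == "__main__":
    for label, kwargs in [
        ("Windows client", {"client": "windows"}),
        ("Web client (default)", {"client": "web"}),
        ("Web client, userRoleHierarchy=true",
         {"client": "web", "user_role_hierarchy": True}),
    ]:
        print(label, effective_security(ROLE_SEQUENCE, SECURITY_RECORDS, **kwargs))
    print("Gap on default Web client:",
          not_enforced_on_default_web(ROLE_SEQUENCE, SECURITY_RECORDS))
```

Running the gap check against an export of your own role records before a Windows-to-Web migration shows which restrictions depend on userRoleHierarchy=true.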

Access the Work With Role Sequences form.

  1. Select a role from the tree structure and drag it to the point in the sequence that you want.

    Note:

    The system checks the sequence of roles in descending order.
  2. After you have set the order that you want, select Set Sequences from the Form menu and click Close.

  3. If you decide you do not want to change the sequence, select Close Without Set from the Form menu and click Close.

3.5.10 Adding an Environment to a Role

Use the Work With User/Role Profiles form to assign one or more environments to a role or to change an existing environment for a role. When a user signs in to JD Edwards EnterpriseOne, the Environment Chooser and Role Chooser present each user with a list of valid roles and environments.

Access the Work With User/Role Profiles form.

  1. Select the Roles Only option and click Find.

    Note:

    The Both Users and Roles option also enables you to perform the same task, although the Roles Only option is the simplest way to add an environment.
  2. Select a role from the detail area of the grid, and select Environments from the Row menu.

  3. On the User Environment Revisions form, in the Display Seq. (display sequence) column, specify the order in which the environments will be presented in the Environment Chooser at JD Edwards EnterpriseOne sign-in.

  4. In the Environment column, click the search button to select an environment, and then click OK:

    Note:

    If you want to change an existing environment for a role, enter a new value for the Environment parameter and click OK.

3.5.11 Assigning Business Preferences to a Role

Access the Work With User/Role Profiles form.

  1. Click Find.

  2. Select a role, and then click Select.

  3. On the Role Revisions form, from the Form menu, select Bus Preferences.

  4. On the Business Preferences form, click the search button in the Industry Code field to associate the role with a specific industry, such as manufacturing.

  5. In the Business Partner Code field, click the search button to associate the role with a specific business partner.

  6. In the Customer Code field, click the search button to associate the role with a specific customer.

3.5.12 Setting Up a Role Relationship

Access the Work With Role Relationships form.

  1. Complete the User field and click Find.

    The system displays the user's assigned roles and the available roles in separate tree controls.

  2. Select a role from the Available Roles tree control and click the left arrow button to add it to the list of assigned roles.

  3. On the Role Revisions form, enter an effective date if you want an effective date that is different from today's date.

    Today's date is the default value for the Effective Date field. If you do not use the default value, enter a date later than today's date; otherwise the software returns an error message.

  4. Enter an expiration date in the Expiration Date field, if one is needed.

    The role will expire at the beginning of the day of the date that you enter. The role will not expire if you do not complete the Expiration Date field.

  5. Select the Include in *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles, and click OK.

    If you do not select the Include in *ALL option, this role will not be part of the active roles when the user enters JD Edwards EnterpriseOne using *ALL as his role at sign-in. To activate a role that is not included in *ALL, the user must select that particular role when signing on to the system. The chosen role will be the only active role during that session.
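The date and *ALL rules in this procedure determine which roles are active for a given sign-in, which is what an access review needs to reproduce. The following sketch is an added example, not Oracle code; the record layout, user ID, role names, and function names are assumptions, and the sample relationships are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ALL = "*ALL"


@dataclass(frozen=True)
class RoleRelationship:
    """One user/role relationship record (field names are illustrative)."""
    user: str
    role: str
    effective: date
    expiration: Optional[date] = None  # blank expiration: never expires
    include_in_all: bool = False

    def is_current(self, on: date) -> bool:
        # A role starts on its effective date and expires at the beginning
        # of the day of its expiration date, so that day is already excluded.
        if on < self.effective:
            return False
        return self.expiration is None or on < self.expiration


def active_roles(relationships, user, sign_in_role, on):
    """Return the sorted roles active for this user, sign-in choice and date."""
    current = [r for r in relationships if r.user == user and r.is_current(on)]
    if sign_in_role == ALL:
        # *ALL activates only the roles flagged Include in *ALL.
        chosen = {r.role for r in current if r.include_in_all}
    else:
        # A specifically selected role is the only active role in the session.
        chosen = {r.role for r in current if r.role == sign_in_role}
    return sorted(chosen)


# Constructed sample records for a hypothetical user.
SAMPLE = [
    RoleRelationship("JSMITH", "AP", date(2024, 1, 1), include_in_all=True),
    RoleRelationship("JSMITH", "PAYROLL", date(2024, 1, 1), include_in_all=False),
    RoleRelationship("JSMITH", "TEMPAUDIT", date(2024, 6, 1),
                     expiration=date(2024, 7, 1), include_in_all=True),
]

if __name__ == "__main__":
    for day in (date(2024, 5, 31), date(2024, 6, 30), date(2024, 7, 1)):
        print(day, "*ALL ->", active_roles(SAMPLE, "JSMITH", ALL, day))
    print("PAYROLL ->", active_roles(SAMPLE, "JSMITH", "PAYROLL", date(2024, 6, 30)))
```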

3.5.13 Enabling the Role Chooser

Access the Work With Role Relationships form.

  1. From the Form menu, select Enable Role Chooser.

  2. To enable users to select a role from a list of assigned roles at sign-in, on the Enable/Disable Role Chooser form, select the 'Choose role on Login page' option.

    If you do not select this option, users must enter JD Edwards EnterpriseOne using *ALL.

  3. To enable users to filter menus by role in the EnterpriseOne Menu, select the 'Choose role on Menu Filtering page' option.

Note:

Both the Role Chooser and Menu Filtering Role Chooser options are global settings. When enabled, they apply to all users in the system.

3.5.14 Creating Role-to-Role Relationships

Access the Work With Role Relationships form.

  1. From the Form menu, select Distribution Lists.

  2. On the Work With Distribution Lists form, complete the Role field and click Find.

  3. To add a role to the distribution list, select a role from the Available Roles tree control and click the left-arrow button.

  4. On Role Revisions, complete these fields and click OK:

    • Effective date

      Enter an effective date if you want the delegation to occur at a date other than the current date.

    • Expiration date

    • Include in *All

      Select this option if you want the role to be one that the user can use if the user enters JD Edwards EnterpriseOne playing all roles.

  5. Select the *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles.

    JD Edwards EnterpriseOne adds the role to the Assigned Roles tree control.

  6. To remove a role from the distribution list, select a role from the Assigned Roles tree control and click the right-arrow button.

    Note:

    JD Edwards EnterpriseOne does not currently support multilevel roles.

3.5.15 Delegating Roles

Access the Work With Role Relationships form.

  1. From the Form menu, select Roles Delegation.

  2. On the Work With Delegation Relationships form, complete the Delegate field by entering the user ID of the user being delegated to and click Find.

    The roles of the user who is delegating appear in the Available Roles tree control. The roles of the user who is being delegated to appear in the Assigned Roles tree control.

  3. To delegate a role, select the role from the Available Roles tree control and click the left-arrow button.

  4. Complete these fields and click OK:

    • Effective date

      Enter an effective date if you want the delegation to occur at a date other than the current date.

    • Expiration date

  5. Select the *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles.

    JD Edwards EnterpriseOne adds the delegated role to the Assigned Roles tree control on the Work With Delegation Relationships form.

    Note:

    You can use the right-arrow button in the Work With Delegation Relationships form only to remove a role that you delegated to another user. If you try to remove a role that you did not delegate to the user, the software will display a dialog box notifying you that the action is invalid.

3.5.16 Adding Roles to a User

The Add Roles to User form enables you to copy one or more role relationship records to a single user, which is a particularly useful action if you want the user to play many roles. You can copy as many records as you want at one time.

Access the Work With Role Relationships form.

  1. From the Form menu, select Add Roles to User.

  2. Complete the User ID field and click Find.

  3. Select the roles that you want to add to the user and click Select.

    Hold down the Control key to select more than one role to add.

  4. On the Role Revisions form, complete these fields:

    • Effective Date

      Enter a date if you want the effective date to be different from the current date.

    • Expiration Date

      The role will expire at the beginning of the day of the date that you enter.

    • Include in *All

  5. Select the *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles.

  6. Click OK.

  7. If you are adding more than one role relationship record, complete the Role Revisions form for each record that you are adding.

3.5.17 Adding Users to a Role

Access the Work With Role Relationships form.

  1. Select Add Users to Roles from the Form menu.

  2. Complete the Role field and click Find.

  3. Select the users that you want to add to a role and click Select.

    Hold down the Control key to select more than one user to add.

  4. In the Role Revisions form, complete these fields:

    • Effective Date

      Enter a date if you want the effective date to be different from the current date.

    • Expiration Date

    • Include in *All

  5. Select the *ALL option if you want the role to be one that the user can play if the user enters JD Edwards EnterpriseOne playing all roles.

  6. Click OK.

  7. If you are adding more than one user record, complete the Role Revisions form for each record you are adding.

3.5.18 Copying User Roles

You can copy the role relationship records of one user to another from Role Relationships (P95921). You can either copy and add the records, which means that JD Edwards EnterpriseOne adds the copied records to the user's existing records; or you can copy and replace the records, which means that the copied records replace the user's existing records.

Access the Work With Role Relationships form.

  1. Complete the User field and click Find.

    The user's roles appear in the Assigned Roles tree control.

  2. Click Copy.

  3. On the Copy User Roles form, select one of these options:

    • Copy and Add

    • Copy and Replace

  4. Complete the To User field to specify the user to whom you want the records copied.

  5. Click OK.

3.5.19 Adding a Language Translation to a Role

Using the Language Role Description Revisions form, you can either set up the translation of any role that you have defined, or you can change role descriptions for any language.

If you want to view the descriptions of any role in all the languages into which it is being translated, use the Work With Language Role Descriptions form.

Access the Work With User/Role Profiles form.

  1. Select the Roles Only option.

    Note:

    The Both Users and Roles option also enables you to perform this task.
  2. Select a role from the detail area of the grid and select Role Description from the Row menu.

  3. To add a language to a role, click Add.

  4. On the Language Role Description Revisions form, in the Role field, enter the name of the role to which you want to add a language.

  5. In the Language field, click the search button to select a language from the list of supported languages.

  6. Enter a description of the role in the Role Description field, and then click OK.