Lean, agile, scalable JD Edwards security: It’s easier than you think
The need to rapidly adapt to remote working during the last few months has been quite challenging for some organizations – but it has also yielded some unexpected benefits.
A recent survey found some employers reporting that remote working has increased productivity, and they are likely to encourage employees to continue to work from home on economic grounds even post-Covid (a state that we are all dreaming of…).
But of course, this poses technological challenges, particularly around security. With people accessing your JD Edwards EnterpriseOne system from a multitude of locations, it’s never been more important to manage and monitor who can see and do what.
But JDE security is very complex. It can take even skilled technical staff an inordinate amount of time to establish what users can access, and to implement security changes when processes, working practices and personnel change.
If you’re concerned about possible gaps in your security, or find that managing JDE security is too costly and time-consuming, now may be a good time to review it and reduce your dependence on specialist skills. A little investment now will deliver peace of mind, significant savings over time, and agility to respond quickly and easily to changes in the future, whether planned or unforeseen.
The only place to be: All Doors Closed and Role-based Access Control
Most people would agree on the destination. Consultants, auditors and security experts who offer advice on Best Practice extol the virtues of implementing Deny-All security with a policy of Least Privilege Access. In other words, you close everything down, and then explicitly grant access only to the functions and data that users need to do their jobs.
To manage that efficiently you need to implement Role-based Access Control – so you’re managing security for (say) 50 roles, rather than for hundreds or thousands of users. If business processes change, you just update the affected roles to apply the changes to all the relevant users. As new staff join or existing users change jobs, you add and remove roles as appropriate. As you diversify or acquire more businesses, you can add new roles to support the new processes. Consistent controls with minimal effort.
So far so good. But getting to that place can take a fair amount of effort. To successfully design roles from scratch, IT and Business need to work together to understand the processes, establish who should carry out which tasks, identify which applications are involved, and then translate that into security settings that grant the right access to all roles.
We’ve found that the best way to achieve that is by organizing Role Design Workshops which bring IT and Business users together, and we’ve helped many of our customers to run them, resulting in great role-based security models geared to the organization’s precise needs. But the process can take a fair amount of time.
Sometimes, for a variety of reasons, companies just need to get reliable JDE security in and working as quickly as possible. But they don’t want to sacrifice efficiency, flexibility and sustainability for the sake of expediency.
Introducing AutoSecure: the fast route to compliant, role-based security
We recently launched AutoSecure to address this need. It offers JD Edwards customers a comprehensive set of predefined roles, including the security settings needed to grant users their required access.
Now don’t get me wrong. There’s no such thing as a “standard” or “Best Practice” set of roles, because every organization has processes that are specific to the way they do business. But many companies use similar processes, so in some cases it makes sense to take a “starter” set and tailor them to achieve the perfect fit.
So you use AutoSecure to import seeded roles and security settings, add security for any custom applications or versions, and data security as appropriate, and assign the roles to test user IDs so that you can test and adapt them as needed.
You can also import a starter set of Segregation of Duties rules, which can be customized to reflect your company policies. The seeded roles as issued are free from SoD conflicts when tested against the SoD rules provided, but as you adapt the roles and/or rules, you can check for SoD conflicts before you deploy them to your test or production environment.
So, depending on how many customizations you have, you can create an efficient role-based security model and be ready to test it within hours.