Brian,
I think you answered your own question. Process security would seem the most efficient to maintain long term (versus customization and deployment of two versions of the application that would trap & effectively disable specific sets of BO methods in each version).
I'd go with your gut on this one. The reasoning is sound & it is probably more likely to survive the upgrade cycle with much less need to tinker.
The only caveat to process security is to make sure you don't have manager (full admin db & process rights) enabled BPMs, BAMs (and possibly SC workflows - although I know little about them in this regard) running that might circumvent your desired limits on groups of users to execute specific processes.
With this particular app, there probably is only a minute chance you've put anything in place like that that might cause your process security to fail to truly limit access to desired groups of related BO method execution.
It seems like a low risk/time investment way to attempt to comply with your SOX auditor recommendation.
Why not give it a trial run?
Rob
--- On Fri, 5/1/09, Brian W. Spolarich <bspolarich@...> wrote:
From: Brian W. Spolarich <bspolarich@...>
Subject: [Vantage] Separation of Duties: GL Entry Create vs. Post
To: vantage@yahoogroups.com
Date: Friday, May 1, 2009, 5:50 PM
Vantage puts the creation and posting of GL entries in the same
program.
How to accomplish separation of duties? Our SOX auditors want us to
ensure that those who create JEs aren't the same folks that approve
them.
I'm thinking I can use Process Security to restrict access to
BO.GLJrnGroup.PostGroupJournals() to only a given security group, but I
figured I'd ask folks here how they've accomplished this.
-bws
--
Brian W. Spolarich ~ Manager, Information Services ~ Advanced Photonix /
Picometrix
bspolarich@advancedphotonix.com ~ www.advancedphotonix.com