Rights — Users / Roles / OUT

The Rights — Users / Roles / OUT screen returns the union of two data sets:

  • Declared rights — every SER_RUN = 'Y' row from the security rights table (the rules the source system applies at runtime).
  • Observed activity — every distinct (user, object) pair captured by Object Usage Tracking, marked with synthetic role *ALL, action *DEFAULT and full Y / Y / Y action flags.

The result is the security workbench seen through the lens of usage: what users are allowed to do and what they have actually been doing, side by side.


At a glance

Nomasx-1 · Applications · Rights · Users / Roles / OUT

| APP | USER | ROLE | OBJECT | VERSION | RUN | ADD | CHG | DEL |
|---|---|---|---|---|---|---|---|---|
| 12 | APMGR | ACCT_AP | P0411 | ZJDE0001 | Y | Y | Y | N |
| 12 | APMGR | *ALL (observed) | P4310 | ZJDE0001 | Y | Y | Y | Y |
| 12 | SVC_BATCH | *ALL (observed) | R31410 | XJDE0001 | Y | Y | Y | Y |

DECLARED vs OBSERVED: Rows marked *ALL (observed) come from Object Usage Tracking — the user did run that object regardless of whether a declared rule covers it.

Goal of the view

For each connected application:

  • Declared + observed in one place. Audit the right as written (declared rows) and the right as exercised (observed rows) without juggling two screens.
  • Spot the over-grants. A user with declared rights they have never exercised is the cleanest revocation candidate — the Activity log and OUT views are the supporting evidence.
  • Spot the under-grants. A user appearing on *ALL (observed) rows for an object that has no declared coverage points to either an inherited rule the analysis missed or a bypass that needs investigation.

JDE-specific

This view is JDE-specific: the observed half comes from LICENSE_JDE_OUT, joined to the JDE objects and licence component tables. Other source systems can populate the same view by exposing an equivalent usage log.


Columns

| Column | Source | What it tells you |
|---|---|---|
| Application ID | SER_APPS_ID — application identifier. Filterable. | Which application the row applies to. |
| User ID | SER_USER_ID — user. Filterable. | The effective user. |
| Role ID | SER_ROLE_ID — role granting the right, or *ALL for observed rows. | Provenance of the row. |
| Object | SER_OBJECT — technical object. Filterable. | What the row covers. |
| Form | SERL_FORM — form code, or *ALL for observed rows. | Specific form, when known. |
| Version | SER_VERSION — processing version. | Configuration variant. |
| Run / Add / Change / Delete | SER_RUN, SER_ADD, SER_CHG, SER_DEL: Y / N. | Action flags. Observed rows always report Y / Y / Y / Y (the source system would not have run the call otherwise). |
| Role Action ID | SER_ROLE_ACTION_ID — action identifier, or *DEFAULT for observed rows. | Source-system action descriptor. |

Tips & best practices

  • Filter on a single user + group by Object — rows with several entries cross-prove that the right is both declared and exercised. Rows with only one entry (declared or observed, not both) are the discrepancies worth investigating.
  • Sort by Role ID with *ALL rows at the top — that brings the observed-but-not-declared rows to the surface.
  • Trim role-level rights of objects only seen on *ALL — meaning never declared, never reached from a menu — they are usually leftovers of a previous configuration.
  • For batch / service accounts, expect the majority of rows to be *ALL (observed) since these accounts rarely have explicit role-level coverage. Tag them in Settings → Users properties so they do not pollute the analysis.
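
The declared-versus-observed comparison from the first tip, written out as an added example (it is not part of the product or its documentation). It assumes the view has been exported as records keyed by the column names above; the classify and row helpers, the user CLERK1 and the last two sample rows are constructed for illustration.

```python
from collections import defaultdict

OBSERVED_ROLE = "*ALL"  # synthetic role the view assigns to Object Usage Tracking rows

def row(app, user, role, obj):
    """Build one exported record using the view's column names."""
    return {"SER_APPS_ID": app, "SER_USER_ID": user,
            "SER_ROLE_ID": role, "SER_OBJECT": obj}

# Constructed sample export. The first three rows mirror the "At a glance" sample;
# the last two (including user CLERK1) are invented for illustration.
ROWS = [
    row("12", "APMGR", "ACCT_AP", "P0411"),
    row("12", "APMGR", "*ALL", "P4310"),
    row("12", "SVC_BATCH", "*ALL", "R31410"),
    row("12", "APMGR", "*ALL", "P0411"),
    row("12", "CLERK1", "ACCT_AP", "P0411"),
]

def classify(rows, service_accounts=frozenset()):
    """Label each (application, user, object) group found in the view.

    declared+observed : the right is written down and exercised
    declared-only     : never exercised, a revocation candidate (over-grant)
    observed-only     : exercised without declared coverage (under-grant);
                        an inherited rule was missed or a bypass needs review
    Accounts in service_accounts are skipped, like tagged batch accounts.
    """
    groups = defaultdict(lambda: {"roles": set(), "observed": False})
    for r in rows:
        if r["SER_USER_ID"] in service_accounts:
            continue
        key = (r["SER_APPS_ID"], r["SER_USER_ID"], r["SER_OBJECT"])
        if r["SER_ROLE_ID"] == OBSERVED_ROLE:
            groups[key]["observed"] = True
        else:  # declared rows in this view already satisfy SER_RUN = 'Y'
            groups[key]["roles"].add(r["SER_ROLE_ID"])
    labels = {}
    for key, g in groups.items():
        if g["roles"] and g["observed"]:
            labels[key] = "declared+observed"
        else:
            labels[key] = "declared-only" if g["roles"] else "observed-only"
    return labels

if __name__ == "__main__":
    for key, label in sorted(classify(ROWS, {"SVC_BATCH"}).items()):
        print(*key, label)
```

Grouping is at object level, as in the tip; form and version are ignored, so a right declared for one version counts as coverage for usage observed on another.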