Skip to main content

Assignments

The Assignments screen lists every active link between a user and a role, on every connected application. One line per (Application, User, Role) triplet. It is the table everyone goes back to in order to answer the single most common audit question: "who holds what?"

The query only returns assignments for users whose USR_STATUS = '01' — i.e. active accounts. Inactive accounts may still hold rows in the underlying table, but they are excluded from this view to keep the audit trail focused.

At a glance

Nomasx-1 · Security · AssignmentsAPPUSERROLEEFFECTIVEEXPIRATION12APMGRACCT_AP2019-03-1412APMGR*APPROVER2019-03-1412JDOECONTRACTOR2024-01-152026-06-3021BENEMGRHR_BEN2021-01-081 — 50 of 4 312 · 3 expiring this quarter

Goal of the view

For every active role assignment on any connected application:

  • Who holds what? This is the canonical table for the access review — one line per active user × granted role.
  • Since when? The effective date drives the new access this quarter question. Filter the column on the review period to list every new grant.
  • For how long? Time-bounded assignments (contractor accounts, project-based access, temporary delegations) carry an expiration date. Sort it ascending to spot what is about to expire.

The screen is the second stop after Users in every quarterly access review.

Columns

ColumnSourceWhat it tells you
Application IDRLU_APPS_ID — application identifier from the source system. Filterable.Which application the assignment applies to.
User IDRLU_USER_ID — linked to the user catalog (USR_APPS_ID, USR_ID). Filterable, filtered down by the selected application.The user holding the role.
Role IDRLU_ROLE_ID — linked to the role catalog (ROL_APPS_ID, ROL_ID). Filterable, filtered down by the selected application.The role granted to the user.
Effective DateRLU_DT_EFFECTIVE — date.When the assignment took effect in the source system.
Expiration DateRLU_DT_EXPIRATION — date, may be empty.When the assignment is scheduled to expire. Empty means permanent.

Hidden columns kept on the row: RLU_DT_REFRESH, RLU_UKID.

The three filter inputs above the grid (Application ID, User ID, Role ID) all support the standard contains / equals / not equals / starts with / ends with operators, and the User ID / Role ID lookups are scoped to the application chosen above.

JDE-specific

On JD Edwards EnterpriseOne, *ALL is the default sign-on role: when a user signs on with *ALL, the security of every role assigned to them is combined and applied together. Assigning a role to a user therefore includes it in that user's *ALL bundle. The alternative is to sign on under a single specific role, applying only that role's security.

Tips & best practices

  • Filter Effective Date on the current quarter to list every new assignment granted in that window — the baseline for the new access section of the audit report.
  • Sort Expiration Date ascending to bring time-bounded assignments to the top. Compare with HR to confirm departures and project ends.
  • Filter User ID on a single user to obtain that user's full role wallet — the same data appears richer on the Users Audit screen.
  • Filter Role ID on a single role to count its holders. Combined with the Roles screen sequence, this is what tells you whether a role can be retired safely.