Skip to main content

I want to brainstorm here with you experts. AT present, we are using IFSAPP for a lot of things, all scheduled and background jobs run by IFSAPP and all of our development team uses IFSAPP for their development ,testing and helping any stuck auto process, purposes.

Auditor thinks its a risk factor, especially in Accounting processes. We are planning on creating a finance user and schedule invoicing etc jobs under it. The Question is if i create a new user for this purpose, what should i keep in mind , any special treatment like any basic data etc requirement…

 

How are your business handling situations like this. For Example, are developers using their personal ID’s for development/implementation purposes.. Do you have any Super user accounts.

What are best practices….

Reference to any document etc.

 

Thanks

 

First of all it is good that you use ifsapp or at least generic user for scheduled jobs. You could also use ifssys. If you have a specific integration or automated process I believe it is quite common to create a user for that with the very exact/limited acces that it needs to perform what it should. 
 

Regarding development I would say that you can leave Ifsapp as a shared user in test, preprod environments but not production environment. There you can consider granting them acces to proxy as ifsapp on the database. (The application cannot do that) but at least that will allow developers to check things in the db whilst you can still tell who is logged in and doing what. A permission set for developers can also be created with a little extra/special permission set which would allow you to tell who is doing what. 

Hi @KHALIDU 

It is best practice to limit the use of the IFSAPP account even within technical teams on the PROD env. It is a risk so only use it when it is necessary.

Consider using IFSADMIN for managing security, creating custom objects, reports, etc.

When it comes to scheduled tasks (background jobs) it depends on what job is running. If it is a Finance related activity that could throw warnings/messages that the users should be able to see in order to resolve; then consider running those jobs as the user themselves. Or as you say create a generic account (I used to use one called FINSHED  - Finance Scheduling). Then multiple users can log in using that account as long as they are careful. Of course this consumes a full license.

Users can only see their own Background Jobs unless you grant the ADMINISTRATOR System Privilege - this isn’t ideal as this gives them enhanced access to reschedule any scheduled tasks as themselves (along with full access to Report Archive amongst other things). Not something I would recommend.

If you decide on this approach (disagreeing with @JULIAN  here) I would follow the same procedure in all instances (including test instances). Governance and control is much easier followed when staying consistent.

Cheers,

Pete

Thanks @JULIAN  and @pwlm 

so we decided to create a separate User for running scheduled Jobs for Finance, Do this new User will need any special permissions or need to include in any specific tables , grants etc for it to work for scheduled jobs smoothly…. i will be testing this in next week. 

As i saw in some views have code that checks if the user has certain privileges like history audit tables etc.

At present the finance user is able to invoice via ‘quick order flow handling’. 

Your tips will make my work smoother and life easier.

 

Thanks.

That is difficult for us to say exactly what it will need because it depends on what it needs to do. 
if it is a user that runs one specific scheduled task then it will need access scheduled jobs, whichever function it runs and surely the view(s) that it uses e.g. if custom event is involved where it select certain data. 

Reply


Terms & ConditionsCookie settings