Spreadsheets cannot reliably model role ordering, cross-module entitlements, or the volume of security lines in a mature JD Edwards estate. That leads to missed conflicts, stale access, and weak audit evidence. A review process that cannot keep pace with configuration change stops being a control and becomes a report.
Why This Matters for Security Teams
JD Edwards access reviews fail when teams treat security as a spreadsheet exercise instead of a live control. JDE estates often contain inherited roles, indirect entitlements, and module-specific exceptions that do not flatten cleanly into rows and columns. The result is not just administrative drift. It is missed segregation-of-duties conflicts, stale access that survives reorgs, and review evidence that cannot prove what changed between exports. That is exactly the kind of gap highlighted in the Ultimate Guide to NHIs, where NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts.
For JD Edwards, the practical problem is that reviewers need to understand effective access, not just assigned access. A spreadsheet can list a security profile, but it does not reliably show whether that profile is inherited, duplicated across business units, or enabled only under certain processing options. NHI security discipline points in the same direction: without current state and lifecycle awareness, review output becomes brittle documentation rather than enforceable governance. In practice, many security teams encounter the control failure only after an audit exception or an access incident has already exposed the gap.
How It Works in Practice
Effective JD Edwards reviews need to start from system truth, then map that truth into reviewable evidence. That usually means extracting security records, role definitions, and user-to-role assignments directly from the environment, then normalising them so reviewers can see effective access across modules. The OWASP Non-Human Identity Top 10 reinforces a similar principle for machine access: a static export is only useful when it is tied to ownership, lifecycle, and revocation.
In a mature JDE estate, the review process should account for:
- role ordering and inheritance, so reviewers understand what access is granted indirectly
- cross-module entitlements, especially where finance, manufacturing, and procurement overlap
- security lines that multiply across business units, environments, or data centers
- segregation-of-duties conflicts that emerge only when entitlements are combined
- evidence of recertification, approval, and remediation that can be reproduced later
The practical approach is a controlled extraction pipeline, with policy checks (segregation-of-duties rules, least-privilege baselines, orphaned or unowned accounts) applied before the review reaches approvers. That is closer to how modern identity governance works in practice and is consistent with the lifecycle focus in the NHI Lifecycle Management Guide. Where possible, teams should preserve source timestamps, change identifiers, and reviewer decisions in a tamper-evident workflow so the audit trail shows what was reviewed, when, and against which configuration state. These controls tend to break down when JDE security is heavily customised across multiple environments, because effective access can change faster than spreadsheet-based certification cycles.
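The pipeline described above, as an added worked example that is not part of the original guidance or of any JD Edwards tooling: a constructed extract of role sequences, role entitlements and user-to-role assignments is resolved into effective access, compared with what was merely assigned, checked against a small segregation-of-duties policy, and fingerprinted so a reviewer's decision is bound to the configuration state it was made against. Assumptions: the conflict rule (the role with the higher sequence number wins, and deny wins a tie) is a simplification of JDE role sequencing and must be replaced by the estate's actual configuration; the role names, users, object IDs and SoD rules are illustrative; a real extract would be read from the security workbench and role relationship tables rather than embedded inline.

```python
"""Added example: effective access, SoD checks and evidence fingerprinting
for a JDE-style security extract. All data below is constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Assumption: each role carries a sequence number; where two roles assigned
# to one user disagree about the same object/action, the higher sequence
# wins and deny wins a tie. Real JDE role sequencing is read from the estate.
ROLE_SEQUENCE = {"READONLY": 5, "AP_CLERK": 10, "PURCHASING": 15,
                 "AP_MANAGER": 20, "LOCKDOWN": 99}

# Normalised security records: role -> {(object, action): allowed}.
# Object IDs are illustrative program names; a deny is an explicit record.
ROLE_ENTITLEMENTS = {
    "AP_CLERK":   {("P0411", "ADD"): True,  ("P04571", "RUN"): False},
    "AP_MANAGER": {("P04571", "RUN"): True},
    "PURCHASING": {("P4310", "ADD"): True,  ("P4314", "ADD"): True},
    "READONLY":   {("P0411", "ADD"): False, ("P4310", "ADD"): False},
    "LOCKDOWN":   {("P0411", "ADD"): False, ("P04571", "RUN"): False},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "JSMITH": ["AP_CLERK", "AP_MANAGER"],   # manager role overrides a clerk deny
    "ABROWN": ["PURCHASING", "READONLY"],   # read-only deny loses on sequence
    "CLEE":   ["AP_CLERK", "LOCKDOWN"],     # assigned grant is not effective
}

# SoD policy: (rule name, entitlement A, entitlement B) that must not combine.
SOD_POLICY = [
    ("create purchase order + match voucher", ("P4310", "ADD"), ("P4314", "ADD")),
    ("enter voucher + release payments", ("P0411", "ADD"), ("P04571", "RUN")),
]


def effective_access(user):
    """Resolve assigned roles into {(object, action): (allowed, deciding_role)}."""
    decided = {}  # (object, action) -> (allowed, role, sequence)
    for role in USER_ROLES[user]:
        seq = ROLE_SEQUENCE[role]
        for key, allowed in ROLE_ENTITLEMENTS[role].items():
            current = decided.get(key)
            wins = current is None or seq > current[2]
            tie_deny = current is not None and seq == current[2] and not allowed
            if wins or tie_deny:
                decided[key] = (allowed, role, seq)
    return {k: (allowed, role) for k, (allowed, role, _) in decided.items()}


def overridden_grants(user):
    """Grants present in an assigned role that are not effective because a
    higher-sequence role denies the same object/action: the gap a flat
    role list hides from a reviewer."""
    eff = effective_access(user)
    return [(role, key, eff[key][1])
            for role in USER_ROLES[user]
            for key, allowed in ROLE_ENTITLEMENTS[role].items()
            if allowed and not eff[key][0]]


def sod_conflicts(user):
    """SoD rules violated by effective access, i.e. conflicts that only
    exist once entitlements from several roles are combined."""
    eff = effective_access(user)
    return [name for name, left, right in SOD_POLICY
            if eff.get(left, (False, None))[0] and eff.get(right, (False, None))[0]]


def config_fingerprint():
    """SHA-256 of the canonical extract, so a decision can be tied to the
    exact configuration state it was made against."""
    canonical = json.dumps({
        "sequence": ROLE_SEQUENCE,
        "entitlements": {r: sorted([o, a, ok] for (o, a), ok in e.items())
                         for r, e in ROLE_ENTITLEMENTS.items()},
        "users": USER_ROLES,
    }, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def review_packet(user, reviewer, decision, extracted_at):
    """Evidence record for one user: effective access, overridden grants,
    SoD hits, extract timestamp and the fingerprint the decision rests on."""
    return {
        "user": user,
        "effective_access": {f"{o}:{a}": {"allowed": ok, "via": role}
                             for (o, a), (ok, role) in sorted(effective_access(user).items())},
        "overridden_grants": [f"{role} {o}:{a} overridden by {via}"
                              for role, (o, a), via in overridden_grants(user)],
        "sod_conflicts": sod_conflicts(user),
        "extracted_at": extracted_at,
        "config_fingerprint": config_fingerprint(),
        "reviewer": reviewer,
        "decision": decision,
    }


def stale(packet):
    """True when configuration changed since the packet was produced, so the
    recorded decision no longer describes live access."""
    return packet["config_fingerprint"] != config_fingerprint()


if __name__ == "__main__":
    extracted = datetime.now(timezone.utc).isoformat()
    for u in USER_ROLES:
        print(json.dumps(review_packet(u, "reviewer@example.invalid", "pending", extracted), indent=2))
```

The `overridden_grants` output is the part a spreadsheet of assigned roles cannot show: CLEE holds AP_CLERK, which grants voucher entry, yet the higher-sequence LOCKDOWN role makes that grant ineffective. The `sod_conflicts` output shows the opposite failure, where JSMITH's AP_MANAGER role overrides the clerk role's deny on payment release and a voucher-entry plus payment-release conflict exists only in the combined result. `stale` compares the fingerprint recorded at decision time with a fresh extract, which is the check that catches access changed after the export.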
Common Variations and Edge Cases
Tighter review control often increases operational overhead, requiring organisations to balance audit precision against remediation speed. That tradeoff becomes sharper in JDE environments with custom roles, emergency access paths, or frequent post-deployment security updates. Best practice is evolving here: there is no universal standard for how much role inheritance detail must be shown to every reviewer, but there is broad agreement that reviewers must see enough context to make a meaningful decision.
Some teams try to manage complexity by splitting reviews by module or business unit. That can help readability, but it also creates blind spots if a user’s effective access spans more than one workflow. Others rely on signed spreadsheets as evidence. That may satisfy a narrow documentation requirement, but it does not resolve the underlying problem when access changes after the export. The most reliable approach is to pair the review cadence with change management, so any role redesign, batch security update, or emergency entitlement is immediately reflected in the next certification cycle.
Where this breaks down most often is in estates that mix legacy JDE customisations with inconsistent ownership. In those environments, even a well-run spreadsheet review can miss the exact entitlements that matter most, especially when the control depends on people manually interpreting exported data instead of validating live access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Spreadsheet reviews miss lifecycle state and ownership for machine access. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations must be managed, enforced, and reviewed under least privilege and separation of duties; JDE access reviews validate exactly that. |
| NIST CSF 2.0 | GV.RM-06 | Spreadsheet-based reviews weaken evidence quality for access governance and risk decisions. |
Use repeatable, auditable review evidence that ties access decisions to current system state.
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org