security flaw? or any solutions?

sk
Basic Member
Posts: 10
Hi,

We are upgrading from Lawson 8.0.3 to 9.x, both the environment and the Lawson HR application. On 8.0.3 we haven't used Portal much; from 9.x we are going to use Portal.

We are not going for Lawson Security as part of this upgrade. We are going to continue with LAUA and LDAP.

I am facing a problem in Lawson Portal.

For webusers we are allowing them to update their details in HR11, PA52 etc. related tables via employee self-service applications. So we are providing form access for the forms HR11, PA52 to the webusers (via form security in LAUA).

Now, after logging into Portal as a webuser, if I append _TKN=HR11.1 or PA52.1 etc. to the Portal URL, it launches the form HR11, PA52 etc., which is undesirable. We don't want users to see the form in Portal, because then they can inquire on other employee records.

Is this a flaw?

We want employees to update their details (to the tables) via ESS, but we don't want the HR11 or PA52 etc. forms to be pulled up for them in Portal when they add the _TKN=HR11.1 parameter to the Portal URL.

Is there any solution for this?

Please help with your suggestions.
John Henley
Posts: 3362
That is a flaw which existed in version 8 as well. The only workaround is to turn the Access flag to N (in RM now, used to be RD30). The drawback is that it will cripple RSS if they are also a requester.
Thanks for using the LawsonGuru.com forums!
John
sk
Basic Member
Posts: 10
Can you provide some details about the workaround?
sk
Basic Member
Posts: 10
Hi John,

Do you mean in the form RD30, Web Info tab, Access = "N"?

What does that field signify?

If this field is set, then when we type a URL with _tkn=hr11.1, it won't bring up the form, even though HR11 is allowed in Program Security -> "Accessible Programs" for that security class?

If Access = "N", can employees still update the data using ESS?

Please help me to understand.
Roger French
Veteran Member
Posts: 549
I will add my two cents.

In the 8.0.3 environment, in RD30, with the Access field = N, this means that My Data Security is turned ON (or, to NOT bypass My Data Security), which means that when employees log into Portal and have access to HR11 using a bookmark or direct URL, it will allow them ONLY to view the record of the employee indicated in the Employee field on RD30, and that's it. If you try to do a Next or Previous on HR11 or type in another employee ID, you will get the message "Record Secured". Try it and you should see the same thing. I just did and I confirmed that. Ultimately this works with ESS in that you can only view the Employee Self Service records for the EIN indicated on the RD30 and that's it. That's what it was designed for, in part.

In the 9.0 environment, it should be the same concept too. In the security record, make the Access field = N.

This does NOT apply to LID.

Roger
John Henley
Posts: 3362
With Access = N, an employee can *also* see their direct reports, based on HR supervisor hierarchy.

As long as the user is ONLY an ESS/MSS user, setting access = N will work just fine.

The issues are:
1) when the user is also an HR/Payroll user (i.e. they need access to HR11 for all employees). In that case they will need to have Access = Y.

2) A bigger issue is when an RMID is also a requester and requisition approver in addition to an employee. If you set Access = N to satisfy ESS/MSS security, it prevents them from approving any requisitions, since Access = N means they can only see requisitions where the requester is the same as their requester identity... in that case the only solution is to use two RMIDs, or use LS 9.0 security rules.
Thanks for using the LawsonGuru.com forums!
John
Roger French
Veteran Member
Posts: 549
I don't know if they are "issues" per se, but in the past and present, I've not seen any customers where users use the same login ID for both ESS/MSS and regular HR/Payroll access (except for System and Portal Administrators, maybe). They already know the security design by using My Data Security (in 8.0.3).

In 9.0, if you want to use the same login ID for multiple roles (e.g. ESS/MSS, Requisitions Approval, HR/Payroll), then you will need to set up Roles and Security Rules using LSF9.0 security, not LAUA security.

But I think we are all on the same page.

-R
GregSl
Veteran Member
Posts: 38
We are on LSF9.0 and here is the Rule that I use for EMSS web users on HR11. Similar Rules are needed for EMPLOYEE and other related tables.

if(user.getCompany()==form.EMP_COMPANY&&user.getEmployeeId()==form.EMP_EMPLOYEE)
'+,-,C,I,M,'
else
'NO_ACCESS,'

You may be able to do something similar in LAUA.

Webusers can view HR11 ONLY for their own user. They use ESS - Life Events to make any changes.

We use the same login profile for EMSS/Lawson Applications, but their horizon to employee data is restricted by access to Process Levels.

Hope this helps.
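To make the difference between form-level and record-level security concrete, here is an added Python model of the rule quoted above (this is illustrative code written for this thread, not Lawson's own rule engine). It compares LAUA-style form-only access, where any user who may open HR11 sees every row, with the LSF9 record rule, where a webuser gets the listed function codes only on their own company/employee row and "Record Secured" elsewhere; the user, record and action names are constructed.

```python
from dataclasses import dataclass
from typing import List, Set, Union

NO_ACCESS = "NO_ACCESS"
# Function codes granted on the user's own record, as in the quoted rule ('+,-,C,I,M,').
OWN_RECORD_ACTIONS = {"+", "-", "C", "I", "M"}


@dataclass(frozen=True)
class User:
    """Constructed stand-in for user.getCompany() / user.getEmployeeId()."""
    company: int
    employee_id: int


@dataclass(frozen=True)
class Hr11Record:
    """Constructed stand-in for the form fields EMP_COMPANY / EMP_EMPLOYEE."""
    emp_company: int
    emp_employee: int
    name: str


def hr11_rule(user: User, record: Hr11Record) -> Union[Set[str], str]:
    """Record-level rule: both company AND employee must match, else NO_ACCESS."""
    if user.company == record.emp_company and user.employee_id == record.emp_employee:
        return set(OWN_RECORD_ACTIONS)
    return NO_ACCESS


def form_level_only(user: User, records: List[Hr11Record]) -> List[str]:
    """LAUA form access alone: once HR11 opens (e.g. via _TKN=HR11.1), every row is visible."""
    return [rec.name for rec in records]


def inquire_with_rule(user: User, records: List[Hr11Record], action: str = "I") -> List[str]:
    """Paging through HR11 with the record rule applied: own row shows, others are secured."""
    results = []
    for rec in records:
        decision = hr11_rule(user, rec)
        if decision == NO_ACCESS or action not in decision:
            results.append("Record Secured")
        else:
            results.append(rec.name)
    return results
```

Note that the third constructed record shares the employee number but not the company, which is why the rule checks both fields.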
sk
Basic Member
Posts: 10
Thanks a lot... John, Roger, Greg.

It worked fine as you mentioned...

It's a nice learning!
Thanks for sharing :-)
CindyW
Veteran Member
Posts: 169
Posted By Roger French on 02/12/2009 09:33 AM
I don't know if they are "issues" per se, but in the past and present, I've not seen any customers where users use the same login ID for both ESS/MSS and regular HR/Payroll access (except for System and Portal Administrators maybe).

We are using 8.03 apps, on LSF9, with LAUA security. Management would simply not allow us to continue the use of dual logins. So we had to do some customizing/cloning of the ESS pages to ensure that our back-office users would have the proper access. I can't even begin to provide the details, but it was a lot of work. We simply had no alternative, as we were nowhere near ready to implement LS security yet.