ESS Security - Form access through URL

Are you using the newer Lawson Security or are you still on LAUA?

We are still on LAUA

"We are still on LAUA" Ouch. It has been quite awhile since I have delt with that issue so hopefully my memory is correct.

When we were on LAUA we actually had to create two users accounts. There is a flag on the employee I think called "Access" for the ESS user we had to set the flag to 'N' however once the flag was set to 'N' then managers in Lawson could not view requisitions created by other employees.

At the time we were on 8.1 and we were able to use a trick to create an upper case and lower case user. Active Directory is not case sensitive so the users could log into either account using Active Directory authentication. I believe this trick will not work in 9.x.x. Lawson. The trick also made us kind of nervous as the possiblity of a patch breaking the behavior.

How would we go about securing the Transaction URL in LSF9 security?

[quote]
Posted By jcooper on 03/09/2011 08:02 AM
How would we go about securing the Transaction URL in LSF9 security?
[/quote]
In a nutshell, you would do it by, at first, securing the EMPLOYEE table in LS Security, then securing the PA67 to only allow it to access the user.

This is only the tip of the iceberg; to secure ESS properly, you should really look at the security documentation which addresses ESS, but again, it does not include everything you 'need' to know.

Just remember, that to securing forms (e.g.inquire/add/change/delete) is different than securing data on the forms (which records on the form you can see or do a inq/add/chg/del).

Good luck,
Roger

Can you confirm that the Transaction/Router/Erp URL method of retrieving data will also be locked down by this security modeling in LSF9? This isn't going to just "hide" the data from showing up on the portal screens, it's actually going to prevent the searching for the data from the URL as well as from within portal?

Thanks,
Joel

[quote]
Posted By jcooper on 03/10/2011 09:23 AM
Can you confirm that the Transaction/Router/Erp URL method of retrieving data will also be locked down by this security modeling in LSF9? This isn't going to just "hide" the data from showing up on the portal screens, it's actually going to prevent the searching for the data from the URL as well as from within portal?

Thanks,
Joel
[/quote]

When you type in that URL, if the form is secured properly, you will get a 'Security Violation' message in the browser. This is for FORM security.

For DATA security, if you try to type in within the URL your search parameters for data you've properly secured (for example, Employee ID's you're not supposed to see), it will still go through the process of searching, but first it has to pass the security checking (i.e. LS Security) and it will not return that data if you've properly secured it. You will either get a 'Security Violation' message or blank data when you type in the URL and hit 'Enter'. If the data is properly secured, it will work for Portal and URL access, as well as Add-Ins (if they have addin access).

Also, not to explicitly add complexity to this, but you also can keep in mind that if you've got more than one security role for this user, and the other security role has more wide/open access for your PA67, then that is the role that takes effect . Just something to keep in mind.

Thanks. This answers my questions.