Login
Register
Search
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Forums
Infor / Lawson Platforms
S3 Security
LS9 ESS security and Servlet calls
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Who's On?
Membership:
Latest:
Julie
Past 24 Hours:
0
Prev. 24 Hours:
0
Overall:
5312
People Online:
Visitors:
198
Members:
0
Total:
198
Online Now:
New Topics
S3 Systems Administration
Quick Access report
8/25/2025 7:17 PM
Looking for a good way to see who has access Lawso
S3 Customization/Development
LP01 hiding a PTO plan from the list
8/13/2025 4:44 PM
Hi all. is there a way to hide a specific PTO&n
Lawson Business Intelligence/Reporting/Crystal
GLTrans - PO Line/MAInvdtl
8/6/2025 6:13 PM
Hello, we have an existing tabular model for fina
IPA/ProcessFlow
Retrieving GUID from InforOS
7/25/2025 2:22 AM
Hello everyone, I was wondering if there is a way
IPA/ProcessFlow
IPA for forwarding cost messages (MA64/MA66.3)
7/23/2025 6:07 PM
When a buyer has an invoice cost message where the
Lawson Portal
Lawson ESS customization
6/23/2025 10:28 AM
I want to add new links and customize the ESS (sel
S3 Security
Securing forms and programs that use Company Group
6/17/2025 5:41 PM
Is there a way to write a rule, that looks up a co
S3 Customization/Development
Self-Serve Customization and Modification of home page
6/17/2025 3:40 PM
Hi, I want to add new links and customize the E
S3 Customization/Development
Data / List view on Lawson Portal
5/21/2025 2:37 AM
Client is on S3 V10. All delivered and custom form
Lawson S3 Financials
Applying credits to open AP invoices
4/28/2025 1:26 PM
Hello, I am new to the Lawson system and after ru
Top Forum Posters
Name
Points
Greg Moeller
4184
David Williams
3349
JonA
3290
Kat V
2984
Woozy
1973
Jimmy Chiu
1883
Kwane McNeal
1437
Ragu Raghavan
1377
Roger French
1315
mark.cook
1244
Forums
Filtered Topics
Unanswered
Unresolved
Announcements
Active Topics
Most Liked
Most Replies
Search Forums
Search
Advanced Search
Topics
Posts
Prev
Next
Forums
Infor / Lawson Platforms
S3 Security
LS9 ESS security and Servlet calls
Please
login
to post a reply.
10 Replies
0
Subscribed to this topic
16 Subscribed to this forum
Sort:
Oldest First
Most Recent First
Author
Messages
Lien
Basic Member
Posts: 6
8/18/2010 3:25 PM
Hi, we are on LS9 and came across an issue where an ESS employee can view another employee’s personal information through a servlet call. The employee uses a debugging tool to get the URL then substitute their employee ID with someone else’s. We’ve tried to lock down all the HR, PA, PR, etc. related tables and forms with conditional rules. But we are still able to return sensitive data using the servlet call.
Tried with this rule:
if(user.getCompany()==table.COMPANY&&user.getEmployeeId()==form.EMP_EMPLOYEE)
'A,M,D,'
else
'ALL_ACCESS,'
Then tried with this rule:
if(trim(table.EMPLOYEE)==user.getEmployeeId())
'A,C, D, I,'
else
'NO_ACCESS,'
The only form that seems to be working with the second rule is for PA67, no other forms or tables seem to be working. Has anyone experience this? Any help will be much appreciated.
John Henley
Posts: 3359
8/18/2010 3:40 PM
Split
Hi Lien. I'm assuming you have fired the (devious) employee using a debugging tool!
I notice that you have mixed table.COMPANY and form.EMP_EMPLOYEE -- was that intentional?
Lien
Basic Member
Posts: 6
8/18/2010 4:37 PM
Split
Hi John, I actually got this from one of the postings and wanted to try it. At this point...I am lost :-(
Jimmy Chiu
Veteran Member
Posts: 641
8/19/2010 2:32 PM
Split
Your first rule will give either "A,M,D" access or "ALL ACCESS", so it's no good.
Try something like this under "files" / "HR" / "EMPLOYEE/PAEMPLOYEE" table
if(user.getCompany()==lztrim(table.COMPANY)&&user.getEmployeeId()==lztrim(table.EMPLOYEE))
'ALL_ACCESS'
else
'NO_ACCESS'
Lien
Basic Member
Posts: 6
8/19/2010 3:44 PM
Split
Hi Jimmy, I just tried it and I can still see the return data.
Greg Moeller
Veteran Member
Posts: 1498
8/19/2010 9:06 PM
Split
From a command line, What is returned by
lawsec
?
Lien
Basic Member
Posts: 6
8/19/2010 9:40 PM
Split
security is on: Lawson Security Is On.
John Henley
Posts: 3359
8/20/2010 12:03 PM
Split
You probably have another class/role that is overruling this one. I'm assuming you aren't actually testing as that user, but rather as a test user assigned to the same roles. Easiest way to trouble shoot is to turn on debug for that test user and then look at lase logs, which will show which rule granted access.
Also, what is the specific servlet call that is used?=
Lien
Basic Member
Posts: 6
8/20/2010 12:37 PM
Split
Yes, I am testing on DEV. Here is the servlet call
https://servername/servle...ET1&SELECT=EMPLOYEE=
&OUT=XML%20HTTP/1.1
John Henley
Posts: 3359
8/20/2010 12:48 PM
Split
You would need to add the rule that was added for EMPLOYEE/PAEMPLOYEE to apply to all tables you want to protect, including PRRATEHIST.
Lien
Basic Member
Posts: 6
8/20/2010 1:28 PM
Split
Yes, I added the rule to all the forms that we wanted to protect and all tables like BENEFICRY, BENEFIT, EMPLOYEE, HRDEPBEN, PAEMPLOYEE, PRRATEHIST, TAEMPTRANS, etc. I will turn on the debug and see if I see anything.
Please
login
to post a reply.