LSF9 security, ESS, search box and restricting Drill Around

You will definitely need to write a specific rule to restrict access to those fields. Can you explain a little clearer what you're trying to accomoplish? Can employees see their own rates? Can HR see rates for any employee? etc. etc.

We are attempting to have one user id for all employees. Anyone who is an application user, in addition to having ess, will have the portal search box which if the employee knows about hr/pr forms, will allow them access. I am attempting to restrict drill around for those employees.

I have successfully restricted all drill around with the exception of the Wage Analysis. This has been accomplished by adding conditional checking to a lot of tables for the ESS security class. I am checking to see if the company and employee matches their manage identity in security. The employee table also has this restriction along with denying access to all of the rate fields with the exception of the pay rate (they need to be able to see their own pay rate) but the Wage Analysis still appears.

The only other thing I could think of was to modified the HR.or to remove all of the Wage Analysis but I have learned that many in the HR area use this drill around feature so at this point, that is not an option. Is it possible to block the rate fields on the Wage Analysis and if so, how?

Thanks!

Elizabeth Ardito

I also know that the amounts displayed on the Wage Analysis with the EMPLOYEE table are derived fields.

Since you say it's ok for the users to see their own salary, what is on the wage analysis screen that you don't want to show?  Is it the job code min/max/mean?

It shows on the Wage Analysis the Monthly Wage and Pay Period Wage for any employee who you select or enter in the employee box of the form for drill around.

Even though I have a condition on the EMPLOYEE table, it still lets me do the drop down to select employees or if I know an employee number, I can type it in the box.  Once I do this, it will give me a the employee's name along with a security violation on the form but will still allow me to do drill around.  

This is the conditional code I have on the EMPLOYEE table:

if(isElementGrpAccessible('COMPEMP','I','HR',table.COMPANY,table.EMPLOYEE))
   'ALL_ACCESS,'
else
   'NO_ACCESS,'

I am not sure if that is the proper way to limit the access to the table.  For the most part, all the other tables that I have the same type of condition on, you cannot see the information within drill around.

Thanks!

Elizabeth Ardito

I see what you mean. Try adding a similar rule against PRRATEHIST and see if that helps.

I already have the same condition on the PRRATEHIST table.  That is why this is so frustrating.

Where is this wage analysis?  What is the form number?

Another option you may want to consider for your ESS users, is to use design studio to remove the search box on the portal. You can then assign the design studio portal to your ESS users. (.xml)

"Wage Analysis" is a drill around from the Employee. What Elizabeth is running into is that she coded the security rule to work with the form, but rules for Drill around need to be written to tables, or specific elements.

Rather than using the isElementGrpAccessible against the form, you can try to write a more generic rule against the EMPLOYEE table that restricts access to the table itself:
if(table.COMPANY==user.getCompany() && table.EMPLOYEE==user.getEmployee())
'ALL_ACCESS,'
else
'NO_ACCESS,'

My condition is already on the EMPLOYEE table but I will try your suggestion and see if that makes a difference.

Thanks!

Okay - I am new to all this coding and am attempting to place the following in the edit box:

table.COMPANY==user.getCompany()&& table.EMPLOYEE==user.getEmployee()

When I attempt to verify expression - I am getting rule evaluation: Function user.getEmployee doesn't exist in this scope.  Am I mssing something?

 

Thanks!

 

 

 

try EmployeeId

Sorry, it should be user.getEmployeeId()

That conditional coding didn't make a difference at all.

Any other suggestions?

Thanks!

Create the rule for element MONTHLY-RATE with 'NO_ACCESS'. That should prevent it from displaying.

I already have all those fields in the EMPLOYEE table sent to deny all access.  I changed the BIWEEKLY-RATE and MONTHLY-RATE to this condition but with no access on either side of the if statement
isElementGrpAccessible('COMPEMP','I','HR',table.COMPANY,table.EMPLOYEE)

still didn't work.

I even did an IOS cache refresh.

I was wondering, since those fields are derived fields, could that be the reason why I cannot lock them down?

Do you have any role overrides set up, and/or have you tried specifying this rule as a role override?

I just figured out the issue.  We used the ESS template from Lawson which had a Role Detail of PhoneBook attached with had wide open security to the EMPLOYEE table.  Once I removed that, it locked down the file.

Thanks for all your help.

Elizabeth Ardito

Well now, how are they going to figure out who to call when they need Lawson support??

Hello, not only am I new to writing rules, I am new to using LSF9. I want a rule that will allow the person to be able to see the drop down list of employees so they can choose an employee or search for one, but allows no drill around. What rule do I write to elements group and tables (files)?