Batch Jobs

We ran into a problem with a custom locale. When the users were assigned the custom locale you had to inquire on the job twice before the submit button was available. Are you using the default locale for these users?

I'm pretty new to this so can you tell me where I check to see which locale is assigned to the users?

Sure thing, if you go into Lawson Security Administrator, User Maintenance, find a user and go to the Edit Lawson Environment Information. You will see the locale listed there (this is the screen where you do user groups and printers and etc.)

The locale for our users is blank.

Ok, then it must be something else. You are using Lawson 9 security right? Do the users have the BatchRole assigned to them?

Yes, we are using Lawson 9 security. The users do have BatchRole assigned to them. This would make so much more sense if it didn't work all of the time. Instead, it works intermittently which makes me think their security must be correct and it has to be something else. Do you know if there is some sort of caching of the security classes/roles that may take some time to load when the user logs in? I know I'm grasping at straws but I've been through every piece of documentation I can find and have checked and double checked the "batch" security rules and it appears everything is set up correctly. There must be some setting or something we're missing.

I don't know of anything except the initial IOS Cache Refresh or the Server Management Clear Cache which would only be used if security changes are taking a while to propagate. I am not sure what would cause the security to change intermittently. Is it only the first time the user accesses the form or can it be the 3rd or 4th time they access the form?

Check the users Lawson Environment Info and verify the users are assigned to a User Group. Also check that the data Area/ID is populated.

It can happen at any time. I was hoping someone out there would have the exact rules that are needed to allow users to run batch jobs. That way I could compare them to what we have and make sure we didn't miss anything.

All of the users are assigned to a User Group and have the data area/ID filled in.

If it works sometimes, then it's probably not an issue with the rules. Have you looked at the lase*.log files?

Do each of the users have unique environment/OS IDs? I think this can cause issues for batch users too.

riegerj - Checking for unique environment/OS IDs is something I've already checked and they are unique. Thanks for the suggestion.

John - Lawson has also suggested looking at the lase*.log files but we cannot reproduce the security violation error on demand so at this point I'm stuck.

Good News! One of our users just got the "security violation" error. Now, can someone tell me what I need to be looking for in the logs?

You can check IOS log file as well as lase.logs depending on CHECKLS flag for the users concerned.

To trap the error messages, use Auditing + logging, select ALL and select the users ( who got the security violation)
Logs will tell you the reason for the security violation eg. access denied.

Hoep this helps.

I found this in a log but I don't know what was denied access. The nodeName is blank.

2009-11-05 10:54:29 com.lawson.lawsec.default.FINE com.lawson.lawsec.author.runtime.LawsonSecurityRequestOptImpl.evaluateNonContentNodeSecurity()
USER: jafoley
nodeName=, FC=I, Default ruleResult=NO_ACCESS, FcResult=ACCESS DENIED

Never seen that. I would suggest you select user jafoley for Auditing.

I am not sure if stoplase/startlase, will clear the cache or bouncing the server might help.

We also had an issue with intermittant security issues on one security class. Ours will work fine for 4-6 weeks with no issues and then out of no where the issue appears again. We had been given a PT to install and have not seen it reappear for a while. If your on SP4 the PT is 183606 or if on SP6 183785. Check to see where you are on these PT's. They basically push out a new lawsec.jar file so you have to make sure enough testing is completed. A similar PT that effected lawsec.jar also required us to upgrade our RSS because we could not click check out without an error.

We just applied the patch to our production box. I'll update this post in a few weeks if all goes well. Thanks for all of your help.

The patch seemed to fix our issue. Thanks for everyone's help.

Does anyone no what this means "Submitting job GL240HH to default job queue (User secured from submitting jobs)" 

The user cannot submit any jobs.

 

Yes, it means that the user does not have the security rights to submit batch jobs.

The user must be granted:
ENV profile - a number of the online securable types (executables)
GEN profile - online UN, several files (job, jobstep, queuedjob, userrpt) and element username

Thank you for the responses it lead us in the right direction. We found a missing role "process flow role" and a setting in security for workflows that was supposed to be set to a "1" and not "0".