Combo Roles ESS MSS w LS9 Security

 3 Replies
 0 Subscribed to this topic
 15 Subscribed to this forum
Sort:
Author
Messages
Margie Gyurisin
Veteran Member
Posts: 538
Veteran Member
    We just discovered that if we give a manager both the MSS and ESS role, they are able to drill back to information on their direct reports that they should not be able to see.

    Example:

    With MSS role only, they do not see dependents.

    When ESS role is added they do even though the EMDEPEND table has this conditional rule on it. if(isElementGrpAccessible('COMPEMP','','HR',lztrim(table.COMPANY),lztrim(table.EMPLOYEE))) { 'ALL_ACCESS,' } else { 'NO_ACCESS,' }

    Any help you can provide would be appreciated. We are in the process of rolling out ESS and this is preventing us from rolling it out to the managers.
    Karen Sheridan
    Veteran Member
    Posts: 142
    Veteran Member
      Margie,
      Did you also include the element group in your security class?
      Karen
      Margie Gyurisin
      Veteran Member
      Posts: 538
      Veteran Member
        Our element group rules are currently like this:

        EmployeeSelfServ EmployeeSSFile ELG ELG$_$COMPEMP if(user.getCompany()==lztrim(COMPANY)&&user.getEmployeeId()==lztrim(EMPLOYEE)) { 'ALL_ACCESS,' } else { 'NO_ACCESS,' }
        ManagerSelfServ ManagerSSFile ELG ELG$_$COMPEMP if(user.isInChainOfCmdOfEmpInHR(COMPANY,EMPLOYEE)) { 'I,' } else { 'NO_ACCESS,' }

        Our IS person is going to try this on the table based on a suggestion received on Lawson community.


        If (table.COMPANY==user.getCompany()) && (table.EMPLOYEE==user.getEmployeeId())
        'ALL_ACCESS,'
        else
        'NO_ACCESS,'
        Jimmy Chiu
        Veteran Member
        Posts: 641
        Veteran Member
          The suggested workaround is a quick fix for your problem.