Company/Accounting Unit Level Security

 5 Replies
 0 Subscribed to this topic
 15 Subscribed to this forum
Sort:
Author
Messages
terrig
New Member
Posts: 2
New Member
    I am fairly new to Lawson Security and we have received a request to set up an additional level of security in HR11.

    We would like to be able to set controls at the Company/Accounting Unit level.  We have several companies and within each of those we can have the same Accounting Unit number.  I have not been able to find anything on how to utilize the combination

    Example:
    Co 100 AU 4350
    Co 300 AU 4350
    Co 870 AU 4350

    Any suggestions would be appreciated.
    Roger French
    Veteran Member
    Posts: 549
    Veteran Member
      You may want to rethink Co/AU level security.

      Lawson provides Company/Process Level and Security Level/Security Location 'out of the box' (but of course you have to define the security for them). For both online and batch forms it does work properly if you set it up properly. You should look into this if you've not already.

      If you really want to use Co/AU or other non-standard combinations, you are faced with obstacles such as customizing your Lawson programs so in fact they can take advantage of that specific type of security. I've been through this type of scenarios and from my experience you are better to take advantage and use the 'out of the box' standard type of security structures. But...you're organization may be different and you have the resources and ways to customize your programs.

      -Roger
      terrig
      New Member
      Posts: 2
      New Member
        Thanks for your input Roger!
        Kwane McNeal
        Veteran Member
        Posts: 479
        Veteran Member
          I'll disagree with Roger on this one. The work I did at a large healthcare client's security team, was the catalyst for these fields being added to the standard Lawson installation for all clients.

          The issue you have, is the same one we had, and why we implemented this in a far different way than Lawson did. The key is the security engine evaluates the fields independently of each other, and in a linear fashion. This means that AU will be evaluated across all Company, and vice-versa.

          If you are willing to re-evaluate the execution of this, you get some very nice results from security to accomplish this.

          If you have any questions, feel free to contact me.

          Kwane
          954-547-7210
          Roger French
          Veteran Member
          Posts: 549
          Veteran Member
            From my experience (the last instance is that we tried to use Company/User Level as the security component) is that we ran into the road block for Batch Jobs. Within many HR, PR batch jobs, there are the security API's which specifically use 'built in' Company/Process Level and Sec Level/Sec Location as the security components to secure the data within batch reports. We first tried to secure the Company/User Level on the EMPLOYEE table and other PR related tables, but it did not work, and on the PR batch jobs we saw data we should have not been seeing.

            We tried other combinations and saw the same thing. Yes we were able to secure ONLINE screens OK, but not batch jobs report data using Company/User Level.
            You can, as I said before, customize your batch jobs with API's to take into account Company/Accounting Unit or other 'non-standard' combinations. From my experience I don't know of many customers who wish to customize their standard batch reports just for security, but, maybe there are some.

            Again, I do know that you can customize your batch jobs to take into account. And, I'd be happy to understand if any other client has successfully secured batch jobs using 'non-standard' Company/Accounting Unit, etc WITHOUT customizing the batch jobs.

            Thanks,
            Roger
            Jesse
            Basic Member
            Posts: 10
            Basic Member
              Terrig, if by accounting unit you are referring to process level in HR, then you can use the PROCLEVEL element group in LS 9, populated with COMPANY and PROCESS-LEVEL. This element group is treated in a special way by LS 9, in that it secures the combination of COMPANY and PROCESS-LEVEL across all application suites in Lawson. Note that PROCESS-LEVEL is the equivalent of ACCT-UNIT on the Finance side.

              Using this approach, you can write a rule on the PROCLEVEL element group to check the user's access to each COMPANY/PROCESS-LEVEL combination. Of course, you also need to store the COMPANY and PROCESS-LEVELs that the user has access to somewhere. We have done this by creating extra multi-value fields in RM, as well as using an existing Lawson table, HRUTILITY. You really do have some flexibility on the approach you'd like to take, depending on your organization's needs.

              However, one big caveat to note—when securing a combination of COMPANY and PROCESS-LEVEL using LS 9, it truly applies the security across all suites, which may have unintended consequences if you don't keep this in mind. You basically will need to make sure the rule isn't accidentally granting all access to other suites, or the opposite, securing all access to other suites.

              Again, a lot of this will depend on your requirements, but at least from what I've read, it does sound like what you'd like to do is possible, and we are in fact doing what I described successfully at the University of Pennsylvania Health System (UPHS). I can give you a great contact at Lawson who helped us if you send me a private message.

              Jesse