I created a security class and use the element group (which was delivered by Lawson) to control data security globally for all forms and files from Roles assigned to the user. It is like this:
PrimaryDataControl Class:
Element groups - PROCLEVEL (Lawson delivered)
if(user.attributeContains('PrimaryLevel',PROCESS_LEVEL)) 'ALL_ACCESS,' else if(user.attributeContains('PrimaryLevel',subString(PROCESS_LEVEL,0,3))) 'ALL_ACCESS,' else 'NO_ACCESS,'
(--> 'PrimaryLevel' is the attribute that I created in the Lawson security console, so I can enter the user's process levels.) This class works globally for all the forms and files that were assigned to the user.
The problem I have is that I want to define an element group to secure HR11 by Department instead of Process Level, but the element group I created didn't work at all; it didn't secure anything. Even when I create one exactly like the one Lawson delivered, it still doesn't take effect.
Am I missing a concept here? Thanks for your help.
Programs of type 730-HR-FIELD-SECURITY do not use element groups. You can't use an element group to secure HR11. To secure HR11, I would use HR security, SEC_LVL in combination with condition rules.
You can use PROCLEVEL to secure some part of the HR11 that's not 730-HR-FIELD-SECURITY. As a matter of fact, I would recommend using both PROCLEVEL and HREMP to secure your HR11 fields. Your original problem is to secure it by department. Maybe you can populate the department to SEC_LOCATION in HR11. Then use the Lawson-delivered HREMP element groups to secure the SEC_LOCATION (which is your department code). There is a "next/previous" bug in LS that I have an open case with Lawson for. The workaround is to drill around and inquire on an employee first; then next/previous works when you use the HREMP/PROCLEVEL combo to secure HR11 data.
Also, there's a built-in "ProcessLevelControl" RM object you can use to restrict a user's process level access.
IE: PROCLEVEL: you populate users with "ProcessLevelControl" 100, 200, 300, etc.
if(user.attributeContains('CompanyControl',lztrim(COMPANY))&&user.attributeContains('ProcessLevelControl',PROCESS_LEVEL)&&SystemCode=='HR') 'I,' else 'NO_ACCESS,'
This would give the user process levels 100, 200, 300. (I also use the CompanyControl RM object since we have multiple companies.)
IE: HREMP
if(lztrim(SEC_LEVEL)=='9'&&(lztrim(SEC_LOCATION)=='9999999999'||lztrim(SEC_LOCATION)=='700')&&SystemCode=='HR') 'I,' else 'NO_ACCESS,'
Access is verified based on the work tab SEC_LVL and SEC_LOCATION of the HR employee.
In the end, you can use these 2 element groups to restrict access to the
online.HR11.1
if(isElementGrpAccessible('HREMP','','HR',lztrim(table.SEC_LOCATION),lztrim(table.SEC_LVL))&&isElementGrpAccessible('PROCLEVEL','','HR',lztrim(table.COMPANY),table.PROCESS_LEVEL)) 'I,' else 'NO_ACCESS,'
and file.EMPLOYEE
I would also recommend refining the data item SEC_LEVEL in HR10.1. Then you can further define who gets to see what or change what by data item. I know I would not want those social security numbers printed or seen by everyone who has HR11 access.