Prev
Next
Forums S3 Security

MSS and ProcessLevelControl

Sort:
You are not authorized to post a reply.
Author
Messages
MC
Advanced Member
Posts: 41
Advanced Member
3/13/2014 4:01 PM
    We have placed a custom rule, then an role in RM for MSS users.  This custom rule is checking the PROCESSLEVELCONTROL feature in RM.  The goal was when the manager would create a personal action they would only be able to select the departments that are in the specific process level...Works like a charm for fields like Department (only shows the departments that the mgr has access to).  The problem is the Expense Account / Sub Account and activity.  when we have the rule for Process Level control, we no longer can use the selection to view the account information, it comes back with 'no accounts'.  I have tried adding system control restraints, but have not found any combination that will allow me to see only the departments that I should see...and still get the list of accounts.

    Has anyone fiured this out ?

    Thanks
    MikeD
    Basic Member
    Posts: 4
    Basic Member
    4/29/2014 2:38 PM
      We have a similar issue at our company.

      We're implementing a ProcessLevelControl rule as follows:

      if(user.attributeContains('ProcessLevelControl',lztrim(PROCESS_LEVEL)))
      'ALL_ACCESS,'
      else
      'NO_ACCESS,'

      However, when this rule is used, it prevents users from accessing their information in Employee/Manager Self Service. How can we modify this rule so that employees can view their own information, but not have access to everyone else's information in the HR forms? I've tried a couple things but it hasn't worked.

      Thanks,
      Mike
      BarbR
      Veteran Member
      Posts: 306
      Veteran Member
      4/29/2014 3:12 PM
        I'll be anxious to see if anyone else replies with a solution to this, as it is a problem for us with Process Level limited roles where the employee is not themselves in any of the process level to which they are limited for their backoffice working role.
        I had been told in the past that the Process Level Control is "at the program level" - and that it the RMID has failed that rule, no other security rule will be read. So the "greater access wins" does not work with hte PLControl rule.
        Roger French
        Veteran Member
        Posts: 545
        Veteran Member
        5/1/2014 2:16 PM
          Are you using Element Groups in any of your security rules?

          Also what you are wanting can be done. 

          Something like this:

          if(user.attributeContains('ProcessLevelControl',lztrim(PROCESS_LEVEL))) ||
          getIdentityAttribute('PROD_EMPLOYEE','Employee',user.getRDId())==table.EMPLOYEE
          'ALL_ACCESS,' 
          else 
          'NO_ACCESS,' 


          Where PROD_EMPLOYEE is the name of the ESS Service,



          MikeD
          Basic Member
          Posts: 4
          Basic Member
          5/2/2014 12:18 PM
            Yes, we are using Element Groups for the above ProcessLevelControl rule I posted.
            MC
            Advanced Member
            Posts: 41
            Advanced Member
            1/15/2015 5:11 PM

              not sure if you have an answer, but we had to add   SystemCode=='IF'||

              in front to be able to get those accounts.

              You are not authorized to post a reply.