Needing help locking down drill screens

Name	Points
Greg Moeller	4184
David Williams	3349
JonA	3291
Kat V	2984
Woozy	1973
Jimmy Chiu	1883
Kwane McNeal	1437
Ragu Raghavan	1372
Roger French	1315
mark.cook	1244

Ronnie

Veteran Member

Posts: 152

12/16/2014 6:23 PM

We are in the process of implementing our infor 10 system. We are currently on Lawson 9 and have been now since 2008. HR has just noticed during implementation that managers can potentially go to PA42 and drill around and see info they should not see.

The way they can do this is by getting a job requisition workunit in their inbasket to approve or deny. Inside of the details for that workunit there is a related links screen which takes them to the form where they can see info on the requisition. Apparently this has never been locked down and if someone is smart enough, they can go to the position field and choose any position and then drill around and pull up any employees info they wanted. They should only be able to see their own employees or positions.

I know how to lock forms down doing the basic grant or no grants / giving add , inquire, view etc...but I dont really have much experience with locking down drill screens to see only certain info.

Is there a way to lock the drill screens down to only display what they should be assigned or is there somewhere else I have to lock things down? I contacted lawson support but they were not much help.

BarbR

Veteran Member

Posts: 306

12/16/2014 6:34 PM

Yes, drill screen info is secured by securing the tables/fields. In Lawson Security those are called files. You have to write security rules against those as well. We have a file security class for ESS and a different one for MSS, same as we have form security for ESS different from form security for MSS.

BarbR

Veteran Member

Posts: 306

12/16/2014 6:35 PM

Just realized, these may not be EMSS-only users, but the same applies to back-office users. You need security rules on the tables/fields as well as the forms, or they can see everything in drill-around.

Ronnie

Veteran Member

Posts: 152

12/16/2014 6:36 PM

We too have MSS / ESS security classes. One for forms, and one for files.

Ronnie

Veteran Member

Posts: 152

12/16/2014 6:40 PM

It appears that many of the things I am worried about use the PAJOBREQ "file". It appears that whoever created this security class set that PAJOBREQ with unconditional access for action of I (inquire)

I guess I do not know how I would write this for them to only be able to inquire or drill only for positions or employees that belong to them...or not drill at all.

They need access to see the info, but only certain info. My security rule skills have not gone that in depth yet as I am still trying to learn.

BarbR

Veteran Member

Posts: 306

12/16/2014 6:50 PM

I use this User object: iF(user.isInChainOfCmdOfEmpInHR(lztrim(table.COMPANY),lztrim(table.EMPLOYEE))) 'All_ACCESS,' else 'NO_ACCESS,'

Ronnie

Veteran Member

Posts: 152

12/16/2014 6:58 PM

Posted By BarbR on 12/16/2014 1:50 PM
I use this User object: iF(user.isInChainOfCmdOfEmpInHR(lztrim(table.COMPANY),lztrim(table.EMPLOYEE))) 'All_ACCESS,' else 'NO_ACCESS,'

Thanks,

I was actually looking at that rule to use. I did not know what to put exactly where you have lztrim(table.company), and lztrim(table.employee)

Can you tell me what exactly that is doing? the lztrim and then just saying table.company

BarbR

Veteran Member

Posts: 306

12/16/2014 7:11 PM

If you are editing a security rule, just hover over it and the description of what it does is shown under the "Verify Expression" button. lztrim is under global functions, utils. lztrim trims off leading zeros so the compare works between the security LDAP and the Lawson application table.
Regarding table.company - the object names are what they are, we don't get to choose (see under objects, table).
The company field is called table.object and the employee number field is called table.employee.

BarbR

Veteran Member

Posts: 306

12/16/2014 7:17 PM

As for what the rule does:
Let's say we have company 1000 employee 123 who reports to supervisor 987, manager 654, and Vice Pres 321.
The rule is on the file being viewed, and that file record is for company 1000 employee 123.
When evaluated the rule is giving "all access" to the people "in the chain of command" of that employee (company 1000 employee 123) else it gives "no access".
This would allow the employee's managers 987, 6654, and 321 to see the data of employee 123 on this file - but no other employee or manager could see it.

Ronnie

Veteran Member

Posts: 152

12/22/2014 12:39 PM

Thanks for this help.

Here is something I have never thought about. Say in MSS, managers have a link for creating new job requisitions. Its not the normal pa42.1 screen, but just a dumbed down screen for managers with only a submit button.

Well, this will trigger a flow when created, and the next manager in line for approval will get the workunit to approve. There is a link inside of inbaskets where they can click related links and this opens up the PA42.1 form with the requisition filled out....but now here is the problem. Managers can drill from here and previous , next, etc etc.

How would I lock it down so they cant hit next, change, delete , add etc.

I would think they would have to have at least some options since they need it open to create the requisition inside of the MSS dumbed down link.

BarbR

Veteran Member

Posts: 306

12/22/2014 12:43 PM

That would be done through Lawson security, in this case on the form (PA42.1). You can give them inquiry only and not allow next, prev, change, delete, whatever you want/don't want.

KatieW

New Member

Posts: 1

1/6/2015 9:53 PM

We took a different approach... we hid the link to "related links"