Needing help locking down drill screens

Sort:
You are not authorized to post a reply.
Author
Messages
Ronnie
Veteran Member
Posts: 152
Veteran Member

    We are in the process of implementing our infor 10 system. We are currently on Lawson 9 and have been now since 2008. HR has just noticed during implementation that managers can potentially go to PA42 and drill around and see info they should not see.

    The way they can do this is by getting a job requisition workunit in their inbasket to approve or deny. Inside of the details for that workunit there is a related links screen which takes them to the form where they can see info on the requisition. Apparently this has never been locked down and if someone is smart enough, they can go to the position field and choose any position and then drill around and pull up any employees info they wanted. They should only be able to see their own employees or positions.

    I know how to lock forms down doing the basic grant or no grants / giving add , inquire, view etc...but I dont really have much experience with locking down drill screens to see only certain info.

    Is there a way to lock the drill screens down to only display what they should be assigned or is there somewhere else I have to lock things down? I contacted lawson support but they were not much help.

    BarbR
    Veteran Member
    Posts: 306
    Veteran Member
      Yes, drill screen info is secured by securing the tables/fields. In Lawson Security those are called files. You have to write security rules against those as well. We have a file security class for ESS and a different one for MSS, same as we have form security for ESS different from form security for MSS.
      BarbR
      Veteran Member
      Posts: 306
      Veteran Member
        Just realized, these may not be EMSS-only users, but the same applies to back-office users. You need security rules on the tables/fields as well as the forms, or they can see everything in drill-around.
        Ronnie
        Veteran Member
        Posts: 152
        Veteran Member
          We too have MSS / ESS security classes. One for forms, and one for files.
          Ronnie
          Veteran Member
          Posts: 152
          Veteran Member

            It appears that many of the things I am worried about use the PAJOBREQ "file". It appears that whoever created this security class set that PAJOBREQ with unconditional access for action of I (inquire)

            I guess I do not know how I would write this for them to only be able to inquire or drill only for positions or employees that belong to them...or not drill at all.

             

            They need access to see the info, but only certain info. My security rule skills have not gone that in depth yet as I am still trying to learn.

            BarbR
            Veteran Member
            Posts: 306
            Veteran Member
              I use this User object: iF(user.isInChainOfCmdOfEmpInHR(lztrim(table.COMPANY),lztrim(table.EMPLOYEE))) 'All_ACCESS,' else 'NO_ACCESS,'
              Ronnie
              Veteran Member
              Posts: 152
              Veteran Member
                Posted By BarbR on 12/16/2014 1:50 PM
                I use this User object: iF(user.isInChainOfCmdOfEmpInHR(lztrim(table.COMPANY),lztrim(table.EMPLOYEE))) 'All_ACCESS,' else 'NO_ACCESS,'


                Thanks,

                 

                I was actually looking at that rule to use. I did not know what to put exactly where you have lztrim(table.company), and lztrim(table.employee)

                 

                Can you tell me what exactly that is doing? the lztrim and then just saying table.company

                 

                BarbR
                Veteran Member
                Posts: 306
                Veteran Member
                  If you are editing a security rule, just hover over it and the description of what it does is shown under the "Verify Expression" button. lztrim is under global functions, utils. lztrim trims off leading zeros so the compare works between the security LDAP and the Lawson application table.
                  Regarding table.company - the object names are what they are, we don't get to choose (see under objects, table).
                  The company field is called table.object and the employee number field is called table.employee.
                  BarbR
                  Veteran Member
                  Posts: 306
                  Veteran Member
                    As for what the rule does:
                    Let's say we have company 1000 employee 123 who reports to supervisor 987, manager 654, and Vice Pres 321.
                    The rule is on the file being viewed, and that file record is for company 1000 employee 123.
                    When evaluated the rule is giving "all access" to the people "in the chain of command" of that employee (company 1000 employee 123) else it gives "no access".
                    This would allow the employee's managers 987, 6654, and 321 to see the data of employee 123 on this file - but no other employee or manager could see it.
                    Ronnie
                    Veteran Member
                    Posts: 152
                    Veteran Member
                      Thanks for this help.

                      Here is something I have never thought about. Say in MSS, managers have a link for creating new job requisitions. Its not the normal pa42.1 screen, but just a dumbed down screen for managers with only a submit button.

                      Well, this will trigger a flow when created, and the next manager in line for approval will get the workunit to approve. There is a link inside of inbaskets where they can click related links and this opens up the PA42.1 form with the requisition filled out....but now here is the problem. Managers can drill from here and previous , next, etc etc.

                      How would I lock it down so they cant hit next, change, delete , add etc.

                      I would think they would have to have at least some options since they need it open to create the requisition inside of the MSS dumbed down link.
                      BarbR
                      Veteran Member
                      Posts: 306
                      Veteran Member
                        That would be done through Lawson security, in this case on the form (PA42.1). You can give them inquiry only and not allow next, prev, change, delete, whatever you want/don't want.
                        KatieW
                        New Member
                        Posts: 1
                        New Member
                          We took a different approach... we hid the link to "related links"
                          You are not authorized to post a reply.