Securing AR reports by Credit Analyst

 9 Replies
 1 Subscribed to this topic
 15 Subscribed to this forum
Sort:
Author
Messages
Wade-T
Veteran Member
Posts: 54
Veteran Member
    I have a listing of Analyst codes and names on AR06 and would like to keep the AR pieces seperated by these names. I see, for instance, that the AR251 has a selector on the Customer tab for Credit Analyst, and that LSF has a form.ANLYST_NAME object but I am not sure how to write the rule so a user can only see their grouping. Would I assign the rule one time, or on each screenthat contains the Credit Analyst field?
    Georgette
    Veteran Member
    Posts: 52
    Veteran Member
      Hi Wade,
      What you are referencing above is Data Control based on User Attribute.

      Values are assigned to the attributes in each employee's profile in the Security Administrator application. The rules are then written on each form (select user folder) to compare the values in the Lawson tables to the values assigned to the employee's profile attribute.

      For example, suppose the CompanyControl attribute is assigned the values 1220 and 4321 to represent companies the employee is allowed to access.

      The rule would be written on the form as user.attributeContains('CompanyControl'.form.____).

      We don't use AR, but I am assuming you may want to populate the ANALYST_NAME attribute with whatever the value is in the appropriate Lawson tables (analyst code, or whatever). The other thing is make sure the credit analyst field is actually being populated on each form.

      Hope this helps.
      Georgette
      Veteran Member
      Posts: 52
      Veteran Member
        Sorry, another quick comment. I just noticed your title mentions reports. The above will not secure the report data, it will only determine who can run the reports.

        A way around this is to publish the AR reports in LBI and use the bursting tool to distribute the reports to the various analysts. Make sure drill around is also secured which is another layer.
        Wade-T
        Veteran Member
        Posts: 54
        Veteran Member
          Thanks for the info. We do not have LBI at this time, just a very basic HR/Financials install using the Portal. The one user we are trying to lock down is also tied to one process level. I attempted to secure him to only that process level witht he following, but it didn't seem to work.

          if(SystemCode=='AR'&&((COMPANY==1999&&PROCESS_LEVEL>=650000&&PROCESS_LEVEL<=650999)))
          'ALL_ACCESS,'
          elseif(SystemCode!='AR')
          'ALL_ACCESS,'
          else
          'NO_ACCESS,'
          Georgette
          Veteran Member
          Posts: 52
          Veteran Member
            Additional attributes to People Object in RM are available in versions 9.0.0.6, 9.0.1.3 and higher. Such as CompanyControl, AccountingUnitControl, etc. Or you can create your own using the schema editor.

            I am assuming you assigned the user these values in the appropriate attributes on his/her profile on the Security Administrator. CompanyControl should be assigned 1999 and UserProcessLevell has the range of values you mentioned.

            I am not familiar with the AR tables so I don't know which forms you need to secure the Company and Process Levels with. You can use two different security classes, one to secure the AR files and the other to secure the forms.

            First secure the tables (files) with an ARFileAccess security class that grants all access to all AR tables. This security class will be assigned to the credit analyst role.

            Then to secure the AR forms create another security class (or create an ARFileAccessLimited security class that grants all access to AR system code and then limits the forms),

            Go to each form and place the rules (select the user folder) --

            If(user.getAttribute(‘CompanyControl’) == form.______
            &&
            user.isAttributeInRange(‘UserProcessLevel’) == form.______)
            then Grant All Access
            else no Access

            Hope this helps!




            Georgette
            Veteran Member
            Posts: 52
            Veteran Member
              for example for PA42.1, the form name would be

              ==form.PJR_PROCESS_LEVEL
              Georgette
              Veteran Member
              Posts: 52
              Veteran Member
                i realize it is a pain to go to every single form, but you have to secure the form AND the drill around. No easy way around it.
                Greg Moeller
                Veteran Member
                Posts: 1498
                Veteran Member
                  Unless you are just concerned about company control, then there's a (relatively) simple solution to it.
                  Create a rule against Object Type of Element.
                  user.attributeContains('CompanyControl',lztrim(COMPANY)))
                  'ALL_ACCESS,'
                  else
                  'NO_ACCESS,'

                  I see Process-Level in the Element list as well... perhaps it could be expanded to secure by process level as well? Unsure.
                  Greg Moeller
                  Veteran Member
                  Posts: 1498
                  Veteran Member
                    Assign this security class to a role and every form/table seems to follow it.
                    We don't have this implemented yet in production, but in test, it seems to work just fine.
                    Georgette
                    Veteran Member
                    Posts: 52
                    Veteran Member
                      Hi Wade,
                      I was looking at your code again and have a suggestion. I learned best practice is to create different security classes for each system code. Such as ARFileAccess for all of the AR tables, HRFileAccess, GLFileAccess, etc. Each of these security classes are assigned to the role. Give access to all tables that fall in each system code. For the one credit analyst, create an ARFileLimited security class and apply either the ANALYST_NAME or PROCESS_LEVEL user rule to each form that needs the data limited.

                      Again, the values need to be in the employee's profile attribute to use as a compare to either the form value or the file value.