Prev
Next
Forums IPA/ProcessFlow

Automated User Setup and ISS

Sort:
You are not authorized to post a reply.
Author
Messages
Bob Canham
Veteran Member
Posts: 217
Veteran Member
3/2/2015 7:55 PM

    We are working to implement Infor Security Services (ISS) in our test environment to federate our 10.0.4 LSF and 10.0.4 CU19 Landmark environments.  In the past, I had a process flow that created all of our user accounts in LSF automatically when an employee is hired.  I just started working on modifications to it today to account for ISS and Landmark but have run into a snag.

    In a webinar I attended, it was suggested that the same process could be kept, but would need nodes added to create the user on the Landmark side manually.  I haven't started that side yet, as I wanted to see what does get created when you use the Resource Transaction node (if I create a user in the Security Administrator, it creates the Actor on Landmark).  However, after running the update (just S3 Resource Transaction), I don't even see a record in ISS that the user exists.

    Has anyone done this yet that they have suggestions on how it can be accomplished?

    Tim Cochrane
    Veteran Member
    Posts: 154
    Veteran Member
    3/3/2015 12:45 PM
      If i understand correctly - you're already running a flow that creates LS users/account, and you want to modify the flow to create Landmark Actors, etc...correct??
      If so, you'll be using the Landmark node exclusively. You'll use the Landmark node to: create the Actor (Actor class), add Roles (ActorRole), create Identities (Identity), then add Identities to the Actor (Identity Actor). Depending on your setup, you'll also use it to add the Security Answers (SecurityAnswer) to the Actors, but that would only depend on if you KNEW their security questions/answers. After this, you can also add User profiles, Tasks, Cat Values, etc.

      If can get tricky, so my advice is to test, test & test...then test again. I also have legs in my versions that go thru and do a cascade delete of everything. That way i can continue to test with the same users over and over. It also prepares me for when business owners say "can we use this to delete users and do clean-up?"
      Tim Cochrane - Principal LM/IPA Consultant
      Bob Canham
      Veteran Member
      Posts: 217
      Veteran Member
      3/3/2015 1:02 PM
        What do you mean by using the Landmark node exclusively? We are using LSF as our primary authentication source, so ISS should be connected to the LSF side, not the Landmark side, right?

        As for deletes, does that work from Landmark? I was advised by Xtreme Support yesterday that you can't actually delete a user from Landmark, it keeps them in the Gen database.
        Tim Cochrane
        Veteran Member
        Posts: 154
        Veteran Member
        3/3/2015 2:49 PM
          in your original post you said "...but would need nodes added to create the user on the Landmark side manually", which is why i prefaced my answer with "If I understand correctly..."...meaning it appeared that you wanted to add logic to your flow to create/update Actor records.
          SO...if you were going to create Landmark Actor records in a flow, it would require using the Landmark node.

          Not sure why you got that answer from Infor. I've got a flow that creates Actor records on the LTM side (where Actor records are typically added by business owners, even though you can do the same in GEN), then deletes the Actor from LTM. When i view the Actor in GEN (while this flow is running) I can see them following the Create, then after the Delete node runs, they are no longer in the Actor business class in Gen.
          Tim Cochrane - Principal LM/IPA Consultant
          Carl.Seay
          Veteran Member
          Posts: 109
          Veteran Member
          3/3/2015 2:57 PM
            When you manually add a user in ISS, it adds additional attributes to the LSF LDAP user record. Without these attributes, the user will not display in ISS. I have not troubleshooted any further than that. I assume the new ISS List Based Sync would create those attributes and allow you to view in ISS, but you would need to be on LSF 10.0.6.
            Bob Canham
            Veteran Member
            Posts: 217
            Veteran Member
            3/3/2015 3:05 PM
              Darn, that's not the answer I was hoping for Carl, we're only on LSF10.0.4. So you that without the list-based sync we wouldn't be able to modify the users in ISS? Do you think the user would function properly if they were to log into Ming.le and then access Landmark (single sign-on)?
              Bob Canham
              Veteran Member
              Posts: 217
              Veteran Member
              3/3/2015 3:59 PM
                Ok, I just tried using the list-based sync (it was in the instruction manual so I figured I'd give it a shot). It seems to have run and processed the user through all the systems. I did look through the security_provisioning.log file and it looks like it is still doing a sync on all of the categories. Is this normal?
                Carl.Seay
                Veteran Member
                Posts: 109
                Veteran Member
                3/3/2015 4:19 PM
                  From my experience, the users were able to log into all applications as normal. The only issue was they did not show in ISS.
                  adnan512
                  Advanced Member
                  Posts: 24
                  Advanced Member
                  5/22/2015 12:54 AM
                    Once you run the sync they will show up in ISS. I have a PF that creates the users on LSF side and then I run the sync. I can also create the users in LMK using the same flow but I chose to run sync.
                    JeffR
                    Advanced Member
                    Posts: 22
                    Advanced Member
                    6/1/2015 2:04 PM
                      You can automate adding the users to Landmark and ISS by creating an xml file and running the ssoconfig command on the LSF server. The XML format and syntax for the ssoconfig is in the ISS documentation. The only change to the documentation is where it says to enter the InputFile in the ssoconfig command line, make sure you add the entire path along with the filename.
                      Highgrove
                      New Member
                      Posts: 1
                      New Member
                      6/9/2015 4:22 PM
                        I have a client that is experiencing some issues with Landmark roles being added to the wrong employees and would like to delete the roles without deleting the users. Are the following true statements?

                        1. I believe that the ISS tool is what keeps the LSA and LTMPROD security in sync. When you make the security changes in ISS, both the LSA and LTMPROD security gets updated. I do not think there is a automated process to move the LTMPROD changes to LSA

                        2. We currently use ISA I believe to do our maintenance but we call is ISS. The issue in PROD is that Landmark is the only accurate keeper of the security roles. If you run the sync from Lawson to ISA/ISS through to Landmark the security will be messed up

                        3. the synchronization will only sync the LSF and Landmark environment security roles. The sync does not add roles to user records. It simply takes the roles that are in LSF and copies them to Landmark and vice versa. From Paula's last response it appears that the issue is that their are some users that have roles that shouldn't be assigned to them? If that is accurate then running the sync will not help.

                        4. Will running the sync cause users to get access to roles that they should not have?

                        I will appreciate any comments as Infor is not aware of issues with ISS and suggesting upgrade to 10.0.6.12 from 10.0.6.6
                        You are not authorized to post a reply.