Login
Register
Search
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Forums
Human Capital Management
Lawson S3 HR/Payroll/Benefits
ESS Security - Form access through URL
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Who's On?
Membership:
Latest:
Starr
Past 24 Hours:
0
Prev. 24 Hours:
0
Overall:
5327
People Online:
Visitors:
293
Members:
0
Total:
293
Online Now:
New Topics
S3 Systems Administration
Lawson Security Admin (LSA) - Securing Print Manager to self only
10/24/2025 6:27 PM
Looking for someone who would be willing to share
Lawson Add-Ins for Microsoft Office
Lawson Add-in
9/30/2025 6:51 PM
I am looking for a Lawson Add-ins query to add new
Lawson S3 Procurement
Anyone getting PO 0000 not found for company error in PO23?
9/30/2025 2:45 AM
Anyone getting PO 0000 not found for company error
Lawson Add-Ins for Microsoft Office
PO20 - Cancel PO via Add-in
9/25/2025 8:03 PM
Is it possible to cancel PO's using add-ins? I
S3 Systems Administration
S3 Payroll - PayStubs
9/18/2025 6:58 PM
Looking for a reliable solution to streamline the
S3 Systems Administration
Quick Access report
8/25/2025 7:17 PM
Looking for a good way to see who has access Lawso
S3 Customization/Development
LP01 hiding a PTO plan from the list
8/13/2025 4:44 PM
Hi all. is there a way to hide a specific PTO&n
Lawson Business Intelligence/Reporting/Crystal
GLTrans - PO Line/MAInvdtl
8/6/2025 6:13 PM
Hello, we have an existing tabular model for fina
IPA/ProcessFlow
Retrieving GUID from InforOS
7/25/2025 2:22 AM
Hello everyone, I was wondering if there is a way
IPA/ProcessFlow
IPA for forwarding cost messages (MA64/MA66.3)
7/23/2025 6:07 PM
When a buyer has an invoice cost message where the
Top Forum Posters
Name
Points
Greg Moeller
4184
David Williams
3349
JonA
3293
Kat V
2984
Woozy
1973
Jimmy Chiu
1883
Kwane McNeal
1437
Ragu Raghavan
1377
Roger French
1315
mark.cook
1244
Forums
Filtered Topics
Unanswered
Unresolved
Announcements
Active Topics
Most Liked
Most Replies
Search Forums
Search
Advanced Search
Topics
Posts
Prev
Next
Forums
Human Capital Management
Lawson S3 HR/Payroll/Benefits
ESS Security - Form access through URL
Please
login
to post a reply.
8 Replies
0
Subscribed to this topic
68 Subscribed to this forum
Sort:
Oldest First
Most Recent First
Author
Messages
jcooper
Basic Member
Posts: 5
3/8/2011 4:15 PM
We found that a logged in user who has access to the PA67.1 screen for ESS can get the XML data for any employees by going through the /servlet/Router/Transaction/Erp url and entering in the proper url parameters which would include the desired employee number.
I've found other posts on this site which seem related to getting data from this URL, but none which clearly state how this can be locked down.
This user is an ESS only user, no admin roles/security. They just have Inquiry access to the PA67.1 screen which appeared to be required for ESS to work.
Is there a way to lock this down so that the user either can't see the xml data for that screen at all, or else can only see the xml data for their employee number, while still allowing ESS to work?
Thanks
Deleted User
New Member
Posts: 0
3/8/2011 5:30 PM
Split
Are you using the newer Lawson Security or are you still on LAUA?
jcooper
Basic Member
Posts: 5
3/8/2011 5:56 PM
Split
We are still on LAUA
Deleted User
New Member
Posts: 0
3/8/2011 8:05 PM
Split
"We are still on LAUA" Ouch. It has been quite awhile since I have delt with that issue so hopefully my memory is correct.
When we were on LAUA we actually had to create two users accounts. There is a flag on the employee I think called "Access" for the ESS user we had to set the flag to 'N' however once the flag was set to 'N' then managers in Lawson could not view requisitions created by other employees.
At the time we were on 8.1 and we were able to use a trick to create an upper case and lower case user. Active Directory is not case sensitive so the users could log into either account using Active Directory authentication. I believe this trick will not work in 9.x.x. Lawson. The trick also made us kind of nervous as the possiblity of a patch breaking the behavior.
jcooper
Basic Member
Posts: 5
3/9/2011 1:02 PM
Split
How would we go about securing the Transaction URL in LSF9 security?
Roger French
Veteran Member
Posts: 549
3/9/2011 7:06 PM
Split
[quote]
Posted By jcooper on 03/09/2011 08:02 AM
How would we go about securing the Transaction URL in LSF9 security?
[/quote]
In a nutshell, you would do it by, at first, securing the EMPLOYEE table in LS Security, then securing the PA67 to only allow it to access the user.
This is only the tip of the iceberg; to secure ESS properly, you should really look at the security documentation which addresses ESS, but again, it does not include everything you 'need' to know.
Just remember, that to securing forms (e.g.inquire/add/change/delete) is different than securing data on the forms (which records on the form you can see or do a inq/add/chg/del).
Good luck,
Roger
jcooper
Basic Member
Posts: 5
3/10/2011 2:23 PM
Split
Can you confirm that the Transaction/Router/Erp URL method of retrieving data will also be locked down by this security modeling in LSF9? This isn't going to just "hide" the data from showing up on the portal screens, it's actually going to prevent the searching for the data from the URL as well as from within portal?
Thanks,
Joel
Roger French
Veteran Member
Posts: 549
3/10/2011 3:51 PM
Split
[quote]
Posted By jcooper on 03/10/2011 09:23 AM
Can you confirm that the Transaction/Router/Erp URL method of retrieving data will also be locked down by this security modeling in LSF9? This isn't going to just "hide" the data from showing up on the portal screens, it's actually going to prevent the searching for the data from the URL as well as from within portal?
Thanks,
Joel
[/quote]
When you type in that URL, if the form is secured properly, you will get a 'Security Violation' message in the browser. This is for FORM security.
For DATA security, if you try to type in within the URL your search parameters for data you've properly secured (for example, Employee ID's you're not supposed to see), it will still go through the process of searching, but first it has to pass the security checking (i.e. LS Security) and it will not return that data if you've properly secured it. You will either get a 'Security Violation' message or blank data when you type in the URL and hit 'Enter'. If the data is properly secured, it will work for Portal and URL access, as well as Add-Ins (if they have addin access).
Also, not to explicitly add complexity to this, but you also can keep in mind that if you've got more than one security role for this user, and the other security role has more wide/open access for your PA67, then that is the role that takes effect . Just something to keep in mind.
jcooper
Basic Member
Posts: 5
3/10/2011 4:37 PM
Split
Thanks. This answers my questions.
Please
login
to post a reply.