Login
Register
Search
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Forums
Infor / Lawson Platforms
S3 Security
ESS & Address Changes
Home
Forums
Jobs
LawsonGuru
LawsonGuru Letter
LawsonGuru Blog
Worthwhile Reading
Infor Lawson News Feed
Store
Store FAQs
About
Who's On?
Membership:
Latest:
Lisa Powell
Past 24 Hours:
1
Prev. 24 Hours:
0
Overall:
5163
People Online:
Visitors:
202
Members:
1
Total:
203
Online Now:
John Henley
New Topics
Top Forum Posters
Name
Points
Greg Moeller
4184
David Williams
3349
JonA
3288
Kat V
2984
Woozy
1973
Jimmy Chiu
1883
Kwane McNeal
1437
Ragu Raghavan
1348
Roger French
1311
mark.cook
1244
Forums
Unanswered
Active Topics
Most Liked
Most Replies
Search Forums
Search
Advanced Search
Topics
Posts
Prev
Next
Forums
S3 Security
ESS & Address Changes
Sort:
Oldest First
Most Recent First
You are not authorized to post a reply.
Author
Messages
MatthewD
Veteran Member
Posts: 53
8/12/2013 8:09 PM
I'm trying to allow employees to make address changes via ESS however i do not want them to have access to HR11.1 screen to make any changes to their or anyones elses data.
I've tried giving full access to HR11, Employee specific access to HR11.1 using "lztrim(table.EMPLOYEE)==lztrim(user.getEmployeeId())" and then denying access to all tabs except Address but i'm still getting the "Address change cannot be made at this time; please contact your HR department to make this change. (Security Violation)" message.
I've tried giving full access to the Main-Tab and denied access to everything in that tab. Allowed full access to The Effect-Date but still the same results.
John Henley
Senior Member
Posts: 3348
8/13/2013 11:49 AM
We live in an imperfect world, so what you're trying to accomplish isn't quite possible.
John Henley
Senior Member
Posts: 3348
8/13/2013 12:23 PM
You need to add several types of rules (I'm typing in these rules, not cutting/pasting, but these should give you the general idea...):
1. Employees/Managers need access to selected tables in system codes AC, IF, GL, HR, PA, BN, PR, TA, and LP.
2. Employees/Managers should only have access to their own records, and certain records of their direct reports. Based on COMPANY/EMPLOYEE, you need to restrict employee to see their own records for any HR/BN/PA/PR/TA/LP tables. Based on COMPANY/EMPLOYEE, restrict employee to see records for their direct reports in certain HR/BN/PA/PR/TA/LP tables; for example, manager can see a direct report’s salary history, but not dependents or beneficiaries. This is critical, and client-specific, and requires the most analysis at the table level to decide what a manager can see related to an employee....
3. create a COMP_EMPLOYEE element group, which contains COMPANY and EMPLOYEE elements.
4. this rule goes into the COMP_EMPLOYEE element group:
if((user.getCompany()==lztrim(COMPANY)&&user.getEmployeeId()==lztrim(EMPLOYEE)))
5. create a COMP_EMPLOYEE_HIER element group, which contains COMPANY and EMPLOYEE elements.
6. this rule goes into the COMP_EMPLOYEE_HIER element group:
NOTE use of the 'Access' attribute allows quick override using an old feature in LAUA/IOS to allow someone with the Access='Y' attribute to see ANYONE ... use with caution...
if((user.getAttribute('Access')=='Y' || (user.getCompany()==lztrim(COMPANY)&&user.getEmployeeId()==lztrim(EMPLOYEE)) || (user.isInChainOfCmdOfEmpInHR(lztrim(COMPANY),lztrim(EMPLOYEE))) ||
(user.isSupervisorOfEmpInHR(lztrim(COMPANY),lztrim(EMPLOYEE))) )
Note: this rule allows access to the employee, his/her direct reports (down the chain of command)
7. add rule to restrict HR forms (e.g. HR11) to only themselves (which is form.EMPLOYEE, not table.EMPLOYEE):
if(isElementGrpAccessible('COMP_EMPLOYEE','I','HR',form.EMP_COMPANY,form.EMP_EMPLOYEE))
'ALL_ACCESS';
else
'NO_ACCESS';
8. add rules to restrict them to only themselves on HR, PR, etc. tables (e.g. EMDEPEND, etc.):
if(isElementGrpAccessible('COMP_EMPLOYEE','I','HR',table.COMPANY,table.EMPLOYEE))
'ALL_ACCESS';
else
'NO_ACCESS';
9. add rules to restrict them to only themselves (and their direct reports) on HR, PR, etc. tables (e.g. EMPLOYEE, PAEMPLOYEE, etc.):
if(isElementGrpAccessible('COMP_EMPLOYEE_HIER','I','HR',table.COMPANY,table.EMPLOYEE))
'ALL_ACCESS';
else
'NO_ACCESS';
MatthewD
Veteran Member
Posts: 53
8/13/2013 2:41 PM
John, Thank you very much! I have a question regarding the use of the 'Access' attribute. If an employee has the Access flag set to 'Y' but doesn't have any directs will they still be able to see other employees? I believe we have a lot of user setup with the flag set to 'Y' currently.
You are not authorized to post a reply.