ESS & Address Changes

Sort:
You are not authorized to post a reply.
Author
Messages
MatthewD
Veteran Member
Posts: 53
Veteran Member
    I'm trying to allow employees to make address changes via ESS however i do not want them to have access to HR11.1 screen to make any changes to their or anyones elses data. 

    I've tried giving full access to HR11, Employee specific access to HR11.1 using "lztrim(table.EMPLOYEE)==lztrim(user.getEmployeeId())" and then denying access to all tabs except Address but i'm still getting the "Address change cannot be made at this time; please contact your HR department to make this change.  (Security Violation)" message.

    I've tried giving full access to the Main-Tab and denied access to everything in that tab.  Allowed full access  to The Effect-Date but still the same results.
    John Henley
    Senior Member
    Posts: 3348
    Senior Member
      We live in an imperfect world, so what you're trying to accomplish isn't quite possible.
      Thanks for using the LawsonGuru.com forums!
      John
      John Henley
      Senior Member
      Posts: 3348
      Senior Member

        You need to add several types of rules (I'm typing in these rules, not cutting/pasting, but these should give you the general idea...):

        1. Employees/Managers need access to selected tables in system codes AC, IF, GL, HR, PA, BN, PR, TA, and LP.

        2. Employees/Managers should only have access to their own records, and certain records of their direct reports. Based on COMPANY/EMPLOYEE, you need to restrict employee to see their own records for any HR/BN/PA/PR/TA/LP tables. Based on COMPANY/EMPLOYEE, restrict employee to see records for their direct reports in certain HR/BN/PA/PR/TA/LP tables; for example, manager can see a direct report’s salary history, but not dependents or beneficiaries. This is critical, and client-specific, and requires the most analysis at the table level to decide what a manager can see related to an employee....

        3. create a COMP_EMPLOYEE element group, which contains COMPANY and EMPLOYEE elements.

        4. this rule goes into the COMP_EMPLOYEE element group:
        if((user.getCompany()==lztrim(COMPANY)&&user.getEmployeeId()==lztrim(EMPLOYEE)))

        5. create a COMP_EMPLOYEE_HIER element group, which contains COMPANY and EMPLOYEE elements.

        6. this rule goes into the COMP_EMPLOYEE_HIER element group:
        NOTE use of the 'Access' attribute allows quick override using an old feature in LAUA/IOS to allow someone with the Access='Y' attribute to see ANYONE ... use with caution...
        if((user.getAttribute('Access')=='Y' || (user.getCompany()==lztrim(COMPANY)&&user.getEmployeeId()==lztrim(EMPLOYEE)) || (user.isInChainOfCmdOfEmpInHR(lztrim(COMPANY),lztrim(EMPLOYEE))) || 
         (user.isSupervisorOfEmpInHR(lztrim(COMPANY),lztrim(EMPLOYEE))) )
        Note: this rule allows access to the employee, his/her direct reports (down the chain of command)

        7. add rule to restrict HR forms (e.g. HR11) to only themselves (which is form.EMPLOYEE, not table.EMPLOYEE): 
        if(isElementGrpAccessible('COMP_EMPLOYEE','I','HR',form.EMP_COMPANY,form.EMP_EMPLOYEE))
        'ALL_ACCESS';
        else
        'NO_ACCESS';

        8. add rules to restrict them to only themselves on HR, PR, etc. tables (e.g. EMDEPEND, etc.):
        if(isElementGrpAccessible('COMP_EMPLOYEE','I','HR',table.COMPANY,table.EMPLOYEE))
        'ALL_ACCESS';
        else
        'NO_ACCESS';

        9. add rules to restrict them to only themselves (and their direct reports) on HR, PR, etc. tables (e.g. EMPLOYEE, PAEMPLOYEE, etc.):
        if(isElementGrpAccessible('COMP_EMPLOYEE_HIER','I','HR',table.COMPANY,table.EMPLOYEE))
        'ALL_ACCESS';
        else
        'NO_ACCESS';
        Thanks for using the LawsonGuru.com forums!
        John
        MatthewD
        Veteran Member
        Posts: 53
        Veteran Member
          John, Thank you very much! I have a question regarding the use of the 'Access' attribute. If an employee has the Access flag set to 'Y' but doesn't have any directs will they still be able to see other employees? I believe we have a lot of user setup with the flag set to 'Y' currently.
          You are not authorized to post a reply.