We are in the process of implementing Lawson Security for our super user community. EMSS users are already using Lawson Security. EMSS has custom rules and validation built and is the “preferred” method for performing updates. EMSS has a set of required programs that the EMSS role(s) have been granted access.
As we all know, with Lawson Security the user has a single login, which means those super users not only have access to EMSS but also the Infor application. Based on their security roles we know the super user can only access tokens that they have security rights to access.
Example of a super user: Super user who is a manager with direct reports.
Since the search box is available, since EMSS requires HR11 access to allow updates, how are any of you restricting the super user from accessing HR11, via the search box, for their own record and/or their direct reports record to perform updates directly within HR11 rather than the “preferred” EMSS bookmark? HR11 is just a single example, as we all know EMSS has other Infor forms that require update functionality, therefore the security role(s) has been granted access. Other examples are, but not limited to, Individual Action (PA52), Direct Deposit (PR12), or Employee Taxes (PR13). I will not even go into the fact that if a transaction is completed directly in some of those forms during payroll processing it can/will cause Payroll processing to error. Again, I will not go there
If you are not restricting are you auditing the transactions?
If you are auditing, how many of those transactions should have been completed via EMSS rather than the Infor form directly? How are you ensuring it does not happen again?
If this is not a concern of yours, why is it not a concern?
Our user account base: ~87k EMSS accounts. Of those, approximately 12k are super users.
Cross posting to get each sides perspective: S3 Security and S3 HR/Payroll/Benefits.
TYIA for your feedback.