Last Post 6/9/2015 4:22 PM by  Highgrove
Automated User Setup and ISS
 10 Replies
Bob Canham
3/2/2015 7:55 PM

    We are working to implement Infor Security Services (ISS) in our test environment to federate our 10.0.4 LSF and 10.0.4 CU19 Landmark environments.  In the past, I had a process flow that created all of our user accounts in LSF automatically when an employee is hired.  I just started working on modifications to it today to account for ISS and Landmark but have run into a snag.

    In a webinar I attended, it was suggested that the same process could be kept, but would need nodes added to create the user on the Landmark side manually.  I haven't started that side yet, as I wanted to see what does get created when you use the Resource Transaction node (if I create a user in the Security Administrator, it creates the Actor on Landmark).  However, after running the update (just S3 Resource Transaction), I don't even see a record in ISS that the user exists.

    Has anyone done this yet that they have suggestions on how it can be accomplished?

    Tim Cochrane
    3/3/2015 12:45 PM
    If I understand correctly - you're already running a flow that creates LS users/account, and you want to modify the flow to create Landmark Actors, etc...correct??
    If so, you'll be using the Landmark node exclusively. You'll use the Landmark node to: create the Actor (Actor class), add Roles (ActorRole), create Identities (Identity), then add Identities to the Actor (Identity Actor). Depending on your setup, you'll also use it to add the Security Answers (SecurityAnswer) to the Actors, but that would only depend on if you KNEW their security questions/answers. After this, you can also add User profiles, Tasks, Cat Values, etc.

    It can get tricky, so my advice is to test, test & test...then test again. I also have legs in my versions that go through and do a cascade delete of everything. That way I can continue to test with the same users over and over. It also prepares me for when business owners say "can we use this to delete users and do clean-up?"
    Tim Cochrane - Principal LM/IPA Consultant
    Bob Canham
    3/3/2015 1:02 PM
    What do you mean by using the Landmark node exclusively? We are using LSF as our primary authentication source, so ISS should be connected to the LSF side, not the Landmark side, right?

    As for deletes, does that work from Landmark? I was advised by Xtreme Support yesterday that you can't actually delete a user from Landmark, it keeps them in the Gen database.
    Tim Cochrane
    3/3/2015 2:49 PM
    In your original post you said "...but would need nodes added to create the user on the Landmark side manually", which is why I prefaced my answer with "If I understand correctly..."...meaning it appeared that you wanted to add logic to your flow to create/update Actor records.
    SO...if you were going to create Landmark Actor records in a flow, it would require using the Landmark node.

    Not sure why you got that answer from Infor. I've got a flow that creates Actor records on the LTM side (where Actor records are typically added by business owners, even though you can do the same in GEN), then deletes the Actor from LTM. When I view the Actor in GEN (while this flow is running) I can see them following the Create, then after the Delete node runs, they are no longer in the Actor business class in Gen.
    Tim Cochrane - Principal LM/IPA Consultant
    Carl.Seay
    3/3/2015 2:57 PM
    When you manually add a user in ISS, it adds additional attributes to the LSF LDAP user record. Without these attributes, the user will not display in ISS. I have not troubleshooted any further than that. I assume the new ISS List Based Sync would create those attributes and allow you to view in ISS, but you would need to be on LSF 10.0.6.
    Bob Canham
    3/3/2015 3:05 PM
    Darn, that's not the answer I was hoping for, Carl; we're only on LSF 10.0.4. So you're saying that without the list-based sync we wouldn't be able to modify the users in ISS? Do you think the user would function properly if they were to log into Ming.le and then access Landmark (single sign-on)?
    Bob Canham
    3/3/2015 3:59 PM
    Ok, I just tried using the list-based sync (it was in the instruction manual so I figured I'd give it a shot). It seems to have run and processed the user through all the systems. I did look through the security_provisioning.log file and it looks like it is still doing a sync on all of the categories. Is this normal?
    Carl.Seay
    3/3/2015 4:19 PM
    From my experience, the users were able to log into all applications as normal. The only issue was they did not show in ISS.
    adnan512
    5/22/2015 12:54 AM
    Once you run the sync they will show up in ISS. I have a PF that creates the users on LSF side and then I run the sync. I can also create the users in LMK using the same flow but I chose to run sync.
    JeffR
    6/1/2015 2:04 PM
    You can automate adding the users to Landmark and ISS by creating an XML file and running the ssoconfig command on the LSF server. The XML format and syntax for the ssoconfig is in the ISS documentation. The only change to the documentation is where it says to enter the InputFile in the ssoconfig command line: make sure you add the entire path along with the filename.
    Highgrove
    6/9/2015 4:22 PM
    I have a client that is experiencing some issues with Landmark roles being added to the wrong employees and would like to delete the roles without deleting the users. Are the following true statements?

    1. I believe that the ISS tool is what keeps the LSA and LTMPROD security in sync. When you make the security changes in ISS, both the LSA and LTMPROD security gets updated. I do not think there is an automated process to move the LTMPROD changes to LSA.

    2. We currently use ISA, I believe, to do our maintenance, but we call it ISS. The issue in PROD is that Landmark is the only accurate keeper of the security roles. If you run the sync from Lawson to ISA/ISS through to Landmark, the security will be messed up.

    3. The synchronization will only sync the LSF and Landmark environment security roles. The sync does not add roles to user records. It simply takes the roles that are in LSF and copies them to Landmark and vice versa. From Paula's last response it appears that the issue is that there are some users that have roles that shouldn't be assigned to them? If that is accurate then running the sync will not help.

    4. Will running the sync cause users to get access to roles that they should not have?

    I will appreciate any comments, as Infor is not aware of issues with ISS and is suggesting an upgrade to 10.0.6.12 from 10.0.6.6.