Prev
Next
Forums S3 Systems Administration

Way to 'simulate' dual-login ID's in LSF9?

Sort:
You are not authorized to post a reply.
Author
Messages
ShawnV
Advanced Member
Posts: 37
Advanced Member
6/22/2009 4:26 PM

    Hello anyone and everyone,
      We are currently migrating from 8.0.3 to LSF9 (planning to remain on LAUA security).
      Currently all the RSS/Portal people have 2 ID's for login.  One for ESS/MSS which is their 'LAN ID' and the other is their RSS/Portal ID which is their 'LAN ID' + "P"  (ie. ESS => "m045757": Portal => "m045757P").
      In 8.0.3 we modified the index.htm & login.htm pages to create a login page for ESS/MSS and a login page for RSS/Portal.  The RSS/Portal page appends the "P" onto the users LAN ID when they login thereby creating a 'dummy' single-signon look/feel.  

      We are looking to do something similar in LSF9 where a user can enter their LAN ID for RSS/Portal and our code would append a "P" before it actually makes the login call.

      After reading some of the posts one option may be to create our own RSS/Portal login page and 1) Append the "P"; 2) Use Lawson's Single Signon process to login.  I'm not sure if this will work and I am not very comfortable about passing the password in clear text to the signon component.

      If anyone has any direction it would be much appreciated.  If necessary, you can reach me directly at 507-538-4267 or shawnvs@hotmail.com.

    Thank you in advance.
    Shawn

    Gary Davies
    Veteran Member
    Posts: 248
    Veteran Member
    6/23/2009 4:18 PM
      Even if you are using LAUA, ESS/MSS and RSS have roles assigned in Lawson security outside of LAUA.   SSO means single sign on, no need for duplicate ids any more.
      John Henley
      Senior Member
      Posts: 3348
      Senior Member
      6/23/2009 4:40 PM
        Gary, I disagree. Even with LSF9 SSO, using LAUA security in certain situations is a security hole. For example, consider a user who is 1) an employee, 2) a requester, 3) a requisition approver, and 4) a portal user in Finance. In order to satisfy all of those roles, the user has to have 1) full access to HR11 (for employee self-service), and 2) the RM "Access" flag = "Y" (in order to approve requisitions that are not their own). Therefore, the user can be in Portal, and change--via HR11--any employee.  That is the primary reason why LS 9 exists--to satisfy role-based security requirements.
        Thanks for using the LawsonGuru.com forums!
        John
        Alex Tsekhansky
        Veteran Member
        Posts: 92
        Veteran Member
        6/23/2009 9:31 PM
          It is possible to create a custom login page to mimic 8.0.3 behavior in that respect.

          Note that you will also need to modify some WAS-deployed files as well to address session expiration screen.
          Shane Jones
          Veteran Member
          Posts: 460
          Veteran Member
          6/24/2009 1:10 PM
            Great topic....

            We have two accounts for all HR/PR/BN users as well and it is a pain in the #$%^. We recently moved to LSF9 but are still using LAUA. We were told that when we move to LSA we will be able to code this so my users will not need two account. I have not started looking into it yet. (It is an example of someone at Lawson not thinking about how the system would be used....)

            When I first opened a ticket I was told that I would have to give full access to everyone in HR. I explained that it that was the case their security model was not needed. Then They came out with LSA which is designed to allow for "if then" slections based on associate numbers.

            Shane
            Shane Jones
            Tools: HR, Payroll, Benefits, PFI, Smart Office, BSI, Portal and Self-Service
            Systems: Lawson, Open Hire, Kronos, Crystal Reporting, SumTotal Learning
            ** Teach others to fish...
            Sal Serafino
            New Member
            Posts: 2
            New Member
            7/1/2009 1:35 PM
              Don't do a dual-login -- you don't need it. Look at what you WANT to do, not at what you have already. When I did the 803-900 upgrade, I went straight to LS so I could avoid this problem.

              If you have questions, I'll be happy to answer whatever I can. Just message me.
              allbusinessgomab
              Advanced Member
              Posts: 31
              Advanced Member
              7/1/2009 1:52 PM
                I agree with the comment about not doing dual logins. However, it is very much possible. If I were attempting to do what you are doing, I would set up two endpoints in Lawson with two different URLs. I would modify the login.js file's submitLogin() function so that it looks at the URL. If the url is A, I would append the p to the username. If it is B, leave it alone.
                Brian K
                Advanced Member
                Posts: 20
                Advanced Member
                8/21/2009 6:47 PM
                  We had the same sort of set up in Env 803 in changing the login page to use the username differently (except we are on Unix so we used all lower case for one portal log ins and all uppercase for ESS log ins).

                  When we went to LSF9, we went to LSA as well, because the cons of creating another end point and changing the SSO to work with this new configuration that isn't supported by lawson and could potentially need to get reworked for every core and portal patch you apply.
                  mark.cook
                  Veteran Member
                  Posts: 444
                  Veteran Member
                  8/24/2009 2:08 PM
                    We modified the xml file to remove the search box to the application, then in the portal role file attached the new xml for ESS /MSS users. This kept the users that were just related to ESS & MSS out of HR11 and other application forms. Their only access was based on bookmarks.
                    You are not authorized to post a reply.