PrevPrev Go to previous topic
NextNext Go to next topic
Last Post 3/13/2012 2:27 PM by  Greg Moeller
Company Level Security Restriction
 14 Replies
Sort:
You are not authorized to post a reply.
Author Messages
Greg Moeller
Private
Private
Veteran Member
(4137 points)
Veteran Member
Posts:1477


Send Message:

--
2/16/2012 6:48 PM
    We've been tasked to implement company level security to an already existing LSF9 security setup.  We are taking on a different hospital, and now need their data to be separate from ours.

    What's the best way to do such a feat?  I'd prefer not to have to go into each and every security class and write more rules.

    Any way to use the CompanyControl attribute of RM to do this?  Who's willing to share an example?

    Thanks in advance,
    -Greg
    Jimmy Chiu
    System Analyst
    Federal Government
    Veteran Member
    (1880 points)
    Veteran Member
    Posts:640


    Send Message:

    --
    2/16/2012 7:37 PM
    CompanyControl is just an multi-value attribute you can use to "compare" against forms/tables/elements/element groups to grant access or not. So I am afraid you still need to go in secClass to add/modify the rules.

    typically for table:
    if(user.attributeContains('CompanyControl',lztrim(table.COMPANY)))
    'I,'
    else
    'NO_ACCESS,'
    Greg Moeller
    Private
    Private
    Veteran Member
    (4137 points)
    Veteran Member
    Posts:1477


    Send Message:

    --
    2/17/2012 4:04 PM
    Thanks, Jimmy... I was afraid you were going to say that! We have 540+ security classes and 5500+ rules. This is going to take us a while, then.

    I was hoping that there was a simpler (global) solution to company level security for both the screens and the tables.
    John Crudele
    Private
    Private
    Veteran Member
    (108 points)
    Veteran Member
    Posts:50


    Send Message:

    --
    2/17/2012 5:17 PM
    Greg

    What created a structure is resource manager
    Then made it an attribute on the users profile and assigned the users company to the attribute

    Then we created a security class with a rule on the company element

    if(isStructNodeTitleAbove('PlatformStructure',COMPANY,user.getAttribute('Platform')))
       'ALL_ACCESS,'
    else
       'NO_ACCESS,'

    We assigned the security class to a role then assigned the role to everybody
    Greg Moeller
    Private
    Private
    Veteran Member
    (4137 points)
    Veteran Member
    Posts:1477


    Send Message:

    --
    2/20/2012 4:01 PM
    So, John, when you assign this role to everyone, does that fix the other existing roles that may have access wide open to company.. permission for every company?
    John Henley
    Private
    Private
    Senior Member
    (9899 points)
    Senior Member
    Posts:3317


    Send Message:

    --
    2/20/2012 6:41 PM
    Since with LS, "most restrictive wins", having a "global" rule like that should achieve your goal. You just have to make sure it is include in a role that is assigned to every user.
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    Private
    Private
    Veteran Member
    (4137 points)
    Veteran Member
    Posts:1477


    Send Message:

    --
    2/20/2012 6:47 PM
    John: I thought it was "most permissive wins" ?
    John Henley
    Private
    Private
    Senior Member
    (9899 points)
    Senior Member
    Posts:3317


    Send Message:

    --
    2/20/2012 7:48 PM
    Man, I blew that one, didn't I? You are correct: the first rule encountered that grants access ends the rules processing.
    Thanks for using the LawsonGuru.com forums!
    John
    John Crudele
    Private
    Private
    Veteran Member
    (108 points)
    Veteran Member
    Posts:50


    Send Message:

    --
    2/21/2012 12:45 PM
    Greg

    We set-up a role called "company role" and assign it to whoever needs to have their access limited by company. If you have full access to all companies we do not assign the role.

    Regards
    JC
    Greg Moeller
    Private
    Private
    Veteran Member
    (4137 points)
    Veteran Member
    Posts:1477


    Send Message:

    --
    2/21/2012 7:00 PM
    So, John. What do you have in the "company role"?
    John Crudele
    Private
    Private
    Veteran Member
    (108 points)
    Veteran Member
    Posts:50


    Send Message:

    --
    2/24/2012 12:40 PM
    Greg

    1) we created our company structure in resource manager
    2) Created an attribute on the user profile and entered in the company information
    3) created a security class called CompanySecClass with a conditional rule on the company element
    if(isStructNodeTitleAbove('PlatformStructure',COMPANY,user.getAttribute('Platform')))
       'ALL_ACCESS,'
    else
       'NO_ACCESS,'
    4) Created a security profile calle CompanyRole and assigned the above security class to it
    5) Add the CompanyROle security profile to the individual users profile

    Regards
    JC
    Greg Moeller
    Private
    Private
    Veteran Member
    (4137 points)
    Veteran Member
    Posts:1477


    Send Message:

    --
    2/24/2012 6:38 PM
    JC, Thanks! This helps, but since I've never done anything like this (except in class 4 years ago) I'd appreciate more help. Would it be possible for you to send me a screen shot of your structure? That way I may be able to wrap my brain around this quicker. If you cannot, I understand.
    John Crudele
    Private
    Private
    Veteran Member
    (108 points)
    Veteran Member
    Posts:50


    Send Message:

    --
    2/28/2012 8:17 PM
    Greg

    I am finishing up our LSO install and training. i will send you screenshots on Thursday
    Greg Moeller
    Private
    Private
    Veteran Member
    (4137 points)
    Veteran Member
    Posts:1477


    Send Message:

    --
    2/29/2012 3:43 PM
    That would be great, John. Thanks!
    Greg Moeller
    Private
    Private
    Veteran Member
    (4137 points)
    Veteran Member
    Posts:1477


    Send Message:

    --
    3/13/2012 2:27 PM
    John: A screenshot would be appreciated.
    You are not authorized to post a reply.