Last Post 01/16/2017 9:18 AM by  John Henley
ESS and Portal Security from 8.03 to 9.0
Joe O'Toole
Veteran Member
(778 points)
Posts:304
03/19/2008 3:12 PM

    We're implementing LSF9 and I'd like to understand what the "best practices" setup is for ESS users if you do not want to maintain a LAUA record for everyone. In 8.03 I believe the necessary security was inherited by defining a RD30 record and assigning the user to an ESS group that had the application assigned to it. In LSF9 we are getting Logan security errors when logging into ESS if the Domain user in Identity Manager is blank or not defined in LAUA security as having access to Logan.

    My second question is for dual portal users (apps and ESS). On 8.03 we defined 2 windows accounts for these users. The first was defined in LAUA security and was used for LID and ESS (with a limited portal menu). The second was used to run apps from Portal (full menu) but was bound to LAUA security via the domain user field in the RD30 record. Our goal in LSF9 is to have a single account for these dual users that would provide access to ESS and Lawson Financial apps in Portal and LID while restricting their access to HR applications. Is this possible without implementing the new security model? Any advice appreciated. 

     

    John Henley
    Senior Member
    (9563 points)
    Posts:3205
    03/19/2008 3:52 PM

    Answer to your first question: You need to use the 'mass assignment' feature in Lawson Security to assign the ESS users to a common OS identity.  See section "Sharing the OS Identity for ESS Users" in my article "Converting LID/Portal Users for LSF9" (https://www.danalytics.com/guru/let...07-10.htm).

    Thanks for using the LawsonGuru.com forums!
    John
    Joe O'Toole
    03/19/2008 4:09 PM
    Thanks, John. We have the common OS identity defined in Privileged Identities and assigned to the ESS users' OS identity but the only way I can get around the LO secured errors is by assigning the common identity to the Admin security class in LAUA, which I'm not thrilled about. Even when we have this set as such we're still getting errors within the ESS screens, i.e. when executing a move life event: " 'undefined' is null or not and object". It appears that all the necessary user's info is still not available for ESS to complete its transaction request.
    John Henley
    03/19/2008 4:13 PM
    The answer to your second question is yes, kinda. You can do it with one OS identity, but as with 8.x, your LAUA security class would have to have access to the HR forms in order for that employee to have access to ESS functionality.
    Thanks for using the LawsonGuru.com forums!
    John
    John Henley
    03/19/2008 4:16 PM
    The common essuser definitely needs access to the LOGAN product line, LO systemcode / forms.
    Thanks for using the LawsonGuru.com forums!
    John
    Joe O'Toole
    03/20/2008 11:43 AM
    We got this working last night - things we changed were: Added the common essuser to the Lawson group in LAUA, added logan to all LAUA security classes and assigned the common essuser in the domain user field of the test ess user in Manage Identities. Oddly enough, I tested another new account this morning skipping the common ess user assignment in Manage Identities and ESS still worked fine. This makes me wonder if OS identity really needs to contain the common user id for "ESS only" users...
    John Henley
    03/20/2008 5:12 PM
    I may be misunderstanding what you're saying, but if you don't have an OSID for those users and you're using LAUA security, how can they have an assigned LAUA security class? Are you sure you're testing with security turned on?
    Thanks for using the LawsonGuru.com forums!
    John
    Joe O'Toole
    03/21/2008 9:11 AM
    The common user is defined in LAUA, assigned a security class and is assigned to the Lawson group. In my initial test, I assigned this common user to the ESS user's "Domain_Users" field in Manage Identities. In a subsequent test for another ESS user I did not assign anything in Manage Identities and the user was still able to log into ESS and retrieve their information. Lawsec is on and both ESS users' Check LS flag is set to No in the RM record. Does this make sense?
    Joe O'Toole
    03/21/2008 11:30 AM
    Sorry - to clarify: the ESS test users are not defined in LAUA security, only the Common ESS user is - this scenario was part one of my original post.
    The dual user (ESS and Apps) is defined in LAUA - this was part two of my original post.
    John Henley
    03/21/2008 1:03 PM
    I guess I didn't say that very clearly. What I meant was that you need to assign the ESS users to a common identity/OSID that is assigned to an LAUA security class.
    Thanks for using the LawsonGuru.com forums!
    John
    Joe O'Toole
    03/24/2008 9:32 AM

    Ok, I'm with you now.

    So do we really not need to assign the common user in the Manage Identities screen of lawsecadmin?

    John Henley
    03/24/2008 9:56 AM
    You do--you are assigning the common OS/LAUA user which has the security class (e.g., "essuser") to each ESS user, which doesn't have a security class or OS identity.
    Thanks for using the LawsonGuru.com forums!
    John
    Joe O'Toole
    03/24/2008 10:12 AM
    That's what's perplexing. On the second test account I created, I did not put the common webuser ID in the Domain User field of Manage Identities in lawsecadmin, but was still able to log into ESS and pull up info just fine.
    John Henley
    03/24/2008 10:53 AM
    Do you have an ONLINE identity defined under privileged identities?  That would be used if the OS identity doesn't exist for an RM user...?
    Thanks for using the LawsonGuru.com forums!
    John
    Joe O'Toole
    03/24/2008 4:00 PM

    That explains it - we don't need the domain login since the common account is assigned to online user in privileged identities.

    Now for the dual users (Apps and ESS) that DO have a LAUA record and security class, will that take precedence over the security class assigned to the common account that is assigned to the online role in privileged iden?

    John Henley
    03/24/2008 4:08 PM
    For the dual users, they need to have an identity, which points them to an LAUA user/security class. The existence of that identity will override the ONLINE identity.
    Thanks for using the LawsonGuru.com forums!
    John
    Joe O'Toole
    03/24/2008 4:09 PM
    Thanks, that's what we want.
    Joe O'Toole
    04/02/2008 4:01 PM

    John,

    Do the LAUA security settings for a user with their own OS identity set override the (online role) common ESS user access rights? We have dual mode (App / ESS) users that are "finance only" according to LAUA security and since moving to LSF9 it seems to be preventing them from accessing some of their ESS data in portal.

    Thanks,

    Joe

    John Henley
    04/03/2008 9:04 AM

    Do the LAUA security settings for a user with their own OS identity set override the (online role) common ESS user access rights?

    Yes. The ONLINE identity is only used if a user does not have an OS identity. You would need to update the LAUA security class for your finance users to include rights to the forms/tables needed for ESS. That may or may not be enough reason to start looking at Lawson 9.0 security. Some organizations also use dual IDs to deal with it.

    Thanks for using the LawsonGuru.com forums!
    John
    Joe O'Toole
    04/03/2008 9:52 AM
    Thanks for the update. On 8.03, our LID users' security class was not enforced when they used Portal for ESS. We used dual IDs for the few Finance application users that used Portal to keep them out of HR. In 9.004 it seems that portal is enforcing the LAUA security class regardless of whether they are ESS only or App users.
    Ronnie
    Business Analyst
    BMH
    Veteran Member
    (341 points)
    Posts:143
    01/13/2017 12:28 PM
    What happens when you go to Lawson 10? We are on 9 and currently set up as well with an ONLINE privileged user that is tied to a class in LAUA to get all the things they need for ESS, but in 10 LAUA no longer exists.

    How does this set up work in 10 or does it anymore?
    John Henley
    01/13/2017 1:06 PM
    You create the privileged 'ONLINE' identity in Lawson 10 security administrator. It is an OS user that is used as a proxy for any user who is not assigned an environment identity. However, what a user can do and see is still governed by what roles are assigned to the actual user. For instance, if a user doesn't have a role that allows access to AP forms, just because a user doesn't have an identity, and is using the ONLINE identity, doesn't give them access to AP forms.
    Thanks for using the LawsonGuru.com forums!
    John
    Ronnie
    01/13/2017 1:48 PM

    So really, all the privileged user is doing is allowing all the users to be without an environment identity? They don't inherit actual security once logged in? I know in 9 they inherited the security class etc that the privileged user had in LAUA.

    So in 10 every user has to have their own roles? ....if that is the case, what would be the benefit of even having an ONLINE privileged user set up in version 10?

    John Henley
    01/16/2017 9:18 AM
    In v10 (or v9 with CHECKLS=YES), the online privileged identity is required in order to associate an RM user with an OS identity for GEN. Security roles from the RM user are required and used. Unlike v8 (or v9 when CHECKLS=NO), where an LAUA class is assigned to that user, there are no roles associated with the privileged identity.
    Thanks for using the LawsonGuru.com forums!
    John
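
The identity fallback discussed across this thread, as an added example that is not part of any post and is not Lawson code: a toy model of "own OS identity overrides ONLINE" and of the CHECKLS=NO versus CHECKLS=YES/v10 behaviour, used to list accounts that would lose ESS access. The user names, class names, role names and form labels are constructed placeholders.

```python
# Added illustration: a toy model of the identity fallback described in this thread.
# All names and data below are constructed; none are Lawson APIs or real form lists.
from dataclasses import dataclass, field
from typing import Optional

ONLINE_IDENTITY = "essuser"  # common OS user set as the privileged ONLINE identity
LAUA_CLASS = {"essuser": "ESSCLASS", "jfin": "FINCLASS"}      # OS user -> LAUA class
CLASS_FORMS = {"ESSCLASS": {"LO", "ESS"}, "FINCLASS": {"LO", "AP"}}
ROLE_FORMS = {"EssRole": {"ESS"}, "ApRole": {"AP"}}           # role -> forms

@dataclass
class RMUser:
    name: str
    os_identity: Optional[str] = None   # the user's own OS identity, if assigned
    check_ls: bool = False              # CHECKLS flag on the RM record
    roles: set = field(default_factory=set)

def resolve_os_identity(user: RMUser) -> str:
    """The user's own identity wins; ONLINE is used only when none exists."""
    return user.os_identity or ONLINE_IDENTITY

def effective_forms(user: RMUser) -> set:
    if user.check_ls:
        # v10, or v9 with CHECKLS=YES: roles of the RM user decide; the
        # privileged identity only supplies an OS user and carries no roles.
        forms = set()
        for role in user.roles:
            forms |= ROLE_FORMS.get(role, set())
        return forms
    # v8, or v9 with CHECKLS=NO: the LAUA class of the resolved OS user decides.
    laua_class = LAUA_CLASS.get(resolve_os_identity(user))
    return set(CLASS_FORMS.get(laua_class, set()))

def users_without(form: str, users: list) -> list:
    """Names of users whose effective access lacks the given form."""
    return [u.name for u in users if form not in effective_forms(u)]

SAMPLE_USERS = [  # constructed accounts mirroring the cases discussed above
    RMUser("ess_only"),                                  # falls back to ONLINE
    RMUser("dual_finance", os_identity="jfin"),          # own identity overrides
    RMUser("v10_with_role", check_ls=True, roles={"EssRole"}),
    RMUser("v10_no_roles", check_ls=True),               # ONLINE grants nothing
]

if __name__ == "__main__":
    print(users_without("ESS", SAMPLE_USERS))
```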