ESS/MSS - Org chart - conflict with core user

Name	Points
Greg Moeller	4184
David Williams	3349
JonA	3288
Kat V	2984
Woozy	1973
Jimmy Chiu	1883
Kwane McNeal	1437
Ragu Raghavan	1348
Roger French	1311
mark.cook	1244

ChrisW

Basic Member

Posts: 10

8/28/2008 9:18 PM

Hi! Has anyone implemented ESS/MSS and Org chart functionality in Portal and LS 9?

Because of the access required on the Employee table, I'm having issues with core users (i.e. AP processor) and the ability to "drill" on an employee's information which shouldn't be available to anyone but the employee (salary).

I've tried field level security on the Employee and PAEmployee tables, but the performance is really bad, to the extent of not returning data.

Any suggestions??

John Henley

Senior Member

Posts: 3348

8/29/2008 1:12 PM

Are you saying that the AP processor has access to drill on his/her own data or the data for other employees?

ChrisW

Basic Member

Posts: 10

8/29/2008 3:59 PM

Yep, that's it and definately not the model we can go live with.

John Henley

Senior Member

Posts: 3348

8/29/2008 6:02 PM

You didn't answer the question: 1) his/her own data or 2) other employees data?

ChrisW

Basic Member

Posts: 10

9/1/2008 3:32 PM

Sorry John - 2, can see other employee's data (of course can see their own as well)

John Henley

Senior Member

Posts: 3348

9/1/2008 4:23 PM

Re: ESS/MSS - Org chart - conflict with core user (749ad3ed-72fb-4f74-aadf-b4ead106df2e)

I'm assuming your user has the "access" flag set to Y, which essentially opens up IOS data security to being able to access data for any employee.

Prior to LSF9 and 9.0 security, this resulted in a "fatal flaw" in how IOS (and therefore SEA) apps implemented security. The problem was that users need to wear multiple hats, i.e. you can be a manager, an employee, a requester, an approver, and a vendor--all of which requires appropriate security, and which breaks down with IOS security. Hence the addition of the Access flag, which basically says "let the user see any data within their designated LAUA security class, and ignore the restrictions added be IOS". While this opening up of security is obviously required for anyone working in HR, if you do it for other user (an example being req approval--if you have access set to N and you are both a requester and an approver, you can't see/approve any reqs!) You end up with your situation.
John Henley

ChrisW

Basic Member

Posts: 10

9/3/2008 11:36 AM

Thanks, John. After a reboot of the system, the field level security on the tables actually kicked in and is working as we thought it should. We do have the Access set to "N" and are using LS9 rather than LAUA. It's good to know what that flag does to the system.

Thanks for your assistance!

Shane Jones

Veteran Member

Posts: 460

9/12/2008 1:57 AM

Chris and John,
When we purchased Lawson we really like the Org Chart capability but had security problems so we shut it down. Are you saying that I will be able to open this feature back up when we complete our LSF9 migration?

John Henley

Senior Member

Posts: 3348

9/12/2008 11:41 AM

Yes, if you implement Lawson Security and replace LAUA security, you can properly implement role-based security.

ChrisW

Basic Member

Posts: 10

9/12/2008 7:42 PM

Hi Shane - we are using a modified version of Org Chart, but using it's structure. So far (MSS is still pending), I've been able to allow access to the data elements required for this feature, but block access to other senstive information.