Last Post 11/11/2009 11:37 AM by  Ellen Melton
Inactivating Security in LSF9
 5 Replies
SharonM
09/29/2008 11:15 AM

    We will be going LIVE with S3 financials on November 1, 2009. We are using LSF9 Security with LDAP bind. I am wondering if there is a way to inactivate a user's security when they leave the organization, or do we depend on the Active Directory account being disabled, which would prevent the user from logging into the Portal? Is this typically good enough for the auditors?

    Ellen Melton
    09/29/2008 12:14 PM
    From what I have found, there is no longer an "inactivation" function. I, among others, have submitted an enhancement request. Here is the procedure I implemented at our organization. I've taken these steps because I don't manage the active directory and I want to ensure users can't inadvertently access Lawson if their network ID is reassigned to another user.

    I add an OS identity with username = termed. Since this is not a valid OS account, if the user tries to log into Portal, they get an error message. I also added a custom RM field called "Comments". I record the actual effective term date in that field which helps the auditors in review. And then on the RM "Name" field, I add TERM xx/xx/xx: before the name and record the term action date. Both of those steps are just for documentation purposes.

    If the user was an application user and had a valid OS account, I remove the security class in LAUA, and change the OS identity from that account to the "termed" account, same as above.

    Hope those ideas help.
    rockie12_us
    09/29/2008 12:26 PM
    Hi Ellen
    Question for you... if you do not remove them from RM, are you not concerned about exceeding your max LDAP query limit for your LDAP? If you exceed this, you will not bring back all rows in any LDAP searching. Just a thought.

    Ellen Melton
    10/01/2008 1:49 PM
    Dean,
    Guess I wasn't too worried since I didn't know there was such a thing!  I asked our LDAP administrator and he said ours is set to the default.  I haven't run into any problems that I've noticed.  I have approximately 5,000 RMIDs right now including all the termed IDs.

    Our auditors don't want us to delete userids since this is a financial system and they want to be able to trace transactions back to the user. If we delete RMIDs then we lose the cross-reference - or so I'm told.
    Rodney
    11/10/2008 11:03 AM
    Just set the check LS flag to "NO" in RM.  This will make the user use laua security.   Also make sure they are not assigned a security class in laua.
    Ellen Melton
    11/11/2009 11:37 AM

    Guess what!!!  We hit our limit and now I'm getting errors in Lawson Security Administrator.  We are now having to bump up our QueryResults.  Now I know what that is!!

    Someone else posted that all you have to do is remove the security class - but since our ESS users are assigned to the privileged account, there is no OS Identity assigned for me to remove a security class from.
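
An added example, not part of any post in this thread and not Lawson code: a reconciliation check that compares each RM record against the termination steps described in the thread (the "termed" OS identity, the TERM xx/xx/xx: prefix on the RM Name field, the term date in the custom Comments field, no security class left in LAUA). The CSV layout, its column names and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import re

# Constructed sample export; the column names are assumptions, not a Lawson format.
SAMPLE_EXPORT = """rmid,name,os_identity,laua_security_class,comments,ad_disabled
jdoe,TERM 10/15/08: Doe John,termed,,Term effective 10/10/08,yes
asmith,Smith Ann,asmith,APCLERK,,no
bjones,Jones Bob,bjones,GLACCT,,yes
cwhite,TERM 11/01/08: White Carol,cwhite,,Term effective 10/31/08,yes
dgreen,TERM 09/30/08: Green Dan,termed,,,no
"""

# The "TERM xx/xx/xx:" prefix recorded on the RM Name field.
TERM_PREFIX = re.compile(r"^TERM \d{2}/\d{2}/\d{2}:")

def audit_record(row):
    """Return the list of findings for one RM record."""
    findings = []
    marked_termed = bool(TERM_PREFIX.match(row["name"]))
    ad_disabled = row["ad_disabled"].strip().lower() == "yes"
    if ad_disabled and not marked_termed:
        findings.append("AD account disabled but RM record not marked TERM")
    if marked_termed or ad_disabled:
        # A departed user should map only to the invalid "termed" OS identity.
        if row["os_identity"] != "termed":
            findings.append("OS identity still maps to a real account")
        if row["laua_security_class"].strip():
            findings.append("LAUA security class still assigned")
    if marked_termed and not row["comments"].strip():
        findings.append("no effective term date recorded in Comments")
    if marked_termed and not ad_disabled:
        findings.append("marked TERM but AD account still enabled")
    return findings

def audit_export(text):
    """Map rmid -> findings for every record with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_record(row)
        if findings:
            report[row["rmid"]] = findings
    return report

if __name__ == "__main__":
    for rmid, findings in audit_export(SAMPLE_EXPORT).items():
        for finding in findings:
            print(f"{rmid}: {finding}")
```

Records are only reported, never deleted, which keeps the RMID cross-reference the auditors asked for.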
