Prev
Next
Forums S3 Security

Inactivating Security in LSF9

Sort:
You are not authorized to post a reply.
Author
Messages
SharonM
New Member
Posts: 1
New Member
9/29/2008 3:15 PM

    We will be going LIVE with S3 financials on November 1,2009.   We are using LSF9 Security with LDAP bind.  I am wondering if there is a way to inactivate a user's security when they leave the organization or do we depend on the Acitve Directory account being disabled which would prevent the user from logging into the Portal.  Is this typically good enough for the auditors?

    Ellen Melton
    Advanced Member
    Posts: 28
    Advanced Member
    9/29/2008 4:14 PM
      From what I have found, there is no longer an "inactivation" function. I, among others, have submitted an enhancement request. Here is the procedure I implemented at our organization. I've taken these steps because I don't manage the active directory and I want to ensure users can't inadvertently access Lawson if their network ID is reassigned to another user.

      I add an OS identity with username = termed. Since this is not a valid OS account, if the user tries to log into Portal, they get an error message. I also added a custom RM field called "Comments". I record the actual effective term date in that field which helps the auditors in review. And then on the RM "Name" field, I add TERM xx/xx/xx: before the name and record the term action date. Both of those steps are just for documentation purposes.

      If the user was an application user and had a valid OS account, I remove the security class iin LAUA, and change the OS identity from that account to the "termed" account, same as above.

      Hope those ideas help.
      rockie12_us
      Advanced Member
      Posts: 32
      Advanced Member
      9/29/2008 4:26 PM
        Hi Ellen
        Question for you... if you do not remove them from RM, are you not concerned about exceeding your max LDAP query limit for your LDAP? If you exceed this, you will not bring back all rows in any LDAP searching. Just a thought.

        Ellen Melton
        Advanced Member
        Posts: 28
        Advanced Member
        10/1/2008 5:49 PM
          Dean,
          Guess I wasn't too worried since I didn't know there was such a thing!  I asked our LDAP administrator and he said ours is set to the default.  I haven't run into any problems that I've noticed.  I have approximately 5,000 RMIDs right now including all the termed IDs.

          Our auditors don't want us to delete userids since this is a financial system and they want to be able to trace transactions back to the user.  If we delete RMIDs then we loose the cross-reference - or so I'm told.
          Rodney
          Basic Member
          Posts: 7
          Basic Member
          11/10/2008 4:03 PM
            Just set the check LS flag to "NO" in RM.  This will make the user use laua security.   Also make sure they are not assigned a security class in laua.
            Ellen Melton
            Advanced Member
            Posts: 28
            Advanced Member
            11/11/2009 4:37 PM

              Guess what!!!  We hit our limit and now I'm getting errors in Lawson Security Administrator.  We are now having to bump up our QueryResults.  Now I know what that is!!

              Someone else posted that all you have to do is remove the security class - but since our ESS users are assigned to the privileged account, there is not OS Identity assigned for me to remove a security class from.

              You are not authorized to post a reply.