LS9 ESS/MSS Security Quandary

Fernando Labrada
Basic Member
Posts: 14
    Keeping in mind that one of the ultimate goals of LS9 is to have a single set of login credentials, securing the EMPLOYEE table so that only the right records are accessible is of paramount importance. This is critical for people who are application users and will have a search box in portal and thus will be able to access HR11 (required by Self Service).

    The EMPLOYEE table can be secured for the ESS role to only allow access if COMPANY/EMPLOYEE in the table = COMPANY/EMPLOYEE in the employee’s identity. The EMPLOYEE table can be secured for the MSS role by using the IsSupervisorOf function which gives access to only the direct reports of a manager. So, when both are in force, the less restrictive MSS role wins out and all is good.

    Enter the Org Chart link. The Org Chart allows one to navigate thru the organization’s structure (via HS10) and see who reports to whom. At any time you can click on a person’s name and get a profile of that person. And where does that profile come from? The EMPLOYEE table! So, if I click on the CEO’s name, since I am neither the CEO nor he/she is my direct report, the applet just spins and returns nothing. Sleuthing into the lase logs shows that “NO_ACCESS” was returned as a result of the EMPLOYEE table’s security rule from the MSS role (as it should!). Unfortunately the applet just spins, it doesn’t return any kind of “Security Violation” message or anything like that.

    So, is the answer to get Org Chart to work to open up access to EMPLOYEE in the ESS/MSS roles? I don’t think so since an application user would then have access to the full employee table from HR11 drill/selects.

     This is my quandary. 

    Any ideas?
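
The trade-off described in the post above, as an added example that is not part of the original thread and is not Lawson Security rule syntax: a small Python model of the ESS and MSS rules on EMPLOYEE, combined so that the least restrictive role wins. The org data, function names and the "GRANTED" label are constructed for illustration; only "NO_ACCESS" and IsSupervisorOf come from the post.

```python
# Added illustration (not from the thread): toy model of the EMPLOYEE rules.
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    company: int
    employee: int
    roles: frozenset

# Constructed org data: (company, employee) -> supervisor's employee number
REPORTS_TO = {(1, 100): None, (1, 200): 100, (1, 300): 200, (1, 301): 200}

def ess_rule(user, company, employee):
    """ESS: COMPANY/EMPLOYEE in the row must equal the user's identity."""
    return (company, employee) == (user.company, user.employee)

def mss_rule(user, company, employee):
    """MSS: stand-in for IsSupervisorOf, direct reports only."""
    return company == user.company and REPORTS_TO.get((company, employee)) == user.employee

def open_rule(user, company, employee):
    """The tempting Org Chart fix: unconditional access to EMPLOYEE."""
    return True

CURRENT_RULES = {"ESS": ess_rule, "MSS": mss_rule}
OPENED_RULES = {"ESS": open_rule, "MSS": mss_rule}

def employee_access(user, company, employee, rules=CURRENT_RULES):
    """Roles combine as the post describes: the least restrictive grant wins."""
    granted = any(rules[r](user, company, employee) for r in user.roles if r in rules)
    return "GRANTED" if granted else "NO_ACCESS"  # "GRANTED" is a constructed label

def visible_rows(user, rules=CURRENT_RULES):
    """Rows any consumer of the same table rule (Org Chart or HR11 select) can read."""
    return sorted(k for k in REPORTS_TO if employee_access(user, *k, rules=rules) == "GRANTED")

if __name__ == "__main__":
    manager = Identity(1, 200, frozenset({"ESS", "MSS"}))
    print("Org Chart -> CEO profile:", employee_access(manager, 1, 100))
    print("Rows today:", visible_rows(manager))
    print("Rows if EMPLOYEE is opened:", visible_rows(manager, OPENED_RULES))
```

Because the rule sits on the table rather than on the screen that reads it, the same change that lets Org Chart show the CEO's profile also widens what an HR11 drill/select returns.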

    KerriR
    Advanced Member
    Posts: 34
      Any solution for this problem? We have the same issue here.
      Tim Cochrane
      Veteran Member
      Posts: 154
        See my comments in the "Employee Self Service under Lawson Security" thread, but basically we've built a custom view (using SQL) of the EMPLOYEE table and call the custom table in Org Chart. It's more custom coding, but once done it'll get us around the same issue you are currently having.
        Tim Cochrane - Principal LM/IPA Consultant
        Jonnie
        Posts: 3
          Our solution here was to create 4 separate classes (1 for housing the files for each ESS and MSS, and 1 for housing the forms for ESS and MSS) and attached the appropriate class to either the ESS or MSS role. We also used www.kinsey.com and fiddler app - this allows to see where the break in security may be with x user or forms/tokens being accessed by x user if security needs to be tightened.
          In doing this it made it a lot easier on writing the necessary rules...especially if HR11 fields are to be tightened for those users who have the search box.

          For the supv - ensure the HR07 table is set correctly...the direct reports pull from the setup there.

          Jonnie - BMH
          Elizabeth Ardito
          Advanced Member
          Posts: 34

            We had reported the spinning issue on the Org Chart to Lawson who had created a PT to resolve as the system should return some reasonable notification of what is happening whether it is security violation or something else.

            I was recently informed that the PT was completed and the change was made in the latest version of EMSS - 9.0.1.  Lawson also stated that with EMSS version 9.0.1, the version does not have to match application version.

            Unfortunately we are in the midst of getting ready for Open Enrollment on version 9.0.0 (app 9.0.0) and I haven't had a chance to upgrade EMSS to see if it has actually been resolved.

            Elizabeth Ardito
