PrevPrev Go to previous topic
NextNext Go to next topic
Last Post 09/25/2015 12:08 PM by  Leonard Courchaine
Read-only access to LSA
 4 Replies
Sort:
You are not authorized to post a reply.
Author Messages
Leonard Courchaine
Private
Private
Veteran Member
(128 points)
Veteran Member
Posts:50


Send Message:

--
12/12/2014 11:32 AM

    Hi,

    Wondering if anyone out there has had success with setting up a read-only view of LSA??  

    We have some functional superusers that would like to be able to use the tool to view attributes of users in their department but don't want/need to change anything.

    So far, I've had **some** sucess in that I created the following roles:
    - ADM Profile - set up one security class (SuperInquiry) with Deny All for all objects except SERVER. For SERVER I have I and InqTypeRole. (otherwise you can't login to LSA)
    - RM Profile - set up one security class (SuperInquiry) with Inquire access to all RM attributes.

    This *seems* to *mostly* work but it doesn't restrict Manage Identities, for some reason.  I'm trying to figure out where that's controlled.

    Thanks very much for any thoughts you might have!
    Lenny
    leonard.courchaine@choa.org

    Brian Allen
    Private
    Private
    Veteran Member
    (276 points)
    Veteran Member
    Posts:94


    Send Message:

    --
    12/12/2014 1:35 PM
    I've setup sub-admins before for functional areas with rules for only accessing roles that start with "FN" for finance for example, but I don't recall any way to control the identities if someone has access to the security administrator.
    Leonard Courchaine
    Private
    Private
    Veteran Member
    (128 points)
    Veteran Member
    Posts:50


    Send Message:

    --
    12/12/2014 1:46 PM

    Hi all,

    Quick update:  We discovered that I was using an older v10 of LSA.  I updated to the newest at the recommendation of Infor Support and now I'm seeing Identities and Services objects.  So I'll move forward from there.  But I'd still be interested in knowing details about how others have done this if you have.

    Thanks!

    Xin Li
    Private
    Private
    Veteran Member
    (288 points)
    Veteran Member
    Posts:130


    Send Message:

    --
    09/25/2015 10:06 AM

    Hi Leonard,

    Have you been successfully secure identities and Service in "Manage Identifies" screen? I have created a Role for sub-administrator and created security class that deny access to identity and service. However, it won't work. Sub-Administrator is still be able to change and delete and add in "Manage Identities" Screen. Wonder whether you have any success with that.

     

    Leonard Courchaine
    Private
    Private
    Veteran Member
    (128 points)
    Veteran Member
    Posts:50


    Send Message:

    --
    09/25/2015 12:08 PM
    Hi,
    Wow! It's been a while! Turned out to be a bug that was getting fixed with a later environment patch. I never have gotten back to it to verify/try further. Sorry!
    We're on v10 now with ISS and are just as bummed that we can't easily lock out certain ISS functionality!! Future enhancement maybe?!
    You are not authorized to post a reply.