Last Post 06/30/2017 2:53 PM by  thanef
RSS and restrictions
 29 Replies
Greg Moeller
08/24/2011 4:22 PM
    I'm just relatively OK with this new Lawson security product. I've tried rules like:

    On the POR-PO-NUMBER field in PO30.1
    if(trim(getDBField('POLINESRC','REQUESTER',form.POR_COMPANY,form.POR_PO_NUMBER))==user.getRequesterId())
    'ALL_ACCESS,'
    else
    'NO_ACCESS'

    But it never seems to take effect. What am I missing here? Is there a better way to do it?

    I know I also have to limit the drills, but wanted to get the form portion of this working first.

    Thanks in advance for any help that you may offer.
    -Greg

    John Henley
    08/25/2011 10:32 AM
    Try putting a trim() around user.getRequesterId(). I would also recommend moving this to the form itself rather than the POR-PO-NUMBER field.
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    08/25/2011 3:56 PM
    John/others: I've tried that as well (the trim around user.get...) I think I had tried it on the form itself, but was getting other strange errors. Maybe I need to try again?
    And maybe this should be in the security forum?
    Greg Moeller
    08/25/2011 4:04 PM
    OK... just tried it on the form itself. Waiting for the reload time to the server, and then I'll test. Will update you more when I know more.
    Greg Moeller
    08/25/2011 4:17 PM
    Is it possible that the attached screen shot is just a web-page-generated one, that would require customizations to a javascript, or other to enable this feature?

    Whooops..... I don't have an attachment button here??
    John Henley
    08/26/2011 8:06 AM
    Thanks for noticing that I didn't have attachments enabled.
    Thanks for using the LawsonGuru.com forums!
    John
    John Henley
    08/26/2011 8:06 AM
    Moved to S3 security forum.
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    08/26/2011 11:07 AM
    Is it possible that the attached screen is a javascript screen and not "actually" PO30.1 controlled?
    John Henley
    08/26/2011 1:43 PM
    Now I understand why you're so frustrated.
    RSS uses a combination of javascript/XML/XSL that calls Data/DME and AGS/Transaction. This particular screen is using Data, and probably pulling from the PURCHORDER table I guess. There is a tracing/debug function in RSS/RQC that you enable by appending &DEBUG=TRUE to the RSS URL (or pressing Ctrl+Shift+T), and it will show the calls as they are made.
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    09/13/2011 4:52 PM
    So, if I understand what you are saying, John, this is NOT LSF security controlled. Correct?
    And I'm sure if we'd like it modified, it would be billable and customized. We have a group of users here that should see everything, and a group of users that should ONLY see their "stuff".
    John Henley
    09/13/2011 5:59 PM
    Posted By Greg Moeller on 09/13/2011 04:52 PM
    So, if I understand what you are saying, John, this is NOT LSF security controlled. Correct?
    And I'm sure if we'd like it modified, it would be billable and customized. We have a group of users here that should see everything, and a group of users that should ONLY see their "stuff".

    It is under LSF control.  It's a mix of putting rules on the tables to control drill around, select lists, etc. as well as rules on the forms (e.g. RQ10) to control transactions (i.e. if a user enters directly without a select list).  It can ALL be done with security rules (I know because I've done it).  
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    09/14/2011 3:53 PM
    OK, John. I'm sorry if I seem short with anyone... it's been an extremely LONG month for me already.
    I'll just have to try more rule-writing. Thanks for all of your help so far! I'm sure I'll be asking for more.
    Greg Moeller
    10/18/2011 9:51 AM
    All:
    Sorry if I seem to be beating a dead horse here... I got the security restriction to work by restricting the LOCATION = Requester ID, but am now told that will not work for us here. So I'm back to trying to make RequesterID=Requester on the PO. Just can't seem to get the rule correct.
    I've got the rule set on the PO-NUMBER field of the PURCHORDER table... like this:
    trim(user.getRequesterId())==trim(getDBField('POLINESRC','REQUESTER','COMPANY','PO-NUMBER'))
    What am I doing wrong, or missing here?
    Greg Moeller
    10/24/2011 9:46 AM
    Question: Am I using the key fields correctly in my rule (10/18/2011 @ 8:51 AM)?
    John Henley
    10/24/2011 10:53 AM
    No, when using getDBField, you need to pass in the key values for the primary index. Are you trying to get the requester for the purchase order?
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    10/24/2011 11:00 AM
    Yes, John. Trying to match the requester id to the requester on the PO.
    Greg Moeller
    10/24/2011 1:20 PM
    How would I write the rule correctly?
    John Henley
    10/24/2011 1:47 PM
    Let's go back a step. What object are you trying to secure -- PO20 ?
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    10/24/2011 2:06 PM
    No, actually that screen that I uploaded earlier... from Fiddler, I got that it was accessing the PURCHORDER table... So, I'm trying to write the rule on the PO-NUMBER field.
    John Henley
    10/24/2011 2:44 PM
    Well, that could be a problem, depending on how requisitions are entered and POs are generated. The *easy* thing to do would be to look at the "default" requester (PCR-DFLT-REQUESTER) on the PO, since you already have the PURCHORDER record. However, be aware that it's only the default requester. So scenarios could exist where multiple requisitions/reqlines result in a single PO, in which case you'd need to look at each POLINE on the PURCHORDER record, then POLINESRC, which has the REQUESTER field. So, I'd start simple and see if you can assume one req to one PO (I think that was one of the changes in RSS->RQC), and in that case you can just look at the PCR-DFLT-REQUESTER on the PURCHORDER record.
    Thanks for using the LawsonGuru.com forums!
    John
    John Henley
    10/24/2011 2:45 PM
    Which means that on the PURCHORDER table, your rule is simply:
    if(trim(user.getRequesterId())==trim(table.DFLT-REQUESTER))
    'ALL_ACCESS,'
    else
    'NO_ACCESS'
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    10/24/2011 3:05 PM
    I'll see if that will work for our users. I've already asked the 'can we assume...' question. Haven't heard anything back yet. Thanks as always!!
    Greg Moeller
    10/25/2011 7:52 AM
    Our Lawson is set to combine reqs to PO's to cut down on the number of PO's processed, so if they have the same ship to vendor and purchase from, there would be multiple reqs and requesters on some PO's. -- On the multiple requesters PO's, you can't see them with just the DFLT-REQUESTER rule in place.
    Greg Moeller
    10/25/2011 8:00 AM
    I'm not sure if we "need" to see those PO's or not. My "guess" is that the users will want to see those PO's as well. I think I'll need more help in rule-writing.
    Greg Moeller
    10/25/2011 9:59 AM
    Would it be easier to just have whoever is logged in see everything in that initial Receiving screen, but only be allowed to receive their own stuff?

    So, would that then be PO30 that I'd need to secure?
    Greg Moeller
    10/25/2011 11:34 AM
    Then I guess I'm back to using trim(getDBField('POLINESRC','REQUESTER', ...... , ......))
    What are some of the ways of finding what to pass in for the key fields?
    Greg Moeller
    10/26/2011 1:21 PM
    Shifting gears again... I'd like to limit on the LINE-NBR field in POLINE table so that only the requester ID that is logged in is able to see the line... Since there is no requester value in POLINE table, I'm assuming that I still need to go to the POLINESRC table.

    I'm down to passing in the key fields for POLINESRC table. Question: Is there an easy way to determine what the key fields are? Do I need to pass them in order? Do I need to pass all of them in?
    John Henley
    10/26/2011 2:17 PM
    https://www.lawsonguru.com/gurucont...nesrc.html :)

    PLSSET1

    COMPANY
    PO-CODE
    PO-NUMBER
    PO-RELEASE
    LINE-NBR
    ORIGIN-CD
    OPER-COMPANY
    SOURCE-DOC-N
    SOURCE-DOC-A
    SRC-LINE-NBR
    Thanks for using the LawsonGuru.com forums!
    John
    Greg Moeller
    10/26/2011 4:16 PM
    Thank you very much, John!!!

    I got it working!! Here's how:
    On the POLINE table I've written a conditional rule on the LINE-NBR field
    trim(getDBField('POLINESRC','REQUESTER',table.COMPANY,table.PO_CODE,table.PO_NUMBER,table.PO_RELEASE,table.LINE_NBR))==trim(user.getRequesterId())

    Also, on PO30.1 I've written a conditional rule against the actual form PO30.1:
    trim(getDBField('POLINESRC','REQUESTER',form.POR_COMPANY,form.POR_PO_CODE,form.POR_PO_NUMBER,form.POR_PO_RELEASE,form.PT_LINE_NBR))==trim(user.getRequesterId())

    I've tested (very limited) with a PO with multiple requesters on it --- Since our system is set to combine items if they are the same vendor and ship-to location -- and going through RQC's receiving module, I only see the lines that belong to the specific requester.
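
The two approaches from this thread, modelled in plain JavaScript as an added example (not code from any poster and not Lawson's rule engine): the header-level default-requester rule hides a combined PO from its second requester, while the POLINESRC lookup by the first five PLSSET1 key fields filters per line. `lookupField`, the sample rows and the assumption that a failed lookup yields a blank are hypothetical; the last rule shows why a blank requester ID should be denied explicitly.

```javascript
// Constructed sample data (made-up IDs): PO 5001 combines two requisitions,
// so its lines have different requesters. Values are space-padded the way
// fixed-width database fields often are, which is why every compare trims.
const key = (line) => ({ COMPANY: 100, PO_CODE: "", PO_NUMBER: 5001, PO_RELEASE: 0, LINE_NBR: line });
const PURCHORDER = [{ COMPANY: 100, PO_CODE: "", PO_NUMBER: 5001, PO_RELEASE: 0, DFLT_REQUESTER: "ALICE     " }];
const POLINE = [key(1), key(2), key(3)];
const POLINESRC = [
  { ...key(1), REQUESTER: "ALICE     " },
  { ...key(2), REQUESTER: "BOB       " },
]; // line 3 deliberately has no source row

// Leading fields of the PLSSET1 index, in the order listed in the thread.
const PLSSET1 = ["COMPANY", "PO_CODE", "PO_NUMBER", "PO_RELEASE", "LINE_NBR"];
const trim = (v) => String(v ?? "").trim();

// Hypothetical stand-in for getDBField: the named field of the first row whose
// leading index fields equal the supplied keys, or "" when nothing matches.
function lookupField(rows, index, field, ...keys) {
  const hit = rows.find((r) => keys.every((k, i) => trim(r[index[i]]) === trim(k)));
  return hit ? hit[field] : "";
}

// Header rule: compare the PO's default requester with the logged-in user.
function headerRule(po, requesterId) {
  return trim(po.DFLT_REQUESTER) === trim(requesterId);
}

// Line rule in the shape posted above: POLINESRC lookup by partial key.
function lineRule(line, requesterId) {
  const owner = lookupField(POLINESRC, PLSSET1, "REQUESTER",
    line.COMPANY, line.PO_CODE, line.PO_NUMBER, line.PO_RELEASE, line.LINE_NBR);
  return trim(owner) === trim(requesterId);
}

// Same rule, except a blank requester ID never matches a blank lookup result.
function lineRuleFailClosed(line, requesterId) {
  return trim(requesterId) !== "" && lineRule(line, requesterId);
}

const visiblePOs = (id) => PURCHORDER.filter((p) => headerRule(p, id)).map((p) => p.PO_NUMBER);
const visibleLines = (id, rule = lineRule) => POLINE.filter((l) => rule(l, id)).map((l) => l.LINE_NBR);

console.log(visiblePOs("BOB"), visibleLines("BOB"), visibleLines(""), visibleLines("", lineRuleFailClosed));
```

In this model a user with no requester ID matches the line that has no POLINESRC row, so a test account without a requester ID is worth including when verifying the real rule.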
    thanef
    06/30/2017 2:53 PM

    Greg,

        To verify....were you just able to secure by constructing a security rule on POLINE --> LINE-NBR to retrieve the requester ID from polinesrc?  This secures the RQC --> Receiving Self Service bookmark page?