Last Post 10/27/2016 3:53 PM by  LeslieP
S3 LSF9 Securing User drops in Print Manager and on Jobs
 15 Replies
LeslieP
07/01/2008 2:38 PM

    I have been unable to successfully secure the print files and user drop downs. I do not want an AP bookkeeper to see the check files created by a PR User. I do want supervisors in departments to see their group but do not want the members of the group to access other members. I have approached it with rules on gen tables, rules on My security is complex having multiple companies and multiple productlines and users with different hats for different combinations of prodline, company and process level.

    I have also tried this and variations on this but not been successful

    On Unix, in the GEN profile for the 'UserName' element write the rule:
    if(UserName==user.getHostServiceId()||isMemberOf('payroll',UserName))
       'ALL_ACCESS,'
    else
       'NO_ACCESS,'

    MattM
    07/01/2008 3:01 PM
    I can see why the UserName==user.getHostServiceId() would work, but don't see how isMemberOf('payroll',UserName) would work. For the group piece, would
    user.attributeContains('Group','payroll') work?
    John Henley
    07/01/2008 3:13 PM
    if(UserName==user.getHostServiceId()||isMemberOf('payroll',UserName))
    'ALL_ACCESS,'
    else
    'NO_ACCESS,'

    What is your intention for that rule?
    Thanks for using the LawsonGuru.com forums!
    John
    LeslieP
    07/02/2008 1:39 PM

    That rule was from a consultant. And was written on the UserName Element in GEN.

    The intention was to allow the user to see people in their group.

    John Henley
    07/02/2008 2:17 PM
    Well, then that rule should work for you. It's probably that you have another rule which is conflicting and has greater access.
    Thanks for using the LawsonGuru.com forums!
    John
    Kwane McNeal
    07/11/2008 2:12 PM
    No it's not that......

    You need to write the rule in a few places. A few tips:
    1) GEN rules apply to GEN objects...ONLY
    2) There are TWO UserName ELEMENTS, one in GEN and one in the Productline. You have to have rules in BOTH places
    3) There are SIGNIFICANT bugs with the rules engine for this exact issue. Your ESP level matters here.
    4) Print Files cannot be secured in and of themselves

    With that said, it can be done, in *certain* ESPs.

    Give me a call, and I will help where I can,
    Kwane
    954.547.7210
    alincoln
    02/25/2009 4:51 PM
    Thread... rise from your grave!

    I'm running into the exact same scenario here. I'm not so much concerned with securing individual print files, but I do need to grant the ability for users to view the print managers of people who are in the same group as they are.

    I tried borrowing the conditional rule from above (using my own group name of course):

    isMemberOf('payroll',UserName)

    But I'm not getting anywhere with it. I've tried with various other conditional statements without success.

    Did you ever get anywhere with this effort? Any help would be much appreciated! For reference sake, we're on Version 9.0.1.2.102 2008-02-20 04:00:00.
    LeslieP
    02/26/2009 8:20 AM

    Yes, I do have this working. Contact me at lesliep@britthaven.com for details or call 800 676 1191 x2302

    Frank Z
    03/31/2009 4:33 PM
    I am very curious about how this ended up working out as well.... Our Lawson consultant can't get it to work either using:

    if(user.getUserName()==UserName)
    'ALL_ACCESS,'
    elseif(user.isMemberOf('PrintMgrPR2Group'))
    'ALL_ACCESS,'
    else
    'NO_ACCESS,'
    Chris
    02/09/2012 7:43 AM
    I realize it's almost two years later, but has anyone been able to get this to work? We're still trying without success to grant access to jobs and reports to a group of users.
    Chris
    02/09/2012 8:56 AM
    Finally figured it out. In Windows (where username is the NT#) and in UNIX or IBM i when the RMID is not the same as the OS ID (as in our case), all the functions that evaluate group participation do not work. (See KB #5427427.) The alternative solution is to create a structure in RM.
    Patricia Mane
    Systems Analyst II
    10/21/2016 12:21 PM
    Help Please. We have been with Lawson for 2 years now and we need to put into place security around the Printer Manager and user changed the User name field to see reports. Now that Payroll is part of the equation, what can we do to stop this? A previous comment mentioned KB #5427427, and I wasn't able to find anything.
    Brian Allen
    10/21/2016 12:35 PM
    Have you looked at KB 1208815 - "How do I secure users so they can see only their own jobs and/or print files in the job scheduler and print manager"? This one also discusses env release levels.
    Dave Amen
    10/21/2016 6:33 PM
    A couple of thoughts with KB 1208815 . . .

    First, here is the essential part of that KB:
    Assign each user an environment user group that contains ALL users (example: the ALL user group). This can be done within the laua user profile OR in the Lawson Security Administrator, User Maintenance under Edit Lawson Environment Information.

    Dave's note: you will probably need to first add the user through the usergrpdef command in LID. Then the system will let you attach them to the ALL user group.

    In Lawson Security, under the GEN profile, create a security class with a conditional rule on the USERNAME Element as follows:
    if(user.getUserName()==UserName)
    'ALL_ACCESS,'
    else
    'NO_ACCESS,'

    Make sure the security class is assigned to a valid security role that is assigned to the user.

    Dave's note: attach that rule to the BatchRole, and everyone who sees batch jobs will be secured by it!

    Regards,
    Dave
    (303) 773-3535
    Russell E
    Lawson Sr Developer
    BAE Systems
    10/27/2016 3:38 PM

    I have tried this and it does restrict users from seeing others' print files, but I have found it also restricted the user from submitting any batch jobs.

    Anyone have any idea?

    LeslieP
    10/27/2016 3:53 PM

    I have a word document that shows my rules and the conditions I applied. It works for me and I would be happy to share what I used. Using the user group never did work for me.

    Contact me at

    Lesliep@principle-it.com
