Last Post 4/17/2013 11:23 AM by  Georgette
Securing AR reports by Credit Analyst
 9 Replies
Wade-T
4/16/2013 11:42 AM
    I have a listing of Analyst codes and names on AR06 and would like to keep the AR pieces separated by these names. I see, for instance, that the AR251 has a selector on the Customer tab for Credit Analyst, and that LSF has a form.ANLYST_NAME object, but I am not sure how to write the rule so a user can only see their grouping. Would I assign the rule one time, or on each screen that contains the Credit Analyst field?
    Georgette
    Financial Systems Coord
    MRHS
    4/16/2013 3:22 PM
    Hi Wade,
    What you are referencing above is Data Control based on User Attribute.

    Values are assigned to the attributes in each employee's profile in the Security Administrator application. The rules are then written on each form (select user folder) to compare the values in the Lawson tables to the values assigned to the employee's profile attribute.

    For example, suppose the CompanyControl attribute is assigned the values 1220 and 4321 to represent companies the employee is allowed to access.

    The rule would be written on the form as user.attributeContains('CompanyControl', form.____).

    We don't use AR, but I am assuming you may want to populate the ANALYST_NAME attribute with whatever the value is in the appropriate Lawson tables (analyst code, or whatever). The other thing is to make sure the credit analyst field is actually being populated on each form.

    Hope this helps.
    Georgette
    Financial Systems Coord
    MRHS
    4/16/2013 4:43 PM
    Sorry, another quick comment. I just noticed your title mentions reports. The above will not secure the report data, it will only determine who can run the reports.

    A way around this is to publish the AR reports in LBI and use the bursting tool to distribute the reports to the various analysts. Make sure drill around is also secured which is another layer.
    Wade-T
    4/16/2013 4:56 PM
    Thanks for the info. We do not have LBI at this time, just a very basic HR/Financials install using the Portal. The one user we are trying to lock down is also tied to one process level. I attempted to secure him to only that process level with the following, but it didn't seem to work.

    if(SystemCode=='AR'&&((COMPANY==1999&&PROCESS_LEVEL>=650000&&PROCESS_LEVEL<=650999)))
    'ALL_ACCESS,'
    elseif(SystemCode!='AR')
    'ALL_ACCESS,'
    else
    'NO_ACCESS,'
    Georgette
    Financial Systems Coord
    MRHS
    4/16/2013 5:50 PM
    Additional attributes to the People Object in RM, such as CompanyControl, AccountingUnitControl, etc., are available in versions 9.0.0.6, 9.0.1.3 and higher. Or you can create your own using the schema editor.

    I am assuming you assigned the user these values in the appropriate attributes on his/her profile in the Security Administrator. CompanyControl should be assigned 1999 and UserProcessLevel has the range of values you mentioned.

    I am not familiar with the AR tables so I don't know which forms you need to secure the Company and Process Levels with. You can use two different security classes, one to secure the AR files and the other to secure the forms.

    First secure the tables (files) with an ARFileAccess security class that grants all access to all AR tables. This security class will be assigned to the credit analyst role.

    Then to secure the AR forms create another security class (or create an ARFileAccessLimited security class that grants all access to AR system code and then limits the forms),

    Go to each form and place the rules (select the user folder) --

    If(user.getAttribute('CompanyControl') == form.______
    &&
    user.isAttributeInRange('UserProcessLevel') == form.______)
    then Grant All Access
    else no Access

    Hope this helps!




    Georgette
    Financial Systems Coord
    MRHS
    4/16/2013 5:58 PM
    For example, for PA42.1, the form name would be

    ==form.PJR_PROCESS_LEVEL
    Georgette
    Financial Systems Coord
    MRHS
    4/16/2013 6:02 PM
    I realize it is a pain to go to every single form, but you have to secure the form AND the drill around. No easy way around it.
    Greg Moeller
    4/16/2013 6:12 PM
    Unless you are just concerned about company control, then there's a (relatively) simple solution to it.
    Create a rule against Object Type of Element.
    if(user.attributeContains('CompanyControl',lztrim(COMPANY)))
    'ALL_ACCESS,'
    else
    'NO_ACCESS,'

    I see Process-Level in the Element list as well... perhaps it could be expanded to secure by process level as well? Unsure.
    Greg Moeller
    4/16/2013 6:17 PM
    Assign this security class to a role and every form/table seems to follow it.
    We don't have this implemented yet in production, but in test, it seems to work just fine.
    Georgette
    Financial Systems Coord
    MRHS
    4/17/2013 11:23 AM
    Hi Wade,
    I was looking at your code again and have a suggestion. I learned best practice is to create different security classes for each system code, such as ARFileAccess for all of the AR tables, HRFileAccess, GLFileAccess, etc. Each of these security classes is assigned to the role. Give access to all tables that fall in each system code. For the one credit analyst, create an ARFileLimited security class and apply either the ANALYST_NAME or PROCESS_LEVEL user rule to each form that needs the data limited.

    Again, the values need to be in the employee's profile attribute to use as a compare to either the form value or the file value.
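The rule logic discussed in this thread, as an added example that is not part of any post and is not Lawson code: a small JavaScript model of comparing profile attributes to record values, and of why an object left without a rule (such as a drill-around source) stays open. The helper implementations, the assumed leading-zero behaviour of lztrim, the object name AR_DRILL and the sample values are assumptions built from the numbers mentioned above.

```javascript
// Model only: hypothetical stand-ins for the rule helpers named in the thread.
// Constructed profile: the company and process-level range from the posts.
const analyst = {
  CompanyControl: ['1999'],
  UserProcessLevel: { from: 650000, to: 650999 },
};

// Assumption: lztrim strips leading zeros so a padded '001999' matches '1999'.
const lztrim = (v) => String(v).replace(/^0+(?=.)/, '');

function attributeContains(user, attr, value) {
  return Array.isArray(user[attr]) && user[attr].includes(lztrim(value));
}

function isAttributeInRange(user, attr, value) {
  const range = user[attr];
  const n = Number(value);
  return Boolean(range) && Number.isFinite(n) && n >= range.from && n <= range.to;
}

// Both comparisons must pass; a missing attribute or field falls to NO_ACCESS.
function dataRule(user, rec) {
  const ok = attributeContains(user, 'CompanyControl', rec.COMPANY) &&
    isAttributeInRange(user, 'UserProcessLevel', rec.PROCESS_LEVEL);
  return ok ? 'ALL_ACCESS' : 'NO_ACCESS';
}

// A security class maps object names to an optional rule.
// An object in the class with no rule grants access unconditionally.
function evaluate(securityClass, objectName, user, rec) {
  const entry = securityClass[objectName];
  if (!entry) return 'NO_ACCESS'; // object not granted by this class at all
  return entry.rule ? entry.rule(user, rec) : 'ALL_ACCESS';
}

// Audit helper: objects in a class that still grant access without a data rule.
function unruledObjects(securityClass) {
  return Object.keys(securityClass).filter((name) => !securityClass[name].rule);
}

// Constructed class: the rule was placed on the AR251 form only;
// AR_DRILL is a hypothetical name for a drill-around object left unruled.
const arLimited = { AR251: { rule: dataRule }, AR_DRILL: {} };
const outside = { COMPANY: '1999', PROCESS_LEVEL: '651000' };

console.log(evaluate(arLimited, 'AR251', analyst, outside));
console.log(evaluate(arLimited, 'AR_DRILL', analyst, outside));
console.log(unruledObjects(arLimited));
```

Running unruledObjects over each limited security class gives the list of objects that still need the rule before the role is assigned.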