PrevPrev Go to previous topic
NextNext Go to next topic
Last Post 10/14/2011 2:02 PM by  Nathan Smith
Securing LS Role Granting/Taking Away
 3 Replies
Sort:
You are not authorized to post a reply.
Author Messages
Roger French
Private
Private
Veteran Member
(1304 points)
Veteran Member
Posts:542


Send Message:

--
6/15/2011 2:48 PM
    Greetings:

    I'm creating some advanced security roles within LS Security, specifically for other security administrators.

    I've successfully secured the granting of specific roles in the ROLE attribute, which means that for users with this role, they cannot see or grant specific roles for other users within those users' security profile.

    Example: My advanced security role is called "SpecialAdminRole". I also have a role called "BenAdminRole".

    If I give SpecialAdminRole to Joe, then when Joe logs into Sec Admin, he does NOT see or is able to grant the BenAdminRole to another user called Sara. This part  works and is OK.

    But, now if Sara has already had the BenAdminRole for months, what happens now is that Joe *does* see the BenAdminRole in the list of existing (granted) roles for Sara. And, Joe is able to take away and ungrant the BenAdminRole. This should not be happening. The security works on the granting side but it does not work if I want to ungrant or take away a role. 

    I've looked at my security set up for the ROLE attribute and it all looks fine, but I did not see anything that pops up.

    Does anyone have any idea how to secure roles if the role being secured has already been granted? I'm thinking this is a bug or something else.

    Thanks in advance,
    Roger
     
    Kwane McNeal
    President
    Private
    Veteran Member
    (1431 points)
    Veteran Member
    Posts:477


    Send Message:

    --
    6/16/2011 2:46 AM
    Roger,
    Ok, I really had to think through this, and logically you are right, because Lawson didn't think through this well, but I think technically it *could* be right, but not sure of your exact implementation...

    Here's what seems to be happening:

    You have rules on ROL objects, restricting what can be seen, presumably disallow if ROL is in my list roles .

    That works. The key is, IF a person already has a ROL, your users sees it because what you're seeing is a list of values on an RMA object, not a list of ROL objects.

    Get the difference?

    I don't know if you wrote an appropriate rule for the Role multivalue RMA for a specific RMO or all RMO's.

    ======================
    NOTE: All *other* LawsonGuru readers:
     My apologies for using very technical terms, with little explanation. For this post using the type code for the SecObjects (such as ROL, RMO, and RMA) was needed, instead of the description, because that would have been more confusing.

    Legend:
    RMO = Resource Manager Object (aka a resource, like an RMID)
    RMA = An attribute (like Role or Group) on an RMO
    ROL = a Resource manager ROLE
    ======================

    Roger, feel free to call some evening, or send me your rulesets in question, and I'll do what I can to help.

    Kwane
    Roger French
    Private
    Private
    Veteran Member
    (1304 points)
    Veteran Member
    Posts:542


    Send Message:

    --
    6/16/2011 3:21 PM
    Thanks much Kwane, 

    I did secure at the RMA level the role values like this:

    if(Role.ID=='Employee'||Role.ID='SuperAdminRole')
    'NO_ACCESS'
    else
    'ALL_ACCESS'

    but for the user, I can still see both roles on the already-granted-side. I don't see them on the left side (to-be-granted). 

    Roger
    Nathan Smith
    Systems Analyst
    City of Lee's Summit
    New Member
    (7 points)
    New Member
    Posts:3


    Send Message:

    --
    10/14/2011 2:02 PM
    Roger, were you able to resolve this issue? We have a subadministrator who should be able to manage the finance roles, but not the HR roles.
    You are not authorized to post a reply.