Prev
Next
Forums S3 Security

Securing Portal Drill around

Sort:
You are not authorized to post a reply.
Author
Messages
msjmg111
Veteran Member
Posts: 74
Veteran Member
10/9/2009 1:30 AM

    We would like to remove access to the drill around button on a form in portal.  First, is that possible in LS9?  We are trying to secure ESS and found an issue where a user was able to get access to other people data by drilling on the employee number.  We are working to close that hole, but it led to a discussion on the possibility of removing their ability to even select drill around.  Can anyone help me with this?

    MattD
    Veteran Member
    Posts: 94
    Veteran Member
    10/9/2009 11:59 AM
      You can secure the drill around by securing the files. You need to make sure you have rules written on your ESS file access that only allow a user to access their own record. Securing all drills is difficult because their are many files that need a rule written for each. Plus determining what table or tables is being used in a drill can be tricky. If you need assistance writing rules for the files please let me know and I can send some samples.

      Hope this helps.
      MD
      Wade-T
      Veteran Member
      Posts: 54
      Veteran Member
      4/8/2011 11:13 AM
        Hello Matt,

        This is a rather old post, but I was hoping you could forward a couple rules for locking down files.  We are fine with people having access to drill, but would like to restrict them to just their own information.  For instance we have a non-HR user that manages company property on the PA16 screen.  We removed the social security number brom the screen, but when she searches for people, the social security numbers are in the search window, plus she can drill on anyone and see everyone's info.

        Any help would be great.

        Thank you,

        Wade
        Wade-T
        Veteran Member
        Posts: 54
        Veteran Member
        4/13/2011 4:20 PM
          I have "if(user.getEmployeeId()==lztrim(table.EMPLOYEE)) 'ALL_ACCESS,' else  'NO_ACCESS,' " on many files that are accessed by the ESS bookmarks in case someone needs to access a particular screen outside of ESS. I also have a user who needs to access PA16.1 to enter company property and she needs to be able to drill on the user to get the process level and department but should not have access to anything below the assignment tab.

          When she drills on an employee, she can see everyone's data except her own. Shouldn't it be working the other way around?
          BarbR
          Veteran Member
          Posts: 306
          Veteran Member
          4/13/2011 4:32 PM
            It gets complicated for back-office user access when you implement ESS. For backoffice, typically they have access to everyone EXCEPT themselves. The ESS security rules should be the reverse, they have access to ONLY themselves. They will need full access to themselves in order to make changes through ESS.
            BarbR
            Veteran Member
            Posts: 306
            Veteran Member
            4/13/2011 4:55 PM
              Here are examples of our rules:

              ESS Employee table rule:
              If(isElementGrpAccessible('COMPEMP','','',lztrim(table.COMPANY),lztrim(table.EMPLOYEE)))
              ‘ALL_ACCESS,’
              Else
              ‘NO_ACCESS,’

              ESS form HR11 rule:
              if(isElementGrpAccessible('COMPEMP','','HR',form.EMP_COMPANY,form.EMP_EMPLOYEE))
              ‘ALL_ACCESS,’
              Else
              ‘NO_ACCESS,’

              Backoffice form HR11 rule:
              if((user.getCompany()==lztrim(form.EMP_COMPANY))&&(user.getEmployeeId()!=lztrim(form.EMP_EMPLOYEE)))
              ‘ALL_ACCESS,’
              Else
              ‘+,-,G,H,I,M,N,P,T,W,X,Y,Z’
              You are not authorized to post a reply.