Title: Portal Login Audit Trail
Description: Is there such a thing?
Keith_G_Thompson - June 22, 2007 08:31 PM (GMT)
We have an IT guy who wants to enhance our audit and user security capabilities related to Lawson. So, I have a few-fold question for you all.
We are currently on Win2K, 8.0.3ESP7 Portal 3.x (current anyway), ADAM2000. HOWEVER, we are in process of migrating to Win2K3 LSF9.
So, the questions are:
1) Any way to currently know who has logged in to Lawson via Portal? I know there are .log files with date/time when you log in via LID, but I know of nothing via portal.
2) Any way to force a user's password to expire and pick up on that in portal, to force them to change their password after login? We do have a way for the user to change their password voluntarily, but not to expire and force them to.
3) Assuming "no" on the above, anything different in LSF9 / Portal 4.0?
Thanks!
schroncd - June 22, 2007 08:46 PM (GMT)
I can't answer #1 yet. I'm still working on it, but with the new session management in 9.0 I expect it's now possible - just not sure how yet.
Lawson doesn't know diddly about passwords - it's all in the hands of your authentication system. On 9.0 you can bind to Active Directory and use your normal network password expiry and password change options.
Keith_G_Thompson - June 22, 2007 08:53 PM (GMT)
So, related to #2, do you know if portal 4.0 will be able to "detect" the password expiration and prompt the user (similar to LID)? Or should I expect to have to write something custom via JavaScript or something to detect the password expiration and prompt the user before going on to the main portal home page?
schroncd - June 23, 2007 06:44 AM (GMT)
No, Portal won't detect anything other than the fact that the user is not authorized.
But I would assume they would be notified of password expiry when they logged into the network, before they ever got to Portal (assuming an AD bind).
shane pennington - June 25, 2007 09:13 PM (GMT)
David,
I know you avoid code from Redmond at all costs, but I have to chime in on this one.
In LSF 9 on Windows, unfortunately Lawson does know a little about passwords. In fact, they know way too much.
Because execjob challenges for a valid pw on Windows, it is necessary for the OS identity to contain the correct user pw (at this point Lawson is storing and using the user's Windows pw).
If the OS identity does not contain a valid Windows pw, batch jobs fail and the user has no idea why.
If the user then tries to recover the job, or submit subsequent jobs in excess of the allowed number of invalid logon attempts setup by the network admins, the user runs a very good chance of locking themselves out of the network.
Execjob on UNIX does not challenge for a valid pw in the OS identity. (I love UNIX)
The only "solution" to this is to make available to all users a specific htm file written to update their OS identity pw, and make sure users are ALL educated on the necessity to update Lawson anytime they change their network password.
What's missing is a mechanism to inform them that their SSOP pws and their OS identity passwords are not in sync at the time they log in to Portal, reminding them to update the OS identity.
Re #1, I hear WebSphere has excellent session management utils, I don't know what IIS offers.