We are implementing ESS/MSS on 8.03 MSP 7 environment and 8.1 MSP 5 apps.
I'm struggling with only one item on my security plan. I had planned to leave the login field in rd30 blank for all ess/mss users (portal application users will have a separate logon for their other access, so they are not an issue). The default user has to have wide open security for ess/mss to work, so I've grouped all ess/mss users and attached them to a custom xml file that took away the search box. But if we ever add an rd30 w/o the login info and forget to secure them with the custom xml file, they have WIDE OPEN SECURITY and that can't be good. So I either want to make the default.xml the locked down one or attach all ess/mss users to a different logon ('emssuser') and leave Mr. Default user with zero access.
Any ideas on this? I did research on the forums and could not locate the post, but one person stated that GSC did not recommend attaching mass users to a different login besides the default user, but they did not state why. I also saw a post about a limitation to rmid of 1000 users (and I'm not sure what that means or if it affects me).
I also have to consider that we will be going to lsf 9.0 next year and then apps 9.0 the following year and how my plan will convert over.
Any suggestions/advice is appreciated.
So if I'm understanding you correctly, you're leaving the login field blank. How then is the security class attached to the user? We had to create an id "essuser" (with a security class assigned to it) and entered that in all the login fields of ess users.
The 1000 rm ids issue does not apply to you. Even after you go to LSF, if you have Service Pack 2 I believe that problem goes away.
In regards to "WIDE OPEN SECURITY", even if a user has the search box they have to have the form in their security class so I'm not understanding what your issue is. Could you please elaborate?
In my research, for a user to use ess or mss, they have to have access to various HR and BN type screens. I've not found an exact listing of what the minimum is, but understand that you can just give them wide open security - access to everything - and then lock down the search box so that they cannot go to hr11 (even though they have access to hr11). Without the search box and with the bookmarks locked down to only those ess/mss related, they are not able to go anywhere but ess/mss.
From my extensive research, that seems to be the best plan. I've also asked GSC to see why they did not recommend hooking to a different user, but they said that it was o.k. to hook to a diff user, so I'm good.
When you leave the login screen blank, the system auto hooks them up to the DEFAULT user which is specified in logan.env (I think that is where it is shown), but our default user is weblaw. I like for Mr. Default to have zero security for that rare occasion where I may add someone and forget to fill in the login field. For that person they would have no security, because Mr. Default has no security. So, I'm going to attach all my ess/mss to a diff user (essuser) or something. All ess/mss users have a modified role file that takes away the search box.
If you leave the Login field blank in RD30 the system will use the security class assigned for the default user (DFTUSER) in your servlet; you can see and modify this in http://<yourportaladdress>/servlet/servletsetup.
You may want to change the default.xml itself and disable the search box there; all users are using this default.xml, unless you specify a different xml file for a particular user. This means that all users that get added to your RD30 will have a disabled search box. I suggest you make a backup copy of your default.xml before changing or commenting out the search box.
For all of your Lawson core users, add an Attribute called PORTALROLE on their user id in LX95 and assign the xml that has the search box.
You might also want to look at the Access flag in RD30 records. If this flag is set to "N" the user won't see any data aside from the data assigned in RD30. So, even if their security class is wide open, if this flag is "N" they cannot see other people's information, but if the employee is a manager, he will be able to see information of his/her direct reports. If you are using multiple companies in the Finance side and need to drill on EBroadcast reports, this will cause an issue.
Arvin Ojales