Prev
Next
Forums Human Capital Management Lawson S3 HR/Payroll/Benefits

ESS Security - Form access through URL

 8 Replies
 0 Subscribed to this topic
 68 Subscribed to this forum
Sort:
Author
Messages
jcooper
Basic Member
Posts: 5
Basic Member
3/8/2011 4:15 PM
    We found that a logged in user who has access to the PA67.1 screen for ESS can get the XML data for any employees by going through the /servlet/Router/Transaction/Erp url and entering in the proper url parameters which would include the desired employee number.

    I've found other posts on this site which seem related to getting data from this URL, but none which clearly state how this can be locked down.

    This user is an ESS only user, no admin roles/security. They just have Inquiry access to the PA67.1 screen which appeared to be required for ESS to work.

    Is there a way to lock this down so that the user either can't see the xml data for that screen at all, or else can only see the xml data for their employee number, while still allowing ESS to work?

    Thanks
    Jay Riddle
    Veteran Member
    Posts: 191
    Veteran Member
    3/8/2011 5:30 PM
      Are you using the newer Lawson Security or are you still on LAUA?
      jcooper
      Basic Member
      Posts: 5
      Basic Member
      3/8/2011 5:56 PM
        We are still on LAUA
        Jay Riddle
        Veteran Member
        Posts: 191
        Veteran Member
        3/8/2011 8:05 PM
          "We are still on LAUA" Ouch. It has been quite awhile since I have delt with that issue so hopefully my memory is correct.

          When we were on LAUA we actually had to create two users accounts. There is a flag on the employee I think called "Access" for the ESS user we had to set the flag to 'N' however once the flag was set to 'N' then managers in Lawson could not view requisitions created by other employees.

          At the time we were on 8.1 and we were able to use a trick to create an upper case and lower case user. Active Directory is not case sensitive so the users could log into either account using Active Directory authentication. I believe this trick will not work in 9.x.x. Lawson. The trick also made us kind of nervous as the possiblity of a patch breaking the behavior.
          jcooper
          Basic Member
          Posts: 5
          Basic Member
          3/9/2011 1:02 PM
            How would we go about securing the Transaction URL in LSF9 security?
            Roger French
            Veteran Member
            Posts: 549
            Veteran Member
            3/9/2011 7:06 PM
              [quote]
              Posted By jcooper on 03/09/2011 08:02 AM
              How would we go about securing the Transaction URL in LSF9 security?
              [/quote]
              In a nutshell, you would do it by, at first, securing the EMPLOYEE table in LS Security, then securing the PA67 to only allow it to access the user.

              This is only the tip of the iceberg; to secure ESS properly, you should really look at the security documentation which addresses ESS, but again, it does not include everything you 'need' to know.

              Just remember, that to securing forms (e.g.inquire/add/change/delete) is different than securing data on the forms (which records on the form you can see or do a inq/add/chg/del).

              Good luck,
              Roger
              jcooper
              Basic Member
              Posts: 5
              Basic Member
              3/10/2011 2:23 PM
                Can you confirm that the Transaction/Router/Erp URL method of retrieving data will also be locked down by this security modeling in LSF9? This isn't going to just "hide" the data from showing up on the portal screens, it's actually going to prevent the searching for the data from the URL as well as from within portal?

                Thanks,
                Joel
                Roger French
                Veteran Member
                Posts: 549
                Veteran Member
                3/10/2011 3:51 PM
                  [quote]
                  Posted By jcooper on 03/10/2011 09:23 AM
                  Can you confirm that the Transaction/Router/Erp URL method of retrieving data will also be locked down by this security modeling in LSF9? This isn't going to just "hide" the data from showing up on the portal screens, it's actually going to prevent the searching for the data from the URL as well as from within portal?

                  Thanks,
                  Joel
                  [/quote]

                  When you type in that URL, if the form is secured properly, you will get a 'Security Violation' message in the browser. This is for FORM security.

                  For DATA security, if you try to type in within the URL your search parameters for data you've properly secured (for example, Employee ID's you're not supposed to see), it will still go through the process of searching, but first it has to pass the security checking (i.e. LS Security) and it will not return that data if you've properly secured it. You will either get a 'Security Violation' message or blank data when you type in the URL and hit 'Enter'. If the data is properly secured, it will work for Portal and URL access, as well as Add-Ins (if they have addin access).

                  Also, not to explicitly add complexity to this, but you also can keep in mind that if you've got more than one security role for this user, and the other security role has more wide/open access for your PA67, then that is the role that takes effect . Just something to keep in mind.
                  jcooper
                  Basic Member
                  Posts: 5
                  Basic Member
                  3/10/2011 4:37 PM
                    Thanks. This answers my questions.