S3 LSF9 Securing User drops in Print Manager and on Jobs

 15 Replies
 2 Subscribed to this topic
 15 Subscribed to this forum
Sort:
Author
Messages
LeslieP
Basic Member
Posts: 7
Basic Member

    I have been unable to successfully secure the print files and user drop downs. I do not want an AP bookkeeper to see the check files created by a PR User. I do want supervisors in departments to see their group but do not want the members of the group to access other members. I have approached it with rules on gen tables, rules on My security is complex having multiple companies and multiple productlines and users with different hats for different combinations of prodline, company and process level.

    I have also tried this and variations on this but not been sucessful

    On Unix, in the GEN profile for the 'UserName' element write the rule:
    if(UserName==user.getHostServiceId()||isMemberOf('payroll',UserName))
       'ALL_ACCESS,'
    else
       'NO_ACCESS,'

    MattM
    Veteran Member
    Posts: 82
    Veteran Member
      I can see why the UserName==user.getHostServiceId() would work but, don't see how isMemberOf('payroll',UserName) would work. For the group piece, would
      user.attributeContains('Group','payroll') work?
      John Henley
      Posts: 3353
        if(UserName==user.getHostServiceId()||isMemberOf('payroll',UserName))
        'ALL_ACCESS,'
        else
        'NO_ACCESS,'

        What is your intention for that rule?
        Thanks for using the LawsonGuru.com forums!
        John
        LeslieP
        Basic Member
        Posts: 7
        Basic Member

          That rule was from a consultant. And was written on the UserName Element in GEN.

          The intention was to allow the user to see people in their group.

          John Henley
          Posts: 3353
            Well, then that rule should work for you. It's probably that you have another rule which is conflicting and has greater access.
            Thanks for using the LawsonGuru.com forums!
            John
            Kwane McNeal
            Veteran Member
            Posts: 479
            Veteran Member
              No it's not that......

              You need to write the rule in a few places. A few tips:
              1) GEN rules apply to GEN objects...ONLY
              2) There are TWO UserName ELEMENTS, one in GEN and one in the Productline. You have to have rules in BOTH places
              3) There are SIGNIFICANT bugs with the rules engine for this exact issue. Your ESP level matters here.
              4) Print Files cannot be secured in and of themselves

              With that said, it can be done, in *certain* ESPs.

              Give me a call, and I will help where I can,
              Kwane
              954.547.7210
              alincoln
              Basic Member
              Posts: 12
              Basic Member
                Thread... rise from your grave!

                I'm running into the exact same scenario here. I'm not so much concerned with securing individual print files, but I do need to grant the ability for users to view the print managers of people who are in the same group as they are.

                I tried borrowing the conditional rule from above (using my own group name of course):

                isMemberOf('payroll',UserName)

                But I'm not getting anywhere with it. I've tried with various other conditional statements without success.

                Did you ever get anywhere with this effort? Any help would be much appreciated! For reference sake, we're on Version 9.0.1.2.102 2008-02-20 04:00:00.
                LeslieP
                Basic Member
                Posts: 7
                Basic Member

                  Yes, I do have this working. Contact me at lesliep@britthaven.com for details or call 800 676 1191 x2302

                  Frank Z
                  Advanced Member
                  Posts: 32
                  Advanced Member
                    I am very curious about how this ended up working out as well.... Our Lawson consultant can't get it to work either using :

                    if(user.getUserName()==UserName)
                    'ALL_ACCESS,'
                    elseif(user.isMemberOf('PrintMgrPR2Group'))
                    'ALL_ACCESS,'
                    else
                    'NO_ACCESS,'
                    Chris
                    Advanced Member
                    Posts: 23
                    Advanced Member
                      I realize it's almost two years later, but has anyone been able to get this to work? We're still trying without success to grant access to jobs and reports to a group of users.
                      Chris
                      Advanced Member
                      Posts: 23
                      Advanced Member
                        Finally figured it out. In Windows (where username is the NT#) and in UNIX or IBM i when the RMID is not the same as the OS ID (as in our case), all the functions that evaluate group participation do not work. See KB #5427427.) The alternative solution is to create a structure in RM.
                        Patricia Mane
                        Basic Member
                        Posts: 24
                        Basic Member
                          Help Please.  We have been with Lawson for 2 years now and we need to put into place security around the Printer Manager and user changed the User name field to see reports.  Now that Payroll is part of the equation, what can we do to stop this.  A previous comment mentioned KB #5427427, and I wasn't able to find anything.
                          Brian Allen
                          Veteran Member
                          Posts: 104
                          Veteran Member
                            Have you looked at KB 1208815 - "How do I secure users so they can see only their own jobs and/or print files in the job scheduler and print manager".  This one also discusses env release levels.
                            Dave Amen
                            Veteran Member
                            Posts: 75
                            Veteran Member
                              A couple of thoughts with KB 1208815 . . .

                              First, here is the essential part of that KB:
                              Assign each user an environment user group that contains ALL users (example: the ALL user group). This can be done within the laua user profile OR in the Lawson Security Administrator, User Maintenance under Edit Lawson Environment Information.

                              Dave's note: you will probably need to first add the user through the usergrpdef command in LID. Then the system will let you attach them to the ALL user group.

                              In Lawson Security, under the GEN profile, create a security class with a conditional rule on the USERNAME Element as follows:
                              if(user.getUserName()==UserName)
                              'ALL_ACCESS,'
                              else
                              'NO_ACCESS,'

                              Make sure the security class is assigned to a valid security role that is assigned to the user.

                              Dave's note: attach that rule to the BatchRole, and everyone who sees batch jobs will be secured by it!

                              Regards,
                              Dave
                              (303) 773-3535
                              Russell E
                              Basic Member
                              Posts: 16
                              Basic Member

                                I have tried this and it does restrict users from seeing others print files, but I have found it also restricted the user from submitting any batch jobs.

                                 

                                Anyone have any idea?

                                LeslieP
                                Basic Member
                                Posts: 7
                                Basic Member

                                  I have a word document that shows my rules and the conditions I applied. It works for me and I would be happy to share what I used. Using the user group never did work for me.

                                  Contact me at

                                  Lesliep@principle-it.com