Two security classes one allows the other does not

Jim, are you using LAUA or LS security?

I am testing LS security. Sorry should have noted that. Thank you.

Ok, you will have to go inside the roles and check the security classes assigned to them. Assuming your security classes are setup by system code, you would need to go to the RQ security class for that role and see what the form access is allowed there. You should also check that the file security required has been granted. Are you just beginning to use LS security? Or do you have other security classes you could use as examples?

Wade, are you working with Jim on this issue? If it looks like the access is allowed in that security class, you need to check all other security classes in that role to make sure the access to RQ12 was not explicitly denied in any of the other classes. If the user is assigned multiple roles you need to check all the security classes assigned to other roles as well. Make sure there wasn't a universal deny all access applied to the system code somewhere.

I got into the wrong discussion. sorry.

Hello,
Sorry, I should have given more information. I have two security classes the first one is RQRequester the second one is RQApprove. RQApprove inherits from RQRequester. The only difference between the two is that in RQRequester I deny access to RQ12 and RQ13. In RQApprove I give access to them. I have assigned roles BatchRole and RQRequester to security class RQRequester and roles BatchRole and RQApprove to RQApprove. I have also assigned roles BatchRole and RQRequester to one user and roles BatchRole and RQApprover to a second user. I want RQ12 and RQ13 to be denied to the first user and I want them allowed to the second user.(the role names are the same as the security class names) Hope this helps and thank you for your help.

Jim,
I believe with LS security the most restrictive rule wins so you will not be able to have RQApprove inherit from RQRequester. You can do a security class dump and load to create a copy of the RQRequester class using LSdump and lsload. That would save you a lot of check boxes and you could just change the access to RQ12 and RQ13. You can verify the inheritance is the problem by changing RQRequester to have access to RQ12 and RQ13.

Hi riegerj,
I thought I read where the most generous rule applies so I would think that the user assigned to the parent where it is denied would have access. I have tried them separately and I had the problem where the first one was accessing. I will try your suggestion though and see if that works. Thank you.

When using lsdump and lsload will I have to modify the file created by lsdump and change the security class name before loading it? Thank you

If you use the -s option it will prompt you for a new name for the security class and you will not have to modify the contents of the dump file.

Ok now the second user has access to RQ12 and RQ13, but now so does the first user. What will I need to do to deny access to the first user and allow it for the second user. I have the same setup in roles assigned as I described above the difference is the security class RQApprove is no longer inherited from RQRequester. Earlier I turned on auditing and it looks at both security classes to determine access. I thought that it would only use the security class where the roles assigned to the user are the same as the one you want to use. In both users the only role that is assigned to both that is in both security classes is BatchRole. Thank you.

I believe I found the problem. I had the role BatchRole assigned to both security classes and I also had it assigned to both users. I removed it from the security class RQRequester and from the first user and I now get access denied for the first user and it allows for the second user on RQ12 and RQ13(which is what I wanted). If you have any other thoughts let know. Thank you for your help.

Jim, I would not use the batchrole to assign security classes. My personal preference is to leave that specific role pretty vanilla since it deals with the ability to run jobs and access job queues and print managers. I would recommend creating a role for each business user role you will be creating. I know it seems like a lot of layers and takes some getting used to in the beginning but if you keep everything compartmentalized it is easier to reuse pieces and decipher who has what access. Good luck!

I am just curious that you should be able to override the rule that you inherited from. I thought we can re-grant the access previleage that are prohibited from parent. Also, if you don't want the RQRequester to access RQ12 and RQ13, why you need to add these forms to this parent's class? I'm confused.

Hi Wintergreen,
In the end I changed the second security class not to inherit from the first one. My idea was that the parent class would have the access that was needed in the child with the exception of RQ12 and RQ13. I would just deny access in the child to those two. Probably the other way around would have been better.

Kinda defeats the purpose of inheritance, doesn't it? ;)

Hi, Jim, I was told from lawson training, if there is more than one rule wirrten on the object, the most generous rule will win. I tested it and it is right. So, not sure about your case. Just FYI. Thanks!

In relation to Lawson Security I need to get a Web user id setup which works by company and process level. Does anyone know how to set that up. Thanks.

I'm not sure if i'm totally understanding your question. I'm thinking you want to set up a new user that has only access to certain company and process levels. If that is what you are asking, then you can go into the processlevelcontrol and companycontrol in the RM information and set the user record to the ones they are allowed to access. Then you need to make sure that whereever you want that access limited that you set the security classes that the user has access to to have conditional rule access on every file and form that you are trying to limit. The conditional access would look something like this - "user.attributeContains('CompanyControl',form.ACM_COMPANY)" and set it to all access. This is our access to control company in AR10.1.