Introducing SECURITY MIGRATION


Simplify the move to Lawson Security 9
Agenda
» Background
» LAUA Security Methodology
» LS9 Security Methodology
» Migration Process
» Our Solution
» Deliverables
» Tips & Tricks
Thank you for taking the time to view our presentation. I will be walking you through each step in our migration process. Just remember to click after each slide and we should be done soon!
A little about us.
Our Background
Founded by Dan and Brad Kinsey, K&K has provided software sales, implementations, support and development for over 29 years.
Lawson reseller and implementation partner since 1996
Lawson Certified Systems Integrator Partner
Lawson Complementary Software Partner
Lawson’s “Go to” Reseller/Implementer for Public Sector
2 time Partner of the Year
Focusing on the development of Lawson complementary software products
Let me provide a brief explanation of how LAUA security works.
LAUA Security Methodology
LAUA security is a structured Silo model built by creating Security Classes that restrict access to specific System Codes, Forms,
Function Codes and Tables. A major restriction of this model is that it fails to provide any ability to share security settings between
Security Classes. And since users can only be attached to a single Security Class, a slightly different job requirement requires an
entirely new Security Class.
LAUA Silo Structure
[Diagram: four Security Classes, IC Admin, IC Super, IC Clerk and IC Assist, each listing the same 30 IC forms.]
I call this the Silo effect. Nothing about your security is shared from one class to another, making the model difficult to manage.
When you set up a new class, full access is provided by default. You can then restrict access to systems, tables, forms and functions.
A slightly different role requires you to set up a new class. In this example black represents full access, red is no access, and blue is inquiry only.
Lawson adopted a new methodology with Security 9
LS9 Security Methodology
Lawson has changed the security model to follow a role-based structure. In this model, Security Classes are created to group a
series of forms together to accomplish a specific task (e.g. IC Setup). These Security Classes (tasks) are then assigned to Roles
within the organization (e.g. Inventory Manager). Security Classes can be shared between multiple Roles, and users can be
assigned to more than one Role in the organization.
LS9 Structure
This example reflects the same security access as the LAUA graphic, only now organized by Role and Task. Some major differences are listed below.
[Diagram: Roles IC Admin, IC Super, IC Clerk and IC Assist, with the following Security Classes (Tasks):]
Inventory01: IC240, IC241, IC242, IC246, IC260, IC262, IC280
Inventory02: IC10.1, IC10.2, IC11.1, IC11.2, IC11.3, IC11.4, IC11.5, IC11.6, IC12.1, IC12.2, IC15.1, IC20.1, IC20.2, IC20.4, IC21.1
Inventory03: IC01.1, IC01.2, IC06.1, IC07.1, IC08.1, IC200, IC201, IC202
Inventory04: IC11.1, IC11.2, IC11.3, IC11.4, IC11.5
Inventory05: IC11.6, IC20.1, IC20.2, IC20.4, IC21.1
No User access is provided by default
Security Classes (Tasks) grant specific Form, Function Code and Table access
Conditional Logic can be added at any level
Objects are shared between Roles and Users
Multiple Roles can be assigned to a User
Complementing Lawson Solutions
So what are our customers’ biggest concerns?
Accuracy
Resources
Cost
Time
BUILDING LS9
At a high level these are the steps you need to complete when setting up Security 9. Click to see what our utility can do for you automatically!
» Define your organization’s Roles (AP Manager, AP Clerk)
» Define a list of operational tasks (AP Invoice Entry, Check Processing)
» Assign form names to each Task (over 6000 forms)
» Assign table names to each Task
» Determine access Rules for each form (ACDINP+-)
» Build your Task (Security Classes)
» Build your Roles
» Determine which forms each user needs to access for proper class assignments
» Assign your Task (Security Classes) to your Roles
» Assign your Roles to your Users
» Implement form Rules
» Build conditional logic
» Perform positive and negative Testing
BUILDING LS9
Your Roles, Security Classes and User assignments are created automatically! You’re well on your way to building a new model!
So what’s the challenge? Well, how about these thoughts….
Identifying and Validating the forms a User needs to access
Organizing over 6,000 forms and tables into Security Classes
Properly restricting function code access for each form
Building conditional Logic
Creating and assigning Roles to users
Verifying User security
Our 3 Step Approach
Let’s explore our 3 step approach….
Analyze & Tune
Build & Load
Customize, Validate & Deploy
STEP 1 - TUNE
Our process is based on analyzing and tuning LAUA before we build LS9. Let me explain how these 3 steps help us with that challenge.
» Use our Listener to find the forms that are being accessed
» Analyze LAUA using our SOD violation report
» Identify common access points between Security Classes to eliminate redundant classes
LISTEN
Over a period of a few weeks we track all form activity for each user.
[Diagram labels: IC Admin, IC Super, IC Clerk, IC Assist; Lawson Applications; Lawson Database; Listener Application; Listener Database]
Our Listener application will collect information on who, when and how every form has been used.
LISTEN
We then analyze this data in many different fashions using pivot tables.
Use the Listener Pivot tables to analyze actual usage by Security Class/Form, User/Form, User/System Code, or System Code/Security Class
TOKENS NOT USED
The listener results are then compared to your LAUA security settings. You can change LAUA straight from Excel.
The Tokens Not Used report compares your actual usage to your security settings. For tokens not being used simply drag and drop the word ‘DENY’ in any cell to change LAUA security.
ANALYZE - SOD
The next step involves using our segregation of duties module to look for potential problems in LAUA.
Segregation of Duties ensures an appropriate level of checks and balances upon the activities of individuals.
Our 192 policies use over 2000 rules to make sure you have implemented the proper checks and balances.
You can now use this report to change LAUA and prevent future violations in LS9.
ANALYZE - REPORT
Next we want to check for redundant classes. This comparison graph highlights where we might have similar LAUA classes.
The LAUA Class Comparison Graph helps identify the security classes that may be similar.
ANALYZE
Our LAUA reporting allows you to review exactly how your security is defined.
Using the LAUA Security Report allows you to evaluate specific security class settings and differences. This report includes security settings for forms, tables, conditional logic, data security and user profiles.
Security classes are lined up side by side, allowing you to easily see any differences.
ANALYZE & TUNE
So now that we have tuned LAUA based on actual usage, segregation of duty violations and redundant classes, let’s move on to Step 2.
STEP 2 - BUILD
Our utility will do these steps for you automatically!
Conversion Utility
» Create Security Classes
» Create Roles
» Assign Security Classes to Roles
» Assign Roles to the appropriate Users
» Create LS9 profile using Lawson’s load utilities
LS9 Structure
Let’s go back to the original LAUA diagram. By identifying common access for each system code across all security classes we can create unique tasks. Click to see how.
The utility identifies common access between Security Classes and creates an LS9 task.
[Diagram: the LAUA classes IC Admin, IC Super, IC Clerk and IC Assist, with their forms regrouped into the tasks Inventory01 through Inventory05.]
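The grouping step described above, as an added example (not Kinsey's utility and not code from the presentation): each (form, access level) grant is keyed by the set of LAUA classes that hold it, every distinct set becomes one shared task, and each old class becomes a role that is checked to reproduce its LAUA access exactly. Class and form names come from the slides; the access levels, the task numbering order and all function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: LAUA class -> {form: access level}; unlisted forms are denied.
# Names are taken from the slides, the access levels are assumed for illustration.
LAUA = {
    "IC Admin":  {"IC01.1": "ALL", "IC01.2": "ALL", "IC10.1": "ALL", "IC10.2": "ALL", "IC240": "ALL"},
    "IC Super":  {"IC10.1": "ALL", "IC10.2": "ALL", "IC240": "ALL"},
    "IC Clerk":  {"IC10.1": "INQUIRY", "IC10.2": "INQUIRY", "IC240": "ALL"},
    "IC Assist": {"IC10.1": "INQUIRY", "IC10.2": "INQUIRY"},
}

def build_model(laua, prefix="Inventory"):
    """Return (tasks, roles): tasks map a name to sorted (form, level) grants,
    roles map each old LAUA class to the tasks it needs."""
    holders = defaultdict(set)             # (form, level) -> classes holding that grant
    for cls, grants in laua.items():
        for form, level in grants.items():
            holders[(form, level)].add(cls)
    groups = defaultdict(list)             # identical holder set -> one shared task
    for grant, classes in holders.items():
        groups[frozenset(classes)].append(grant)
    tasks, roles = {}, {cls: [] for cls in laua}
    # Sort groups by their grants so task numbering is stable between runs.
    ordered = sorted(groups.items(), key=lambda kv: sorted(kv[1]))
    for n, (classes, grants) in enumerate(ordered, start=1):
        name = f"{prefix}{n:02d}"
        tasks[name] = sorted(grants)
        for cls in sorted(classes):
            roles[cls].append(name)
    return tasks, roles

def effective_access(tasks, roles, role):
    """Expand a role to {form: level}; nothing is granted unless a task grants it."""
    return {form: level for t in roles[role] for form, level in tasks[t]}

def verify(laua, tasks, roles):
    """Migration check: every role reproduces its LAUA class, no more and no less."""
    return all(effective_access(tasks, roles, cls) == laua[cls] for cls in laua)

if __name__ == "__main__":
    tasks, roles = build_model(LAUA)
    for name, grants in tasks.items():
        print(name, grants)
    for role, names in roles.items():
        print(role, "->", names)
    print("equivalent to LAUA:", verify(LAUA, tasks, roles))
```

Inquiry-only grants land in their own task, separate from the full-access task for the same forms, which is why a form can appear in more than one task.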
LS9 Structure
Your old security classes become Roles, the classes are built automatically and we make the proper connections, including tables.
[Diagram: Roles IC Admin, IC Super, IC Clerk, IC Assist and IC Tables, connected to the Security Classes Inventory01 through Inventory05 and Inventory ICTABLES.]
LS9 Structure
If you need to be more granular we can create classes based on the category list shown here.
Categories: Setup, Processing, Analysis, Update Batch Job, Purge Batches, Reports, Interfaces, and Miscellaneous.
[Diagram: Roles IC Admin, IC Super, IC Clerk, IC Assist and IC Tables, with the following Security Classes:]
IC Setup 01: IC10.1, IC10.2, IC11.1, IC11.2, IC11.3, IC11.4, IC11.5, IC11.6, IC12.1, IC12.2, IC15.1, IC20.1, IC20.2, IC20.4, IC21.1
IC Setup 02: IC01.1, IC01.2, IC06.1, IC07.1, IC08.1
IC Reports 01: IC200, IC201, IC202
IC Reports 02: IC240, IC241, IC242, IC246, IC260, IC262, IC280
IC Setup RO 01: IC11.6, IC20.1, IC20.2, IC20.4, IC21.1
IC Setup RO 02: IC11.1, IC11.2, IC11.3, IC11.4, IC11.5
Inventory ICTABLES
STEP 3
You’re now ready for the final phase where we add special logic, tune function codes and get the users to do some testing.
» Compare and tune form access rules
» Evaluate and create conditional logic
» Validate User access
» Activate Security 9
OUTLIER REPORT
The Outliers report identifies any special function rules in LAUA that we may want to incorporate in the LS9 model.
ANALYZE & TUNE
Once you tweak your function codes, some additional time may be required to build special rules based on your organization’s requirements, but you’re pretty much ready for testing.
Security 9 Reports – Security Admin Reports
You’ll have access to our security dashboard to evaluate any security settings while performing your test.
Our flexible user interface makes it simple to analyze your model.
VALIDATE - SOD
You can continue to use our segregation of duties module to check for any user violations in LS9.
Segregation of Duties ensures an appropriate level of checks and balances upon the activities of individuals.
SELF SERVICE
We’re just about done. If you need help with self-service we deliver a proven set of templates for ESS, MSS and RCQ.
SERVICES
» Security Overview and Kickoff
» Software Installation
» Technical Support
» Kinsey Project Manager
» Report Training
» Creation of Security Classes and Roles
» Security Class and Rule Analysis
» Assist with Data Element Security
» Assist with Conditional Logic
» Proof of Concept Workshop
» Security Testing
» Security Training
» Go Live Support
Here is a quick overview of the services required to complete the project. We will do as much as you want or let you take the lead!
TOOLS
» Token Listener
» Security Builder
» Segregation of Duties
» LAUA Reporting
» LS9 Dashboard
You will have access to all of these products during the project.
HIGHLIGHTS
» Takes advantage of the knowledge already put into LAUA security
» Utilizes actual form usage to fine tune security settings
» Re-engineers LAUA to automatically build your LS9 security
» Includes all Custom Forms created in your system
» Leverages Lawson’s utilities for building LDAP
» Takes significantly less time than other methods
» Requires less of your resources
» It’s built around your business practices
These highlights are what make us different.
And as we like to think, it’s not about converting LAUA, it’s about building a better model!
Guy Henson
VP Business Development
cell: 757-621-8236
www.kinsey.com