Start Slide - Lawson User Association


Lawson M3 Function Security
Lawson Learning
M3 Function Security by Authority

Agenda
 SES003 Methodology
 Role-based Security Methodology
 Summarised Comparison

Function Security Options
From V13.1 of Lawson M3, two methods are provided through which security is managed on the function level:
– 0: Authorities (SES003)
– 1: Permissions (SES400) – Role-based Security
The method to be used is determined by a new property in Movex.properties: app.pgm.CAUTCHK.mode

Function Security Using SES003
(Screenshot: SES003 entries for function CRS610, one per user, with the Authority column set to full update capability, display only, or disallowed.)

Using Groups with SES003
 Function groups
 User groups
 A user cannot be in more than one group
 A function cannot be in more than one group
 A group cannot be in another group
 Exceptions allowed
– An individual can be named in SES003 even if in a group, with a contradictory setting

Rules for Groups
(Diagram: group “ACCOUNTS” shown as a correct set-up; two incorrect set-ups: a group within a group, and a user who is a member of two groups.)

SES003 Security Mechanism – 4-Tier Model
(Diagram: USER → USER GROUP → FUNCTION GROUP → FUNCTION. Users Buyer and PurchMgr, user group Buying and function group Purch Admin covering PPS170, PPS180, PPS200, PPS235, PPS280; user Finance and function group Fin Funcs covering APS100, ARS100, GLS047; user IT Admin and user group Sys Admin covering MNS150, MNS204, MNS205.)

Function SES003, “Function. Connect authority”
 SES003 entries can specify disallow as well as allow

Basic Options
Basic Options appear in many, but not all, Lawson M3 programs.

Basic Options can be secured in SES400
Option 1 - Create
Option 2 - Change
Option 3 - Copy
Option 4 - Delete
Option 5 - Display

Using SES003 to Secure Standard Options

Using SES003 to Secure Function Keys
Function keys 1-24 can be controlled in SES003.

SES003 Mechanism – Conceptual View
(Diagram: function definitions MMS001, MMS002, MMS003, MMS004, MMS006, MMS010, MMS015, MMS020, MMS025; companies 100, 200 and 300, each with a central division (division blank) and divisions A and B; SES003 entries secure some of these company/division levels while others are left open.)
 Optionally lock some functions
 Make allowing or disallowing entries in SES003
 Optionally leave some companies unsecured

M3 Role-based Security

Function Access – The Need for Security
 By default all functions are accessible to all users
– no permissions set-up is required to enable access
 Function definition attribute Authority Required
– determines whether the function is accessible
– unchecked - Implicit Permission
 the function is “unlocked” – open for access to users (diagram: MMS006, MMS026, MMS025)
– checked - Explicit Permission
 the function is “locked” – closed to users unless they have permission (diagram: MMS020, MMS015, MMS010, MMS006, MMS004, MMS003, MMS002, MMS001)
All M3 function definitions are maintained by MNS110.
Checking the Authority Required box is the only way to deny access to a function.

Roles
 Roles
– define a set of authorizations in M3 Business Engine
– connect users to roles
– each connection of user and role can have validity dates
 for temporary cover during absence/vacation
– a user can be connected to several roles at the same time
(Diagram: roles Buyer and PurchMgr.)

M3 Role-based Security Mechanism – 3-Tier Model
(Diagram: USER → ROLE → FUNCTION. Roles Buyer and PurchMgr cover PPS170, PPS180, PPS200, PPS235, PPS280; role Finance covers APS100, ARS100, GLS047; role IT Admin covers MNS150, MNS204, MNS205.)

SES400 Permissions Setup - example
(Screenshot callouts:)
 Specify the function/role combination, and a company/division
 Specify the basic & related options, and function keys permitted

The Rules of Permissions Setup
 Set-up enables control of permissions for
– all Basic Options (option 1 – 9)
– all Related Options (option 10 - 99)
– all function keys (F1 – F24)
 If a user is connected to several roles with different permissions for a certain function, the least restrictive permission applies
– user receives all authorities added together
 Each company/division has its own permissions settings
– no dependency between companies/divisions

The Rules of Permissions Setup (cont.)
 SES400 settings are passed to autostart job SES900 to process
– SES400 settings are by function and role level
– system expands roles to create individual user permissions
– system expands functions that contain security-inheriting programs (see Program Inheritance)
 Permissions are automatically updated by the system, when necessary
– deleting users
– copying roles
– maintaining roles membership
– when role validity dates are passed
 Permissions can be viewed using SES401
– you see what the system sees during a security check

Permissions. Display (SES401)
 In the permissions display you can view the results of the setup
Inquiry types:

Permissions. Display (SES401) - Panel E
 In the permissions display E panel you can view the detail for each program/user
Displays all ‘possible’ options or function keys in an M3 BE program. (Options and function keys that do not exist in the actual program are, of course, obsolete in this panel.)

Copying Roles in MNS405
 When copying a role, options exist to copy
– connected users
– connected permissions

Forcing Automatic Creation of Permissions
(Diagram: users Peter and Marie are connected to role IT Admin, which is connected to programs PPS008, CRS340, PPS173, PPS172, PPS171 and OIS326. The resulting Permissions table lists a User/Program row for each of Marie and Peter against each of PPS170, OIS326, PPS171, PPS172, PPS173, PPS200, CRS340, PPS008, MMS025 and MMS026.)

Role-based Security Mechanism – Conceptual View
(Diagram: the same function definitions MMS001, MMS002, MMS003, MMS004, MMS006, MMS010, MMS015, MMS020, MMS025 and companies 100, 200 and 300, each with a central division (division blank) and divisions A and B; SES400 entries exist at every company/division level, and every level is marked secure.)
 Lock all functions
 Create permissions in SES400
 All companies need permissions set up

Company/division Comparison
(Diagram: two companies, 100 and 200, each with a central division (division blank) and divisions A and C; on the SES003 side the entries secure the company level, on the role-based side the SES400 entries secure Division A only.)
SES003 Method
– Each company has its own policy
– Divisions follow company policy if no entries of their own. E.g. Division C is secured.
Role-based Method
– Each division must have its own policy
– Divisions without SES400 entries are unsecured. E.g. Division C is unsecured.

Comparison between SES003 and Role-based Mechanisms
SES003 Method | Role-based Method
User can be in only 1 group | User can be in many roles
No time limits to group membership | Can set time limits to role membership (temporary cover during absence)
Allow & disallow entries can be made | Only allow entries can be made
Exceptions can be made to group settings (contradictory entries) | No exceptions can be made (must build up roles from least to most permission)
Function groups allowed | No function groups allowed
“In-line” related options cannot be secured | “In-line” related options can be secured
Divisions can use company security | All divisions must be individually secured (can use LCM copy functionality)
No support for quick set-up | Can copy role membership and/or permissions. Can quickly create “superusers”.
No easy way to determine individual user/program permissions | Can view individual user/program permissions
Can leave some companies unsecured | If all functions are locked, security must be set up for all companies.

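As an added illustration (not from the slides or from Lawson), the following Python models the resolution rules the slides state for both mechanisms: SES003 with user and function groups, allow and disallow entries, individual exceptions and division fallback to company policy; SES400 with the union across valid roles, role validity dates, no fallback between divisions, and the Authority Required lock. The sample data, key layouts and the precedence order among SES003 entries are assumptions.

```python
# Constructed sample data modelling the two mechanisms described in the slides.
# Key layouts, names and the precedence order are assumptions for illustration,
# not M3 file formats.

# SES003 (authority) model: at most one user group per user and one function
# group per function; an entry names a user or user group against a function or
# function group and is "full", "display" or "disallow".
USER_GROUP = {"marie": "Buying", "peter": "Buying"}
FUNC_GROUP = {"PPS200": "Purch Admin", "PPS170": "Purch Admin"}
SES003 = {  # (company, division, subject, object) -> authority
    ("100", "", "Buying", "Purch Admin"): "full",
    ("100", "", "peter", "PPS200"): "disallow",  # individual exception contradicting the group
    ("100", "B", "Buying", "Purch Admin"): "display",
}

def ses003_authority(user, company, division, function):
    """Most specific entry wins (assumed order): division entries before the
    company-level fallback, individual before group, function before function group."""
    for div in (division, ""):
        for subject in (user, USER_GROUP.get(user)):
            for obj in (function, FUNC_GROUP.get(function)):
                if (company, div, subject, obj) in SES003:
                    return SES003[(company, div, subject, obj)]
    return None  # no entry anywhere: this company is left unsecured

# Role-based (SES400) model: only allow entries; each (company, division,
# function, role) holds the options and function keys permitted.
SES400 = {
    ("100", "", "PPS200", "Buyer"): {"1", "2", "5"},
    ("100", "", "PPS200", "PurchMgr"): {"4", "5", "F14"},
    ("100", "A", "PPS200", "Buyer"): {"5"},
}
ROLES = {  # user -> [(role, valid_from, valid_to)] as ISO dates, None = open-ended
    "marie": [("Buyer", None, None), ("PurchMgr", "2024-07-01", "2024-07-31")],
}
LOCKED = {"PPS200"}  # functions with "Authority Required" checked in MNS110

def role_permission(user, company, division, function, on):
    """Union over roles valid on date `on` (least restrictive wins); no fallback
    from division to company; an unlocked function carries implicit permission."""
    if function not in LOCKED:
        return {"*"}
    active = {r for r, start, end in ROLES.get(user, [])
              if (start is None or start <= on) and (end is None or on <= end)}
    perms = set()
    for role in active:
        perms |= SES400.get((company, division, function, role), set())
    return perms
```

Running the two functions against the same user for a division with no entries of its own shows the comparison-table difference directly: SES003 falls back to the company entry, the role-based model returns an empty permission set.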
M3 Role-based Security
(Diagram: USER → ROLE → FUNCTION. Users LL0101 and LL0102 connect to roles Buyer and PurchMgr, covering PPS170, PPS180, PPS200, PPS235, PPS280; users LL0103 and LL0104 connect to role Finance, covering APS100, ARS100, GLS047; user M3SRVADM connects to role IT Admin, covering MNS150, MNS204, MNS205; user LL0105 connects to role IT Support, covering MNS150, MNS204, MNS205 plus all MNS and SES functions.)