Lawson M3 Function Security. Lawson Learning education@lawson.com. M3 Function Security by Authority. Agenda. SES003 Methodology Role-based Security Methodology Summarised Comparison. M3 Function Security by Authority. Function Security Options.
Lawson M3 Function Security Lawson Learning education@lawson.com
M3 Function Security by Authority: Agenda
• SES003 Methodology
• Role-based Security Methodology
• Summarised Comparison
M3 Function Security by Authority: Function Security Options
From V13.1 of Lawson M3, two methods are provided through which security is managed on the function level:
• 0 Authorities (SES003)
• 1 Permissions (SES400) – Role-based Security
The method to be used is determined by a new property in Movex.properties: app.pgm.CAUTCHK.mode
M3 Function Security by Authority: Function Security Using SES003
[Diagram labels: Function, Authority, User. Authority levels shown for CRS610: Full update capability; Display only; Disallowed]
M3 Function Security by Authority: Using Groups with SES003
Function groups and user groups
• A user cannot be in more than one group
• A function cannot be in more than one group
• A group cannot be in another group
Exceptions allowed
• Individual can be named in SES003 even if in a group, with a contradictory setting
M3 Function Security by Authority: Rules for Groups
[Diagram: group “ACCOUNTS” in three arrangements. Correct. Incorrect: user is member of two groups. Incorrect: group within a group]
M3 Function Security by Authority: SES003 Security Mechanism – 4-Tier Model
[Diagram: tiers USER, USER GROUP, FUNCTION GROUP and FUNCTION. Labels: Buying, Buyer, Purch Admin, PurchMgr, Finance, Fin Funcs, IT Admin, Sys Admin, SES003. Functions: PPS170, PPS180, PPS200, PPS235, PPS280, APS100, ARS100, GLS047, MNS150, MNS204, MNS205]
M3 Function Security by Authority: Function SES003, “Function. Connect authority”
• SES003 entries can specify disallow as well as allow
M3 Function Security by Authority: SES003 Security Mechanism – 4-Tier Model
[Diagram: tiers USER, USER GROUP, FUNCTION GROUP and FUNCTION. Labels: Buying, Buyer, Purch Admin, PurchMgr, Finance, Fin Funcs, IT Admin, Sys Admin. Functions: PPS170, PPS180, PPS200, PPS235, PPS280, APS100, ARS100, GLS047, MNS150, MNS204, MNS205, with two DISALLOW markers shown at ARS100 and GLS047]
Basic Options
Basic Options appear in many, but not all, Lawson M3 programs
Basic Options can be secured in SES400
• Option 1 - Create
• Option 2 - Change
• Option 3 - Copy
• Option 4 - Delete
• Option 5 - Display
M3 Function Security by Authority Using SES003 to Secure Standard Options
M3 Function Security by Authority: Using SES003 to Secure Function Keys
Function keys 1-24 can be controlled in SES003
M3 Function Security by Authority: SES003 Mechanism – Conceptual View
[Diagram: function definitions MMS001, MMS002, MMS003, MMS004, MMS006, MMS010, MMS015, MMS020, MMS025 and SES003 entries for Company 100, Company 200 and Company 300, each with a central division (division blank) and Divisions A and B; some are marked “secure”]
• Optionally lock some functions
• Make allowing or disallowing entries in SES003
• Optionally leave some companies unsecured
M3 Function Security by Authority: Function Security Options
From V13.1 of Lawson M3, two methods are provided through which security is managed on the function level:
• 0 Authorities (SES003)
• 1 Permissions (SES400) – Role-based Security
The method to be used is determined by a new property in Movex.properties: app.pgm.CAUTCHK.mode
M3 Role-based Security: Function Access – The Need for Security
• Function definition attribute Authority Required
• determines whether the function is accessible
• unchecked - Implicit Permission
• the function is “unlocked” – open for access to users
By default all functions are accessible to all users
• no permissions set-up is required to enable access
• checked - Explicit Permission
• the function is “locked” - closed to users unless they have permission
All M3 function definitions are maintained by MNS110
• Checking the Authority Required box is the only way to deny access to a function
[Diagram: function definitions MMS001, MMS002, MMS003, MMS004, MMS006, MMS010, MMS015, MMS020, MMS025, MMS026]
M3 Role-based Security: Roles
• Roles
• define a set of authorizations in M3 Business Engine
• connect users to roles
• each connection of user and role can have validity dates
• for temporary cover during absence/vacation
• a user can be connected to several roles at the same time
[Diagram labels: Buyer, PurchMgr]
M3 Role-based Security: M3 Role-based Security Mechanism – 3-Tier Model
[Diagram: tiers ROLE, USER and FUNCTION. Labels: Buyer, PurchMgr, Finance, IT Admin, SES400. Functions: PPS170, PPS180, PPS200, PPS235, PPS280, APS100, ARS100, GLS047, MNS150, MNS204, MNS205]
Basic Options
Basic Options appear in many, but not all, Lawson M3 programs
Basic Options can be secured in SES400
• Option 1 - Create
• Option 2 - Change
• Option 3 - Copy
• Option 4 - Delete
• Option 5 - Display
M3 Role-based Security: SES400 Permissions Setup - example
• Specify the function/role combination, and a company/division
• Specify the basic & related options, and function keys permitted
M3 Role-based Security: The Rules of Permissions Setup
Set-up enables control of permissions for
• all Basic Options (option 1 – 9)
• all Related Options (option 10 - 99)
• all function keys (F1 – F24)
If a user is connected to several roles with different permissions for a certain function, the least restrictive permission applies
• user receives all authorities added together
Each company/division has its own permissions settings
• no dependency between companies/divisions
M3 Role-based Security: The Rules of Permissions Setup
SES400 settings are passed to autostart job SES900 to process
• SES400 settings are by function and role level
• system expands roles to create individual user permissions
• system expands functions that contain security-inheriting programs (see Program Inheritance)
Permissions are automatically updated by the system, when necessary
• deleting users
• copying roles
• maintaining roles membership
• when role validity dates are passed
Permissions can be viewed using SES401
• you see what the system sees during a security check
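The rules on the two “Rules of Permissions Setup” slides, as a simplified Python model added here for illustration (not Lawson code, and not how M3 stores or evaluates permissions): role-level entries are expanded into per-user permissions, role connections outside their validity dates are skipped, and permissions from several roles are added together. All names, data structures and sample data are assumptions; divisions with no entries at all are not modelled.

```python
from datetime import date

# Constructed sample data (assumption): Authority Required flag per function
AUTHORITY_REQUIRED = {"PPS170": True, "PPS200": True, "MMS001": False}

# User-to-role connections with validity dates: (user, role, valid_from, valid_to)
USER_ROLES = [
    ("MARIE", "Buyer",    date(2024, 1, 1), date(2099, 12, 31)),
    ("MARIE", "PurchMgr", date(2024, 7, 1), date(2024, 7, 31)),  # temporary cover
    ("PETER", "Buyer",    date(2024, 1, 1), date(2099, 12, 31)),
]

# Role-level entries: (role, function, company, division) -> permitted options/keys
ROLE_PERMISSIONS = {
    ("Buyer",    "PPS170", 100, ""):  {"opt5"},
    ("PurchMgr", "PPS170", 100, ""):  {"opt1", "opt2", "opt4", "opt5", "F14"},
    ("Buyer",    "PPS200", 100, "A"): {"opt1", "opt2", "opt5"},
}

def expand_permissions(on_date):
    """Expand role-level entries into per-user permissions valid on on_date."""
    expanded = {}
    for user, role, start, end in USER_ROLES:
        if not (start <= on_date <= end):
            continue  # role connection is outside its validity dates
        for (r, function, company, division), allowed in ROLE_PERMISSIONS.items():
            if r == role:
                key = (user, function, company, division)
                # Several roles: least restrictive applies, authorities are added together
                expanded.setdefault(key, set()).update(allowed)
    return expanded

def is_allowed(user, function, company, division, action, on_date):
    """Check one option or function key for a user in one company/division."""
    if not AUTHORITY_REQUIRED.get(function, False):
        return True  # implicit permission: the function is unlocked
    perms = expand_permissions(on_date)
    # Exact company/division lookup: no dependency between companies/divisions
    return action in perms.get((user, function, company, division), set())
```

Comparing `expand_permissions` for a date inside and a date after the temporary role's validity period shows the effect the slides describe as permissions being updated when role validity dates are passed.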
M3 Role-based Security: Permissions. Display (SES401)
• In the permissions display you can view the results of the setup
[Screenshot callout: Inquiry types]
M3 Role-based Security: Permissions. Display (SES401) - Panel E
• In the permissions display E panel you can view the detail for each program/user
Displays all ‘possible’ options or function keys in an M3 BE program. (Options and function keys that do not exist in the actual program are, of course, obsolete in this panel)
M3 Role-based Security: Copying Roles in MNS405
• When copying a role, options exist to copy
• connected users
• connected permissions
M3 Role-based Security: Forcing Automatic Creation of Permissions
[Diagram labels: Peter, Marie, IT Admin. Functions: MMS001, MMS003, MMS004, MMS006, MMS015, MMS020, MMS025, MMS026, PPS170, PPS200, GLS040. Programs: OIS326, PPS171, PPS172, PPS173, PPS008, CRS340]
Permissions (User, Program):
• Marie PPS170, Peter PPS170
• Marie OIS326, Peter OIS326
• Marie PPS171, Peter PPS171
• Marie PPS172, Peter PPS172
• Marie PPS173, Peter PPS173
• Marie PPS200, Peter PPS200
• Marie CRS340, Peter CRS340
• Marie PPS008, Peter PPS008
• Marie MMS025, Peter MMS025
• Marie MMS026, Peter MMS026
M3 Function Security by Authority: Role-based Security Mechanism – Conceptual View
[Diagram: function definitions MMS001, MMS002, MMS003, MMS004, MMS006, MMS010, MMS015, MMS020, MMS025 and SES400 entries for Company 100, Company 200 and Company 300, each with a central division (division blank) and Divisions A and B, all marked “secure”]
• Lock all functions
• Create permissions in SES400
• All companies need permissions set up
M3 Function Security by Authority: Company/division Comparison
[Diagram: SES003 entries and SES400 entries for Company 100 and Company 200, each with a central division (division blank) and Divisions A and C]
SES003 Method
• Each company has its own policy
• Divisions follow company policy if no entries of their own. E.g. Division C is secured.
Role-based Method
• Each division must have its own policy
• Divisions without SES400 entries are unsecured. E.g. Division C is unsecured.
M3 Function Security by Authority: Comparison between SES003 and Role-based Mechanisms
M3 Role-based Security
[Diagram: tiers ROLE, USER and FUNCTION. Labels: Buyer, PurchMgr, Finance, IT Support, IT Admin, SES400, LL0101, LL0102, LL0103, LL0104, LL0105, M3SRVADM. Functions: PPS170, PPS180, PPS200, PPS235, PPS280, APS100, ARS100, GLS047, MNS150, MNS204, MNS205, MNS410. Notes: “View only” for MNS150, MNS204, MNS205; “Plus all MNS and SES functions”]