LN user authorizations (OP-CE)

Initially, Normal users cannot use LN. Therefore, you must define some authorizations for the various LN software components. The authorizations of an employee in a company are related to the employee’s functionality or role in that organization, some employees have more authorizations than others. Likewise, LN ’s Authorization Management System (AMS) also uses a role concept to define the authorizations of LN users.

In addition to these role-dependent authorizations, you can define some additional dependent authorizations that are not defined by the employee’s role. For example, the development parameters, device preferences, and other authorizations. These non-role-dependent authorizations are defined in templates, which you can connect to the user profile.

This diagram shows a schematic overview of how the user authorizations are split up into role-related authorizations and non-role-dependent authorizations:

Schematic overview of the authorization concept in LN

Schematic overview of the authorization concept in LN

Note

At minimum, users must have some sort of session authorization, table authorization, and library authorization to use LN. Some default roles are already automatically generated to ensure normal users have sufficient authorization to logon.

Session Authorization (DEM, AMS and Enhanced AMS)

Use these methods for defining employee roles:

  • Dynamic Enterprise Modeler (DEM)
  • Authorization Management System (AMS)
  • Enhanced AMS, that fully integrates with DEM
  • DEM

    In DEM you can model Business Processes. Business Processes contain activities to be executed. Those activities can be LN sessions.

    Roles are linked to Business Processes, activities and employees. This way the access to the LN sessions is controlled.

    On runtime the employee has a specific DEM menu, the Process browser. When an employee runs LN sessions from the Process browser, the modeled DEM authorizations are used for those sessions. The DEM authorizations are deduced from the modeling information and are not stored into static authorization tables.

    Note: If you launch sessions from the Process browser, LN ignores any roles and authorizations defined in AMS. The AMS authorizations are applicable if you launch sessions through the Run Program command.

  • AMS

    In AMS you can define roles for Session Authorization, Table Authorization and Table Field Authorization. Those roles can be linked to Normal users. By default Normal users do not have any authorization. Super users have Full authorization for all sessions and all tables.

    You can define different authorization types, for example Full authorization, Read Only authorization, and other authorizations.

    You can launch sessions from the Menu browser. The roles that are linked to your LN user account decide what is allowed to execute or not.

    The DEM roles and authorizations are not applicable if you launch sessions from the Menu browser.

  • Enhanced AMS

    This method is available to improve the management of authorizations. You must explicitly enable Enchanced AMS, otherwise the default, classic authorization model applies. You can activate the Enhanced AMS at AMS Parameters. Previously known as SSO Parameters. When Enhanced AMS is activated, the menu Tools/User Management/Authorization Management System contains the corresponding new sessions. For example, the classic sessions are removed from that menu.

    Activation of Enhanced AMS must involve a Convert to Runtime of all Roles and all Users.

    When using DEM, we recommend that you integrate Enhanced AMS with DEM. You can specify a parameter at AMS Parameters, to export the DEM roles to AMS. This simplifies the modeling of DEM subapplications.

    It suffices to specify the authorizations for the sessions that users must perform for a specific business task. The Aggregate DEM Authorizations for AMS (tgbrg9298m100) session aggregates DEM Authorizations and the explicitly modeled subapplications. When these Authorizations are exported, the corresponding AMS roles are generated. The Role Data (ttams4600m000) session provides an overview of the AMS roles and their origin. The AMS role modeler can still change or overrule a specific AMS role.

    For more details see DEM.

Customers require a clear overview of the authorizations of a certain employee for the LN applications. This is in connection with the Sarbanes - Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002).

These sessions are available to print the session authorizations:

  • DEM
    Print DEM session authorizations (tgbrg8441m000)
  • AMS
    Print Session Authorizations by User (ttams3400m000)
  • Enhanced AMS
    No specific Print session exists. The preferred method is to export data to Excel using the Role Data (ttams4600m000) session.