LN user authorizations (OP-CE)

Initially, Normal users cannot use LN. Therefore, you must define authorizations for the various LN software components. The authorizations of an employee in a company are related to the employee’s function or role in that organization; some employees have more authorizations than others. Likewise, LN’s Authorization Management System (AMS) uses a role concept to define the authorizations of LN users.

In addition to these role-dependent authorizations, you can define additional authorizations that do not depend on the employee’s role, for example, the development parameters, device preferences, and other authorizations. These non-role-dependent authorizations are defined in templates, which you can connect to the user profile.

This diagram shows a schematic overview of how the user authorizations are split up into role-related authorizations and non-role-dependent authorizations:

Schematic overview of the authorization concept in LN


Note

At minimum, users must have some sort of session authorization, table authorization, and library authorization to use LN. Some default roles are already generated automatically to ensure that Normal users have sufficient authorization to log on.

Session Authorization (DEM, AMS and Enhanced AMS)

Use these methods for defining employee roles:

  • Dynamic Enterprise Modeler (DEM)
  • Authorization Management System (AMS)
  • Enhanced AMS, which fully integrates DEM with AMS

DEM

In DEM, an organization can be modeled, including DEM Business processes. DEM Business processes contain activities that should be executed, such as paying an invoice, or raising a sales order. These activities can be LN sessions.

An LN user is linked one-to-one to a DEM employee. This employee has one or more DEM Roles. These DEM Roles are linked to one or more DEM Business processes. This way the access to the LN sessions is controlled from user login to LN session.

At runtime, an employee has a specific DEM menu, the Process browser. When an employee runs LN sessions from the Process browser, the modeled DEM authorizations are used to authorize all sessions in the menu. The DEM authorizations are deduced from the modeling information and are not stored in any static authorization tables.

If you start sessions from the Process browser, LN ignores any roles with session authorizations that are defined in AMS.

The DEM roles and authorizations are not applicable if you start sessions from the Menu browser. They are only applicable if you use the Process browser.

AMS

In AMS, you can define roles with authorizations for sessions, tables, and table fields. The roles can be linked to Normal users. By default, Normal users do not have any authorization. Super users have Full authorization for all sessions and all tables.

You can define different authorization levels, such as Full, Read Only, or Not authorized.

The roles that are linked to an LN user account determine what the user is allowed to execute in the LN Menu browser, and at which level of authorization.

The AMS authorizations are applicable if you start sessions through the Run Program command.

Enhanced AMS

This method is available to link DEM and AMS. You must explicitly enable Enhanced AMS in the AMS parameters, previously known as SSO Parameters. If LN is installed as a new installation, this is the default. If Enhanced AMS is activated, the Tools > User Management > Authorization Management System menu contains the corresponding new sessions. The other sessions are removed.

If you use the DEM modeler, we recommend that you use the Enhanced AMS with DEM.

To enable Enhanced AMS with DEM:

  1. Select the Support Export of DEM Roles to AMS check box in the AMS Parameters (ttams0100m000) session. Now, DEM is used to model the organization and business activities, while AMS is used to control authorizations.
  2. Run the Aggregate DEM Authorizations for AMS (tgbrg9298m100) session. This session gathers the data from the selected DEM version and project model, and exports the data to AMS.

If a session appears multiple times in the selected DEM version and project model, the widest authorization is used when aggregating the data. This table shows an example:

DEM session occurrence 1 | DEM session occurrence 2 | After aggregate
No authorization         | Display                  | Display
Full                     | Display                  | Full

If you use Enhanced AMS, DEM subapplications are handled differently than if you use only DEM:

  • If you only use DEM, a subapplication that is not specifically modeled (that is, not given an authorization level in the DEM module) has the same authorization level as the main session it is part of. In other words, the authorization level is inherited.
  • If you use Enhanced AMS, a subapplication that is not specifically modeled is not included in the AMS authorizations.

When the menu for the user is created using the Process browser, the most restrictive authorization of DEM and AMS is used. This table shows an example:

DEM         | AMS         | Runtime
Display     | Full        | Display
Full        | Display     | Display
NA or blank | Full        | NA
Full        | NA or blank | NA

Suppose a subapplication is not specifically modeled in DEM, and no authorization is granted in AMS. In an environment that uses Enhanced AMS, the user does not have any authorization to run this subapplication.

Using Enhanced AMS might look more complicated than using DEM authorizations, but it gives huge advantages in reporting and controlling the authorizations. The authorized sessions and subapplications are all clearly specified if they are required. This results in far fewer unnecessary authorization settings.

Enhanced AMS is required for the integration with Infor Risk & Compliance Authorization Insight (IRC). The data that is shared with IRC only has AMS as its source.

The AMS role modeler can still change or overrule a specific AMS role. To activate Enhanced AMS, you must perform a Convert to Runtime of all roles and all users.
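The aggregation, runtime, and subapplication rules described above, modeled as an added example (not Infor code and not an LN API). The level ordering NA < Display < Full, the session names, and treating an unmodeled subapplication as blank on the DEM side are assumptions of this example; `widened_in_ams` lists sessions whose AMS level is wider than the aggregated DEM export, as can happen when a role is changed in AMS.

```python
from enum import IntEnum

class Level(IntEnum):
    """Ordering assumed for this example: NA < Display < Full."""
    NA = 0        # "No authorization", "NA or blank"
    DISPLAY = 1
    FULL = 2

def aggregate_for_ams(occurrences):
    """Aggregation rule: widest level among all DEM occurrences of a session."""
    return max(occurrences, default=Level.NA)

def process_browser_level(dem, ams):
    """Runtime rule under Enhanced AMS: most restrictive of DEM and AMS."""
    return min(dem, ams)

def subapp_level(modeled, main_session, ams_grant, enhanced_ams):
    """Subapplication level; modeled and ams_grant are None when nothing is set."""
    if not enhanced_ams:
        # DEM only: an unmodeled subapplication inherits from its main session.
        return main_session if modeled is None else modeled
    # Enhanced AMS: nothing is inherited. Assumption of this example: an
    # unmodeled subapplication counts as blank (NA) on the DEM side.
    dem = Level.NA if modeled is None else modeled
    ams = Level.NA if ams_grant is None else ams_grant
    return process_browser_level(dem, ams)

def widened_in_ams(dem_model, ams_roles):
    """Sessions whose AMS level is wider than the aggregated DEM export,
    for example because a role was changed in AMS after the export."""
    findings = {}
    for session, ams in ams_roles.items():
        expected = aggregate_for_ams(dem_model.get(session, []))
        if ams > expected:
            findings[session] = (expected, ams)
    return findings

# Constructed sample data; the session names are placeholders, not LN sessions.
DEM_MODEL = {"sess-a": [Level.NA, Level.DISPLAY], "sess-b": [Level.FULL, Level.DISPLAY]}
AMS_ROLES = {"sess-a": Level.FULL, "sess-b": Level.FULL, "sess-c": Level.DISPLAY}

if __name__ == "__main__":
    for session, (expected, actual) in widened_in_ams(DEM_MODEL, AMS_ROLES).items():
        print(f"{session}: export={expected.name} ams={actual.name}")
```
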

You can actualize the DEM data and convert these to Runtime data in one go, without any action or authorization required in the AMS environment. To achieve this, use a parameter setting in the AMS Parameters (ttams0100m000) session.

Printing session authorizations

Customers require a clear overview of the authorizations of a certain employee for the LN applications. This is in connection with the Sarbanes-Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002).

These sessions are available to print the session authorizations:

  • DEM
    Print DEM session authorizations (tgbrg8441m000)
  • AMS
    Print Session Authorizations by User (ttams3400m000)
  • Enhanced AMS
    No specific Print session exists. The preferred method is to use the Authorization Workbench (ttams4300m000) session to view the AMS roles per user, role, or session.