LN user authorizations (OP-CE)

Initially, Normal users cannot use LN. Therefore, you must define some authorizations for the various LN software components.

The authorizations of an employee in a company are related to the employee's function or role in that organization; some employees have more authorizations than others. Likewise, LN's Authorization Management System (AMS) uses a role concept to define the authorizations of LN users.

In addition to these role-dependent authorizations, you can define additional authorizations that are not defined by the employee's role, for example the development parameters, device preferences, and other authorizations. These non-role-dependent authorizations are defined in templates, which you can connect to the user profile.

This diagram shows a schematic overview of how the user authorizations are split up into role-related authorizations and non-role-dependent authorizations:

[Figure: Schematic overview of the authorization concept in LN]

Note: At minimum, users must have some sort of session authorization, table authorization, and library authorization to use LN. Some default roles are automatically generated to ensure that normal users have sufficient authorization to log on.

Session Authorization (DEM, AMS and Enhanced AMS)

Use these methods for defining employee roles:

DEM

In DEM, an organization can be modeled, including DEM Business processes. DEM Business processes contain activities that should be executed, such as paying an invoice or raising a sales order. These activities can be LN sessions.

An LN user is linked one-to-one to a DEM employee. This employee has one or more DEM Roles. These DEM Roles are linked to one or more DEM Business processes. This way, access to the LN sessions is controlled from user login to LN session.

At runtime, an employee has a specific DEM menu, the Process browser. When an employee runs LN sessions from the Process browser, the modeled DEM authorizations are used to authorize all sessions in the menu. The DEM authorizations are deduced from the modeling information and are not stored in any static authorization tables.

If you start sessions from the Process browser, LN ignores any roles with session authorizations that are defined in AMS. The DEM roles and authorizations are not applicable if you start sessions from the Menu browser. They are only applicable if you use the Process browser.

AMS

In AMS, you can define roles with authorizations for sessions, tables, and table fields. The roles can be linked to Normal users. By default, Normal users do not have any authorization. Super users have Full authorization for all sessions and all tables. You can define different authorization levels, such as Full, Read Only, or Not authorized.

The roles that are linked to an LN user account decide what the user is allowed to execute in the LN Menu browser, and what the level of authorization is. The AMS authorizations are applicable if you start sessions through the Run Program command.

Enhanced AMS

This method is available to link DEM and AMS. You must explicitly enable Enhanced AMS in the AMS parameters, previously known as SSO Parameters. If LN is installed as a new installation, this is the default.

If Enhanced AMS is activated, the Tools > User Management > Authorization Management System menu contains the corresponding new sessions. The other sessions are removed.

If you use the DEM modeler, we recommend that you use the Enhanced AMS with DEM.

To enable Enhanced AMS with DEM:

If a session appears multiple times in the selected DEM version and project model, the widest authorization is used when aggregating the data. This table shows an example:
If you use Enhanced AMS, DEM subapplications are handled differently than if you use only DEM:
When the menu for the user is created using the Process browser, the most restrictive authorization of DEM and AMS is used. This table shows an example:
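
The two rules above (widest level wins when DEM data is aggregated, most restrictive of DEM and AMS wins in the Process browser) worked through as an added example; this is not LN code or part of the original documentation. The numeric ordering of the three levels, the session codes, and the treatment of a missing entry on either side as Not authorized are assumptions of this example.

```python
from enum import IntEnum


class Level(IntEnum):
    # Level names come from the page; the ordering (most restrictive
    # first, widest last) is this example's assumption.
    NOT_AUTHORIZED = 0
    READ_ONLY = 1
    FULL = 2


def aggregate_dem(occurrences):
    """Widest level wins when a session occurs several times in the model."""
    return max(occurrences, default=Level.NOT_AUTHORIZED)


def process_browser_level(dem_occurrences, ams_level=None):
    """Most restrictive of the aggregated DEM level and the AMS level."""
    dem = aggregate_dem(dem_occurrences)
    # Assumption: no AMS grant is treated as Not authorized.
    ams = Level.NOT_AUTHORIZED if ams_level is None else ams_level
    return min(dem, ams)


def effective_menu(dem_model, ams_roles):
    """Effective level for every session seen in DEM or AMS."""
    sessions = sorted(set(dem_model) | set(ams_roles))
    return {s: process_browser_level(dem_model.get(s, []), ams_roles.get(s))
            for s in sessions}


def mismatches(dem_model, ams_roles):
    """Sessions where one source grants more than the other allows."""
    return [s for s in sorted(set(dem_model) | set(ams_roles))
            if aggregate_dem(dem_model.get(s, []))
            != ams_roles.get(s, Level.NOT_AUTHORIZED)]


# Constructed sample data; session codes are placeholders, not LN sessions.
DEM_MODEL = {
    "sessA": [Level.READ_ONLY, Level.FULL],  # modeled twice
    "sessB": [Level.FULL],
    "sessC": [Level.READ_ONLY],              # no AMS grant
}
AMS_ROLES = {"sessA": Level.FULL, "sessB": Level.READ_ONLY,
             "sessD": Level.FULL}            # sessD not modeled in DEM

if __name__ == "__main__":
    for session, level in effective_menu(DEM_MODEL, AMS_ROLES).items():
        print(f"{session}: {level.name}")
    print("review:", mismatches(DEM_MODEL, AMS_ROLES))
```

The `mismatches` list is the part worth reviewing: each entry is a grant in one source that the other source narrows or cancels.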

Suppose a subapplication is not specifically modeled in DEM, and no authorization is granted in AMS. In an environment that uses Enhanced AMS, the user does not have any authorization to run this subapplication.

Using Enhanced AMS might look more complicated than using DEM authorizations, but it gives huge advantages in reporting and controlling the authorizations. The authorized sessions and subapplications are all clearly specified if they are required. This results in far fewer unnecessary authorization settings.

Enhanced AMS is required for the integration with Infor Risk & Compliance Authorization Insight (IRC). The data that is shared with IRC only has AMS as its source. The AMS role modeler can still change or overrule a specific AMS role.

To activate Enhanced AMS, you must perform a Convert to Runtime of all roles and all users. You can actualize the DEM data and convert these to Runtime data in one go, without any action or authorization required in the AMS environment. To achieve this, use a parameter setting in the AMS Parameters (ttams0100m000) session.

Printing session authorizations

Customers require a clear overview of the authorizations of a certain employee for the LN applications. This is in connection with the Sarbanes-Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002).

These sessions are available to print the session authorizations: