LN user authorizations

Initially, Normal users cannot use LN. Therefore, you must define some authorizations for the various LN software components.

The authorizations of an employee in a company are related to the employee's function or role in that organization. Some employees have more authorizations than others. Likewise, LN's Authorization Management System (AMS) also uses a role concept to define the authorizations of LN users.

In addition to these role-dependent authorizations, you can define additional authorizations that do not depend on the employee's role, for example the development parameters, device preferences, and other authorizations. These non-role-dependent authorizations are defined in templates, which you can connect to the user profile.

This diagram shows a schematic overview of how the user authorizations are split up into role-related authorizations and non-role-dependent authorizations:

Note: At minimum, users must have some sort of session authorization, table authorization, library authorization, and company authorization to use LN. Some default roles are already automatically generated to ensure normal users have sufficient authorization to log on.

Session Authorization (Enterprise Modeler, AMS, and Enhanced AMS)

Use these methods for defining employee roles:

  • Infor LN Enterprise Modeler (EM)
  • Authorization Management System (AMS)
  • Enhanced AMS, which fully integrates Enterprise Modeler with AMS

Enterprise Modeler

In Enterprise Modeler, an organization can be modeled, including Enterprise Modeler Business processes. Enterprise Modeler Business processes contain activities that should be executed, such as paying an invoice, or raising a sales order. These activities can be LN sessions.

An LN user is linked one-to-one to an Enterprise Modeler employee. This employee has one or more Enterprise Modeler Roles. These Enterprise Modeler Roles are linked to one or more Enterprise Modeler Business processes. This way the access to the LN sessions is controlled from user login to LN session.

At runtime, an employee has a specific Enterprise Modeler menu, the Process browser. When an employee runs LN sessions from the Process browser, the modeled Enterprise Modeler authorizations are used to authorize all sessions in the menu. The Enterprise Modeler authorizations are deduced from the modeling information and are not stored in any static authorization tables.

If Enhanced AMS is activated and the Support Export of EM Roles to AMS check box is cleared in the AMS Parameters (ttams0100m000) session, then the Enhanced AMS roles are ignored by LN when starting sessions from the Process Browser.

The Enterprise Modeler roles and authorizations are not applicable if you start sessions from the Menu browser. They are only applicable if you use the Process browser.

AMS

In AMS, you can define roles with authorizations for sessions, tables, table fields, libraries, and companies. The roles can be linked to Normal users. By default, Normal users do not have any authorization. Super users have Full authorization for all sessions and all tables.

You can define several authorization levels, such as Full, Read Only, or Not authorized.

The roles that are linked to an LN user account determine the authorizations, for example what the user is allowed to execute in the LN Menu browser and at what authorization level.

The AMS authorizations are applicable if you start sessions through the Run Program command.

Enhanced AMS

This method is available to link Enterprise Modeler and AMS, or Authorization and Security (SEC) and AMS. You must set the Enhanced AMS parameter to Enabled in the AMS Parameters (ttams0100m000) session.

Enhanced AMS with Enterprise Modeler

If you use Enterprise Modeler, then we recommend that you use Enhanced AMS with Enterprise Modeler.

To enable Enhanced AMS with Enterprise Modeler:

  1. Select the Support Export of EM Roles to AMS check box in the AMS Parameters (ttams0100m000) session. Now, Enterprise Modeler is used to model the organization and business activities, and AMS is used to control authorizations.
  2. Run the Aggregate Authorization Data (tgbrg9298m100) session. This session gathers the data from the selected Enterprise Modeler version and project model, and exports the data to AMS.

If a session appears multiple times in the selected Enterprise Modeler version and project model, then the widest authorization is used when aggregating the data. This table shows an example:

| Enterprise Modeler session occurrence 1 | Enterprise Modeler session occurrence 2 | After aggregate |
|---|---|---|
| No authorization | Display | Display |
| Full | Display | Full |

If you use Enhanced AMS with Enterprise Modeler, then subapplications are handled differently than if you use only Enterprise Modeler. See this list:

  • If you use only Enterprise Modeler, then a subapplication that is not specifically modeled has the same authorization level as the main session it is part of. That is, the authorization level is inherited. Not specifically modeled means not given an authorization level in the Enterprise Modeler module.
  • If you use Enhanced AMS, then a subapplication that is not specifically modeled is not included in the AMS authorizations.

When the menu for the user is created using the Process browser, the most restrictive authorization of Enterprise Modeler and AMS is used. This table shows an example:

| Enterprise Modeler | AMS | Runtime |
|---|---|---|
| Display | Full | Display |
| Full | Display | Display |
| NA or blank | Full | NA |
| Full | NA or blank | NA |

Suppose a subapplication is not specifically modeled in Enterprise Modeler, and no authorization is granted in AMS. In an environment that uses Enhanced AMS, the user does not have any authorization to run this subapplication.

Using Enhanced AMS might look more complicated than using Enterprise Modeler authorizations, but it gives huge advantages in reporting and controlling the authorizations. The authorized sessions and subapplications are all clearly specified if they are required. This results in far fewer unnecessary authorization settings.
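The aggregation rule, the runtime rule, and the subapplication behavior described above, worked through in Python. This is an added example, not Infor code; it assumes the ordering NA < Display < Full implied by the two tables, and the session names are hypothetical.

```python
from enum import IntEnum

class Level(IntEnum):
    NA = 0        # "No authorization", "NA" or blank in the tables
    DISPLAY = 1
    FULL = 2

def aggregate(occurrences):
    """Export to AMS: the widest level among a session's occurrences wins."""
    return max(occurrences, default=Level.NA)

def export_to_ams(em_occurrences):
    """Only specifically modeled entries reach AMS; nothing is inherited."""
    return {name: aggregate(lv) for name, lv in em_occurrences.items()}

def runtime(em, ams):
    """Process browser menu: the most restrictive of EM and AMS applies."""
    return min(em, ams)

def em_only(name, modeled, parent_of):
    """Enterprise Modeler alone: an unmodeled subapplication inherits its main session's level."""
    if name in modeled:
        return modeled[name]
    return modeled.get(parent_of.get(name), Level.NA)

def widened(em_occurrences):
    """Sessions whose aggregated level exceeds their narrowest occurrence (review candidates)."""
    return sorted(n for n, lv in em_occurrences.items() if lv and max(lv) > min(lv))

# Constructed sample data; the names are hypothetical, not real LN session codes.
EM_OCCURRENCES = {
    "orders":   [Level.FULL, Level.DISPLAY],
    "invoices": [Level.NA, Level.DISPLAY],
    "ledger":   [Level.DISPLAY],
}
PARENT_OF = {"orders.lines": "orders"}   # subapplication, not specifically modeled

if __name__ == "__main__":
    ams = export_to_ams(EM_OCCURRENCES)
    for name in [*EM_OCCURRENCES, *PARENT_OF]:
        # Assumption for the demo: the EM-only level equals the aggregated level.
        inherited = em_only(name, ams, PARENT_OF)
        enhanced = runtime(inherited, ams.get(name, Level.NA))
        print(f"{name:13} EM only={inherited.name:8} Enhanced AMS={enhanced.name}")
    print("widened by aggregation:", widened(EM_OCCURRENCES))
```

The `widened` list is the part worth reviewing before a Convert to Runtime: those sessions receive a wider AMS level than at least one of their modeled occurrences.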

Enhanced AMS is required for the integration with Infor Governance, Risk and Compliance (GRC) Authorization Insight. The data that is shared with GRC only has AMS as its source.

The AMS role modeler can still change or overrule a specific AMS role. To activate Enhanced AMS, you must run a Convert to Runtime of all roles and all users.

You can update the Enterprise Modeler data and convert it to Runtime data in one go, without any action or authorization required in the AMS environment. To achieve this, use a parameter setting in the AMS Parameters (ttams0100m000) session.

Enhanced AMS with Authorization and Security (SEC)

  1. Select the IFS Owner of Security User Data check box in the AMS Parameters (ttams0100m000) session.
  2. For AMS roles, set the Maintenance Ownership field to Outside LN in the User Data Maintenance Ownership Parameters (ttaad2112m000) session.
  3. Select the Support Export of SEC Roles to AMS check box in the AMS Parameters (ttams0100m000) session. Now, authorization roles that are created in SEC can be exported to AMS and then assigned to users in IFS.
  4. In the Authorization Roles (tcsec0120m000) session, click Generate Authorization Roles in AMS on the Actions menu to generate role data in the Role Data (ttams4100m000) session.
  5. To create employees and assign permissions to employees for SEC authorization roles in the LN application, select the Send SecurityUserMasterBOD to Infor LN Application check box in the AMS Parameters (ttams0100m000) session.

    For new users, employees are created in the LN application based on the value of the Create Employee for forwarded User BOD field in the BOD Parameters (tcbod0100m000) session.

Printing session authorizations

Customers require a clear overview of the authorizations of a certain employee for the LN applications. This is in connection with the Sarbanes-Oxley Act, officially titled the Public Company Accounting Reform and Investor Protection Act of 2002.

These sessions are available to print the session authorizations:

  • Enterprise Modeler

    Print Enterprise Modeler session authorizations (tgbrg8441m000)
  • AMS

    Print Session Authorizations by User (ttams3400m000)
  • Enhanced AMS

    No specific print session exists. The preferred method is to use the Authorization Workbench (ttams4300m000) session to view the AMS roles per user, role or session.