AMS Parameters (ttams0100m000)

Use this session to configure Single Sign On (SSO). If SSO is activated for LN, the User Data (ttaad2500m000) session shows a number of additional fields that are used to map the Infor SSO user to the LN user and the OS user. For security reasons, an OS group (for example bsp) must be set up. This group contains only the OS users who are allowed to perform administrative tasks.

Note: If you use the Enterprise Modeler Content Pack with LN, consider using the MIT0050 (Enhanced Authorization Management System) wizard to set up enhanced AMS. You can execute this predefined wizard from the Wizards by Project Model (tgwzr4502m000) session after you have specified the business function model for your company.

SSO Active

By default, this field is not selected and the other parameters cannot be changed. If this field is selected, SSO becomes active and the Infor SSO Service Location and Generic System User fields are enabled.

Infor SSO Service Location

This field is mandatory if SSO Active is selected. Specify the URL of the SSO Service location that you set up earlier.

This parameter is converted into the resource file $BSE/lib/sso_config as:

  • sso_location:<url>

This file must be assigned to the OS group that performs administrative tasks and must be writable only by that group.
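
An added example, not part of the Infor documentation: a Python check for a non-Windows server that the file belongs to the administrative group, is not world-writable, and contains the sso_location and generic_user entries this page lists. The function names, the sample URL and the temporary file are constructed for illustration.

```python
import grp
import os
import stat
import tempfile

# Entries this page says are written to sso_config when SSO is active.
REQUIRED_KEYS = ("sso_location", "generic_user")


def parse_sso_config(text):
    """Parse key:value lines, splitting on the first colon only (URLs contain colons)."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key:
            entries[key] = value.strip()
    return entries


def group_name(gid):
    """Resolve a gid to a group name, falling back to the number if unnamed."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_sso_config(path, admin_group):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    st = os.stat(path)
    if group_name(st.st_gid) != admin_group:
        findings.append(f"group is {group_name(st.st_gid)}, expected {admin_group}")
    if st.st_mode & stat.S_IWOTH:
        findings.append("writable by users outside the group")
    with open(path, encoding="utf-8") as fh:
        entries = parse_sso_config(fh.read())
    findings += [f"missing or empty entry: {k}" for k in REQUIRED_KEYS if not entries.get(k)]
    return findings


if __name__ == "__main__":
    # Constructed sample: world-writable and without generic_user.
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("sso_location:https://sso.example.invalid:8443/svc\n")
    os.chmod(fh.name, 0o666)
    print(audit_sso_config(fh.name, group_name(os.stat(fh.name).st_gid)))
    os.unlink(fh.name)
```

On a server, call audit_sso_config with the path $BSE/lib/sso_config and the name of your administrative group (bsp in this page's example).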

Windows Domain

Specify the Windows domain in which the user accounts and security information for the resources of your domain reside. This is usually <company name>, for example infor, or, for a local account, the machine name.

Generic System User

This field is mandatory if SSO Active is selected. The specified Generic System User is used when ipc_boot is started. This user is used to log in to the OS when ERP LN is started through SSO. However, for individual users this can be overruled by explicitly configuring another System User. Both the OS user and the SSO user are configurable in the User Data (ttaad2500m000) session. The data specified here becomes the default OS user identity that is used in SSO mode to run the binaries.

This parameter is converted into the resource file $BSE/lib/sso_config as follows:

  • generic_user:<Generic User>

Note: You must enter a user that resides in the domain specified in the Windows Domain field.

Password

The password of the user specified in the Generic System User field.

For Windows only. On Windows, the plain-text password is required to switch to a specific user. The specified password is immediately encrypted with a key-driven ciphering algorithm. During the convert to runtime, this field is then (for Windows only) written to the sso_config file as gu_passwd:<Crypted Password>.

Note: Every user who enters through the SSO Service now runs as the same Generic System User at OS level.

Overrule System User Allowed

This check box is selected by default. This means that the Generic System User can be overruled per user in the User Data (ttaad2500m000) session. The System Login field in the User Data (ttaad2500m000) session also becomes editable. If that field is left empty, the value of the SSO parameter Generic System User is used during the convert to runtime.

If this check box is cleared, every user runs the binaries impersonated as Generic System User. Also, if the SSO parameter Overrule System User is not selected, the System Login field in the User Data (ttaad2500m000) session is not editable and the value of the SSO parameter Generic System User is shown.

Note: In a Windows environment, you cannot select this check box. You can only overrule the generic system user in non-Windows environments.

IFS Owner of Security User Data

This is a display field indicating whether IFS is the system of record (SOR) with respect to user data.

Automatic Convert to Runtime from IFS

This field indicates whether LN performs a convert to runtime upon receiving new user data from IFS.

Use UPN instead of SAM Account Name

This field is relevant for on-premises situations. It indicates whether the UPN instead of the SAM account name must be used when logging in from the LN UI.

Enhanced AMS
Enabled

If this check box is selected, the DE/ACTIVATE text button is disabled.

If this check box is cleared, the DE/ACTIVATE button is displayed.

The Activate action migrates data from the old AMS tables to the new ones. Afterwards, the parameter Enhanced AMS Enabled is set to Yes in ttams000.

Support Export of EM Roles to AMS

If this check box is selected, the export of Enterprise Modeler Roles to AMS is supported.

This simplifies the modeling of EM sub-applications. You do not need to define authorizations for sessions that users are not allowed to use. It suffices to specify the authorizations for the sessions that users actually require to perform a specific business task.

Automatically Start Actualization

If this check box is selected, the authorizations are automatically actualized during the export of EM Roles to AMS. That is, the Actual Authorization is directly overwritten by the Current DEM Authorization. Upon deletion, the role assignments are removed, not just detached.

Automatically Start Convert to Runtime

If this check box is selected, the changes are automatically converted to runtime after the export of EM Roles to AMS.

Role History

If this check box is selected, the Role History Data (ttams4175m000) session is shown in the AMS menu. The data is generated when a role is converted to runtime.