AMS Parameters (ttams0100m000)

Use this session to configure Single Sign On (SSO). If SSO is activated for LN, the User Data (ttaad2500m000) session shows a number of fields that are used to map the Infor SSO user to the LN user and the OS user. For security reasons, an OS group (for example bsp) must be set up. This group contains only OS users who are allowed to perform administrative tasks.

Note: If you use the Enterprise Modeler Content Pack with LN, consider using the MIT0050 (Enhanced Authorization Management System) wizard to set up enhanced AMS. You can execute this predefined wizard from the Wizards by Project Model (tgwzr4502m000) session after you have specified the business function model for your company.

Field Information

SSO Active

If this check box is selected, SSO becomes active and the Infor SSO Service Location and Generic System User fields are enabled.

Infor SSO Service Location

This field is mandatory if SSO Active is selected. Specify the URL of the SSO Service location that you set up earlier.

This parameter is converted into the resource file $BSE/lib/sso_config as:

  • sso_location:<url>

This file must be assigned to the OS group for administrative tasks and must be writable only by that group.

Windows Domain

Specify the Windows domain where the user accounts and security information for the resources of your domain reside. This is usually <company name>, for example infor, or, in case of a local account, the machine name.

Generic System User

This field is mandatory if SSO Active is selected. The supplied Generic System User is used when ipc_boot is started. This user is used to log in to the OS when LN is started through SSO. For individual users, this can be overruled by explicitly configuring another System User. Both the OS user and the SSO user are configurable in the User Data (ttaad2500m000) session. The data specified here becomes the default OS User identity that is used in SSO mode to run the binaries.

This parameter is converted into the resource file $BSE/lib/sso_config as follows:

  • generic_user:<Generic User>

Note: You must enter a user that resides in the domain specified in the Windows Domain field.

Password

The password of the user specified in the Generic System User field.

For Windows only. On Windows, the plain password is required to switch to a certain user. The password that is specified is immediately encrypted by a key-driven ciphering algorithm. During the convert to runtime, this field is then (for Windows only) written to the sso_config file as gu_passwd:<Crypted Password>.
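A check of the sso_config requirements described above (group ownership, write permission, mandatory keys), added here as an example and not part of the Infor documentation. The function names, the sample URL and the assumption that the file holds one key:value entry per line are illustrative.

```shell
#!/bin/sh
# Audit an LN sso_config file against the requirements stated on this page.
# Assumption: the file holds one "key:value" entry per line, as the page shows.

# Print the value of KEY in FILE (text after the first colon), first match only.
sso_value() {
    sed -n "s/^$2://p" "$1" | head -n 1
}

# audit_sso_config FILE ADMIN_GROUP
# Prints one finding per line; returns 0 if clean, 1 if there is any finding.
audit_sso_config() {
    file=$1 admin_group=$2 rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING: $file"; return 1
    fi
    # Field 4 of 'ls -ld' is the owning group.
    group=$(ls -ld "$file" | awk '{print $4}')
    if [ "$group" != "$admin_group" ]; then
        echo "GROUP: owned by group '$group', expected '$admin_group'"; rc=1
    fi
    # -perm -002 matches when the write bit for "other" is set.
    if [ -n "$(find "$file" -prune -perm -002)" ]; then
        echo "MODE: world-writable (write bit set for other)"; rc=1
    fi
    # Both keys are mandatory once SSO Active is selected.
    for key in sso_location generic_user; do
        if [ -z "$(sso_value "$file" "$key")" ]; then
            echo "KEY: $key missing or empty"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: a sample file in a temp dir, made world-writable on purpose
# and lacking generic_user, audited against the example group name bsp.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'sso_location:https://sso.example.invalid/service\n' > "$dir/sso_config"
    chmod 666 "$dir/sso_config"
    audit_sso_config "$dir/sso_config" bsp || true
    rm -rf "$dir"
}

demo
```

On a real system, call audit_sso_config with "$BSE/lib/sso_config" and the name of your administrative OS group.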

Note: Be aware that every user who enters through the SSO Service now runs as the same Generic System User at OS level.

Overrule System User Allowed

If this check box is selected, the Generic System User can be overruled per user in the User Data (ttaad2500m000) session. Also, the System Login field in the User Data (ttaad2500m000) session becomes editable. If that field is blank, the value of the SSO parameter Generic System User is used during the convert to runtime.

If this check box is cleared, every user runs the binaries impersonated as Generic System User. Also, the System Login field in the User Data (ttaad2500m000) session is not editable and the value of the SSO parameter Generic System User is shown.

Note: In a Windows environment, you cannot select this check box. You can only overrule the generic system user in non-Windows environments.

IFS Owner of Security User Data

This is a display field indicating whether IFS is the system of record (SOR) with respect to user data.

Automatic Convert to Runtime from IFS

This field indicates whether LN performs a convert to runtime upon receiving new user data from IFS.

Use UPN instead of SAM Account Name

This field is relevant for on-premises situations. It indicates whether the UPN instead of the SAM account name must be used when logging in from the LN UI.

User Company History

If this check box is selected, the User Company History (ttams4178m000) session is shown in the AMS menu.

The history data is generated when the user company data, as available in the User Companies (ttams4161m000) session, is converted to runtime.

Enhanced AMS

Enabled

If this check box is selected, the DE/ACTIVATE text button is disabled.

If this check box is cleared, the DE/ACTIVATE button is displayed.

The Activate action migrates data from the old AMS tables to the new ones. Afterwards, the Enhanced AMS parameter is set to Enabled.

Support Export of EM Roles to AMS

If this check box is selected, the export of Enterprise Modeler Roles to AMS is supported.

This simplifies the modeling of EM sub-applications. You do not need to define authorizations for sessions that users are not allowed to use. It suffices to specify the authorizations for the sessions that users actually require to perform a specific business task.

Automatically Start Actualization

If this check box is selected, the authorizations are automatically actualized during the export of EM Roles to AMS. That is, the Actual Authorization is directly overwritten by the Current DEM Authorization. Upon deletion, the role assignments are removed and not just detached.

Support Export of SEC Roles to AMS

If this check box is selected, Authorization and Security (SEC) roles can be generated in AMS. Consequently, roles that are created in SEC can be assigned to users in IFS.

This check box can be selected only if these conditions apply:

  • The Enhanced AMS parameter is set to Enabled.
  • The IFS Owner of Security User Data check box is selected.
  • For AMS roles, the Maintenance Ownership field is set to Outside LN in the User Data Maintenance Ownership Parameters (ttaad2112m000) session.

Send SecurityUserMasterBOD to Infor LN Application

If this check box is selected, then AMS sends received user BODs to the LN application to create employees and assign permissions to employees for SEC authorization roles.

For new users, employees are created in the LN application based on the value of the Create Employee for forwarded User BOD field in the BOD Parameters (tcbod0100m000) session.

Automatically Start Convert to Runtime

If this check box is selected, the changes are automatically converted to runtime after the export of EM or SEC roles to AMS.

Role History

If this check box is selected, the Role History Data (ttams4175m000) session is shown in the AMS menu. The data is generated when a role is converted to runtime.

Data Admin Role

If a role is specified in this field, normal users with this role may perform table reconfiguration actions in these data admin role-enabled sessions:

  • Create Runtime Data Dictionary (ttadv5210m000)
  • Create Runtime Data Dictionary for Infor LN Server (ttadv5211s000)
  • Create Runtime Data Dictionary for Infor LN Server (ttadv5213m000)
  • Convert to Runtime Data Dictionary (ttadv5215m000)
  • Create Runtime Data Definitions without Ref. Integrity (ttadv5217m000)
  • Convert Runtime Directory to Runtime (ttadv5218s000)
  • Reorganize Tables (ttaad4225m000)

If no role is specified in this field, only super users can perform table reconfiguration actions in the data admin role-enabled sessions. However, normal users can still run the Create Runtime Data Dictionary (ttadv5210m000) session, but they cannot select the Reconfigure Tables check box.

Note: 
  • You can only specify a value in this field if the Enhanced AMS parameter is set to Enabled.
  • After changing the contents of this field, click Dump. As a result, the $BSE/lib/roles/ams.config file is updated or removed. In a cloud situation, you must not only dump the AMS parameters, but also dump all user files. Click YES to the question about also dumping the user files.

See Table reconfiguration by normal users.