Administrative Profile Securable Objects
To secure the Lawson Security Administrator, you can secure individual objects, such as profiles, security classes, or objects within a product line, or you can secure all objects of a certain type. Security defined on an individual object overrides any security defined for that object's securable type. For example, you can deny access to all profiles in general and then override that denial for a specific profile.
Securable Types
Securable Type | Description |
---|---|
TOKEN | Forms for application programs |
FILE | Database tables or files |
ELEMENT | Database elements. (Elements are the global definition of a field—that is, a field, such as COMPANY, wherever it appears, not just in one table.) |
ELMGRP | Element groups. (Element groups are sets of elements you can define in order to control access to forms that use that set of elements as the keys to the database records it accesses.) |
EXECUTABLE | Environment programs and utilities |
SERVER | The server for Lawson Security. Security administrators must have at least Inquire access to this type, or they will not be able to access the Lawson Security Administrator. Security administrators who need to change Lawson Security server settings or parameters must have either all access to the server or the "Modify server configuration" access. |
ROLE | Roles |
PROFILE | Security profiles |
DATASOURCE | Data areas and data IDs |
SECCLASS | Security classes |
CATEGORY | System codes |
PROGRAM | Online and batch programs |
TYPE | Securable types |
PRINTER | Printers |
JOBQUEUE | Job queues |
RMOBJECT | Lawson-related objects and attributes stored in LDAP, plus access to the Schema Editor and to mass assignment options for user setup. |
Securable Objects
Securable Object | Description |
---|---|
Profiles | Any of the profiles defined on your system, including the administrative profile. For example, you might want to prevent access for security sub-administrators to the administrative profile so that they cannot change their administrative access privileges. |
Files | Within each profile, you can control whether the security administrators can write rules for specific files. |
Online programs | Within each profile, you can control whether the security administrators can write rules for online forms at the level of system codes, programs, and individual forms. |
Batch programs | Within each profile, you can control whether the security administrators can write rules for batch programs at the level of system codes and individual programs. |
Element groups | Within each profile, you can control whether the security administrators can write rules for element groups. |
Data sources | You can control whether the security administrators can write rules for specific data sources (data areas and data IDs). |
Roles | You can control which roles the security administrators are allowed to work with. For example, you might want to prevent security sub-administrators from assigning additional users (including themselves) to the role for the security super-administrator. |
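
The override rule and the delegation checks described above (SERVER access, the administrative profile, the super-administrator role) can be modeled for review purposes. This is an added example, not Lawson code or rule syntax; the three access levels, the no-access default, and the profile and role names are assumptions made for the sketch.

```python
from dataclasses import dataclass, field

# Simplified access levels for this sketch (assumption; the product has finer-grained rights).
RANK = {"NONE": 0, "INQUIRE": 1, "ALL": 2}

@dataclass
class AdminGrants:
    by_type: dict = field(default_factory=dict)    # securable type -> level
    by_object: dict = field(default_factory=dict)  # (type, object name) -> level

    def effective(self, sec_type, name=None):
        # An object-level setting overrides the setting for its securable type.
        if name is not None and (sec_type, name) in self.by_object:
            return self.by_object[(sec_type, name)]
        # Assumption: nothing defined at either level means no access.
        return self.by_type.get(sec_type, "NONE")

def review(grants, admin_profile, super_role):
    """Return findings for a sub-administrator's delegated access."""
    findings = []
    if RANK[grants.effective("SERVER")] < RANK["INQUIRE"]:
        findings.append("SERVER below Inquire: cannot open Lawson Security Administrator")
    if grants.effective("PROFILE", admin_profile) != "NONE":
        findings.append(f"PROFILE {admin_profile}: can reach own administrative privileges")
    if grants.effective("ROLE", super_role) != "NONE":
        findings.append(f"ROLE {super_role}: can work with the super-administrator role")
    return findings

# Constructed sample data; profile and role names are hypothetical.
ADMIN_PROFILE, SUPER_ROLE = "AdminProfile", "SecSuperAdmin"

# Deny all profiles by type, then open one specific profile (the page's example).
scoped = AdminGrants(
    by_type={"SERVER": "INQUIRE", "PROFILE": "NONE", "ROLE": "ALL"},
    by_object={("PROFILE", "HRProfile"): "ALL", ("ROLE", SUPER_ROLE): "NONE"},
)
# Broad type-level grants with no object-level exceptions and no SERVER access.
broad = AdminGrants(by_type={"PROFILE": "ALL", "ROLE": "ALL"})

if __name__ == "__main__":
    for label, g in (("scoped", scoped), ("broad", broad)):
        print(label, review(g, ADMIN_PROFILE, SUPER_ROLE) or "no findings")
```

The `scoped` profile produces no findings because its object-level entries win over the type-level settings in both directions; `broad` produces all three.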