Changing All Records Except Current User's

Lawson users who perform tasks like updating payroll information and releasing journal entries have wide powers within their organizations.

Some customers might want to write rules that add checks so that users cannot sidestep approvals. For example, you could write a rule that would let a user have access to all payroll records in your system except his or her own. This would prevent a user from making an inappropriate status change.

The subsections that follow explain how to do this using examples from the Human Resources / Payroll and General Ledger applications.

Payroll clerk: Ability to change status for all users except self

Suppose your organization has one payroll clerk who is responsible for all data entry related to salary and other status changes on HR11.1.

The following illustration shows the conditional rule you would need to write to enforce this restriction.

This example assumes the following:

  • The customer uses the EMPLOYEE Self-Service application.

  • The customer has created groups, which are optional in Lawson Security.

There are other ways that this rule could be written. Because the customer uses groups and because HR workers are in a group, the rule can make use of the Lawson Security function isMemberof() to verify a user's status. In this example, the user's Process Level and membership in a group are used to verify the user's ability to access particular data. The EMPLOYEE agent verifies the user's ID. The rule states that if the user's ID matches the ID on the record that the user is currently attempting to access, access is denied. If the user is attempting to access any other record, access is granted.

Illustration: Rule to give access to HR11.1 but deny access to current user

General Ledger clerk: Ability to release journal entries created by other users but not self

The rule described in this section prevents a person who is able to release journal entries from releasing an entry he or she created. The intent is to ensure that a user does not release an entry without acquiring all necessary approvals.

Only objects that appear on a form can be queried. The GetDBFields() function makes data from files (tables) in the database available to be queried in a rule. The function does this by locating data in files through key fields that are also referenced on a form. You must include all key fields associated with the object in the rule.

The reason for using the GetDBFields() function in this case is to make use of security that is built into the GL application. The OPERATOR field in the GLCONTROL table contains a list of users who are allowed to access journal entry records. The rule uses OPERATOR data to determine whether the user who is currently attempting to release a particular entry is the same person who created the entry. If so, the user can perform all functions associated with the form except "R" (Release). If the entry was created by any other user, access is granted.

Illustration: Rule to allow the user to release journal entries except those that he or she has created
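
The decision logic of the two rules described on this page, modeled as plain JavaScript functions. This is an added example, not Lawson rule syntax and not code from the original page: every function name, field name and sample row is hypothetical or constructed. The equality match on Process Level and the denial when an ID or key field is missing are assumptions.

```javascript
// Added example: models the decision logic only; this is not Lawson rule syntax.
// Every name and all sample data below are hypothetical / constructed.

// Constructed stand-in for GLCONTROL rows; the key fields here are placeholders.
const GLCONTROL = [
  { company: 100, fiscalYear: 2024, controlGroup: 7, operator: "jsmith" },
  { company: 100, fiscalYear: 2024, controlGroup: 8, operator: "mlee" },
];
const KEY_FIELDS = ["company", "fiscalYear", "controlGroup"];

// True only when both IDs are present and differ after trimming and case-folding,
// so "JSmith " does not pass as another user and a missing ID never grants access.
function isOtherUser(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  const x = a.trim().toLowerCase();
  const y = b.trim().toLowerCase();
  return x !== "" && y !== "" && x !== y;
}

// Stand-in for a key-field lookup: null unless every key field is supplied and matches.
function lookupGlControl(form) {
  if (!KEY_FIELDS.every((k) => form[k] !== undefined && form[k] !== null)) return null;
  return GLCONTROL.find((r) => KEY_FIELDS.every((k) => r[k] === form[k])) || null;
}

// Payroll rule: an HR group member may open any record except his or her own.
// Assumption: the Process Level check is an equality match between user and record.
function canAccessHr11(user, record) {
  if (!user.groups.includes("HR")) return false;
  if (user.processLevel !== record.processLevel) return false;
  return isOtherUser(user.id, record.employeeUserId);
}

// GL rule: all function codes are allowed except "R" (Release) on the user's own entry.
// Assumption: Release is denied when the creator cannot be looked up (fail closed).
function glFunctionAllowed(user, form, functionCode) {
  if (String(functionCode).trim().toUpperCase() !== "R") return true;
  const row = lookupGlControl(form);
  return row !== null && isOtherUser(user.id, row.operator);
}

const clerk = { id: "jsmith", groups: ["HR"], processLevel: "CORP" };
const ownEntry = { company: 100, fiscalYear: 2024, controlGroup: 7 };
const otherEntry = { company: 100, fiscalYear: 2024, controlGroup: 8 };
console.log(canAccessHr11(clerk, { employeeUserId: "JSmith ", processLevel: "CORP" })); // false
console.log(glFunctionAllowed(clerk, ownEntry, "R"), glFunctionAllowed(clerk, otherEntry, "R")); // false true
```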