Administrative Profile Securable Objects

To secure the Lawson Security Administrator, you can secure individual objects, such as profiles, security classes, or objects within a product line, or you can secure all objects of a certain type. Security that you define on an individual object overrides any security that you define for that object's securable type. For example, you can deny access to all profiles in general and then override that denial for a specific profile.

Securable Types

Securable Type    Description
TOKEN             Forms for application programs
FILE              Database tables or files
ELEMENT           Database elements. (Elements are the global definition of a field—that is, a field, such as COMPANY, wherever it appears, not just in one table.)
ELMGRP            Element groups. (Element groups are sets of elements you can define in order to control access to forms that use that set of elements as the keys to the database records they access.)
EXECUTABLE        Environment programs and utilities
SERVER            The server for Lawson Security. Security administrators must have at least Inquire access to this type, or they will not be able to access the Lawson Security Administrator. Security administrators who need to change Lawson Security server settings or parameters must be given either all access to the server or the "Modify server configuration" access.
ROLE              Roles
PROFILE           Security profiles
DATASOURCE        Data areas and data IDs
SECCLASS          Security classes
CATEGORY          System codes
PROGRAM           Online and batch programs
TYPE              Securable types
PRINTER           Printers
JOBQUEUE          Job queues
RMOBJECT          Lawson-related objects and attributes stored in LDAP, plus access to the Schema Editor and to mass assignment options for user setup.

Securable Objects

Securable Type    Description
Profiles          Any of the profiles defined on your system, including the administrative profile. For example, you might want to prevent access for security sub-administrators to the administrative profile so that they cannot change their administrative access privileges.
Files             Within each profile, you can control whether the security administrators can write rules for specific files.
Online programs   Within each profile, you can control whether the security administrators can write rules for online forms at the level of system codes, programs, and individual forms.
Batch programs    Within each profile, you can control whether the security administrators can write rules for batch programs at the level of system codes and individual programs.
Element groups    Within each profile, you can control whether the security administrators can write rules for element groups.
Data sources      You can control whether the security administrators can write rules for specific data sources (data areas and data IDs).
Roles             You can control which roles the security administrators are allowed to work with. For example, you might want to prevent security sub-administrators from assigning additional users (including themselves) to the role for the security super-administrator.
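
The override rule and the sub-administrator restrictions described above, modelled as an added example (this is not Lawson code or Lawson rule syntax). The rule layout, the access labels DENY, INQUIRE and ALL, and the profile and role names are assumptions made for illustration.

```python
# Illustrative model only. The rule layout, the access labels (DENY, INQUIRE,
# ALL) and every object name are assumptions, not Lawson's rule syntax.

def effective_access(rules, sec_type, obj_name=None):
    """Return the object-level rule if one exists, else the type-level rule.

    None means no rule is defined at either level; the page does not state
    what the product does in that case, so callers must decide.
    """
    obj_rule = rules.get("objects", {}).get((sec_type, obj_name))
    if obj_rule is not None:
        return obj_rule
    return rules.get("types", {}).get(sec_type)


def audit_sub_admin(rules, admin_profile, super_role):
    """List delegation problems the page warns about for a sub-administrator."""
    findings = []
    # Without at least Inquire on SERVER the administrator tool is unreachable.
    if effective_access(rules, "SERVER") not in ("INQUIRE", "ALL"):
        findings.append("SERVER: lacks Inquire, cannot open the administrator")
    # The administrative profile and the super-administrator role should be
    # explicitly denied so a sub-administrator cannot widen their own access.
    for sec_type, name in (("PROFILE", admin_profile), ("ROLE", super_role)):
        access = effective_access(rules, sec_type, name)
        if access != "DENY":
            findings.append(f"{sec_type} {name}: not denied (effective: {access})")
    return findings


# Constructed sample: profiles denied by type, one profile re-opened by object.
SUB_ADMIN = {
    "types": {"SERVER": "INQUIRE", "PROFILE": "DENY", "ROLE": "ALL"},
    "objects": {("PROFILE", "HR_PROFILE"): "ALL"},
}

if __name__ == "__main__":
    print(effective_access(SUB_ADMIN, "PROFILE", "HR_PROFILE"))
    print(effective_access(SUB_ADMIN, "PROFILE", "ADMIN_PROFILE"))
    for finding in audit_sub_admin(SUB_ADMIN, "ADMIN_PROFILE", "SuperAdminRole"):
        print(finding)
```

In the sample, the type-level ROLE rule grants all access and no object-level rule denies the super-administrator role, so the audit reports that role as reachable by the sub-administrator.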