What Is the Build Security Utility?
The bldora11sec, bldora12sec, and bldora18sec utilities duplicate Lawson table-level security in the Oracle database.
Security constraints and privileges placed on database tables are enforced when users attempt to use Lawson applications to access those tables. When non-Lawson applications or tools access Lawson data stored in the Oracle database, they do not encounter any Lawson security restrictions or privileges.
When you make changes to any of your table-level security constraints, run bldora11sec, bldora12sec, or bldora18sec, depending on your Oracle version, to implement the changes in the Oracle database. When you drop and recreate any tables, either by using the utility or by reorganizing the Lawson database, you also drop all security constraints on those tables in the Oracle database. Depending on your Oracle version, run bldora11sec, bldora12sec, or bldora18sec again to reinsert your table-level constraints.
If you use Oracle's operating system user authentication, the user running the bldora11sec, bldora12sec, or bldora18sec utility must have the CREATE ROLE system privilege.
For more general information on security planning and implementation, see:
- Administration guides provided by your database vendor
- Lawson Security and Resource Management Administration Guide
Using the Utility with Lawson Security and Resource Management
In Lawson Security, data level security and user information may be stored in LDAP. The bldora11sec, bldora12sec, and bldora18sec utilities use Lawson Security APIs to retrieve security data from LDAP, based on security rules and the specified database service. Grant and revoke SQL statements are generated from this information.
Database drivers use database services to connect to the RDBMS. If your system uses Lawson Security, you must specify a database service for this utility using the DatabaseService parameter. RMIds and their permissions on tables in a product line are determined, and access to the database service is validated. If the RMId has access to the service, bldora11sec, bldora12sec, and bldora18sec resolve the database login and generate the grant or revoke SQL statement.
The checkLS flag must be set to ON for a user (RMId) in order for grant or revoke SQL statements to be generated for that user.
The bldora11sec utility only resolves designated database logins for RMIds. It does not retrieve privileged database logins. This means that the service specified by the DatabaseServices argument must have a USE_USER_ID or USE_USER_AND_PRIVILEGED_ID LoginProcedure assigned to it.
Database Time Stamp Considerations
The bldora11sec, bldora12sec, and bldora18sec utilities check the table version stamp, with the following results:
- If the table version stamp is missing, the utility returns an error.
- If the utility finds the table version stamp, it checks the Lawson repository to see which security classes have access to which tables in the given data area.
- If a security class has full access to a table, the utility grants the matching Oracle role permission to select, insert, update, and delete rows in the table.
- If a security class has read-only access to a table, the utility grants the matching Oracle role permission only to select rows in the table.
- If a security class has no access to a table, it revokes all permissions on the table from the matching Oracle role.
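
The following audit check is an added example, not part of the Lawson utilities and not a description of the SQL they generate. It applies the access rules listed above to rows shaped like Oracle's DBA_TAB_PRIVS view and reports where actual grants differ from intended access, for instance after a table was dropped and recreated. The role and table names, the access matrix format, and the find_drift function are assumptions made for the illustration.

```python
# Added example. Rows mimic (GRANTEE, TABLE_NAME, PRIVILEGE) from Oracle's
# DBA_TAB_PRIVS view; all role and table names are constructed.

# Access rules from the list above, per security class / matching Oracle role.
EXPECTED_PRIVS = {
    "full": {"SELECT", "INSERT", "UPDATE", "DELETE"},
    "read-only": {"SELECT"},
    "none": set(),
}

def find_drift(access_matrix, grant_rows):
    """Return {(role, table): {"missing": set, "excess": set}} for mismatches.

    access_matrix: {(role, table): "full" | "read-only" | "none"} (hypothetical format)
    grant_rows: iterable of (grantee, table_name, privilege) tuples
    """
    actual = {}
    for grantee, table, privilege in grant_rows:
        actual.setdefault((grantee.upper(), table.upper()), set()).add(privilege.upper())

    drift = {}
    for (role, table), level in access_matrix.items():
        if level not in EXPECTED_PRIVS:
            raise ValueError(f"unknown access level {level!r} for {role}.{table}")
        want = EXPECTED_PRIVS[level]
        have = actual.get((role.upper(), table.upper()), set())
        if have != want:
            drift[(role.upper(), table.upper())] = {"missing": want - have, "excess": have - want}
    return drift

# Constructed sample: intended access per role and table.
SAMPLE_MATRIX = {
    ("APCLERK", "INVOICE"): "full",
    ("APAUDIT", "INVOICE"): "read-only",
    ("HRCLERK", "INVOICE"): "none",
    ("APCLERK", "VENDOR"): "full",   # table recreated, grants lost
}
# Constructed sample: what the database currently reports.
SAMPLE_GRANTS = [
    ("APCLERK", "INVOICE", "SELECT"), ("APCLERK", "INVOICE", "INSERT"),
    ("APCLERK", "INVOICE", "UPDATE"), ("APCLERK", "INVOICE", "DELETE"),
    ("APAUDIT", "INVOICE", "SELECT"), ("APAUDIT", "INVOICE", "UPDATE"),
    ("HRCLERK", "INVOICE", "SELECT"),
]

if __name__ == "__main__":
    for (role, table), diff in sorted(find_drift(SAMPLE_MATRIX, SAMPLE_GRANTS).items()):
        print(role, table, "missing:", sorted(diff["missing"]), "excess:", sorted(diff["excess"]))
```

Missing grants on a recreated table are the condition described earlier on this page; rerunning the utility for your Oracle version reinserts them.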