Custom rule files
An administrator who is knowledgeable in XML markup and the Infor Lawson system must accomplish the task of writing custom rules.
Before you start, ensure to save copies of the delivered rule files found under the GENDIR/assembly/products/shr/rules directory. See the Configuring Internet-facing Applications section of the Infor Security Services Configuration Guide for examples on how to customize rule files.
You can customize the delivered rule file templates for EMSS, as needed. You can enable full external access to the entire EMSS product, then use the delivered templates. If you restrict some subsets of EMSS externally, then you must customize the templates.
Each template rule file contains rules for a subset of the EMSS product. You can enable only the rule files for the subset that you want accessible to the Internet. For example, to allow external access to Employee Self-Service tasks, you will only run the emss_gen.xml and ess_app.xml rule files. To restrict access further to a subset of the ESS tasks, you should modify the ess_app.xml file to remove rules for any ESS tasks/modules that you do not want accessible on the Internet.
You can identify the rules for an EMSS task by a comment containing the task name in the XML rule file. Tasks are listed in alphabetical order by task name. Any modules that a task depends on are also listed in a comment. This diagram shows the rules for the Adoption/Birth tasks in the ess_app.xml rule file.
<!–- Adoption/Birth Life Events -->
<!–- Dependency Modules: Dependents, Beneficiaries, Life Events Enrollment, Tax Withholding, emss_gen.xml -->
<system name="BN">
<table name="BENEFIT" />
</system>
<system name="HR">
<program name="ES10">
<token name="ES10.1" />
</program>
<table name="EMPLOYEE" />
<table name="FAMSTSHIST" />
<table name="PAEMPLOYEE" />
</system>
Remove rules for any task or module that should not be accessed externally. For example, to restrict the Adoption or Birth Life Events from being accessible on the Internet, edit the ess_app.xml file and remove or comment out the above rules entirely. Do the same for any dependency modules that you also do not want accessible. Search the rule file to find any other tasks or modules that you want to remove. Continue this process, removing rules for any tasks or dependency modules you do not want accessible on the internet. Only the EMSS tasks remaining in the XML file are accessible externally.
If a dependency module is required for another task that you want to be available externally, then the rules for the dependency module must not be removed from the rule file.
After your rule files are defined, you can run each one by following the steps in the Activating the Rule File section of the Infor Security Services Configuration Guide. You should only run the rule files for modules of EMSS that users can access outside the firewall. The emss_gen.xml rule file is needed for any EMSS access, and should always be assigned to the GEN data source. You can then assign the other desired rule files to the application data source.
Follow the steps in the Activating the Rule File section of the Infor Security Services Configuration Guide when activating rule file examples here:
Example 4: Partial access to Employee Self-Service
Perform these steps to only allow external access to a subset of Employee Self-Service. For example, you will only allow access to the ESS Pay Rate History and Personal Profile tasks.
- Edit the ess_app.xml rule file. Remove rules from the file until
only the rules for Pay Rate History and Personal Profile remain. Save your changes.
<xml version="1.0" encoding="ISO-8859-1" <domainaccessvalidator> <!–- Pay Rate History --> <system name="PA"> <program name="PA67"> <token name="PA67.1" /> </program> </system> <!–- Personal Profile --> <!–- Dependency Modules: emss_gen.xml --> <system name="HR"> <table name="EMPLOYEE" /> <table name="HRCTRYCODE" /> <table name="PAEMPLOYEE" /> <table name="PCODES" /> </system> </domainaccessvalidator> </xml>
- Assign the emss_gen.xml rule file to the GEN data source.
- Assign your custom ess_app.xml rule file to the APPS data source.
Example 5: Partial access to Employee Self-Service and Manager Self-Service
Perform these steps to only allow external access to a subset of Employee Self-Service. For example, you will only allow access to the ESS Pay Rate History and Personal Profile tasks and MSS Employee Dates and Pay Rate History tasks.
- Edit and update the ess_app.xml rule file following the first bullet in Example 4.
- Edit the mss_app.xml rule file. Remove rules from the file until
only the rules for Employee Dates and Pay Rate History remain. Save your
changes.
<xml version="1.0" encoding="ISO-8859-1" <domainaccessvalidator> <!-– Employee Dates --> <system name="HR"> <program name="HS10"> <token name="HS10.1 /> </program> </system> <!-– Pay Rate History --> <system name="HR"> <program name="HS10"> <token name="HS10.1 /> </program> </system> <system name="PA"> <program name="PA67"> <token name="PA67.1" /> </program> </system> </domainaccessvalidator> </xml>
- Assign the emss_gen.xml rule file to the GEN data source.
- Assign your custom ess_app.xml and mss_app.xml rule files to the APPS data source.