Authorization by roles - Settings
Settings in (MNS405)
Roles are defined independently of company in 'Roles. Open' (MNS405), and the same roles apply for all companies in the database.
On (MNS405/E), it is possible but not mandatory to automatically create authorization by roles setup records (see SES400), and authorization by users (see 'Authorization by User. Display' (SES401)) for a specific company and division.
Authorization by roles 'Authorization by User. Display' (SES401) will be created for all users connected to the role. Only functions where authorization is required, as defined in 'Function. Open' (MNS110), will be considered and only new combinations will be generated. Existing authorization by roles will not be changed or removed.
If you only want to restrict access in a specific division, or some divisions in a single company, you should deactivate the 'Authorization required' field on (MNS110/E).
Settings in (MNS410)
In 'Roles per User. Connect' (MNS410), roles per user are defined independently of company with or without validity dates. A user can be connected to several roles at the same time. Each connection of user and role can have validity dates to enable temporary authorization by roles, such as vacation replacements.
Authorization by role in (SES400)
In the authorization by roles setup in 'Function. Connect Authorization by Role' (SES400), you define which functions are permitted per role and per company and division.
A role can have different authorization by roles for the same functions in different companies.
Only active records (status 20) create authorization by roles. Direct setup to programs is possible (the function does not need to exist in MNS110).
In the authorization by roles setup details, you define the basic options, related options, and functions keys that will be permitted.
Buttons are provided to select or clear check boxes for all options or function keys before fine-tuning the setup.
If, instead of deleting a function record, you deactivate it to status 10 (SES400/E), then you do not need to select option 2 for the remaining function/role records. They will continue to be activated.
Authorization by user in (SES401)
You can monitor records in the authorization by roles table by viewing the result of the setup by 'Authorization by User. Display' (SES401). Although the setup is done by function and role, authorization by roles are created per program and user to gain system performance and to enable special setup per user interaction programs. The authorization by roles table contains one record for each combination of program, user, company, and division.
- A record is created, changed, or deleted in the authorization setup 'Function. Connect Authorization by Role' (SES400).
- A record is created, changed, or deleted in 'Roles per User. Connect' (MNS410).
- A record is deleted in 'Roles. Open' (MNS405).
- System date changes - The authorities by roles are rebuilt, including the validity date check, when auto job (SES900) is started.
On (SES401/E), you can view the details for displaying authorization by roles as a result of the authorization by roles setup.
Authorization by roles are valid per user and program, whereas the permission setup in (SES400) is maintained per role and function.
Creating a new role
When creating a new role, it can be useful to copy the connected users and to also copy the connected authorization by roles.
Recreate authorization per user in (SES990)
'Authorization per User. Re-Create' (SES990) allows you to correct or update CMNPUS in 'Authorization by User. Display' (SES401) according to the entries in MNS110/MNS112/MNS150/MNS151/MNS405/MNS410/SES400.
Mass update in (MNS905)
'Function. Mass Update' (MNS905) can be run to update authorization required in (MNS110) as per the specified selection criteria:
- 01 - Sets field Authorization required in (MNS110) to Selected
- 02 - Sets field Authorization required in (MNS110) to Not Selected
- 03 - Updates (MNS110) with all available APIs. This option can be used if API security through roles has been selected in (MNS090).
Restrictions to functions for limited license users
The limited license user type controls what functions are accessible to a user, and how many predefined programs they can run. The default is 10.
To set up a limited licensed user, follow these steps:
- Define which user is to be a limited license user type in (MNS150).
- Set up a role in (MNS405) to be a limited type.
- Connect the limited license type user to the relevant role in (MNS410).
- Define the programs to be allowed in (SES403).
When starting a program or API, the authority check first checks if the user is of a limited system license type. If true, a check is made against (SES403) based on the limited system role the user is connected to. If the program is found, the normal authorization checks are carried out. If the program is not found, the user is not allowed to run the program. This is carried out regardless of the authorization parameter in (MNS110).
Limited license user limitations
- A limited system role can only include an equivalent license type user.
- A limited system user can only be connected to one limited system role.
- API programs are part of the maximum number of programs for a limited role. For example, OIS100 and OIS100MI count as two programs.
- API transactions used at sign in etc., (global API transactions) are not part of the maximum number of programs. These types of transactions are always allowed to be used.
- The maximum number of records cannot be overridden by the customer without advice from Infor.