GHR Security Puzzle

I have an extremely odd security issue that I am hoping someone has an idea about. I am BAFFLED and would appreciate any suggestions.

An HR user transferred from one team to another. Her security roles were changed for the new team. She can do all the things she needs to, except 1. When working her Inbasket, some fields do not appear for term actions. They do not appear when opening the inbasket item (which is the Employee.Terminate form), but they DO appear if she goes to resources and chooses the terminate action. All of her teammates CAN see these fields in the inbasket item. The issue is boiling down to a custom condition we have that restricts these fields unless the Actor has one of 4 roles (which she does), using a custom relation to ActorRole. The condition works fine from Resources/Terminate, but not from the Inbasket but ONLY FOR HER, again, others can see these fields. I have gone so far as to strip all her security yesterday, then we had a planned downtime last night so all systems were rebooted, and added them back this morning. No change.

She has access to PFIQueue and PFITask, and appropriate rights to the inbasket she is in. The custom relation/condition do not exist in these business classes, but her teammates see these fields in the inbasket. When opening an item from this inbasket, the displayed form is Employee.Terminate.

I would think if I needed to add the condition or relation to PFIQueueTask, her teammates would also not be able to see the fields. But they can.

I have compared her security roles to that of her teammates, and while there are some variations, there is one other person with identical roles. She can see the fields. Examples are in the included PDF.

Obviously we have cleared her cache for all time, restarted the browser, rebooted and tried a different computer that she had never used before. The problem follows her.

The Employee.Terminate form was last edited in July of 22. The LPL with condition, where you can see her lose fields is below:

visible when (IsCMCCompany1)

header4 of "EnterTheTerminationInformation"

visible when (IsHRStaff)

single column

RelationshipStatus

The LPL of the condition is (from the Employee business class, last edited in 2020):

IsHRStaff

when (first CMCHR exists

or first CMCITERPAnalyst exists)

And the LPL of the CMCHR relation is (from the Employee business class, I saved a change to it a few days ago just to see if that made a difference). She has the second role:

one-to-many relation to ActorRole

Field Mapping uses ByActorAndRole

related.Actor = actor

Instance Selection

where (related.ActorRole.Role = "Admin_ST"

or related.ActorRole.Role = "TM_GHRDataManagementNOHR"

or related.ActorRole.Role = "TM_GHRHRAdmin"

or related.ActorRole.Role = "TM_GHRBenefitsNOHR")

.[View:/cfs-file/__key/communityserver-discussions-components-files/60/ScreenShots.pdf:320:240]

Find more posts tagged with

Infor Lawson Technology Group - Discussion

Accepted answers

All comments

unknown

Did you check her Actor Agent records? Is the agent linked to the correct Actor.

apiazza

I had not, but I just did and she is. The correct agent has the correct actor applied.

2011-10-27_CH-Stammtisch_2.pdf

maphillips

Have you run a security session debug? If not, do that and post the results.

apiazza

Connecting with my sys admin monday to work on this.

robert-nevinger

Use a Chrome Incognito session and see if you have the same results.

Dr. Awesome

I wonder if this approach which removes the relation piece might help. It's 1. less pieces that might fail and 2. it's a net new approach to one that is baffling. A brief test showed this works.

So, you could have the following be your IsHRStaff Condition:

HROrganization is a BusinessClass

owned by hr

Conditions

IsHRStaff

when (actor has role "Admin_ST"

or actor has role "TM_GHRDataManagementNOHR"

or actor has role "TM_GHRHRAdmin"

or actor has role "TM_GHRBenefitsNOHR")

I recommend putting it on HROrganization, not Employee.

Your Terminate form config would then become:

...

header4 of "EnterTheTerminationInformation"

visible when (HROrganization.IsHRStaff)

single column

RelationshipStatus

....

apiazza

Thank you, I will try this.

apiazza

This WORKS! Thank you!

The fact that it did work points me toward what I was worried about, and that is something in the table structure has changed and the relation needs to be added to additional business classes and that her teammates should also not be able to see these fields, but can. Until some point in the future when it will stop for them too. Implementing your solution now will prevent that issue going forward. Thank you again for the suggestion!

Dr. Awesome

Well, I cannot see any real issue with your prior configuration approach and that relation to ActorRole that you had should be fine, nothing structuraly changed there.

My only pause for concern might be using "first CMCHR exists" in your condition. Only "CMCHR exists" is needed. Now, the two should be functionally equivalent, but perhaps interpretation subtly changed or something (if you are saying this has been in place and working for some time.)

Copyright © 2025 Infor. All rights reserved.