Hello, please consider endorsing ER 118663 for Landmark Security!
Summary: Restrict customers' ability to assign additional security roles to system accounts and service user accounts.
When Actor.AT_SystemUser = TRUE or Actor.AT_ServiceUser = TRUE, restrict action AssignExistingRoleToActor (or something similar). When system accounts are created by Infor, Actor.AT_SystemUser should automatically be set to TRUE. Customers should have the ability to maintain Actor.AT_ServiceUser on the service accounts that they create.
Examples of system accounts:
ClinicalBridge.ICSFSM.IDM-User
HCM.OAUTH-IDM
lawson
OAUTH-MSCM
If this is implemented, upon CU install Infor should run a script that removes unnecessary roles from system accounts and sets Actor.AT_SystemUser to TRUE.
Business Impact: While mass assigning security roles, it's easy to accidentally assign an unnecessary security role to a system account. In some cases, this can open up vulnerabilities.
Workaround: None
https://mingle-portal.us2.prd3.inforcloudsuite.com/v2/CONCIERGE_PRD/?LogicalId=lid://infor.cxp.1&Tab=ERS&ERId=118663