infor.com
concierge
infor u
developer portal
Home
Groups
Lawson - Technology Customer Community [READ ONLY]
LS Security - HREMP element Group
unknown
We use the HREMP element group to enforce record level security in the HR modules. This lets us control which groups of employees a back office HR user has access to. Our users can have multiple logins depending on whether they need EMS access and back office access. We would like to combine accounts but we discovered that for a certain set of users the HREMP element group rule will deny access to their own information in EMS. Are there any suggestions for solving this without scrapping the HREMP rule and writing rules on all the forms ourselves?
Find more posts tagged with
Infor Lawson Technology Group - Discussion
Comments
unknown
We do the same thing. All HR and PR users have two IDs, one for their ESS access and another for their back office access. We were unable to find any other solution that allowed us to continue to use the HREMP record level security. We were extremely disappointed in the need for multiple IDs. It is a maintenance headache and inconvenient for the users.
unknown
We especially like that the batch reports honor the HREMP record level security. We can write rules for the forms that would work with a little work but we have no answer for the batch jobs.
jacob-jellison
All our employees use one id for EMSS and to access day to day lawson forms. We do not have any issue with users who also access HR for other stuff receiving any access denied errors.
We use a combination of HR09 security and isInChainOfCmdOfEmpHR() to lockdown who and what they can see.
unknown
awolf01 - It sounds like you do not use the HREMP element group in your back office security all then. Is that correct? I am trying to determine if there is a way to still use the HREMP element group, otherwise I have to write/rewrite a lot of rules for back office security.
jacob-jellison
We do use it. I'm attaching a screenshot showing one of our rules that resides in a role that is given to most HR admins.
unknown
I am not able to read that screen shot. It's been awhile so I don't remember all the details, however, we made extensive attempts to use record level security without success. The problem was that record level (programmatic) security always trumps LS rules. Our HR and PR users were not able to do ESS functions.
unknown
awolff01, do all of your HR employees have access to see all HR employees? For example, some members have no need to see other HR employees so we use the HREMP record rule to restrict that. For example, Sally can see only employees with a security of 9. Sally's position has a security of 2. When she tries to update her address in ESS she is not authrorized to change it.
jacob-jellison
No not all HR employees have access to see everybody elses HR data. Most if not all employess that work in HR have an HR09 record with a value between 1 and 9. Lawson's built in programmatic security will compare the value in HR09 against the value in HR11 for the employee that is being queried.
My value in HR09 is 5. I can only see other employees data if their HR11 value is 5 or above. Otherwise I get " Not authorized to access employee".
Hope that helps.
unknown
I'm a little confused. HR09 is data level security. My HR09 is set at 1. My HR11/position security level is 2. The HREMP record rule says I can see positions with a security level of 3 and higher. I can not update my address via ESS because my HR11 position security is 2, but I can not see HREMP records with a security lower than 3. The HR09 security allows me to see all data information on employees with an HR11 of 3-9, but does not allow me to see all employees. This is our specific problem.
unknown
We have the same problem. We do not use HR09 at all. The problem is the HR11 security level trumps any other security rules and prevents users from performing ESS functions on their own record. The Lawson security rules are additive but the HREMP programmatic security is not. If my security level is 3 and my HREMP rule only alows me to see 4 and greater, it doesn't do any good to have another rule that grants access to my own record.
We tried to implement functionality similar to the HREMP record level security in Lawson new security by creating a custom element HRSEC consisting of the HR11 security level and location fields but we were unable to replicate the functionality. I believe it was the reports that we were unable to secure.
jacob-jellison
I just switched my hr11 record to 2 (my hr09 level is 3)....although I get a "Not authorized to access employee" error in HR11 when I try to view my own record I can still go and view my information via EMSS. I was also able to change my marital status via EMSS.
cjandrle...can you provide an example of " an ESS function" that I should not be able to perform on my own record? The other rule we have in place in our ESS role is on HR11.1:
if isElementGrpAccessible('COEMP','','HR',form.EMP_COMPANY,form.EMP_EMPLOYEE)
all_access
else
no_access
and on the ElementGrp COEMP we have:
if (user.getCompany()==lztrim(COMPANY)&&user.getEmployeeId()==lztrim(EMPLOYEE)||user.isInChainOfCmdOfEmpInHR(COMPANY,EMPLOYEE))
all_access
else
no_access
0712131256598360.doc
unknown
Do you have rules written on the HREMP element group?
if(lztrim(SEC_LEVEL)>='1'&&((SEC_LOCATION)=='9999999999'))
'ALL_ACCESS,'
else
'NO_ACCESS,'
unknown
awolff01 could you please attached the image in a word doc so that it can be read? Thanks
0712131256598360.doc
Quick Links
All Categories
Recent Posts
Activity
Unanswered
Groups
Help
Popular Tags
Infor Lawson Human Resources Group - Discussion
Infor Lawson Technology Group - Discussion
General Discussions
VISUAL - Enterprise General Discussions
Infor Lawson Supply Chain Management - Discussion
Process Automation (IPA) - General Discussions
Pegasus - Partner General Discussions
Infor Lawson Supply Chain Group - Discussion
Infor Lawson Financials Group - Discussion
Infor EPM Discussions