SSO Password Reset - best practices

Good afternoon,

At present, we have a number of User profiles that require bookmarks. I create the new User with a Lawson password, I then log on as the User to allocate the bookmarks and verify access.

We are in the process of going to SSO, which complicates this process significantly, as I obviously am not aware of the individual's Network/AD password.

I contacted Lawson to see what they suggested. Initially they suggested that we create multiple Portal profiles for all of our combinations of different bookmarks - we have over 100 bookmarks, and mutiple combinations of them. Therefore, this is not practical.

My Data Security Office is 'digging it's heels in', as to giving me AD password reset functionality; they are requesting best practice procedures/documentation for SSO password reset.

I subsequently contacted Lawson and submitted a CASE with this request, and they referred me to 'the community', as they have no further information!

Does anyone have a suggestion as to how I can overcome this?

Find more posts tagged with

Infor Lawson Technology Group - Discussion

Comments

moellerg

Bookmark access (for the most part here) is controlled through Group membership. You can have 1 user.xml file with all of the root bookmarks in it, and unless the individual user belongs to xyz group, they aren't going to even see the bookmark.

Not sure how "practical" that is, but we've got several "groups" configured that way here.

Just go into Bookmark manager and set the default access to 'Deny' and then configure Group access to 'Allow'.

unknown

We use separate Portal Roles and have about thirty of them. For example, a user who gets the APCLERK security role also gets the APCLERK group and the APCLERK Portal role. The APCLERK group and Portal role also include ESS access which everybody gets. The only other wrinkle is if they also get an RSS role in which case, we give them instructions to go to Portal Preferences/Content and drag the RSS bookmarks from the "Subscription" column to the the "Navigation" column and save. The advantage of using the Portal role is that the bookmark shortcuts can be "locked" and the users don't need to know how to configure their own.

[Updated on 10/28/2013 1:54 PM]

unknown

It is easier to create multiple groups associated with the bookmark groupings you want. Then assign those grouping to the individual. We use the Groups and Roles to limit a user. The portal role is used to limit access to certain User Preferences, menu drop downs, and the search box. For example, employee role to ESS and no access to search box. Thus, it will function under non-IE browsers.

Attachment_4253.zip

unknown

Thanks to everyobodys for your responses.

We do have three Portal profiles, one with no Search, one with Search and standard submission functionality, and one with Search box, standard submission functionality, and also User Form/Multi-Step Job access/functionality.

May I give you my understanding of the points raised:

1) We do determine which Bookmarks are available to each User, by allowing Groups on the Bookmark Edit Access; each User has Group(s) related, which in turn determine his Bookmark availability.

2) At present, I then logon as the User and select the Bookmarks to that User, from his available displayed Bookmark list.

3) If I understand the suggestions made, I can allocate Bookmarks to each/all of our Portal Roles (of which the NON-Search box Role has minimal Bookmarks), and allocate ALL of our Bookmarks to the other two Roles. This will then enable ONLY those Users that have the relevant Groups to see their corresponding Bookmarks - assuming the DENY/ALLOW Edit Access has been correctly set.

3) Points 1, 2 & 3 resolve (I think) the Bookmark issues, however I would still prefer to validate my Security access which I setup is correct, how do SecAdmins fulfil this requirement - or don't they?

unknown

We validate the access of particular groups, roles, portal roles, and bookmarks on the Test system using a test user id which has an AD account (we are bound to the AD LDAP). Once the access for a particular group of people is verified, it should work the same in production. We can't validate it in production using real id's, as that violates policy, but we also shouldn't have to.

unknown

I meant to add - we send instructions to the new backoffice users telling them how to add or remove bookmarks from their layout panel - and offer to remote their PC to do it for them if they prefer.

moellerg

We've tried your approach too, Barb... but either the user is not there or too busy to accommodate the request, or some other reason. We've found it much easier to just manually go in and edit their user.xml file.
I've got the root bookmark numbers memorized by now. Or you can just go out and look. ie rngdbdump -cnt logan lobkmark | grep "Bookmark Name"
Add the number under both the navigation (NAVLET tab) and bookmarks (BOOKMARK key tag) section accomplishes the same thing without any action by the user(s).

unknown

Or you can do what we do and use the Portal Role to "lock" the bookmarks in place. You might not want to do this for 100 different roles, but if, like us, you have 10,000 users with only ESS, it works well - don't have to call them or mess with their XML files.

Copyright © 2025 Infor. All rights reserved.