Security Conditional Rule Expressions

Hi,

We are working on setting up a rule expression that will disable a users ability to view specific HR records via HR11 (among other screens). We have successfully tested the functionality with new security classes however, when we add the new classes to an existing role, any class that currently grants access over rules any that denies it.

To get around this, we had intended to write the expression into our current security classes but we already have an expression in there to limit access to executive account information. Does anyone know how we can include two separate rule expressions that differentiate the access for our end users?

We need to be able to continue to limit access to executive information, but we also want to be able to limit an end users access to a specific employee's information based off of familial relationships. To do this, we're hoping we can combine the 2 expressions used into a single security class that focuses on the same security token.

Please let me know if further detail is needed to clarify the situation described above.

Thanks, John

Find more posts tagged with

Infor Lawson Technology Group - Discussion

Comments

richardd

I believe the way to do this is to define an element group like COMPEMP (Company,Employee), write a security class on the element group that limits access as needed, assign that security class to the desired role(s), then write the conditional rules for each type of object that needs to be secured (online, batch, table) in the other security classes in the role(s) against the COMPEMP element group.

unknown

I think that is similar to what we have done.

We created 2 new security classes, one for the element group, and then the other for the online objects and files objects. When we assigned those 2 classes to a brand new role and tested, it did what we expected, but when we tried to add those classes to an existing role, they seem to be overwritten by the current rules.

Our struggle is we already have an expression used to limit access to specific users. Was wondering if it's possible to combine 2 expressions into one security class rule? Make sense?

richardd

You can't just add the new security classes to the role. Every security class in the role that references the resource that needs to be secured has to be changed to reference the element group. The least restrictive rules wins when each of the security classes in the role is evaluated.

Copyright © 2025 Infor. All rights reserved.