Implementing Lawson Security 9.0 - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Implementing Lawson Security 9.0
  • Overview

Brian Hunter, Lawson Professional Services
Brian.Hunter_at_lawson.com
2
LSF 9.0 User Basics
  • A Resource Management Record is required in LDAP
    for all users accessing the Lawson System.
    (Single Sign-on requires only one record.)
  • The Resource Management Record attaches to
    Services controlling access to other
    subsystems, Agents or 3rd Party Products.
  • The SSOP Identity authenticates the user to Lawson
    Portal. (An LDAP Bind can pass the password
    challenge for the SSOP ID to another source.)

3
LSF 9.0 User Basics
  • The OS Identity organizes the user's information
    within the Operating System. A unique OS Account
    is required if the user is executing batch jobs.
  • Agent Identities pass Lawson required
    information to the Self-Service Centers.
  • Roles, Groups and Structures are established in
    RM.
  • Resources are assigned Roles, Structure
    participation and Group membership.

5
Lawson Security 9.0 Basics
  • Lawson Security is a Role Based Authorization
    System
  • LID cannot be used with Lawson Security
    Authorizing.
  • Lawson Security consists of Profiles
    representing all areas requiring Authorizations.
    (RM, ADM, LOGAN, APPS, ENV, GEN)
  • Lawson Security Classes contain Authorization
    Rules. (Grant, Unconditional for Action,
    Conditional If/Then or Time/Date)

6
Lawson Security 9.0 Basics
  • Lawson Security Classes are associated to Roles.
    Security Classes are not directly tied to a User.
  • A User has no access unless specifically granted
    the Authorization through Role assignments.
  • Must implicitly grant every Securable Object a
    Role needs. (On-line Form, Batch Program, File,
    Environment, Data Source.)
  • Single Sign-on only works if the user is
    Authorized by Lawson Security.

7
Lawson Security Set-up
  • A Role is established in Resource Management.
  • A Security Class is established in Lawson
    Security 9.0. The Security Class contains access
    Rules for forms and files.
  • One or More Security Classes are assigned to a
    Role creating the appropriate Authorizations.
  • Users are assigned Roles.

8
Lawson Client Types
  • A: Existing Lawson Client migrating to LSF 9.0
    and Lawson Security
      • LAUA Security Classes Established
      • Web Records, LAUA Profiles Established
      • PORTALROLES Established
  • B: New Lawson Client starting with LSF 9.0 and
    Lawson Security
      • Users Identified
      • Conceptual Authorizations requiring Lawson
        Definitions

9
Transitioning A Client
  • LSF 9.0 allows for LAUA Security for
    Authorization
  • Benefit
      • Security variable removed in upgrading
      • Transition User or Sets of Users to LS reducing
        risks
  • Cost
      • Continued Security limitations

10
Implementing Lawson Security 9.0
  • Project Analysis (Applications, Self-Service
    Centers, General)
  • Security Plan
  • Resource Management and Lawson Security Training
  • Security Analysis (Detailed Requirements for all
    Applications and Areas)
  • Lawson Security Modeling
  • Proof of Concept Security Model
  • Lawson Security Build and Test
  • Establish Users under Lawson Security Model

11
Critical for Lawson Security 9.0
  • Proper Security Analysis!
  • Gather ALL Application, Compliance and Audit
    requirements and desired controls.
  • Special focus on Data restrictions.
  • An "A" client can use LAUA authorizations as a
    starting point for analysis; however, LS takes
    security functionality to a new level. To receive
    the benefit of Lawson Security, old product
    constraints or methods must be released. LS is
    Role based.

12
Lawson Security 9.0 Methodology
  • Lawson Security (LS) is an Object Oriented
    Security Design.
  • Create buckets of Authorizations.
  • Authorizations can be connected differently to
    create the Unique Role Requirements without
    rebuilding Security Classes.
  • Security Classes represent a single Task or set
    of indivisible Tasks. (Journal Entry, Employee
    Maintenance, Item Maintenance)
  • An "A" client should just SAY NO to building LS
    Security Classes that mirror LAUA. There might
    not be a bigger mistake. This will eliminate the
    flexibility of LS and remove the efficiency of
    Maintenance.

13
Lawson Security 9.0 Methodology
  • Security Rules should be driven from User
    Information, not hard-coded data.
  • Example: Determine a User's Data Span of Control
    from their Resource Record information, their
    HR Record information, an associated Attribute,
    their Group participation or their place in
    a Structure.

14
Lawson Security 9.0 Modeling
  • There isn't just one way to build an
    organization's Lawson Security Design. There may
    be several ways to accomplish the same goal of
    Granting/Controlling Access. There may be a
    best solution based on maintenance or
    performance even though there's no right/wrong
    solution.
  • Release all past constraints from Lawson or Other
    Systems.
  • Create many Lawson Security Models. Narrow down
    the possibilities based on efficiency and
    maintenance.
  • Shoot for capturing 95% of Users' authorizations
    with Standard Roles and Security Classes.
  • Avoid 1-to-1 Relationships between the Role and
    Security Class. Security Classes are task
    Authorizations connected to a Role.

15
Bad Model
  • Contains Security Class Rules with hard-coded
    Data for controlling access. (Process Levels,
    Accounting Units, User Ids) Examine the qualifier
    and find a dynamic way of determining access.
  • Multiple Security Classes covering the same Task
    or Securable Objects. Lawson Security allows for
    multiple conditional rule expressions. Security
    Classes should be reusable and adjust based on
    User information.
  • If Past Security is being implemented, it may
    appear to reduce the Lawson Security effort but
    will eliminate the benefits.
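
An added illustration, not part of the original presentation and not Lawson rule syntax: a minimal Python model of the design these slides describe, with default deny, Security Classes attached to Roles rather than Users, and conditional rules that read the user's own record instead of hard-coded values. Form and class names come from the mapping slide; the role-to-class links, the `employee` and `process_levels` attributes and the sample users are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass(frozen=True)
class Rule:
    obj: str                                             # securable object (form id)
    cond: Optional[Callable[[dict, dict], bool]] = None  # None = unconditional grant

@dataclass
class User:
    name: str
    roles: set
    attrs: dict = field(default_factory=dict)  # stands in for the user's RM/HR record

# Conditions compare the record being accessed with the user's own attributes,
# so one Security Class adapts to every user (attribute names are assumptions).
def in_span(user, rec):
    return rec.get("process_level") in user.get("process_levels", ())

def own_record(user, rec):
    return rec.get("employee") == user.get("employee")

# One Security Class per task; class and form names follow the mapping slide.
SECURITY_CLASSES = {
    "Employee SS":   [Rule("HR11.1", own_record)],
    "Journal Entry": [Rule("GL40.1", in_span)],
    "JE Release":    [Rule("GL45.1", in_span)],
    "Employee Edit": [Rule("HR11.1", in_span)],
}
# Roles reuse classes; users never reference a class directly (links assumed).
ROLE_CLASSES = {
    "Employee SS": ["Employee SS"],
    "GL Clerk":    ["Journal Entry", "JE Release"],
    "HR Manager":  ["Employee Edit"],
}

def is_authorized(user, obj, rec):
    """Default deny: True only if a rule reached through a role grants obj."""
    for role in user.roles:
        for cls in ROLE_CLASSES.get(role, ()):
            for rule in SECURITY_CLASSES.get(cls, ()):
                if rule.obj == obj and (rule.cond is None or rule.cond(user.attrs, rec)):
                    return True
    return False

# Constructed sample users and record.
USER_B = User("B", {"Employee SS", "GL Clerk"}, {"employee": 1002, "process_levels": {"100"}})
USER_C = User("C", {"Employee SS", "HR Manager"}, {"employee": 1003, "process_levels": {"100", "200"}})
REC = {"employee": 1002, "process_level": "200"}

if __name__ == "__main__":
    for u in (USER_B, USER_C):
        print(u.name, {f: is_authorized(u, f, REC) for f in ("HR11.1", "GL40.1", "PA52.1")})
```

Changing a user's span of control here means editing that user's attributes; no Security Class or Role is rebuilt.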

18
A Mapping Example
19
Diagram columns: Users, Roles, Security Classes, Securable Objects
  • User A: Role Employee SS; Security Class Employee SS;
    Form HR11.1
  • User B: Roles Employee SS, GL Clerk; Security Classes
    Journal Entry, JE Release; Forms GL40.1, GL45.1
  • User C: Roles Employee SS, HR Manager; Security Classes
    Employee Edit, PA Entry, Dependent Edit; Forms HR11.1,
    PA52.1, HR13.1
20
Facts
  • Lawson Security assists organizations in areas of
    Compliance and Audit.
  • Lawson Security Planning and Analysis is crucial.
  • Lawson Security requires effort upfront in
    exchange for reduced maintenance.
  • Lawson Security should be active throughout the
    Implementation. Lead Time is required.

21
Additional Documentation
  • Various documents are available as follows:
  • http://support.lawson.com
  • Lawson Administration Resources Security Guide

22
Questions?