Lawson Security 9.0.1: What's New d Wh t Y M N ... - Digital Concourse

Lawson Security 9.0.1: What’s Newand dWhat tYou May Not tK Know!BPP09Rob Narlockrob.narlock@us.lawson.comApril 3 - 6, 2011 • Boston, Massachusetts

Disclaimer regarding use of screen shotsin this presentationThis presentation has been prepared to demonstrate a variety of ways thatthe Lawson software applications, solutions and tools can be set up andutilized by customers. The screen shots provided in this presentation maynot be standard, out-of-the-box of the set-ups / reports and may require yourorganization to engage Lawson Professional Services in order for theapplications, solutions or tools to work as shown.The presentations provided by Lawson at CUE contain confidentialinformation and are not to be copied or distributed beyond the attendee’scompany without advance written permission from Lawson.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.2

Agenda• Bring awareness to features that wehave added but that you may not beaware of.• Explain how these features can beused by you.• Show tips that will help you tomaintain and debug your system.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.

Features• Using Drill Explorer to identify what tables security is needed for aform drill down or select. (Available in all supported service packs)• Support for LDAP Bind to Multiple LDAP Servers (Available9.0.1.3 and higher)• New Lawson security reports. Profile Rules and RM User Attributereport (Available 9006and9013andhigher)9.0.0.6 9.0.1.3 • Security reports can now be viewed in CSV format. (Available9.0.0.6 and 9.0.1.3 and higher)• Limiting the security log files to ensure system performance(Available in all supported service packs)• Additional attributes to People Object in RM. (Available 9.0.0.6and 9.0.1.3 and higher)• Timeout Parameter added to LHC.jar. (Available 9.0.0.5 and9.0.1.2 and higher)CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.4

Features• LoadUsers utility now supports role, group and user deletion. (Available9.0.0.8 and 9.0.1.5)• LSDump utility has been enhanced to help make the migration of securityinformation easier. (Available 9.0.0.8 and 9.0.1.5)• LSLoad utility has been enhanced to help make the migration of securityinformationeasier easier. (Available9008and9015)9.0.0.8 and 9.0.1.5)• LS Security can be turned on and off using the lsconfig utility. (Available9.0.0.8 and 9.0.1.5)• How to set options for authentication for the Security Administrators (Tip)• Why using inheritance is important when writing security classes. (Tip)• Why using rule overrides is important when writing security classes (Tip)• Why logging can help in resolving security issues. (Tip)CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.6

Using Drill Explorer to identify what tables security isneeded for a form drill down or select. (Available in allsupported service packs)• To determine which files you need to grant access to so that users can usethe Drill Around feature e and Select ect lists on a form, use the Drill Exploreraid. You access the Drill Explorer in the Object Selector by right-clicking onany form field that has a drop-down list associated with it.• Related Documents: See “Writing Simple Rules” in LawsonAdministration: Resources and Security• DEMO: Show Drill Explorer for HR11.1CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.7

20.3.1 *Qualitätssicherungssystem (QSS / *QS-System)20.3.1.1 GrundsätzeDas QSS muss alle wesentlichen Prozesse beimUmgang und bei der Abgabe von Heilmitteln in geeigneterWeise festlegen.Es muss formell durch die fvP in Kraft gesetzt sein.Das involvierte Personal muss Kenntnis vom QSShaben und entsprechend geschult sein.20.3.1.2 QualitätssicherungDurch ein für den Umgang mit und die Abgabe vonHeilmitteln geeignetes System der Qualitätssicherungmuss sichergestellt werden, dassa die *Beschaffung, *Freigabe, *Lagerung, Distribution(betriebsintern), *Zubereitung und Abgabe vonHeilmitteln und die dazugehörigen Abgabe- und Kontrollverfahrendetailliert beschrieben sind;bdie Regeln der Guten Abgabepraxis angewendetwerden;cdie Verantwortungsbereiche eindeutig festgelegtund in einem Organigramm abgebildet sind;d alle nötigen Kontrollen durchgeführt werden;e ein Verfahren der Selbstinspektion und/oder Qualitätsprüfungzur regelmässigen Bewertung der Wirksamkeitund Eignung des Qualitätssicherungssystemseingeführt ist.Für das Führen eines *QS-Systems sind der Inhaberder Betriebsbewilligung und die fvP verantwortlich.Ausgebildetes Fachpersonal sowie geeignete undausreichende Räumlichkeiten und Ausrüstung sindVoraussetzung.Kommentar:Siehe cPh.Helv. GMP für Arzneimittel in kleinenMengen Kapitel 21.1.120.3.1.3 Gute Abgabepraxis für Heilmittel (cGAP)Die „Gute Abgabepraxis“ ist der Teil der Qualitätssicherung,der gewährleistet, dass die Prozessegleichbleibend nach den Qualitätsstandards erfolgenund kontrolliert werden.Die grundlegenden Anforderungen der Guten Abgabepraxissind folgende:a Das Personal muss der Funktion angemessenqualifiziert und geschult sein. Verantwortlichkeitenund Zuständigkeiten müssen klar geregelt sein.bSämtliche betriebspezifischen und qualitätsrelevantenProzesse sind auf ihre Eignung zu prüfen und inAnweisungen und Verfahren zu beschreiben.c Die Prozesse beim Umgang mit und der Abgabevon Heilmitteln sind unter Einhaltung der Regeln dercGAP durchzuführen. Die Kennzeichnung der Heilmittelund die Dokumentation müssen die korrekteAbgabe oder Anwendung an den Patienten (*5R-Regeln) belegen (*Patientendossier, *Krankengeschichteetc.).d Die Heilmittel (verwendungsfertige und anwendungsfertige)müssen so gehandhabt und gelagertwerden, dass ihre Qualität bis zum Verfallsdatumbeziehungsweise bis zur Aufbrauchsfrist erhaltenbleibt.cGAP - KAV V1 - 14. September 2009Seite 8 von 44

New Lawson security reports. Profile Rules and RM UserAttribute report (Available 9.0.0.6 and 9.0.1.3 and higher)• Description: Lawson System Foundation now includes two additionalsecurity reports: Profile Rules report and RM User Attrib report.Their descriptions are as follows:– Profile Rules report - outputs all the security classes and rules thatbelong to the selected profile.– RM User Attrib report – This report displays user information based ona filter. The user information displayed is defined when the report iscreated. A dialog will be displayed with a list of attributes to choosefrom. Because this report takes in a filter, it will allow the displaying ofall users in the system.• Related Documents: See “Lawson Security Reports” in LawsonAdministration: i ti Resources and Security• DEMO: RM user Attrib report with output of CSV.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.9

Security reports can now be viewed in CSV format.(Available 9.0.0.6 and 9.0.1.3 and higher)• Description: In addition to HTML and PDF output, the option to viewreports in CSV format is now available.• Impact: To be able to generate and view a report in a .csv format, theadministrator should run the Profile Rules Report, and select .csv as theoutput format.• Related Documents: See “Lawson Security Reports” in LawsonAdministration: Resources Resources and SecurityCUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.10

Limiting the security log files to ensure system performance(Available in all supported service packs)• Description: To avoid having a large security log file affect systemperformance, the administrator can configure the maximum size for thesecurity log files.• Impact: The properties file is located inLAWDIR/system/ls_logging_properties.logging The administrator should edit the following file properties to control thesize of the log file:com.lawson.lawsec.sizeLimit and com.lawson.lawsec.numberOfFiles• Related Documents: See "Accessing and Configuring the LawsonSecurity Server Log File" in Lawson Administration: Resources andSecurity.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.11

Additional attributes to People Object in RM.(Available 9.0.0.6 and 9.0.1.3 and higher)• Description: The people object in RM now contains four additionalattributes.• Impact: The following additional attributes tes can be used to map user entriesor to change a structural class for the Lawson People object:CompanyControl - This attribute enables the security administrator tocontrol access to multiple companies.ProcessLevelControl - Use this attribute to control access to processlevels for the following system codes: HR, PR, LP, PA, BN, AR or AP.AccountingUnitControl - The administrator can limit or specify the allowednumber of accounting units for a user. Previously, the user's defaultaccounting unit in the HR11 record had to be used.HRAuthorControl - This attribute enables the administrator to controlaccess rights of the HR Writer product.• Related Documents: See chapter 6, "People and Thing Resources" inLawson Administration: Resources and Security.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.12

Timeout Parameter added to LHC.jar.(Available 9.0.0.5 and 9.0.1.2 and higher)• Description: This feature enables developers to set the timeout value forGET and POST requests. You might use this parameter if, for example, youare connecting to a server that processes time-consuming requests. In thissituation, you would set the timeout to a high value so that the API does nottime out prematurely.• Impact: This parameter is optional. Developers can add it to their API callsas needed.• Related Documents: See “Calling Lawson Authentication in APIs” inDoc for Developers: Internet Object Services APIs.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.13

Idle Event Handler method to manage security server event(Available 9.0.0.5 and 9.0.1.2 and higher)• Description: Installations with large numbers of LID users (in the 1,200-1,500 range) might experience the LS Server shutting down. This symptommight point to the need to configure the Idle Event Handler as a way toprioritize events. By default, this handler is not configured. Lawsonrecommends configuring it only if you experience the symptoms describedin the manual.• Related Documents: See “Idle Event Handler: Overview” and “Configuringthe Lawson Security Server to Use Idle Event Source Management” inLawson Administration: Resources and SecurityCUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.14

New privileged identity solves Windows password expirationissues when running batch jobs. This feature is valid forWindows only. (Available in all supported service packs)• Description: As a post-installation step for release 9.0.0.4 (and higher),Windows customers will configure a privileged identity to run batch jobs.This identity ensures that t Windows batch jobs run properly. Previously,some user jobs failed because passwords expired or had been changeddue to Windows automatic password expiration policies.• With9004andlater 9.0.0.4 later, whenanormalbatchjobuserrunsajob normal runs a job, ownershipof the job is temporarily assigned to the privileged user for execution.Immediately upon execution, ownership of the job returns to the normalbatch user so that the user can create print files and so that distributiongroups execute as intended.d• Impact: Windows customers must perform some simple configuration afterrelease 9.0.0.4 (or later) has been installed.• Related Documents: Lawson Core Technology Installation Guide, (forcustomers installing 9.0.0.4 for the first time), 9.0.0.4 Installation GuideAddendum (for customers installing 9.0.0.4 as an update to an earlierservice pack), Lawson Administration: Resources and SecurityCUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.15

Conditional “by type" rules now available.(Available in all supported service packs)• Description: By type rules, that is assigning access to all securableobjects of a particular type — for example, all tables — is a powerful way toquickly open up the system for power users and administrators. In previousreleases of LSF 9.0, by type rules were so inclusive that they could only beassigned to very specific types of users who needed access to the entire,or nearly the entire, system and who did not need to be restricted out ofany data. For example, if you assigned access to all tables to a power userwho created system-wide reports, you would not be able to lock the userout of confidential data in the EMPLOYEE table.With release 9.0.0.4, you can write a rule that would assign access totables within particular system stem codes. That way the power user whocreates system-wide reports but who should not see confidential employeeinformation could have access to all tables except HR (which contains theEMPLOYEE table). Within HR, the user could be assigned only the specifictables needed.• Impact: Customers who want to make use of conditional by type rules canwrite them.• Related Documents: Lawson Administration: Resources and Security• Demo: Show sample security class and evaluation in Lawson Smart Office.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.16

Attachments can be secured.(Available in all supported service packs)• Description: With Lawson System Foundation (LSF), it is now possible tosecure documents that have been attached to Lawson applications. Thismeans that, if you write the appropriate rule to secure an attachment, auser could have access to all or some parts of a form but be specificallysecured out of viewing a separate document that was attached to the form.• Impact: By default, you are secured out of attachments (as with allsecurable objects).If you want to secure attachments, write rules asneeded.• Related Documents: Lawson Administration: Resources and Security,Chapter 22, “Writing Simple Rules”CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.17

New global function: getDBFieldbyIdx.(Available in all supported service packs)• Description: This new function is similar to the existing getDBField exceptthat it allows you to reference an index by a specific name.• Impact: None.• Related Documents: Lawson Administration: i ti Resources and Security,Chapter 24, “Writing More Complex Rules Using Expression Builder”CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.18

Support for Multiple Web Servers.(Available in all supported service packs)• Description: With 9.0.0.2, Lawson System Foundation supports multipleendpoints, that is multiple web servers communicating with a singleapplication server. Lawson customers can configure endpoints in a varietyways. For example, you might want to dedicate one endpoint to internalusers and another endpoint, possibly outside the firewall, for externalusers. Typically, y in this situation, external and internal web servers wouldrun applications and retrieve data from the same application server, but allcommunication with the external web servers would be through a secureport using HTTPS.• Impact: Configuration is required through the Lawson ssoconfig utility tomake the SSOP authentication service aware of the additional servers.• Related Documents: See "Multiple Endpoint Configuration" in LawsonAdministration: Server Setup and Maintenance.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.19

Default Environment / OS Identity(Available in all supported service packs)• Description: With LSF, it is now possible to make use of a default privileged identity thatautomatically links Lawson users to an operating system (OS) user. Any user who does not needa unique OS ID can be automatically linked to a privileged identity. This means that you do notneed to create Environment/OS service identities for some users.The following types of users still need unique OS IDs and must have identities on theEnvironment/OS service:– Users who run batch jobs– Users who need command line access– Users who require unique HR data item security (assuming that feature has been enabled).This is because these users are required to share a default OS identity and to have thesame HR data item security level.Users who run only online programs through the Portal (and do not require unique HR data itemsecurity) can make use of the default Environment / OS service identity.With previous releases of LSF, some customers faced an LDAP-determined requirement thatthey could link a maximum of 1,000 Lawson users to an OS user. With 9.0.0.2, thisrequirement is obsolete.To implement the Default Environment / OS Identity, you will run the loadusers utility as a postinstallationstep.• Impact: None. The default user feature is backward compatible and will not negatively impactexisting user configuration.• Related Documents: Lawson System Foundation Installation Guide Addendum, LawsonAdministration: i ti Resources and Security , See "Setting Up the Default Environment/OS ServiceIdentity" in Lawson Administration: LAUA Security.• DEMO: How to set up.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.20

Multiple container support for ldapbind.(Available in all supported service packs)• Description: Customers who store user data across multiple LDAPcontainers can now use the Lawson ldapbind utility to send control ofLawson user passwords to their LDAP system.In previous releases of Lawson, the ldapbind utility supported only singlecontainerconfigurations.• Impact: None.• Related Documents: Lawson Administration: Resources and SecurityCUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.21

logdir JVM property.(Available in all supported service packs)• Description: You can customize the output directory for security log filesgenerated by the servlet container. Customizing this location enables userswho do not have access to LAWDIR/system (a location often restricted tothe special user “Lawson”) to view security log files. Customizing might bebeneficial in a situation where, for example, SOX compliance requires tightpermissions on the LAWDIR/system directory. However, many Lawsoncustomers will find it useful to retain the default location of log files.• Configure the location by adding the JVP property, com.lawson.logdir, tothe Lawson environment variables section of the JVM.• Impact: None.• Related Documents: Lawson Core Technology Installation ti Guide,ProcessFlow Runtime Installation Guide, Lawson Administration:Resources and SecurityCUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.22

LoadUsers utility now supports role, group and userdeletion. (Available 9.0.0.8 and 9.0.1.5)• Description: Customers will now be able to delete users, groups androles from the system based on a file using the loadusers utility.• Usage:usage: Load UsersLoadUsers [options]options:-f xmlFileName XML file that contains data-p defaultProductLine default productline if not set in xml file-d defaultDomain default windows domain, only required for windows-u deleteusers delete roles, groups and users-g username username that was used in the privileged ID-? print usage• Sample XMLCUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.23

LSDump utility has been enhanced to make the migration ofsecurity information easier. (Available 9.0.0.8 and 9.0.1.5)• Description: The lsdump utility now provides a “-addRuleMapping” option.This options applies when either a profile or security class is beingdumped. When this option is used, it will not only dump the entire profile orsecurity class, but will also dump role mappings and the users assigned tothe roles.• Usage:Usage: To dump Lawson Security Data to standardOutput or file.Syntax: lsdump [-f filename] PROFILE [profileid] [-addRoleMapping]lsdump [-f filename] SECCLASS profileid [secclassname1,secclassname2,...] [-addRoleMapping]lsdump [-f filename] ELMGRP profileid [elmgrpname1,elmgrpname2,...]lsdump [-f filename] ROLE rolename [-p profileid] [-s secclassname1,secclassname2,...]addRoleMapping - Add role mapping for security class and users using it.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.24

LSLoad utility has been enhanced to make the migration ofsecurity information easier. (Available 9.0.0.8 and 9.0.1.5)• Description: Three new options have been added to the lsload utility.These new options are:• -addRoleMappingThis option will be used when a profile is dumped using the sameoption. This option will then create a new profile, create new roles ifnot already on the system and create the role assignments. Sincelsdump utility also dumped the users assigned to the roles, it willalso update the first name, last name and role attribute on any userthat exists on the target system. For all users that do no exit on thetarget system, they will get written to an xml file. This xml file isformatted so that the loadusers utility can be run to add the users.• -d defProdThis option gives the administrator the ability to override the definitiondata source from the command line.• - a activeDataSrcThis option will automatically assign the profile to the product line. Itwill also find and change any data source rules in the profile to thenew active product line.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.25

LSLoad utility has been enhanced to make the migration ofsecurity information easier. (Available 9.0.0.8 and 9.0.1.5)• Usage:Usage: To load an xml file into Lawson Security Persistence.Syntax: lsload PROFILE filename [-p newProfileId] [-d defProd] [-a activeDataSrc] [-addRoleMapping]lsload SECCLASS filename [-p ProfileId] [-s] [-o] [-addRoleMapping]lsload ELMGRP filename [-p ProfileId] [-e newElmgrp]lsload ROLE filename [-r Rolename] [-p ProfileId] [-s] [-o]d - Default Definition Productlinea - Assign to an Active Data SourceNote: The -a option will remove the assignment ofother Profiles to this Data Source.s - Add New Name for SecClasso - Destroy All Existing Data for SecClass prior to loadaddRoleMapping - Add role mapping for security class and users using it.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.26

LS Security can be turned on and off using the lsconfigutility. (Available 9.0.0.8 and 9.0.1.5)• Description: Customers will now be able to turn security on or off usingthe lsconfig utility. This utility will require the security configurationcommand line password.• Usage:Usage: Configure or list security entries.Syntax: lsconfig [-uartl][-c password ON|OFF][instance_name]u - Print usage and syntax.c - Turn Security ON or OFF.a - Add or modify configuration entries.t - Manage C Tracing.r - User-role assignment.l - List configuration entries.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.27

How to set options for authentication for the SecurityAdministrators (Tip)• How to set default protocol• How to enable client side logging• How to change timeouts• DEMO: How to show option screen from login page.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.28

Why using inheritance is important when writing securityclasses. (Tip)• Re-use of security classes.• Minimize the number of rules• Sharing of common security classes• Decrease maintenance.• DEMO: Show example of security classes using inheritance.iCUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.29

Why using rule overrides is important when writing securityclasses (Tip)• What is a rule override.• How do they get used within a security class.• DEMO: Show examples of rule overrides within security classes.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.30

Why logging can help in resolving security issues. (Tip)• How to turn on logging.• How log files are created based on the JVM processes.• Where are the log files located.• How to log for a given user.• How to read the log files.• DEMO: Show turning on logging for a given users and how to view ruleevaluation in log files.CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.31

WE WANT YOUR FEEDBACK!DON’T FORGET TO COMPLETESESSION SURVEYSPlease complete a survey for each session youattend at CUE. You can take the survey either viathe CUE Mobile App or from the CUE Website,www.cue11.lawson.com.And if you complete the post conference survey(coming to your inbox on Monday) you will getentered into a drawing for one of 10 free passesto CUE 2012in Denver!CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.

Thank You!!See you in Denver next year!April 22 – 25, 2012CUE 2011 Copyright © 2011 Lawson Software All rights reserved. BPP09 This presentation is confidential andauthorization for use and reproduction are stated in the 2011 online CUE catalog.33