8.1 Lawson Security Overview Del Dehn Product Manager.

Page 1

8.1 Lawson Security Overview

Del Dehn, Product Manager

Page 2

Agenda

• Security domains

• Upgrade considerations

• Summary

• 8.1 Technology project update

• Questions and answers

Page 3

Lawson Security Domains

8.1.0 Technology Security Domains

• User management

• Authentication

• Authorization

Page 4

Lawson Security

Authorization

Authentication/Single sign-on

Resource Management

Page 5

Lawson Security

• Business process focused security

• Central repository for security administration (Resources)

• Organizational modeling (Roles)

• Rules builder (Rules)

• Single sign-on

• Additive security paradigm

• Database auditing (front-end, back-end sign-on)

Page 6

Lawson Security: Design Features

• Designed as a centralized service
  – Callable by all Lawson layers

• Roles and Rules based
  – An industry prevalent approach

• Driven by user and corporate information
  – Flexible security to accommodate the customer’s business structures

• Administration tool for policy modeling
  – Test new structures or security policies

• Attribute based security
  – Same concept as attributes in LDAP structures

• Fine grained securable objects
  – For example, field level security

Page 7

User Management

Page 8

User Management Domain

Lawson Resource Management

• Central repository for globally interesting data
  – user name, email address and roles

• Create custom attributes

• Structure – organizational chart modeling

• Non-organizational chart structures allowed

Page 9

Organizational Modeling: Changes for Individuals

[Organization chart: Small Company, Inc. Positions shown: CEO, CFO, CIO, Controller, Project Manager, Senior Programmer]

Project Manager is promoted to CFO

“Roles” domain

LDAP Server: Microsoft ADAM 2003

Changes to structures can be made in a “drag and drop” fashion

Page 10

Organizational Modeling: Changes for Groups

[Organization chart: Big Company, Inc. Positions shown: CEO, VP of Sales, VP of Marketing, Director of Sales, Director of Marketing, four Sales Managers, four Marketing Managers]

Director of Marketing with all of his/her directly reporting Marketing Managers is moved to the direct supervision of the newly created position of VP of Marketing

“Roles” domain

LDAP Server: Microsoft ADAM 2003

Changes to structures can be made in a “drag and drop” fashion

Page 11

Resource Management: Structure

Page 12

Authentication

Page 13

Authentication Domain

Lawson Authentication 8.1.0

– Single Sign-on

– Database (DB) user authentication

– Session management

– Secure credential storage

– Identity management

Page 14

Single Sign-on for End Users

Page 15

Authorization

Page 16

Authorization Domain

The new Lawson Security model

• Business process focused

• Rules and Roles based

• Granular security checking

• Object oriented

• Flexible policy modeling
  – Allows organizational modeling for security
  – Allows attribute driven policies
  – Element based policies

• Allows for distributed administration

Page 17

Authorization: Roles and Rules

• Roles
  – Organizational roles
  – Organizational structures

• Rules
  – Rules builder
  – Simple or complex

• Rules written for Roles govern the security privileges of end-users assigned to a Role(s)

Page 18

Benefits of Role-Based Security

• Transparency
  – User’s roles are defined by business needs
  – Security classes and privileges are defined by business tasks

• Stability
  – Access needs for a task do not change often
  – User’s roles change more frequently

• Efficiency
  – Changing access for a given task accomplishes changes for all affected users

Page 19

Lawson Security: New Rules

• Rules apply to “securable objects”
  – Product lines
  – System codes
  – Forms and their fields
  – Drill Around®
  – Tables and the columns in a row
  – Environment objects – printers, etc.

Page 20

Security Rules

• Rules can be unconditional
  – Grant All Access/Deny Any Access
  – Builds fast, efficient access control lists

• Rules can be unconditional but allow limited access
  – Inquire only, for example

• Example
  – ADD_EMPLOYEE class:
    EMPLOYEE table: ALL_ACCESS
    (users that are employees can view their own information)

Page 21

Conditional Rules

• Data can be secured based on attributes of the user
  – If (user.getAttribute('Department') == 'HR') then 'IACD' else 'I'
    (if user is in HR Department, then can change information)

• Data can be secured based on the data values
  – If (table.EMPLOYEE == user.getEmployeeId()) then 'IACD' else 'I'
    (user can change own information and see all others)

• Data can be secured using other kinds of functions
  – Time of day, database reads, etc.

Page 22

New Security Model

• Rules express security policies
  – Rule execution allows or denies access to a securable object

• Security Classes group rules for common tasks
  – Constitutes a task oriented privilege pack

• Multiple security classes to Roles
  – Easy creation of Roles with overlapping functionalities

• Multiple Roles to users
  – Allows for multiple responsibilities

Page 23

A Security Policy Illustration

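[Diagram with four columns linking Users to Roles to Security Classes to Securable Objects]

Users: Jane, John, Steve, Mary

Roles: Employee, HR Manager, Payroll Manager, Payroll Clerk

Security Classes: Employee Info, Manager Info, Payroll Access

Securable Objects: Form HR11, Check Printer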

Note: Users can be assigned multiple Roles simultaneously
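
The chain Users → Roles → Security Classes → Rules → Securable Objects, together with the two conditional rules from the Conditional Rules slide, as an added Python example (not Lawson code and not part of the presentation). Assumptions of this example: the role and class assignments and employee IDs are constructed, the access letters are read as Inquire/Add/Change/Delete, access from several roles is combined by union, and an object with no matching rule is denied.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    employee_id: int              # constructed IDs
    roles: set
    attrs: dict = field(default_factory=dict)

# A rule maps (user, record) to an access string. The letters are assumed to
# mean Inquire, Add, Change, Delete, after the 'IACD' / 'I' values on the slide.
def hr_department_rule(user, record):
    return "IACD" if user.attrs.get("Department") == "HR" else "I"

def own_record_rule(user, record):
    return "IACD" if record.get("EMPLOYEE") == user.employee_id else "I"

def all_access(user, record):     # unconditional rule
    return "IACD"

# Security class -> {securable object: rule}. Assignments are constructed.
SECURITY_CLASSES = {
    "Employee Info": {"EMPLOYEE table": own_record_rule},
    "Manager Info": {"EMPLOYEE table": hr_department_rule, "Form HR11": all_access},
    "Payroll Access": {"Check Printer": all_access},
}
# Role -> security classes. Assignments are constructed.
ROLES = {
    "Employee": ["Employee Info"],
    "HR Manager": ["Employee Info", "Manager Info"],
    "Payroll Clerk": ["Payroll Access"],
}

def effective_access(user, obj, record=None):
    """Union of the letters granted by every rule reachable through the user's roles."""
    granted = set()
    for role in user.roles:
        for cls in ROLES.get(role, []):
            rule = SECURITY_CLASSES[cls].get(obj)
            if rule is not None:
                granted |= set(rule(user, record or {}))
    return "".join(c for c in "IACD" if c in granted)  # "" = no rule, no access

def is_allowed(user, obj, action, record=None):
    return len(action) == 1 and action in effective_access(user, obj, record)

jane = User("Jane", 101, {"Employee"})
mary = User("Mary", 102, {"Employee", "HR Manager"}, {"Department": "HR"})
steve = User("Steve", 103, {"Employee", "Payroll Clerk"})
```

Because the role alone does not satisfy the attribute rule, a user holding HR Manager whose Department attribute is not 'HR' still gets only 'I' on other employees' records.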

Page 24

Lawson Security Securable Objects

Page 25

Deny Access to a Form Field

Page 26

Security “Off” – All Form Transfers are Available


Page 27

Secured: Form Transfers are Hidden

Page 28

Upgrade Considerations

Page 29

Lawson Security: 8.1 release

• Provides security for all Lawson Portal based products
  – LAUA security – not required
  – Security extensions (e.g., HR security) – not required

• Lawson Security and LAUA security can operate concurrently
  – Lawson Security – Lawson Portal Users ONLY
  – LAUA security – Lawson Portal Users and LID users
  – Each end user must be secured by only one security mechanism, not both

Page 30

Transitioning to 8.1 Lawson Security

• Security mechanism assignment per end user

• Enables phased migration from LAUA security to Lawson Security

• Migration from LAUA to Lawson Security by:
  – End user
  – Role
  – Group
  – Structure
  – Etc.

• Not a “Big Bang” approach

Page 31

Lawson 8.1 Technology Release

• 8.1 Technology = Environment, Internet Object Services (IOS) and Lawson Portal

• 8.1 Technology will support:
  – 8.1 Applications
  – 8.0.X Applications

• Existing or upgrading 8.0.X Applications customers are not “cut off” from implementing 8.1 Technology

• 8.0.X Applications customers can utilize 8.1 Technology features without needing to upgrade to 8.1 Applications

Page 32

8.1 Lawson Security: Summary

• Flexibility and power to create security policies based on how your organization does business

• Major components:
  – Resource Management and LDAP (roles, structures)
  – Authorization (rules engine)
  – Authentication and Single sign-on (SSO)

Page 33

8.1 Technology Project Update

The scheduled release of Lawson 8.1 Technology has been moved to Lawson’s Q1FY06 (June – August 2005) after a recent review of the project’s milestones and metrics.

This release is being measured against the quality standards and milestones of Lawson’s CMMI methodology and whole company readiness metrics. The review indicated that an adjustment to the proposed schedule would not only deliver much improved performance, usability and security, but also a quicker time to benefit for Lawson clients.

Page 34

Questions?