Lawson Security – The Theory of Greatest Privilege Access Explained

When Lawson left LAUA security, it redesigned its hierarchical security as follows:

  • Roles
    • Classes
      • Tokens (or rules)

These have all followed the theory of greatest privilege access since v9.


What does this mean?

In the simplest form, it means that if there is an ALL_ACCESS and a DENY_ACCESS rule within the same class or role, the ALL_ACCESS wins and grants access to the rule.


Real world example:

Problem: Say you wanted to grant a user access to view an AP form but noticed that the form itself shows a vendor’s number under the TAX ID field.


If the vendor does not have a vendor number, typically they use their social security number and this is added to the TAX ID field which is a field on the APVENMAST table.


If we set DENY_ACCESS on the TAX ID field within APVENMAST, that field will appear blank or greyed out when the user loads the AP form again.


Let’s say this user eventually takes on newer tasks and gets a new role assigned to them to submit requisition orders, and this newly assigned access inadvertently grants ALL_ACCESS to the APVENMAST table.

This new access now overrides the DENY_ACCESS set on the TAX ID field and the user can now once again see the TAX ID field and reveal sensitive information such as a vendor’s social security number.
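
A small audit model of the scenario above, written in Python as an added example (not code from the original post or from Lawson/Infor). It assumes a simplified role > class > rule structure; the role, class and user names and the `APVENMAST.TAX_ID` notation are hypothetical, and it goes slightly beyond the single case in the text by reporting every DENY_ACCESS that an ALL_ACCESS grant overrides.

```python
# Constructed sample data. Role, class and user names are hypothetical;
# "APVENMAST.TAX_ID" is shorthand here for the TAX ID field on APVENMAST.
ROLES = {
    "AP_VIEWER": {"APViewClass": [("APVENMAST.TAX_ID", "DENY_ACCESS")]},
    "REQUISITIONER": {"ReqEntryClass": [("APVENMAST", "ALL_ACCESS")]},
}
USERS = {"jdoe": ["AP_VIEWER"], "asmith": ["AP_VIEWER", "REQUISITIONER"]}


def covers(rule_object, target):
    """A rule covers a target if it names it or names its parent table."""
    return rule_object == target or target.startswith(rule_object + ".")


def rules_for(user_roles, roles):
    """Flatten role > class > rule into (object, access, role, class)."""
    for role in user_roles:
        for cls, rules in roles.get(role, {}).items():
            for obj, access in rules:
                yield obj, access, role, cls


def effective_access(user_roles, roles, target):
    """Greatest privilege: any covering ALL_ACCESS beats every DENY_ACCESS.

    Returns None when no rule covers the target (the post does not say
    what the default is, so this model leaves it undecided).
    """
    found = {a for o, a, _, _ in rules_for(user_roles, roles) if covers(o, target)}
    if "ALL_ACCESS" in found:
        return "ALL_ACCESS"
    return "DENY_ACCESS" if "DENY_ACCESS" in found else None


def overridden_denies(users, roles):
    """Report each DENY_ACCESS that another grant silently overrides."""
    findings = []
    for user, user_roles in sorted(users.items()):
        flat = list(rules_for(user_roles, roles))
        for obj, access, role, cls in flat:
            if access != "DENY_ACCESS":
                continue
            for g_obj, g_access, g_role, g_cls in flat:
                if g_access == "ALL_ACCESS" and covers(g_obj, obj):
                    findings.append((user, obj, f"{role}/{cls}",
                                     f"{g_role}/{g_cls}", g_obj))
    return findings


if __name__ == "__main__":
    for finding in overridden_denies(USERS, ROLES):
        print("DENY overridden:", finding)
```

Running a check like this whenever a role is assigned shows which field-level restrictions the new role cancels before the user ever opens the form.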


I hope this helps when designing your security for employees.

How to Analyze a Cloud-based Log Quickly in Lawson

In a Lawson Cloud environment, it’s difficult to get logs off the server: you’re likely restricted to FTP access, and the latest logs are still being written to by the server itself, so trying to download them over FTP throws a deny exception.

I previously made another article on this explaining a workaround for this, but that takes a few extra steps and time. This is a quicker command line method if you need to test something immediately.


  1. First log in to Lawson Interface Desktop
  2. Go to the directory in which the logs exist
  3. Type this command: tail -500 <name of log file being written to> | lashow
  4. Example: tail -500 ios.log | lashow

As you see above, this uses the tail command with the -500 parameter, which returns the last 500 lines written to the log. You can change -500 to however many lines you want to return (the more lines, the longer it takes to load).

The optional piped LASHOW command opens the output in a separate scrollable and searchable window within LID.

This becomes especially useful when testing live forms or code in Lawson.


Good luck!

IP Designer Series – Landmark Admin Node

The Landmark Admin Node can be used to run command line utilities on the Landmark Server.  In the node properties, select the command you wish to run.  Then click Build and provide the parameters to be used in your command.


Resolving the “Operator Not Authorized to Change Unit Cost” error

This is one of those Lawson errors that could waste a morning of work looking through the Infor knowledge base, analyzing/changing security, and/or reviewing logs.


So, you’re on PO20.1 and want to make a change to a PO entry and get this error:

The resolution is actually incredibly simple: it can be changed on PO04.1 at the bottom of the Buyer Information tab (your settings may be different based on your needs).

If you happen to get a similar issue for a requisition cost change, “Requester not authorized to change unit cost”, simply go to RQ04 and allow unit cost override for the specific requester (your settings may be different based on your needs).

How to find a Lawson user ID from an HR11 Employee ID

Some Lawson Security systems are set up with the user ID being a combination of the last name with middle initials / first name initials.

Something like DoeJ for John Doe. Often users get their names updated due to a marriage or divorce and their user ID never gets updated along with their last name.

  1. To find the user by employee number, we need to first go to HR11 and find the user by their new last name to uncover their Employee ID.
  2. For this example, let’s say we search John Doe and it returns an employee ID of 264
  3. Now open Lawson Security Administrator and go to User Management >> Manage Identities
  4. Once in Manage Identities under “Services”, select the employee identity service, ours is named TEST10_EMPLOYEE:
  5. Select employee = <employee ID> and click Add Criteria
  6. Once the criteria is added, Execute Query
  7. You’ll be taken to the results tab, and if that user exists in Lawson Security, it will be shown there.

That’s all there is to it!


How to load email devices into LBI

  1. In LBI, open Reporting Services Report Administration
  2. Under Server Administration click on Email and Printer Settings:
  3. Select All Devices to see current list of devices and note the device type (important for loadfile):
  4. Now let’s build the loadfile in CSV format:

    From left to right, the columns are <ownername>, <username>, <user email>, <Device Type>

    If it’s a printer, replace username and user email with <printername> and <\\networkprinter>

  5. Now let’s import the file with Import Devices:

If there are any errors, it will let you know. If not, you can check the All Devices section to see if your device loaded in.

How to Stop an IPA Schedule

There are a couple of different ways to disable an IPA schedule to stop it from running.  One way is to disable the process itself.  To do that, open User Defined Processes (Start > Process Server Administrator > Configuration > Process Definitions > User Defined Processes).  Select the process being disabled and clear the “Is Process Enabled” flag.  It is important to note that this method will cause the schedule to go into an error mode, and will have to be cleared and requeued when you are ready to start the schedule back up.

The other way is to set the Latest Time to Run on the schedule.  I like to set it to some date in the past (like yesterday) to make absolutely sure the schedule won’t run again.  When you click Save, the next time to run dates will clear.  To start the schedule back up again, simply clear out the Latest Time To Run and save the schedule.

View IPA Schedules in Async Administrator

To view/edit your own schedules, log into Rich Client and navigate to Start > My Actions.

To view/edit ALL schedules, log into Rich Client and navigate to Start > Applications > Async Framework Components > Requests.  From there, you will be presented with a list of all Async Action Requests.  The IPA process schedules are under module “pfi”.




Triggering an IPA Process Manually

To trigger a process manually, you first have to set up a trigger.  From Rich Client, navigate to Start > Process Server Administrator > Scheduling > By Process Definition.  Click Actions > Create to create a new trigger.  For Process Name, select the IPA process that you want to run.  Enter a descriptive Work Title (the trigger will fail if it doesn’t have a Work Title).  Click Save.  Then, click Actions > Start.  Check the Work Unit log to see that your process has run!  If you want to delete your trigger, you will first need to delete the work units associated with it.

Activating Landmark Time Zones in Configuration Console

To activate the time zones available in your Landmark applications, from the GEN data area, go to Start > Configure > Application.  Under “Data Area” in the left panel, select “Time Zones”.  Find the Time Zone(s) that you want to activate, and double-click to edit.  Set the “In Use” flag.  Now that Time Zone will be available to select in your Landmark applications.