Infor Landmark Security Classes (ST) explained

This is a more in-depth look at the security classes assigned to Landmark Security Roles. For a better overview of Landmark Security Roles, see our article “Infor Landmark Security Roles (ST) explained”.


| Delivered Class | Access Details |
| --- | --- |
| BasicProductLineAccess_ST | In conjunction with ProductLineAccess_ST, provides general product line access that all Landmark actors need. |
| InbasketUser_ST | Access to user’s own Inbasket for reviewing and taking action on work items. |
| Lpa_ST | Access to the Infor Process Automation system, including menus in Infor Rich Client. All IPA users need this. |
| LpaAdmin_ST | Access to Infor Process Automation administration menu options in Infor Rich Client. |
| JobQueueAccess_ST | Access to the Landmark job queue. |
| ProcessAutomationProxy_ST | Access to business classes related to proxy assignments. |
| ProcessDesigner_ST | Access to the business classes that the Infor Process Designer tool needs. |
| ProcessSchedulingAllAccess_ST | Provides read, write access to IPA triggering features. |
| ProcessServerAllAccess_ST | Provides read, write access to all IPA features. |
| ProcessServerReadAccess_ST | Provides read access to all IPA features. |
| ProductLineAccess_ST | In conjunction with BasicProductLineAccess_ST, provides general product line access that all Landmark actors need. |
| ScheduledActionsAccess_ST | Provides the ability to schedule Landmark actions. |
| ConfigConsoleSecurityAdmin_ST | Provides all access to the Landmark Configuration Console. |



Infor Landmark Security Roles (ST) explained

From time to time you may get inquiries from a client’s audit team about Landmark Security Roles. This overview table helps explain their uses, assuming no modifications were made to them by the organization or Infor. For a more in-depth look at Landmark classes, see our article “Infor Landmark Security Classes (ST) explained”.


| Delivered role | Intended for use by | Contains these security classes |
| --- | --- | --- |
| InbasketUser_ST | Normal end-users who receive work items in the Inbasket | BasicProductLineAccess_ST, ProductLineAccess_ST, InbasketUser_ST, Lpa_ST, ProcessSchedulingAllAccess_ST |
| JobQueueServer_ST | Users who must perform actions on the Landmark job queue. | BasicProductLineAccess_ST, ProductLineAccess_ST, JobQueueAccess_ST |
| ProcessDesigner_ST | Process developers | BasicProductLineAccess_ST, ProductLineAccess_ST, ProcessDesigner_ST, ProcessSchedulingAllAccess_ST |
| ProcessServerAllAccess_ST | IPA system administrators | BasicProductLineAccess_ST, ProductLineAccess_ST, LpaAdmin_ST, ProcessServerAllAccess_ST, ProcessSchedulingAllAccess_ST, ScheduledActionsAccess_ST |
| ProcessServerReadAccess_ST | IPA assistant administrators, power users, developers (depending on policies at your site) | |
| Not delivered through a role. Assign the class to any role for users who need to assign proxies. | Users who need to assign Tasks to other users to cover for them. | ProcessAutomationProxy_ST |
| ConfigConsoleSecurityAdmin_ST | Users who need full access to the Configuration Console. | ConfigAdminAccess_ST, ConfigConsoleSecurityAdmin_ST |
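
The table only holds for roles that are still as delivered, so an audit answer first needs to confirm that a site's roles match it. The following is an added example (not Infor's code and not part of the original article) that compares a role-to-class listing against the table and reports differences. The `role: class ...` listing format, the severity labels, the choice of privileged classes, the `SiteProxyAssigner` role and the sample data are assumptions made for illustration.

```python
COMMON = {"BasicProductLineAccess_ST", "ProductLineAccess_ST"}
# Delivered role -> security classes, transcribed from the table above.
# ProcessServerReadAccess_ST is left out: the table lists no classes for it.
DELIVERED = {
    "InbasketUser_ST": COMMON | {"InbasketUser_ST", "Lpa_ST", "ProcessSchedulingAllAccess_ST"},
    "JobQueueServer_ST": COMMON | {"JobQueueAccess_ST"},
    "ProcessDesigner_ST": COMMON | {"ProcessDesigner_ST", "ProcessSchedulingAllAccess_ST"},
    "ProcessServerAllAccess_ST": COMMON | {
        "LpaAdmin_ST", "ProcessServerAllAccess_ST",
        "ProcessSchedulingAllAccess_ST", "ScheduledActionsAccess_ST"},
    "ConfigConsoleSecurityAdmin_ST": {"ConfigAdminAccess_ST", "ConfigConsoleSecurityAdmin_ST"},
}
# Assumption: classes described above as administration or all-access count as privileged.
PRIVILEGED = {"LpaAdmin_ST", "ProcessServerAllAccess_ST", "ConfigConsoleSecurityAdmin_ST"}

def parse_export(text):
    """Parse 'role: class class ...' lines (assumed format) into {role: set}."""
    roles = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        role, classes = line.split(":", 1)
        roles.setdefault(role.strip(), set()).update(classes.split())
    return roles

def audit(current):
    """Return sorted (severity, role, message) findings against DELIVERED."""
    findings = []
    for role, classes in current.items():
        base = DELIVERED.get(role)
        if base is None:
            sev = "HIGH" if classes & PRIVILEGED else "INFO"
            findings.append((sev, role, "not a delivered role; review manually"))
            continue
        for cls in classes - base:  # classes granted beyond the delivered set
            sev = "HIGH" if cls in PRIVILEGED else "MEDIUM"
            findings.append((sev, role, f"added class {cls}"))
        for cls in base - classes:  # delivered classes that were removed
            findings.append(("LOW", role, f"missing delivered class {cls}"))
    return sorted(findings)

# Constructed sample listing, not real site data.
SAMPLE = """
InbasketUser_ST: BasicProductLineAccess_ST ProductLineAccess_ST InbasketUser_ST Lpa_ST ProcessSchedulingAllAccess_ST LpaAdmin_ST
JobQueueServer_ST: BasicProductLineAccess_ST JobQueueAccess_ST
SiteProxyAssigner: ProcessAutomationProxy_ST
"""
if __name__ == "__main__":
    print(*audit(parse_export(SAMPLE)), sep="\n")
```

An empty result means every listed role matches the delivered composition; any finding means the table above no longer describes that role as it exists on the site.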


Generating a simple approval level report from the Landmark database

Lawson natively supports requisitions and a hierarchical requisition approval system within organizations. Some use both the approval strings found in RQ02 and filters set up within Lawson Rich Client (an application in Lawson Landmark). More information can be found in another of our articles, titled “A Brief Overview into the Lawson Requisition and Approval Process”.


To generate a database dump of all approvers and their levels using my method, you’ll need read access rights to the LSL, IPA, and GEN databases and must be using SQL.


    1. Log in to your TEST or PROD database application.
    2. Create a new query window and paste in the SQL code below. One copy is a screenshot to show syntax highlighting and the other is the raw code for your convenience.

      Run the query and your results should look like this:
    3. Copy and paste with headers into Excel to filter down the data or edit the query.

I’ve included an Active Status to show which locations are active or inactive. This can be changed in RQ01 per company and location.

Feel free to optimize the query to your liking if you see any inefficiencies. Remember, this is only for approval levels on the Landmark side, not the RQ02 strings themselves.

Landmark Application Configuration Overview

The Landmark Configuration Console allows you to effect system-wide changes with no downtime for your users.  You can personalize your Landmark applications in a multitude of ways:

  • Add custom fields
  • Move fields or remove them from forms
  • Set fields to required
  • Modify list columns (add/remove/rearrange)
  • Create new
    • User interfaces (pages, lists, etc)
    • Business classes (data, objects, etc)
  • Security
    • Use the Security Configuration tool to modify security classes, rules, and roles
  • Web Services
    • External systems communication with Landmark business classes using SOAP, HTTP, WSDL, or REST

The Infor-delivered role that will allow users to access Configuration Console is GlobalUIConfigAccess_ST. The role that will allow users to access Security Configuration is SecurityConfigAccess_ST.

Get Business Class and Field Names for Landmark Applications

When setting up Landmark queries for IPA or Spreadsheet Designer, it helps to know which business class and field you are working with. You can get these values in any Landmark application form (web-based or in Rich Client) by pressing Ctrl+Shift and clicking on the field.

Landmark Security Access

To maintain Landmark Security (classes and roles), in the Gen environment in Rich Client, go to Start > Configure > Security. If you don’t see Security or Configure, you will need to have your Security Administrator give you access to it. The Infor-delivered role for this is “ConfigConsoleSecurityAdmin_ST”. Have that role added to your account and wait about 30 minutes for the sync to complete.

Setting up PGP Encryption in Landmark

There may be multiple applications for PGP encryption keys at your organization.  It is very simple to create and use the keys using the secadm tool on your Landmark server.

  1. On your Landmark server, open a command line tool and set your environment
  2. Type the command secadm -m, then enter the security utilities password if prompted
  3. Select option “Key management” (in later versions, this is found under Service Management)
  4. Choose option “Generate PGP Key Pair for a service”
  5. Enter the service (such as SSOPV2)
  6. Open the Service in Rich Client and validate that the PGPPrivateKey and PGPPublicKey properties were added

How to Resolve Workunits Sitting in Ready Status

Problem: Workunits for Infor Process Automation are sitting in Ready Status and not processing.

1. Via LmrkGrid (Grid Management), determine how many workunits may simultaneously process in your system (see attached “DeterminingSimultaneous.docx”).

2. Determine how many workunits are currently in a processing state.

NOTE:  Please refer to attachment “DeterminingSimultaneous.docx” for instructions on determining simultaneous processes.  In case you will need to engage support, you should screenshot this information to provide when you open the support incident.


– Command to count records in Ready Status:  dbcount <DATAAREA> -f Status=\"1\" PfiWorkunit

– Command to count records in Processing Status:  dbcount <DATAAREA> -f Status=\"2\" PfiWorkunit

– Command to count records in Completed Status:  dbcount <DATAAREA> -f Status=\"4\" PfiWorkunit


It is a good idea to monitor and take counts of these records periodically. Is the number of workunits in Ready status growing? Is the number of workunits in Completed status growing? Is the number of workunits in Processing status equal to the maximum number of workunits that can simultaneously process?

NOTE: If the number of workunits in Ready Status is growing and the number of workunits in completed status is not, then either:

  1. You have workunits that have been processing for a very long time and are holding up the system; use the Grid Management UI to determine which workunits have been processing so long, and whether they are stuck in a loop or are just large jobs processing normally. Consider cancelling the long-running workunits and scheduling them to run outside business hours.
  2. If you are on Landmark 10.1.0.x, there was a bug in this version of Landmark that periodically caused Async to stop picking up new workunits. This issue was resolved by a rewrite of the Async and LPA nodes in Landmark 10.1.1.x versions. If you are on Landmark 10.1.0.x, you should restart the Async node and the IPA node.

NOTE: The workunits that were already queued to an LPA node will not automatically start back up;  the workunit polling frequency (default 30 minutes) will need to trigger before they are requeued to a new LPA node.

Troubleshooting: Rich Client workunit log too large to extract

Depending on the process run, workunit logs can grow extremely large, so large that you may not be able to extract the full log from the Landmark Rich Client. In this case, you can use the dbexport command below to extract the log from a Landmark command prompt.

What Is the Landmark Command Prompt?
The Landmark administrator will perform many tasks from a command prompt. When you are instructed to use a Landmark command prompt, you should be sure you are in the Landmark Environment that you want to use, and that all environment variables are set correctly.

Setting Environment Variables
Before you start: before you perform this procedure, be sure that the /etc/lawson/environment/environmentName/ file contains the appropriate settings for environment variables.


Use this procedure to export the appropriate environment variables for your Landmark Environment before issuing commands from a Landmark command prompt.

To set the Landmark Environment variables

At a command prompt, type

. cv landmark-env-name

Where landmark-env-name is the name of the Landmark Environment.


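Then run dbexport, replacing #### with the workunit number and <dataarea> with your data area:

dbexport -C -f "PfiWorkunit=####" -o . -n <dataarea> PfiWorkunit

For example:

dbexport -C -f "PfiWorkunit=7000" -o . -n prod PfiWorkunit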

Adding a custom field to a form using Configuration Console

Find the name of the Form and the Business Class that you want to add the field to (Ctrl-Shift-Click on any field on the form)

Log into Rich Client and go to Start > Configure > Application (make sure that you have been granted access to Configuration Console)

Find your Business Class, and click “User Fields” under the class

Click the “blank paper” icon to add a new user field

Give your user field a meaningful name (no numbers or special characters allowed, and the field name must begin with an upper-case letter)

Next, go to configured forms and find the form name that you noted earlier

If this form has never been customized, you may need to click the blank paper icon to add it to the Configured Forms list

Once the form has been added as a configured form, click on the form name, then click “Configure”

Navigate to the location where you want to add the user field

Click the blank paper and select “User Field”

Configure the user field for the form

Click “Save” and verify that the user field is now on your screen