Using IPA to Update SSOP Identity after AD FS Configuration

Once your AD FS configuration is done, you’ll need to update the SSOP identity with the userPrincipalName for all of your users in Lawson Security. IPA is a great tool for this task.

Some nodes that you’ll need include:

  • System Command – get AD users
    • Run a PowerShell command to get the samAccountName and userPrincipalName from Active Directory
    • powershell "Get-ADUser -Filter * -SearchBase '<OU Path (e.g. OU=Users,DC=company,DC=org)>' | Select-Object SamAccountName,UserPrincipalName | ConvertTo-Csv -NoTypeInformation"
  • Data Iterator to iterate through the results from the AD query
  • Resource Query
    • Get User by querying on SSOP value
  • Resource Update
    • Using the ID from your Resource Query, Update the SSOP service
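
Because the Resource Update overwrites the identity each user signs in with, it is worth checking the AD export before the flow runs. The following is an added example, not part of the original flow: the function name Test-SsopExport and the sample rows are constructed, and it flags accounts whose UPN is blank, malformed, or shared with another account.

```powershell
# Constructed sample of the CSV the Get-ADUser command above emits.
$sampleCsv = @'
"SamAccountName","UserPrincipalName"
"jdoe","jdoe@company.org"
"asmith","asmith@company.org"
"svc_batch",""
"jdoe2","JDoe@company.org"
"tlee","tlee"
'@

# Hypothetical helper: one result row per AD account, with a reason when it is unsafe to update.
function Test-SsopExport {
    param([Parameter(Mandatory)][string]$CsvText)

    $rows = @($CsvText | ConvertFrom-Csv)

    # UPNs claimed by more than one account (Group-Object is case-insensitive).
    $shared = @($rows | Where-Object { $_.UserPrincipalName } |
        Group-Object -Property UserPrincipalName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name })

    foreach ($row in $rows) {
        $upn = "$($row.UserPrincipalName)".Trim()
        $reason = $null
        if (-not $upn) { $reason = 'missing UPN' }
        elseif ($upn -notmatch '^[^@\s]+@[^@\s]+$') { $reason = 'malformed UPN' }
        elseif ($shared -contains $upn) { $reason = 'UPN shared by several accounts' }

        [pscustomobject]@{
            SamAccountName = $row.SamAccountName
            Ssop           = $upn
            Update         = -not $reason
            Reason         = $reason
        }
    }
}

# Rows with Update = False should be fixed in AD before the Resource Update runs.
Test-SsopExport -CsvText $sampleCsv | Format-Table -AutoSize
```

Feeding only the rows with Update = True to the Data Iterator keeps the flow from writing an empty or ambiguous SSOP value.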

Nogalis Soars at the 15th Annual West Coast Mega Conference

Kicking off 2018, the Lawson user group community held its first event, the 15th Annual West Coast Mega Conference. Bringing together the Pacific Lawson User Group (PLUG), Southern California, Arizona, Nevada Lawson User Group (SCANLUG), and Northern California User Group (INCLU), 19 vendors and over 100 attendees gathered at the Pacific Life building in Newport Beach, California for a 2-day conference on January 23rd and 24th. Attendees chose from over 60 educational sessions covering topics from upgrading to the latest Lawson version to migrating from on-premise to the cloud. Nogalis hosted 2 sessions (Payroll Automation – How we pay 100,000 employees weekly using IPA with no user interaction & How Several Lawson Clients have cut Operational Costs by 35%) with almost 40 attendees, among the largest turnouts of any vendor session.

In recent years, Nogalis introduced their new security product, LSFIQ. The 2018 West Coast User Conference was the first at which attendees could see the latest version of LSFIQ. People who visited the booth were given quick demos of the product, and those interested were signed up for a free version to test out. In return, they were entered in a drawing for a chance to win a bitcoin wallet valued at over $100. And just for visiting the booth, attendees were given phone hook clips branded with the Nogalis logo to attach to their mobile phones as a handy phone stand and holder. The bitcoin wallet gathered interest; however, the grand prize was the talk of the event. Those who attended either of the Nogalis sessions were automatically entered in a drawing for a chance to win a FREE helicopter ride from local flight school, Revolution Aviation. The ride would include an introductory lesson, a 40 minute – 1 hour tour of Orange and Los Angeles County, and an opportunity to take control of the aircraft in the pilot’s seat! With many of the attendees being Southern California residents, there was no doubt they wanted to get their hands on this amazing experience.

As gold sponsors once again, Nogalis hosted the evening event at the Marriott hotel, where attendees and vendors enjoyed great food, played casino games, networked with one another, and won raffle prizes.

Batch Error

When Lawson batch jobs are not running, they return the following error:


User: lawson Job: C Queue: **********


BEGIN: Job Submitted: Wed Dec 6 11:30:01 2017

Step 1: CU201 Started. . . . . .: Wed Dec 6 11:30:01 2017

Token Command. . . . . .: D:\lsfprod\law\prod\obj\CU201.gnt

Executable Command . . .: D:\COBOL\bin64\run.exe D:\lsfprod\law\prod\obj\CU201.gnt prod NT00000002 C 1

Process ID . . . . . . .: 11996

Running as Account . . .: \lawson

Program Messages:

Load error : file ‘lacobrts.dll’

error code: 173, pc=0, call=1, seg=0

173 Called program file not found in drive/directory

Elapsed Time . . . . . .: 00:00:00

ERROR: Stopped On Exit 32. Elapsed Time: 00:00:01

END: Job Ended: Wed Dec 6 11:30:02 2017 

The error message in the job log points to a problem with lacobrts.dll, but the actual problem was related to the local security policy. This error was resolved by reviewing the setup for the lawbatch id. The LSF system in this example had a secured ldapbind. The domain lawbatch id should be added to the Local Security Policy under User Rights Assignment for “Log on as a batch job” and “Allow log on locally.”
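
One way to check those two rights without opening the policy console, as an added example that is not part of the original post: the function name Get-MissingLogonRight, the sample export and the SID are constructed, and the account is compared by SID only.

```powershell
# Constructed excerpt of a user-rights export. On a real server, create it with:
#   secedit /export /areas USER_RIGHTS /cfg C:\temp\rights.inf
$sampleInf = @'
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
'@

# Constructed SID standing in for the domain lawbatch id. A real one can be resolved with:
#   ([System.Security.Principal.NTAccount]'DOMAIN\lawbatch').Translate(
#       [System.Security.Principal.SecurityIdentifier]).Value
$lawbatchSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# Hypothetical helper: returns the labels of the required rights the SID is not listed under.
function Get-MissingLogonRight {
    param(
        [Parameter(Mandatory)][string]$InfText,
        [Parameter(Mandatory)][string]$AccountSid
    )
    # Policy constant -> label shown under User Rights Assignment.
    $required = [ordered]@{
        SeBatchLogonRight       = 'Log on as a batch job'
        SeInteractiveLogonRight = 'Allow log on locally'
    }
    # Collect the SIDs listed for each right ("*" marks a SID in the export).
    $granted = @{}
    foreach ($line in ($InfText -split '\r?\n')) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $granted[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    # Emit the label of every required right the account is not listed under.
    foreach ($right in $required.Keys) {
        if (@($granted[$right]) -notcontains $AccountSid) { $required[$right] }
    }
}

Get-MissingLogonRight -InfText $sampleInf -AccountSid $lawbatchSid
```

For a real export, pass the file contents read with Get-Content -Raw as -InfText. A right granted only through group membership, or an entry the export lists by name instead of SID, is reported as missing, so confirm such results in the Local Security Policy console.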

Security Violation

When applying a patch to the LSF environment, we saw Security Violation errors on environment utilities even though security was turned off. In the example below, the error was returned when running ldunivtkns (to load environment tokens) and envrelease (to show the environment version). This issue was resolved after contacting the network team to replicate file system permissions from an older Lawson server. It was not shared exactly which permissions were changed, but once the new permissions were applied, the Security Violations in the logs were replaced with the appropriate responses from the commands.

Initial Error


Error Resolved


Environment Security Settings

Exporting LAUA Security Classes

You may be upgrading a client from LAUA to 901+ and will need to view their existing security classes in LAUA.  Whatever the reason, this is how you dump LAUA security.

Log in to your server through LID.

Type LAUA >> Press Enter and you’ll be in Lawson User Security screen.

Press F7 >> D (Form Security)

Follow these parameter settings:

Now press F8 and send to A. File, B. Printer, or C. Screen

Your output should look something similar to this:


That’s it!  Now you can maneuver through LAUA screens and view/dump other useful data such as security class assignments, etc.


Installing CTPs in Lawson

Here is a quick reference for installing CTPs in Lawson.

  1. Download and save CTP to LSF Server
  2. Extract .tar (unzip) on LSF server to folder (d:\patch\CTPXXXX)
  3. Log on LID as Lawson
  4. Change directory to extracted CTP location:
    cd d:\patch\CTPXXXX
  5. Run command: perl %gendir%/bin/lawappinstall preview <PRODLINE> (make sure it completes successfully)
  6. Rename/Save Preview.log
  7. Run command: perl %gendir%/bin/lawappinstall update <PRODLINE> (make sure it completes successfully)
  8. Run command: perl %gendir%/bin/lawappinstall activate <PRODLINE> (make sure it completes successfully)
  9. Go to the Lawson application and perform general testing to make sure everything is up and running.


If the ACTIVATE mode stops at dbreorg, this is likely due to activity in the DB (“database in use”) or “No such file or directory”. Perform the following:

On the LSF Server

Windows Services:  Stop the IBMWASXXService – LSFAPP – This prevents users from accessing Portal

Windows Services:  Stop Lawson.insightEnvironment “PRODLINE” – stops LID to disconnect LID users

Task Manager:  End all java processes

Windows Services:  Start Lawson.insightEnvironment “PRODLINE” – starts LID

In LID, run the reorg manually:  dbreorg PRODLINE

Run the ACTIVATE step again


Increase Security Employee Search Limit in Lawson Portal

While using Previous/Next on a record in Lawson portal, you may eventually stumble upon a pesky error message of:

“Security search limit of X employees exceeded” (X being anywhere from 1-100+)

Commonly this can happen when restricting user access via process level, department, etc.

What happens when you click next or previous while inquiring on employees is that Lawson is searching in blocks of records based on your specified search limit.

For example:

If the Employee Security Search limit is set to 10 and we click next to inquire on the next employee record in HR11.

Lawson searches the next 10 employee records to see if the user has access to them.  If they do not, you will get the error message: “Security search limit of 10 employees exceeded”.

When we get the error, we should be on employee record number 10 – meaning if we click next again, we will be on employee number 20 if we do not have access to the next 10 records again.


Ideally we’d like to reduce clicking next 10+ times by increasing the search limit.



Don’t forget to click CHANGE after adjusting Employee Search Limit

As seen above, changing the search limit to something higher like 100 or more can dramatically reduce the number of clicks to get to the next record that the user has access to.

If we change it to 100 and the next employee record is #200, it will only take 2 NEXT clicks to get to that record.

Introducing A Free Tier of LSFIQ Lawson Security Reporting

Today we are introducing a free tier of our super popular security reporting application.

LSFIQ is the only cloud-based application that enables you to upload and analyze your Lawson Security data with ease and with no software to install. Simply upload two easy-to-create files into your LSFIQ account and get access to dozens of incredible reports that give you instant, detailed view into your security data. And now there is a great new free version.

It has taken us a while to make the freemium vision come to life but we are proud to announce that as of 2017, you can use our application completely free with no obligation to ever buy.

Learn More About LSFIQ and Sign up for your Free Tier today!

PR160 ACH Output Format

If you upload the ACH file generated by PR160 to your bank, chances are you will need to fix the formatting after your upgrade to version 10. Some banks require the 94-character fixed width format, rather than the sequential format that is the Lawson default. Here are the steps to update your ACH file format.

  1. In LID, type in the command workdef
  2. Search for your product line and the File name TAPE
  3. File Media should be “Tape”
  4. The default “Value” for file name is PR160-ACHTAPE. If you need to drop the file under a custom name, you will enter it in the “Value”. If you want to keep the default, leave that field blank.
  5. Click enter twice to save your changes
  6. The PR160-ACHTAPE file is defaulted to save in the user’s print directory. If you want it saved somewhere else, you can supply the filename on the PR160 job. If you supply a file path on PR160, make sure the file name matches the “Value” field in workdef.
  7. In Lawson Security, make sure that your Batch role has access to the cnvexp development token

Copy User Jobs/Reports to Another User

This scenario may be familiar for you if you’ve been living in the Lawson world.

Let’s say Sarah got promoted or transferred to a new position. The first thing we do is assign Sarah her new security access, but all the Lawson jobs/reports that she used to run no longer pertain to her new position. Rather, Sarah needs a new set of jobs to run and instead of creating them one by one from another user in her new department, we can simply copy them over from another user.


By the name of the command, you may think we are deleting users, but nope, there is a hidden gem inside.

First, let’s log in to LID, then type the delusers command and press Enter.


You’ll now see a list of your users >> Press F8


You’ll now be able to Copy reports and jobs:


Make sure you select “Yes” for Reports and/or Jobs.

For any existing jobs/reports that have the same name as those of the user you’re copying from, you will be prompted to rename the job/report before continuing.

Enjoy your new jobs/reports!