fosterjr
18th November 2003, 16:23
We are auditing Baan access to specific critical Baan sessions. As a result of this audit, we found several users where the authorizations listed in Resulting Session Authorizations by User matched ttaad231 (table session authorizations). However, the user was able to run sessions that they did not have access to.
For instance, powelll did not have session authorizations for tfgld0108m000 (Maintain Chart of Accounts). This user also did not have access through Module Authorizations. He was defined as a Normal user in Maintain Users and /baanc/bse/lib/user/upowelll was set as "N" as well. There was no convert to runtime indicators for this ID. However, this user was able to run the session. I first tried giving powelll authorizations for tfgld0108m000, converting to runtime, deleting the access and converting to runtime again. powelll was still able to access the session. Then I went into Maintain Module Authorizations by User, added tfgld, converted to runtime, deleted tfgld and converted to runtime. Finally, his authorizations worked.
I am very concerned that there are other IDs like this. Is there a way to rebuild authorizations so that runtime DD matches authorizations? How could this have happened? How can we prevent it from happening again? I cannot at this time rely on Resulting Session Authorizations by User to give me a valid audit of authorizations on our system.