Hello Everyone,

I have a question related to Baan 5 Authorization. I have created a user say XYZ. I have a company called say 500. I have given the following authorization for the user XYZ.

=> Full Tables access for Company 500 (using session ttams3144m00 - Table Auth. for Company).

=> Full Authorization for Package TD (using session ttams3130m00 - Session Auth. by Package).

And then what I did was give the following authorization :-

=> NO AUTHORIZATION for session tdsls4500m000 (using session ttams3132m000).

Now all these 3 authorization has be done in 3 different roles and the user has been attached these 3 Roles.

Now , the problem is that , the user is able to run tdsls4500m000 w/o getting any errors. I am assuming that the user shld not be able to run this session (like what use to happen in Baan IV under the same scenario).

Am I missing anything here ?

Thanks for the help.

Regards,

RM.

Rajiv,

The AMS is different in BaaN-4 to 5 series.

Refer to the BaaN Administrator's Guide.

Ultimately, the employee¡¦s role is a combination of all the authorizations defined in the user¡¦s roles and subroles. Recursive role structures are not allowed. For example, a junior software engineer cannot have the authorizations of a senior
software engineer in a subrole. Figure 7.2 shows an example of the combined authorizations of two different roles.
Figure 7-2 An example of combined authorizations for more than one role
For example, a department manager has more responsibilities than the employees in the department and therefore has more database authorizations. Consequently, the manager has two roles:
􀂄ƒnThe role of the employee with the appropriate restricted authorizations.
􀂄ƒnThe manager¡¦s role with additional authorizations, which are only relevant for the manager.
The restrictions on the database authorizations of the two roles are combined for the department manager. However, if the database authorizations are restricted for one role but not for the other role, the department manager will ultimately have permission to carryout the database actions.

So role has the authorization after the cumulation of all the authorizations. It depends on the company policy about security, you can move all authorization set to one role or have different roles for tools and functional.

Hi NP,

Thanks for the reply.

Does this mean that if a user has been attached conflicting( If I can call it so) authorization i.e. one giving access and other restricting it. He/She will be able to do execute the sessions ?

If the answer to the above question is Yes, then how do we restrict the user from running only a few sessions from TDSLS ??

Hello Everyone,

I found the way to do what I wanted to achieve.

If you have to give authorization to all the sessions under one package and take away a few sessions from that package. Instead of making a new Role to Take away the authorization. Use the same Role to give and to take away the authorization and that works.

Thanks again NP.

Regards,

RM.