Hey, Gang! A co-worker of mine who does our DEM flows and grants user permissions asked me to post the following question:

I use session ttaad2131m000 to assign session permissions to users. Is there an easy way to grant permission for one session to 500 users all at once without having to add permissions individually? For instance, if a subsession is added to a main session in which 500 users have access I need an easy way to make sure everyone with access to the main session also has access to the new subsession without having to add permissions one at a time.



I'm not familiar with permissions, but I know what she is trying to do is add permissions to a group of users. I asked if users could be assigned to groups, and she said she was not sure how to do this... We are exercise strict security, so her job is very tedious.

Thanks!

Dee,

I am not sure about the DEM possibilities here. If you are using BaanERP, you can assign the extra session to a role which in its turn is linked to a group of users. Someone correct me if I am wrong.

Another option is to change some of the tools tables outside Baan:

[LIST=1] Dump the table ttaad231 (Session authorizations) and add all the records for the one extra session through a shell script. Then upload the table again.

Then add for each change you made in ttaad230 a corresponding record into the ttaad400 table which contains the runtime conversion flags. To know which values go into each field of ttaad400, you can do the authorization change for 1 user in regular fashion through ttaad2131m000 and then check the contents of ttaad4100 in GTM. Based on that you can then build yourself another little shell script to add all the required records the ttaad400 table.

You must convert the changed authorizations to runtime (-> ttadv999) by running Convert User Data to Runtime for the users that have been changed. Baan will automatically pick up the conversion flags from ttaad400 and convert to runtime for the correct users.[/LIST=1]

Note 1: all tables are in company 000 of course.
Note 2: this method is a hack, so be careful!

Sorry, forgot to mention version. Just dug around in the menus...does not appear to be any user groups, only users. So, I guess the only solution is a hack solution?

I have little experience with DEM on IVc4. I have used the 'hack' solution myself, although time consuming it is not that difficult if you have a good way with shell scripting. Umm, hope you are not running on NT :p

No NT. But, as a "Baan Developer", do not have the rights to do what is suggested. I'll have to pass this along to our DB Admin. Thanks!

OK, here it is an example on how I do that task.

NOTE: check if the dump of your tables look like my ones (BaanIV c4). Run everything below as bsp user and make sure what you are doing!

1. Run 'ttaad4226m000' (Create Sequential Dump of Table) and export table ttaad400 from company 000 (convert to runtime table) using:
- Fixed Length Records
- Separator '|' (without the quotes)
- All other defaults to No
- Specify a directory (I will allways assume /tmp)
This will generate a dump file /tmp/tttaad400000.S

2. Using same session export table ttaad231 from company 000 (session authorizations) using:
- Fixed Legth Records
- Separator '|' (without the quotes)
- All other defaults to No
This will generate dump file /tmp/tttaad231000.S

3. Do a backup of those files by copying them to /tmp/tttaad400000.S.org and /tmp/tttaad231000.S.org

4. Generate a list of users you want to add new authorizations, as example, /tmp/list.txt

5. Add users that will need to be converted to runtime by doing (now includes a removal of duplicate entries):

# cat /tmp/list.txt | while read LINE
> do
> echo $LINE | awk '{ printf ("a|u%-12s",$1) }' >> /tmp/tttaad400000.S
> echo "<session>|<ini_time><end_time>||" >>/tmp/tttaad400000.S
> echo "u|$LINE|||" >>/tmp/tttaad400000.S
> done
# sort -o /tmp/tttaad400000.S -u tttaad400000.S

Note: each user needs 2 entries, one for the authorization (a|...) and another for the user change (u|...). It seems that the 1st line needs an exact number of characters before the <session> (12 exactly, including the user_name), so I use awk to do the trick.

Replace <session> with you full session code and <ini_time> and <end_time> with your authorization access time. Notice that there are at least 4 spaces between the $LINE and the <session>!

As example, granting authorization to dummy from 0:00 to 21:00 to session tfpur0540s000 would mean adding the lines:
a|udummy tfpur0540s000|00002400||
u|dummy||||

6. Add users to table of authorizations by doing (now includes a removal of duplicate entries - table ttaad231 has a unique index based on session, so duplicate entries will make your maintenance of users painfull):

# cat /tmp/list.txt | while read LINE
> do
>echo '$LINE|1|<package>|<module>|<session>|<ini_time>|<end_time>|' >> /tmp/tttaad231000.S
> done
# sort -o /tmp/tttaad231000.S -u /tmp/tttaad231000.S

Replace the <package>, <module>, <session> by your authorization session. Replace <ini_time> and <end_time> by your allowed running session time.

As example, granting authorization from 0:00 to 21:00 to session tfpur0540s000 would mean using the above line as
echo '$LINE|1|tf|pur|0540s000|0|2400|' >> ...

7. Create a directory /tmp/import. Copy the /tmp/ttt*.S into it. Run ttaad4227m000 (Create Table from Sequential Dump) and import those tables using:
- Fixed Length Records
- Separator '|' (without the quotes)
- Delete existing tables to Yes
- Create rows before index to Yes
- Ignore referential integrity to Yes
- All remaining options to No
- Specify your directory /tmp/import

8. Run ttaad4200m000 (Convert User Data to RTD) and convert to all users, Session and database Authorizations set to Yes.

Be carefull and check the formats of those dumps before importing anything. The ....org tables are used as backup in case something goes wrong.
This is an example only to add inclusive authorizations and there is no responsability.

Victor,

Thank you so much for your time and the example. I won't be able to get to this for another week, but truly appreciate the attention!

Thanks so much,
Susan

In theory if you add the session to a business process so the role is changed and you regenerate the users (including generate session authorisations) should the new session authorisations not be added automatically? Are you generating authorisations this way? I've tested this in b2 and c4 and found it unreliable as not all the sessions and subsessions were granted permission. It also took ages to generate just one user getting DEM to generate the authorisations as well so it did not seem a practical solution. It seems that the hack would be much more effective. Has anyone else had more success generating authorisations in DEM?