rmbarr
19th June 2002, 19:01
In order to fully document our internal controls and Baan application security, it is necessary to determine all subsessions that can be activated from Baan sessions.
Is there any documentation on sessions and subsessions that can be activated from the session?
NPRao
19th June 2002, 20:20
We implemented the safe option -
the default package level authorization is print/display and the actual authorizations are defined at session level.
So even if an end user zooms or gets into other sessions directly/indirectly, it doesn't bother us.
rmbarr
19th June 2002, 22:25
Having used two implementation partners for Baan we now have a varied user authorization setup. At times, it appears the partners got tired of following the method you mentioned and simply authorized every session and sub session with the menu determining which main sessions could be executed.
The problem for us lies in the fact that authorization for a particular session should not allow the user to execute certain maintain sub sessions. It's now our task to determine where these holes in our Baan security exist and plug them.
NPRao
19th June 2002, 22:35
Well, our approach is using at least 2 templates. A default tools Role authorization template, for which we, the BaaN Administrators, are responsible, and the other is a functional authorization template.
So I give the print/display authorization at the package level. It is later the responsibility of our Deployment Team/Business Analysts and Functional Consultants to determine the authorization levels on those sessions/subsessions etc. If they miss any authorization settings on any session, the end user will end up having only print/display authorization and they ask for a change request to get it fixed.
This was our methodology, we faced issues in the beginning but now everyone is used to it and our role templates are stable.
All the role template changes have to be documented, developed on the DEV environment, migrated to QA, tested if it works fine, then migrated to the actual Production environment.
:p