May 6, 2015
By Vinuta Hosur, Senior Software Engineer Product Development
Today most of us work and connect with multiple devices. With concepts such as bring your own device (BYOD) and anytime-anywhere access becoming the norm, business applications inevitably need to be available over the internet: users want to access them from any of their devices without having to log in to a virtual private network (VPN). Infor Lawson Applications are no exception.
Exposing business applications to the internet increases productivity, but it also creates the need for added security. Infor Security Services (ISS) addresses this for Infor Lawson Applications with the Domain Authorization feature. This feature provides an additional layer of security for the business applications and also lets administrators selectively expose only certain parts of an application to the internet, configured according to their business and information security needs.
Figure 1: Domain Authorization for External Domain
The Domain Authorization layer acts in addition to User Authorization, not in lieu of it. Once the user's credentials are validated, the user's domain is determined. If the user is accessing the application from an external domain (the internet), a Domain Authorization check is performed before User Authorization. This check uses the rules set by the administrator to determine whether the object being accessed (form, data or executable) is visible to the external domain. Once it is determined that the application is accessible to the external domain, the system proceeds to the User Authorization check.
Domain Rule File Structure
The Domain Authorization check is driven by XML-based Domain Rules files. Default rule files for each Infor Lawson Application are bundled with the application and can be customized to meet customer needs.
Figure 2: Sample domain rule file
Rule files are designed to secure various object types, such as forms, data and executables, with fine-grained access control rules at the domain level. The rule file structure allows exclusive, inclusive and composite rules to be defined.
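The check order and rule types described above can be modelled as follows. This is an added example, not Infor's code or the Lawson rule file schema: the XML element and attribute names, the object names, the default-deny behaviour and the reading of "composite" as an include pattern with exclude exceptions are all assumptions made for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed rule file; element/attribute names are hypothetical,
# not the real Infor Lawson domain rule schema.
RULES_XML = """
<domainRules domain="external">
  <rule type="form" mode="include" pattern="selfservice/*"/>
  <rule type="form" mode="exclude" pattern="selfservice/admin/*"/>
  <rule type="data" mode="include" pattern="EMPLOYEE_PROFILE"/>
</domainRules>
"""

def load_rules(xml_text):
    """Parse the rule file into (object_type, mode, pattern) tuples."""
    root = ET.fromstring(xml_text)
    return [(r.get("type"), r.get("mode"), r.get("pattern"))
            for r in root.iter("rule")]

def domain_allows(rules, obj_type, name):
    """Assumed semantics: default deny. An object is visible only if an
    include rule matches it and no exclude rule matches it."""
    included = excluded = False
    for rtype, mode, pattern in rules:
        if rtype == obj_type and fnmatch.fnmatchcase(name, pattern):
            if mode == "include":
                included = True
            elif mode == "exclude":
                excluded = True
    return included and not excluded

def authorize(user_perms, domain, rules, obj_type, name):
    """Runs after credentials are validated. Returns (allowed, layer)."""
    # Layer 1: the domain check applies only to the external domain.
    if domain == "external" and not domain_allows(rules, obj_type, name):
        return (False, "domain")
    # Layer 2: user authorization is always checked as well.
    if (obj_type, name) not in user_perms:
        return (False, "user")
    return (True, "ok")

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    perms = {("form", "selfservice/admin/users")}
    print(authorize(perms, "external", rules, "form", "selfservice/admin/users"))
    print(authorize(perms, "internal", rules, "form", "selfservice/admin/users"))
```

The two calls at the bottom show the point of the layering: a user who is fully authorized for an administrative form is still refused from the external domain, while the same request from the internal domain proceeds on user authorization alone.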
Rule File Management from ISS
Once the domains are configured in the system, rule file assignment to domains can be managed using the Infor Security Services admin console.
Figure 3: Manage Domain rules from ISS admin console
Rules can be changed, enabled and disabled at runtime using the same ISS user interface; a restart of the application is not necessary for changes to take effect. Multiple rule files are assigned per domain, per data area. The XML rule files provided by the applications and assigned to a domain should be placed under the directory $LAWDIR\security\domainauth\<domain-name>\.
- Infor Lawson System Foundation (LSF) – 22.214.171.124 or higher and 10.0.5.0 or higher (fully patched)
- Infor Lawson Portal – 126.96.36.199 or higher
- Infor Lawson for Ming.le 10.0.5.0 or higher
- Applications supported as of today:
  - Infor Employee and Manager Self-Service (EMSS) – 10.0.5.16
  - Infor Lawson Mobile Employee – 10.0.0.0
Further information on the Internet Facing Applications feature can be found in:
- Infor Employee and Manager Self-Service Administration Guide 10.0.5.0, 10.0.6.0
- Infor Employee and Manager Self-Service Technical Documentation 10.0.x
- Mobile Employee Reference Guide 10.0.6.0
- Infor Security Services Configuration Guide 10.1.0.0
Using this feature, Infor Lawson customers can securely expose the required parts of Infor Lawson Business Applications to their users on the internet without requiring a VPN.