Cloud Security


M3: v13x Administering Security for the Cloud Training Workbook

Infor M3
May 08, 2018
Course code: 01_0111340_IEN1745_M3O
Legal Notice
Copyright © 2018 Infor. All rights reserved.

Important Notices
The material contained in this publication (including any supplementary information) constitutes and
contains confidential and proprietary information of Infor.
By gaining access to the attached, you acknowledge and agree that the material (including any
modification, translation or adaptation of the material) and all copyright, trade secrets and all other right,
title and interest therein, are the sole property of Infor and that you shall not gain right, title or interest in
the material (including any modification, translation or adaptation of the material) by virtue of your review
thereof other than the non-exclusive right to use the material solely in connection with and the furtherance
of your license and use of software made available to your company from Infor pursuant to a separate
agreement, the terms of which separate agreement shall govern your use of this material and all
supplemental related materials ("Purpose").
In addition, by accessing the enclosed material, you acknowledge and agree that you are required to
maintain such material in strict confidence and that your use of such material is limited to the Purpose
described above. Although Infor has taken due care to ensure that the material included in this publication
is accurate and complete, Infor cannot warrant that the information contained in this publication is
complete, does not contain typographical or other errors, or will meet your specific requirements. As such,
Infor does not assume and hereby disclaims all liability, consequential or otherwise, for any loss or
damage to any person or entity which is caused by or relates to errors or omissions in this publication
(including any supplementary information), whether such errors or omissions result from negligence,
accident or any other cause.
Without limitation, U.S. export control laws and other applicable export and import laws govern your use
of this material and you will neither export or re-export, directly or indirectly, this material nor any related
materials or supplemental information in violation of such laws, or use such materials for any purpose
prohibited by such laws.

Trademark Acknowledgements
The word and design marks set forth herein are trademarks and/or registered trademarks of Infor and/or
related affiliates and subsidiaries. All rights reserved. All other company, product, trade, or service names
referenced may be registered trademarks or trademarks of their respective owners.
Table of contents
About this workbook
Course overview
Course description and agenda
Lesson 1: Infor M3 security model
Infor M3 security model
Infor M3 general security features
Locating Infor M3 security
Check your understanding
Lesson 2: Infor M3 user enrollment
Enrolling users in home companies and divisions
Company and division structure – enrolling users
Creating and copying enrollments for users
Difference between Create and Copy when enrolling a new user
Working with user groups
User groups
Creating user group records
Placing users in a group
Exercise 2.1: Log in to Infor M3
Exercise 2.2: Using the Infor M3 function User. Open (MNS150)
Check your understanding
Lesson 3: Infor M3 role-based security
Overview
Need for function security
Roles
Permissions setup per role and function
Rules for permissions setup
Relationship between company and division
Processing permissions
Working with permissions – Function. Connect Authority by Role (SES400)
Program security inheritance
Infor M3 function and program structure
Using program security inheritance – Function. Connect Program (MNS112)
Authority by User. Display (SES401)
Process of setting up role-based security
Dependency between permissions tables
Roles. Open (MNS405)
Copying roles in Roles. Open (MNS405)
Roles per User. Open (MNS410)
Setting permissions
Function. Connect Authority by Role (SES400)
Overriding program security inheritance
Forcing automatic creation of permissions
Deleting roles
Deleting role/user connections
Exercise 3.1: Set up role-based security
Implementing role-based security
Defining a role
Assessing users’ requirements – security feedback forms
Assessment of the requirements by process owners
Additional information
Infor M3 role-based security files
Mass changes to function definitions
Query on CSYSTR – User Preferences table
Check your understanding
Lesson 4: Infor M3 data security
Concept of data security
Structure – simple example
Structure – complex example
Process of setting up data security
Exercise 4.1: Set up Object Access security
Check your understanding
Lesson 5: Infor M3 field security
Objective of field security
Controlling access to individual fields
Field security concepts
Field security concepts overview
Field security – field groups
Connecting fields to field groups
Connecting users to field groups
Scope of field security
Overview
Process of setting up field security
Field security – overview of the process
Exercise 5.1: Set up field security
Check your understanding
Course summary
Appendix
Appendix A: User accounts

About this workbook
Welcome to this Infor Education course! We hope you will find this learning experience enjoyable and
instructive. This Training Workbook is designed to support the following forms of learning:
• Classroom instructor-led training
• Virtual instructor-led training
• Self-directed learning
This Training Workbook is not intended for use as a product user guide.

Activity data
You will be asked to complete some practice exercises during this course. Step-by-step instructions are
provided in this guide to assist you with completing the exercises. Where necessary, data columns are
included for your reference.
Your instructor will provide more information on systems used in class, including server addresses, login
IDs, and passwords.

Self-directed learning
If you are taking this course as self-directed learning, there may be instructor-recorded presentations
and/or simulations available to assist you.
If instructor-recorded presentations are available, a hyperlink to the recording will be included on the first
page of each corresponding Lesson.
If simulations are available, the demos and exercises throughout this Training Workbook will include
hyperlinks that allow you to view and/or practice the execution of the demo or exercise in a simulated
training environment.

Learning Libraries
Learning Libraries in Infor Campus include learning materials that are available to you online, anytime,
anywhere. These materials can supplement instructor-led training, providing you with additional learning
resources to support your day-to-day business tasks and activities.
Please note that if you accessed this Training Workbook directly via a Learning Library, you will not have
access to the Infor Education Training Environment that is provided with all instructor-led and most self-
directed learning course versions, as referenced above. Therefore, you will not be able to practice the
exercises in the specific Training Environment for which the exercises in this Training Workbook were
written.



© 2018 Infor Education. All rights reserved. No part of this Training Workbook may be reproduced or transmitted in any form, without written permission.
Symbols used in this workbook
• Hands-on exercise (“Exercise”)
• Instructor demonstration (“Demo”)
• Can be used for either (“Scenario” or “Discussion”)
• For your reference
• Your notes
• Important note
• Question
• Answer
• Task simulation

Course overview
Estimated time
.25 hours

Learning objectives
Upon completion of this course, you should be able to:
• Describe aspects of the Infor M3 security model.
• Explain the process of maintaining Infor M3 users.
• Describe how role-based security can be used to secure your Infor M3 environment.
• Describe how to secure particular records within Infor M3 database tables.
• Describe how to protect specific fields within Infor M3 tables from unauthorized access.

Topics
• Course description and agenda

Course description and agenda
This course covers how Infor M3 controls end user and system administrator access to the system. It
covers logging on to OS Portal (Xi), securing access to various environments, access to Infor M3
companies and divisions, authority to perform individual functions, and ultimately protecting data
and even controlling access to individual fields on a screen. Administering security at the individual
or group/role level will be discussed. Hands-on exercises are provided to practice course topics.
This training is applicable for the following Infor M3 version: 13.4.

Infor Federated Services (IFS) is an authentication component of the Xi Platform in
both cloud and some on-premise installations. It is the component that allows
authentication across multiple products that are integrated via the Xi Platform. It is
used for most M3 Core installations, both cloud and on-premise, from version 13.3
onwards. SAML authentication is achieved by IFS working together with the SAML
session provider and an identity provider, often ADFS.
IFS will not be covered in this course.

Prerequisite courses
• M3: v13x Administering the System – Introduction

Course duration
8 hours

Audience
• Technical Consultant
• Support
• System Administrator

System requirements
• Infor M3 13.4 Tech v2 Training Environment

Reference materials
Infor M3 reference materials are available from the following locations:
• Infor Documentation Infocenter
• Infor Xtreme®

Course agenda
The agenda below details the contents of this course, including lesson-level learning objectives and
supporting objectives.

Course overview (Day 1)
Review course expectations

Lesson 1: Infor M3 security model (Day 1)
Describe aspects of the Infor M3 security model.
• Describe the two fundamental types of security in Infor M3.
• Describe the various types of general security in Infor M3.

Lesson 2: Infor M3 user enrollment (Day 1)
Explain the process of maintaining Infor M3 users.
• Describe how to grant users access to Infor M3.
• Describe how to restrict users' access to the various companies and divisions defined in Infor M3.
• Explain the difference between manually creating new users and copying them from existing users.
• State the purpose of user groups in field security.

Lesson 3: Infor M3 role-based security (Day 1)
Describe how role-based security can be used to secure your Infor M3 environment.
• Explain the key concepts in setting up role-based security.
• Explain program security inheritance.
• Explain the process flow of setting up role-based security.

Lesson 4: Infor M3 data security (Day 1)
Describe how to secure particular records within Infor M3 database tables.
• Define Object Access groups.
• Define Object Access user groups.
• Describe how to protect Infor M3 data objects from access by users with functional access.

Lesson 5: Infor M3 field security (Day 1)
Describe how to protect specific fields within Infor M3 tables from unauthorized access.
• Explain field-level security.
• Identify field-level security limitations.
• Explain how to set up the different levels of field security.

Course summary (Day 1)
Debrief course.

Appendix
This section contains information that is not part of the instructional content of this course, but provides
additional related reference information.

| Appendix | Appendix title | Content description |
|---|---|---|
| Appendix A | User accounts | This appendix provides a reference for student and instructor login credentials. |

Lesson 1: Infor M3 security model
Estimated time
.5 hours

Learning objectives
After completing this lesson, you will be able to describe aspects of the Infor M3 security model. In this
lesson, you will:
• Describe the two fundamental types of security in Infor M3.
• Describe the various types of general security in Infor M3.

Topics
• Infor M3 security model

Infor M3 security model
Infor M3 security applies at different levels:
• General security
• Application security
Here are the definitions and responsibilities of each:

| Level | Definition | Responsibility |
|---|---|---|
| General | General security is applied over the application to control areas such as access to Infor M3 functions and individual fields. | The system administrator or the security officer maintains general security. |
| Application | Application security is built in, and exists as an integral part of the logic flow in some areas of the system, such as in the financial accounts and purchasing modules. | Managers maintain security applicable to their own department’s functionality. |

Note: Although this course only deals with general security, it is important to recognize the distinctions
between the two in case of a security problem outside of your area of responsibility.

General security vs. Application security

Infor M3 general security features
Infor M3 general security is comprised of the following features:
• Role-based function security
o This feature provides the ability to allow or deny access to all Infor M3 programs, and to
control the level of update within programs.
• Display-only controls (viewable but not editable)
o This feature is available at the program or individual field level.
• Password verification (user authentication)
o Password verification is required for entry to Infor M3. It can additionally be attached to
individual Infor M3 functions.
• Company/division responsibility
o This feature is customized at the user level. User movement within the Infor M3 business
model can be controlled in user enrollment. For example, users might be allowed to process
transactions in one division but not in another.
• Data security
o In many areas, Infor M3 can be configured to recognize data ownership, restricting
unauthorized access to particular records in a table.
• Field security
o This feature allows individual fields to be protected from unauthorized update on many
displays, or to be completely hidden from view.
• Field Audit Trail
o This feature tracks data changes at the individual field level. The audit trail can be displayed
in the Infor M3 programs.
• System administration controls
o System administration tasks, such as starting and stopping processes and changing settings
and configuration, are controlled by Infor M3 Grid security.

Locating Infor M3 security
Many functions related to Infor M3 security can be found in the M3 Application Foundation menu.

Infor M3 Application Foundation menu

Other functions related to Infor M3 security can be found on various menus in LifeCycle Manager (LCM).

Check your understanding

What are the two fundamental types of security in Infor M3?

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

Restrictions are required on who can access various Infor M3 programs. Restrictions are also
required on who has update access to a program versus read-only access. What part of Infor
M3 security resolves this?
_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

Restrictions have been put into place to allow only a few users the ability to change a
customer’s credit limit. However, management needs to be able to determine who changed
the customer’s credit limit and when. What part of Infor M3 security resolves this?
_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

Lesson 2: Infor M3 user enrollment
Estimated time
1 hour

Learning objectives
After completing this lesson, you will be able to explain the process of maintaining Infor M3 users. In this
lesson, you will:
• Describe how to grant users access to Infor M3.
• Describe how to restrict users' access to the various companies and divisions defined in Infor M3.
• Explain the difference between manually creating new users and copying them from existing
users.
• State the purpose of user groups in field security.

Topics
• Enrolling users in home companies and divisions
• Creating and copying enrollments for users
• Working with user groups

Enrolling users in home companies and divisions
User. Open (MNS150) displays user enrollment, which includes the default company and division.

Company and division structure – enrolling users


Users are assigned (or enrolled in) a default, or home, company and division by a system administrator. At
logon, users will have access to the data and information related to their assigned home company and
division.
In addition to their default company and division, each user’s enrollment can contain a list of other
companies and divisions that the user may access.

System administrator user enrollment tasks


System administrators provide user authority to the appropriate companies and divisions on the user’s
enrollment list. A system administrator can:
• Add user access by adding a company and/or division to the user’s list.
• Deny user access by removing a company and/or division from the user’s list.
• Change user defaults such as start menu and any user groups.

Maintain company/division access for a user


To maintain the companies and/or divisions a user may access, a system administrator uses the program
User. Access per Company & Division (MNS151). This program is available from User. Open
(MNS150). Highlight a user row in User. Open (MNS150), and choose Related > User Permissions to
Cmp/Div (CTRL+11) to arrive at User. Access per Company & Division (MNS151), which displays the
current companies and divisions the user may access. On this page, companies and/or divisions may be
added or deleted.

Add all companies and/or divisions for a user


To grant access to all companies and divisions for a specific user, a system administrator uses the related
option Update User Access all Cmp/Div (CTRL+21). This option is available from User. Open
(MNS150). Highlight a user row, and choose Related > Update User Access all Cmp/Div (CTRL+21) to
add access to all companies and divisions.

The Update User Access all Cmp/Div (CTRL+21) program does not display a confirmation
screen. Instead, all relevant companies and/or divisions are added to the user’s enrollment
list.

Examples of user enrollment
The following example shows a business structure and how the user, JSMITH, has access (or
restrictions) within the organization.

Company and division structure – controlled user access


The example in the image above shows user JSMITH with a default company and division. It also
indicates that this user has access to other companies and divisions, and can switch between the two
companies and associated divisions. However, the user doesn’t have access to two divisions—Company
1, Division B, and Company 2, Division H.
The next example is a continuation of what was described above. The list of authorized companies and
divisions is not a simple list of company numbers and division IDs. Each record may contain variations to
the normal user settings. These apply when the user switches into that company and/or division.

Authorizing users

Note: If a setting is left blank at the division level in User. Access per Company & Division (MNS151),
the setting in the user record (MNS150) will be used.

The User grp object field accessed from User. Access per Company & Division (MNS151)
is used in Object Access group security (also known as data security). This field should not
be confused with the User group field, which is used for field security.

Creating and copying enrollments for users
Difference between Create and Copy when enrolling a new user
In User. Open (MNS150), clicking Create to enroll a new user will enable access only to the default
company and division specified for the user. Additional company/division access can then be enabled
using User. Access per Company & Division (MNS151).

Enrolling a user using Create

However, when using Copy to enroll a new user, the new user is given access to the same companies
and divisions as the based-on user.

Enrolling a user using Copy


When copying a user, there is an option to also copy the user’s program preferences. Additionally, there
is an option to copy the user’s report preferences.

Working with user groups
User groups
User groups reduce the administration required to implement field security. User groups are not used in
role-based function security.
Note: Groups cannot be nested or placed inside another group. Also, a user cannot be a member of
more than one group. An exception to this is overriding the user’s enrollment at the division level, using
program User. Access per Company & Division (MNS151). See the section on controlling access to
companies and divisions.

Creating user groups

Creating user group records


User. Open (MNS150) maintains both individual users and user groups. The field User type determines
which type of entry you are creating:
• *USER indicates an individual (normal) user.
• *GRPPRF indicates a user group.

Placing users in a group


To place users in groups, the group must be created first. Next, the group name must be specified in the
User group field for the user’s enrollment record located in User. Open (MNS150).

Exercise 2.1: Log in to Infor M3
In this exercise, you will log in to Infor M3 through the OS Portal.

Notes:
• If you are taking this course as classroom or virtual instructor-led training, observe as
your instructor first demonstrates this exercise.
• If you are taking this course as self-directed learning, complete the steps below.

Exercise steps

Verify you are logged in to the Training Desktop (m3app-2013 (Landing Server)). If not, log in
following instructions provided by your course instructor.
Note: If you are taking this course as self-directed learning, follow the instructions on the
course Lab On Demand screen.

Part 1: Log in to Infor M3


1. Double-click the folder labeled Infor Education on your training desktop.
2. Double-click the M3_v13x_Administering_Security folder. A list of program shortcuts displays.
3. Highlight all program shortcuts within the M3_v13x_Administering_Security folder.
4. Drag and drop the program shortcuts to your training desktop.
5. Close the M3_v13x_Administering_Security window.
6. Double-click the OS Portal shortcut on your training desktop. The GDE ADFS login screen
displays.
7. Type [email protected] in the [email protected] field.
8. Type Infor123 in the Password field.
9. Click Sign in. The Infor Education page displays.
10. Click App Menu (the nine white squares in the upper-left corner). A menu of applications
displays.
11. Click the Infor M3 icon. The Infor M3 Start Page displays.

Part 2: Review a list


1. Start User. Open (MNS150). Panel B displays a list of users.

There are multiple ways to start an Infor M3 program, including links in the Menu,
Shortcuts, and Recent widgets. You can also use the Search and Start feature by
completing the following steps:
• Press Ctrl+R. The Search and Start dialog box opens.
• Type <the program name or number> in the Search and Start field.
  Notes:
  o The program name in this step would be User. Open, and the program
    number is MNS150.
  o If you enter only part of the program name (e.g., User), a list of related
    programs displays, and you can select the correct program from the list.
• Click OK. The program window opens.

2. Click Close. The Infor M3 Start Page displays again.


Note: To close any program in the application, click the X in the upper-right corner within the
open program tab. If all Infor M3 programs have been closed, the Infor M3 Start Page displays
again. If there are one or more programs running, Ctrl+R will still work within a program panel, to
start another program if desired.


Exercise 2.2: Using the Infor M3 function User. Open (MNS150)


In this exercise, you will use the Infor M3 function User. Open (MNS150) to deny your own
user ID access to some companies and divisions in your environment.

Notes:
• If you are taking this course as classroom or virtual instructor-led training, observe as
your instructor first demonstrates this exercise.
• If you are taking this course as self-directed learning, complete the steps below.

Exercise steps
Note: Ensure you are logged in to Infor M3. If not, refer to Exercise 2.1, part 1.

Part 1: Change to company 330 division AAA in the environment and verify your user’s access
1. Start Item. Open (MMS001). Panel B displays.
2. Write down the value in parentheses that displays in the lower-right corner of the status bar:
__________________. The first value in the parentheses is your default company and the
second value is your default division.
3. Click Close. The Infor M3 Start Page displays.
4. Press Ctrl+R. The Search and Start window opens.
5. Type cmp330AAA in the Search and Start field. Note: This is just a temporary change and will
reset when you log off. It will ensure you have access.

6. Click OK. A message, “You have changed to company 330 (Infor M3 Standard) and division AAA
((330/AAA))” displays. Note: If you did not have access, you would have received an error
message that the company and division do not exist.
7. Click OK.
8. Start Item. Open (MMS001) again. Panel B displays.
9. Write down the company number and division that display in the lower-right corner of the status
bar: __________________.
10. Click Close. The Infor M3 Start Page displays.
11. Press Ctrl+R. The Search and Start window opens.
12. Type cmp330BBB in the Search and Start field.
13. Click OK. A message, “You have changed to company 330 (Infor M3 Standard) and division BBB
((330/BBB))” displays.
14. Click OK.

Part 2: Remove your user’s access to company 330 division AAA


1. Start User. Open (MNS150). Panel B displays.
2. Type M3M01 in the User field.
3. Press Enter. The record for your M3M01 user displays at the top of the list.
4. Highlight the row related to your user.
5. Select Related > User Permissions to Cmp/Div (CTRL+11). The User. Access per Company
Division (MNS151/B1) program opens.
6. Scroll down.
7. Highlight the company 330 division AAA row.
8. Select Options > Delete (CTRL+4). A message, “Confirm deletion of responsible M3M01”
displays.
9. Click OK. Panel D displays.
10. Click Next. Panel B1 displays.
11. Click Close. The User. Open (MNS150/B) program displays.
12. Click Close. The Infor M3 Start Page displays again.
13. Press Ctrl + R. The Search and Start window displays.
14. Type cmp330AAA in the Search and Start field.
15. Click OK. A message, “The company 330 and division AAA does not exist” displays.
Note: To clarify the error message: the company and division do exist, but the
company/division is not included in the current user’s list of permitted
company/divisions.
16. Click OK.

Part 3: Reinstate your user’s access to company 330 division AAA


1. Start User. Open (MNS150). Panel B displays.
2. Type M3M01 in the User field.
3. Press Enter. The record for your user displays at the top of the list.
4. Highlight the row related to your user.
5. Select Related > User Permissions to Cmp/Div (CTRL+11). The User. Access per Company
Division (MNS151/B1) program opens.
6. Type 330 in the Cmp field.
7. Type AAA in the Div field.
8. Select Options > Create (CTRL+1). Panel E displays.
9. Click Next. Panel B1 displays again.
10. Click Close. The User. Open (MNS150/B) program displays again.
11. Click Close. The Infor M3 Start Page displays.

As an alternative to Part 3, steps 3-9 above, you could select Related > Update User
Access all Cmp/Div (CTRL+21) to give access to all company and division combinations in
the environment.

Check your understanding

User groups defined in User. Open (MNS150) are used only for data security.

a) True
b) False

The User grp object field defined in User. Access per Company & Division (MNS151) is
used only for data security.

a) True
b) False

Lesson 3: Infor M3 role-based security
Estimated time
2 hours

Learning objectives
After completing this lesson, you will be able to describe how role-based security can be used to secure
your Infor M3 environment. In this lesson, you will:
• Explain the key concepts in setting up role-based security.
• Explain the program security inheritance.
• Explain the process flow of setting up role-based security.

Topics
• Overview
• Program security inheritance
• Process of setting up role-based security
• Setting permissions
• Implementing role-based security
• Additional information

Overview
Need for function security
By default, all functions are accessible to all users; no permissions setup is required to enable access.
All Infor M3 function definitions are maintained by Function. Open (MNS110).
The function definition attribute, Authority Required (Auth Required), determines whether the function is
accessible.
• If the Authority Required check box is not selected, it means implicit permission, i.e. the function
is unlocked—open for access to users.
• If the Authority Required check box is selected, it means explicit permission, i.e. the function is
locked—closed to users unless they have permission.

Selecting the Authority Required check box is the only way to deny access to a function.

Function definition: Authority Required

The table below lists the permissions and their corresponding descriptions.

| Setting for Authority required field | Description |
|---|---|
| Implicit permission | When the Auth required field is not selected, the default is that all users and roles will have full access to that Infor M3 function unless otherwise defined in Function. Connect Authority by Role (SES400). |
| Explicit permission | When the Auth required field is selected, the default is that no users will have access to the Infor M3 function unless otherwise defined in Function. Connect Authority by Role (SES400). |

Roles
Roles are introduced to manage permissions for large numbers of users. Roles define a set of
authorizations in the Infor M3 Business Engine. By connecting a role to a user, the set of authorizations
that the role defines for the user is also added. A user can be connected to several roles at the same
time. Each connection of user and role can have validity dates to enable temporary permission, such as
vacation replacements.

Users can be connected to multiple roles

Permissions setup per role and function


The permissions setup program Function. Connect Authority by Role (SES400) defines the functions a role
is permitted to use in different companies and divisions. The permissions setup enables
control of permissions for all options (options 1-99) and for all function keys.

A role can have different permissions in different companies and divisions. Example: The role
SALESCLERK can have different permissions in Company 100 and 200 or different permissions in
division AAA and BBB within the same company.
Infor M3 role-based security is a three-tier model, with users on one side and Infor M3 functionality on the
other. In the middle are the roles, which connect lines of access between users and functions.

Three-tier model: users, roles, and functions


It is not possible to give access to individual users; all access must be made at the role level. There is no
mechanism for disallowing a role from having access to a function, other than by locking a function, i.e. by
checking the function’s Auth required field.
Role-based security allows authorization of standard options individually for a role/function permission
record. This is done via a set of standard option icons that appear in most (but not all) Infor M3 programs.
In some programs, the B panel (list) allows direct updates to be made without the need to drill down to
another level. In those programs, there is no authority checking of the standard options.

Icons for Infor M3 standard options

Function. Connect Authority by Role (SES400) permissions setup

Rules for permissions setup


Permissions define the functions a role is permitted to use. Setup is done in Function. Connect
Authority by Role (SES400) by linking a function to a role. Setup enables control of permissions for:
• All basic options (options 1-9)
• All related options (options 10-99)
• All function keys (F1-F24)
If a user is connected to many different roles with varying permissions for a given function, the least
restrictive permission applies. The user receives all the authorities added together.

Relationship between company and division


It is possible to set up permissions at both the company level (blank division) and the division level
(non-blank divisions).
When checking authority for users working in a non-blank division, the system first carries out the security
check against that non-blank division’s settings. If the combination of user/program is found, those
permissions are applied and the security check ends. If the combination of user/program is not found in
the division’s settings, the system carries out the search against the company’s (blank division) settings.

This enables customers to specify all their security settings at the company level (blank division), and
specify only the divisional exceptions in each non-blank division. This has benefits in reducing the number
of records required in tables CMNPSU (SES400) and CMNPUS (SES401).
Note that with this approach, for any given role it is impossible to deny access in a non-blank division to a
function to which the same role has company-level access.

Security permission settings at company and division level


The following examples illustrate the way company and divisional security settings are used to evaluate a
user’s authority to a requested function.
Assume all requests are made by a user running in division AAA.
• Role FINANCE requests function MMS001. Access is allowed at display only. The reason is that
the combination of FINANCE/MMS001 does not exist in division AAA, so the search continues at the
company level.
• Role SALES requests function CRS610. Access is allowed at display only. The reason is the
same as above.
• Role STOCK requests function MMS001. Access is allowed at display only. The reason is that
the combination exists in division AAA.
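The lookup order described above, as an added Python sketch (not Infor code and not part of the workbook). The record layout, the user IDs U_FIN and U_STOCK, the lock settings and the permission values are constructed for illustration; function keys are left out of the model.

```python
# Added illustration (not Infor code): simplified model of the authority check.
from typing import NamedTuple

ALL_OPTIONS = frozenset(range(1, 100))  # basic options 1-9 and related options 10-99
DISPLAY_ONLY = frozenset({5})           # basic option 5 (display)
NO_ACCESS = frozenset()
COMPANY_LEVEL = ""                      # a blank division means company level


class Decision(NamedTuple):
    options: frozenset  # option numbers the user may run
    source: str         # which rule produced the result


def check_authority(permissions, auth_required, user, program, company, division):
    """permissions: {(user, program, company, division): frozenset of options}
    auth_required: {program: bool}, the Auth required check box per function."""
    # 1. A record in the non-blank division wins and ends the check.
    if division != COMPANY_LEVEL:
        record = permissions.get((user, program, company, division))
        if record is not None:
            return Decision(record, "division " + division)
    # 2. Otherwise fall back to the company-level (blank division) record.
    record = permissions.get((user, program, company, COMPANY_LEVEL))
    if record is not None:
        return Decision(record, "company level")
    # 3. No record at all: the function's Auth required setting decides.
    if auth_required.get(program, False):
        return Decision(NO_ACCESS, "locked, no permission record")
    return Decision(ALL_OPTIONS, "unlocked, no permission record")


def without_record(permissions, key):
    """Copy of the permission records with one record removed."""
    return {k: v for k, v in permissions.items() if k != key}


# Constructed sample data: users, lock settings and values are assumptions.
AUTH_REQUIRED = {"MMS001": True, "PPS170": True, "CRS610": False}
PERMISSIONS = {
    ("U_FIN", "MMS001", "330", COMPANY_LEVEL): DISPLAY_ONLY,
    ("U_STOCK", "MMS001", "330", COMPANY_LEVEL): ALL_OPTIONS,
    ("U_STOCK", "MMS001", "330", "AAA"): DISPLAY_ONLY,  # divisional exception
}

if __name__ == "__main__":
    cases = [
        ("U_FIN", "MMS001", "AAA"),    # no AAA record, company record applies
        ("U_STOCK", "MMS001", "AAA"),  # AAA exception narrows the company grant
        ("U_STOCK", "MMS001", "BBB"),  # no BBB record, company record applies
        ("U_FIN", "CRS610", "AAA"),    # unlocked function, no record
        ("U_FIN", "PPS170", "AAA"),    # locked function, no record
    ]
    for user, program, division in cases:
        d = check_authority(PERMISSIONS, AUTH_REQUIRED, user, program, "330", division)
        print(user, program, division, sorted(d.options)[:3], d.source)
    # Deleting the AAA record does not deny access: the company grant takes over.
    trimmed = without_record(PERMISSIONS, ("U_STOCK", "MMS001", "330", "AAA"))
    print(check_authority(trimmed, AUTH_REQUIRED, "U_STOCK", "MMS001", "330", "AAA").source)
```

The last case is the one to review during an access audit: removing a divisional record widens access back to the company-level grant rather than revoking it.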

Processing permissions
Function. Connect Authority by Role (SES400) settings are passed to autostart job SES900 to
process. Settings are at the function and role level. The system expands roles to create individual user
permissions. It also expands functions that contain security-inheriting programs (see the Program security
inheritance section).

Determining individual user permission by expanding role entries


Permissions are automatically updated by the system when necessary. The circumstances necessitating
the updates include deleting users, copying roles, maintaining role membership, and role validity
dates passing. Permissions can be viewed using Authority by User. Display (SES401). This
function shows the information that the system uses when it performs a security check.

Working with permissions – Function. Connect Authority by Role (SES400)


Permissions are set up for role and function. Functions where Auth required is selected must have a
permission setting in Function. Connect Authority by Role (SES400) to grant access to roles.
Functions with the Auth required check box clear (not selected) are open to all roles (users). There is no
need to set up a permission in Function. Connect Authority by Role (SES400), except to restrict
functionality inside the function, such as limiting access to display only. Display only means without the
ability to update. Other limited access may entail restricting the Related options in the function.

Program security inheritance
Infor M3 function and program structure
Unlike functions, programs do not have a definition. As a result, they have no Authority Required setting,
are openly accessible to all users, and cannot be locked.
Programs can be linked to a parent function. The program assumes the security setting of the parent
function:
• If authority to the parent function is allowed, so is the program.
• If authority to the parent function is denied, so is the program.
In the image below, the programs OIS326, PPS171, PPS172, and PPS173 are shown to be linked to
parent function PPS170, while CRS340 and PPS008 are linked to PPS200. Without the link, the child
programs would be openly accessible to all users, and the security administrator would be unable to
prevent access to them.

Program to function connection (maintained in MNS112)

Using program security inheritance – Function. Connect Program (MNS112)
Programs can be set to inherit the same security as a function, regardless of the function’s Authority
Required setting.

Using program security inheritance

It is only possible to attach programs that are not functions, i.e. a function cannot be linked to
another function.

Program/function connection: Function. Connect Program (MNS112) vs. Function. Open (MNS110)

Permissions showing inherited security

Authority by User. Display (SES401)
In the permissions display, results of the permissions setup can be viewed. The permissions file contains
one record for each combination of program, user, company, and division. Note: Programs that inherit
function security (see Function. Connect Program (MNS112)) are included in the permissions file.
The permissions file is automatically updated when:
• A record is created, changed or deleted in Function. Connect Authority by Role (SES400).
• A record is created, changed or deleted in Roles per User. Connect (MNS410).
• A record is deleted in Roles. Open (MNS405).
• There are system date changes (the permissions are rebuilt, including validity date check, when
auto-job SES900 is started).

Permissions are updated in a background job (SES900). There may be a delay before the
permissions are updated as it is dependent on the sleep time of the autostart job.

Process of setting up role-based security
Once a role has been created, users and functions can be connected to the role. It does not matter which
connections are made first. The process often involves alternating repeatedly between the two types of
connections as the permissions are built up. At any time, the inquiry Authority by User. Display
(SES401) can be used to check individual program or user authority settings.

Process of setting up role-based security

Tables and programs used in role-based security

Dependency between permissions tables
There is a fundamental relationship among the following role-based security tables:
• CMNUSR (maintained by MNS150)
• CMNROL (maintained by MNS405)
• CMNRUS (maintained by MNS410)
• CMNPSU (maintained by SES400)
• CMNPUS (maintained by SES401)
The SES900 autostart job is responsible for maintaining this synchronization. The graphic above (tables
and programs used in role-based security) illustrates that a number of different transactions can send
trigger records to the autostart job SES900. SES900 primarily deals with updates made directly in
Function. Connect Authority by Role (SES400). However, it is also used to follow up on other
security-related transactions. For example, when a user is deleted in User. Open (MNS150), a record is
sent to SES900, triggering the deletion of that user’s permissions. When a user is removed from a role in
Roles per User. Connect (MNS410), SES900 must re-evaluate the user’s permissions. If a role is copied in
Roles. Open (MNS405), the user permissions must be set.

Tables used in role-based security must never be changed from outside the Infor M3
application, e.g. using structured query language (SQL) tools. Any inconsistencies that do
arise can be resolved by running Authority per User. Re-create (SES990), available on
menu MSF>AUX>Special Occasion Run>SEC. Be aware that SES990 begins by deleting all
records in CMNPUS, then runs a complete rebuild of that table, which can take hours. It
should be run only when no users are using the system.

Roles. Open (MNS405)


The first step in the process is to create roles using Roles. Open (MNS405). Roles are defined
independently of the company. The same roles apply to all companies in the database.

Copying roles in Roles. Open (MNS405)


When copying a role, options exist to copy:
• Connected users
• Connected permissions
If the Copy attached users check box is selected, all users connected (in Roles per User. Connect
(MNS410)) to the role being copied from will also be connected to the new role.
If the Copy attached permissions check box is selected, all permissions (in Function. Connect
Authority by Role (SES400)) for the role being copied from will also be created for the new role.

Copying roles in Roles. Open (MNS405)

Roles per User. Open (MNS410)


Users are connected to roles using Roles per User. Open (MNS410). Roles per user are defined
independently of company, with or without validity dates.

Roles per User. Open (MNS410)

Setting permissions
Permissions are created using Function. Connect Authority by Role (SES400).

Function. Connect Authority by Role (SES400)


In Function. Connect Authority by Role (SES400) permissions are set up per company and division.
Note: If functions with the Auth Required setting enabled need to be made accessible to users, they will
need to be defined here.
A role for the same function can have different permissions in different companies or divisions. Only
active records (status = 20) will have their permissions created. Permissions can be created for programs
that do not exist in Function. Open (MNS110).
The Function. Connect Authority by Role (SES400) panel E allows the basic options, related options,
and function keys to be assigned permission. Buttons are provided to select or clear check boxes for all
options or function keys before fine tuning the setup. Note: The status must be set to 20 (Active) to create
permissions.

Function. Connect Authority by Role (SES400)

Overriding program security inheritance
If a program is called by more than one function, it may be necessary to override inheritance settings.

Overriding program security inheritance

Function. Connect Authority by Role (SES400) settings can be applied to programs as well as functions.
When permissions are applied directly to programs that inherit permissions, the direct setup will override
the inheritance.

Function. Connect Authority by Role (SES400) settings for program or function
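How role-level settings become per-user permission records, as an added Python sketch (not Infor code and not part of the workbook). It combines the rules stated in this lesson: only status 20 records count, role connections honour validity dates, authorities from several roles are added together, linked programs inherit from their parent function, and a direct setup on a program overrides the inheritance. The record layout, the role names, the dates, the non-active status value 10 and the choice to apply the override per user, program, company and division are assumptions.

```python
# Added illustration (not Infor code): role entries expanded to user permissions.
from datetime import date

ALL_OPTIONS = frozenset(range(1, 100))  # basic options 1-9 and related options 10-99
DISPLAY_ONLY = frozenset({5})           # basic option 5 (display)
ACTIVE = 20                             # only active records create permissions


def active_members(role_users, today):
    """role_users: (user, role, valid_from, valid_to); None means no date limit."""
    members = {}
    for user, role, start, end in role_users:
        if (start is None or start <= today) and (end is None or today <= end):
            members.setdefault(role, set()).add(user)
    return members


def expand(role_perms, role_users, program_links, today):
    """role_perms: dicts with role, target, company, division, options, status.
    program_links: {child program: parent function}.
    Returns {(user, program, company, division): frozenset of options}."""
    members = active_members(role_users, today)
    children = {}
    for program, parent in program_links.items():
        children.setdefault(parent, []).append(program)
    direct, inherited = {}, {}
    for perm in role_perms:
        if perm["status"] != ACTIVE:
            continue
        for user in members.get(perm["role"], ()):
            key = (user, perm["target"], perm["company"], perm["division"])
            # Several roles on one function: the authorities are added together.
            direct[key] = direct.get(key, frozenset()) | perm["options"]
            for child in children.get(perm["target"], ()):
                ckey = (user, child, perm["company"], perm["division"])
                inherited[ckey] = inherited.get(ckey, frozenset()) | perm["options"]
    # A direct setup on a program replaces whatever it would have inherited.
    return {**inherited, **direct}


# Constructed sample data (roles, dates and option sets are assumptions).
PROGRAM_LINKS = {"OIS326": "PPS170", "PPS171": "PPS170", "CRS340": "PPS200"}
ROLE_USERS = [
    ("JSMITH", "PLANNER", None, None),
    ("JSMITH", "BUYER", date(2018, 7, 1), date(2018, 7, 31)),  # temporary cover
]
ROLE_PERMS = [
    {"role": "PLANNER", "target": "PPS170", "company": "330", "division": "",
     "options": DISPLAY_ONLY, "status": ACTIVE},
    {"role": "BUYER", "target": "PPS170", "company": "330", "division": "",
     "options": frozenset({1, 4, 5}), "status": ACTIVE},
    {"role": "BUYER", "target": "PPS171", "company": "330", "division": "",
     "options": DISPLAY_ONLY, "status": ACTIVE},  # direct setup on a program
    {"role": "PLANNER", "target": "PPS200", "company": "330", "division": "",
     "options": ALL_OPTIONS, "status": 10},       # not active, so ignored
]

if __name__ == "__main__":
    for day in (date(2018, 7, 15), date(2018, 8, 15)):
        print(day)
        for key, options in sorted(expand(ROLE_PERMS, ROLE_USERS, PROGRAM_LINKS, day).items()):
            print("  ", key, sorted(options))
```

Comparing the two dates shows what an auditor should expect in Authority by User. Display (SES401) once a temporary role connection has expired and SES900 has rebuilt the permissions.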

Forcing automatic creation of permissions
When a role is edited in Roles. Open (MNS405), it is possible to force automatic creation of permissions
for a specific company and division. However, this is only possible if the role has at least one user attached.
Permissions will be created only for functions that have the Authority Required check box selected.
If the Full authority check box is not selected, permissions will be created with only basic option 5
permitted (display only). If the Full authority check box is selected, permissions will be created with all
basic and related options, and all function keys permitted. When the Full authority check box is selected,
the following considerations apply:
• If the Include SES400 check box is not selected, existing permissions, if any exist, will not be
changed.
• If the Include SES400 check box is selected, existing permissions that are less than full authority
will be changed to full authority.
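
The following Python sketch is an added illustration, not part of the Infor workbook or the M3 software. It models the rules above for one role so the effect of the two check boxes can be previewed; the entry names in FULL and the handling of existing permissions when Full authority is not selected are assumptions.

```python
# Model of the forced-creation rules described above (illustrative only).
# A permission is a frozenset of granted entries. The entry names are
# constructed stand-ins for basic options, related options and function keys.
DISPLAY_ONLY = frozenset({"basic:5"})
FULL = frozenset({"basic:1", "basic:2", "basic:3", "basic:4", "basic:5",
                  "related:11", "fkey:F14"})


def force_create(role_users, auth_required, existing, full_authority,
                 include_ses400=False):
    """Return (permissions_after, changes) for one role, company and division.

    role_users    -- users attached to the role
    auth_required -- {function: bool}, the Authority Required check box
    existing      -- {function: frozenset}, the role's current permissions
    """
    if not role_users:
        raise ValueError("forced creation needs at least one user on the role")
    target = FULL if full_authority else DISPLAY_ONLY
    after = dict(existing)
    changes = []
    for function in sorted(auth_required):
        if not auth_required[function]:
            continue  # only locked functions receive permissions
        current = existing.get(function)
        if current is None:
            after[function] = target
            changes.append((function, "created"))
        elif full_authority and include_ses400 and current < FULL:
            after[function] = FULL
            changes.append((function, "raised to full"))
        # Assumption: in every other case the existing permission is untouched.
    return after, changes


def preview_escalations(auth_required, existing):
    """Locked functions whose permission Include SES400 would raise to full."""
    return sorted(f for f, p in existing.items()
                  if auth_required.get(f) and p < FULL)


# Constructed sample: two locked functions, one unlocked, one existing permission.
SAMPLE_FUNCTIONS = {"MMS001": True, "CRS610": True, "MMS002": False}
SAMPLE_EXISTING = {"CRS610": DISPLAY_ONLY}

if __name__ == "__main__":
    for full, include in ((False, False), (True, False), (True, True)):
        _, changes = force_create({"M3M01"}, SAMPLE_FUNCTIONS, SAMPLE_EXISTING,
                                  full, include)
        print("full=%s include_ses400=%s -> %s" % (full, include, changes))
```

Running preview_escalations before selecting Include SES400 lists the display-only permissions that would become full authority.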

Forcing automatic creation of permissions

Permissions created for all locked functions

Full authority not selected vs. full authority selected

Deleting roles
When a role is deleted in Roles. Open (MNS405), there is a warning indicating that the existing setup will
also be deleted, including all user and function connections to the role.

Deleting role/user connections


When deleting a user from a role, the user’s permissions may not be deleted. There may be instances
where the user needs them because of membership to other roles.

Deleting a role
When deleting the last user connection to a role, a Deletion of existing setup prompt will appear requiring
a decision whether the associated function connections should also be deleted. Choose from Yes, No or
Cancel.
• Cancel implies you made a mistake and want to cancel out of the delete request.
• No indicates the deletion of the user connection should continue, but the function connections to
the role should remain in the system. Use this reply when the role needs to be reused along with
its function connections at a future date.
• Yes indicates the deletion of the user connection should continue and function connections to the
role should also be deleted.

Deleting the last remaining user in a role – option Yes

Deleting the last remaining user in a role – option No

Exercise 3.1: Set up role-based security


In this exercise, you will create a role and assign your user to the role. In addition, you will:
• Assign permissions to the role.
• View the resulting permissions per user.
• Set authorization required for those functions and test.

Notes:
• If you are taking this course as classroom or virtual instructor-led training, observe as
your instructor first demonstrates this exercise.
• If you are taking this course as self-directed learning, complete the steps below.

Exercise steps
Notes:
• Ensure you are logged in to Infor M3. If not, refer to Exercise 2.1, part 1.
• The SES900 auto-job is set for 10 seconds, so there could be a delay of up to 10 seconds before
any changes are processed.

Part 1: Check your current authority in function Item. Open (MMS001)


1. Start Item. Open (MMS001). Panel B displays.
2. Highlight the row related to item 000101.
3. Select Options > Change (CTRL+2).
4. Write down whether panel E displays: _______________.

Note: If panel E displays, you are able to make changes; otherwise, you
would have received an error message.
5. Click Close. The Infor M3 Start Page displays.

Part 2: Check your current authority in function Customer. Open (CRS610)


1. Start Customer. Open (CRS610). Panel B displays.
2. Highlight the row related to customer 10001.
3. Select Options > Change (CTRL+2).
4. Write down whether panel E displays: _______________.
Note: If panel E displays, you are able to make changes; otherwise, you
would have received an error message.
5. Click Close. The Infor M3 Start Page displays.

Part 3: Lock the functions Customer. Open (CRS610) and Item. Open (MMS001) and try to run both
functions
1. Start Function. Open (MNS110). Panel B displays.
2. Type CRS610 (in uppercase) in the Function field.
3. Press Enter. The function CRS610 displays at the top of the list.
4. Highlight the row related to CRS610.
5. Select Options > Change (CTRL+2). Panel E displays.
6. Select the Auth Required check box.
7. Click Next. Panel F displays.
8. Click Next. Panel B1 displays.
9. Type MMS001 (in uppercase) in the Function field.
10. Press Enter. The function MMS001 displays at the top of the list.
11. Highlight the row related to MMS001.
12. Select Options > Change (CTRL+2). Panel E displays.
13. Select the Auth Required check box.
14. Click Next. Panel F displays.
15. Click Next. Panel B1 displays.
16. Click Close. The Infor M3 Start Page displays.

Part 4: Test your access


1. Start Item. Open (MMS001).
2. Write down whether you were able to run Item. Open (MMS001) and why.
______________________________________________________________________

______________________________________________________________________
______________________________________________________________________
3. Click OK. The Infor M3 Start Page displays.
4. Start Customer. Open (CRS610).
5. Write down whether you were able to run Customer. Open (CRS610) and why.
______________________________________________________________________

______________________________________________________________________

______________________________________________________________________
6. Click OK. The Infor M3 Start Page displays.

Part 5: Create a role, attach your user to the role, and give permissions to the role to run MMS001
and CRS610
1. Start Roles. Open (MNS405). Panel B displays.
2. Type ITADMIN in the Role field.
3. Select Options > Create (CTRL+1). Panel E displays.
4. Type IT Administration in the Description field.
5. Type IT Admin in the Name field.
6. Click Next. The M3 Text panel displays.
7. Click Next. Panel B displays again.
8. Click Close. The Infor M3 Start Page displays.
9. Start Roles per User. Connect (MNS410). Panel B displays.
10. Type M3M01 in the User field.
11. Type ITADMIN in the Role field.
12. Select Options > Create (CTRL+1). Panel E displays.
13. Click Next. The M3 Text panel displays.
14. Click Next. Panel B displays.
15. Click Close. The Infor M3 Start Page displays.
16. Start Function. Connect Authority by Role (SES400). Panel B displays.
17. Type MMS001 (in uppercase) in the Function field.
18. Type ITADMIN in the Role field.
19. Type 330 in the Cmp field.
20. Type BBB in the Div field.
21. Select Options > Create (CTRL+1). Panel E displays.
22. Select 20-Active in the Status field.
23. Click Select all in the Basic options section.

24. Click Select all in the Related options section.
25. Click Select all in the Function keys section.
26. Click Next. The M3 Text panel displays.
27. Click Next. Panel B displays.
28. Type CRS610 (in uppercase) in the Function field.
29. Select Options > Create (CTRL+1). Panel E displays.
30. Select 20-Active in the Status field.
31. Select the check box to the right of 5 in the Basic options section.
32. Ensure the other Basic options check boxes are clear.
33. Ensure all Related options check boxes are clear.
34. Ensure all Function keys check boxes are clear. Note: F1, F3, and F12 are selected and cannot
be cleared.
35. Click Next. The M3 Text panel displays.
36. Click Next. Panel B displays.
37. Click Close. The Infor M3 Start Page displays.
38. Start Authority by User. Display (SES401). Panel B displays.
39. Type CRS610 (in uppercase) in the Program field.
40. Press Enter. Panel B displays again with the CRS610 program at the top of the list.
41. Review the list of permissions for individual programs and users. Did it match your expectations?
Why? Is your user ID listed for CRS610 and MMS001?
______________________________________________________________________

______________________________________________________________________

______________________________________________________________________
42. Click Close. The Infor M3 Start Page displays.

Part 6: Test your access to both functions, Item. Open (MMS001) and Customer. Open (CRS610)
1. Start Item. Open (MMS001). Panel B displays.
2. Highlight the row related to item 000101.
3. Select Options > Change (CTRL+2).
4. Write down whether panel E displays: _______________.
Note: If panel E displays, you are able to make changes; otherwise, you
would have received an error message.
5. Click Close. The Infor M3 Start Page displays.
6. Start Customer. Open (CRS610). Panel B displays.
7. Highlight the row related to customer 10001.
8. Select Options > Change (CTRL+2).
9. Write down whether panel E displays: _______________.
10. Highlight the row related to customer 10001.
11. Select Options > Display (CTRL+5).
12. Write down whether panel E displays: _______________.
Note: If panel E displays, you are able to make changes; otherwise, you
would have received an error message.
13. Click Close. The Infor M3 Start Page displays.

Part 7: Create a new role


1. Start Roles. Open (MNS405). Panel B displays.
2. Type FINANCE in the Role field.
3. Select Options > Create (CTRL+1). Panel E displays.
4. Type Finance Department in the Description field.
5. Type Finance Dept. in the Name field.
6. Click Next. The M3 Text panel displays.
7. Click Next. Panel B displays.
8. Click Close. The Infor M3 Start Page displays.

Part 8: Give the new role permission to run function Item. Connect Warehouse (MMS002)
1. Start Function. Connect Authority by Role (SES400). Panel B displays.
2. Type MMS002 (in uppercase) in the Function field.
3. Type FINANCE in the Role field.
4. Type 330 in the Cmp field.
5. Type BBB in the Div field.
6. Select Options > Create (CTRL+1). Panel E displays.
7. Select 20-Active in the Status field.
8. Click Select all in the Basic options section.
9. Click Select all in the Related options section.
10. Click Select all in the Function keys section.
11. Click Next. The M3 Text panel displays.
12. Click Next. Panel B displays.
13. Click Close. The Infor M3 Start Page displays.
14. Start Authority by User. Display (SES401). Panel B displays.
15. Type MMS002 in the Program field.
16. Press Enter.
17. Review the list of permissions for individual programs and users.

18. Did you see permissions for Item. Connect Warehouse (MMS002)? Why?
______________________________________________________________________

______________________________________________________________________

______________________________________________________________________
19. Click Close. The Infor M3 Start Page displays.

Part 9: Connect users to the new FINANCE role


1. Start Roles per User. Connect (MNS410). Panel B displays.
2. Type M3M01 in the User field.
3. Type FINANCE in the Role field.
4. Select Options > Create (CTRL+1). Panel E displays.
5. Click Next. The M3 Text panel displays.
6. Click Next. Panel B displays again.
7. Click Close. The Infor M3 Start Page displays.
8. Start Authority by User. Display (SES401). Panel B displays.
9. Type MMS002 in the Program field.
10. Press Enter.
11. Review the list of permissions for individual programs and users.
12. Did you see permissions for Item. Connect Warehouse (MMS002)? Why?
______________________________________________________________________

______________________________________________________________________

______________________________________________________________________
13. Click Close. The Infor M3 Start Page displays.

Part 10: Give your user ID full access to CRS610 to avoid problems with subsequent exercises
1. Start Function. Connect Authority by Role (SES400). Panel B displays.
2. Type CRS610 (in uppercase) in the Function field.
3. Press Enter.
4. Highlight the row containing function CRS610 and role ITADMIN.
5. Select Options > Change (CTRL+2). Panel E displays.
6. Click Select all in the Basic options section.
7. Click Select all in the Related options section.
8. Click Select all in the Function keys section.
9. Click Next. The M3 Text panel displays.
10. Click Next. Panel B displays again.

11. Click Close. The Infor M3 Start Page displays.
12. Start Function. Open (MNS110). Panel B displays.
13. Type CRS610 (in uppercase) in the Function field.
14. Press Enter. The function Customer. Open (CRS610) displays at the top of the list.
15. Highlight the row related to CRS610.
16. Select Options > Change (CTRL+2). Panel E displays.
17. Clear the Auth Required check box.
18. Click Next. Panel F displays.
19. Click Next. Panel B displays again.
20. Click Close. The Infor M3 Start Page displays.
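
The following Python model is an added illustration, not part of the Infor workbook or the M3 software. It replays Exercise 3.1 through Part 9 against a toy version of the MNS110, MNS410 and SES400 data and derives the per-user permissions that SES401 lists. It covers basic options only, and it assumes that options granted through several roles are combined and that unlocked functions are not checked.

```python
ACTIVE = 20                           # SES400 status that creates permissions
ALL_BASIC = frozenset(range(1, 10))   # constructed stand-in for "Select all"
CHANGE, DISPLAY = 2, 5                # basic options used in the exercise


class RoleSecurityModel:
    """Toy model of the setup the exercise touches (basic options only)."""

    def __init__(self):
        self.auth_required = {}       # MNS110: function -> Auth Required flag
        self.roles_per_user = set()   # MNS410: (user, role)
        self.role_setup = {}          # SES400: (function, role, cmp, div) -> (status, options)

    def set_auth_required(self, function, required):
        self.auth_required[function] = required

    def connect(self, user, role):
        self.roles_per_user.add((user, role))

    def disconnect(self, user, role):
        self.roles_per_user.discard((user, role))

    def set_authority(self, function, role, cmp, div, options, status=ACTIVE):
        self.role_setup[(function, role, cmp, div)] = (status, frozenset(options))

    def user_permissions(self):
        """Per-user permissions, derived from role setup and role membership.

        Assumption: options granted through several roles are combined.
        """
        perms = {}
        for (function, role, cmp, div), (status, options) in self.role_setup.items():
            if status != ACTIVE:
                continue  # only status 20 creates permissions
            for user, user_role in self.roles_per_user:
                if user_role == role:
                    key = (user, function, cmp, div)
                    perms[key] = perms.get(key, frozenset()) | options
        return perms

    def may_use(self, user, function, cmp, div, option):
        if not self.auth_required.get(function, False):
            return True  # assumption: unlocked functions are not checked
        granted = self.user_permissions().get((user, function, cmp, div), frozenset())
        return option in granted


def run_exercise():
    """Replay Exercise 3.1 and record what user M3M01 can do at each stage."""
    m, seen = RoleSecurityModel(), {}

    def can(function, option):
        return m.may_use("M3M01", function, 330, "BBB", option)

    seen["parts 1-2: unlocked"] = (can("MMS001", CHANGE), can("CRS610", CHANGE))
    for function in ("CRS610", "MMS001"):                        # Part 3
        m.set_auth_required(function, True)
    seen["part 4: locked, no role"] = (can("MMS001", DISPLAY), can("CRS610", DISPLAY))
    m.connect("M3M01", "ITADMIN")                                # Part 5
    m.set_authority("MMS001", "ITADMIN", 330, "BBB", ALL_BASIC)
    m.set_authority("CRS610", "ITADMIN", 330, "BBB", {DISPLAY})
    seen["part 6"] = (can("MMS001", CHANGE), can("CRS610", CHANGE),
                      can("CRS610", DISPLAY))
    m.set_authority("MMS002", "FINANCE", 330, "BBB", ALL_BASIC)  # Part 8
    key = ("M3M01", "MMS002", 330, "BBB")
    seen["part 8: role without users"] = key in m.user_permissions()
    m.connect("M3M01", "FINANCE")                                # Part 9
    seen["part 9: user connected"] = key in m.user_permissions()
    return m, seen


def removal_keeps_other_roles():
    """Removing a user from one role keeps what another role still grants."""
    m, _ = run_exercise()
    m.set_authority("MMS001", "FINANCE", 330, "BBB", {DISPLAY})
    m.disconnect("M3M01", "ITADMIN")
    return m.user_permissions().get(("M3M01", "MMS001", 330, "BBB"))


if __name__ == "__main__":
    for stage, result in run_exercise()[1].items():
        print(stage, result)
    print("after leaving ITADMIN:", sorted(removal_keeps_other_roles()))
```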

Implementing role-based security
To implement role-based security, complete the following:

1. If possible, create a separate environment for security set up, so as not to interfere with a user
running live or test functions.
2. Run a functional test and encourage end user participation.
3. Copy the security setup to the Live environment when testing is completed and approved.

Note: Function definitions exist at the environment level and not at the company/division level. So, any
function locked for the security test will be locked for users of all the companies and divisions in that
environment.

Security policy for each company/division


One optional way to approach the effort is to use the facility to force automatic creation of permissions; do
this repeatedly for each role. Clear the Authority Required check boxes in Function. Open (MNS110)
after each forced creation.

Force creation of permissions

Defining a role
In every company, it is important to determine if a role means one of the following:
• A job description – fewer roles, many users in each role, not very flexible
• An end user – more roles, fewer users per role, more flexible
• A narrowly defined process, such as order management, booking in, pricing – many roles, each
user has multiple roles, most flexible
It is also important to consider what role changes are needed when people are not at work:
• When user A goes on holiday, does user B get all of user A’s permissions or just those for user
A’s transaction processes?
• Are user A’s roles (transaction processes) shared among a number of colleagues?
In the graphic below, the roles are based on transaction processes. This method can be flexible if a user
is sick or goes on holiday. Example: An absent user’s roles can be shared among several colleagues.

Setting roles for specific processes


In the graphic below, the roles are based on the job description. This is less flexible. For example, if the
user is sick or goes on holiday, reassigning that user’s role may give too much authority to a colleague.
This approach would most likely need more entries in Infor M3 to accommodate exceptions to the widely-
scoped roles.

Setting roles for job descriptions

Assessing users’ requirements – security feedback forms
To match the appropriate user to the function or functions, feedback from each process owner will need
to be combined. This will result in a list of the functions requested for the owners’ users. At the end of the
process, a composite spreadsheet with a column of Infor M3 functions in alphabetic sequence could be
generated. Additional columns, one for each role with an indicator of whether the function is required or
not, can be added.

Collating authorization feedback from process owners


Note: The left side column values come from the CMNFCG table, and the Roles along the top come from
CMNROL.

Assessment of the requirements by process owners


The image below shows the composite spreadsheet with a single list of all Infor M3 functions and the role
columns. These columns indicate whether the user requires access to the function. In this example, F
means full access, D means display access, and blank means users do not require access.

Publish the consolidated authorization feedback to process owners

This may be the first time process owners are shown the list of requirements to Infor M3
functions for all the user groups/roles. At this stage, it is advisable to publish the consolidated
spreadsheet for all the process owners for verification against what their own groups should
have exclusive access to. Process owners should ask, “Why does that group want one of our
functions?” Any conflicts of function ownership can then be discussed and resolved before
keying the data into the system.

Agreement on the function requirements is the final step, and indicates all the relevant information
needed to update permissions using Function. Connect Authority by Role (SES400).
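
The following Python sketch is an added illustration, not part of the Infor workbook. It collates process-owner feedback into the composite function-by-role matrix described above, rejects entries that name unknown functions, roles or access levels, and lists the functions requested by more than one role so that ownership can be discussed. The role SALES, the function ZZZ999, the owner names and the rule that a repeated request keeps the higher level are assumptions made for the example.

```python
LEVELS = ("F", "D")   # F = full access, D = display access, "" = not required


def collate(functions, roles, feedback):
    """Merge process-owner feedback into one function-by-role matrix.

    functions -- known function IDs (rows, sorted alphabetically)
    roles     -- known roles in column order
    feedback  -- iterable of (process_owner, role, function, level)
    Returns (matrix, shared, rejected).
    """
    matrix = {f: {r: "" for r in roles} for f in sorted(functions)}
    rejected = []
    for owner, role, function, level in feedback:
        if function not in matrix or role not in roles or level not in LEVELS:
            rejected.append((owner, role, function, level))
            continue
        # Choice made for this example: a repeated request keeps the higher level.
        if matrix[function][role] != "F":
            matrix[function][role] = level
    # Functions wanted by more than one role are the ones owners should query.
    shared = {f: [r for r in roles if cells[r]]
              for f, cells in matrix.items()
              if sum(1 for v in cells.values() if v) > 1}
    return matrix, shared, rejected


def render(matrix, roles):
    """Return the matrix as aligned text lines, one function per row."""
    width = max(len(r) for r in roles) + 2
    lines = ["Function".ljust(10) + "".join(r.ljust(width) for r in roles)]
    for function, cells in matrix.items():
        lines.append(function.ljust(10)
                     + "".join(cells[r].ljust(width) for r in roles))
    return [line.rstrip() for line in lines]


# Constructed sample feedback. SALES and ZZZ999 are hypothetical.
FEEDBACK_FUNCTIONS = ["MMS002", "CRS610", "MMS001"]
FEEDBACK_ROLES = ["FINANCE", "ITADMIN", "SALES"]
FEEDBACK = [
    ("owner-finance", "FINANCE", "MMS002", "F"),
    ("owner-finance", "FINANCE", "CRS610", "D"),
    ("owner-it", "ITADMIN", "MMS001", "F"),
    ("owner-it", "ITADMIN", "CRS610", "D"),
    ("owner-sales", "SALES", "CRS610", "F"),
    ("owner-sales", "SALES", "ZZZ999", "F"),   # unknown function: rejected
    ("owner-sales", "SALES", "MMS001", "X"),   # unknown level: rejected
]

if __name__ == "__main__":
    matrix, shared, rejected = collate(FEEDBACK_FUNCTIONS, FEEDBACK_ROLES, FEEDBACK)
    print("\n".join(render(matrix, FEEDBACK_ROLES)))
    print("Requested by more than one role:", shared)
    print("Rejected entries:", rejected)
```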

Additional information
The following SQL statements are given as examples of making mass changes to the Infor M3 security
files from outside the Infor M3 application. Take these precautions before using them:
• Always ensure a file is copied before updating it.
• Work on a test version of Infor M3.
• Only use these statements if you are confident in your ability to use the i6 database and SQL.

Infor M3 role-based security files


• CMNFNG – Infor M3 function definitions maintained by Function. Open (MNS110)
• CMNFNP – Function-to-program links (MNS112)
• CMNUSR, CSYUSR – Infor M3 user enrollments
    o CMNUSR maintained by User. Open (MNS150)
    o CSYUSR maintained by User. Access per Company & Division (MNS151)
• CMNROL – Roles maintained by Roles. Open (MNS405)
• CMNRUS – Roles per user maintained by Roles per User. Connect (MNS410)
• CMNPSU – Role setup, maintained by Function. Connect Authority by Role (SES400)
• CMNPUS – Permissions per user maintained by SES900 (via SEMNGPER)

Mass changes to function definitions


The following is an SQL statement for updating all executable function definitions to have Authority
Required set to locked.
    UPDATE m3edbxxx/cmnfng SET jfauty = '1'
    WHERE jffnt3 <> 'GRP'
      AND jffnt3 <> 'TXT'
      AND jffnt3 <> 'MNU'

Query on CSYSTR – User Preferences table
CSYSTR (System Start Values & Parameters) contains a record for every program that each user has
run. It can be used to help process owners assess which functions are required by users by retrieving a
list of programs (functions) for each user, or selected users. The data is stored per company/division.
The following is an SQL statement for listing all interactive programs run by individual users:
    SELECT DISTINCT cspgnm, csresp FROM csystr ORDER BY csresp
Use a subquery against the function definition table, CMNFNG, to filter out any low-level programs,
selecting only the programs that are functions.
    SELECT DISTINCT cspgnm, csresp FROM csystr
    WHERE cspgnm IN (SELECT jffnid FROM cmnfng)
    ORDER BY csresp

Check your understanding

Which of the following is the only way to deny access to a particular Infor M3 function?

a) Select the Auth required check box in the function definition in program
Function. Open (MNS110).
b) Add the function to Function. Connect Authority by Role (SES400) with no
options selected.
c) Add the function to Function. Connect Authority by Role (SES400) with
Status set to “10.”
d) Add the function in Function. Deny Access (SES350).

How many roles can one user be in?

_________________________________________________________________________

_________________________________________________________________________

_________________________________________________________________________

Lesson 4: Infor M3 data security
Estimated time
1 hour

Learning objectives
After completing this lesson, you will be able to describe how to secure particular records within Infor M3
database tables. In this lesson, you will:
• Define Object Access groups.
• Define Object Access user groups.
• Describe how to protect Infor M3 data objects from access by users with functional access.

Topics
• Concept of data security
• Process of setting up data security

Concept of data security
Data security recognizes the idea of data ownership in Infor M3, and allows data and tasks to be
restricted to specific groups of users. It operates independently from function security.
Unlike Infor M3 function security and field security, the restrictions introduced by data security depend on
the Infor M3 application context. For example, in function security, setting permissions results in
controlling whether a function can or cannot be run. In field security, the result is that a field can or cannot
be seen. In data security, there is not such a simple result. The restriction is more closely related to the
process flow in each specific area of the application.
Data security works by considering specific data entities as objects. Objects in this context can be bank
accounts, facilities, approval identities, Infor M3 Financial Accounts Management (FAM) functions, budget
definitions, cost center models, cash flow models, chart of accounts, warehouses, purchase agreements,
supply models, customer agreements, bonus agreements, customers, customer order charge models,
campaigns, discount models, basic sales prices per item, and price lists. Note: Not all areas of Infor M3
can be protected by data security.
The means of protecting data objects in Infor M3 is by an Object Access group. Multiple groups may be
created. An Object Access group can be thought of as a barrier behind which individual data objects are
placed. Next, the users are organized into user groups. Finally, specific user groups are connected to
Object Access groups, giving those users access to the data. Any users whose group is not connected to
the Object Access group will not be authorized to access the data it protects.
Note: The user MVXSECOFR is not affected by Object Access group security. This is hard coded in the
software. To take advantage of this, a user must be created in the Active Directory, enabling that user to
log on to Infor M3 to resolve any data security issues.
The restrictions applied in data security are varied, and can be explained best by an Infor business
consultant.

Structure – simple example


The following is an example of how the structure of data security enables individual data objects to be
protected from unauthorized access.
The problem: There are sales representatives operating from two sales offices, a northern office and a
southern office. All sales representatives have identical functional authority, including the authority to
update customer master data. One of the rules at this company is that some customer records can only
be accessed by sales representatives from their local office. So permissions need to be set up to prevent
southern sales representatives from accessing northern customers, and northern sales representatives
from accessing southern customers. This is true only for a section of the customer population, as there are
many customers whose records can be accessed by sales representatives from either office.
The solution: The following steps are required to protect the customer records in the customer master
table.
1. Create two user groups to enable identification of the users: northern and southern office users.
2. Since there are two cases for protection—northern and southern—there is a need to create two
Object Access groups that will be used to protect customers.
3. Establish lines of access by linking user groups to Object Access groups.

4. Protect individual customer records by typing the name of an Object Access group into the field in
their master records. In this example, use Customer. Open (CRS610) to change individual
customer records. Set the Object Access group field to the required name.

Structure - simple example of using Object Access groups

Structure – complex example


The problem: In addition to the scenario discussed in the previous example, there are some high priority
customers who will only interact with sales managers, regardless of the office location.
The solution: The following changes are required to extend the protection to high priority customers.
1. Create two new user groups to enable identification of the users. Two new groups for sales
managers are needed, one for each location. This will help identify the users’ office location.
2. There is an additional case for protection: high priority customers. A third Object Access group
will need to be created.
3. Establish lines of access by linking user groups to Object Access groups.
4. Protect individual high priority customer records by typing the name of the new Object Access
group into the field in their master records.

Structure - complex example of using Object Access groups


The example above indicates the importance of having two levels of groupings between the users and the
Infor M3 objects. Using two levels allows complex relationships between the user groups and the object
groups, to allow for a one-to-many link running in either direction. This means one user group can be
linked to many information groups or one information group can be linked to many user groups.
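
The following Python model is an added illustration, not part of the Infor workbook or the M3 software. It builds the complex example above and evaluates who can reach which customer record. Only NORTHSALES and NORTHCUSTS appear in the workbook; the other group, user and customer names, division AAA, and the links from each managers' group to its own office's customers are assumptions.

```python
SECURITY_OFFICER = "MVXSECOFR"   # not affected by Object Access group security


class ObjectAccessModel:
    """Two levels of grouping between users and protected records."""

    def __init__(self):
        self.user_group = {}       # (user, division) -> user group for data security
        self.links = set()         # (Object Access group, user group)
        self.customer_group = {}   # customer -> Object Access group, "" if unprotected

    def link(self, access_group, *user_groups):
        for group in user_groups:
            self.links.add((access_group, group))

    def may_access(self, user, division, customer):
        if user == SECURITY_OFFICER:
            return True
        access_group = self.customer_group[customer]
        if not access_group:
            return True   # record is not behind any Object Access group
        # User groups are assigned per division, so the lookup is per division.
        group = self.user_group.get((user, division))
        return (access_group, group) in self.links

    def groups_reaching(self, access_group):
        """User groups linked to one Object Access group."""
        return sorted(g for a, g in self.links if a == access_group)

    def reachable_from(self, user_group):
        """Object Access groups linked to one user group."""
        return sorted(a for a, g in self.links if g == user_group)


def build_complex_example():
    m = ObjectAccessModel()
    m.link("NORTHCUSTS", "NORTHSALES", "NORTHMGRS")   # manager links are assumed
    m.link("SOUTHCUSTS", "SOUTHSALES", "SOUTHMGRS")
    m.link("KEYCUSTS", "NORTHMGRS", "SOUTHMGRS")      # high priority customers
    for user, group in (("NREP", "NORTHSALES"), ("SREP", "SOUTHSALES"),
                        ("NMGR", "NORTHMGRS"), ("SMGR", "SOUTHMGRS")):
        m.user_group[(user, "BBB")] = group
    m.customer_group.update({"C-NORTH": "NORTHCUSTS", "C-SOUTH": "SOUTHCUSTS",
                             "C-KEY": "KEYCUSTS", "C-OPEN": ""})
    return m


def access_matrix(m, division="BBB"):
    """Customers each user can reach in one division."""
    users = sorted({u for u, d in m.user_group if d == division})
    users.append(SECURITY_OFFICER)
    return {u: [c for c in sorted(m.customer_group)
                if m.may_access(u, division, c)] for u in users}


if __name__ == "__main__":
    model = build_complex_example()
    for user, customers in access_matrix(model).items():
        print(user.ljust(10), customers)
    print("KEYCUSTS is reached by:", model.groups_reaching("KEYCUSTS"))
    print("NORTHMGRS reaches:", model.reachable_from("NORTHMGRS"))
```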

Process of setting up data security
Setting up Object Access group security involves the following steps:

Step 1: Create user groups
Program/Description: Create user groups in function User Group. Open (CRS004).
• User Group. Open (CRS004) defines user groups only for data security.
• Do not confuse these groups with user groups created in User. Open (MNS150), which are used only
for field security.

Step 2: Create Object Access groups
Program/Description: Create Object Access groups in function Object Access Group. Open (CRS006).

Step 3: Connect User groups to Object Access groups
Program/Description: Connect User groups to Object Access groups in function Object Access Group.
Connect User Group (CRS007).

Step 4: Assign users to Object Access groups
Program/Description: Assign users to Object Access groups in function User. Open (MNS150).
• User groups for Object Access security must be assigned to users at the division level.
• Use option Related > User Permissions to Cmp/Div (CTRL+11).
• User group can be different in various divisions in which the user is allowed access.

Step 5: Use the appropriate function to set the Object Access group against the data object in Infor M3
that needs to be protected.
Program/Description: Use the appropriate function to set the Object Access group against the data
object in Infor M3 that needs to be protected.
• Examples
    o MMS001 to protect items
    o CRS610 to protect customers

In User. Access per Company & Division (MNS151), do not confuse User grp object
(used with Object Access groups) with User group (used with field security).
In User. Access per Company & Division (MNS151), when changing the user’s authority
within a specific company/division, only the user groups belonging to this company can be
specified.
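
The five steps above can be read as an access check. The following is an added example, not Infor code: a toy Python model that replays the values used in Exercise 4.1 (NORTHSALES, NORTHCUSTS, customer 10002, user M3M01, division BBB). Division AAA is constructed, and evaluating the check against the division the user is working in is an assumption.

```python
class ObjectAccessModel:
    """Toy model of Object Access group security for one M3 company."""

    def __init__(self):
        self.connected = {}        # CRS007: Object Access group -> connected user groups
        self.user_grp_object = {}  # MNS151: (user, division) -> "User grp object"
        self.record_group = {}     # e.g. CRS610: (program, record) -> Object Access group

    def connect_user_group(self, access_group, user_group):
        self.connected.setdefault(access_group, set()).add(user_group)

    def assign_user(self, user, division, user_group):
        # Assigned at division level, so the group may differ between divisions.
        self.user_grp_object[(user, division)] = user_group

    def protect(self, program, record, access_group):
        self.record_group[(program, record)] = access_group

    def is_authorized(self, user, division, program, record):
        access_group = self.record_group.get((program, record))
        if access_group is None:
            return True  # no Object Access group set: data security does not restrict it
        # Assumption: the check uses the user's group in the division being worked in.
        user_group = self.user_grp_object.get((user, division))
        return user_group in self.connected.get(access_group, set())


def replay_exercise_4_1():
    """Replay Exercise 4.1 and record the outcome of the change attempt at each stage."""
    model = ObjectAccessModel()

    def check(division="BBB"):
        return model.is_authorized("M3M01", division, "CRS610", "10002")

    results = {}
    model.connect_user_group("NORTHCUSTS", "NORTHSALES")   # Part 1 (CRS004/CRS006/CRS007)
    results["before_protect"] = check()
    model.protect("CRS610", "10002", "NORTHCUSTS")         # Part 2, step 5
    results["after_protect"] = check()                     # Part 2, step 9: "Not authorized"
    model.assign_user("M3M01", "BBB", "NORTHSALES")        # Part 3 (MNS151)
    results["after_assign"] = check()                      # Part 4
    results["other_division"] = check("AAA")               # constructed division, no group there
    return results


if __name__ == "__main__":
    for stage, allowed in replay_exercise_4_1().items():
        print(f"{stage:15} {'authorized' if allowed else 'Not authorized'}")
```

The second stage is the one to plan for: as in Part 2 of the exercise, the administrator who protects a record is locked out of it until their own user ID is connected to a user group that has access.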

Exercise 4.1: Set up Object Access security
In this exercise, you will create an Object Access group. In addition, you will:
• Protect customer records by the Object Access group.
• Create a user group with access to data protected by the Object Access group.

Notes:
• If you are taking this course as classroom or virtual instructor-led training, observe as
your instructor first demonstrates this exercise.
• If you are taking this course as self-directed learning, complete the steps below.

Exercise steps
Note: Ensure you are logged in to Infor M3. If not, refer to Exercise 2.1, part 1.

Part 1: Create a user group and an Object Access group, connect the user group to the Object
Access group
1. Start User Group. Open (CRS004). Panel B displays.
2. Type NORTHSALES in the User grp o field.
3. Select Options > Create (CTRL+1). Panel E displays.
4. Type Northern Sales Personnel in the Description field.
5. Type North Sales in the Name field.
6. Click Next. Panel B displays again.
7. Click Close. The Infor M3 Start Page displays.
8. Start Object Access Group. Open (CRS006). Panel B displays.
9. Type NORTHCUSTS in the Access grp field.
10. Select Options > Create (CTRL+1). Panel E displays.
11. Type Northern customers in the Description field.
12. Type North Custs in the Name field.
13. Click Next. The Object Access Group. Connect User Group (CRS007/B) program displays for
Object Access group NORTHCUSTS.
14. Type NORTHSALES in the User grp o field.
15. Select Options > Create (CTRL+1). Panel E displays.
16. Click Next. Panel B displays.
17. Click Close. The Object Access Group. Open (CRS006/B) program displays.
18. Click Close. The Infor M3 Start Page displays.

Part 2: Protect a customer


1. Start Customer. Open (CRS610). Panel B displays.

2. Highlight the row related to customer 10002.
3. Select Options > Change (CTRL+2). Panel E displays.
4. Click Next twice to navigate to panel G.
5. Type NORTHCUSTS in the Obj access grp field.
6. Click Next. Panel H displays.
7. Click Previous four times to return to the B panel.
8. Highlight the row related to customer 10002.
9. Select Options > Change (CTRL+2). A message, “Not authorized” displays.
10. Click OK.
11. Click Close. The Infor M3 Start Page displays.

Part 3: Connect your user ID to the user group that has access
1. Start User. Open (MNS150). Panel B displays.
2. Type M3M01 in the User field.
3. Press Enter.
4. Highlight the row related to your user ID.
5. Select Related > User Permissions to Cmp/Div (CTRL+11). The User. Access per Company
Division (MNS151/B1) program opens.
6. Type 330 in the Cmp field.
7. Press Enter.
8. Highlight the row related to 330 division BBB.
9. Select Options > Change (CTRL+2). Panel E displays.
10. Type NORTHSALES in the User grp object field. Note: Do not mistake this with the User group
field directly above it.
11. Click Next. Panel B1 displays.
12. Click Close. The User. Open (MNS150) program displays again.
13. Click Close. The Infor M3 Start Page displays.

Part 4: Test your access to the protected customer


1. Start Customer. Open (CRS610). Panel B displays.
2. Highlight the customer 10002 row.
3. Select Options > Change (CTRL+2). Panel E displays; proving that you now have access to the
previously protected customer.
4. Click Close. The Infor M3 Start Page displays.

Check your understanding

All tables in Infor M3 can be set up for data security.

a) True
b) False

An Infor M3 user can only be assigned to one Object Access user group.

a) True
b) False

Lesson 5: Infor M3 field security
Estimated time
2 hours

Learning objectives
After completing this lesson, you will be able to describe how to protect specific fields within Infor M3
tables from unauthorized access. In this lesson, you will:
• Explain field-level security.
• Identify field-level security limitations.
• Explain how to set up the different levels of field security.

Topics
• Objective of field security
• Field security concepts
• Scope of field security
• Process of setting up field security

Objective of field security
The objective of field security is to give a finer level of control than that given by function security. Users
with identical functional authority can be given different levels of access to individual fields.

Controlling access to individual fields


There are three levels of field security:
• Level 0: hidden state – hidden from display (including the field headings)
• Level 1: protected state – displayed but protected from change
• Level 2: normal state – displayed and allowed to be changed

Examples of three levels of field security

Field security concepts
Field security concepts overview
Field security uses field groups to control access, even if only a single field needs to be secured. The field
group attributes include name, description, and default public access level. A field can be attached to
only one group.

Field security – field groups


A field group has a default access level, defined in Field Group. Open (SES100). This is the default
policy for public access to the fields. A field group can be thought of as a barrier between users and
fields. Users’ access is determined by the default access level for the Field group.

Field group attributes


A field group is always required, even if only one field is being secured.

Connecting fields to field groups


Fields to be secured are connected to the field group. User access for all fields in the group is determined
by the field group’s default access level.

Fields are connected to a field group

Connecting users to field groups
Individual users or user groups can be connected to field groups with their own access level. This
provides the mechanism for overriding the default access level for certain users (or user groups).
User access is determined by the default public access level for the field group if no override is found.
Users view the fields through the field group with either the public level of access or their individual level
of access.
In the example below, the individual user has level 2 access, and can see and change the fields.
Members of the user group Accounts can see but not change the fields. Members of the group
Warehouse cannot see the fields at all.

Users and user groups are connected to field groups

Scope of field security
Overview
Not all fields can be secured. The fields that have field security built in are those that commonly require
this extra level of protection. The Infor Research and Development group designs security for the most
commonly requested fields.
Securing a field does not need to be done in every program in which it appears. The purpose of Infor M3
field security is to track the field to its root in the database, and effectively apply the security at that level.
Then, other programs that allow maintenance to the table containing that field will automatically follow the
security specifications made.
Field security is a feature of the Infor M3 application. It does not protect fields from access using other
database maintenance tools such as SQL, Open Database Connectivity (ODBC), querying tools, etc.
Within a company, a field can be in only one field group. In other words, a field cannot be connected to
two or more groups.
Field groups belong to the company even if created at the division level; the group’s structure is shared
by all divisions in the company. For example, it is not possible for different divisions of the same company
to have different fields connected to the same group. Also, the default access level must be the same
across all divisions.
Users are connected to a field group at the division level. This allows users different authority to the same
field group in different divisions.
A field group structure (square in the center of the page and the three fields on the right (A-C) in the
illustration below) belongs to the company and applies to all divisions. All the other information, i.e. the
user groups, user accounts, the access levels, and the company and divisions can be changed.

Field group structure is shared by all divisions

User connections are made at the divisional level (including the blank division).

User connections are made at divisional level – example A

User connections are made at divisional level – example B

User connections are made at divisional level – example C

User connections are made at divisional level – example D
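
The rules in this section (one field group per field within a company, a default public access level per group, and user or user group overrides made per division) can be written as a lookup. The following is an added example, not Infor code: a toy Python model using the field group ITEMDESCS and fields MMITDS and MMFUDS from this lesson's exercise and the Warehouse and Accounts user groups from the earlier illustration. Division AAA, the users CLERK1 and CLERK2, and the field XXDEMO are constructed; checking a user's own override before a user group override, and treating a field in no group as level 2, are assumptions.

```python
HIDDEN, PROTECTED, NORMAL = 0, 1, 2  # levels 0, 1 and 2 as defined in this lesson


class FieldSecurityModel:
    """Toy model of field security for one company."""

    def __init__(self):
        self.default_level = {}  # SES100: field group -> default public access level
        self.field_group = {}    # SES102: field -> the single group it is connected to
        self.overrides = {}      # SES010: (group, division, kind, name) -> level

    def create_group(self, group, default_level):
        self.default_level[group] = default_level

    def connect_field(self, group, field):
        if group not in self.default_level:
            raise KeyError(f"field group {group} does not exist")
        current = self.field_group.get(field)
        if current not in (None, group):
            # Within a company, a field can be in only one field group.
            raise ValueError(f"{field} is already connected to {current}")
        self.field_group[field] = group

    def connect_authority(self, group, division, level, *, user=None, user_group=None):
        if (user is None) == (user_group is None):
            raise ValueError("give exactly one of user or user_group")
        kind, name = ("user", user) if user is not None else ("group", user_group)
        # Connections are made per division, so levels can differ between divisions.
        self.overrides[(group, division, kind, name)] = level

    def effective_level(self, field, division, user, user_group=None):
        group = self.field_group.get(field)
        if group is None:
            return NORMAL  # assumption: a field in no field group is not restricted
        # Assumption: an individual user's override is checked before a user group's.
        for kind, name in (("user", user), ("group", user_group)):
            level = self.overrides.get((group, division, kind, name))
            if level is not None:
                return level
        return self.default_level[group]  # no override found: default public access


def build_example():
    sec = FieldSecurityModel()
    sec.create_group("ITEMDESCS", PROTECTED)  # default public access: 1-Display
    sec.connect_field("ITEMDESCS", "MMITDS")
    sec.connect_field("ITEMDESCS", "MMFUDS")
    sec.connect_authority("ITEMDESCS", "BBB", NORMAL, user="M3M01")
    sec.connect_authority("ITEMDESCS", "BBB", HIDDEN, user_group="WAREHOUSE")
    return sec


if __name__ == "__main__":
    sec = build_example()
    for args in [("MMITDS", "BBB", "M3M01", "WAREHOUSE"),
                 ("MMFUDS", "BBB", "CLERK1", "WAREHOUSE"),
                 ("MMITDS", "BBB", "CLERK2", "ACCOUNTS"),
                 ("MMITDS", "AAA", "M3M01", "WAREHOUSE")]:
        print(args, "->", sec.effective_level(*args))
```

The model covers only what the Infor M3 application evaluates; as noted above, field security does not protect fields from access through SQL, ODBC, or other database tools, so database-level access needs its own controls.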

Process of setting up field security
Field security – overview of the process
The field security process is comprised of four steps:

1. Identify the fields and confirm that the fields can be secured. Program: Field. Display per Program (SES200)
2. Create new group. Program: Field Group. Open (SES100)
3. Attach fields to field group. Program: Field Group. Connect Fields (SES102 or option 11 from SES100)
4. Attach users to field group. Program: Field Group. Connect Authority (SES010)

Note: SES200 is based on Infor M3 metadata and Infor M3 programming conventions. Consequently, the
information below is of a technical nature.
Before reviewing the steps, it is important to note that there are three credit limit fields in panel J of
Customer. Open (CRS610).

Step 1: Identify the fields and confirm that the fields can be secured.
The first part of step 1 is to identify the fields to be secured. This is accomplished by running any Infor M3
function that includes the fields to be secured and pressing F1 for each field. For each field three pieces
of information are needed: the program name, the panel in which it is displayed, and the name of the field
used in the program.
The second part of step 1 is to determine whether the fields are capable of being secured. To accomplish
this, it is important to search for the field in all programs using Field. Display per Program (SES200).
The field name used in the program is not the name in the Infor M3 database table. Programs use a work
field name similar to the proper name. Usually the last four characters of these two field names will match.
To find the work field name, navigate to the program panel in which it appears. In our example, the
information is in CRS610 on panel J.
After locating the field in Field. Display per Program (SES200), check the Ind Protect and Ind Non-
display attributes. Note: Only fields with non-blank values for Ind Protect and Ind Non-display can be
secured. If the field can be secured, the value in Ref field will be the name of the field in the Infor M3
database table.

Finding the working field name

To find a field in SES200, type the program name, the panel identifier, then the part of the field name from
the online help (e.g., CRLM for Credit Limit) preceded by an asterisk.
Use the Position to fields to bring the program and panel to the top of the list. For the field name, use the
asterisk to filter the list to include only fields matching the last four characters you found in the field help.

Locating and finding the field in Field. Display per Program (SES200)

Confirming whether the field can be secured

Step 2 – Create new group


Field Group. Open (SES100) is used to create a field group. When creating a field group, the
appropriate default public access level must be selected in the Field selection drop-down box.

Step 3 – Add fields to field group


Fields are added to the group under Field Group. Connect Fields (SES102). Note: Any number of fields
can be added to a field group. Other programs that include the field or fields being secured are visible here.

Step 4 – Attach users to field group


Field Group. Connect Authority (SES010) is used to attach a user to the field group. This can be done
by selecting a level under Field selection.

Exercise 5.1: Set up field security
In this exercise, you will set up a field group to control access to two fields in the Item Master
file, available for update in Item. Open (MMS001), and possibly other programs.

Notes:
• If you are taking this course as classroom or virtual instructor-led training, observe as
your instructor first demonstrates this exercise.
• If you are taking this course as self-directed learning, complete the steps below.

Exercise steps
Note: Ensure you are logged in to Infor M3. If not, refer to Exercise 2.1, part 1.

Part 1: Discover the four-character field name of two fields that require field security
1. Start Item. Open (MMS001). Panel B displays.
2. Highlight the row related to <any item on the list>.
3. Select Options > Change (CTRL+2). Panel E displays.
4. Click anywhere in the Name field (the second field under Basic Information).
5. Press the F1 key. A pop-up window displays information about the Name field.
6. Write down the four-character name of the field as displayed in the bottom-right corner of the help
box: _________________________.
7. Click Close. Panel E displays again.
8. Click anywhere in the Description field.
9. Press the F1 key. A pop-up window displays information about the Description field.
10. Write down the four-character name of the field as displayed in the bottom-right corner of the help
box: _________________________.
11. Click Close. Panel E displays again.
12. Click Close. The Infor M3 Start Page displays.

In this example, the names of the fields as used in the program’s view definition,
MMITDS and MMFUDS, are the same as their proper names in the database table.
However, this is not always the case, so the steps in this exercise should be
followed in all cases when checking whether fields can be secured.

Part 2: Confirm whether the fields ITDS and FUDS can be secured and, if they can, discover their
true names in the database
1. Start Field. Display per Program (SES200). Panel B displays.
2. Type MMS001 in the Program field.
3. Type *ITDS in the Field field.
4. Type E in the Pan (Panel) field.

5. Press Enter. The record for MMS001, MMITDS, panel E displays near the top of the list.
6. Highlight the row relating to MMS001, MMITDS, panel E.
7. Select Options > Display (CTRL+5). Panel E displays. Note: The fields Ind Protect and Ind
Non-display contain numbers, indicating that the field is securable.
8. Write down the name of the field as it appears in the Ref field field: ___________________.
9. Click Previous. Panel B displays again.
10. Repeat steps 3-7, typing *FUDS in the Field field.
11. Write down the name of the field as it appears in the Ref field field: ___________________.
12. Click Close. The Infor M3 Start Page displays.

Part 3: Create a field group for the fields MMITDS and MMFUDS
1. Start Field Group. Open (SES100). Panel B displays.
2. Type ITEMDESCS in the Fld sec gr field.
3. Select Options > Create (CTRL+1). Panel E displays.
4. Type Item descriptions in the Name field.
5. Select 1-Display in the Field selection drop-down list.
6. Click Next. The Field Group. Connect Fields (SES102/B) program opens.
7. Type MMITDS in the Field field.
8. Select Options > Create (CTRL+1). Panel E displays.
9. Click Next. The B1 panel displays.
10. Type MMFUDS in the Field field replacing MMITDS.
11. Select Options > Create (CTRL+1). Panel E displays.
12. Click Next. The B1 panel displays.
13. Click Close. The Field Group. Open (SES100/B) program displays again.
14. Click Close. The Infor M3 Start Page displays.

Part 4: Test the default public access to the secured fields


1. Start Item. Open (MMS001). Panel B displays.
2. Highlight the row related to <any item on the list>.
3. Select Options > Change (CTRL+2). Panel E displays. Note: The Name field and the
Description field are protected from editing. This is the default public access level to these fields.
4. Click Close. The Infor M3 Start Page displays.

Part 5: Connect your user ID to the field group; specify an access level of non-display, then test
your access to the secured fields
1. Start Field Group. Connect Authority (SES010). Panel B displays.
2. Type ITEMDESCS in the Fld sec gr field.
3. Type <your user ID> in the User field.
4. Select Options > Create (CTRL+1). Panel E displays.
5. Select 0-No display from the Field selection drop-down list.
6. Click Next. Panel B1 displays.
7. Click Close. The Infor M3 Start Page displays.
8. Start Item. Open (MMS001). Panel B displays.
9. Highlight the row related to <any item on the list>.
10. Select Options > Change (CTRL+2). Panel E displays. Note: The Name field and the
Description field are not visible on the display.
11. Click Close. The Infor M3 Start Page displays.

Check your understanding

Match each of the following field security settings to its numeric setting. The possible settings
are 0, 1, and 2.

Field security setting: Numeric setting
• The field is displayed and can be changed: ____
• The field and its headings are removed from the display: ____
• The field is displayed, but cannot be changed: ____

If you only want to secure one field, you do not have to create a field group.

a) True
b) False

If a field is found on multiple panels in various M3 programs, field security needs to be set
up for each of the programs.

a) True
b) False

Course summary
Estimated time
.5 hours

Learning objectives
Now that you have completed this course, you should be able to:
• Describe aspects of the Infor M3 security model.
• Explain the process of maintaining Infor M3 users.
• Describe how role-based security can be used to secure your Infor M3 environment.
• Describe how to secure particular records within Infor M3 database tables.
• Describe how to protect specific fields within Infor M3 tables from unauthorized access.

Topics
• Course review

Appendix
The following are included in this section:
• Appendix A: User accounts

Appendix A: User accounts
Your instructor will assign you a student user ID from the table listed below to use for class exercises.
Note: If you are taking this course as self-directed learning, refer to the Training Desktop Login
Instructions on the Lab On Demand page.

M3: v13x Administering Security for the Cloud - 01_0111340_IEN1745_M3O

Training environment entry point (VM): M3 13.4 Tech v2, m3app-2013 (Landing Server)
• ID: All
• User name: gdeinfor2\m3m01
• Password: Infor123

Applications, instructor login (for course demos): OS Portal, Infor M3 (H5)
• ID: All
• User name: [email protected]
• Password: Infor123

Applications, student logins (for course exercises): OS Portal, Infor M3 (H5)
• ID: All
• User name: [email protected]
• Password: Infor123
