8.1 Lawson Security Overview Del Dehn Product Manager

Agenda Security domains Upgrade considerations Summary 8.1 Technology project update Questions and answers

Lawson Security Domains Technology Security Domains User management Authentication Authorization

Lawson Security Authorization Authentication/ Single sign-on Resource Management

Lawson Security Business process focused security Central repository for security administration (Resources) Organizational modeling (Roles) Rules builder (Rules) Single sign-on Additive security paradigm Database auditing (front-end, back-end sign-on)

Lawson Security: Design Features Designed as a centralized service –Callable by all Lawson layers Roles and Rules based –An industry prevalent approach Driven by user and corporate information –Flexible security to accommodate the customer’s business structures Administration tool for policy modeling –Test new structures or security policies Attribute based security –Same concept as attributes in LDAP structures Fine grained securable objects –For example, field level security

User Management

User Management Domain Lawson Resource Management Central repository for globally interesting data –user name, address and roles Create custom attributes Structure – organizational chart modeling Non-organizational chart structures allowed

Organizational Modeling: Changes for Individuals Project Manager is promoted to CFO “Roles” domain LDAP Server Microsoft ADAM 2003 Changes to structures can be made in a “drag and drop” fashion

Organizational Modeling: Changes for Groups Director of Marketing with all of his/her directly reporting Marketing Managers is moved to the direct supervision of the newly created position of VP of Marketing LDAP Server Microsoft ADAM 2003 “Roles” domain Changes to structures can be made in a “drag and drop” fashion

Resource Management: Structure

Authentication

Authentication Domain Lawson Authentication –Single Sign-on –Database (DB) user authentication –Session management –Secure credential storage –Identity management

Single Sign-on for End Users

Authorization

Authorization Domain The new Lawson Security model Business process focused Rules and Roles based Granular security checking Object oriented Flexible policy modeling –Allows organizational modeling for security –Allows attribute driven policies –Element based policies Allows for distributed administration

Authorization: Roles and Rules Roles –Organizational roles –Organizational structures Rules –Rules builder –Simple or complex Rules written for Roles govern the security privileges of end-users assigned to a Role(s)

Benefits of Role-Based Security Transparency –User’s roles are defined by business needs –Security classes and privileges are defined by business tasks Stability –Access needs for a task do not change often –User’s roles change more frequently Efficiency –Changing access for a given task accomplishes changes for all affected users

Lawson Security: New Rules Rules apply to “securable objects” –Product lines –System codes –Forms and their fields –Drill Around® –Tables and the columns in a row –Environment objects – printers, etc.

Security Rules Rules can be unconditional –Grant All Access/Deny Any Access –Builds fast, efficient access control lists Rules can be unconditional but allow limited access –Inquire only, for example Example –ADD_EMPLOYEE class: EMPLOYEE table: ALL_ACCESS (users that are employees can view their own information)

Conditional Rules Data can be secured based on attributes of the user –If (user.getAttribute(‘Department’)== ‘HR’) then ‘IACD’ else ‘I’ (if user is in HR Department, then can change information) Data can be secured based on the data values –If (table.EMPLOYEE == user.getEmployeeId()) then ‘IACD’ else ‘I’ (user can change own information and see all others) Data can be secured using other kinds of functions –Time of day, database reads, etc.

New Security Model Rules express security policies - Rule execution allows or denies access to a securable object Security Classes group rules for common tasks - Constitutes a task oriented privilege pack Multiple security classes to Roles - Easy creation of Roles with overlapping functionalities Multiple Roles to users - Allows for multiple responsibilities

A Security Policy Illustration Users Roles Security Classes Securable Objects Jane John Steve Mary Employee HR Manager Payroll Manager Payroll Clerk Employee Info Manager Info Payroll Access Form HR11 Check Printer Note: Users can be assigned multiple Roles simultaneously

Lawson Security Securable Objects

Deny Access to a Form Field

Security “Off” – All Form Transfers are Available *

Secured: Form Transfers are Hidden

Upgrade Considerations

Lawson Security: 8.1 release Provides security for all Lawson Portal based products –LAUA security – not required –Security extensions (Ex. HR security) - not required Lawson Security and LAUA security can operate concurrently –Lawson Security – Lawson Portal Users ONLY –LAUA security – Lawson Portal Users and LID users –Each end user must be secured by only one security mechanism, not both

Transitioning to 8.1 Lawson Security Security mechanism assignment per end user Enables phased migration from LAUA security to Lawson Security Migration from LAUA to Lawson Security by: –End user –Role –Group –Structure –Etc. Not a “Big Bang” approach

Lawson 8.1 Technology Release 8.1 Technology = Environment, Internet Object Services (IOS) and Lawson Portal 8.1 Technology will support: –8.1 Applications –8.0.X Applications Existing or upgrading 8.0.X Applications customers are not “cut off” from implementing 8.1 Technology 8.0.X Applications customers can utilize 8.1 Technology features without needing to upgrade to 8.1 Applications

8.1 Lawson Security: Summary Flexibility and power to create security policies based on how your organization does business Major components: –Resource Management and LDAP (roles, structures) –Authorization (rules engine) –Authentication and Single sign-on (SSO)

8.1 Technology Project Update The scheduled release of Lawson 8.1 Technology has been moved to Lawson’s Q1FY06 (June – August 2005) after a recent review of the project’s milestones and metrics. This release is being measured against the quality standards and milestones of Lawson’s CMMI methodology and whole company readiness metrics. The review indicated that an adjustment to the proposed schedule would not only deliver much improved performance, usability and security, but also a quicker time to benefit for Lawson clients.

Questions?