Menu Security vs. Menu Filtering vs. Role Security

david.ruprecht

Member
My questions are itemized at the end of this post if background is not desired.

Background: I have read the documentation on User Roles and Profiles as well as many documents on security timeouts and cache purging but I cannot seem to find the explanation of what I am experiencing.
Motivation: I am researching security and security timeouts to give my users a better feel for the behavior they should experience after a security change is made.
Questions: After reading security documentation I seem to be experiencing different results from what is expected.

1) When I make a role change using the P95921 to a user and have them log out and log in to the system the change does not seem to instantly take affect. The permissions seem to have a slight lag between when they log on and when they take the new role security. Should the new role security be obtained upon log on?
2) Also when I assign a user two roles using the P95921, the user is given the ability to run all the applications within the union of those roles but the user only sees the menus allowed to the lower security role. Even when the user changes his/her role under the roles tab on the menu bar the user is only able to see the menu items allowed to the lower security role. Is there a timeout the user is waiting for?
3) The disconnect I am experiencing between the application security and the menu filtering makes me think they are used and resolved in different ways. Is this the case?

Note: My "Security Cache Purge Timeout" is set to "600000" in the Server Manager. What parts of "security" does this timeout influence? Is this a per-user instance timeout or does this start when services are started?

Thank you to anyone who can offer some explanation on this topic.
 
Hi David,

The F0092 and F95921 tables are stored in the Service Cache. When you make user profile or role relationship changes, this is the cache you need to clear through Server Manager. There is a separate cache for menus and finally, the Security Cache for F00950 items.

Matt
Team Lead, Security Solutions
ERP-One Consulting
www.erp-one.com
 
Matt,
Thanks for the information. A few more questions for you.

1) Does the Service Cache timeout mean that when I make a change to user profiles or role relationships the previous configuration is still in effect until the timeout expires or does the user log off and log in reset the cache timeout?

2) Is this the same behavior I will see with the Security Cache?

Thank you again for your help, Matt.
 
When logged in to the HTML instances the cache is active until the timeout expires or you manually clear the cache. This is the expected behaviour for both Service and Security cache.

Matt
 
Hi,

In older tools releases the role sequencer was used so users only ever saw one role's menus even if they signed on with *ALL. We have a tool that fixes this.

In more recent tools release the sequencer still gives problems when trying to work out which security to make effective, we have a tool that fixes this. (This issue is a prime cause of many managers liking the idea of testing security prior to putting it live).

To work out if your problem is caused by security or finecut, use Fastpath.
 
Back
Top