
Infor LN Authorization Model: Deep Dive Configuration Guide

The Infor LN authorization model controls what every user can see, do, and access across the entire ERP system. It operates on four levels: session access (which screens a user can open), function access (which operations they can perform within a screen), data access (which records they can view based on company, site, or warehouse), and field access (which fields are visible or editable). A misconfigured authorization setup either locks users out of required functionality or exposes sensitive data to unauthorized personnel. This guide provides a complete configuration walkthrough.

Role-Based Access Control (RBAC) Architecture

LN authorization is role-based. Users are assigned to one or more roles, and roles define the aggregate set of permissions. Each role contains a collection of authorized sessions, functions, and data scopes. When a user logs in, LN computes the effective permission set by combining all roles assigned to the user—permissions are additive (union of all roles), and there is no explicit deny mechanism. This means role design must follow the principle of least privilege, starting with minimal access and adding permissions incrementally.

  • Define roles: navigate to Role Management (ttaad1100m000); create roles aligned to job functions, not individuals: 'ROLE-SALES-REP' (order entry, customer inquiry), 'ROLE-PURCHASING' (PO creation, vendor maintenance), 'ROLE-FINANCE' (GL posting, AR/AP management), 'ROLE-PLANT-MANAGER' (production control, capacity planning)
  • Assign sessions to roles: in Role Authorization (ttaad1500m000), add each session the role needs access to; set the access level: Full (create, read, update, delete), Read-Only (view and print only), or No Access (session is hidden from the menu for this role)
  • Assign users to roles: in User Management (ttaad1000m000), select the user and add role memberships; a single user can have multiple roles (e.g., a small-company controller might have ROLE-FINANCE + ROLE-PURCHASING); the effective permission is the union of all assigned roles
  • Role hierarchy: create composite roles that include other roles; for example, ROLE-PLANT-MANAGER includes ROLE-PRODUCTION (base production access) + additional sessions for capacity planning and schedule override; this reduces maintenance when base permissions change
  • Test role configuration: use the Authorization Test tool (ttaad1600m000); select a user and a session to see the effective access level computed from all assigned roles; this tool also shows which role grants the access, aiding troubleshooting
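The additive role model and composite roles described above can be reproduced offline to review a role design before it is assigned. The following Python model is an added example, not Infor LN code and not part of the original guide. Role names come from the guide; the session identifiers, the role-to-session mappings and the data layout are constructed, and it assumes, following the union semantics stated above, that a No Access entry in one role does not override a grant from another role.

```python
# Added example: models the additive role semantics described in this guide.
# Session identifiers and mappings are constructed sample data, not an
# Infor LN export format.
from enum import IntEnum


class Access(IntEnum):
    NO_ACCESS = 0
    READ_ONLY = 1
    FULL = 2


# role -> {session: access level} (constructed)
ROLE_SESSIONS = {
    "ROLE-PRODUCTION": {"sess.prod.orders": Access.FULL},
    "ROLE-PLANT-MANAGER": {"sess.capacity.plan": Access.FULL},
    "ROLE-SALES-REP": {"sess.sales.orders": Access.FULL,
                       "sess.item.master": Access.READ_ONLY},
    "ROLE-PURCHASING": {"sess.item.master": Access.FULL,
                        "sess.sales.orders": Access.NO_ACCESS},
}
# composite role -> roles it includes
ROLE_INCLUDES = {"ROLE-PLANT-MANAGER": ["ROLE-PRODUCTION"]}


def expand_roles(roles):
    """Return the assigned roles plus every role they include (cycle-safe)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INCLUDES.get(role, []))
    return seen


def effective_access(roles, session):
    """Highest level granted by any role, and the roles that grant it."""
    grants = {r: ROLE_SESSIONS.get(r, {}).get(session, Access.NO_ACCESS)
              for r in expand_roles(roles)}
    level = max(grants.values(), default=Access.NO_ACCESS)
    granting = sorted(r for r, lvl in grants.items()
                      if lvl == level and level != Access.NO_ACCESS)
    return level, granting
```

Running it over every user and session pair before go-live shows where a second role silently widens access that the first role was designed to withhold.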

Company, Site, and Warehouse Data-Level Security

LN supports multi-company, multi-site, and multi-warehouse environments where users should only see data relevant to their organizational scope. Data-level security is configured through Company Authorization (which companies a user can log into), Site Authorization (which manufacturing sites within a company are visible), and Warehouse Authorization (which inventory locations are accessible). These authorizations filter data automatically in every session and report—users never see records from unauthorized companies or sites.

  • Company authorization: navigate to User Company Authorization (ttaad2100m000); grant each user access to one or more companies; the 'Default Company' setting determines which company the user logs into automatically; users can switch companies from the LN toolbar without re-authentication
  • Site authorization: in User Site Authorization (ttaad2200m000), define which sites the user can access within each authorized company; site authorization filters production orders, inventory transactions, and capacity planning data; a user with sites 'PLANT-A' and 'PLANT-B' will never see data from 'PLANT-C'
  • Warehouse authorization: in User Warehouse Authorization (ttaad2300m000), restrict inventory visibility; a shipping clerk authorized for warehouse 'WH-SHIP' cannot view or transact in warehouse 'WH-RAW'; this prevents unauthorized inventory movements
  • Financial company authorization: for consolidated financial reporting, grant users access to the financial company (holding company) in addition to their operational companies; this enables cross-company financial reports without granting access to operational data in other companies
  • CRITICAL: test data-level security with a non-admin account; admin accounts (role ROLE-ADMIN) bypass all data-level authorization by default; create a test user with the same roles as a real user to validate that data filtering works correctly before go-live

Field-Level Security and Audit Logging

Field-level authorization controls visibility and editability of individual fields on session forms. This is used to protect sensitive data like cost prices, margins, employee salaries, and customer credit limits from users who need access to the session but should not see specific fields. Audit logging tracks every data change (who changed what, when, and from what value to what value) for compliance and forensic investigation. Both features are configured through the LN administration interface.

  • Configure field-level security: navigate to Field Authorization (ttaad3100m000); select the session and field; set the authorization level per role: Visible+Editable, Visible+Read-Only, or Hidden; for example, hide the 'Unit Cost' field on the Item Master for ROLE-SALES-REP while showing it for ROLE-PURCHASING
  • Sensitive field masking: for fields like customer credit card numbers or employee SSNs, use the LN field masking feature that displays partial values (****1234) for unauthorized roles while showing the full value for authorized roles; configure in Field Properties > Masking tab
  • Enable audit logging: navigate to Audit Configuration (ttaad5100m000); select the table and fields to audit; LN writes every change to the audit log table (tcaud001) with before-value, after-value, user, timestamp, and session name; audit logging has a ~5% performance overhead per audited table
  • Audit log retention: configure retention policy in System Parameters > Audit Settings; financial audit data should be retained for 7+ years for SOX compliance; operational audit data for 2-3 years; implement automated archival to move old audit records to an archive database
  • Compliance reporting: use the Audit Report session (ttaad5200m000) to generate compliance reports showing all changes to sensitive data within a date range; filter by user, table, or field for targeted investigation; export to PDF for external auditor submission
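Field authorization and the audit log can be checked against each other: an audited change to a protected field by a user whose roles do not make that field editable points to a configuration gap or a change made through another path. The following Python check is an added example, not Infor LN code and not part of the original guide. The record keys, session and field names, users and dates are constructed and do not reflect the real tcaud001 layout, and it assumes field levels combine across roles the same additive way as the role permissions described earlier.

```python
# Added example: cross-checks audit records against field authorization.
# Record keys, session/field names and users are constructed sample data;
# they are not the real tcaud001 column layout.
from datetime import datetime

RANK = {"Hidden": 0, "Visible+Read-Only": 1, "Visible+Editable": 2}

# (session, field) -> {role: level}, mirroring a Field Authorization setup
FIELD_AUTH = {
    ("item.master", "unit_cost"): {"ROLE-SALES-REP": "Hidden",
                                   "ROLE-PURCHASING": "Visible+Editable"},
}
USER_ROLES = {"asmith": ["ROLE-SALES-REP"],
              "bjones": ["ROLE-SALES-REP", "ROLE-PURCHASING"]}

AUDIT_ROWS = [  # constructed audit-log export
    {"user": "asmith", "session": "item.master", "field": "unit_cost",
     "before": "10.00", "after": "7.50", "ts": "2024-03-04T09:15:00"},
    {"user": "bjones", "session": "item.master", "field": "unit_cost",
     "before": "7.50", "after": "10.00", "ts": "2024-03-04T11:02:00"},
    {"user": "asmith", "session": "item.master", "field": "description",
     "before": "Bolt", "after": "Bolt M8", "ts": "2024-03-05T08:00:00"},
]


def field_level(user, session, field):
    """Most permissive configured level across the user's roles, or None."""
    per_role = FIELD_AUTH.get((session, field), {})
    levels = [per_role[r] for r in USER_ROLES.get(user, []) if r in per_role]
    if not levels:
        return None  # no field-level rule applies to this user and field
    return max(levels, key=RANK.__getitem__)


def unexpected_edits(rows, start, end):
    """Audited changes in [start, end) by users whose roles cannot edit the field."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = []
    for row in rows:
        ts = datetime.fromisoformat(row["ts"])
        level = field_level(row["user"], row["session"], row["field"])
        if lo <= ts < hi and level not in (None, "Visible+Editable"):
            hits.append((row["user"], row["field"], level, row["ts"]))
    return hits
```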
