Locking and Unlocking Lawson Environments for Maintenance and Testing

Please note that the following is NOT an official Lawson sanctioned or supported process. It manipulates the GEN database and should only be undertaken with full knowledge of the potential hazards, and only when a complete and tested backup of the GEN database is available should recovery be necessary.

Locking Users Out of an Environment

This process modifies the USER table in GEN. When Lawson Security is ON, a user can only access a Lawson program, whether from LID or WEB, if they have an entry in the USER table. We will remove all login IDs (and store them for recovery) except for those matching our list of approved users.

The first step is to create the Access Control List. It can be anywhere on the system; /tmp is always a good choice. The list must be in a single column, containing only user IDs.

Log in or su to root (the programs are executable only as root) and run /lawson/utils/la_lock_env.sh.

It will make sure that you are 'cv'ed into an environment and ask you to verify that this is the environment you wish to lock down. Next it will make sure the environment is running. It cannot manipulate a non-running environment.

It will ask you for the full path to your Access Control List. Type it in the format /complete/dir/path/filename.

It now dumps all the current users and their settings out for comparison to your ACL, then copies the USER and USER.i files to a backup in $LADBDIR/GEN with the current date appended, for example USER.i.08122002. That completed, it removes the original USER and USER.i files.

Next it stops and restarts Lawson, thus flushing the cached user data from memory.

Lastly it creates a new file in dump format containing all the login IDs from your Access Control List that previously had access to the environment, and creates a new USER table with just those users. It also reminds you to run la_unlock_env.sh to restore the previous users.
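
An added example, not part of the Lawson scripts or the original page: a pre-flight check an admin could run on the Access Control List before la_lock_env.sh, confirming the single-column format and showing who would keep or lose access. It assumes a hypothetical one-ID-per-line export of the current users (not the GEN dump format); the function names and sample IDs are constructed.

```shell
#!/bin/sh
# Added example; not part of la_lock_env.sh.
# Assumption: CURRENT is a plain one-ID-per-line list prepared by the admin,
# not the GEN dump format the Lawson script itself works with.

# validate_acl FILE: succeed only if FILE is one column of unique user IDs.
validate_acl() {
    [ -r "$1" ] || { echo "ACL not readable: $1" >&2; return 1; }
    [ -s "$1" ] || { echo "ACL is empty: nobody would keep access" >&2; return 1; }
    # NF != 1 catches blank and multi-column lines; $0 != $1 catches stray
    # leading/trailing whitespace; \r catches files saved with DOS line ends.
    bad=$(awk 'NF != 1 || $0 != $1 || /\r/ { print "line " NR }' "$1")
    [ -z "$bad" ] || { echo "ACL not single-column: $bad" >&2; return 1; }
    dup=$(sort "$1" | uniq -d)
    [ -z "$dup" ] || { echo "duplicate IDs: $dup" >&2; return 1; }
}

# acl_plan ACL CURRENT: print one line per ID:
#   keep <id>     in the ACL and currently has access (stays in USER)
#   lock <id>     currently has access, not in the ACL (removed until unlock)
#   unknown <id>  in the ACL but had no prior access (locking grants none)
acl_plan() {
    awk 'NR == FNR { acl[$1] = 1; next }
         { cur[$1] = 1; tag = ($1 in acl) ? "keep" : "lock"; print tag, $1 }
         END { for (id in acl) if (!(id in cur)) print "unknown", id }' "$1" "$2"
}

# Stand-alone run on constructed sample data.
demo() {
    d=$(mktemp -d) || return 1
    printf 'admin1\njsmith\nqa_lead\n' > "$d/acl"
    printf 'admin1\njsmith\nmbrown\ntlee\n' > "$d/current"
    validate_acl "$d/acl" && acl_plan "$d/acl" "$d/current"
    rm -rf "$d"
}
demo
```
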

Restoring Previous Access to a Locked Environment

Just like the process above, this program, /lawson/utils/la_unlock_env.sh, will detect that it is 'cv'ed into an environment and that the environment is running. It will remove the existing USER and USER.i tables (without backing them up), then stop and start Lawson to clear the cached memory.

All that is left is to import the original dumped data to activate all user accounts. That data was stored as user.envname.dmp, so the program can recognize it automatically. Note that any accounts added while in the "locked" state will no longer exist. It will also remove the original and "locked" dump files from the working directory.

Admins are advised to review the $LADBDIR/GEN contents occasionally and manually remove the USER table backups as they find it prudent.