Setting up the Security System

Chapter Topics
Introduction
Tracking the Actions of Employees
Restricting Access to the System
Activating Security
Creating Employees in the Employee Catalog
Creating Security Groups
Assigning Employees to Security Groups
Assigning Permissions to the Security Groups
How the Security Works
Deactivating Security

Introduction
There are two fundamental aspects to any good security system. The first one is keeping track of which users have access to the system, at what time, and to do which transactions. The second one is being able to restrict certain parts of the system to certain users. XpertMart covers both of these aspects. Security is configured exclusively at the Main and is synchronized out to the Remote stations. Security settings cannot be modified at the stores.


Tracking the Actions of Employees
The best inventory control system cannot prevent mistakes or fraud, but it can uncover these in a timely fashion and accurately identify those responsible. To do this, it is imperative that the system know at all times which user is operating the system. Therefore XpertMart requires a user to Login before he or she can make any kind of transaction. While you can launch XpertMart (assuming the security system has not yet been activated) and even browse the catalogs, XpertMart will not let you open a transactions screen until you have logged in. Therefore, before making your first transaction, you must create a minimum of one employee in the Employee Catalog, although obviously creating an entry for every employee in the company is highly recommended.

Any time a new document is created, XpertMart automatically records the date and time of its creation and the user who was logged on at that date and time. If questions should arise about a specific transaction, the document in question can be looked up and the employee responsible can be determined, so that management can take appropriate action. In the example below, Invoice #10000008 was created by Employee Number 123 on November 9, 2001. Note that the Audit Table records the time in addition to the date.


The security system built into XpertMart will only work as intended if complemented by management policies. Being able to accurately track the actions of employees depends on each employee having a unique and randomly generated (hard to guess) password and never sharing that password with other employees. Therefore strong penalties are recommended for employees found sharing their password and even stronger penalties for any employees using another employee's password.

Restricting Access to the System
There are 4 steps to setting up the Security System in XpertMart:

1.    Creating Employees
2.    Creating Security Groups
3.    Assigning Employees to Security Groups
4.    Assigning Permissions to the Security Groups


Activating Security
IMPORTANT NOTE: The security system becomes activated the moment you create your first security group. Once the security is activated there is no turning back, i.e. it cannot be deactivated. The security system is exclusive, meaning it does not let you access a module unless you have specifically been granted permission to do so. (By contrast, an inclusive security system assumes you have permission unless specifically denied.) Since XpertMart's security system is exclusive, it is very important to carefully assign the desired permissions to the security groups, because the default option is for each group to have NO PERMISSION.

Creating Employees in the Employee Catalog
The first step in setting up the security system is to add every employee in the company to the Employee Catalog. If you are not already familiar with the basic layout of a catalog, you should read the Catalogs topic before reading further.

There needs to be one entry in the Employee Catalog for every user who is going to be accessing the system. At a bare minimum, the record needs to have the Number, Password, Name and Last Name fields filled out so that the employee can do a Login to the system and be identified.


IMPORTANT NOTE: The Login window asks for the Employee Number and not what has been entered in the "Login" field. Therefore, you should either repeat the Employee Number in the Login field (4876 in the example above) or keep it blank.

Both the Employee Number and the Password can be alphanumeric entries with no limit to the number of characters. The information you enter in the password field is encrypted and you will see a string of asterisks displayed instead of what you entered. Note that there is no way to retrieve a password in XpertMart so be sure to keep an external record of your password if you think you might need it later.

The other fields in the Employee Catalog are optional and allow you to capture the employee's Tax Number (such as the Social Security number in the U.S.), address and telephone number, as well as a photo, which could be useful in large companies. There are no restrictions in the number or type of characters entered into these fields. There is an open Notes text area at the bottom of the catalog that can be used to capture information on an ongoing basis.

If you capture an employee's email address you can send an email to that employee directly from the Employee Catalog by pressing the email button on the toolbar. For more information, see the Email topic.

Creating Security Groups
Once you are done entering employees into the Employee Catalog you are ready to create Security Groups. A Security Group is used to assign the same permissions to employees with a similar role. For example, cashiers typically enjoy one level of access, while store managers usually have additional access. All employees in a Security Group have the same level of access and permissions. An employee can be added to or removed from a Security Group without affecting the permissions that the group enjoys. There is no limit to the number of Security Groups you can create.

Before you begin creating Security Groups, you should map out what groups you require and what permissions they will need. Think about the current departments in your organization and all the different employees to make sure you have all the relevant functions covered. Consider consolidating groups wherever you can to keep the number of groups manageable.

To create a security group, open the Configure Security Menu found in the Configure Menu in the Main Menu as shown below:


This will launch the XpertSecurityManager module:



In the Groups tab, type the name of the security group you wish to create in the Add New Group field and click the Add button on the right. Once you create a group it will automatically appear in the list below this field. In the example above, the user is adding the "Corporate" security group. All groups are listed in alphabetical order. (XpertMart does not come with any pre-created list of groups.)

To remove a group, simply select it from the list and click on the Remove button. Before you remove a group, you must make sure that there are no employees assigned to that group. If you try to remove a Security Group that still has employees assigned to it, you will see an error message like this one:


The error message displays the name of one employee (though there may be more) using the Security Group you are trying to eliminate. You must go to the Assign Employees tab and make sure no employees are assigned to the Security Group you wish to remove.


Assigning Employees to Security Groups
When you click on the Assign Employees tab (shown below) you will see a list of all employees on the left, and a list of all Security Groups available on the right. If you add a new employee, or create a new security group, while using the XpertSecurityManager you may need to click the Update view button for these lists to be refreshed.

 

To assign an employee to a security group, click on the employee from the list on the left and click on the group from the list on the right. The employee and group you selected will appear shaded in blue. If the selection is correct, click the assign button. The employee will disappear from the Employees list and appear at the bottom of the window along with the Group he or she belongs to now. In the example above, the user is about to assign Ellen Cuevas to the Marketing group. You can select multiple employees at once by holding down the control key.

When an employee has been assigned to a security group, he or she appears at the bottom of the screen, along with the security group he or she now belongs to. To unassign an employee from a security group, select the employee from the list appearing on the bottom of the window and click the unassign button. The employee will reappear in the Employees list in the left-hand side of the window. Again, exercise caution when unassigning an employee, as you are momentarily denying them access to the system until you reassign them to a new group. Making these changes during off-peak hours, when other users are out of the system, is highly recommended.

To change the group an employee belongs to, you must first Unassign the employee from their existing group. The employee will then be listed in the Employees list on the left-hand side of the screen and you are free to assign that employee to any new group.

Note that an employee can belong to only one Security Group. However, since there are no limits to the number of groups you can create, an employee can belong to a security group of his own when necessary. For example, if David Roberts needs to belong to both the Accounting and the Marketing Security Groups, you would need to create the “David Roberts” Security Group, which would have the same permissions as do both groups.


 
Assigning Permissions to the Security Groups
The final step is to assign permissions to the Security Groups you have created. To do this, click on the Assign Modules tab and you will see a drop-down menu of Security Groups on the left and a list of every module in the system on the right. At the bottom of the window are eight Permissions the Security Group can be granted or denied. The eight Permissions are explained below:

Can use: Members of the Security Group can enter the module and use all functions not specifically denied.

Can add: If the user is in a Catalog, he or she can add new records.

Can make global changes: Allows members of the Security Group to use the Replace Where tool to make mass changes in a Catalog.

Can see costs: Allows the user to see costs in any Catalog or report that might include costs.

Can edit: Allows the user to make modifications to Catalogs, configurations and processes.

Can delete: If the user is in a Catalog, he or she can delete existing records.

Can discount: Allows the user to make discounts when making transactions or when modifying prices.

Can run reports: Allows the user to run reports within the module being used. If the user is in a Catalog, he or she can use the reports button on the tool bar.

To begin, select a group from the Groups drop-down menu and you will see the list of Modules on the right side of the window become active. Select a module and choose those permissions you wish to grant within that module by clicking on the checkbox next to each of the eight permissions. Those Permissions you do not select will be denied to the members of the Security Group. When you are finished, click the Apply button. As you work on the different Modules, you can click the Apply button as many times as you want as a way of "saving" the permissions you have assigned so far.

In the example below, the user has selected the Store Manager group and is assigning Permissions in the Transactions: Sales module. The Store Manager group will have permission to use the Sales module, as well as: add, make global changes, delete, discount and run reports in the Sales module. The Store Manager group will not have permission to see costs or edit when using the Sales module.
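
The exclusive (deny unless granted) behaviour, the one-group-per-employee rule and the merged "David Roberts" group described above can be modelled as follows. This is an added illustration, not XpertMart's own code: the class and function names are hypothetical, employee number 123 is used as sample data, and the model assumes that no other permission applies without Can use.

```python
from enum import Flag, auto

class Perm(Flag):  # the eight per-module permissions listed above
    USE = auto()
    ADD = auto()
    GLOBAL_CHANGES = auto()
    SEE_COSTS = auto()
    EDIT = auto()
    DELETE = auto()
    DISCOUNT = auto()
    RUN_REPORTS = auto()

class SecurityModel:  # hypothetical model of the exclusive scheme
    def __init__(self):
        self.grants = {}   # group -> {module -> Perm}
        self.member = {}   # employee number -> its single group

    def add_group(self, group):
        self.grants[group] = {}      # a new group starts with NO PERMISSION

    def grant(self, group, module, perms):
        self.grants[group][module] = perms

    def assign(self, employee, group):
        if employee in self.member:  # only one group per employee
            raise ValueError("unassign from the current group first")
        self.member[employee] = group

    def merged_group(self, name, *groups):
        """Personal group holding the union of several groups' grants."""
        self.add_group(name)
        for g in groups:
            for module, perms in self.grants[g].items():
                old = self.grants[name].get(module, Perm(0))
                self.grants[name][module] = old | perms

    def allowed(self, employee, module, perm):
        granted = self.grants.get(self.member.get(employee), {}).get(module, Perm(0))
        # Assumption: without "Can use" on the module nothing else applies.
        return (Perm.USE | perm) in granted

def store_manager_example():
    # Grants from the Store Manager / Transactions: Sales example in the text.
    m = SecurityModel()
    m.add_group("Store Manager")
    m.grant("Store Manager", "Transactions: Sales", Perm.USE | Perm.ADD
            | Perm.GLOBAL_CHANGES | Perm.DELETE | Perm.DISCOUNT | Perm.RUN_REPORTS)
    m.assign("123", "Store Manager")
    return m
```

A module that was never granted, or an employee with no group, falls through to the empty permission set, which is the NO PERMISSION default the Activating Security note warns about.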


There are over 160 modules listed in the XpertSecurityManager, which can make assigning permissions a long process. However, you can select more than one module at a time as shown below by holding down the <Ctrl> key while you click on the module, or you can select an entire block of modules (for example, all Transactions), by holding down the <Shift> key. You can use the Select All button at the bottom of the screen to quickly assign all eight permissions at once.


For those Security Groups that will have access to the entire system such as MIS and General Managers, you can select every module at once holding down the <Shift> key and click on the Select All button to very quickly give them full access. For other Security Groups with a very limited role, such as Cashiers, you only need to concentrate on the handful of modules they will be using such as Transactions, Documents and Reports and not worry about the other modules.

In spite of these time savers, setting up a robust security system is a time-consuming process. However, it is worth the initial investment to carefully map out the permissions the different Security Groups will be needing. Once the security system is up and running, it will require little maintenance, namely adding and removing employees as the situation arises.


How the Security Works
Once the security system has been activated, all users will have to Login to be able to use the system. When a user enters an incorrect password when logging in, XpertMart will not give an error message. However, if the user then tries to access any module they will see the same error message you see when a user does not have permission to access the module:


Every time the Login window is opened it erases the security access the prior user enjoyed, even if nothing is entered in the Employee Number and Password fields and the Login window is closed. If the store manager wanted to make sure the cashier would not be able to use the system under his security clearance, all he would have to do is launch the Login window once and access would once again be restricted. So in a sense launching the Login window functions as an "off switch" of the current user.

If a user has permission to use a module but does not have other permissions, the graphical user interface (GUI) will change to reflect those restrictions. Take the Items Catalog as an example. A user with every permission activated would see the Items Catalog as follows:


However, if a user did not have permission to see costs nor to use reports, then the Items Catalog would look as follows:


Notice that only the List Price field appears; the Order Cost, Inventory Cost, Margin and % Margin fields do not appear as they would reveal the cost. The reports button on the tool bar appears grayed-out since the user does not have permission to run reports.

Deactivating Security
There is no easy way to deactivate the security system if you forget your password or accidentally unassign yourself permissions. If you have "locked the keys in the car" so to speak, the best thing you can do is borrow somebody else's password (in fact, it makes sense to set up a pair of dummy employees for exactly this purpose) and either enter the Employee Catalog to change your own password or enter the XpertSecurityManager to assign yourself new permissions as the case may be.

If it is impossible to recover anybody's password that would allow you to enter the XpertSecurityManager, then there is an extreme measure that you can take, but it requires deleting the entire Employee Catalog and the Security Groups you've created. This action is irreversible and you will have to begin from scratch when you set up the security system again. Obviously, this action should be your last resort.

To delete the security system, you need to enter IB Console and go to the Interactive SQL screen. In the SQL screen, you need to enter the following SQL statements:
    "drop table employees"
    "drop table groups"
    "drop table xsecurity"

When you are done, press the execute button:


When you reenter XpertMart the Employees Catalog will be blank and you will not be able to do a transaction until you create an employee.

If you are worried about somebody being able to use the IB Console "back door" to eliminate your security, you can periodically change the password for the user you set up in InterBase. To do this, go to User Security under the Server menu (shown below) and enter the new password.



Copyright © 2002 XpertMart
