SPS Security Utility
The SPS Security utility allows for the management of all the users who will have access to the applications found in the SPS. All users must be organized into groups. Creating groups is important and convenient for at least three reasons. First, groups provide a method to classify users into categories, much like employees are classified into various company departments. In fact, it would be convenient to name SPS groups along the same lines as the company’s organizational chart. For example, groups may be named “Sales and Marketing”, “Developers”, or “Technical Support”. Second, users assigned to a group may inherit certain characteristics from their parent group, including the data ownership principles of the SPS. Finally, certain users may be given the ability to create sub-groups, and users within those groups, through the use of the Security utility. In this manner, the user serves as a sort of “administrator” of all who belong to his group or any groups below his level. Any users created by this “administrator” may only have application permissions UP TO the level of the parent group. Each individual user can then be modified to have fewer permissions than the group, but can ONLY be given greater powers by users of groups who have that power to give.
One added benefit of utilizing groups to classify users is the ability to define attributes to groups using the Attribute Editor program for Groups. In this manner, additional information may be designated to allow better organization and reporting of users on a system. For example, a group’s supervisor or cost-center may be listed as an attribute so that reports can be filtered on this data.
Choose “Groups” from the combo-box found in the upper-left corner of the Security utility to receive the application necessary to modify groups. Choose New to create a new group under the highlighted group (if no groups exist, only the name of your company will appear in the tree). Remember that the highlighted group becomes the parent group and thus will have the ability to give to the new group only those powers that have been defined to it.
Provide a Name for your new group and then allow access to any desired applications listed under the “Permissions” tab. Establishing application permissions for a group (and users as shown below) requires checking the check box next to each application and service listed in the Permissions tab. The group may have various levels of access to each application. If the application allows for multiple levels of permissions, you can check the check box next to each sub-level (service) after checking the application. For example, you may want a group to have the ability to view contact information about the customers in your database, but not be able to add, edit or delete those customers.
You can check all of the categories, along with any sub-categories, using the “Check All” button, but beware that this may provide the user with unlimited access to the system (based on your ability to give the power). You should use “Check All” to quickly select all items, then uncheck those items for which you do not wish to grant access. You can uncheck all categories by choosing the “Clear All” button.
Once you have saved your changes, your group now appears in the group tree under the parent that was chosen.
You may view and edit the group by choosing the group from the group tree and then clicking the Open button. You will receive the same screens that were used to add the group with the addition of any saved information. After making any changes, choose Save to write the data to the system.
You may delete a group by choosing the group from the group tree and then clicking the Delete button. If a group has any users assigned to it, you may NOT delete the group until you have either (1) deleted the users of that group or (2) assigned a different group to the user by using the “Group” tab of the User’s application (see discussion below).
The Inherit button causes the highlighted group from the group tree to be configured with the same “type” ownership as its parent group. Types represent system-wide definitions such as “Customers” or “Employees”. By inheriting type ownership, a group can have access to much of the same information as its parent. See the section titled “Type Definitions” for more information.
All SPS groups have certain built-in attributes pertaining to the maintenance task of password management. Specifically, the required minimum length of user passwords and the expiration periods of passwords provide an administrator the ability to ensure that only authorized users access the SPS. By default, these password attributes are turned on and can be found in the Attributes tab of the Security utility for Groups. Attributes for Groups can be modified from the Attribute Editor – Groups application found in the SPS Main Menu under the Users tab. As discussed above, additional useful attributes that can be defined for groups may include “Department Supervisor” or “Cost center”. See the SPS Attributes™ section of this manual for more information on creating new attributes or modifying existing attributes found in the Attributes tab of the Security utility.
SPS provides the ability to designate on a group-by-group basis the specific contact category that is displayed upon access to the SPS Contact Manager application. If no category has been selected, then the first contact category listed in the contact category selection combo box of the Contact Manager is displayed. For example, for ease of use, you may wish for users of the group “Human Resources” to access the “Employees” contact category upon accessing the Contact Manager.
To choose a contact category, click the “people” icon at the right-hand corner of the “Preferred contact category” section of the Group editing screen. You will receive a category selection dialog. Choose the appropriate category to complete the selection.
Once a group has been established, you may add users to that group by selecting the group from the group tree and choosing the “Users” combo box option. You will receive the application necessary to modify users of that group.
The process of modifying users resembles that of modifying groups. You must provide a name for your user, remembering that the best user names are generally written in all lower-case letters without symbols. Do not include spaces in your user names, as this name will also be the email address for your user and the Internet mail system does not accommodate spaces. You may use an underscore (“_”) or period to separate first and last names. For example, you may create a user named “joethomas” or “joe.thomas” or “joe_thomas”.
The user permission scheme found in the “Permissions” tab will contain all of the checked items that their parent group has checked. The key difference between group and user permissions is the ability of a user to have MORE or LESS access to applications than their parent group. Of course, if a user is to have more permissions than their parent group, the user that is granting that power must possess the power – typically, this is the admin user performing this function.
Once the user has been added to the system, the user name will appear under the parent group in the user tree.
You may edit a user by double clicking the user from the user tree or by choosing the user and clicking the Open button. You will receive the same application used to add the user with the addition of any saved information. In addition to being able to modify the user name and permissions, you can manage the user’s password (see discussion below) or re-assign the user to a different group from the “Group” tab. Simply choose the new group for the user and save your changes.
You may also delete a user by choosing the Delete button. Deleting a user does not remove any history of the user (such as emails sent and received). If a user does not need to be permanently deleted from the system, you may consider simply making the user password “Invalid” in the “Password” tab (see discussion below).
SPS system users may also be linked to contacts found in the SPS Contact Manager application. This feature makes it possible to give contacts such as customers a permission-controlled login into the system in order to perform such tasks as creating trouble tickets or running an account report.
To link a user with a contact, simply click on the “people” button next to the “Related contact” field. You will receive a contact selection popup. Choose the appropriate contact to complete the “Related contact” field.
As noted in the User Login section of this manual, the user’s initial password will be the lower-case word “password”. The user has a limited amount of time to change his password to something other than the word “password”. This time period is established by the system administrator in the Attribute Editor – Groups application.
Besides the ability to modify given user permissions, you may also control user access to the system through access control of the user’s password. If you wish to invalidate or reset a user’s password, choose the user from the user tree and click Edit. Next, choose the “Password” tab and set the radio button option to the desired action. Use “Reset” if a user forgets his password and you wish to force him to re-establish the password by using the word “password”. The “Invalid” choice temporarily inactivates a user, as would be the case if the user were to be on vacation. Once the user is to become active again, you must force a password reset, as the previous password cannot be reactivated.
Each user may also be assigned up to five email aliases from within the Password tab. An email alias represents an email address that is to correlate to the user’s SPS email address (essentially the user name @ the company domain). For example, the user “joe.thomas” in our above example will have the SPS email address of joe.thomas, but may also have an email account set up under the name jthomas. If the user wishes to receive all of his email through the SPS Mail Server, then an alias will need to be set up in order to cross-reference the external email address to the correct SPS user. See the “Email Console” section of this manual for more information.
Once a user has been added to a group, the user may be re-assigned to a different group through the Group tab, but only to those groups that the user performing the assignment has the ability to assign. For example, while the system administrator (the “admin” user) can assign users to any group in the system, a user that belongs to the Finance sub-group and has edit privileges in the Security utility can only assign users to the Finance group or any group that falls under the ownership of the Finance group.
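The delegation rules described above (a group's permissions are capped by its parent, a user can be raised above the group level only by someone who holds that power, and reassignment is limited to the actor's own group and the groups below it), modelled in Python as an added example. This is not SPS code; the permission names, the `security.edit` flag and the placement of the admin user in the root company group are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Group:
    name: str
    parent: "Group | None" = None
    permissions: set = field(default_factory=set)

    def is_under(self, other):
        """True if this group is `other` or sits below it in the group tree."""
        node = self
        while node is not None and node is not other:
            node = node.parent
        return node is other

@dataclass(eq=False)
class User:
    name: str
    group: Group
    permissions: set = field(default_factory=set)

def require(actor, group, extra_ok=True):
    # Assumption: "security.edit" models edit privileges in the Security utility.
    if not ("security.edit" in actor.permissions and group.is_under(actor.group) and extra_ok):
        raise PermissionError(f"{actor.name} lacks the power for this change in {group.name}")

def create_group(actor, name, parent, requested):
    """A new group may hold permissions only up to the level of its parent."""
    require(actor, parent, set(requested) <= parent.permissions)
    return Group(name, parent, set(requested))

def create_user(actor, name, group):
    """A new user starts with every item its parent group has checked."""
    require(actor, group)
    return User(name, group, set(group.permissions))

def grant(actor, target, permission):
    """A user may exceed the group level only if the granter holds that power."""
    require(actor, target.group, permission in actor.permissions)
    target.permissions.add(permission)

def reassign(actor, target, new_group):
    """Reassignment is limited to the actor's own group and the groups below it."""
    require(actor, new_group)
    target.group = new_group

# Constructed sample tree: Company (root, holds the admin user) > Finance.
ALL = {"security.edit", "contacts.view", "contacts.edit"}
admin = User("admin", Group("Company", None, set(ALL)), set(ALL))
finance = create_group(admin, "Finance", admin.group, {"security.edit", "contacts.view"})
```

A user created in Finance from this tree can add and reassign users within Finance and its sub-groups, while a `reassign` to a sibling group or a `grant` of `contacts.edit` by that user raises `PermissionError`.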
© 2003 – Root Systems LLC – http://www.idcs.info/