User Access Rights

This Help File Page was issued on 09/30/2017


The User Access Rights Form allows the System Administrator to assign individual rights, on a User by User basis, to specifically selected Data Entry and Look Up Forms, each with its own Form Name, as well as to define (in some cases) Field by Field Access Rights.

These Forms Based Access Rights (CRUDA) are Create, Read, Update, Delete, and Audit.

If entries are to be tracked by the Internal Auditing System's Audit Report, be sure to Check the Audit box (mandatory when complying with the Third Edition UL® 1981 Standard).

A User attempting to exceed their granted User Access Rights on any Form will see a message similar to the one illustrated below explaining the reason for the denial.

 


Insufficient security rights to edit a record

 

UL® Requirements: As part of properly implementing the Third Edition UL® 1981 Standard, specifically for compliance with section 6.2 Sign-on Security and 6.3 (1-7) Five Security Levels of the Third Edition UL® 1981 Standard:

6.2.1 - The Employee's Password (i.e., Passcode) shall consist of the following:

a) A Username of at least six (6) characters

b) A Password which shall consist of a minimum of six alpha-numeric characters with at least one alpha and one numeric character

6.2.3 - Any modification made to the database shall be logged with a unique personal identification (Employee ID) belonging to the person performing the modification.

i. To comply with 6.2.3 of the Third Edition UL® 1981 Standard, the Audit box must always be Checked for All Form Names when User Access Rights are assigned to any Employee or Employee Group.

ii. Users cannot turn auditing off when the UL® Version is Registered (i.e., Active).

iii. In the User Access Rights and the Employee Groups Forms, when the UL® Version is Active, the Audit option box will always be Checked on all Form Names.

iv. No User will be able to remove that Check Mark.

6.2.6 - The automation system shall prevent:

a) Repeated passwords, used within the last six changes;

b) Passwords that are a derivative of the user name(s); and

[e.g., Password cannot contain 50% of a Username so a User "Stacy" cannot have a Password of "STA3841"]

c) Passwords that are simply letters or numbers in order (e.g.: abcd, 1234, etc.).

[e.g., any type of sequence is prohibited such as 'ab', '34', '89', 'xy']

6.3 (1-7) - A minimum of Five Security Levels must be defined and the appropriate one assigned to each specific Employee based on that Employee's Need for Access.
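
A sketch of how the 6.2.1 and 6.2.6 password rules quoted above could be enforced at a password change, added here as an example and not MKMS code. The 50% substring reading of the "derivative" rule, the ascending-pair reading of the sequence rule, the PBKDF2 history store and all function names are assumptions.

```python
import hashlib, hmac, math, os

HISTORY_DEPTH = 6  # 6.2.6 a): no reuse within the last six changes

def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so the history never holds clear text (assumed storage)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def is_derivative(username, password):
    """6.2.6 b), as read here: a run of >= 50% of the username appears in the password."""
    u, p = username.lower(), password.lower()
    n = math.ceil(len(u) / 2)
    return n > 0 and any(u[i:i + n] in p for i in range(len(u) - n + 1))

def has_sequence(password):
    """6.2.6 c): two adjacent letters or digits in ascending order ('ab', '34')."""
    p = password.lower()
    return any(
        ord(b) - ord(a) == 1
        and ((a.isalpha() and b.isalpha()) or (a.isdigit() and b.isdigit()))
        for a, b in zip(p, p[1:])
    )

def check_new_password(username, password, history):
    """Return the violated rules; an empty list means the change is acceptable.

    `history` is a list of (salt, digest) pairs, oldest first.
    """
    violations = []
    if len(username) < 6:                                   # 6.2.1 a)
        violations.append("username-length")
    if (sum(c.isalnum() for c in password) < 6              # 6.2.1 b)
            or not any(c.isalpha() for c in password)
            or not any(c.isdigit() for c in password)):
        violations.append("password-composition")
    if any(hmac.compare_digest(hash_password(password, salt)[1], digest)
           for salt, digest in history[-HISTORY_DEPTH:]):   # 6.2.6 a)
        violations.append("reused")
    if is_derivative(username, password):                   # 6.2.6 b)
        violations.append("derivative")
    if has_sequence(password):                              # 6.2.6 c)
        violations.append("sequence")
    return violations
```

The page's own "Stacy" / "STA3841" case fails on more than the derivative rule: the Username is under six characters and "ST" is itself an ordered pair.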

 

Audit - Setting the Audit Access Rights for Form Names - Access Rights that are established using the User Access Rights, and/or the Employee Groups, and/or the Security tab on the Employee Forms for assigning Access Rights to Forms, must Check (turn on) the Audit Access Right for all Form Names which have access granted to any Employee using those User Access Rights, and/or the Employee Groups, and/or the Security tab on the Employee Forms.

This will occur automatically when the UL® Version is active.

Specific Audit Reports are used to comply with 6.2.3 (relating to Tracking User Changes) of the Third Edition UL® 1981 Standard (i.e., Any modification made to the database shall be logged with a unique personal identification (Employee ID) belonging to the person performing the modification).

 

Normally, Employees (Users) are assigned to an Employee Group, which gives those Employees access to the Set of Forms, and the specified Access Rights for those Forms, that have been granted to that Employee Group (see the Form Names, Employee Groups and Information Processing Forms chapters for more information about Forms).

The granted Form Names and associated Access Rights should be based on what needs to be accomplished by (i.e., the tasks typically assigned to) that Employee Group.

 

Sometimes a specific Employee needs additional (or fewer) Access Rights than those established in the Employee Group to which they've been assigned.

To accommodate this situation, the User Access Rights Form provides the means to individually grant Access Rights, and/or further limit or remove Access Rights, to specifically selected Form Names, and/or Fields within those Forms.

In the example illustrated below, we have a set of Forms and Access Rights for an individual who needs to create Invoices for Sales, Post Receipts and Allocate those Receipts to specific Invoices.

The Accounting Information Form in the example shown below has a list of Field Names that may be selectively granted or denied by Checking or Un-Checking those individual Access Rights.

 


User Access Rights Form - Accommodating various Invoice entry, Receipt Posting and Allocation responsibilities

 

To assign User Access Rights to specific Form Names,

a. Access the Backstage Menu System and Select the Security Menu which will display the General option, then Click User Access Rights.

b. Access the Quick Access Menu System and Select the Security Menu which will display the General option, then Click User Access Rights.

 

These User Access Rights entries are intended to supplement and/or reduce existing Access Rights to Form Names which have been granted to the Employee as a result of being a Member of an Employee Group.

If the Employee has been assigned to an Employee Group on the Security tab of the Employee Form, and if the Access Rights granted to that Employee Group are sufficient for that Employee, no additional entry needs to be made here, for that Employee.

The User Access Rights assigned here are intended to supplement and/or reduce existing Access Rights to Form Names which have previously been granted to an Employee as a result of being a Member of an Employee Group.

 

There are three sections on this User Access Rights Form:

1. Available Forms - Lists all Available Form Names, for Forms, Procedures and Reports within the MKMS and MKMSCS applications.

2. Assigned Forms - Lists all Form Names for Forms, Procedures and Reports that have User Access Rights specifically and individually Assigned to the selected Employee.

The Assigned Forms on the User Access Rights Form override any Access Rights assigned to this Employee as a result of being a Member of an Employee Group.

3. Field List - Many of the Form Names listed in the Assigned Forms section have individual Field Names to which Access Rights may be specifically Granted or Denied.

By default, when Field Names are listed, each will be Checked indicating that Access Rights are Granted.

By removing the Check, Access Rights to that Field Name are Denied.

 

Why Assign User Access Rights - Customize the Forms - and in some cases the Field Names - that an Employee is permitted to access, and specify the Access Rights to be granted when viewing those Forms:

CRUDA - Assigning Access Rights sets the User's ability to Create, Read, Update, Delete, and/or Audit (i.e., C.R.U.D.A.) information on any data entry Form that accesses and/or reports information in the database.

Form Names - A Form is any screen within the program that allows for data entry, look-up, retrieval or reporting.

 


User Access Rights Form - Available Forms, Assigned Forms, and Field List sections

 

Understanding the User Access Rights Form:

Employee - Using the Drop-Down Selection List provided, Select the Employee for whom you will be adding (or deleting) Access Rights.

Available Forms Column - Set the User Access Rights, Choose the Form(s), and transfer them to the Assigned Forms list:

Check the box(es) that represent the Access Rights that are to be assigned to the selected Employee for the selected Forms.

As noted earlier in this chapter, to comply with Section 6.2.3 - Track User Changes of the Third Edition UL® 1981 Standard [i.e., Any modification made to the database shall be logged with a unique personal identification (Employee ID) belonging to the person performing the modification]:

a) Users are not allowed to turn auditing off when the UL® 1981 Version is Registered (i.e., Active).

b) In the Employee Groups Form, when the UL® 1981 Version is Active, the Audit option box will be Checked on all Form IDs.

c) No User will be able to remove the Audit Check Mark.

 

Check the box(es) for the desired Forms.

Click the Right Arrow (in the vertical column separating Available Forms from Assigned Forms columns) to move the Checked Forms to the Assigned Forms column.

To move all of the Forms to the Assigned Forms column, Click the Double Right Arrows >> (something that will rarely be done here).

 

Assigned Forms Column - Review what was transferred and, if appropriate, Remove the Check Mark from those Access Rights (as may be necessary) to fine-tune the Access Rights assignments.

You may also individually Select any of the Assigned Forms:

Click the Left Arrow (in the vertical column separating Available Forms from Assigned Forms columns) to remove it - and its related Access Rights - from the Assigned Forms column.

Click the Double Left Arrows to remove all the Assigned Forms - and their related Access Rights - from the Assigned Forms column.

 

Field List - Some Forms have a specific list of Fields within that Form to which access may be granted, and/or from which access may be taken away.

When an Available Form is added to the Assigned Forms section, and that Form has a list of individual Fields - access to which may be granted or taken away - that list of Field Names will be displayed in the Field List section.

 


Assigned Forms, and Field List sections

 

By default, All Field Names will be Checked.

To deny the selected User access to a specific Field, remove the Check Mark from that Field Name.

 

Users cannot turn auditing off when the UL® Version is Registered (i.e., Active).

In the User Access Rights Form, when the UL® Version is Active, the Audit option box will always be Checked on all Form Names.

No User will be able to remove that Check Mark.

 

Denying Access Rights - Identify any Forms to which the Employee's Access Rights should be restricted or denied as compared to what was granted by being a Member of an Employee Group.

If the Employee has been assigned to an Employee Group on the Security tab of the Employee Form, and if those Access Rights granted to that Employee Group are greater than that Employee actually requires (e.g., they should be restricted from accessing one or more Forms and/or Fields):

a) Using the Drop-Down Selection List provided, Select the Employee for whom you want to Deny certain or all Access Rights to one or more Forms.

b) In the Available Forms column, Locate and Check the Form(s) to which Access is (or selected Access Rights are) to be Denied.

 

However, when Access to a Form is to be completely Denied:

Check the Access Right of A (Audit), because at least one Access Right must be Checked to move this Form to the Assigned Forms column; all other Access Rights should have the Check Marks removed.

Ensure that you have Chosen only those Form(s) for which Access is to be completely Denied.

Click the Right Arrow to move the selected Form(s) to the Assigned Forms column.

When the UL® 1981 Version is Active, you cannot Un-Check the A (Auditable) box.

Click the Save icon on the Navigation Menu to record the change.

This procedure will completely Deny Access by this Employee to the selected Form(s).

This is because the User Access Rights Form's assignments supersede the Employee Groups Form's assignments of Access Rights, so the selected Form(s) will now be inaccessible to that Employee.

 

When specific Access Rights assigned in the Employee Group are to be Denied, but other assigned Access Rights are to be permitted:

Check only the Access Rights that are to be permitted.

Ensure that you have Checked the correct Form(s) in the Assigned Forms column.

When the UL® 1981 Version is Active, you cannot Un-Check the A (Auditable) box.

Click the Right Arrow to move the selected Form(s) to the Assigned Forms column.

Click the Save icon on the Navigation Menu to record the change.

This procedure will only Deny Access by this Employee for the Un-Checked Access Rights.

This is because the User Access Rights Form's assignments supersede the Employee Groups Form's assignments of Access Rights.

Therefore, the selected Form(s) will only allow the Employee those Access Rights assigned here, rather than what was assigned in their Employee Group.

 

HelpFilesUserAccessRightsAuditOnly

 

Another example (shown in the illustration above):

The Employee originally did have the Access Rights to the Place Accounts on Test Form through their assignment to an Administrative Employee Group with that access, but it was decided they did not need it.

That Form was located in the Assigned Forms column and all Checked Access Rights were removed (except Audit).

Then, Click the Save icon on the Navigation Menu to record this change.

The Employee is now completely blocked from accessing that Place Accounts on Test Form.
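
The override behaviour described above, modelled as an added example (not MKMS code): a row in Assigned Forms replaces the Employee Group's Access Rights for that Form rather than merging with them, and an Audit-only row therefore denies the Form. The data model, function names and the "Credit Limit" Field Name are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Override:
    """One Assigned Forms row: the rights Checked and any Field Names Un-Checked."""
    rights: set
    denied_fields: set = field(default_factory=set)

def effective_rights(form, group_rights, overrides, ul_active):
    """Rights on `form`; an Assigned Forms row replaces the group's rights outright."""
    if form in overrides:
        rights = set(overrides[form].rights)
    else:
        rights = set(group_rights.get(form, ()))
    if ul_active and rights:
        rights.add("A")  # Audit stays Checked while the UL version is Active
    return rights

def is_allowed(action, form, group_rights, overrides, ul_active, field_name=None):
    """True if `action` (C, R, U or D) is permitted on the Form, or on one Field of it."""
    if action not in effective_rights(form, group_rights, overrides, ul_active):
        return False
    row = overrides.get(form)
    return not (row is not None and field_name in row.denied_fields)

# Constructed sample data; "Credit Limit" is a hypothetical Field Name.
GROUP = {"Place Accounts on Test": set("CRUDA"), "Invoices": set("CRUA")}
USER = {
    "Place Accounts on Test": Override({"A"}),  # Audit only: Form fully denied
    "Accounting Information": Override(set("RU"), {"Credit Limit"}),
}

if __name__ == "__main__":
    for form in ("Place Accounts on Test", "Invoices", "Accounting Information"):
        print(form, sorted(effective_rights(form, GROUP, USER, ul_active=True)))
```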

 

06/24/2018