Difference between revisions of "Introduction to opentaps Security Controls"

General Security Controls

Because opentaps is intended for business operations management and teamwork coordination within the enterprise, it is essential that the system be very secure and reliable. In the opentaps system security is controlled at several levels, including these:

• Access by users to the system is controlled by a unique ID and password for every user, which should never be shared.

• Access for users to act within business processes is controlled by permissions assigned for each functional step throughout the system.

• Security groups are used to gather permissions commonly used together so that these can be assigned to people as needed.

• The steps within each transaction are recorded to the database only when completed successfully. If errors occur the steps are not recorded. Errors are reported to the Users immediately.

• The database into which all system activity and data are recorded is made secure and accessible only by the specific opentaps system belonging to your company (the “internal organization” you define during configuration).

• The system facilitates recording a database backup that is can be restored to any system with a working copy of the computing environment software.

• The system implements transmissions of all system transactions and data using encryption before exposure to the internet when so configured.

• Physical security and access control should be practiced at the location of the physical system operations center, at the discretion of the owners.

• Owners and administrators must practice good management of the Users and their computers, IDs, passwords, and the access and authority permitted to the opentaps system. (opentaps stores no enterprise data on the User’s computer.)

Process Access-Controls

Because the opentaps system is concerned with executing and recording the enterprise business processes and associated transactions, access to the process execution is controlled by “security groups” having specific “permissions” for each process subsection. This provides fine grained access control to the processes for those people who are assigned to use them.

Security (Control) Groups

To make management of permissions easier, the process permissions are grouped into job related subsets and named for easy reference. These groupings are called Security Groups. Security Groups can be assigned in the Party Manager User Profile. They can also be edited, and created to suite business needs.

The User Login is linked to the relevant security groups. When the User Login is granted only the Security Groups required for that person’s job and the roles they play in the company’s business processes then the security exposures are minimized. When the User is ready to login to the system they will only be presented with access to the authorized areas of the system.

For example, if the User is an order processing person who works with purchase orders only, they will need the Security Group called ORDERPURCH. To see permissions included in this group look at Party Manager – Security – ORDERPURCH—Permissions which displays the 15 permissions for this group.

In addition to this security scheme, opentaps CRM implements a security group for each team working together on an account. That is, each assigned team role in CRM also assigns a specific team security group as well which applies to all of the team members. The team member’s permissions consist of the personal permissions plus the team role permissions.

Example, Using Security Groups

The opentaps CRM system has several Security (permission) Groups defined. As usual, each Security Group points to a list of security Permissions which allow specific operations by assigned Users.

These are recommend uses of the CRM standard Security Groups:

1. Use SALES_MANAGER for a full set of manager permissions
2. Use SALES_REP for a full set of account team member permissions
3. Use SALES_REP_LIMITED, SALES_REP_TRAINEE, and CSR for limited permissions for team members
when they are supporting team members but not assigned to any particular account.

Managing "admin" User Logins

By default, an opentaps administrative person has several user login names, including “admin”, “flexadmin”, “ltdadmin”, “1”, and “2”. User logins “admin”, “flexadmin”, and “ltdadmin” are by default configured with password “ofbiz”. User logins “1” and “2” are for use with the Point Of Sales terminal and are by default configured with passwords “1” and “2”.

These user logins and passwords are loaded during installation to allow for initial access, and they must be managed during initial configuration for security.

To secure your system for production, the opentaps administrator will (using the Party Manager) disable the admin logins that aren’t needed and change the password of the ones that you do intend to use.

The “system” user is special

The User ID called “system” is a special one used for automated system functions, and it should not be modified or used by anyone for another purpose. Never login with this ID or edit its information.