Initial Configuration
In order to configure BusinessPlus security, a BusinessPlus user with full permissions must be available. This is necessary because the roles which control BusinessPlus security also control access to the security configuration tools. To resolve this situation during the initial installation and configuration phase, a BSI user has been included that is loaded when the BusinessPlus database is installed. The BSI user should be used for initial security configuration.
To perform these initial configuration steps, run the Administrative Console. Select the connection that was created during the install process and log in. The BSI user is recommended for this initial configuration, although this is not a requirement. The first time the Administrative Console is run, the following "Initial Setup Mode" prompt will appear:
Click OK to continue to the main console screen.
Initially, no security objects are defined, so all users effectively have no security access. To remedy this, the initial setup mode will bypass the security requirements and allow the security objects to be installed.
In the initial setup mode, the Manage Security Structure plugin will automatically start, presenting the following screen:
No security objects exist at this point. To install the security objects, click the "Rebuild" button in the bottom right corner of the screen. The default check boxes should be selected (Base structures, Menu choices, Table list, Remove obsolete functions).
The rebuild operations may take several minutes. After this, the security structure tree will reload and the current BusinessPlus user will be granted permissions to a FULL access role. This will allow the user to perform additional configuration steps as needed, including the creation of users and the management of security roles for those users.
Once the security objects are installed, close the Administrative Console for the changes to take effect. Upon exit, a "Resetting Security" dialog will appear. This process attempts to contact the Web server. If the Web server is not running at this point, there will be a 30-second delay while the console tries to locate it. This delay is expected and harmless.
The next time the Administrative Console is accessed, additional administrative plugins will appear in the Options panel. The user who performed the initialization steps will have been granted a FULL security role which initially grants full access to all BusinessPlus functions and data. Additional security roles and restrictions may be defined in the Manage Security Roles plugin.
Column Level Security
Column Level security is designed to allow restrictions on individual fields on BusinessPlus pages. First choose which columns on each table will be controlled by security (by default, none are selected). Within each Role, the column can then be restricted by Execute, Read, Write, Delete or Update access. The default setting is Derived, meaning the column inherits its security from its table. When Read access is revoked, the corresponding field on the BusinessPlus page is greyed out, and when the user attempts to update or delete a record they receive the following message: "You do not have security to update this record (Table and Field Name) (SY21)." When Write access is revoked, the field is disabled in Add mode. Revoking Update access disables the field in Update mode. Any combination of Read, Write and Update access levels is permitted.
This security feature can be used to hide sensitive information from certain types of users, while allowing them to see the rest of the record. Column Level security can also restrict users from changing portions of the data displayed to them in BusinessPlus pages. This capability should be used sparingly, as many fields are required by BusinessPlus for proper business rule operation.
Setup
The following example shows how to hide the SSN on PEUPPE.
Run the Administrative Console and open the Manage Security Structure plugin.
Navigate to the Person/Entity subsystem and locate the PE_NAME_MSTR table. Column security is not enabled on any table by default; a column must be selected here before it can be restricted in any role.
Select the Columns button. The Choose Columns dialog lists the table's columns that can be placed under column-level security. For this example, select PE_SSN and click OK.
The Administrative Console automatically updates the security structure. The newly added column will be displayed under the PE_NAME_MSTR table.
Select the "Update Servers" button to push the security structure changes to the Web servers. If this button is not selected, the system will prompt the user to update the servers before the Manage Security Structure screen can be closed.
With the new security structure changes in place, the next step is to restrict access to PE_SSN in a security role.
Open the Manage Security Roles plugin from the Administrative Console. Find the role that needs to be modified, then locate the PE_SSN column under the PE_NAME_MSTR table. The default behavior for all columns is Derived. Uncheck the Derived box and the Read, Write and Update permissions. This restricts the user from viewing or modifying any data in this column.
Click the Save button to record the changes.
Update the Web servers with the changed role information. This may seem redundant because the same step was just performed when setting up the Manage Security Structure; however, when only a security role changes (and not the structure), this step is still required. It is also possible that a user has logged in since the Web server was last updated, in which case their old role is cached, and updating the server again ensures the changes take effect.
Next, log into BusinessPlus as the user assigned to the column-restricted role and open PEUPPE. The SSN field is now disabled. The user is not allowed to click in the SSN field. The field will also be disabled in Find Mode if the user does not have Read access. This will prevent the user from "guessing" at the value in the field.
To allow read-only access:
Use the Manage Security Roles plugin to change the role so that it has only Read access on the SSN. Be sure to save the changes and update the servers from the Manage Security Structure screen.
Now when opening the PEUPPE page (first, close any open BusinessPlus pages and re-login to see the new changes), the user is able to view the SSN data, but not allowed to edit the field. This is because they still do not have Update access to that column. This is helpful if the client needs to protect data and only allow a few select individuals to make changes.
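The access model described above (Derived inheritance from the table, and the Read/Write/Update bits governing Find, Add and Update mode) and the three role states walked through in the PEUPPE example, as a constructed Python model. This is added illustrative code, not BusinessPlus's own logic; the class and function names are assumptions, and only the table, column and permission names come from the page.

```python
# Constructed model of how BusinessPlus column-level security resolves a field's
# state per page mode. Illustrative code only, not BusinessPlus's own implementation.
from dataclasses import dataclass, field

# Page mode -> the column permission that must be present for the field to be enabled
# (Read governs Find mode/display, Write governs Add mode, Update governs Update mode).
MODE_REQUIRES = {"Find": "Read", "Add": "Write", "Update": "Update"}


@dataclass
class ColumnRule:
    """Per-column entry in a role. Derived means 'inherit the table's permissions'."""
    derived: bool = True
    perms: frozenset = frozenset()


@dataclass
class TableRule:
    """Per-table entry in a role, with optional per-column overrides."""
    perms: frozenset
    columns: dict = field(default_factory=dict)


def effective_perms(table: TableRule, column: str) -> frozenset:
    """Resolve the permissions that apply to one column under this role."""
    rule = table.columns.get(column, ColumnRule())  # unlisted columns are Derived
    return table.perms if rule.derived else rule.perms


def field_state(table: TableRule, column: str) -> dict:
    """Return whether the field is enabled in each page mode."""
    perms = effective_perms(table, column)
    return {mode: required in perms for mode, required in MODE_REQUIRES.items()}


def account_control_enabled(table: TableRule, ledger_column: str, mode: str) -> bool:
    """The account control follows its ledger column: a restricted ledger disables the whole control."""
    return field_state(table, ledger_column)[mode]


# Worked example from the text: PE_SSN on PE_NAME_MSTR under three role configurations.
FULL = frozenset({"Read", "Write", "Update"})
full_role = TableRule(FULL)                                                    # PE_SSN left Derived
restricted = TableRule(FULL, {"PE_SSN": ColumnRule(False, frozenset())})       # all access revoked
read_only = TableRule(FULL, {"PE_SSN": ColumnRule(False, frozenset({"Read"}))})  # view, no edit

if __name__ == "__main__":
    for name, role in [("derived", full_role), ("restricted", restricted), ("read-only", read_only)]:
        print(name, field_state(role, "PE_SSN"))
```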
In general, any field on any BusinessPlus page can be restricted with Column Level Security. There are, however, some exceptions.
Limitations
Account Control
The Account Control that appears on many BusinessPlus pages (such as POUPPR and APOHBTUB) only works at a high level based on Ledger. If the ledger column on a table is restricted and it is part of the account control, then the entire account control will be disabled or enabled accordingly.
Security on the key/object is used to control whether or not the data is displayed to the user. It does not control write/update security; that is handled by the ledger column. Below is a screenshot of the OHB_BATCH_DTL table. This is the child-records table on APOHBTUB. This setup will disable the entire account control.
Column Level security is not applied to the ability to display and enter account splits on POUPPR.
BusinessPlus Applications
Dashboard applications (portals) do not support Column Level security. Examples are Employee Online, Timecard Online, etc. BusinessPlus pages that are "Custom Controller" pages (meaning that they have special behavior to allow a richer user interface) do not support Column Level security for any of their displayed fields.