Tools - Security
Role Simulator
The Role Simulator tool helps test the security for a given user. It allows a client to view the security for a particular role combination as it would appear for Table or Menu Access. The intent is to provide a method of not only seeing what a user would currently have access to by selecting their current roles, but to estimate what the impact of additional role assignments might be without actually granting access to that in the system.
User Security Audit Report
The software has a built-in method of checking on a user's security. While this report is unable to know what a user is supposed to have assigned, it does look for common security issues such as a user having no data access at all or the role output being outdated for that particular user. This report can be run from the tools panel of the "Manage Users" screen from the Administrative Console.
Tracing
If there appear to be problems in the way the software is handling security, there are some modules that can be used to track down the problems. Tracing for a particular module can be enabled using the Configure Local Server plugin in the Administrative Console on each of the Web servers.
Module | Usage |
---|---|
BT20NU | Used to generate the persisted versions of the XML Model and XSLT Roles. |
BT30NU | Used to handle requests for User Security XML and for individual security checks on Menu Masks and Application Functionality. This module is used to cache security information within BusinessPlus. Also, this module contains the user login logic for both CDD and BusinessPlus. |
BT30NU.Managed | This module is used to process the User Security XML into more complex information such as the specific filter on a table. |
BT70NU | This is the Utility module used by the "Rebuild Security" tool to populate the Role Output table. This is also the module used to create the User Audit Report. |
Role Output
To help ensure that many different aspects of the system can share the same security information easily, a significant amount of each user's security is saved in the US_ROLE_OUTPUT table. This way, BusinessPlus, CDD, and the software running on the application server can all share the same access information. However, it is possible for the information in this output table to become stale. One way to check for this is the User Security Audit tool on NU Manage Users.
To help ensure that this information is not outdated, the Rebuild Security tool should be run anytime a change is made to a user's security role assignments or whenever a security role is changed. The Rebuild Security tool is available on both the Manage Users and Manage Security Roles screens and can be run for the currently selected record.
Technically all the rows in the US_ROLE_OUTPUT table can be regenerated at any time and no setup or configuration information is stored in them. However, the process of regenerating all role output for all the users in the system can be time-consuming and should not be done while the system is in use.
Server Cache
Some of the security information is cached on the Web server to handle access requests without going back to the database with each request.
Just as the persisted BLOBs or Role Output tables can become outdated, so can the cached information on the Web servers themselves. The Rebuild Security tools make an attempt at flushing the cache on the Web servers in the server farm, but if a client is experiencing network issues or there is a problem with the server group setup, it is possible that the server's cache will need to be manually flushed. The Monitor Servers plugin in the Administrative Console provides a method of remotely connecting to a Web server and running the Flush Server Cache tool against that server.
In the event that a client still does not believe the server's cache has been flushed properly they may find it necessary to take that server out of Network Load Balancing and restart services in order to be sure the cache has fully been cleared. This is not considered to be a normal requirement of the software.
It is important to note that flushing the server cache will have an adverse impact on the performance of the software. Obviously, if the software is not performing correctly at all this is a necessary interruption for users. Otherwise, it would be best if this is done outside of peak usage times.