Managing Users and User Security
Deacom ERP security enables companies to set security around almost all business data and transactions that maintain daily operations within the software. As a result, Deacom enables each person using the software to have their own unique login credentials and security profile, which control access not only to specific transactions but also to the information the user can view. User security privileges exist on two levels: group and individual. Group access is the best way to set up and maintain security settings, as new users can easily be added to a group whose security has already been configured. Individual access allows for exceptions and specific situations, including the need to temporarily grant a user permission for certain tasks. It is important to note that a user's individual access will override their corresponding group access.
Configuration
The configuration process begins with identifying the different users, their roles or groups within the company, and the different facilities or companies that may require different security access. Facility records are usually created early in the implementation process; they are handled in separate process discussions and are not covered in detail here. User Groups need to be set up before User records are added, and both need to exist before security access is assigned.
Process
Managing Users
One User record should be created for each person using Deacom ERP software and each User record is assigned to a User Group during setup. These User Groups are used to lump the Users together and easily assign security levels based on job function. Follow the steps below to manage User Groups and Users.
Adding User Groups
- Navigate to System > Maintenance > User Groups.
- Click "Add New", enter a Name for the group, then click "Save" and "Exit".
To modify an existing record, in Step 2, highlight the desired group and click "Modify" instead.
Adding Users
- Navigate to System > Maintenance > Users and click "Add New".
- Enter the required fields (in blue) at a minimum. This form also controls the timeout limit for the user and whether the User has access to the main application and/or the Warehouse Management System (WMS) application.
- Once all information has been entered, click "Save" then "Exit".
Note: User Restrictions can be set by clicking the "Restrictions" button on the Edit User form or by following the instructions detailed under the User Restrictions section below.
To modify an existing record, in step 1, highlight the desired User in the Users form and click "Modify" instead.
Managing User security
During initial user security setup, there are generally two approaches to take:
- Provide wide open access to all users and restrict as time passes.
- Provide narrow access to all users and open as necessary.
Most companies prefer to limit access at go live, to prevent users from making changes in the system that may have a negative impact on processes those users are not aware of. Prior to go live, users can be given wide open access to learn their daily procedures and which transactions they will need access to in Deacom. Security groups can then be configured, and users will be able to easily identify when they need access to an area in the system that their security does not allow. As a best practice, security groups are set up and tested with a standard process prior to go live. Companies should aim to keep User and User Group security the same as often as possible. Otherwise, it may become cumbersome to manage.
Modifying Individual User access
- Navigate to System > Maintenance > Users.
- Locate the appropriate User and click the "Modify" button to display the Edit User form.
- Click the "Edit Access" button to display the Edit User Access form.
- Notice the system will display the User's individual settings as well as the settings for the group to which the User is assigned.
- Navigate through the list to find the security settings to be modified.
- Double click on the row to cycle the individual user setting from "Yes" to "No" to "Blank". Leaving the setting blank at the user level reverts to the user group setting.
- Once all the appropriate changes have been made, click the "Save" button to complete the process.
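The resolution rule above (an individual "Yes" or "No" overrides the group, a blank falls back to the group), modeled as an added example that is not Deacom code. It also lists user-level overrides, the drift from group security that the best-practice note asks companies to keep small. The data layout, user names and the "Edit purchase orders" permission are assumptions, as is treating a setting missing from the group as "No".

```python
"""Model of individual-over-group access resolution (illustrative, not Deacom code)."""
from typing import Optional

# Constructed sample data. "Edit purchase orders" is a hypothetical permission;
# True = "Yes", False = "No", None = blank at the user level.
GROUP_ACCESS = {
    "Accounting": {"Accounting -- supervisor": True, "Edit purchase orders": False},
    "Purchasing": {"Accounting -- supervisor": False, "Edit purchase orders": True},
}
USERS = {
    "alice": {"group": "Accounting", "access": {"Edit purchase orders": True}},
    "bob": {"group": "Accounting", "access": {"Accounting -- supervisor": False}},
    "carol": {"group": "Purchasing", "access": {"Edit purchase orders": None}},
    "dave": {"group": "Purchasing", "access": {"Edit purchase orders": True}},
}


def effective_access(user: str, permission: str) -> bool:
    """Return the setting that applies: the user's Yes/No if set, else the group's."""
    record = USERS[user]
    individual: Optional[bool] = record["access"].get(permission)
    if individual is not None:
        return individual  # individual access overrides group access
    # Blank at the user level reverts to the group setting.
    # Assumption: a permission missing from the group is treated as "No".
    return GROUP_ACCESS[record["group"]].get(permission, False)


def list_overrides():
    """List user-level settings and how each one relates to the group setting."""
    findings = []
    for user, record in sorted(USERS.items()):
        group = GROUP_ACCESS[record["group"]]
        for permission, individual in sorted(record["access"].items()):
            if individual is None:
                continue  # blank: the group decides, nothing to review
            group_value = group.get(permission, False)
            if individual == group_value:
                kind = "redundant"  # same as the group; could be left blank
            elif individual:
                kind = "grant"  # user has more access than the group
            else:
                kind = "deny"  # user has less access than the group
            findings.append((user, permission, kind))
    return findings


if __name__ == "__main__":
    for finding in list_overrides():
        print(*finding, sep=" | ")
```

Reviewing the "grant" rows periodically is a quick way to find temporary permissions that were never removed.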
Modifying User Group security
- Navigate to System > Maintenance > User Groups.
- Locate the appropriate User Group and click the "Modify" button to display the Edit User Group form.
- Click "Edit Access" to assign the appropriate security settings to the group. This can be done by copying security of another group, setting all securities to Yes or No, or double clicking each security individually. When finished, click "Save" then "Exit".
- Once User Group security is assigned, navigate to System > Maintenance > Users.
- Modify the appropriate User records and assign them to the User Group. On the Edit User form, click "Save" and "Exit".
- Exceptions to group access may be assigned on an individual user level, as detailed under Modifying Individual User access.
User Group Master Security
User group master security is most useful when trying to evaluate which user groups have or do not have access to a specific security setting. When opened through System > Maintenance > User Group Master Security the User Group (listed horizontally along the top) and the Security (listed vertically along the left-hand side) will be displayed. Locate the intersection of the user group and security, then double click to toggle between Yes and No. User group security may be updated from user group master security, but as more user groups are added, managing security in this screen can be difficult.
Copying User Security
- Navigate to System > Maintenance > Users.
- Highlight the User that will receive the copied security and click Modify.
- Click Edit Access.
- Click Copy Security.
- On the Select a User screen, search for the user whose Security will be copied and double click.
- Click Save to submit the changes.
Copying User Group Security
- Navigate to System > Maintenance > User Groups.
- Highlight the User Group that will receive the copied security and click Modify.
- Click Edit Access.
- Click Copy Security.
- On the Select a User Group screen, search for the user group whose Security will be copied and double click.
- Click Save to submit the changes.
Controlling data and records
Data and record control is security that restricts Users to certain transactions and master record data within the system. An example is access to certain Chart of Account records within the system.
Using Chart Group Security
The Chart Group Security function is used to control users' ability to view and select accounts in search boxes when working with transactions in Deacom. After creating User Groups and Chart of Account Groups, navigate to Chart Group Security to specify which User Groups have access to which Chart Groups. The menu path is: System > Maintenance > Chart Group Security. Chart group security may be used to allow purchasing to enter expense orders, but limit which expense accounts the purchasing team will be able to use.
Using Revision Facility Security
Revision Facility Security is used to control which User Groups have access to view or modify specific Facility BOM revisions. This feature was added to allow certain users to add or modify Items and Formulas specific to their User Restriction (Formulator, Item Planner, Facility) while also allowing them to view only Items and Formulas anywhere else.
Accessed via System > Maintenance > Revision Facility Security, locate the intersection of the User Group (listed horizontally along the top) and the Facility (listed vertically along the left-hand side) and double click to toggle between View, Yes, and No - where Yes indicates that User Group has permission to view and modify BOM revisions linked to that Facility.
Using Document Category Security
Document Category Security is where Deacom User Groups are assigned to Document Categories. This allows companies to restrict certain User Groups from accessing certain types of documents. For example, one customer was storing credit check documents on the Bill-to Company record. The business wanted only the Accounting and Administrative teams to have access to these documents but their Sales Reps also had access to the Bill-to Company record. Restricting Document Category Security access to the User Group that the Sales Reps are part of prevents them from being able to access the documents uploaded under the specified Document Category to the Bill-to Company.
The Document Category Security grid is loaded via System > Maintenance > Document Category Security. To update, locate the intersection of the User Group (listed horizontally along the top) and the Document Categories (listed vertically along the left-hand side) and double click to toggle between Yes and No, where Yes indicates that User Group does have permission to view and select that Document Category.
Using Quality Control Group Security
Quality Control Group Security is where Deacom Security User Groups are assigned to Quality Control Security Groups. Accessed via System > Maintenance > Quality Control Group Security, locate the intersection of the User Group (listed horizontally along the top) and the Quality Control Security Group (listed vertically along the left-hand side) and double click to toggle between Yes and No, where Yes indicates that User Group has permission to see the tests in the selected QC group when opening QC Result Entry. Quality Control Group Security is used in conjunction with the User Group and User security settings that allow users to view, enter, and approve QC tests. Setting up Quality Control Group Security enables different user groups to view, enter, and approve different tests on the same materials.
Using Financial Statement Group Security
Financial Statement Group Security is where Deacom Security User Groups are assigned to Financial Statement Security Groups. Financial Statement Security Groups are set up at Accounting > Maintenance > Financial Statement Groups. Locate the intersection of the User Group (listed horizontally along the top) and the Financial Statement Group (listed vertically along the left-hand side) and double click to toggle between Yes and No, where Yes indicates that User Group has permission to generate and view Financial Statements assigned to that group.
Using Grid Layout Security
Grid Layout Security is where Deacom User Groups or Users are assigned to Grid Layouts. This allows companies to restrict certain Users or User Groups from accessing certain types of reports by restricting access to the Grid Layouts used to generate those reports. Users inherit the permissions of the User Group to which they are assigned. Exceptions to the group can be managed at the User level. For example, if one member of the Accounting department should not have access to a Grid Layout, permission to access the Grid Layout would be set to "Yes" for the Accounting User Group and "No" for the individual user. The steps to grant access to Grid Layouts, for both Users and User Groups, are covered on the Managing Grid Layout Security page.
Configuring User Restrictions
User restrictions limit user access to records and functions within Deacom. User restrictions are useful not only for security reasons, but also to clearly define or separate work responsibilities. The most common example is the Facility restriction. If a user has a Facility restriction, they may only view records and perform functions for their assigned Facility, usually the Facility in which they work. Specifically, when a user is restricted to one Facility, the Facility selection box will be grayed out in all pre-filters throughout the system, ensuring that a user may not select additional Facilities. In addition, when using the order search boxes throughout the system to view production, purchase, or sales orders, a Facility-restricted user will only see orders belonging to their assigned Facility. Even with Facility Restrictions, a user can still edit the "Cash Account" field in Accounting > Manual Checks, to ensure the proper account can still be selected regardless of location. User Restrictions may be accessed in two ways:
- Click the “Restrictions” button on the individual User’s record.
- Navigate to System > Maintenance > User Restrictions, select the appropriate User record, and click the “Modify” button.
Configuring Approval/Un-Approval Of Temporary Journal Entries
Temporary journal entries can now be approved/un-approved via Journal Entry Reporting. Individual security settings also exist to control the ability to either approve and/or un-approve temporary journal entries.
Configuring individual points of control
Individual points of control reference security that restricts certain types of records from being posted throughout the system. An example is the accounting period restrictions that are configured through Accounting Options. The specific fields that enforce accounting period controls are as follows:
- "No Posting Before" - Before this date, users are not allowed to make transactions which will affect the general ledger. This includes shipping and invoicing of sales orders, receiving and invoicing of purchase orders, printing or receiving checks, issuing materials to production jobs or finishing products on jobs, all of which can otherwise be backdated.
- "Supervisor NPB" - Before this date, accounting supervisors are not allowed to make transactions which will affect the general ledger. Accounting supervisors are identified through user/group security, with the security item of "Accounting -- supervisor". This setting allows those users identified as accounting supervisors to continue to work in a prior period that is closed to normal users by the "No posting before" setting, to do month-end journal entries and other work to finalize the monthly data.
- "No Posting After" - After this date, no users are able to make transactions that will affect the general ledger. Setting this date prevents users from accidentally making GL entries in the future through errors in setting dates.
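How the three accounting period fields combine, modeled as an added example that is not Deacom code. It assumes the boundary dates themselves are open for posting and that accounting supervisors are checked against "Supervisor NPB" instead of "No Posting Before"; the type and function names and the sample dates are constructed.

```python
"""Model of the accounting period posting controls (illustrative, not Deacom code)."""
from datetime import date
from typing import NamedTuple


class PeriodControls(NamedTuple):
    no_posting_before: date  # "No Posting Before"
    supervisor_npb: date     # "Supervisor NPB"
    no_posting_after: date   # "No Posting After"


def posting_allowed(posting_date: date, is_supervisor: bool, c: PeriodControls):
    """Return (allowed, reason) for a transaction that affects the general ledger.

    Assumptions: the boundary dates themselves are open for posting, and
    accounting supervisors are checked against "Supervisor NPB" instead of
    "No Posting Before".
    """
    if posting_date > c.no_posting_after:
        return False, "after No Posting After"  # applies to every user
    if is_supervisor:
        if posting_date < c.supervisor_npb:
            return False, "before Supervisor NPB"
        return True, "ok"
    if posting_date < c.no_posting_before:
        return False, "before No Posting Before"
    return True, "ok"


def check_controls(c: PeriodControls):
    """Flag date combinations that defeat the purpose of the three fields."""
    problems = []
    if c.supervisor_npb > c.no_posting_before:
        problems.append("Supervisor NPB is later than No Posting Before")
    if c.no_posting_after < c.no_posting_before:
        problems.append("No Posting After is earlier than No Posting Before")
    return problems


# Constructed sample: March is closed to normal users but still open to
# accounting supervisors for month-end entries.
SAMPLE = PeriodControls(
    no_posting_before=date(2024, 4, 1),
    supervisor_npb=date(2024, 3, 1),
    no_posting_after=date(2024, 4, 30),
)

if __name__ == "__main__":
    for day in (date(2024, 2, 28), date(2024, 3, 15), date(2024, 4, 1), date(2024, 5, 2)):
        print(day, posting_allowed(day, False, SAMPLE), posting_allowed(day, True, SAMPLE))
    print(check_controls(SAMPLE))
```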
Configuring Work Flows
Work Flows give structure and visibility to tasks that are completed at different times and throughout departments within a company. Used in conjunction with Work Flow Reporting, Work Flows allow users to formalize approval processes and require specific steps to be completed before a transaction or a master data record can be completed.
Users can be prevented from approving Work Flow Sequences for records (jobs, sales orders, etc.) they create via the "Approve By" field on the Edit Work Flow Sequences form. In addition,
Managing authentication methods
Authentication means verifying the identity of someone (a user, device, or an entity) who wants to access data, resources, or applications. Deacom offers three different authentication methods: Whitelist, security questions, or email code.
Authentication methods are defined on the user level, with the defaults being provided by the settings defined in System Options. See the Managing Authentication Methods page for complete information.
Current Single Sign-On Options
FAQ and Diagnostic Tips
If I am using a different web browser, will I still need to be whitelisted in web-based versions of Deacom?
Yes, Deacom relies on cookies, so a different browser, or even reinstalling a browser will require a new whitelisting request. In addition, if you clear your cookies or enter by a different web address, this will also require a new whitelisting request.
What criteria are evaluated for whitelisting in classic versions of Deacom?
Motherboard, CPU, and hard drive.
Is there a way to bypass the Whitelist Security feature?
No, there is no way to bypass the Whitelist Security feature. If the Whitelist authentication method is selected, all devices must be approved before they can be used to log into Deacom.
After updating to 14.3, users can't log on to Deacom to approve machines on the Whitelist. How can I approve machines on the Whitelist?
When updating to 14.3 or higher for the first time, the device or machine where the update is run will automatically be set to "approved" on the Whitelist. Log on to Deacom on this machine and whitelist users.
How do I search for the exact permission I need to change?
Use the Advanced Filter. From the "Edit User Access" form, click on the "Advanced Filter" icon in the toolbar. Set the Field Name to Description or Notes, set the Operator to Contains, set the Type to Value, and in the Value field, enter a keyword such as "job." Click "Apply" and "Exit".
How do I remove a facility restriction?
Navigate to System > Maintenance > User Restrictions > select the user > click "Modify" > clear the "Facility" field > click "Save" and "Exit". If you are a Deacom administrator and you have a facility restriction, you will need another administrator to change or remove it.
Can a user be restricted to more than one facility?
Yes, create a facility group and add multiple facilities. Then, restrict the user to the Facility Group.
I'm getting a prompt that says "Access Denied" when I try to access a particular area of Deacom. What do I need to do to get access?
Note the description of the permission in the prompt. Contact your internal Deacom administrator with this information and ask them to grant access to you and your User Group, if necessary.
User is getting logged out of Deacom even though he is actively using Deacom. What is the problem?
Be sure that the user is not using an external. Externals do not affect the timeout settings. Increase the timeout setting or set it to zero for that user.