Page History: Security Changes 2018
Compare Page Revisions
Page Revision: 06/26/2018 01:32 PM
The Short Version
We made some positive changes to security, to make ComCept easier to lock down. Because of these changes, Security Administrators need to update their security data by August 22nd, 2018.
ComCept .Net checks permissions in more places now, so we temporarily gave your users these permissions. Doing so keeps everyone from losing functionality until you manually take them away. We did this by adding new groups with the new permissions to your data, and then we assigned the new groups to your users.
You must add these new permissions to your security groups before August 22nd, at which point we will remove the groups we added to your data.
While we were making security changes, we also added some features to the Security Maintenance page, so you will have an easier time managing all these permissions.
Details
ComCept made some essential changes to security. These changes allow you to better control which users can perform functions on the Point-of-Sale pages within ComCept .Net. We also diminished the importance of “Security Levels” in Point-of-Sale functions, which will require security administrators to act in the next few weeks.
Briefly, we:
- created new permission checks
- removed unneeded permissions
- consolidated redundant permissions
- removed dependencies on “Security Levels” in Point-of-Sale
- made security easier to manage
Security Levels vs. Roles
There are two ways to grant users access to functions in ComCept. You can either set the user’s Security Level, or you can grant Permissions through one of your many Security Groups.
Security Levels
Security Levels are assigned to users to indicate how much of the application they can access. Higher Security Levels allowed access to more functions.
A complete explanation of Security Levels can be found here:
Security Help Documentation
Groups and Permissions¶
ComCept needed a more granular way to assign permissions than with Security Levels, so we implemented role-based security using permissions and groups. You can define roles within your organization and assign those roles to your users. Many functions in ComCept .Net honor both Security Levels and Permissions. For example, users with Security Level 3 or users with the permission, “PurchaseOrder_New” in their roles can create new Purchase Orders.
No More Security Levels in Point of Sale
All the ComCept Point-of-Sale functions are now entirely dependent on Permissions, not Security Levels. This change means giving a user Security Level 1 will no longer provide them with access to Invoicing, for example. As you create new users in your data, you must assign them to groups that grant Point-of-Sale permissions, as Security Levels will no longer work.
Note: Purchasing functions, such as the Purchase Orders page are still responding to security levels, but we will be migrating these functions to Permissions over time as well. Eventually, all Security Levels will be removed entirely from ComCept.
Action Required
ComCept has added new security groups to your data, filled with Point-of-Sale permissions that will keep your users from losing any functionality. You will need to add these permissions to your groups, because we are taking the groups back out by August 22nd, 2018. Please read through the rest of this document for detailed information on what permissions changed.
New Groups
We have temporarily added some new security groups to your data, to keep users from losing functionality. We will be removing these temporary groups after August 22nd, 2018. Here’s why:
We added new permissions for actions that users could already perform so that you can now deny these permissions from users if needed. ComCept .Net will now check to see if a user has permission to perform these actions before allowing them to continue. To keep everyone from losing functionality after the code release, we automatically added the new permissions to new Security Groups and assigned those groups to your current users who were already allowed to perform these functions.
For example, users with Security Level 3 or higher were able to save work orders. For this reason, we will automatically place all your Security Level 3 (or higher) users in the “ComCept Level 3” group, which contains a permission called, “POS_WorkOrder_Save”.
ComCept will remove these new groups from your database on August 22nd, 2018. Therefore, Security administrators have until August 22nd to inspect the “ComCept” groups and assign the permissions within them to other groups. After August 22nd, ComCept will remove the new groups, and users will only be able to perform the actions listed within these groups after you place the permissions in your security groups.
Permission Changes and Consolidation¶
We have added permissions for the following actions:
DM_WorkOrderAdd: Upload a work order spreadsheet using data maintenance.
DM_CustomerUpdate: Upload a Customer Update spreadsheet using data maintenance.
DM_MasterInventoryUpdate: Upload a Master Inventory spreadsheet using data maintenance.
DM_MasterPricingUpdate: Upload a Master Pricing spreadsheet using data maintenance.
DM_LocalInventoryUpdate: Upload a Local Inventory spreadsheet using data maintenance.
DM_AttributeAssign: Upload an Attribute spreadsheet using data maintenance.
DM_TaxGroupExemption: Upload a Tax Group Exemption spreadsheet using data maintenance.
DM_PriceProfiles: Upload a Customer Special Pricing / Pricing Profiles spreadsheet using data maintenance.
DM_CustomerEmailAdd: Upload a Customer Email Add spreadsheet using data maintenance.
DM_CustomerAdd: Upload a Customer Add spreadsheet using data maintenance.
DM_InventoryAdd: Upload an Inventory Add spreadsheet using data maintenance.
DM_PricePro: Upload a Price Pro spreadsheet using data maintenance.
DM_VendorPart: Upload a Vendor Part spreadsheet using data maintenance.
POS_CustomerBillToDetails: Modify the name and address for the Bill-To customer.
POS_CustomerShipToDetails: Modify the name and address for the Ship-To customer.
POS_StandingPO: Indicate that the PO on this order is a standing PO, preventing the order from automatically closing.
POS_SalesmanCallIn: Indicate that the order was a salesman call-in, as opposed to customer-initiated order.
POS_ConsignmentCredit: Allow user to change a consignment to a Consignment Credit.
POS_LineItemDetailsView: Allow user to open the line item details and see gross margin, cost and pricing explanations.
POS_LineItemCanBackorder: Allow user to change the Backorder flag for line items.
POS_LineItemTaxable: Allow user to change the taxable status of a line item.
PurchaseOrder_TypePO: Allow user to save "PO" type purchase orders.
PurchaseOrder_TypeRGPO: Allow user to save returned goods purchase orders.
PurchaseOrder_TypeXfer: Allow user to save transfer POs.
PurchaseOrder_TypeQuickXfer: Allow user to save quick transfers.
The following permissions were deleted:
Permission
Invoice_CustomerMessage
Invoice_Delete
Invoice_LineItemAdd
Invoice_LineItemCost
Invoice_LineItemCostSave
Invoice_ShipTo
Invoice_View
Invoice_SelectCustomerOverCreditLimit
Credit_LineItemAdd
Credit_LineItemCost
Credit_ShipTo
The following permissions were renamed or combined:
New Permission: Replaces
POS_LineItemDescription: Credit_LineItemDescription, Invoice_LineItemDescription
POS_LineItemExtendedDescription: Credit_LineItemExtendedDescription, Invoice_LineItemExtendedDescription
POS_LineItemBasePriceGM: Invoice_LineItemBasePrice, Credit_LineItemBasePrice
POS_LineItemCost: Invoice_LineItemCost, Credit_LineItemCost, Invoice_LineItemCostSave
POS_LineItemDiscountAmountSavings: Invoice_LineItemDiscountAmount, Credit_LineItemDiscountAmount
POS_LineItemOrdered: Invoice_LineItemOrdered, Credit_LineItemOrdered
POS_LineItemSalesGLAccount: Invoice_LineItemSalesGLAccount, Credit_LineItemSalesGLAccount
POS_LineItemShipped: Invoice_LineItemShipped, Credit_LineItemShipped
POS_LineItemUOM: Invoice_LineItemUOM, Credit_LineItemUOM
POS_LineSalesAccount: Invoice_LineSalesAccount, Credit_LineSalesAccount
POS_BillingDate: Invoice_BillingDate, Credit_BillingDate
POS_Details: Invoice_Details, Credit_Details
POS_MoveNext: Invoice_MoveNext, Credit_MoveNext
POS_MovePrevious: Invoice_MovePrevious, Credit_MovePrevious
POS_PONumber: Invoice_PONumber, Credit_PONumber
POS_PricingProfile: Invoice_PricingProfile, Credit_PricingProfile
POS_Print: Invoice_Print, Credit_Print, WorkOrder_Print
POS_PrintNew: Invoice_PrintNew, Credit_PrintNew, WorkOrder_PrintNew
POS_SalesPerson: Invoice_SalesPerson, Credit_SalesPerson
POS_ShipVia: Invoice_ShipVia, Credit_ShipVia
POS_TaxModel: Invoice_TaxModel, Credit_TaxModel
POS_TermsCode: Invoice_TermsCode, Credit_TermsCode
POS_ChangeShipToAfterPost: Invoice_ChangeShipTo
POS_Invoice_View: Invoice_New
POS_Credit_View: Credit_New
POS_WorkOrder_View: WorkOrder_New
Offline_WorkOrder_Delete: POS_WorkOrder_Delete
POS_Credit_InvoiceCredit: Credit_InvoiceCredit
POS_PrintPickSlip: WorkOrder_PrintPickSlip
Security Level Dependency
The very first version of ComCept .Net implemented Security Levels. Assigning a user to Security Level 1 would allow them to perform some functions while placing them in Security Level 2 would allow them access to even more features.
ComCept has since added individual security permissions for specific actions and allowed you to bundle those permissions into groups. This addition allows for more role-based security, putting clusters of permitted functionality together and assigning them to users who perform those roles.
Security Maintenance¶
In addition to the many changes to permission names, we have added some usability features to the Security Maintenance page.
List Searches
In short, you can filter all lists quickly, so you will easily find the group, permission or user you seek.
For example, the list of permissions may be very long, so you can now quickly filter the permission lists. Just type a few letters in the “Search” box at the top-right of any list to instantly filter its contents, as shown here:
User Lookup
The list of users can grow quite long. For this reason, we have changed the User list to a type-ahead search, which allows you to jump straight to the users with a partial match, as shown here:
Permission List
We have added another tab to the Security Maintenance page, which contains a reference of all ComCept permissions, including a Description of how the permission is used in the system. The list can be searched quickly, to zero in on the permissions you want to inspect.