> SYSPRO Security Introduction

SYSPRO Security Introduction

SYSPRO incorporates a number of facilities aimed at securing the system from unauthorized access.

The various levels at which security within SYSPRO can be defined enable you to implement internal controls according to your own business requirements.

Security measures range from login authentication to access levels configured per operator against programs, transactions, activities and fields.

Benefits

  • Tailored security measures

    You can configure your system security to be as simple or as finely tuned as your operating environment requires.

  • Segregation of duties

    You can ensure a method of working whereby tasks are split between different members of staff in order to reduce the scope of error and fraud.

    For example: Clerks who post invoices in Accounts Receivable should not be the same people who process the payments of these invoices. Security allows you to make sure that this does not happen.

  • Controlled access

    External access to data is controlled through the SYSPRO integration framework and e.net business objects, thus maintaining the SYSPRO business rules and security integrity.

    Standard security features include password control, as well as group and operator maintenance facilities.

    Administrators can also control access down to certain business processes, companies, modules, menus, program functions and activities.

  • Data visibility

    You have visibility down to transactional data for key codes such as warehouse, bank, salesperson, ledger, etc.

  • Audit trails

    Master data amendment journals and transactional audit trails provide records of data changes and the users responsible.

    The job logging facility provides an audit trail of user access and processing activity.

    Additionally, the Electronic Signatures system can be configured to maintain a detailed transaction log for auditing purposes (which can be retained indefinitely).

  • Transaction level security

    Electronic Signatures enable administrators to secure transactions by authenticating the operator who is performing the transaction. This can be configured at system, company, group, role, or operator level.

    You can also configure the system to activate triggers for integration with third party systems or notification via e-mail.

Access

SYSPRO provides a number of facilities that ensure security and authentication across various levels:

Access level Description
SYSPRO level An operator ID and password is required to access SYSPRO.
Company level Access to a SYSPRO company can be restricted in a number of ways:
  • Create a company password to limit access to specific companies.

  • Configure your settings to prevent further operator logins into a company.

  • Lock out an operator from the system.

Program level Access to SYSPRO programs can be restricted in a number of ways, some of which include:
  • preventing operators from running a program using the File Run facility from the main SYSPRO menu.
  • defining custom menus for operators.
  • configuring certain Electronic Signatures with prohibited access to certain programs.

  • defining program access for an operator group.

    Operators must belong to a group and these groups can then be configured to prevent unauthorized access to SYSPRO.

Transaction level Transactions in SYSPRO can be secured in a number of ways:
  • Restrict access to transactions.

    You can secure access to certain transactions in SYSPRO at company, role, operator group and operator level using eSignatures.

  • Define valid business processes against general ledger account codes using the General Ledger Codes program.

Activity level You can restrict access to specific activities in SYSPRO at operator level, as well as by assigning passwords to specific activities.
Field level You can restrict access to specific fields in SYSPRO by denying operator access to the editing of fields and viewing of sensitive company data.

Controls

Company-wide setup options enable you to tailor SYSPRO to suit a company's control requirements.

Source Description
Operators The basic control entity in SYSPRO is through the operator ID.
[Note]

An operator is any person in an organization who requires access to the company data to perform tasks.

Operators are typically configured by system administrators, where a login name is assigned to each individual and access rights are configured according to the function the operator performs within the organization.

The configuration of operators enable system security to be controlled at an individual level, regulating the type of tasks and activities that individuals can perform, as well as certain field access based on the authority granted to them.

Other features of operator security control include:

  • Number of login attempts

    This indicates the number of times the operator can enter a password incorrectly before being locked out of the system.

  • Operator locked out

    This indicates whether a lock has been set against the operator (e.g. used when the operator's password has expired, or the operator has left the organization).

Groups and subgroups In SYSPRO, security groups refer to a collection of operators who have access to company data.

Groups are typically configured by system administrators and access rights are then configured according to the function the group performs within the organization.

Subgroups enable operators to be assigned to multiple groups, which accommodates the need for certain operators to inherit the program access settings of a number of different groups, without the need to configure additional groups.

[Note]

When establishing an operator's level of access to a program, access is denied only if all the groups to which the operator belongs deny access to that program.

Roles In SYSPRO, roles enable security and user-interface customization to be configured by organizational role.

These provide a simplified means for a system administrator to pre-configure and control the user interfaces, settings, program access, access control and access to activities and fields presented to SYSPRO operators.

By default, a set of roles based on the SYSPRO Business Process Management System are imported to a SYSPRO company. This includes a sample organogram which is a visual representation of roles and hierarchies within the company.

Passwords In SYSPRO, passwords form an integral part of establishing system security and enabling the restriction of unauthorized access to companies, modules, programs and functions.

Passwords and password rules can also be configured against operators to improve the integrity of their use in the system.

Operators can be compelled to change their passwords at prescribed intervals and rules that must be adhered to when defining passwords can be specified (e.g. a minimum number of characters, forcing combinations of word and numbers, preventing the recycling of operator passwords, etc.).

Setup During implementation, setup options must be configured for each SYSPRO module.

These enable the company-wide settings to be tailored to suit a company's operational environment and requirements.

For example: You can configure how requisitions for purchase orders, stores and capital assets must be managed and processed; how variances during a stock take must be detected and reported; or how various transaction items must be numbered.

Electronic Signatures Electronic Signatures provide security access, transaction logging and event triggering; enabling you to increase control over your system changes.

This facility enables the securing of transactions by authenticating the operator performing the transaction, and implements access control at transaction level rather than only at program level.

Electronic Signatures also assist with the implementation of the effective segregation of duties. They are commonly used in companies where Sarbanes-Oxley compliance is required because they control access to the processing of specific transactions, as well as provide a trace of who performed each transaction and when it was performed.

Electronic signature triggers also enable the timely identification of abnormal events which may potentially point to fraudulent activity.

Monitoring

Monitoring allows observers to be aware of the state of a system so that action can be taken if any changes or irregularities occur.

SYSPRO's monitoring functions therefore include dashboards that provide a visual indication of what is happening, as well as systems which can be automated, so that continuous control monitoring can be implemented.

Source Description
Event Management You can configure events to be monitored in SYSPRO as they occur, and invoke third party applications when this happens (e.g. if stock falls below zero).
[Note]

Events monitor the values of certain fields within SYSPRO and can be configured to perform tasks when predefined levels are met.

The actions that can be associated with an event include launching programs, sending email messages to specified persons, or writing the occurrence of the event to the Event Log.

With an event you can perform one task, but you can have multiples of the same event configured. Whereas a trigger can be configured to perform up to nine tasks (called Programs) but you can't configure multiples of the same trigger.

Triggers Triggers are similar to events, but where events are typically when certain criteria are reached; triggers are typically around specific tasks being performed.

Triggers are used to invoke third party applications when a particular trigger is activated in SYSPRO (e.g. after adding a customer).

Several of the available triggers can be used to highlight potentially abnormal transactions that may indicate fraudulent activity.

Electronic Signatures Electronic Signatures can be configured to maintain a transaction log for auditing purposes, as well as activate triggers for integration to third party systems or notification via email.

These trigger options enable the configuration of multiple actions to be executed automatically when an electronic signature transaction is successfully completed.

Electronic Signatures also enable the configuration of VBScripts that can be invoked when a trigger is fired. This caters for almost unlimited triggering capability, since virtually any type of application can be invoked using VBScript.

Additionally, Electronic Signatures enable SYSPRO Reporting Services (SRS) reports to be invoked when a trigger is fired.

Dashboards SYSPRO Dashboards provide an interactive visual presentation of realtime data in the ERP system. They allow managers and executives to see current status and trends of specific organizational metrics and to gauge how business operations are performing.

Auditing

Together with risk and compliance management, the role of auditing is to analyse and assess business data, transactions and processes, as well as to provide insight and recommendations for changes. In addition, auditing provides notification of breaches of policies and procedures.

Source Description
System Audit Log System audit logs enable the company to track any changes made to the system that affect system security.

In addition to enabling more effective system security maintenance, the audit log traces logins which allow system administrators to make more accurate recommendations about the purchase of additional licenses.

Job logging The Job Logging Setup program maintains a log file of all programs that have been accessed by operators.

This log file stores information regarding the program accessed, the date and time that the program was accessed, the length of time that the program was in use, the operator who loaded the program, as well as the computer name and process ID (PID) from which the program was run.

Amendment Journals Amendment journals track changes made to master files, company setup and operator information.

You can also report on these changes using SYSPRO Reporting Services.

SQL Diagnostics The SQL Server Diagnostic program identifies potential problems with the SQL Server database used by SYSPRO companies.

It also identifies any differences between the existing database and the standard SYSPRO tables, columns and indexes that should exist; as well as missing user-defined tables, columns and indexes.

Reporting A wide range of reports can be used to audit the security and integrity of an installation by control account reconciliation.

SRS Report Archiving enables reports to be electronically archived in the version that was produced at the time that they were run. This provides secure electronic access to transaction audit trails and financial statements.