Bxp R10SER1 - System Access Management
1 Overview
This document forms part of the bxp Release 10 Service Enhancement Release 1 suite of changes, found here: Bxp_Release_10_SER_1_prerelease_notes
1.1 System Access Management 
1.1.1 User tabs
Given the length of the user setup screens, a more effective interface screen is being designed.
Borrowing from the tabs capability of forms the interface will follow this format.
[Images not reproduced: Structure | Presentation]
The tab bar will contain the sections currently available but only show the fields when that tab is clicked.
The Module title and counts bar will use module icons (with name and count of ticks on hover over).
Then, upon clicking the module, the sections for the module appear for selection.
The module access tick box (overall access to the module) will be removed in favour of intelligent access: you have access to the module if you have access to 1 or more sections in the module.
1.1.2 Password blacklist engine
This facility will allow clients and the bxp administration team to apply a list of known weak passwords, seen in hack attempts, which may nonetheless validate as strong. Blacklisting these password combinations is designed to reduce the risk of security break-ins even if the password strength is flagged as strong.
A global list will be maintained by All n One, with clients able to control their own lists from inside System Settings.
The support article is available here: Security_-_Password_Blacklist
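The following added example (not bxp's own code) shows why a blacklist is checked in addition to a strength rule, with a global list and a per-client list. The strength rule, the constructed list entries, the client name `acme` and the case-folding normalisation are assumptions.

```python
import re
import unicodedata
from typing import Tuple

# Constructed sample lists; the real global and client lists are not on the page.
GLOBAL_BLACKLIST = {"P@ssw0rd1!", "Welcome123!", "Qwerty123$"}
CLIENT_BLACKLISTS = {"acme": {"Acme2024!"}}  # "acme" is a hypothetical client system


def is_strong(password: str) -> bool:
    """Assumed strength rule: 8+ characters with lower, upper, digit and symbol."""
    return (len(password) >= 8
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def normalise(password: str) -> str:
    """Fold case and Unicode form so trivial variants hit the same entry (assumption)."""
    return unicodedata.normalize("NFKC", password).casefold()


def check_password(password: str, client: str) -> Tuple[bool, str]:
    """Return (accepted, reason); the blacklists are consulted after the strength rule."""
    if not is_strong(password):
        return False, "weak"
    candidate = normalise(password)
    if candidate in {normalise(p) for p in GLOBAL_BLACKLIST}:
        return False, "global blacklist"
    client_list = CLIENT_BLACKLISTS.get(client, set())
    if candidate in {normalise(p) for p in client_list}:
        return False, "client blacklist"
    return True, "ok"
```
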
1.1.3 Client table alterations
The client table will have a number of fields added to support numerous new functions.
Attempting to logically group items without adding tabs unnecessarily, the Lister and Jotter, Reminders and Time Tracker options have been moved to a tab called Module Specific. This replaces the "Lister and Jotter" and "Reminders" tabs.
| Field | Use | Status | Available in Tab |
|---|---|---|---|
| strClient_3rdPartyEngine | to allow mapping to 3rd party system | Editable | Primary Security Details |
| strClient_3rdPartyUserId | the equivalent Id in the 3rd party system | Editable | Primary Security Details |
| strClient_IsUAM | to flag account is a UAM template | Editable | UAM Management |
| strClient_UAMTitle | to allow reporting and grouping of UAM permissions | Editable | UAM Management |
| strClient_LimitTimeTrackerCosting | to influence Time Tracker option display on day view. | Editable | Module Specific |
| strClient_LastEdited_LastDateTime | to make editing reporting easier | Read Only | Security Information |
| strClient_LastEdited_LastByWhom | to make editing reporting easier | Read Only | Security Information |
| strClient_Retired_LastDateTime | to make retired reporting easier | Read Only | Security Information |
| strClient_Retired_LastByWhom | to make retired reporting easier | Read Only | Security Information |
1.1.4 Security - Retired date time
Whilst this information is available through the audit logs it is not easily reported upon.
- When was a user retired?
- Who retired the user?
There will be the addition of two summary data fields to the Client table:
- strClient_Retired_LastDateTime
- strClient_Retired_LastByWhom
The fields have "Last" in their names because they hold only the last time an account was retired. So if an account was retired multiple times, the fields will only hold the last data. This also compensates for the fact that logs are only held for 6 months.
So if you go over the 6 months without manually backing up the logs, the information is no longer auditable.
- So the fields will be added for future record changes only
- The columns of information will be made available in the retired functions search abilities
- A dedicated report in SAM will be provided to allow reporting on these fields.
If a user is already retired, the fields will be initialised as follows:
- Last Date Time will be the date that the field is implemented
- By Whom will be associated with the Administrator account.
1.1.5 System Settings - Tabbed view
To reduce space on screen for very long screens with lots of settings, tabs, as used in KeyStats, are being implemented system wide. The layout will change for the System Settings page, with all the same sections and fields, just tabbed.
1.1.5.1 Primary Interface Options
A new field for "Table Styling", discussed later, will be made available on this screen. See Table_Styling
1.1.5.2 Form-BEMail SPAM
This new tab is for the SPAM checks to be performed by BEmail on arrival of an email to bxp. These values are used by all forms which are using the spam engine.
System_Settings#Form_-_BEmail_SPAM
1.1.5.3 Google Maps
This tab is for customisation and support of Google Maps options system wide.
1.1.6 System Keywords - Tabbed view
To reduce space on screen for very long screens with lots of settings, tabs, as used in KeyStats, are being implemented system wide.
The layout will change for the System Keywords page, with all the same sections and fields, just tabbed.
There are no new fields on this page.
1.1.7 SAM - User Administration - Menu Changes
Every user in bxp can have a vast amount of information stored about them. As bxp provides more specialised Human Resources tools and expands user specific capability, the amount of information available to security becomes cluttered and less secure. For this reason the HR details of a user, referred to as "User Details", are being moved to the HR management module. All other security related functions will remain untouched.
As is good security and systems maintenance practice, consistent naming is being applied across bxp menus. One menu changing heavily is the User Administration menu.
As the "Send Welcome Email" engine for a single user is fully accommodated by the "Send Welcome Email" engine for multiple users, the single user engine has been removed to keep things as clear as possible.
- "User - Add" becomes the very clear title for the more obscurely named "Add User - Security Details Only"
- "Copy User - Includes selected security permissions" becomes the more appropriately titled "User - Copy (including content access permissions)"
- "Edit User - Security Details" becomes "User - Edit"
- As explained "Edit User - User Details" is removed to the HR manager module
- As explained "Send welcome email (with account details)" is removed
- "Mass Send welcome email (with account details)" becomes "Send welcome email (with account details)"
- "Release Lock Out" becomes "Security - Release Lock Out" in line with the naming convention
- The UAM functionality as discussed above now appears in the menu as options:
  - UAM - Template User - Add
  - UAM - Template User - Edit
[Images not reproduced: Was | Becomes]
1.1.8 SAM - System Management - Menu Changes
A number of small changes are being applied to the System Management menu for housekeeping and tidiness improvements. These are cosmetic name changes; no functionality has been altered to existing functions.
Consoles
- The two consoles are still at the top but slightly renamed to bring them in line with naming conventions used throughout
System level functions
- All System Wide functions have been grouped and moved to the top of the menu
- Module Names has been renamed to System Modules Names to improve menu option consistency
Group user functions
- The group user functions appear together next
Retired user functions
- Edit Retired Users has become Retired - Edit user
- Group User - Modify Details (Retired Users) has become Retired - Group User - Modify Details to help clarity of system use
Custom folder support
- These two new menu items are discussed above as the new function to manage the custom folder via sFTP
Security - Functional Access Matrix is a report not a modification tool. Therefore it has been moved to Security Reports instead.
[Images not reproduced: Was | Becomes]
1.1.9 System Information tab
With the new tab layout there is the addition of a specific new tab which is a reporting tab, not an editing tab. This tab provides at a glance support information for System and Security Champions alike. The tab will take the following format and the layout is dictated by the system chosen layout (see 3.8 below).
1.1.10 SAM - Security Group - Menu Changes
Again making the naming of functions consistent system wide, some minor naming changes are being applied.
[Images not reproduced: Was | Becomes]
1.1.11 User Status report
A new column has been added to the data of this report to reflect the UAM title of the user.
As per section 3.8, the user status report is now styled using the Table styling selected as per the system.
1.2 BEmail Interface rewrite
The BEmail accounts interface has been updated to use tabs. Full documentation has been updated in place: BEMail_accounts
A log error during the tidy identified that quite a number of fields that should have appeared were not appearing. These now display and are documented properly above.
The search screen now includes the description and server fields to help identification of accounts.
A new delete function has been added to allow deletion of redundant accounts. Before deletion occurs:
- The system checks if the BEmail account chosen is actually connected to a form. If it is, a link to edit the form is provided and deletion isn't allowed.
- If the BEmail account is not linked to a form, the engine checks who the creator of the account is. If this isn't you, a notice is displayed saying to retire the user or ask that user to delete the account.
- If the BEmail account is not linked to a form, and either was set up by you or the user is retired, then deletion will be allowed to continue.
1.3 Custom folder via sftp
Access to the custom folder via the current web interface requires a "one by one" file approach. Where a client needs to manage numerous files, sftp access will be provided to the file storage engine of bxp. This will in turn be managed on a scheduled or click request basis to kick off an audited and antivirus scanned transfer of the file storage to the live web infrastructure.
This should provide easier access for system administrators to mass manage their custom folder.
The_Custom_folder_through_sFTP_management
1.4 Login page - Username autocomplete
As part of security the password field has a feature which removes the auto-complete of the password. This is a reasonable security measure.
In order to further improve security the username field will now also have autocomplete removed. The reason is that if a machine is used in a public environment, the username is left in the box, providing a valid account which could be attacked to force unwanted lock outs. This change means a user will need to type their name in regularly.
1.5 Client daily picture engine
This small change will allow clients to have their own 365 daily images run from the client's custom folder.
Currently using the keyword dailyPic in the background image of a user or a system will use the daily pic engine as their background.
By changing the word to customDailyPic, the engine will use the path
folder. X is the name of the system currently being used and YYY is the 3 digit code for the day of the year, i.e. 001 is 1st January of that year.
For more information see The_dailyPic_engine


