New features, version 7.5.2, 7.5.3, 8.1
Program MUSC, User Security Maintenance, is used to enter and maintain user security data, including application and program security data for both users and user groups. Security criteria are defined by Application Password.
Synonym users are not granted the privilege to alter the security table HAR_USER.
Changing Existing Application Passwords
When the Sarbanes-Oxley (SOX) Compliance Features are in use, the system checks at login to NDS Applications whether the user's password is expired or will expire in a set number of days. If it is, a message is displayed: "Your password expires on mm-dd-yyyy at hh24:mi". The user can select Change Now to change the password or Change Later to change it at a future time before the password expires. If Change Later is chosen, the menu is displayed.
The SOX_PASSWORD_COUNTDOWN parameter in program MURM, Initialization Parameter Maintenance, must be greater than 0. The message is displayed only when the current date/time is within SOX_PASSWORD_COUNTDOWN days of the password expiration date.
When the user is changing the password, the new password must be at least the minimum length defined in program MUSC, User Security Maintenance, for the user. The new password must be different from the previous password and must contain at least one character from each of the four groups: capital letters, lowercase letters, numbers, and special characters.
SOX_PASSWORD_COMPLIANCE: Set to Yes to use the SOX compliance features.
SOX_PASSWORD_COUNTDOWN: number of days before the password expiration date for which the user receives a warning that the password will expire. This number should be less than the 'Password is valid for X days' value in program MUSC, User Security Maintenance.
For all users, verify the following:
Password Minimum Length value is set to 8 or higher.
Password is valid for X days value is greater than 0.
Allow User to Change Password flag is set to on.
Each user password contains at least one character from each of the four groups: capital letters, lowercase letters, numbers, and special characters.
When the Expire Password Now button is pressed, the Change Login screen is displayed to allow you to change the user's password and maintain the Force password change at next login flag.
On the Change Login screen, the Force password change at next login flag is set to on automatically and cannot be modified if the SOX_PASSWORD_COMPLIANCE parameter is set to Yes in program MURM, Initialization Parameter Maintenance. When this flag is set to on, the expiration date is set 10,000 days before the current date. The user is then forced to change their password on the next log in.
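The password rules, expiration arithmetic and SOX checklist described above can be modeled as follows. This is an added example, not NDS code: the UserRecord class and all function names are hypothetical, and the set of special characters is an assumption because the page does not list them.

```python
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

FORCE_EXPIRE_DAYS = 10_000          # from the page: forced change back-dates expiry by 10,000 days
SPECIALS = set(string.punctuation)  # assumption: the page does not list the special characters

@dataclass
class UserRecord:                   # hypothetical stand-in for one MUSC security record
    user_id: str
    min_length: int                 # Password Minimum Length
    valid_days: int                 # Password is valid for X days (0 = never expires)
    allow_user_change: bool         # Allow User to Change Password
    expires_on: Optional[datetime] = None  # Password Expires On

def password_problems(new: str, previous: str, min_length: int) -> List[str]:
    """Return the rules the new password breaks (empty list = acceptable)."""
    problems = []
    if len(new) < min_length:
        problems.append("shorter than minimum length")
    if new == previous:
        problems.append("same as previous password")
    groups = {"capital letter": str.isupper, "lowercase letter": str.islower,
              "number": str.isdigit, "special character": SPECIALS.__contains__}
    problems += [f"no {name}" for name, test in groups.items() if not any(map(test, new))]
    return problems

def set_password(u: UserRecord, new: str, previous: str, now: datetime) -> List[str]:
    """Apply a password change; expiry is recalculated from the change date."""
    problems = password_problems(new, previous, u.min_length)
    if not problems:
        u.expires_on = now + timedelta(days=u.valid_days) if u.valid_days > 0 else None
    return problems

def expire_now(u: UserRecord, now: datetime) -> None:
    """[Expire Password Now]: back-date expiry so the next login forces a change."""
    u.expires_on = now - timedelta(days=FORCE_EXPIRE_DAYS)

def login_state(u: UserRecord, now: datetime, countdown_days: int) -> str:
    """'expired', 'warn' (inside the SOX_PASSWORD_COUNTDOWN window) or 'ok'."""
    if u.expires_on is None:
        return "ok"
    if u.expires_on <= now:
        return "expired"
    if countdown_days > 0 and u.expires_on - now <= timedelta(days=countdown_days):
        return "warn"
    return "ok"

def sox_findings(u: UserRecord, countdown_days: int) -> List[str]:
    """Audit one record against the SOX checklist on this page."""
    checks = [(u.min_length >= 8, "Password Minimum Length below 8"),
              (u.valid_days > 0, "password never expires"),
              (u.allow_user_change, "user cannot change own password"),
              (countdown_days > 0, "SOX_PASSWORD_COUNTDOWN not greater than 0"),
              (countdown_days < u.valid_days or u.valid_days == 0,
               "countdown not less than validity period")]
    return [msg for ok, msg in checks if not ok]
```

Running sox_findings over every user record gives the "For all users, verify the following" check in one pass; the per-password character rule can only be checked when a password is set, which is what password_problems does.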
1. In the User ID Field, enter the operating system log-in.
If you are not using the Log In with User ID feature, all users must have the User ID as 'nds' in this program. Since Windows does not pass the user ID, the program sets the User ID to 'nds'. Only a User ID of 'nds' will allow log-in for a Windows Client.
For other operating system client installations, this must match the user's operating system log-in.
If you are using the Log In with User ID feature, the user ID is case sensitive; for example, user ID nds is different from user ID NDS, Nds or nDs.
2. In the Application Password field, enter the application password. This field is encrypted and users cannot view their passwords in this program.
Security for the DBA (database administrator) Application Password should allow complete access to the system. Application Password 'nds' is initialized as such. The organization code can be specified for each user to personalize the menu display.
To create additional application passwords for users, make sure that the Unique User ID Code is different for each record.
Once the record is committed, the application password can be changed with the [Change Login] button in this program. Users cannot change their own passwords in this program.
In order for users to change their own passwords, the Allow User to Change Password flag must be set to on. The user can then change the password on the Password screen when logging into NDS.
Users with access to program MUSC, User Security Maintenance, can change application passwords in program MUSC, User Security Maintenance, for any user security record but their own.
The number of times a user can attempt to log in before the application automatically closes is entered in the Login Attempts Allowed field in program MUSM, System Parameter Maintenance.
If complying with the Sarbanes-Oxley (SOX) requirements, see the Sarbanes-Oxley (SOX) Compliance Features for Password Management section for information on password requirements.
3. The Password Expires On field indicates when this password will expire and a new password must be entered for the user. It will be entered automatically if a value is entered in the Password is valid for __ days field, calculated as the system date + the days entered. It cannot be changed manually.
4. In the Password is valid for __ days field, enter the number of days for which this password is valid. The system date when the password was entered + the days entered here determine the Password Expires On date. When a new password is entered for the user, the Password Expires On date is recalculated using the date that the new password was entered.
If 0 is entered in this field, the password will never expire and no date will be entered in the Password Expires On field.
If complying with the Sarbanes-Oxley (SOX) requirements, you must enter a value greater than 0 in this field.
5. In the Password Minimum Length field, enter the minimum number of characters that can be entered as a password for this user. If a new password is entered with fewer than this number of characters, a message will be displayed, and the new password must have the minimum number of characters before it can be changed.
If complying with the Sarbanes-Oxley (SOX) requirements, you must enter a value of 8 or greater in this field.
6. Set the Allow User to Change Password field to the desired setting. If this flag is set to on, the user will be able to change his/her password on the Password screen when logging into NDS using the [Change Login] button. If this flag is set to off, only the system administrator can change the user's password in this program.
If complying with the Sarbanes-Oxley (SOX) requirements, this flag must be set to on.
7. To force the user to change his password on the next log in, press the [Expire Password Now] button. The password expiration date is set 10,000 days before the current date. The user is then forced to change their password on the next log in.
8. Enter your Oracle User/Password and connect string.
Example: Oracle user = ndsdemo
Database Password = ndsdemo
Connect string = nds.world
Oracle User ID/Password field should read: ndsdemo/ndsdemo@nds.world
If the Oracle user ID and/or password do not match the application user in program MUSC, User Security Maintenance, Oracle displays the error message:
"ORA-01017: invalid username/password; log-in denied"
If the SQL*NET connect string does not match the application user in program MUSC, User Security Maintenance, Oracle displays the following error message and the Oracle log-on dialog box, where the correct values (as established by the application database administrator) can be entered. This error may also be displayed if there is a problem with the tnsnames file or the TCP/IP protocol implementation on the client. See your system administrator for assistance.
"ORA-12154: TNS: could not resolve service name"
If the SQL*NET connect string is not defined in the application user in program MUSC, User Security Maintenance, Oracle displays the error message:
"ORA-03121: no interface driver connected - function not performed"
The Oracle user is the user ID written into the transaction records. To create additional Oracle users, grants and synonyms must be used. NDS provides SQL scripts ndsmksyn.sql and ndsgrant.sql to complete the creation of synonyms and grants once the synonym user has been created. Refer to Oracle Server SQL Reference documentation to create Oracle users and NDS Installation documentation for instructions regarding the use of the scripts.
9. In the Employee field, enter the employee number for this user ID. The employee does not have to be entered when the security record is created. Once you have set up your employee records in program LREE, Employee Maintenance, you can return to this program to enter the employee number.
The employee number or initials will be automatically entered in the programs that require initials or employee number, such as program ICIA, Inventory Adjustments, and program ULEM, Universal Labor Entry.
If the initials are to be entered as part of the record entry process, tab through the Initials field or Employee field to have the information entered automatically, such as in program POEM, P.O. Entry/Maintenance.
10. In the Unique User ID Code field, enter a unique user-defined value for this security record.
To create additional Application Passwords for users, make sure that Unique User ID Code is different for each record.
11. In the Organization Code field, enter the organization code for this security record.
Organization codes are entered in program MUOM, Menu Organization Code Maintenance, and are used to define the user's organization. The default for new entries is 00.
12. In the Default Printer Name field, enter the default printer name from program MUPM, Printer Definition Maintenance for this user. This is the printer that appears as the default on the menu for this user.
13. In the Printer Group field, enter the printer group from program MUPG, Printer Group Definitions, that is the default for this user. The users that are assigned to a specific printer group can be viewed with the [Users] button in program MUPG, Printer Group Definitions.
14. Set the User Status pop-list to the desired setting.
If you set this pop-list to Inactive, the user ID will be temporarily disabled.
15. Setting the Log Menu Activity and enable Auto Job Restarts flag to on will log menu activity for the user and will display a job restart option upon log in if a job was interrupted for the user.
This feature is designed specifically to work with synonym users. The job restart / menu logging feature is specific to Oracle users, not NDS users. This means that if all NDS users are linked to the same Oracle user, jobs would restart for every user and menu logs would be a compilation of all NDS users.
16. If this user is allowed to maintain drill down definitions and restart jobs, set the Drill Down & Restart Job Administrator flag to on.
17. In the Security User Group field, if the user belongs to a user security group, enter the group.
Security user groups are entered on page four of this program. For more information, see the Entering Security User Groups section.
18. Set the Query Only User flag to on if this user can only query information in programs, but cannot maintain the information.
Query only users have access to all programs except those that have the Query Mode Action Pop-list in program MUJM, Menu and Job Parameter Maintenance, set to No Query Users.
19. In the Default Menu to Display field, enter the default menu to display for this user upon log in.
When you assign the user to a user security group, the value in this field is overwritten by the default menu entered on program page four. For a user already assigned to a user security group, entries in the field on page one override the menu entered on program page four.
20. If all programs on the menus are to be displayed, set the Show All Menu Entries flag to on. If only those programs that the user is allowed to run are to be displayed, set the Show All Menu Entries flag to off.
21. If you have user menus set up in program UTUB, User Menu Maintenance, and you want to display a user menu on log in for this user, enter the user menu group in the Personal Menu to Display field.
If the menu that is entered in this field is deleted or does not exist, the menu in the Default Menu to Display field will be displayed for the user on log in.
Existing user menus can be displayed with the List of Values.
22. Set the Include/Exclude Application Access pop-list to the desired setting.
Security is defined as Application Access of Exclude or Include users.
Exclude users have access to all programs except for specifically specified applications or programs from which they are to be excluded. These are entered on page two or three of the program.
Include users have access only to the specific applications or programs included in their list which is entered on page two or three of the program. If a user is specified as include and no applications or programs are entered, they will be unable to run any programs. If this is the only user row created, once you have logged off the system, you will be unable to log back on.
23. In the Xephr Roles section, if you are using Xephr for some of your database applications, and you are using external authentication, these are the Xephr Roles that this user is assigned for the Xephr applications.
24. Press [Commit].
25. Go to the second page of the program to enter the application access for the user.
If the user is an exclude user, enter the application menus that the user cannot access on this page.
If the user is an include user, enter the application menus that the user is allowed to access on this page.
For any entries that are not part of the user's assigned security group, set the Personal Permission flag to on. This will prevent the entry from being overwritten when changes are made to the user's security group.
Press [Commit].
26. Go to the third page to allow and disallow access for the user to specific programs.
Enter the program to which you are allowing or disallowing access.
Set the Access pop-list to Allow or Disallow.
For any entries that are not part of the user's assigned security group, set the Personal Permission flag to on. This will prevent the entry from being overwritten when changes are made to the user's security group.
Press [Commit].
1. Query the user for which you wish to change the application password.
Users with access to program MUSC, User Security Maintenance, can change application passwords in program MUSC, User Security Maintenance, for any user security record but their own.
For information on changing the user application password from the Password screen upon logging in, see Changing Application Passwords on Login.
2. Press the [Change Login] button.
3. In the Enter New Password field, enter the new password for the user.
The new password must contain the minimum number of characters entered in the Password Minimum Length field.
4. In the Verify New Password field, reenter the new password for the user. This must be exactly the same as the password entered in the Enter New Password field.
5. Set the Force password change at next login flag to the desired setting. When this flag is set to on, the expiration date is set 10,000 days before the current date. The user is then forced to change their password on the next log in.
The flag is set to on automatically if the SOX_PASSWORD_COMPLIANCE parameter is set to Yes in program MURM, Initialization Parameter Maintenance, and cannot be changed.
6. Press the [Update Login] button to change the user's password.
You can press the [Cancel] button to cancel the password change. The user's password will not be updated.
7. If the passwords do not match, a message will be displayed, and they will have to be reentered.
8. Provided the passwords match and meet the minimum required length, the user's password will be updated with the new value.
1. Go to page four of the program.
2. Enter the user security group identifier and description.
3. Enter the default menu to display for members of the group upon user log in.
When you assign the user to a user security group, the user's default menu on page one is overwritten by the default menu entered for the user security group. For a user already assigned to a user security group, entries in the field on page one override the menu entered for the user security group.
4. Set the Include/Exclude Application Access pop-list to the desired setting.
Security is defined as Application Access of Exclude or Include users for the user group.
Members of Exclude user security groups have access to all programs except for specifically specified applications or programs from which they are to be excluded. These are entered in the lower block of this screen.
Members of Include user security groups have access only to the specific applications or programs included in their list, which is entered in the lower block of this screen. If a user security group is specified as include and no applications or programs are entered, members will be unable to run any programs.
5. In the lower block, enter the application access for the user security group.
If the user security group is an exclude user security group, enter the application menus that the members cannot access.
If the user security group is an include user security group, enter the application menus that the members are allowed to access.
Press [Commit].
6. Press the [Apply to all members] button to apply the applications information in the lower block of the screen to all members of the user security group. This will replace the users' current security information. Any entries on page 2 or 3 without the Personal Permission flag set to on will be overwritten.
7. Go to page five to allow and disallow access for the user security group to specific programs.
Enter the program to which you are allowing or disallowing access.
Set the Access pop-list to Allow or Disallow.
Press [Commit].
8. Press the [Apply to all members] button to apply the applications information on page five to all members of the user security group. This will replace the users' current security information. Any entries on page 2 or 3 without the Personal Permission flag set to on will be overwritten.
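The effect of [Apply to all members] on individual restrictions is easy to miss, so the following added example (not NDS code) models the Include/Exclude evaluation and the overwrite of entries that lack the Personal Permission flag. The Group and User classes, the function names and the application menu names are hypothetical, and the rule that a program entry outranks its application entry is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Group:                      # hypothetical model of a page-four security user group
    mode: str                     # "Include" or "Exclude"
    apps: List[str] = field(default_factory=list)            # lower block of page four
    programs: Dict[str, str] = field(default_factory=dict)   # page five: program -> Allow/Disallow

@dataclass
class User:                       # hypothetical model of pages one to three for one user
    mode: str
    apps: Dict[str, bool] = field(default_factory=dict)      # page two: app -> Personal Permission
    programs: Dict[str, Tuple[str, bool]] = field(default_factory=dict)  # page three: (access, personal)

def can_run(u: User, program: str, application: str) -> bool:
    """Decide access to one program that lives on one application menu."""
    if program in u.programs:     # assumption: a program entry outranks its application entry
        return u.programs[program][0] == "Allow"
    listed = application in u.apps
    return listed if u.mode == "Include" else not listed

def apply_to_all_members(g: Group, members: List[User]) -> None:
    """Replace each member's entries with the group's, keeping Personal Permission rows."""
    for u in members:
        keep_apps = {a: True for a, personal in u.apps.items() if personal}
        keep_progs = {p: v for p, v in u.programs.items() if v[1]}
        u.apps = {**{a: False for a in g.apps}, **keep_apps}
        u.programs = {**{p: (acc, False) for p, acc in g.programs.items()}, **keep_progs}

def unusable_include_users(users: Dict[str, User]) -> List[str]:
    """Include users with no application and no allowed program cannot run anything."""
    return sorted(name for name, u in users.items()
                  if u.mode == "Include" and not u.apps
                  and not any(acc == "Allow" for acc, _ in u.programs.values()))

def demo() -> Tuple[bool, bool, bool, List[str]]:
    # Constructed sample data; the application menu names are made up.
    auditor = User("Exclude", programs={"MUSC": ("Disallow", False),   # no Personal Permission
                                        "ICIA": ("Disallow", True)})   # Personal Permission on
    group = Group("Exclude", apps=["PAYROLL"], programs={"POEM": "Disallow"})
    before = can_run(auditor, "MUSC", "UTILITIES")     # blocked by the user's own entry
    apply_to_all_members(group, [auditor])
    after = can_run(auditor, "MUSC", "UTILITIES")      # entry overwritten: now reachable
    kept = can_run(auditor, "ICIA", "INVENTORY")       # personal entry survives
    return before, after, kept, unusable_include_users({"auditor": auditor, "new": User("Include")})
```

In the demo, the user's Disallow on MUSC had no Personal Permission flag, so applying the group removes it and an Exclude user regains access to that program; reviewing non-personal Disallow entries before pressing the button avoids this.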
Press this button to apply the application security information to all members of the user group. This will replace the users' current security information. Any entries on page 2 or 3 without the Personal Permission flag set to on will be overwritten.
Press this button to cancel the user application password change. The user's application password will not be updated.
Press this button to open the Change Application Login screen to allow you to change the user's application password.
Press this button to force the user to change his password on the next log in. The password expiration date is set 10,000 days before the current date. The user is then forced to change their password on the next log in.
Press this button to change the user's application password to the new password entered in the fields on the Change Application Login screen. Provided the passwords match and meet the minimum required length, the user's password will be updated with the new value.