Database access
Sage XRT Common Services administration console enables you to define the management of user access rights for Sage XRT applications.
Access rights management
Two modes to grant access rights are available:
- Select [Access permissions are granted by a security administrator] if you want a simple access permissions management in which only one Security Administrator intervenes.
- Select [Access permissions are granted by a level 1 security administrator and validated by a level 2 security administrator], if you want every action taken by Security Administrator to be validated by a second one.
Selection of authentication strategy
According to the authentication type used by the Database Administrator (DBA) to connect to the database server, you can select:
- Use Windows NT integrated security: the DBA is authenticated by its NT account (we recommend this authentication level).
- Use a specific username and password: the DBA is authenticated by a username and a password.
Definition of security policy through Sage XRT Common Services
Audit functions for access and identities management
On top of providing the obvious functions, the identity and access management must prove its efficiency.
The evidence must be remitted to auditors upon request and in written to be archived.
The proof must cover the frequently audited areas, i.e.:
- Administrator actions
- Create User
- Delete User
- Change User Password
- Change management strategy of passwords
- Change access configuration to LDAP directory
- Access granted
- Access denied
- Final user actions
- Login
- Logoff
- Specific messages from the application
- Tests for compliance with security policy
- User account locked after n failed tries log on
The Users Audit table describes all actions executed by the users.
The System Audit table describes all actions executed at time t.
Security Reporting
Sage XRT Common Services administration console enables you to edit reports listing the authorized/denied functions for each profile and each product from the platform.
Compliance with Sarbanes Oxley Act
The Sarbanes Oxley Act imposes security rules to get access to operating systems and applications.
Below is the list of security issues regarding access and use of Sage XRT applications for a standard user.
Sage XRT password policy complies with the requirement of the Sarbanes Oxley Act.
| Security issues | Sage XRT Advanced | Sage XRT Treasury | Sage XRT Comm/Sign | Sage XRT Business Exchange (rich client) | Sage XRT Business Exchange (web module) |
|---|---|---|---|---|---|
| The application manages profiles. |
|
|
|
|
|
| Passwords are mandatory. |
|
|
|
|
|
| A standard password is given to everyone or to a group upon account creation. |
|
|
|
|
|
| The password must be changed upon first connection. |
Customizable |
Customizable |
Customizable |
Customizable |
Customizable |
| Passwords must contain at least 6 characters, among which 1 uppercase letter and 1 digit. |
Customizable |
Customizable |
Customizable |
Customizable |
Customizable |
| Passwords must be changed every 42 Days. |
Customizable |
Customizable |
Customizable |
Customizable |
Customizable |
| The application keeps the passwords history. The four last passwords cannot be used. |
Customizable |
Customizable |
Customizable |
Customizable |
Customizable |
| Passwords are not kept to avoid new entry in later connections. |
|
|
|||
| The password is locked after 3 unsuccessful entries. It is automatically reactivated after 10 minutes. |
Customizable |
Customizable |
Customizable |
Customizable |
Customizable |
| The account is not locked if not used for several days. |
|
|
|
|
|
| The session is locked after 10-minute inactivity. |
|
|
|
|
Period customizable |
| Security rules cannot be modified from user work station. |
|
|
|
|
|
| Every access to application must be logged. |
|
|
|
|
|
| For short-term contract users, the specification of an end date of validity is mandatory corresponding to the end date of contract. |
Customizable |
Customizable |
Customizable |
Customizable |
Customizable |
