Description

Security Configuration
Security involves finding the optimal balance between protection and usability. Higher security typically means less convenience, and this balance point varies for each customer based on their specific requirements and tolerance for security measures.
Secwin addresses this challenge through runtime configuration capabilities, allowing each customer to implement the features and policies that best match their security needs. To access and modify these security settings, users must have Administrator or SysAdmin privileges in the system.
Overview
DEXIT Security Framework
DEXIT's security system is designed with flexibility to function across both desktop and web platforms, supporting either single-tenant or multi-tenant deployments. The system integrates with external communication services like email and SMS to enable modern security features including two-factor authentication, password reset workflows, and self-service account registration.
Database security is a critical concern, as unauthorized database access could compromise DEXIT's security features. For example, if someone tampers with user records, affected users may lose system access. To mitigate these risks, physical database access should be restricted using appropriate mechanisms (such as table ownership in DEX). Even if unauthorized access occurs, the system is designed to protect data from exposure, with damaged data recoverable from backups without compromising data integrity.
Logins
User Login System
The DEXIT login system balances security with usability through a comprehensive set of configurable options. This runtime-configurable approach allows each customer to tailor the security features according to their specific needs, whether they're using the desktop or web platform.
Features
• Loginless option - System can operate without user authentication if desired
• Secure password storage - Implements salted-hash values rather than encrypted text
• Second Factor Authentication - Configurable via SMS or Email with customizable policies (every login, new devices only, or time-based)
• Active Directory integration - Supports password or password-less authentication with optional In-Group verification
• Guest account support - Pre-defined accounts with limited access rights requiring no password
• Customizable password policies - Options to prevent password reuse and reject commonly used weak passwords
• Flexible lockout settings - Customer-defined policies for account locking duration after failed login attempts
• Self-service options - Password resets via SMS/Email and self-registration with default access rights
• Multi-tenant capabilities - Supports both unique-user and company/user login structures
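The "salted-hash" storage and the password-policy checks listed above can be illustrated with a short Python example. This is an added illustration, not Secwin/DEXIT code: the hash function (PBKDF2-HMAC-SHA256), the 16-byte salt, the iteration count, the record layout and the short list of common passwords are all constructed for the example, since the page does not state what the product actually uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not the product's actual values).
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 200_000

# Illustrative deny list standing in for a "commonly used weak passwords" table.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per record means two users with the same password
    store different values, and a copied table cannot be attacked with one
    precomputed lookup. Nothing reversible is written, unlike encrypted text.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        algo = scheme.split("_", 1)[1]
        digest = hashlib.pbkdf2_hmac(
            algo, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, IndexError):
        # Malformed or tampered record: treat as a failed verification.
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


def password_acceptable(password: str, previous_records: list) -> bool:
    """Reject commonly used passwords and reuse of any earlier hash record."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    return not any(verify_password(password, rec) for rec in previous_records)


if __name__ == "__main__":
    record = hash_password("Correct-Horse-9")
    print(record)
    print("verify ok:", verify_password("Correct-Horse-9", record))
    print("reuse blocked:", not password_acceptable("Correct-Horse-9", [record]))
```

Because the record carries its own algorithm name, salt and iteration count, the parameters can be raised later without a file-structure change: old records still verify, and a user's record is rewritten with the new parameters the next time they authenticate.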
Security Tables
DEXIT employs comprehensive encryption for all sensitive information within data tables, preventing unauthorized programs from deciphering or altering protected content. The system is designed with multiple security layers:
Key Features
• Full encryption of sensitive data - All private information is stored in encrypted format
• Tamper resistance - Even unencrypted fields are protected against unauthorized modification
• Four-secret security system - Data can be bound to specific program, table, or customer
• Extensible security architecture - New security policies can be implemented without file structure changes
• Privacy law compliance - User data encryption conforms with relevant data protection regulations
User Groups
User Groups provide an efficient method for managing access rights across multiple users. This system simplifies administration by allowing rights to be assigned once at the group level rather than repeatedly for individual users.
Key Features
• Centralized rights assignment - Standard access rights are assigned to groups rather than individuals
• Cumulative permissions - Users in multiple groups inherit all rights from each group membership
• Individual exceptions - Group rights can be overridden at the user level, allowing specific rights to be denied to individual users regardless of their group memberships
Doors
"Doors" Approach to Access Management
The "Doors" concept represents a structured approach to access management where collections of procedures and controls are bundled together under a single access identifier. This system simplifies permission management by creating logical groupings of related functionalities.
Key Features
• Unified access control - Multiple elements (fields, reports, procedures) are consolidated under one access point
• Programmer-defined - Doors are intrinsically defined during development and locked in at compile time
• Contextual organization - Related items are naturally grouped (e.g., a "Salaries" door controlling all salary-related access)
• Simplified assignment - Users receive access to multiple related functions through a single permission assignment
• Reduced administrative complexity - The pre-defined nature eliminates customer burden of identifying all places where specific data appears in the system
User and User Levels
Users
In the DEXIT system, users represent individuals who access the program with varying levels of privileges. Each user has a unique profile with login credentials and optional contact information for security functions.
User Elements
• Login and Password - Basic authentication credentials
• Email and Phone - Used for second factor authentication and password reset
• Group Memberships - Users can belong to multiple groups
• Individual Rights - Can override group-assigned rights
User Levels
• No Level - Basic user with minimal access
• Guest - Similar to Operator but logs in without password
• Operator - Has limited access based on group memberships and rights assigned by higher-level users
• Supervisor - Has unlimited program access and can assign rights to Operators and Groups
• Administrator - Complete system access with ability to manage users, groups, and company-specific security settings
• SysAdmin - Administrator with cross-company control; the first user must be SysAdmin and cannot be deleted if other users exist
Default Rights
The Default Rights setting determines baseline access privileges for different user types in the DEXIT system. This setting establishes the foundation for access control, with specific rules based on user classification.
Application by User Level
• SysAdmin, Administrator, and Supervisor - Always have complete access to all program functions appropriate for their level; Default Rights setting does not apply
• No Access Users - Cannot access the application at all; Default Rights setting does not apply
• Operator and Guest Users - Default access determined by the Default Rights setting
Default Rights Options
• All - Most permissive setting; grants access to all program functions except where explicitly denied at user or group level
• Group - User inherits access rights from their assigned group(s), including any default access rights of those groups
• None - Most restrictive setting; user only receives access explicitly granted to them individually or through group membership
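The interaction between cumulative group rights, individual exceptions (the User Groups section above) and the three Default Rights options can be written down as one resolver. The Python below is an added example, not DEXIT code: the door names, the group and user records, and the rule that an explicit group-level deny beats a grant from another group are assumptions made for the example, since the page does not say how conflicting groups are reconciled.

```python
from dataclasses import dataclass, field

# Levels that always have complete access; Default Rights does not apply to them.
FULL_ACCESS_LEVELS = {"SysAdmin", "Administrator", "Supervisor"}
# Levels whose baseline access is decided by the Default Rights setting.
DEFAULT_RIGHTS_LEVELS = {"Operator", "Guest"}


@dataclass
class Group:
    name: str
    granted: set = field(default_factory=set)   # doors explicitly allowed
    denied: set = field(default_factory=set)    # doors explicitly denied
    default_all: bool = False                   # the group's own default right


@dataclass
class User:
    login: str
    level: str
    groups: list = field(default_factory=list)
    granted: set = field(default_factory=set)   # individual grants
    denied: set = field(default_factory=set)    # individual exceptions


def has_access(user: User, door: str, default_rights: str) -> bool:
    """Decide whether `user` may pass `door` under a Default Rights setting.

    default_rights is one of "All", "Group" or "None".
    """
    if user.level in FULL_ACCESS_LEVELS:
        return True
    if user.level not in DEFAULT_RIGHTS_LEVELS:
        return False                       # No Level / no-access users
    if door in user.denied:
        return False                       # individual exception beats every group
    if door in user.granted:
        return True
    # Assumption for this example: an explicit deny in any group wins over a
    # grant from another group.
    if any(door in g.denied for g in user.groups):
        return False
    if any(door in g.granted for g in user.groups):
        return True                        # cumulative: any group grant suffices
    if default_rights == "All":
        return True
    if default_rights == "Group":
        return any(g.default_all for g in user.groups)
    return False                           # "None": nothing unless granted


def effective_doors(user: User, all_doors: set, default_rights: str) -> set:
    """The subset of `all_doors` the user can open; handy for an audit listing."""
    return {d for d in all_doors if has_access(user, d, default_rights)}


if __name__ == "__main__":
    payroll = Group("Payroll", granted={"Salaries"})
    ann = User("ann", "Operator", groups=[payroll], denied={"Salaries"})
    print(effective_doors(ann, {"Salaries", "Reports"}, "All"))  # Reports only
```

Running `effective_doors` for each user under the current setting is a quick way to review what a change from "None" to "All" would actually open up before making it.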
Unlocking a User
When users exceed the allowed number of incorrect password attempts, they may become locked out of the system. The DEXIT platform provides administrative solutions to restore access when needed.
Lock Types
• Temporary Lock - System automatically restores access after a predetermined time period
• Permanent Lock - Requires administrative intervention to restore access
Unlocking Process
• Administrator accesses the user record through the system interface
• Locates and clicks the "Unlock User" button within the user's record
• This action immediately restores the user's ability to authenticate
• Works for both temporarily and permanently locked accounts
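The two lock types and the administrative unlock can be modelled as a small state machine. The Python below is an added example and not the DEXIT implementation: the policy values (attempt limit, lock duration, and representing a permanent lock as a policy with no duration) are constructed stand-ins for the customer-defined lockout settings the page mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LockPolicy:
    # Constructed values; the real limits are customer-defined.
    max_attempts: int = 5
    # None means the account stays locked until an administrator unlocks it.
    lock_duration: Optional[timedelta] = timedelta(minutes=15)


@dataclass
class LoginState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None   # temporary lock expiry
    permanently_locked: bool = False


def is_locked(state: LoginState, now: datetime) -> bool:
    """True while a lock is in force; a temporary lock expires by itself."""
    if state.permanently_locked:
        return True
    if state.locked_until is not None:
        if now < state.locked_until:
            return True
        # Temporary lock has expired: the system restores access automatically.
        state.locked_until = None
        state.failed_attempts = 0
    return False


def attempt_login(state: LoginState, policy: LockPolicy,
                  password_ok: bool, now: datetime) -> str:
    """Returns "locked", "failed" or "ok".

    A correct password during a lock window still reports "locked", so a
    locked account gives no hint about whether a guess was right.
    """
    if is_locked(state, now):
        return "locked"
    if password_ok:
        state.failed_attempts = 0
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_attempts:
        if policy.lock_duration is None:
            state.permanently_locked = True
        else:
            state.locked_until = now + policy.lock_duration
        return "locked"
    return "failed"


def admin_unlock(state: LoginState) -> None:
    """The "Unlock User" action: clears either kind of lock immediately."""
    state.failed_attempts = 0
    state.locked_until = None
    state.permanently_locked = False


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    s = LoginState()
    for _ in range(5):
        print(attempt_login(s, LockPolicy(), False, now))
    admin_unlock(s)
    print(attempt_login(s, LockPolicy(), True, now))   # "ok"
```

Logging every transition (failure count, lock set, lock expired, admin unlock) alongside the user record gives the audit trail needed to tell a forgotten password from a password-guessing attempt.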
Deleting a User
In the DEXIT system, user records are preserved for logging and auditing purposes rather than being completely removed from the database. This approach maintains system integrity while preventing unauthorized access.
Deletion Process
• When a user is "deleted," their record remains in the system but is marked as deleted
• Deleted users appear in the users list with a deleted status indicator
• Deleted users cannot log into the system
• Historical actions performed by deleted users remain properly attributed in system logs
User Self Signup
DEXIT provides a self-registration capability that allows users to create their own accounts within the system. This feature brings web application convenience to both desktop and web environments.
Requirements
• Only available with Program Login or Windows Login authentication types
• Not compatible with Active Directory authentication
• Requires either SMS or Email functionality to be configured in the system
• New user passwords are delivered via the configured communication method
Process
• User clicks the "Register" button on the login window
• System presents a registration form requesting:
- Login name
- Full name
- Email address
- Phone number
• Upon form submission, system generates a secure password
• Password is sent to the user via email or SMS
• User can then log in with their new credentials
User Login Type
DEXIT offers flexible authentication options to accommodate different organizational needs through its Security Policies configuration.
Login Types
• Multiple authentication methods available, including:
- Program logins (internal authentication)
- Active Directory integration
Special Accommodations
• Additional users can be added outside Active Directory when needed
• SysAdmin users can be configured to bypass Active Directory authentication, avoiding a login deadlock in which no administrator is able to log in
User-Specific Settings
• Individual users can be assigned different login types than the system default
• This configuration is available on the "Other" tab of the Update User form
• Allows for mixed authentication environments within the same system