The overall Qbyte Metrix Security architecture incorporates access control, data security and auditing. Access control ensures actions that invoke functionality within Qbyte Metrix will execute with valid credentials. Auditing provides a comprehensive method to track changes over time.
Access control provides clients with the ability to control access to Qbyte Metrix at several levels ranging from very general to very granular.
System administrators will create users, grant Region access and assign security roles to users based on the specific privileges required for each user. Corporate level access provides overall access to view/edit data and run processes. Control Group access provides a specific level of access for screens and features that are related to a Control Group.
Seven pre-defined security roles have been seeded by P2 as a starting point. These roles can be changed and/or copied to allow clients to manage their specific security requirements.
Auditing takes two forms:
Data Change Auditing: The data change audit information is triggered within the application to capture creation date/time, creation program, creation user ID, last update date/time, last update program, last update user ID on many database tables. If tables are cleared and replaced during a processing run, the database tables will contain creation date/time, creation user ID and a job ID.
Audit Schema: Database triggers populate audit tables for Master and Monthly data tables with before and after records when data is added, updated or deleted. Audit tables are maintained in a separate database schema. Records in these tables are only added and no capability to delete or update them has been provided through the application.
This page will focus mainly on Access Control.
Each Qbyte Metrix user requires an Oracle database user (Oracle User Account). When a user inputs their credentials, those credentials are validated against that database user.
Qbyte Metrix supports password aging and password verification. This functionality is implemented by leveraging Oracle’s functionality in this area. It is accomplished by creating Database (DB) profiles and then assigning these profiles to DB users. Qbyte Metrix traps various Oracle messages and displays appropriate error messages to the user.
Note: Please consult Oracle documentation for information on how to setup Oracle profiles for this purpose.
Requiring a Qbyte Metrix user to first be setup as an Oracle database user provides the client with the ability to set customized password security rules to handle the following situations:
Password Expiry Period.
Password Strength. Password strength is the length of password and the requirement for combinations of numbers, letters and special character.
The special characters that are not valid for password use " ` ~ & | |
Lock out period after failed attempts. The lock out period is the number of failed attempts that will be allowed before a user is locked out and the length of time the user will be locked out.
Session time-out. Session time-out is the length of time the user can be inactive in Qbyte Metrix before the session times out and the user is forced to log back in. Logging in after a session time-out will return the user to the last screen they were on.
P2 hosts the Qbyte Metrix application for many clients. These clients use an application called Access Management to create and maintain all users. Additionally, users use the Access Management application to change their password as it is then synchronized for all P2 products. Hosted clients manage User Roles within Qbyte Metrix.
For non-hosted clients (the Qbyte Metrix application is in-house), clients configure users within Qbyte Metrix and users will maintain their passwords within Qbyte Metrix.
Within the Qbyte Metrix application, clients can access Qbyte Metrix Reporting through a link on the Main screen that will open the Optix Reporting tool in a new browser window. Logging into Optix is not required as authentication is shared.
User ID/Names are configured in the Administration --> Users --> Details tab. Clients can indicate if a user is active or inactive. Inactive users appear with brackets { } around the User Name and are displayed at the bottom of each dropdown list for User ID, PA Responsible and Individual Responsible. This allows easier selection of Active Users. User ID’s cannot be deleted once they are referenced as a PA or Individual Responsible.
A user is assigned Corporate level roles through the Administration --> Users --> Roles tab. Each user can be assigned multiple roles. If the user is assigned multiple roles, the role with the greatest level of permission (for the function) is used. User roles are not production date centric.
A user can be granted ‘All Control Groups Access’ which will allow the user to see all Control Groups in the Explorer screen for the Region they have access to. Once in Explorer, a user’s control group role, association to a control group and their corporate role will determine what they can see and do to each Control Group.
Users are granted access to Regions through the Administration --> User Region Maintenance screen. Users typically have a default region they access most of the time. Users can change their region in any session and they can set or change their default region at any time. Access to Regions is not production date centric. Users are only able to select/switch to a region they have access to (only regions the user has access to will appear in the drop-down list of available regions).
A users must have been granted access to at least one Region before they can see any Qbyte Metrix application screens.
Within the Administration --> User Profile screen, clients can:
Switch regions for their session
Set their default region
Set their home page (Explorer or Home or Sitemap)
Set their preference for expanding control groups on Explorer
Set their Default Explorer Production Date
Set their Default Explorer Control Group
Change Password
Many daily actions such as data entry, changing master data and running processes are done at a Control Group level so these functions are linked to Control Group Security Roles.
At the Control Group level, a user can either be granted a specific Control Group Role or they can be associated to a Control Group.
Control Group roles control what the user has permission to do in a specific Control Group. P2 provides three seeded Control Group roles for: 1) users who require the ability to inquire, 2) users who do monthly work and 3) users who both do monthly work and also need to update masters.
Associating a user to a control group is done by adding the user to the Control group in Control Group security but not assigning them a specific control group role. This will then apply their Corporate Role privileges to that Control Group. If a user is associated to a control group, they must either have a Control Group Role or have a Corporate Role.
Users that have been granted ‘All Control Group Access’ will see all Control Groups in the Explorer screens but their privileges within each control group depends on their control group/corporate role.
Qbyte Metrix currently has 125+ Secured Components that describe common activities, such as: Run Process, Well Maintenance, User Maintenance, Pricing Edit, Battery Balance Edit, Close Month End.
Each of these components can be assigned one of three Permissions: Full Access, View Only or No Access.
A combination of Secured Components and the associated Permission for each of them are grouped together to form a Security Role. Security roles are then assigned to users to determine everything a user can see or do within Qbyte Metrix, i.e. view data vs. edit, run processes, etc.
To simplify the security configuration for each client, P2 has created seven pre-defined roles with generic/common titles. Clients can change these seeded roles, copy them to create new roles or build new roles from scratch.
The following roles relate to Corporate level security:
ADMINISTRATOR: full access to most operations
SUPERVISOR: full access to many screens and view access to users/roles and system configurations
PRODACCOUNTANT: full access to many screens required for monthly work and no access to administration type screens and functions
INQUIRYONLY: inquiry only to most areas of the system and No Access to important screens and functions.
The following roles relate to Control Group level security.
CGINQUIRIESONLY – Control Group – Inquiry Only
CGMONTHLYWRK – Control Group – Monthly Work
CGMONTHLYWRKMSTR – Control Group – Monthly Work & Master Changes