Qbyte Metrix Security

Back to Security

Overview

The overall Qbyte Metrix Security architecture incorporates access control, data security and auditing.  Access control ensures actions that invoke functionality within Qbyte Metrix will execute with valid credentials.  Auditing provides a comprehensive method to track changes over time. 

Access control provides clients with the ability to control access to Qbyte Metrix at several levels ranging from very general to very granular. 

• System administrators will create users, grant Region access and assign security roles to users based on the specific privileges required for each user.   Corporate level access provides overall access to view/edit data and run processes.  Control Group access provides a specific level of access for screens and features that are related to a Control Group. 

• Seven pre-defined security roles have been seeded by P2 as a starting point.  These roles can be changed and/or copied to allow clients to manage their specific security requirements. 

Auditing takes two forms:

• Data Change Auditing: The data change audit information is triggered within the application to capture creation date/time, creation program, creation user ID, last update date/time, last update program, last update user ID on many database tables.  If tables are cleared and replaced during a processing run, the database tables will contain creation date/time, creation user ID and a job ID.

• Audit Schema: Database triggers populate audit tables for Master and Monthly data tables with before and after records when data is added, updated or deleted.  Audit tables are maintained in a separate database schema.  Records in these tables are only added and no capability to delete or update them has been provided through the application.

This page will focus mainly on Access Control.  

Users

Each Qbyte Metrix user requires an Oracle database user (Oracle User Account). When a user inputs their credentials, those credentials are validated against that database user.  

Password Aging and Validation

Qbyte Metrix supports password aging and password verification. This functionality is implemented by leveraging Oracle’s functionality in this area. It is accomplished by creating Database (DB) profiles and then assigning these profiles to DB users. Qbyte Metrix traps various Oracle messages and displays appropriate error messages to the user.

Note: Please consult Oracle documentation for information on how to setup Oracle profiles for this purpose.

Requiring a Qbyte Metrix user to first be setup as an Oracle database user provides the client with the ability to set customized password security rules to handle the following situations:

• Password Expiry Period.

• Password Strength. Password strength is the length of password and the requirement for combinations of numbers, letters and special character.

• Lock out period after failed attempts. The lock out period is the number of failed attempts that will be allowed before a user is locked out and the length of time the user will be locked out.

• Session time-out. Session time-out is the length of time the user can be inactive in Qbyte Metrix before the session times out and the user is forced to log back in. Logging in after a session time-out will return the user to the last screen they were on.

P2 hosts the Qbyte Metrix application for many clients.  These clients use an application called Access Management to create and maintain all users.  Additionally, users use the Access Management application to change their password as it is then synchronized for all P2 products.  Hosted clients manage User Roles within Qbyte Metrix. 

For non-hosted clients (the Qbyte Metrix application is in-house), clients configure users within Qbyte Metrix and users will maintain their passwords within Qbyte Metrix.

Within the Qbyte Metrix application, clients can access Qbyte Metrix Reporting through a link on the Main screen that will open the Optix Reporting tool in a new browser window.  Logging into Optix is not required as authentication is shared.

User Security Configuration in Qbyte Metrix

User ID/Names are configured in the Administration --> Users -->  Details tab.  Clients can indicate if a user is active or inactive.  Inactive users appear with brackets { } around the User Name and are displayed at the bottom of each dropdown list for User ID, PA Responsible and Individual Responsible. This allows easier selection of Active Users.  User ID’s cannot be deleted once they are referenced as a PA or Individual Responsible.

User Roles:

A user is assigned Corporate level roles through the Administration --> Users --> Roles tab.  Each user can be assigned multiple roles.  If the user is assigned multiple roles, the role with the greatest level of permission (for the function) is used.  User roles are not production date centric.

A user can be granted ‘All Control Groups Access’ which will allow the user to see all Control Groups in the Explorer screen for the Region they have access to.  Once in Explorer, a user’s control group role, association to a control group and their corporate role will determine what they can see and do to each Control Group. 

User Regions:

Users are granted access to Regions through the Administration --> User Region Maintenance screen. Users typically have a default region they access most of the time.  Users can change their region in any session and they can set or change their default region at any time.  Access to Regions is not production date centric.  Users are only able to select/switch to a region they have access to (only regions the user has access to will appear in the drop-down list of available regions).  

A users must have been granted access to at least one Region before they can see any Qbyte Metrix application screens.

User Profile:

Within the Administration --> User Profile screen, clients can:

• Switch regions for their session

• Set their default region

• Set their home page (Explorer or Home or Sitemap)

• Set their preference for expanding control groups on Explorer

• Set their Default Explorer Production Date

• Set their Default Explorer Control Group

• Change Password

Control Group Security

Many daily actions such as data entry, changing master data and running processes are done at a Control Group level so these functions are linked to Control Group Security Roles. 

At the Control Group level, a user can either be granted a specific Control Group Role or they can be associated to a Control Group.

• Control Group roles control what the user has permission to do in a specific Control Group.  P2 provides three seeded Control Group roles for:  1) users who require the ability to inquire, 2) users who do monthly work and 3) users who both do monthly work and also need to update masters. 

• Associating a user to a control group is done by adding the user to the Control group in Control Group security but not assigning them a specific control group role.  This will then apply their Corporate Role privileges to that Control Group.  If a user is associated to a control group, they must either have a Control Group Role or have a Corporate Role.

Users that have been granted ‘All Control Group Access’ will see all Control Groups in the Explorer screens but their privileges within each control group depends on their  control group/corporate role.

Security Roles

Qbyte Metrix currently has 125+ Secured Components that describe common activities, such as: Run Process, Well Maintenance, User Maintenance, Pricing Edit, Battery Balance Edit, Close Month End. 

Each of these components can be assigned one of three Permissions:  Full Access, View Only or No Access.

A combination of Secured Components and the associated Permission for each of them are grouped together to form a Security Role.  Security roles are then assigned to users to determine everything a user can see or do within Qbyte Metrix, i.e. view data vs. edit, run processes, etc. 

To simplify the security configuration for each client, P2 has created seven pre-defined roles with generic/common titles.   Clients can change these seeded roles, copy them to create new roles or build new roles from scratch.

The following roles relate to Corporate level security:

The following roles relate to Control Group level security.