Establishing a Security Plan
Every user must be identified in the system, given access to a domain and at least one entity in the domain, and associated with at least one role in the domain in order to gain system access.
A number of roles are supplied with the system. These roles can be used for notification when a new customer, supplier, employee, or end user is created. These roles are provided to enable system setup; for details see the section System-Supplied Roles.
Use the set of checklists provided in this section as a starting point for determining the focal points to consider when establishing a security plan. See Planning, Policies, and Procedures Checklist.
You should consider both internal and external requirements when planning such security elements as password protection. For example:
Does your organization have specific internal controls-related requirements that may require the implementation of segregation of duties or update restrictions?
Important: By carefully planning how you will integrate your defined SOD policy with your setup of user roles, role permissions, and role membership, you may avoid SOD policy violations that require configuration rework.
Does your organization have specific requirements regarding password aging for all its systems?
Do external regulatory agencies set standards for password complexity, or for whether the logged-in user ID should always display on the screen?
Does your environment require database or operating system security controls implemented outside your QAD applications?
Other planning considerations apply if you are setting up security for a multiple-domain database.
For example, user profiles defined in User Maintenance (36.3.1) apply to all domains in the system. However, profiles include several generalized codes that are domain specific, such as access location and user type. To prevent validation errors, you should ensure that these codes exist in all domains.
If you determine how you will use such system-wide data as part of your security planning effort, you can prevent duplication of effort by having basic information in place when you create new domains. For more information on this topic, see the QAD Financials User Guide.