Review all information about security documentation for both the system and Progress prior to installation (or software upgrade if applicable).

Review all application-related files to determine the appropriate permission and ownership settings.

Optionally, determine and document any segregation of duties policy requirement. Also document how application resources should be partitioned.

Setting Up Segregation of Duties

Document the users who should be permitted access to the system and the domains and entities to which they should have access. This step will require an in-depth knowledge of your organization’s security requirements.

Document the role or roles to which users should be assigned. This step will require an in-depth knowledge of your organization’s security requirements.

Determine if specific users will require access to individual fields, sites, general ledger accounts, or inventory movement codes for standard application programs.

Consider requirements for policies and/or procedures regarding the deactivation of old user accounts. To meet the requirements of many regulated environments, user accounts can be disabled, but not deleted, once they have been used to access the system.

Setting Up Users

Define policies and procedures to be used to assure that user/role information will be kept current.

 

Create a high-level overview of your business environment and use a top-down approach to define your segregation of duties requirements.

Determine procedures to be used to create new user accounts and communicate initial passwords (e-mail, personal contact, other).

Decide if a simplified access approach is sufficient. This lets users log in based on operating system-level security.

Determine if single sign-on will be enabled for users employing the .NET User Interface.

Single Sign-On Enabled

Define how often users are required to changed passwords, and update the corresponding system security setting.

Expiration Days

Define procedures for failed login attempts, including:

Define password policies and procedures, including password composition, length, expiration, and reuse of previous passwords.

Define appropriate policies and procedures for users requiring that application sessions be locked using a screen saver or comparable mechanism whenever the user leaves the session unattended.

Determine whether to implement Progress as well as user ID and password controls for your system.

Determine requirements for Progress-level schema security to control access to application database tables.

Progress-Level Database Schema Controls

Consider disallowing Progress-level table and field access for the blank user ID

Determine the period of inactivity after which a system session should be terminated. For each device used to access the system, ensure that a screen saver or comparable utility is set to activate after the defined period of activity, requiring reentry of the user’s password to unlock the application session.

Workstation-Level Security

Determine whether multiple users share a common workstation to access the system and whether appropriate operating system functionality exists to adequately support security.

Operating system documentation

Verify and update relevant system control program settings, especially those for security.

Define users assigned to the security administrator role, who will receive e-mail notification of security events such as failed logins exceeding a defined threshold.

Update system security settings regarding user IDs and passwords, including:

Determine how system security should be implemented to protect the integrity of database records. For each site, GL account, and so on, specify the appropriate users authorized to access data.

Review users and roles for potential segregation of duty issues and adjust assignments as appropriate.

Setting Up Segregation of Duties