Contents

Copyright
Overview of the User Security Configuration Process
Managing User Accounts
    User Accounts in Acumatica ERP
    To Create a Local User Account
    To Add a User Type
Integrating Acumatica ERP with Active Directory
    Integration with Active Directory
    To Enable Active Directory Integration
    To Map Active Directory Groups to Roles in Acumatica ERP
    To Set Up Role Assignment for Domain Users
Integrating Acumatica ERP with AD FS
    Integration with AD FS
    To Configure the AD FS Relying Party Trust
    To Configure AD FS Claims
    To Enable AD FS Integration with Acumatica ERP
    To Map AD FS Claims to Roles in Acumatica ERP
    To Set Up Role Assignment for Domain Users
    To Enable Silent Logon
Integrating Acumatica ERP with Azure Active Directory
    Integration with Azure Active Directory
    To Register Your Acumatica ERP Instance on Windows Azure
    To Enable Azure Active Directory Integration for the Acumatica ERP Instance
    To Map Azure Active Directory Groups to Roles in Acumatica ERP
    To Set Up Role Assignment for Domain Users
    To Enable Silent Logon
Configuring Single Sign-On with Google
    Single Sign-On with Google
    To Register an Acumatica ERP Instance with Google
    To Enable SSO with Google
    To Enable Silent Logon
Configuring Single Sign-On with Microsoft Accounts
    Single Sign-On with Microsoft Account
    To Register an Acumatica ERP Instance with Microsoft Account
    To Enable SSO with Microsoft Account
    To Enable Silent Logon

Managing Security Policies in Acumatica ERP
    Security Policies in Acumatica ERP
Managing User Access Rights
    User Access Rights
    Role-Based Access
    Access Rights for Roles
    Levels of Access Rights
    To Initially Configure Access Rights
    To Configure Access Rights for a Selected User Role
    To Configure Access Rights to System Objects
    To Reset Access Rights to a Suite or a Module
    To Delegate the Right to Create Users
Managing Data Encryption
    Data Encryption in Acumatica ERP
    To Import Certificates
    To Encrypt the Database
Integrating Acumatica ERP Forms on Your Website
User Security Form Reference
    Access History
    Access Rights by Role
    Access Rights by Screen
    Access Rights by User
    Certificate Replacement
    Encryption Certificates
    Security Preferences
    User Roles
    User Types
    Users
User Security Reports
    Access Rights by Role
    Access Rights by Screen
    Role List
    User List
Appendix
    Reports
    Report Form
    Report Form Toolbar
    Table Toolbar
Glossary

Copyright

Copyright 2017 Acumatica, Inc. ALL RIGHTS RESERVED. No part of this document may be reproduced, copied, or transmitted without the express prior consent of Acumatica, Inc.

Acumatica, Inc., SE 6th, Suite 140, Bellevue, WA

Restricted Rights
The product is provided with restricted rights. Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in the applicable License and Services Agreement and in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS or subparagraphs (c)(1) and (c)(2) of the Commercial Computer Software-Restricted Rights at 48 CFR, as applicable.

Disclaimer
Acumatica, Inc. makes no representations or warranties with respect to the contents or use of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Acumatica, Inc. reserves the right to revise this document and make changes in its content at any time, without obligation to notify any person or entity of such revisions or changes.

Trademarks
Acumatica is a registered trademark of Acumatica, Inc. HubSpot is a registered trademark of HubSpot, Inc. Microsoft Exchange and Microsoft Exchange Server are registered trademarks of Microsoft Corporation. All other product names and services herein are trademarks or service marks of their respective companies.

Software Version: 6.1
Last updated: July 20, 2017

Overview of the User Security Configuration Process

Acumatica ERP specializes in the collection, storage, and processing of sensitive corporate data that must be protected against unauthorized access, use, modification, and disclosure. To ensure that the system resources are used properly, Acumatica ERP uses reasonable security measures such as database encryption and access control.

The User Security configuration process in Acumatica ERP includes the following actions:
- Administering user accounts: You configure and manage user accounts to provide your users with access to the system as a whole.
- Restricting access to information: You configure and manage access rights for users to parts of the system, such as suites, modules, and forms.
- Enforcing site security policies: You set up security policies for the system as a whole and for each particular user, and you set up the auditing of user activities connected to system security.
- Encrypting sensitive data: You configure the encryption of sensitive information stored in the system.

The sections in this topic provide descriptions of the main parts of the security configuration process in the module.

Administering User Accounts

To access Acumatica ERP, an individual must have a user account in the system. Each account includes a login, a password, and other required properties, such as the user's first and last name, email address, password policy options, and applied roles. You can either create local user accounts that will be available only in Acumatica ERP or integrate Acumatica ERP with identity management systems such as Microsoft Active Directory (AD) or Microsoft Azure Active Directory (Azure AD) to allow users of your organization to sign in to Acumatica ERP with their domain accounts. You create local accounts directly in Acumatica ERP. For more information, see User Accounts in Acumatica ERP.
Integration with AD can be used when your Acumatica ERP instance is installed in your organization's intranet. In this case, users will use their domain credentials to access your Acumatica ERP instance. For more information, see Integration with Active Directory.

If your Acumatica ERP instance is deployed on the Internet rather than in the intranet of your organization, you can integrate Acumatica ERP with Microsoft Active Directory Federation Services (AD FS), which provides a secure connection between AD and external sites. For more information, see Integration with AD FS.

Azure AD is a cloud version of the Active Directory service. You can integrate your Acumatica ERP instance with Azure AD if your organization is subscribed to a Microsoft cloud service, such as Azure or Office 365. With such integration, users can use their Azure AD domain name and password to access your Acumatica ERP instance. For more information, see Integration with Azure Active Directory.

Additionally, you can integrate Acumatica ERP with external identity providers, such as Google and Microsoft Account, by using the OAuth 2.0 standard to ease the sign-in process to Acumatica ERP for users of your organization. Such integration provides single sign-on between Acumatica ERP and external identity providers, which means that your users can sign in once to access multiple applications. Single sign-on reduces the number of logins and passwords the user has to remember, thus reducing the risk of identity theft. Also, maintaining user identities becomes easier for the system administrators. For more information, see Single Sign-On with Google and Single Sign-On with Microsoft Account.

Restricting Access to Information

When users successfully log in to Acumatica ERP, they should see only the system resources they need for their daily work. In Acumatica ERP, you administer user access by using roles that specify user duties. Users belong to custom-configured, task-oriented roles, and you can manage the access each role has to suites, modules, forms, and form elements. For more information, see User Access Rights.

In addition to limiting access to system entities by using roles, Acumatica ERP provides restriction groups, which give you the ability to control the visibility of records or entities of multiple types, such as General Ledger accounts, subaccounts, subaccount segment values, budgets, and vendor and customer accounts. Membership in a restriction group controls the visibility of only the entities included in the group; meanwhile, the role may allow access to all the entities of a particular type. See the following graphic of the relationship between roles, users, and restriction groups.

Figure: Users, Roles, and Restriction Groups

Note that although each user has at least one role assigned, a user can be included in any number of restriction groups or in no restriction group at all. Users 1, 2, and 3, because they all have the Accountant role, have access to the same forms, but the entities they can view on these forms depend on the configuration of the restriction groups. (Notice that User 3 belongs to no restriction group.) For more information on restriction groups, see Restriction Groups in Acumatica ERP.

Enforcing Site Security Policies

By using Acumatica ERP, you can enforce the security regulations used in your organization at the systemwide and user account levels. You can configure account lockout and password policies and track and record security events, such as successful and failed login events and access to forms, as described in Security Policies in Acumatica ERP. When you integrate Acumatica ERP with AD or Azure AD, you maintain centralized account and password policies at the domain level.

Encrypting Sensitive Data

Acumatica ERP uses digital certificates to store sensitive information in the database in encrypted form and to sign documents (PDF files) shared or sent electronically. For more information, see Data Encryption in Acumatica ERP.

Integrating Acumatica ERP Forms on a Website

You can embed Acumatica ERP forms in another web application that your employees use to solve their work tasks. For example, you can embed the Tasks (EP ) form within your Office 365 page to view and access your Acumatica ERP task list directly in Office 365. For more information, see Integrating Acumatica ERP Forms on Your Website.

Managing User Accounts

To access Acumatica ERP, an individual must have a user account in the system. Each account includes a login, a password, and other required settings, such as the user's first and last name, email address, password policy options, and access rights. In this chapter, you will read about creating and managing user accounts in Acumatica ERP.

In This Chapter
- User Accounts in Acumatica ERP
- To Create a Local User Account
- To Add a User Type

User Accounts in Acumatica ERP

To access Acumatica ERP, an individual must have a user account in the system. Each account includes a login, a password, and other properties, such as the user's first and last name, email address, password policy options, and access rights.

User accounts in Acumatica ERP can be local (created and managed directly in Acumatica ERP) or created and managed in external identity management systems, such as Microsoft Active Directory and Microsoft Azure Active Directory. To use the user accounts of external identity management systems, you must set up integration in Acumatica ERP. For details, see Integration with Active Directory and Integration with Azure Active Directory.

To make the authentication process easier for your users, you can configure single sign-on with external identity providers, such as Google and Microsoft Account. For details, see Single Sign-On with Google and Single Sign-On with Microsoft Account.

In this topic, you can find information about local user accounts in Acumatica ERP.

Initial Configuration of User Accounts

When you configure access for users to Acumatica ERP after installation, you perform the following steps:
1. You create each user account on the Users (SM ) form. Specify the login, password, user's first and last name, and email address. For details, see To Create a Local User Account.
2. If your organization uses specific security policies, you apply them to each user account on the Users (SM ) form. For more detailed information on security policies for user accounts, see Security Policies for a User Account.
3. You create user roles and assign these roles to user accounts on the User Roles (SM ) form. For details, see Role-Based Access.
4. If employees of your organization and your customers and partners work with your Acumatica ERP instance, you segregate users that are internal to your company from external users, as follows:
   a. Create user types on the User Types (EP ) form. For details, see User Types.
   b. Assign each user account the appropriate user type on the Users (SM ) form.
   Note: If you assign a user type to an existing user, the collection of roles from the user type overrides any roles that have been explicitly assigned to the user.

Security Policies for a User Account

You can use the following capabilities of Acumatica ERP to apply your organization's security policies to individual user accounts on the Users (SM ) form:
- Specifying password policy settings for an individual user. You can do the following:
  - Allow the user to recover the user name and reset the password through email. If this capability is enabled, the user can click the Forgot Your Credentials? link on the Welcome page of Acumatica ERP and receive an email with a link to the password reset form. For more information, see Access to Your Acumatica ERP Instance.
  - Allow the user to change the password at will.
  - Prevent the user from ever being prompted to change the password.
  - Require the user to change the password on the next login.
  Note: User account password policy settings are not available for domain users.
- Limiting the range of IP addresses from which a user can sign in to your Acumatica ERP instance. If the user attempts to access the system from a computer with an IP address that is outside of the specified range, access will be denied.
- Disabling a user account to temporarily prevent the user from signing in to your Acumatica ERP instance.

If you use the user types functionality (for details, see User Types), you can specify the following security settings on the User Types (EP ) form that will be applied to all users of this type:
- Allow users with linked contacts to use their email addresses as their login to the system.
- Force new users to change their password at the first login.
- Force new users to activate their account.

If you need to audit the activity of a particular user, you can track the following information on the Users (SM ) form:
- The date and time of the last login.
- The most recent date when the account was temporarily locked out.
- The date and time of the most recent password change.
- The number of unsuccessful attempts the user made to sign in to the account.

For more information, see Security Policies in Acumatica ERP.

Management of User Accounts

During ongoing maintenance of Acumatica ERP, you may have tasks to add a new user account or to change the settings of an existing user account. You perform the following steps to configure a user account on the Users (SM ) form:
1. You specify or change the login, password, user's first and last name, and email address.
2. Optional: You assign the user account the appropriate user type. For details, see User Types.
3. Optional: You set up password policies for the user account. For details, see Security Policies for a User Account.
4. You assign the user account the appropriate user roles. For details, see Role-Based Access.

For a detailed procedure of creating a user account, see To Create a Local User Account.

User Types

Your company may need to give your partners limited access to Acumatica ERP, for instance, to facilitate the process of entering contacts or customer orders. In such a scenario, you may need some way to segregate users that are internal to your company from external users, or even to give your partners the means to create and manage their own users in Acumatica ERP, thus freeing your administrators of the responsibility to manage these users. You can address these requirements through the use of user types in Acumatica ERP.

Each user type can be either employee-related or contact-related:
- An employee-related user type is associated with employees in your system. These user types are intended for users who are internal to your company (generally employees of your company and possibly consultants that you consider part of your company).
- A contact-related user type is associated with a contact in your system. These user types are intended for users who are external to the company, for example, partners or contacts. As opposed to employee-related user types, you can use contact-related user types to delegate the right to create users, as described in To Delegate the Right to Create Users.

For each user type, you need to specify the set of roles that can be assigned to users of this type. For the procedure to add a user type, see To Add a User Type.

Ability to Track User Accounts

You can use the following forms to track details on user accounts:
- Print or view a list of users in your Acumatica ERP instance by using the User List (SM ) report.
- View the access rights for each user to any system objects (suites, modules, forms, and form elements) by using the Access Rights by User (SM ) form.

To Create a Local User Account

To create local user accounts, you use the Users (SM ) form. For more information on user accounts in Acumatica ERP, see User Accounts in Acumatica ERP. This topic describes the steps you perform to create a local user account.

To Create a Local User Account
1. Navigate to Configuration > User Security > Manage > Users.
2. On the form toolbar, click the Add New Record button.
3. In the Login box, type the login of the user, which should be unique within your Acumatica ERP instance. The login is used to authenticate the user in the system.
4. Optional: Clear the Generate Password check box and type a password for the user manually. Otherwise, the password will be generated automatically. The login information will be sent to the user's email address when you save the user account.
5. Optional: If you want to assign the user a user type, in the User Type box, select the user type from the list. For more information about user types, see User Types.
6. Optional: In the Linked Entity box, select an employee or contact account that should be associated with the user. The user type you have selected determines whether this box can be left blank and what type of account you can select:
   - If you have selected an employee-related user type in the User Type box or left it blank, you can select an employee account or leave the Linked Entity box blank.
   - If you have selected a contact-related user type in the User Type box, you must select a contact account here or add a new contact.
7. Optional: Fill in the First Name and Last Name boxes. If you selected an employee or contact account in the previous step, these boxes will be filled in automatically.
8. Optional: In the Email box, type the user's email address. If you selected an employee or contact account in the previous step, this box will be filled in automatically. If an email address is not specified in the employee or contact account, you need to add it by using the corresponding form: the Employees (EP ) form or the Contacts (CR ) form. The email address will be used for sending information to the user, such as login information.
9. On the Roles tab, select the user roles that will be assigned to the user. They determine the user's access rights to the system objects. For more details about access rights, see User Access Rights.
10. On the form toolbar, click Save.

To Add a User Type

To add a new user type, you use the User Types (EP ) form. For more information on user types, see User Types.

To Add a User Type
1. Navigate to Configuration > User Security > Manage > User Types.
2. In the User Type box, type the name of the user type you want to add.
3. In the Linked Entity box, select one of the following:
   - Employee: To add an employee-related user type that is associated with employees in your system
   - Contact: To add a contact-related user type that is associated with a contact in your system
4. Optional: In the Description box, type the description of the user type.
5. On the Allowed Roles tab, add the roles to be available for the users of this type. Do the following:
   a. On the table toolbar, click Add Row.
   b. In the Role Name column, select the role you want to add to the role set.
   Note: For contact-related user types, you can associate only roles that are marked as guest roles (that is, they have the Guest Role check box selected) on the User Roles (SM ) form.
   c. Optional: If the role must be assigned to the user by default, select the Default check box.
6. On the form toolbar, click Save.

Integrating Acumatica ERP with Active Directory

The integration of Acumatica ERP with Microsoft Active Directory (AD) provides centralized management of users and access. After integration, your domain users can use their domain user names and passwords to sign in to Acumatica ERP.

You can set up integration with AD if Acumatica ERP is installed in your organization's intranet. If your Acumatica ERP instance is deployed in an external network, you must use Active Directory Federation Services to provide access to the system for your domain users. For details, see Integration with AD FS.

You create, delete, and manage user accounts by using Active Directory. Users' access rights to Acumatica ERP are determined based on the mapping rules between AD groups and Acumatica ERP roles. This chapter describes the configuration and management of Acumatica ERP integration with Active Directory.

In This Chapter
- Integration with Active Directory
- To Enable Active Directory Integration
- To Map Active Directory Groups to Roles in Acumatica ERP
- To Set Up Role Assignment for Domain Users

Integration with Active Directory

You integrate Acumatica ERP with Microsoft Active Directory (AD) to manage users and access in one place. You create, delete, and manage user accounts by using AD. During integration, you map AD groups to user roles in Acumatica ERP to determine users' access rights.

Note: Enabling integration with AD does not affect the standard authorization and authentication mechanism of Acumatica ERP. With AD integration enabled, you can still create regular (non-AD) users in Acumatica ERP.

Configuration Steps

To integrate an instance of Acumatica ERP with AD, you perform the following steps:
1. Enable integration with Active Directory by modifying the web.config file of the application instance, as described in To Enable Active Directory Integration.
   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
2. Map the user roles configured in Acumatica ERP to the groups configured in the Active Directory domain by using the User Roles (SM ) form in Acumatica ERP. For details, see To Map Active Directory Groups to Roles in Acumatica ERP.
   Note: Enabling AD integration does not affect the standard authorization and authentication capabilities of Acumatica ERP. With AD integration enabled, you can still create internal users in Acumatica ERP.
3. Optional: If you need to override the roles assigned to AD users, manually add the AD user accounts to the system (if necessary) and specify the roles for the accounts. For details, see To Set Up Role Assignment for Domain Users.

User Accounts of Domain Users in Acumatica ERP

After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your Acumatica ERP instance for the first time. The accounts of domain users in Acumatica ERP are based on their accounts in the domain. The password of a domain user in Acumatica ERP is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in Acumatica ERP.

Note: You cannot restore the passwords of domain users by using Acumatica ERP tools. You should restore users' domain credentials by using the tools of Active Directory (AD).

If the number of users or groups in AD is greater than or equal to 1000, information about users and groups from AD is automatically cached by Acumatica ERP to speed up the authentication of users. When you make any changes in AD, you can manually synchronize the cached lists of users and groups with AD in Acumatica ERP. If the number of users and groups in AD is less than 1000, Acumatica ERP retrieves the lists of users and groups directly from AD.

Domain User Authentication

Generally, to sign in to Acumatica ERP, AD users type their domain credentials without specifying the domain name. But some employees may have both a local user account and a domain user account with the same user name. In this case, Acumatica ERP will authenticate the users based on the password they specify (assuming that the local and domain passwords differ).

If both the user names and the passwords are the same for a local user account and a domain user account, on the Welcome screen, the user can select the account to sign in with as follows:
- To sign in with a local account, the user enters the user name of the local account (as usual).
- To sign in with a domain account, the user enters the login in the <Domain_Name>\<User_Name> format, where <Domain_Name> is the NetBIOS domain name of the integrated domain and <User_Name> is the user account name in the integrated domain.

Note: If there is a local account whose name includes a domain name and a user name from this domain, for example, Terra\User1, a domain user with the name User1 from the domain Terra will be mapped to this local account and will inherit all permissions of this account. In this case, the passwords of the local user and the domain user may differ, but both will access the same user account. To prevent confusion, we recommend that you disable or delete the local accounts of employees who do not perform any administration or configuration tasks in Acumatica ERP.

Domain User Authorization

When a domain user tries to access Acumatica ERP, user authorization occurs as follows:
1. The application instance sends an authentication request to the AD server to validate the user's credentials.
2. When validation has completed successfully, the AD server sends Acumatica ERP the list of AD groups to which the user is assigned.
3. Acumatica ERP compares the list of AD groups with the internal Acumatica ERP roles, based on the mapping rules defined on the User Roles (SM ) form.
4. The system finds any Acumatica ERP roles that are associated with AD groups to which the domain user account is assigned. If Acumatica ERP finds at least one role, the user is authenticated to sign in to the Acumatica ERP instance.

The user access rights within the Acumatica ERP application instance are based on the internal list of roles. For more information about authentication in Acumatica ERP, see User Accounts in Acumatica ERP. For details about roles and access rights in Acumatica ERP, see User Access Rights.

Access Rights of Domain Users

Domain users inherit access rights from the AD groups that you mapped to Acumatica ERP user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights. New domain users automatically get the right to sign in to Acumatica ERP when they join a domain. The membership of these users in Acumatica ERP roles is then automatically updated to comply with the membership of the users in the domain groups.

Note: The user type functionality, described in User Types, cannot be applied to domain users.

To Enable Active Directory Integration

To integrate your Acumatica ERP instance with Active Directory (AD), you should first enable integration in Acumatica ERP, as described in this topic. For a description of all steps required for integration with AD, see Integration with Active Directory.

To Enable Active Directory Integration
1. Create an AD user account that has Read permissions throughout the entire AD forest. This user account must be included in the Domain Users group or have at least Read permissions to the following properties defined in the AD schema: objectsid, distinguishedname, samaccountname, displayname, description, lastlogon, pwdlastset, primarygroupid, and memberof.
2. Modify the web.config file as follows:
   a. Open the web.config file, which is located in the folder that contains the application instance website.
   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
   b. In the file, find the activedirectory section within the system.web section and edit it similarly to the example shown below.

      <activedirectory enabled="true" path="domain_path" dc="domain_name" user="user_name" password="user_password" />

      In the code shown above:
      - Domain_Path is the DNS name or the IP address of the domain controller (DC).
      - Domain_Name is the domain name, such as terra, terra.com, or sing.terra.com. This setting affects the visibility of the data of Acumatica ERP to the domain users. Preferably, you should use the highest-level domain of the domain name. For example, in the sing.terra.com domain name, the highest-level domain is sing, and you would have to specify dc="sing". For the terra.net domain, the highest-level domain is terra, and you would have to specify dc="terra".
      - User_Name is the name of the user account you created in Step 1. Depending on the AD settings, you should use one of the following formats: User_Name or Domain_Name\User_Name.
      - User_Password is the AD password of the user account you created in Step 1.
   c. Save the web.config file. The website restarts automatically.

After you have enabled integration with Active Directory, you need to map AD groups to Acumatica ERP roles, as described in To Map Active Directory Groups to Roles in Acumatica ERP.

To Map Active Directory Groups to Roles in Acumatica ERP

After you have enabled Active Directory (AD) integration, you need to map AD groups to user roles defined in Acumatica ERP by using the User Roles (SM ) form.

Before You Begin

Before you start configuring your system, make sure that all the domain users have email addresses configured in AD.

To Map Active Directory Groups to Acumatica ERP Roles
1. Navigate to Configuration > User Security > Manage > User Roles.
2. In the Summary area, in the Role Name box, select the role you want to associate with an Active Directory group (or with multiple groups).
3. On the Active Directory tab, click Add Row.
   Note: The Active Directory tab appears on this form if the integration of Acumatica ERP with AD has been enabled in the web.config file, as described in To Enable Active Directory Integration.
4. In the Group column of the new row, select the AD group that you want to associate with the role.
5. On the form toolbar, click Save.
6. Repeat Steps 2 through 5 for every role that should be mapped to AD groups.

To Remove Mapping of Active Directory Groups to Roles
1. Navigate to Configuration > User Security > Manage > User Roles.
2. In the Summary area, in the Role Name box, select the role for which you want to remove the association with an Active Directory group (or with multiple groups).
3. Click the row that contains the AD group that you want to disassociate from the role, and click Delete Row on the table toolbar.
4. On the form toolbar, click Save.
5. Repeat Steps 2 through 4 for every role for which the mapping with AD groups should be removed.

After you have mapped AD groups to user roles in Acumatica ERP, you can assign specific roles to a particular domain user, as described in To Set Up Role Assignment for Domain Users.

To Set Up Role Assignment for Domain Users

When a Microsoft Active Directory (AD) domain user signs in to Acumatica ERP for the first time, the system adds a user account for this user and assigns roles to the new account based on the mapping between AD groups and Acumatica ERP roles. For the full integration procedure, see Integration with Active Directory.

You can override the automatically assigned roles of a particular domain user by selecting the required roles manually for the user on the Users (SM ) form, for example, if you want the user to access additional Acumatica ERP forms.

To Override a User's Role Assignment Based on AD Groups
1. Navigate to Configuration > User Security > Manage > Users.
2. Optional: If the user has never signed in to Acumatica ERP with his or her domain credentials, add a local user account for the domain user as follows:
   a. On the form toolbar, click Add Active Directory User to open the Active Directory User dialog box.
   b. In the Active Directory User box, select the AD user account.
   c. Click OK to close the dialog box and populate the form with the user's information.
3. In the Login box, select the user whose default roles you want to change.
4. In the Selection area, select Override Active Directory Roles with Local Roles.
5. On the Roles tab, select the roles you want to assign to the user.
6. On the form toolbar, click Save.

To Restore AD Group Role Assignment for Domain Users
1. Navigate to Configuration > User Security > Manage > Users.
2. In the Login box, select the domain user for whom you want to restore the default roles.
3. In the Selection area, clear Override Active Directory Roles with Local Roles.
4. On the form toolbar, click Save.
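The group-to-role mapping described in To Map Active Directory Groups to Roles in Acumatica ERP and the override switch described in the procedure above, modelled as an added example (not Acumatica code): a user is signed in only when at least one mapped role is found, and the Override Active Directory Roles with Local Roles flag replaces the automatic roles. The domain TERRA, the group names and the logins are constructed for the example.

```python
"""Role resolution for domain users, as the guide describes it.

Added example, not Acumatica code. It models the mapping of AD groups to
roles kept on the User Roles form, the rule that a domain user gets an
account and is signed in only if at least one mapped role is found, and the
"Override Active Directory Roles with Local Roles" flag on the Users form.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class LocalAccount:
    """The Acumatica ERP user record created for a domain user."""
    login: str
    override_ad_roles: bool = False            # "Override Active Directory Roles with Local Roles"
    local_roles: FrozenSet[str] = frozenset()  # roles ticked on the Roles tab


# Mapping maintained on the User Roles form: role -> AD groups (constructed data).
# Group names use the <Domain_Name>\<Group_Name> format the guide gives for claims.
ROLE_GROUP_MAP: Dict[str, FrozenSet[str]] = {
    "Administrator": frozenset({r"TERRA\ERP Admins"}),
    "Financial Supervisor": frozenset({r"TERRA\Finance", r"TERRA\Controllers"}),
    "Employee": frozenset({r"TERRA\Domain Users"}),
}


def roles_from_groups(ad_groups: Iterable[str],
                      mapping: Dict[str, FrozenSet[str]] = ROLE_GROUP_MAP) -> FrozenSet[str]:
    """Steps 3 and 4 of the authorization flow: every role whose mapped groups
    intersect the groups AD reported for the user. AD group names are not
    case-sensitive, so both sides are case-folded before comparison."""
    mine = {g.casefold() for g in ad_groups}
    return frozenset(role for role, groups in mapping.items()
                     if mine & {g.casefold() for g in groups})


class DomainUserDirectory:
    """Local accounts of domain users, created on first successful sign-in."""

    def __init__(self, mapping: Dict[str, FrozenSet[str]] = ROLE_GROUP_MAP) -> None:
        self.mapping = mapping
        self.accounts: Dict[str, LocalAccount] = {}

    def add_ad_user(self, login: str) -> LocalAccount:
        """Users form > Add Active Directory User: create the account up front."""
        return self.accounts.setdefault(login, LocalAccount(login))

    def override_roles(self, login: str, roles: Iterable[str]) -> None:
        """Users form: select the override check box, tick roles on the Roles tab, Save."""
        acct = self.accounts[login]
        acct.override_ad_roles, acct.local_roles = True, frozenset(roles)

    def restore_ad_roles(self, login: str) -> None:
        """Users form: clear the override check box and Save."""
        acct = self.accounts[login]
        acct.override_ad_roles, acct.local_roles = False, frozenset()

    def sign_in(self, login: str, ad_groups: Iterable[str]) -> Optional[FrozenSet[str]]:
        """Return the effective roles, or None when sign-in is refused.
        AD has already validated the credentials and returned `ad_groups`."""
        auto = roles_from_groups(ad_groups, self.mapping)
        acct = self.accounts.get(login)
        if acct is None:
            if not auto:
                return None          # no mapped role: no account is created
            acct = self.add_ad_user(login)
        # Each sign-in re-reads group membership, so role changes in AD propagate
        # unless the administrator has overridden them with local roles.
        effective = acct.local_roles if acct.override_ad_roles else auto
        return effective or None


if __name__ == "__main__":
    directory = DomainUserDirectory()
    print(directory.sign_in(r"TERRA\alice", [r"TERRA\Finance", r"TERRA\Domain Users"]))
    print(directory.sign_in(r"TERRA\mallory", [r"TERRA\Guests"]))
```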

Integrating Acumatica ERP with AD FS

The integration of Acumatica ERP with Microsoft Active Directory Federation Services (AD FS) provides centralized user and access management (by using Active Directory) and single sign-on (SSO) for your domain users. You can integrate Acumatica ERP with AD FS if you use an Acumatica ERP instance that is deployed on the Internet but not in your organization's intranet. With such integration in place, users of Acumatica ERP can access the instance with their domain credentials.

Note: You can integrate your Acumatica ERP instance with AD FS or Azure AD, but not with both. These two identity management systems are mutually exclusive because they use the same functionality to connect to Acumatica ERP.

This chapter provides detailed information on the integration of Acumatica ERP with AD FS.

In This Chapter
- Integration with AD FS
- To Configure the AD FS Relying Party Trust
- To Configure AD FS Claims
- To Enable AD FS Integration with Acumatica ERP
- To Map AD FS Claims to Roles in Acumatica ERP
- To Set Up Role Assignment for Domain Users
- To Enable Silent Logon

Integration with AD FS

You integrate Acumatica ERP with Microsoft Active Directory Federation Services (AD FS) when you want to manage users and access rights using Active Directory (AD) and your Acumatica ERP instance is deployed on the Internet but not in your organization's intranet. Integration of Acumatica ERP with AD FS also provides single sign-on for domain users between your Acumatica ERP instance and other services that use AD FS.

Requirements

To seamlessly integrate your AD FS server and your Acumatica ERP instance, make sure that the following requirements are met:
- The AD FS version is 2012 R2 (included in Windows Server 2012 R2).
- AD FS is configured to provide access to external web services.
- The domain users have preconfigured email addresses.

Configuration Steps

You can configure integration with AD FS when you implement Acumatica ERP or at any later time. To integrate an instance of Acumatica ERP with AD FS, you perform the following steps:
1. Configure the AD FS server. Do the following:
   a. Configure the AD FS Relying Party Trust to register your Acumatica ERP instance with AD FS. For details, see To Configure the AD FS Relying Party Trust.
   b. Configure claims for Acumatica ERP, as described in To Configure AD FS Claims.

2. Enable integration with AD FS by modifying the web.config file of the application instance, as described in To Enable AD FS Integration with Acumatica ERP.
   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
3. Map the AD FS claims to Acumatica ERP roles. This process is described in To Map AD FS Claims to Roles in Acumatica ERP.
4. Optional: If required, override the roles assigned to any user automatically by selecting the required roles manually. For details, see To Set Up Role Assignment for Domain Users.
5. Optional: If you want to use the AD FS service as the default identity provider, enable silent logon with AD FS, as described in To Enable Silent Logon.

User Accounts of Domain Users in Acumatica ERP

After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your Acumatica ERP instance for the first time. The accounts of domain users in Acumatica ERP are based on their accounts in the domain. The password of a domain user in Acumatica ERP is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in Acumatica ERP.

Note: You cannot restore the passwords of domain users by using Acumatica ERP tools. You should restore users' domain credentials by using the tools of Active Directory (AD).

If the number of users or groups in AD is greater than or equal to 1000, information about users and groups from AD is automatically cached by Acumatica ERP to speed up authentication of users. When you make any changes in AD, you can manually synchronize the cached lists of users and groups with AD in Acumatica ERP. If the number of users and groups in AD is less than 1000, Acumatica ERP retrieves the lists of users and groups directly from AD.

Domain User Authentication

After integration of Acumatica ERP with AD FS, users use single sign-on (SSO) with the domain to sign in to Acumatica ERP. By default, the users do the following to authenticate themselves:
1. On the Welcome page of your Acumatica ERP instance, the user selects the Azure AD icon to open the AD FS sign-in page.
2. On the sign-in page, the user enters the domain credentials in the following format: <User_Name>@<Domain_Name>, where <User_Name> is the user account name in the integrated domain and <Domain_Name> is the UPN suffix, also known as the domain name.

To simplify the procedure, you can configure silent logon with the AD FS server. For more information, see To Enable Silent Logon.

Note: If you configured a multi-company instance and selected the Secure Company on Login option on the Company Setup page (see Multi-Company Instances), then users with access to several companies who sign in to Acumatica ERP using single sign-on with an external identity provider will be logged in to the first company with single sign-on enabled.

Domain User Authorization

When a domain user tries to access Acumatica ERP, user authorization occurs as follows:

1. The application instance sends an authentication request to the AD server to validate the user's credentials.
2. When validation has completed successfully, the AD server sends Acumatica ERP the list of AD groups to which the user is assigned.
3. Acumatica ERP compares the list of AD groups with the internal Acumatica ERP roles, based on the mapping rules defined on the User Roles (SM ) form.
4. The system finds any Acumatica ERP roles that are associated with AD groups to which the domain user account is assigned. If Acumatica ERP finds at least one role, the user is authenticated to sign in to the Acumatica ERP instance. The user access rights within the Acumatica ERP application instance are based on the internal list of roles.

For more information about authentication in Acumatica ERP, see User Accounts in Acumatica ERP. For details about roles and access rights in Acumatica ERP, see User Access Rights.

Access Rights of Domain Users

Domain users inherit access rights from the AD groups that you mapped to Acumatica ERP user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights. New domain users automatically get the rights to sign in to Acumatica ERP when they join a domain. The membership of these users in Acumatica ERP roles is then automatically updated to comply with the membership of the users in the domain groups.

Note: The user type functionality, described in User Types, cannot be applied to domain users.

To Configure the AD FS Relying Party Trust

To configure communication between your Active Directory Federation Services (AD FS) server and your Acumatica ERP instance, you should add a relying party trust for your Acumatica ERP instance. For a description of all steps required for integrating Acumatica ERP with AD FS, see Integration with AD FS. The procedure below illustrates this process on Microsoft Windows 2012 R2.

Attention: This topic describes the configuration of third-party software. Please note the following:
- The procedure below is designed for the most common usage scenarios. If you are implementing a more complicated scenario and you encounter difficulties, contact Acumatica ERP technical support.
- The vendor of the third-party software may change the user interface and settings. Therefore, the screen elements and setting names you see may differ from the ones described in the procedure. The procedure will be updated each time information is made available about new common scenarios and changes in the user interface and settings.

To Add a New Relying Party Trust
1. Sign in to the AD FS server and open the AD FS Management tool.
   Note: To configure AD FS, you must be a member of the Domain Admins group in the domain to which the federation server belongs.
2. In the left pane, right-click Relying Party Trusts, and then select Add Relying Party Trust (as shown in the screenshot below).

   Figure: AD FS Management tool
3. On the Welcome page of the Relying Party Trust Wizard, which opens, click Start, as shown in the following screenshot.
   Figure: Welcome page
4. On the Select Data Source page, select Enter data about the relying party manually, as shown in the screenshot below, and then click Next.

   Figure: Select Data Source page
5. On the Specify Display Name page, specify the display name for the relying party, as shown in the following screenshot. The display name is the name that will be displayed in the AD FS Management Console for the relying party. Then click Next.
   Figure: Specify Display Name page
6. On the Choose Profile page, select AD FS Profile, as shown in the screenshot below, and then click Next.

   Figure: Choose Profile page
7. On the Configure Certificate page, click Next to skip the step of specifying a token encryption certificate.
   Figure: Configure Certificate page
8. On the Configure URL page, select the Enable support for the WS-Federation Passive protocol check box, and specify the full URL of your Acumatica ERP instance, as shown in the following screenshot.

   Figure: Configure URL page
9. On the Configure Identifiers page (shown in the screenshot below), specify the relying party trust identifier, and then click Next.
   Figure: Configure Identifiers page
10. On the Configure Multi-factor Authentication Now? page, select the option button indicating that you do not want to configure multi-factor authentication at this time, and then click Next. (See the following screenshot.)

   Figure: Configure Multi-factor Authentication Now? page
11. On the Choose Issuance Authorization Rules page, select the Permit all users to access this relying party option button, as shown in the following screenshot, and then click Next.
   Figure: Choose Issuance Authorization Rules page
12. On the Ready to Add Trust page, review the settings, and then click Next.
13. On the Finish page, select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box (as shown in the screenshot below), and then click Close.

   Figure: Finish page

This opens the Edit Claim Rules dialog box, which you will use to configure claim rules for the added relying party trust. For the detailed procedure, see To Configure AD FS Claims.

To Configure AD FS Claims

After you have added a relying party trust for your Acumatica ERP instance to the Microsoft Active Directory Federation Services (AD FS) server, you need to configure the necessary claims for the relying party trust. For a description of all steps required for integrating Acumatica ERP with AD FS, see Integration with AD FS. The procedure below provides a sample configuration of claims for AD groups. You may add other claims that are specific to your organization.

Attention: This topic describes the configuration of third-party software. Please note the following:
- The procedure below is designed for the most common usage scenarios. If you are implementing a more complicated scenario and you encounter difficulties, contact Acumatica ERP technical support.
- The vendor of the third-party software may change the user interface and settings. Therefore, the screen elements and setting names you see may differ from the ones described in the procedure. The procedure will be updated each time information is made available about new common scenarios and changes in the user interface and settings.

To Configure AD FS Claims for the Relying Party Trust
1. Sign in to the AD FS server, open the AD FS Management tool, and select the relying party trust of your Acumatica ERP instance in Trust Relationships > Relying Party Trusts.
   Note: To configure AD FS, you must be a member of the Domain Admins group in the domain to which the federation server is joined.
2. In the right pane, click Edit Claim Rules.
3. In the Edit Claim Rules dialog box, add the Main Claims rule. Do the following:
   a. Click Add Rule.

   b. In the Add Transform Claim Rule Wizard dialog box, in the Claim rule template box, select Send LDAP Attributes as Claims, and then click Next.
   c. In the Claim rule name box, type Main Claims, as shown in the screenshot below.
      Figure: Main Claims rule
   d. In the Attribute store box, select Active Directory.
   e. In the Mapping of LDAP attributes to outgoing claim types area, add the attributes specified in the following table.

      LDAP Attribute                            Outgoing Claim Type   Necessity
      Surname                                   Surname               Optional
      Given-Name                                Given Name            Optional
      User-Principal-Name                       UPN                   Required
      Token-Groups - Qualified by Domain Name   Role                  Required
      E-Mail-Addresses                          E-Mail Address        Required
      SAM-Account-Name                          Name                  Optional
      Display-Name                              Common Name           Optional

   f. Click Finish to add the rule.
4. In the Edit Claim Rules dialog box, add the SID rule. Do the following:
   a. Click Add Rule.
   b. In the Add Transform Claim Rule Wizard dialog box, in the Claim rule template box, select Pass Through or Filter an Incoming Claim, and then click Next.
   c. In the Claim rule name box, type SID, as shown in the screenshot below.

      Figure: SID rule
   d. In the Incoming claim type box, select Primary SID.
   e. Select the Pass through all claim values option button.
   f. Click Finish to add the rule.

Now that you have configured the AD FS server, you have to enable integration in your Acumatica ERP instance. For details, see To Enable AD FS Integration with Acumatica ERP.

To Enable AD FS Integration with Acumatica ERP

After you have configured the Microsoft Active Directory Federation Services (AD FS) server, you should enable AD FS integration with your Acumatica ERP instance, as described in this topic. For a description of all steps required for AD FS server configuration, see Integration with AD FS.

To Enable AD FS Integration with Acumatica ERP
1. Open the web.config file, which is located in the folder that contains the application instance website.
   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
2. In the file, find the externalauth section within the system.web section and set the claimsauth attribute to True.
3. In the audienceuris element within the system.identitymodel section, specify the URL of the Acumatica ERP instance similarly to the example shown below.

       <audienceuris>
         <add value="full_instance_url" />
       </audienceuris>

   In the code shown above, Full_Instance_URL is the full URL of your Acumatica ERP instance.

4. In the federationconfiguration element within the system.identitymodel.services section, edit the wsfederation element similarly to the example shown below.

       <wsfederation passiveredirectenabled="false" issuer="..." realm="full_instance_url" requirehttps="false" PersistentCookiesOnPassiveRedirects="false" />

   In the code shown above:
   - The issuer value is the URL of the sign-in page of your AD FS server.
   - Full_Instance_URL is the full URL of the Acumatica ERP instance, for example, app.site.net/instance_name.
   Note: Automatic redirect to the AD FS sign-in page may not work if there is a slash at the end of the URL. To avoid this situation, specify the URL without the trailing slash.
5. Save the web.config file. The website restarts automatically.

After you have enabled AD FS integration for your Acumatica ERP instance, you need to map AD FS claims to Acumatica ERP roles, as described in To Map AD FS Claims to Roles in Acumatica ERP.

To Map AD FS Claims to Roles in Acumatica ERP

After you have enabled Microsoft Active Directory Federation Services (AD FS) integration, you need to map AD FS claims to user roles defined in Acumatica ERP by using the User Roles (SM ) form. The claims configured in To Configure AD FS Claims transfer domain groups to Acumatica ERP so that they can be associated with user roles. Do the following:
1. Navigate to Configuration > User Security > Manage > User Roles.
2. In the Summary area, in the Role Name box, select the Acumatica ERP user role you want to associate with a domain group (or with multiple groups).
3. On the Claims tab, click Add Row.
   Note: The Claims tab appears on this form only if the integration of Acumatica ERP with AD FS has been enabled in the web.config file, as described in To Enable AD FS Integration with Acumatica ERP.
4. In the Group column, type the name of the domain group that you want to associate with the role in the following format: <Domain_Name>\<Group_Name>.
   Note: If you have configured claims that transfer other parameters to Acumatica ERP, you need to specify the values of these parameters in the Group column.
5. On the form toolbar, click Save.
6. Repeat Steps 2 through 5 for every role that should be mapped.

After you have mapped AD FS claims to user roles in Acumatica ERP, you can assign specific roles to a particular domain user, as described in To Set Up Role Assignment for Domain Users, or enable silent logon with Azure AD to use the Azure AD service as the default identity provider, as described in To Enable Silent Logon.

To Set Up Role Assignment for Domain Users

When a domain user signs in to Acumatica ERP for the first time, the system adds a user account for this user and assigns roles to the new account based on the mapping between AD groups and Acumatica ERP roles. For the full integration procedure, see Integration with AD FS.

If necessary, you can override the automatically assigned roles of a particular domain user by selecting the required roles manually for the user on the Users (SM ) form.

To Override a User's Role Assignment Based on AD Groups
1. Navigate to Configuration > User Security > Manage > Users.
2. Optional: If the user has never signed in to Acumatica ERP with his or her domain credentials, add a local user account for the domain user as follows:
   a. On the form toolbar, click Add Active Directory User to open the Active Directory User dialog box.
   b. In the Active Directory User box, select the AD user account.
   c. Click OK to close the dialog box and populate the form with the user's information.
3. In the Login box, select the user whose default roles you want to change.
4. In the Selection area, select Override Active Directory Roles with Local Roles.
5. On the Roles tab, select the roles you want to assign to the user.
6. On the form toolbar, click Save.

To Restore AD Group Role Assignment for Domain Users
1. Navigate to Configuration > User Security > Manage > Users.
2. In the Login box, select the domain user for whom you want to restore the default roles.
3. In the Selection area, clear Override Active Directory Roles with Local Roles.
4. On the form toolbar, click Save.

To Enable Silent Logon

To make your users authenticate themselves with a selected identity provider, you enable the silent logon capability and select the identity provider to be used by default.

Before You Proceed

Before you enable silent logon, you need to configure your Acumatica ERP instance to use the external identity provider with which you want to set up silent logon. If you want to enable silent logon with Google or Microsoft Account, make sure that your users have registered their external accounts with the Acumatica ERP instance, as described in To Activate Your Google or Microsoft Account.

To Enable Silent Logon
1. Open the web.config file for the site instance.
   Note: Usually the file is located in %Program Files%\Acumatica ERP\<instance name>, where <instance name> is the name of the application instance website.

   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
2. Add the Silentlogin parameter to the <externalauth> section, as shown below.

       <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx" silentlogin="{parameter}" />

   Specify one of the following values of the Silentlogin parameter, depending on the identity provider:
   - Federation: To enable silent logon with Microsoft Azure Active Directory or Active Directory Federation Services, depending on your system configuration.
   - Google: To enable silent logon with Google.
   - MicrosoftAccount: To enable silent logon with Microsoft Account.
3. Save your changes to web.config.

To Disable Silent Logon
1. Open the web.config file for the site instance.
   Note: Usually the file is located in %Program Files%\Acumatica ERP\<instance name>, where <instance name> is the name of the application instance website.
   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
2. Specify the none value for the Silentlogin parameter in the <externalauth> section, as shown below.

       <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx" silentlogin="none" />

3. Save your changes to web.config.

To Override Silent Logon Settings with URL Parameters

You can specify a different external identity provider or disable silent logon by using the SilentLogin URL parameter with a corresponding value in the URL of your Acumatica ERP instance or of a particular form. It overrides the value of the SilentLogin parameter specified in the web.config file. The SilentLogin URL parameter can take the following values.

      Parameter          Identity Provider
      None               Acumatica ERP
      Federation         Microsoft Azure Active Directory or Active Directory Federation Services
      Google             Google
      MicrosoftAccount   Microsoft Account

Example

To sign in to an Acumatica ERP instance using silent logon for a Google account, you use the following URL:
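The web.config settings edited by hand in To Enable AD FS Integration with Acumatica ERP and in the silent logon procedures above are easy to get subtly wrong (a trailing slash on the realm, a Silentlogin value that is not one the guide lists). The following added example (not Acumatica code) lints those settings. SAMPLE_WEB_CONFIG is constructed for the example; the nesting under system.identityModel and system.identityModel.services follows standard WIF configuration, which is an assumption about your instance, and the host names are placeholders.

```python
"""Lint the identity-provider settings in an Acumatica ERP web.config.

Added example, not Acumatica code. It checks the elements this guide edits
by hand: <activedirectory>, <externalauth claimsauth/silentlogin>,
<audienceuris> and <wsfederation>. Tag and attribute names are compared
case-insensitively because the guide prints them in lower case while real
web.config files use camelCase.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Values the guide documents for the Silentlogin parameter.
SILENT_LOGIN_VALUES = {"none", "federation", "google", "microsoftaccount"}

# Constructed sample: dc is not a single label, realm has a trailing slash and
# requireHttps is false, so the linter reports three findings on it.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <activedirectory enabled="true" path="dc01.sing.terra.com" dc="sing.terra.com"
                     user="svc_acumatica" password="PLACEHOLDER" />
    <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx"
                  claimsauth="True" silentlogin="Federation" />
  </system.web>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://app.site.net/instance_name" />
      </audienceUris>
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <wsFederation passiveRedirectEnabled="false"
                    issuer="https://adfs.example.test/adfs/ls/"
                    realm="https://app.site.net/instance_name/"
                    requireHttps="false"
                    persistentCookiesOnPassiveRedirects="false" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
"""


def _find(root: ET.Element, tag: str) -> Optional[ET.Element]:
    """First element whose tag matches case-insensitively, at any depth."""
    for el in root.iter():
        if el.tag.lower() == tag.lower():
            return el
    return None


def _attrs(el: ET.Element) -> Dict[str, str]:
    """Attribute names lower-cased."""
    return {k.lower(): v for k, v in el.attrib.items()}


def lint_web_config(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # <activedirectory> in <system.web>: intranet AD integration.
    ad = _find(root, "activedirectory")
    if ad is not None and _attrs(ad).get("enabled", "").lower() == "true":
        a = _attrs(ad)
        for name in ("path", "dc", "user", "password"):
            if not a.get(name):
                findings.append(f"activedirectory: '{name}' is missing or empty")
        # The guide wants the highest-level label only (dc="sing" for sing.terra.com).
        if "." in a.get("dc", ""):
            findings.append(f"activedirectory: dc='{a['dc']}' should be a single label, "
                            f"for example dc=\"{a['dc'].split('.')[0]}\"")

    # <externalauth>: claims-based (AD FS / Azure AD) auth and silent logon.
    claims_enabled = False
    ext = _find(root, "externalauth")
    if ext is not None:
        a = _attrs(ext)
        claims_enabled = a.get("claimsauth", "").lower() == "true"
        silent = a.get("silentlogin")
        if silent is not None and silent.lower() not in SILENT_LOGIN_VALUES:
            findings.append(f"externalauth: unknown silentlogin value '{silent}'")
        if silent and silent.lower() == "federation" and not claims_enabled:
            findings.append("externalauth: silentlogin=Federation but claimsauth is not True")

    if claims_enabled:
        aud = _find(root, "audienceuris")
        audiences = [_attrs(e).get("value", "") for e in aud.iter()
                     if e.tag.lower() == "add"] if aud is not None else []
        if not audiences:
            findings.append("audienceuris: no <add value=...> entry for the instance URL")
        ws = _find(root, "wsfederation")
        if ws is None:
            findings.append("wsfederation: element is missing")
        else:
            w = _attrs(ws)
            realm = w.get("realm", "")
            if realm.endswith("/"):
                findings.append("wsfederation: realm ends with '/'; redirect to AD FS may fail")
            if audiences and realm.rstrip("/").lower() not in {u.rstrip("/").lower() for u in audiences}:
                findings.append("wsfederation: realm does not match any audienceuris value")
            if not w.get("issuer", "").lower().startswith("https://"):
                findings.append("wsfederation: issuer is not an https URL")
            if w.get("requirehttps", "").lower() == "false":
                findings.append("wsfederation: requirehttps=false; tokens may be accepted over plain HTTP")
    return findings


if __name__ == "__main__":
    for line in lint_web_config(SAMPLE_WEB_CONFIG):
        print(line)
```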

Integrating Acumatica ERP with Azure Active Directory

The integration of Acumatica ERP with Windows Azure Active Directory (Azure AD) provides single sign-on (SSO) and centralized user and access management. You can use an instance of Azure AD, which is a cloud version of the Active Directory service, if your organization is signed up for a Microsoft cloud service, such as Azure or Office 365. With such integration in place, users of your Acumatica ERP instance will use their Azure AD domain credentials for authorization in Acumatica ERP.

Note: You can integrate your Acumatica ERP instance with AD FS or Azure AD, but not with both. These two identity management systems are mutually exclusive because they use the same functionality to connect to Acumatica ERP.

This chapter describes how to integrate Acumatica ERP with Azure AD.

In This Chapter
- Integration with Azure Active Directory
- To Register Your Acumatica ERP Instance on Windows Azure
- To Enable Azure Active Directory Integration for the Acumatica ERP Instance
- To Map Azure Active Directory Groups to Roles in Acumatica ERP
- To Set Up Role Assignment for Domain Users
- To Enable Silent Logon

Integration with Azure Active Directory

You integrate Acumatica ERP with Windows Azure Active Directory (Azure AD) to manage users and access in one place and to provide single sign-on. You create, delete, and manage user accounts by using Azure AD. During integration, you map Azure AD groups to user roles in Acumatica ERP to determine users' access rights.

Requirements

Before you integrate Acumatica ERP with Azure AD, your company must be signed up for a Microsoft cloud service, such as Azure or Office 365, with the Azure Active Directory instance configured. For more information, see Azure Active Directory on the Windows Azure Portal.

Configuration Steps

You can configure integration with Azure AD when you implement Acumatica ERP or at any later time. To integrate an instance of Acumatica ERP with Azure AD, you will perform the following steps:
1. Register your Acumatica ERP instance with the Azure AD instance and obtain the client ID and client secret, as described in To Register Your Acumatica ERP Instance on Windows Azure.
2. Enable integration with Azure AD by modifying the web.config file of the application instance, as described in To Enable Azure Active Directory Integration for the Acumatica ERP Instance.
   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
3. Map the Azure AD groups to Acumatica ERP roles, as described in To Map Azure Active Directory Groups to Roles in Acumatica ERP.

4. Optional: If required, override the roles assigned to any user automatically by selecting the required roles manually. For details, see To Set Up Role Assignment for Domain Users.
5. Optional: If you want to use the Azure AD service as the default identity provider, enable silent logon with Azure AD, as described in To Enable Silent Logon.

User Accounts of Domain Users in Acumatica ERP

After you have enabled integration with the identity management system, user accounts for domain users are created automatically when the users sign in to your Acumatica ERP instance for the first time. The accounts of domain users in Acumatica ERP are based on their accounts in the domain. The password of a domain user in Acumatica ERP is the same as the domain account password. The email address and the first and last name of the user are populated from the domain account as well. However, the login, password, email address, and first and last name are managed through the domain and cannot be changed in Acumatica ERP.

Note: You cannot restore the passwords of domain users by using Acumatica ERP tools. You should restore users' domain credentials by using the tools of Active Directory (AD).

If the number of users or groups in AD is greater than or equal to 1000, information about users and groups from AD is automatically cached by Acumatica ERP to speed up authentication of users. When you make any changes in AD, you can manually synchronize the cached lists of users and groups with AD in Acumatica ERP. If the number of users and groups in AD is less than 1000, Acumatica ERP retrieves the lists of users and groups directly from AD.

Domain User Authentication

After integration of Acumatica ERP with Azure AD, users use single sign-on (SSO) with the domain to sign in to Acumatica ERP. By default, the users follow these steps:
1. On the Welcome page of your Acumatica ERP instance, the user selects the Azure AD icon to open the Azure AD sign-in page.
2. On the sign-in page, the user enters the domain credentials in the following format: <User_Name>@<Domain_Name>, where <User_Name> is the user account name in the integrated domain and <Domain_Name> is the UPN suffix, also known as the domain name.

To simplify the procedure, you can configure silent logon with the Azure AD server. For more information, see To Enable Silent Logon.

Note: If you configured a multi-company instance and selected the Secure Company on Login option on the Company Setup page (see Multi-Company Instances), then users with access to several companies who sign in to Acumatica ERP using single sign-on with an external identity provider will be logged in to the first company with single sign-on enabled.

Domain User Authorization

When a domain user tries to access Acumatica ERP, user authorization occurs as follows:
1. The application instance sends an authentication request to the AD server to validate the user's credentials.
2. When validation has completed successfully, the AD server sends Acumatica ERP the list of AD groups to which the user is assigned.
3. Acumatica ERP compares the list of AD groups with the internal Acumatica ERP roles, based on the mapping rules defined on the User Roles (SM ) form.

4. The system finds any Acumatica ERP roles that are associated with AD groups to which the domain user account is assigned. If Acumatica ERP finds at least one role, the user is authenticated to sign in to the Acumatica ERP instance. The user access rights within the Acumatica ERP application instance are based on the internal list of roles.

For more information about authentication in Acumatica ERP, see User Accounts in Acumatica ERP. For details about roles and access rights in Acumatica ERP, see User Access Rights.

Access Rights of Domain Users

Domain users inherit access rights from the AD groups that you mapped to Acumatica ERP user roles. In addition, you can assign specific user roles to each domain user if the access rights for this user should differ from the AD group rights. New domain users automatically get the rights to sign in to Acumatica ERP when they join a domain. The membership of these users in Acumatica ERP roles is then automatically updated to comply with the membership of the users in the domain groups.

Note: The user type functionality, described in User Types, cannot be applied to domain users.

To Register Your Acumatica ERP Instance on Windows Azure

To integrate your Acumatica ERP instance with Windows Azure Active Directory (Azure AD), you should start by registering your Acumatica ERP instance on Windows Azure and obtaining OAuth 2.0 credentials.

Attention: This topic describes the configuration of third-party software. Please note the following:
- The procedure below is designed for the most common usage scenarios. If you are implementing a more complicated scenario and you encounter difficulties, contact Acumatica ERP technical support.
- The vendor of the third-party software may change the user interface and settings. Therefore, the screen elements and setting names you see may differ from the ones described in the procedure. The procedure will be updated each time information is made available about new common scenarios and changes in the user interface and settings.

Before You Begin
- Your company should have an Azure AD instance configured. For more information, see Azure Active Directory.
- Your company should have a Windows Azure subscription to register your Acumatica ERP instance in Azure AD.

Note: We recommend that you use Internet Explorer to work with Windows Azure, as it was optimized to work in this browser. If you use other browsers, the web interface of Windows Azure may work incorrectly.

To Register Your Application on Windows Azure
1. Sign in to the Windows Azure portal.
2. On the left menu, click the Azure Active Directory icon. If you have one Azure AD instance, it will be opened automatically. If you have multiple instances, click the Azure AD instance where you want to register the application.

3. In the left pane, click App registrations. You will see a list of applications (as shown in the screenshot below) or an empty list, depending on whether any applications were registered previously.

Figure: Windows Azure: Applications registered in Azure AD

4. On the pane toolbar, click Add.
5. On the Create pane (shown in the following screenshot), do the following:
   a. In the Name box, type a name for your Acumatica ERP instance to be displayed in the applications list.
   b. In the Application Type box, select Web app / API.
   c. In the Sign-on URL box, enter the full URL of your Acumatica ERP instance (for example, ...).
   d. Click Create.

Figure: Windows Azure: Register an application

Now your Acumatica ERP instance is registered with Azure AD.

6. In the App registrations list, click the name of the application that you have just created.
7. Obtain the application ID value as follows:
   a. On the Settings pane, click Properties.

   b. On the Properties pane, copy the value of the Application ID box to use it as the client ID in Acumatica ERP (see the screenshot below).

Figure: Windows Azure: Application ID

8. Obtain an access key value as follows:
   a. On the Settings pane, click Keys.
   b. On the Keys pane, select the key duration and click Save. The key value appears in the Value box (see the screenshot below). Copy this value to use it as the client secret in Acumatica ERP.

   Note: You must copy the key value right after clicking Save. Later the value will be hidden.

Figure: Windows Azure: Access Keys

9. Specify permissions as follows:
   a. On the Settings pane, click Required permissions.
   b. Select the following permissions for Windows Azure Active Directory: Access the directory as a signed-in user and Read and write directory data, as shown in the following screenshot.
   c. Click Save.

Figure: Windows Azure: Required permissions

After you have registered your Acumatica ERP instance in Azure AD, you must enable integration with Azure AD for your Acumatica ERP instance, as described in To Enable Azure Active Directory Integration for the Acumatica ERP Instance.

To Enable Azure Active Directory Integration for the Acumatica ERP Instance

After you have registered your Acumatica ERP instance with Windows Azure and obtained the necessary credentials, you should enable integration with Windows Azure Active Directory (Azure AD) for your Acumatica ERP instance.

Before You Begin

Your Acumatica ERP instance has to be registered on the Windows Azure Management portal, as described in To Register Your Acumatica ERP Instance on Windows Azure.

To Enable Azure AD for the Acumatica ERP Instance

1. Open the web.config file, which is located in the folder that contains the application instance website.

   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.

2. In the file, find the activedirectory section within the system.web section and edit it similarly to the example shown below.

      <activedirectory enabled="true" protocol="adal" path="tenant_id"
          dc="domain_name" user="user_name" password="user_password" />

   In the code shown above:
   - Tenant_ID is the DNS domain name of your Azure AD instance, for example, company.onmicrosoft.com. It can be found, for example, in Windows Azure on the Configure page of your Azure AD instance.
   - Domain_Name is the full URL of your Acumatica ERP instance, for example, app.site.net/instance.
   - User_Name is the client ID you obtained when you registered your Acumatica ERP instance on the Azure Management portal.
   - User_Password is the key you obtained when you registered your Acumatica ERP instance on the Azure Management portal.

3. In the audienceuris element within the system.identitymodel section, specify the URL of your Acumatica ERP instance similarly to the example shown below.

      <audienceuris>
        <add value="full_instance_url" />
      </audienceuris>

   In the code shown above, Full_Instance_URL is the full URL of your Acumatica ERP instance, for example, ...

4. In the federationconfiguration element within the system.identitymodel.services section, edit the wsfederation element similarly to the example shown below.

      <wsfederation passiveredirectenabled="false" issuer="..." realm="full_instance_url"
          requirehttps="false" PersistentCookiesOnPassiveRedirects="false" externallogout="true"/>

   In the code shown above:
   - Tenant_ID is the DNS domain name of your Azure AD instance, for example, company.onmicrosoft.com. It can be found, for example, in Windows Azure on the Configure page of your Azure AD instance.
   - Full_Instance_URL is the full URL of the Acumatica ERP instance, for example, app.site.net/instance_name/.
   - externallogout is the parameter that defines whether the system initiates single sign-out across applications when a user signs out of your Acumatica ERP instance. The following values are possible:
     - true: The system initiates single sign-out.
     - false: The system signs out the user from Acumatica ERP only.

5. Save the web.config file. The website restarts automatically.

After you have enabled integration with Azure Active Directory, you need to map Azure AD groups to Acumatica ERP roles, as described in To Map Azure Active Directory Groups to Roles in Acumatica ERP.

To Map Azure Active Directory Groups to Roles in Acumatica ERP

After you have enabled integration with Windows Azure Active Directory (Azure AD), you need to map Azure AD groups to user roles defined in Acumatica ERP by using the User Roles (SM ) form.

Note: The Active Directory tab appears on the form if the integration of Acumatica ERP with Azure AD has been enabled in the web.config file, as described in To Enable Azure Active Directory Integration for the Acumatica ERP Instance.

Before You Begin

Before you start configuring your system, make sure that all the domain users have email addresses configured in Azure AD.

To Map Active Directory Groups to Acumatica ERP Roles

1. Navigate to Configuration > User Security > Manage > User Roles.
2. In the Summary area, in the Role Name box, select the role you want to associate with an Active Directory group (or with multiple groups).
3. On the Active Directory tab, click Add Row.

   Note: The Active Directory tab appears on this form if the integration of Acumatica ERP with AD has been enabled in the web.config file, as described in To Enable Active Directory Integration.

4. In the Group column of the new row, select the AD group that you want to associate with the role.
5. On the form toolbar, click Save.
6. Repeat Steps 2 through 5 for every role that should be mapped to AD groups.

To Remove Mapping of Active Directory Groups to Roles

1. Navigate to Configuration > User Security > Manage > User Roles.
2. In the Summary area, in the Role Name box, select the role for which you want to remove the association with an Active Directory group (or with multiple groups).
3. Click the row that contains the AD group that you want to disassociate from the role, and click Delete Row on the table toolbar.
4. On the form toolbar, click Save.
5. Repeat Steps 2 through 4 for every role for which the mapping with AD groups should be removed.
After you have mapped Azure AD groups to user roles in Acumatica ERP, you can assign specific roles to a particular domain user, as described in To Set Up Role Assignment for Domain Users, or enable silent logon with Azure AD to use the Azure AD service as the default identity provider, as described in To Enable Silent Logon.

To Set Up Role Assignment for Domain Users

When a domain user signs in to Acumatica ERP for the first time, the system adds a user account for this user and assigns roles to the new account based on the mapping between Active Directory (AD) groups and Acumatica ERP roles. For the full integration procedure, see Integration with Azure Active Directory.

If necessary, you can override the automatically assigned roles by selecting the required roles manually for each domain user on the Users (SM ) form.

To Override a User's Role Assignment Based on AD Groups

1. Navigate to Configuration > User Security > Manage > Users.
2. Optional: If the user has never signed in to Acumatica ERP with his or her domain credentials, add a local user account for the domain user as follows:
   a. On the form toolbar, click Add Active Directory User to open the Active Directory User dialog box.
   b. In the Active Directory User box, select the AD user account.
   c. Click OK to close the dialog box and populate the form with the user's information.
3. In the Login box, select the user whose default roles you want to change.
4. In the Selection area, select Override Active Directory Roles with Local Roles.
5. On the Roles tab, select the roles you want to assign to the user.
6. On the form toolbar, click Save.

To Restore AD Group Role Assignment for Domain Users

1. Navigate to Configuration > User Security > Manage > Users.
2. In the Login box, select the domain user for whom you want to restore the default roles.
3. In the Selection area, clear Override Active Directory Roles with Local Roles.
4. On the form toolbar, click Save.

To Enable Silent Logon

To make your users authenticate themselves with a selected identity provider, you enable the silent logon capability and select the identity provider to be used by default.

Before You Proceed

Before you enable silent logon, you need to configure your Acumatica ERP instance to use the external identity provider with which you want to set up silent logon.

If you want to enable silent logon with Google or Microsoft Account, make sure that your users have registered their external accounts with the Acumatica ERP instance, as described in To Activate Your Google or Microsoft Account.

To Enable Silent Logon

1. Open the web.config file for the site instance.

   Note: Usually the file is located in %Program Files%\Acumatica ERP\<instance name>, where <instance name> is the name of the application instance website.

   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.

2. Add the Silentlogin parameter to the <externalauth> section, as shown below.

      <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx"
          silentlogin="{parameter}" />

   Specify one of the following values for the Silentlogin parameter, depending on the identity provider:
   - Federation: To enable silent logon with Microsoft Azure Active Directory or Active Directory Federation Services, depending on your system configuration.
   - Google: To enable silent logon with Google.
   - MicrosoftAccount: To enable silent logon with Microsoft Account.

3. Save your changes to web.config.

To Disable Silent Logon

1. Open the web.config file for the site instance.

   Note: Usually the file is located in %Program Files%\Acumatica ERP\<instance name>, where <instance name> is the name of the application instance website.

   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.

2. Specify the none value for the Silentlogin parameter in the <externalauth> section, as shown below.

      <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx" silentlogin="none" />

3. Save your changes to web.config.

To Override Silent Logon Settings with URL Parameters

You can specify a different external identity provider or disable silent logon by using the SilentLogin URL parameter with a corresponding value in the URL of your Acumatica ERP instance or of a particular form. It overrides the value of the SilentLogin parameter specified in the web.config file. The SilentLogin URL parameter can take the following values.

Parameter         Identity Provider
None              Acumatica ERP
Federation        Microsoft Azure Active Directory or Active Directory Federation Services
Google            Google
MicrosoftAccount  Microsoft Account

Example

To sign in to an Acumatica ERP instance using silent logon with a Google account, you use the following URL:
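The web.config edits in To Enable Azure Active Directory Integration for the Acumatica ERP Instance and in To Enable Silent Logon above touch four sections that must agree with each other. The following Python check is an added example (not Acumatica's code): it reads a web.config, verifies that the activedirectory, audienceuris, wsfederation and externalauth settings are present and consistent, and reports the silent logon value if it is not one of the documented ones. Element and attribute names follow the page text and are matched case-insensitively; the embedded web.config fragment is constructed from placeholders.

```python
"""Consistency check for the Azure AD and silent logon web.config settings.

Added example; not Acumatica code. Element and attribute names follow the page
(activedirectory, audienceuris, wsfederation, externalauth); tags and attribute
names are matched case-insensitively so the check also works if the real file
spells them differently.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Silentlogin values listed on the page (compared case-insensitively).
VALID_SILENT_LOGIN = {"none", "federation", "google", "microsoftaccount"}

# Constructed sample fragment: every value is a placeholder, not a real tenant,
# client ID, secret or issuer. The attribute set follows the page's examples.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <activedirectory enabled="true" protocol="adal" path="company.onmicrosoft.com"
        dc="https://app.example.net/instance/" user="PLACEHOLDER-CLIENT-ID"
        password="PLACEHOLDER-CLIENT-SECRET" />
  </system.web>
  <system.identitymodel>
    <audienceuris>
      <add value="https://app.example.net/instance/" />
    </audienceuris>
  </system.identitymodel>
  <system.identitymodel.services>
    <federationconfiguration>
      <wsfederation passiveredirectenabled="false"
          issuer="https://issuer.example/company.onmicrosoft.com/"
          realm="https://app.example.net/instance/" requirehttps="false"
          PersistentCookiesOnPassiveRedirects="false" externallogout="true" />
    </federationconfiguration>
  </system.identitymodel.services>
  <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx" silentlogin="Federation" />
</configuration>
"""


def _find(root, tag):
    """Return the first element whose tag matches case-insensitively, or None."""
    tag = tag.lower()
    return next((el for el in root.iter() if el.tag.lower() == tag), None)


def _attrs(el):
    """Attribute map with lower-cased keys."""
    return {k.lower(): v for k, v in el.attrib.items()}


def _norm(url):
    """Normalise a URL for comparison: case-insensitive, trailing slash ignored."""
    return url.strip().rstrip("/").lower()


def check_web_config(xml_text):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    root = ET.fromstring(xml_text)

    ad = _find(root, "activedirectory")
    if ad is None:
        findings.append("activedirectory section missing from system.web")
    else:
        a = _attrs(ad)
        if a.get("enabled", "").lower() != "true":
            findings.append("activedirectory enabled is not true")
        if a.get("protocol", "").lower() != "adal":
            findings.append("activedirectory protocol is not adal (required for Azure AD)")
        for name in ("path", "dc", "user", "password"):
            if not a.get(name):
                findings.append(f"activedirectory attribute {name} is empty")

    au = _find(root, "audienceuris")
    audiences = [] if au is None else [_attrs(c).get("value", "") for c in au if c.tag.lower() == "add"]
    if not audiences:
        findings.append("audienceuris lists no instance URL")

    ws = _find(root, "wsfederation")
    if ws is None:
        findings.append("wsfederation element missing")
    else:
        w = _attrs(ws)
        realm = w.get("realm", "")
        if urlsplit(realm).scheme != "https":
            findings.append("wsfederation realm is not an https URL")
        if audiences and _norm(realm) not in {_norm(u) for u in audiences}:
            findings.append("wsfederation realm is not listed in audienceuris; tokens issued for it would fail audience validation")
        if w.get("requirehttps", "").lower() != "true":
            findings.append("wsfederation requirehttps is false: the issuer URL is not required to use HTTPS")
        if w.get("externallogout", "").lower() not in ("true", "false"):
            findings.append("externallogout must be true or false")

    ea = _find(root, "externalauth")
    if ea is not None:
        sl = _attrs(ea).get("silentlogin")
        if sl is not None and sl.lower() not in VALID_SILENT_LOGIN:
            findings.append(f"unknown silentlogin value {sl!r}; expected none, Federation, Google or MicrosoftAccount")
    return findings


if __name__ == "__main__":
    for finding in check_web_config(SAMPLE_WEB_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a copy of your own web.config by passing the file contents to check_web_config; the sample above produces a single finding because, as in the page's example, requirehttps is false.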

Configuring Single Sign-On with Google

Acumatica ERP supports integration with Google by using the OAuth 2.0 standard for providing single sign-on (SSO). After you set up SSO with Google, the employees of your organization can use their Google accounts to access your Acumatica ERP instance as well as Google services. This reduces the number of logins and passwords the users have to remember, thus reducing the risk of identity theft.

With this integration, the Google account provides the only authentication for employees of your company. You set up authorization for users in your Acumatica ERP instance by assigning user types and roles to an Acumatica ERP user account, as described in Managing User Access Rights. Users then need to log in to Acumatica ERP once using their Acumatica ERP login and password in order to assign their own Google account to their user account.

In this chapter, you can find information on setting up SSO with Google for your Acumatica ERP instance.

In This Chapter

- Single Sign-On with Google
- To Register an Acumatica ERP Instance with Google
- To Enable SSO with Google
- To Enable Silent Logon

Single Sign-On with Google

You integrate Acumatica ERP with Google if you want to allow employees of your organization to use their Google accounts to access your Acumatica ERP instance as well as Google services.

Requirements

If you plan to use this integration, we strongly recommend that you host your Acumatica ERP instance (or instances) over HTTPS. For more information, see Setting Up an HTTPS Service in Web Server (IIS).

Configuration Steps

The configuration of single sign-on (SSO) with Google for your Acumatica ERP instance consists of the following steps:

1. You register your Acumatica ERP instance with Google and obtain the OAuth 2.0 credentials, including the client ID and client secret. For details, see To Register an Acumatica ERP Instance with Google.
2. You enable SSO with Google in your Acumatica ERP instance by using the client ID and client secret you obtained in the previous step, as described in To Enable SSO with Google.

   Note: You can enable and disable SSO with Google for your Acumatica ERP instance at any time because Acumatica ERP uses SSO with Google only for verifying user identities. Users can still authenticate themselves by using their Acumatica ERP credentials.

3. Optional: You activate SSO with Google on the Users (SM ) form for each user who will use his or her Google account for authorization in Acumatica ERP. Alternatively, each user can activate SSO with Google for himself or herself on the User Profile (SM ) form. For details, see To Activate Your Google or Microsoft Account.
4. Users of your Acumatica ERP instance associate their Acumatica ERP accounts with their Google accounts. They can do this in either of the following ways:

   - Users click the Associate User button on the User Profile form (for details, see To Activate Your Google or Microsoft Account). The system registers the unique user key associated with the user's Google account with the user's Acumatica ERP account. This way can be used if users activate SSO with Google for their accounts on their own.
   - If the value of the selfassociate parameter in the externalauth section of the web.config file is true (which is the default value), users click the Google icon on the Welcome page of Acumatica ERP, and the system suggests that they enter the credentials of the Acumatica ERP user that should be associated with the Google account. This way can be used when you have activated SSO with Google for each user.
5. Optional: You configure your Acumatica ERP instance to automatically redirect users to the Google sign-in page, as described in To Enable Silent Logon.

   Note: Before you turn on silent logon with Google, ask your users whether all of them can sign in to Acumatica ERP with their Google accounts.

User Authentication

After you have integrated Acumatica ERP with Google accounts, users use SSO with Google services to sign in to Acumatica ERP. By default, each user follows these steps:

1. On the Welcome page of the Acumatica ERP instance, the user clicks the Google icon to open the Google sign-in page.
2. On the sign-in page, the user enters his or her Google account credentials.

To simplify the procedure, you can configure silent logon with Google. For more information, see To Enable Silent Logon.

Note: If you configured a multi-company instance and selected the Secure Company on Login option on the Company Setup page (see Multi-Company Instances), then users with access to several companies who sign in to Acumatica ERP using single sign-on with an external identity provider will be logged in to the first company that has single sign-on enabled.

To Register an Acumatica ERP Instance with Google

For your users to be able to sign in with their Google accounts, you first have to register your Acumatica ERP instance with Google and obtain OAuth 2.0 credentials. This is a necessary step in configuring single sign-on (SSO) for your Acumatica ERP instance. For more information about registering applications in Google, see Google Developers Console Help.

Before You Begin

You should have a Google account that you will use to register your Acumatica ERP instance.

Attention: This topic describes the configuration of third-party software. Please note the following:
- The procedure below is designed for the most common usage scenarios. If you are implementing a more complicated scenario and you encounter difficulties, contact Acumatica ERP technical support.
- The vendor of the third-party software may change the user interface and settings. Therefore, the screen elements and setting names you see may differ from the ones described in the procedure.
- The procedure will be updated each time information is made available about new common scenarios and changes in the user interface and settings.

To Register an Acumatica ERP Instance with Google

1. Sign in to the Google Developers Console.
2. Optional: If you have not created any projects yet and you see the Projects page of the Google Developers Console, as shown in the screenshot below, click Create project and type the project name. Then click your project name to open the API Manager page.

Figure: Active projects

3. Optional: If you created a project previously and you see the API Manager page, go to Step 4 if you want to use the previously created project. If you want to create a new project, select <Project name> > Manage all projects in the top right corner of the page to open the Projects page. (If needed, see Step 2 for information on how to create a project.)
4. On the API Manager page, configure the settings of the consent screen as follows:
   a. In the sidebar on the left, click Credentials and select the OAuth consent screen tab.
   b. Enter at least the following settings, as shown in the screenshot below:
      - Email address
      - Product name shown to users

   Figure: Consent screen configuration

   c. Click Save.
5. Add credentials for the project as follows:

   a. In the sidebar on the left, click Credentials, select the Credentials tab, and then navigate to Create credentials > OAuth client ID, as shown in the screenshot below.

   Figure: Credentials creation

   b. On the Create Client ID page, shown in the screenshot below, enter the information as follows, and then click Create:
      - Application type: Select Web application.
      - Name: Type your application name.
      - Restrictions > Authorized JavaScript origins: Type the root domain of your application site (for example, ...).
      - Restrictions > Authorized redirect URIs: Type the redirect URL of your instance, which is the full URL of your instance with /frames/authdock.ashx appended to the end (for example, ...).

      Note: The box is case-sensitive.

Figure: Create Client ID page

6. Copy the client ID and the client secret for later retrieval (see the screenshot below). You have to register these credentials in your Acumatica ERP instance.

Figure: OAuth 2.0 credentials of the selected project

7. Enable the Google+ API. Do the following:
   a. In the sidebar on the left, click Overview.
   b. On the Google APIs tab, navigate to Social APIs > Google+ API.

   c. On the Google+ API page, click Enable.

After you have registered your Acumatica ERP instance with Google and obtained OAuth 2.0 credentials, you have to enable SSO with Google in your Acumatica ERP instance using these credentials, as described in To Enable SSO with Google.

To Enable SSO with Google

After you have obtained the required credentials from Google, you have to enable single sign-on (SSO) and register these credentials in your Acumatica ERP instance for Google. To do this, you use the Security Preferences (SM ) form.

To Configure SSO in the Acumatica ERP Instance

1. Navigate to Configuration > User Security > Configure > Security Preferences.
2. In the Allowed External Identity Providers table, do the following in the row that corresponds to the Google provider name:
   a. To enable SSO with Google, select the Active check box.
   b. In the Realm column, enter the full URL of your instance, for example, app.site.net/instance_name.
   c. In the Application ID column, paste the client ID generated by Google.
   d. In the Application Secret column, paste the client secret generated by Google.
3. On the form toolbar, click Save.

After you have activated SSO with Google, your users have to register their Google accounts with Acumatica ERP by using the User Profile (SM ) form, as described in To Activate Your Google or Microsoft Account.

To Enable Silent Logon

To make your users authenticate themselves with a selected identity provider, you enable the silent logon capability and select the identity provider to be used by default.

Before You Proceed

Before you enable silent logon, you need to configure your Acumatica ERP instance to use the external identity provider with which you want to set up silent logon.

If you want to enable silent logon with Google or Microsoft Account, make sure that your users have registered their external accounts with the Acumatica ERP instance, as described in To Activate Your Google or Microsoft Account.

To Enable Silent Logon

1. Open the web.config file for the site instance.

   Note: Usually the file is located in %Program Files%\Acumatica ERP\<instance name>, where <instance name> is the name of the application instance website.

   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.

2. Add the Silentlogin parameter to the <externalauth> section, as shown below.

      <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx"
          silentlogin="{parameter}" />

   Specify one of the following values for the Silentlogin parameter, depending on the identity provider:
   - Federation: To enable silent logon with Microsoft Azure Active Directory or Active Directory Federation Services, depending on your system configuration.
   - Google: To enable silent logon with Google.
   - MicrosoftAccount: To enable silent logon with Microsoft Account.

3. Save your changes to web.config.

To Disable Silent Logon

1. Open the web.config file for the site instance.

   Note: Usually the file is located in %Program Files%\Acumatica ERP\<instance name>, where <instance name> is the name of the application instance website.

   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.

2. Specify the none value for the Silentlogin parameter in the <externalauth> section, as shown below.

      <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx" silentlogin="none" />

3. Save your changes to web.config.

To Override Silent Logon Settings with URL Parameters

You can specify a different external identity provider or disable silent logon by using the SilentLogin URL parameter with a corresponding value in the URL of your Acumatica ERP instance or of a particular form. It overrides the value of the SilentLogin parameter specified in the web.config file. The SilentLogin URL parameter can take the following values.

Parameter         Identity Provider
None              Acumatica ERP
Federation        Microsoft Azure Active Directory or Active Directory Federation Services
Google            Google
MicrosoftAccount  Microsoft Account

Example

To sign in to an Acumatica ERP instance using silent logon with a Google account, you use the following URL:
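The Authorized JavaScript origins and Authorized redirect URIs entered in To Register an Acumatica ERP Instance with Google (the Microsoft Account registration later in this guide uses the same /frames/authdock.ashx redirect) are compared literally by the identity provider, so a difference in letter case, a trailing slash or a wrong host is enough to break sign-in. The following Python helper is an added example, not Acumatica, Google or Microsoft code: it derives the expected origin and redirect URI from an instance URL and explains why a registered URI fails to match. The instance URL and registered URIs are constructed placeholders.

```python
"""Derive and check the OAuth redirect settings for an Acumatica ERP instance.

Added example, not Acumatica, Google or Microsoft code. Assumes the
/frames/authdock.ashx redirect handler path given on the page; sample URLs
are constructed placeholders.
"""
from urllib.parse import urlsplit, urlunsplit

# Redirect handler path from the page. Its letter case must match what the
# instance actually sends, because providers compare redirect URIs literally.
AUTHDOCK_PATH = "/frames/authdock.ashx"


def expected_settings(instance_url):
    """Return (authorized_origin, redirect_uri) for an Acumatica ERP instance URL.

    The origin (Google: Authorized JavaScript origins; its host is the Microsoft
    Target Domain) is scheme plus host. The redirect URI is the full instance
    URL with /frames/authdock.ashx appended."""
    parts = urlsplit(instance_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute instance URL: {instance_url!r}")
    origin = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    redirect = urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/") + AUTHDOCK_PATH, "", ""))
    return origin, redirect


def check_registration(instance_url, registered_redirects):
    """Compare the redirect URIs registered at the provider with the one the
    instance will send. Returns a list of findings; empty means the registration matches."""
    origin, redirect = expected_settings(instance_url)
    findings = []
    if urlsplit(redirect).scheme != "https":
        findings.append("instance is not served over HTTPS; authorization codes would travel in clear text")
    if redirect in registered_redirects:
        return findings
    # No literal match: report the usual causes (letter case, trailing slash, wrong host).
    for uri in registered_redirects:
        if uri.lower() == redirect.lower():
            findings.append(f"registered URI differs only in letter case: {uri}")
        elif uri.rstrip("/") == redirect.rstrip("/"):
            findings.append(f"registered URI differs only by a trailing slash: {uri}")
        elif not uri.startswith(origin + "/"):
            findings.append(f"registered URI is not under the instance origin {origin}: {uri}")
    findings.append(f"no registered redirect URI exactly matches {redirect}")
    return findings


if __name__ == "__main__":
    # Constructed placeholders; replace with your instance URL and the URIs you registered.
    url = "https://app.example.net/instance_name"
    print(expected_settings(url))
    for finding in check_registration(url, ["https://app.example.net/instance_name/Frames/AuthDock.ashx"]):
        print(finding)
```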

Configuring Single Sign-On with Microsoft Accounts

Acumatica ERP supports integration with Microsoft Account by using the OAuth 2.0 standard for providing single sign-on (SSO). After you set up SSO with Microsoft Account, the employees of your company can use their Microsoft Accounts to access your Acumatica ERP instance as well as Microsoft services. This reduces the number of logins and passwords the users have to remember, thus reducing the risk of identity theft.

With this integration, Microsoft Account provides the only authentication for employees of your company. You set up authorization for users in your Acumatica ERP instance by assigning user types and roles to an Acumatica ERP user account, as described in Managing User Access Rights. Users then need to log in to Acumatica ERP once using their Acumatica ERP login and password in order to assign their own Microsoft Accounts to their user account.

In this topic, you can find information on setting up SSO with Microsoft Account for your Acumatica ERP instance.

In This Chapter

- Single Sign-On with Microsoft Account
- To Register an Acumatica ERP Instance with Microsoft Account
- To Enable SSO with Microsoft Account
- To Enable Silent Logon

Single Sign-On with Microsoft Account

You integrate Acumatica ERP with Microsoft Account if you want to allow employees of your organization to use their Microsoft Accounts to access your Acumatica ERP instance as well as Microsoft services.

Requirements

If you plan to use this integration, we strongly recommend that you host your Acumatica ERP instance (or instances) over HTTPS. For more information, see Setting Up an HTTPS Service in Web Server (IIS).

Configuration Steps

The configuration of SSO with Microsoft Account for your Acumatica ERP instance consists of the following steps:

1. You register your Acumatica ERP instance with Microsoft Account and obtain the OAuth 2.0 credentials, including the client ID and client secret. For details, see To Register an Acumatica ERP Instance with Microsoft Account.
2. You enable SSO with Microsoft Account in your Acumatica ERP instance by using the client ID and client secret you obtained in the previous step, as described in To Enable SSO with Microsoft Account.

   Note: You can enable and disable SSO with Microsoft Account for your Acumatica ERP instance at any time because Acumatica ERP uses SSO with Microsoft Account only for verifying user identities. Users can still authenticate themselves by using their Acumatica ERP credentials.

3. Optional: You activate SSO with Microsoft Account on the Users (SM ) form for each user who will use his or her Microsoft Account credentials for authorization in Acumatica ERP.

   Alternatively, each user can activate SSO with Microsoft Account for himself or herself on the User Profile (SM ) form. For details, see To Activate Your Google or Microsoft Account.
4. Users of your Acumatica ERP instance associate their Acumatica ERP accounts with their Microsoft Account credentials. They can do this in either of the following ways:
   - Users click the Associate User button on the User Profile form (for details, see To Activate Your Google or Microsoft Account). The system registers the unique user key associated with the user's Microsoft Account with the user's Acumatica ERP account. This way can be used if users activate SSO with Microsoft Account for their accounts on their own.
   - If the value of the selfassociate parameter in the externalauth section of the web.config file is true (which is the default value), users click the Microsoft icon on the Welcome page of Acumatica ERP, and the system suggests that they enter the credentials of the Acumatica ERP user that should be associated with the Microsoft Account. This way can be used when you have activated SSO with Microsoft Account for each user.
5. Optional: You can configure your Acumatica ERP instance to automatically redirect users to the Microsoft Account sign-in page, as described in To Enable Silent Logon.

   Note: Before you turn on silent logon with Microsoft Account, ask your users whether all of them can sign in to Acumatica ERP with their Microsoft Account credentials.

User Authentication

After you have integrated Acumatica ERP with Microsoft Account, users use single sign-on (SSO) with Microsoft services to sign in to Acumatica ERP. By default, the users follow these steps:

1. On the Welcome page of the Acumatica ERP instance, the user clicks the Microsoft icon to open the Microsoft sign-in page.
2. On the sign-in page, the user enters his or her Microsoft account credentials.

To simplify the procedure, you can configure silent logon with Microsoft Account. For more information, see To Enable Silent Logon.

Note: If you configured a multi-company instance and selected the Secure Company on Login option on the Company Setup page (see Multi-Company Instances), then users with access to several companies who sign in to Acumatica ERP using single sign-on with an external identity provider will be logged in to the first company that has single sign-on enabled.

To Register an Acumatica ERP Instance with Microsoft Account

For your users to be able to sign in with their Microsoft accounts, you first have to register your Acumatica ERP instance with Microsoft Account and obtain OAuth 2.0 credentials. This is a necessary step in configuring single sign-on (SSO) for your Acumatica ERP instance.

Before You Begin

You should have a Microsoft account that you will use to register your Acumatica ERP instance. For more information about Microsoft accounts, see the Microsoft account home page.

Attention: This topic describes the configuration of third-party software. Please note the following:
- The procedure below is designed for the most common usage scenarios. If you are implementing a more complicated scenario and you encounter difficulties, contact Acumatica ERP technical support.
- The vendor of the third-party software may change the user interface and settings. Therefore, the screen elements and setting names you see may differ from the ones described in the procedure.

- The procedure will be updated each time information is made available about new common scenarios and changes in the user interface and settings.

To Register Your Application with Microsoft Account

1. Sign in to the Microsoft Account Developer Center.
2. In the Live SDK applications section, click Add an app, as shown in the screenshot below.
   Figure: My Applications
3. In the New Application Registration window, type a name for your application and click Create application, as shown in the screenshot below.
   Figure: New Application Registration
4. To configure the application, on the Application Registration page, do the following:
   a. In the Web frame of the Platforms section, enter the following settings, as shown in the screenshot below:
      - Allow Implicit Flow: selected
      - Restrict token issuing to this app: selected
      - Target Domain: The root domain of your application site, for example, app.site.net
      - Redirect URIs: The redirect URL of your instance, which is the full URL of your instance with /frames/authdock.ashx appended to the end, for example, app.site.net/instance_name/frames/authdock.ashx

      Figure: Platforms
   b. Optional: In the Profile section, upload the logo and enter the terms of service URL and the privacy and cookies policy URL.
5. On the Application Registration page, copy the application ID and the application secret (see the screenshot below) for later retrieval.
   Figure: Application Registration

After you have registered your Acumatica ERP instance with Microsoft Account and obtained OAuth 2.0 credentials, you have to enable SSO with Microsoft Account in your Acumatica ERP instance by using these credentials, as described in To Enable SSO with Microsoft Account.

To Enable SSO with Microsoft Account

After you have obtained the required credentials from Microsoft Account, you have to enable single sign-on (SSO) and register these credentials in your Acumatica ERP instance for Microsoft Account. To do this, you use the Security Preferences (SM ) form.

To Configure SSO in the Acumatica ERP Instance

1. Navigate to Configuration > User Security > Configure > Security Preferences.
2. In the Allowed External Identity Providers table, do the following in the row with the MicrosoftAccount provider name:
   a. To enable SSO with Microsoft account, select the Active check box.
   b. In the Realm column, enter the full URL of your instance, for example, app.site.net/instance_name.
   c. In the Application ID column, paste the client ID generated by Microsoft.

   d. In the Application Secret column, paste the client secret generated by Microsoft.
3. On the form toolbar, click Save.

After you have activated SSO with Microsoft account, your users have to register their Microsoft accounts with Acumatica ERP by using the User Profile (SM ) form, as described in To Activate Your Google or Microsoft Account.

To Enable Silent Logon

To make your users authenticate themselves with a selected identity provider, you enable the silent logon capability and select the identity provider to be used by default.

Before You Proceed

Before you enable silent logon, you need to configure your Acumatica ERP instance to use the external identity provider with which you want to set up silent logon. If you want to enable silent logon with Google or Microsoft Account, make sure that your users have registered their external accounts with the Acumatica ERP instance, as described in To Activate Your Google or Microsoft Account.

To Enable Silent Logon

1. Open the web.config file for the site instance.
   Note: Usually the file is located in %Program Files%\Acumatica ERP\<instance name>, where <instance name> is the name of the application instance website.
   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.
2. Add the Silentlogin parameter to the <externalauth> section, as shown below.
   <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx" silentlogin="{parameter}" />
   Specify one of the following values for the Silentlogin parameter, depending on the identity provider:
   - Federation: To enable silent logon with Microsoft Azure Active Directory or Active Directory Federation Services, depending on your system configuration.
   - Google: To enable silent logon with Google.
   - MicrosoftAccount: To enable silent logon with Microsoft Account.
3. Save your changes to web.config.
To Disable Silent Logon

1. Open the web.config file for the site instance.
   Note: Usually the file is located in %Program Files%\Acumatica ERP\<instance name>, where <instance name> is the name of the application instance website.
   Note: After you save changes to the web.config file, the website is automatically restarted. Make sure that all users are warned about the restart so that they can save their documents in advance.

2. Specify the none value for the Silentlogin parameter in the <externalauth> section, as shown below.
   <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx" silentlogin="none" />
3. Save your changes to web.config.

To Override Silent Logon Settings with URL Parameters

You can specify a different external identity provider or disable silent logon by using the SilentLogin URL parameter with a corresponding value in the URL of your Acumatica ERP instance or of a particular form. It overrides the value of the SilentLogin parameter specified in the web.config file. The SilentLogin URL parameter can take the following values.

Parameter: Identity Provider
- None: Acumatica ERP
- Federation: Microsoft Azure Active Directory or Active Directory Federation Services
- Google: Google
- MicrosoftAccount: Microsoft Account

Example

To sign in to an Acumatica ERP instance using silent logon for a Google account, you use the following URL:
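The following script is an added example and not part of this guide or of Acumatica ERP. It reads the <externalauth> section of a web.config, resolves the silent logon provider the way the procedures above describe (a SilentLogin URL parameter overrides the web.config value, and the only documented values are None, Federation, Google, and MicrosoftAccount), and reports what the selfassociate setting means for users who have not yet associated an external account. The web.config text in the script is constructed for the example; the attribute names are the ones shown in this guide, and the script lower-cases them so that casing in a particular file does not matter.

```python
"""Added example, not Acumatica's own code: read the <externalauth> section of an
Acumatica ERP web.config and resolve the silent logon setting as the guide
describes (a SilentLogin URL parameter overrides web.config). The attribute names
returnurl, authurl, silentlogin and selfassociate are the ones the guide shows;
the sample web.config text below is constructed for this example."""
import xml.etree.ElementTree as ET

# Provider values the guide documents for silentlogin (web.config) / SilentLogin (URL).
VALID_SILENTLOGIN = {"none", "federation", "google", "microsoftaccount"}

# Constructed sample: silent logon routed to Google, self-association at its default.
SAMPLE_WEB_CONFIG = """<configuration>
  <externalauth returnurl="main.aspx" authurl="frames/authdock.ashx"
                silentlogin="Google" selfassociate="true" />
</configuration>"""


def parse_externalauth(config_text):
    """Return the <externalauth> attributes with lower-cased names, or None if
    the section is absent. Names are lower-cased so the check does not depend
    on the casing used in a particular web.config."""
    root = ET.fromstring(config_text)
    node = root.find("externalauth")
    if node is None:
        return None
    return {name.lower(): value for name, value in node.attrib.items()}


def effective_silentlogin(attrs, url_param=None):
    """Provider that silent logon will use: the SilentLogin URL parameter wins,
    then the web.config attribute; a missing attribute means silent logon is off."""
    value = url_param if url_param is not None else attrs.get("silentlogin", "none")
    value = value.strip().lower()
    if value not in VALID_SILENTLOGIN:
        raise ValueError(f"unsupported silentlogin value: {value!r}")
    return value


def review(attrs, url_param=None):
    """Findings an administrator would check before enabling silent logon.
    Returns (provider, selfassociate, findings)."""
    provider = effective_silentlogin(attrs, url_param)
    # The guide states that selfassociate defaults to true when not specified.
    self_associate = attrs.get("selfassociate", "true").strip().lower() == "true"
    findings = []
    if provider == "none":
        findings.append("silent logon is disabled; users sign in from the Welcome page")
        return provider, self_associate, findings
    findings.append(f"every sign-in is redirected to the {provider} provider")
    if provider in ("google", "microsoftaccount"):
        if self_associate:
            findings.append("selfassociate is true: an unassociated external account "
                            "is prompted for the local credentials to associate with")
        else:
            findings.append("selfassociate is false: users associate their external "
                            "accounts themselves on the User Profile form")
    return provider, self_associate, findings
```

Run `review(parse_externalauth(open("web.config").read()))` against a real instance's file to see the effective provider before restarting the site; pass a second argument such as `"None"` to see what a SilentLogin URL parameter would change.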

Managing Security Policies in Acumatica ERP

If your organization employs security policies for all information systems you use, you can enforce them in Acumatica ERP as well. The system gives you the ability to implement system-wide security policies for user accounts and passwords, and to audit security events. In this chapter, you will find information on implementing security policies in Acumatica ERP.

In This Chapter
- Security Policies in Acumatica ERP

Security Policies in Acumatica ERP

Acumatica ERP provides a wide range of tools for security control. You can implement your organization's security regulations by configuring and maintaining system-wide security policies for user accounts, password policies, and security auditing. You can also specify password security policies for individual user accounts, as described in User Accounts in Acumatica ERP. This topic describes system-wide security policies in Acumatica ERP and ways you can audit security events.

System-Wide Account Lockout Policies

You can configure the system to lock out a user account after a particular number of failed login attempts. This configuration option helps to stop an unauthorized person who might be trying to gain system access by guessing a user's password. On the Security Preferences (SM ) form, you can specify the following system-wide parameters:
- The number of failed login attempts that will cause a user account to be locked out
- The duration of the account lockout, that is, the number of minutes the user account remains locked before the system automatically unlocks it
- The time period before the system resets the counter of failed login attempts

System-Wide Password Policies

In Acumatica ERP, you can use the Security Preferences (SM ) form to set up the password policies for all user accounts defined in the system.
Note: If your Acumatica ERP instance is integrated with Active Directory, the password policy for domain users is set at the domain level through Active Directory. For more information about the integration of Acumatica ERP with Active Directory, see Integration with Active Directory.

You can set up any of the following system password policy parameters:
- Password duration: For maximum security, we recommend that users change passwords periodically, such as every 90 to 180 days. Shorter ranges can reduce the security of accounts, because users may use simple passwords or struggle to frequently create complex, memorable passwords, which encourages them to write down these passwords.
- Password length: You can set a minimum required password length.
- Password complexity: You can enforce password complexity requirements, which means that a new password must include at least three of the following:

  - Latin uppercase letters (A to Z)
  - Latin lowercase letters (a to z)
  - Digits (0 through 9)
  - Special characters (such as +, :, =, and -)
- Password validation mask: You can configure an additional password validation mask to enforce your company's password policy. You can specify a regular expression to enforce additional regulations, for example, to exclude some special characters that are not supported by third-party software (if used).

To improve password security, a hashing algorithm is used to process passwords, and only hash values are stored in the database.

Security Auditing

Acumatica ERP can monitor and record system events with the security auditing provided by the User Security module. On the Security Preferences (SM ) form, you can select the types of events the system will monitor and set up the time period for which the audit trail must be kept. Events to be audited can include any of the following:
- Successful login.
- Unsuccessful login attempts.
- User logout.
- Session expiration.
- Form access.
  Note: The event is logged only once for each form during a user session (when the user first opens the form).
- Exceeding the maximum number of users specified in the license.
- Successful sending of an email.
- Failed sending of an email.
- Customization publishing. For more information, see the Acumatica ERP Customization Guide.
- Access to Acumatica ERP data through a generic inquiry that has been exposed by using the OData protocol. For more information on support for OData in Acumatica ERP, see OData Support.

You use the Access History (SM ) form to view the audit trails. The audit trail for the event type shows the time when the event took place, the user who performed the operation, the IP address from which the user signed in to the system, and other parameters, depending on the event type. You can filter the events by user, date range, and operation type.
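The following model is an added example and not Acumatica ERP code. It shows how the two system-wide policies described above behave: the account lockout policy (failed-attempt threshold, lockout duration, and the reset period for the failed-attempt counter) and the password policy (minimum length, the three-of-four character class rule, and an optional validation mask as a regular expression). Parameter names and default values are chosen for the example, the reset window is assumed to be measured from the most recent failed attempt, and any non-alphanumeric character is counted as a special character.

```python
"""Added example, not Acumatica's own code: a model of the system-wide account
lockout and password policies described in this topic. Parameter names and
defaults are chosen for this example; the reset window is assumed to count from
the most recent failed attempt, and any non-alphanumeric character counts as a
special character for the complexity rule."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockoutPolicy:
    max_failed_attempts: int = 5     # failed logins that trigger a lockout
    lockout_minutes: int = 15        # minutes the account stays locked
    reset_window_minutes: int = 10   # quiet period after which the counter resets


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_complexity: bool = True        # at least three of the four classes
    validation_mask: Optional[str] = None  # additional regular expression, if any


@dataclass
class AccountState:
    failed_attempts: int = 0
    last_failure_at: Optional[float] = None  # model clock, in minutes
    locked_until: Optional[float] = None


def is_locked(state: AccountState, now: float) -> bool:
    return state.locked_until is not None and now < state.locked_until


def record_login(state: AccountState, policy: LockoutPolicy, now: float, success: bool) -> bool:
    """Apply one login attempt at model time `now` (minutes).
    Returns True if the attempt is accepted, False if it is rejected."""
    if is_locked(state, now):
        return False                      # locked: rejected even with correct credentials
    if state.locked_until is not None:    # lockout duration elapsed: automatic unlock
        state.locked_until = None
        state.failed_attempts = 0
        state.last_failure_at = None
    if success:
        state.failed_attempts = 0
        state.last_failure_at = None
        return True
    # Failed attempt: the counter restarts once the reset window has passed quietly.
    if state.last_failure_at is not None and now - state.last_failure_at >= policy.reset_window_minutes:
        state.failed_attempts = 0
    state.failed_attempts += 1
    state.last_failure_at = now
    if state.failed_attempts >= policy.max_failed_attempts:
        state.locked_until = now + policy.lockout_minutes
    return False


# The four character classes of the complexity requirement.
CHARACTER_CLASSES = (
    ("uppercase", re.compile(r"[A-Z]")),
    ("lowercase", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special", re.compile(r"[^A-Za-z0-9]")),
)


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity:
        present = [name for name, rx in CHARACTER_CLASSES if rx.search(password)]
        if len(present) < 3:
            problems.append(f"only {len(present)} of 4 character classes: {present}")
    if policy.validation_mask is not None and re.fullmatch(policy.validation_mask, password) is None:
        problems.append("does not match the validation mask")
    return problems
```

A validation mask such as `[^"']*` is the kind of expression the text has in mind: it rejects passwords containing quotation marks that downstream software might not handle, while the length and complexity rules are checked separately.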

Managing User Access Rights

In Acumatica ERP, access to information is controlled primarily by the roles assigned to the user who logs in to the system. Roles generally correspond to particular job assignments or functions of groups of users. When they log in, the users authenticate themselves, and the associated roles determine which system resources they may access. In this chapter, you will find information on Acumatica ERP roles and access rights for users.

In This Chapter
- User Access Rights
- Role-Based Access
- Access Rights for Roles
- Levels of Access Rights

User Access Rights

To access Acumatica ERP, users must pass authentication to confirm their identity (see User Accounts in Acumatica ERP). Then users pass authorization, which determines their access rights to system resources, such as suites, modules, and forms. Users can access only the resources they are allowed to use and perform only the actions they are authorized to perform, based on their access rights. If Acumatica ERP is integrated with Microsoft Active Directory, Microsoft Active Directory Federation Services, or Microsoft Azure Active Directory, the user's roles may be automatically assigned based on Active Directory groups. For details, see Integration with Active Directory, Integration with AD FS, and Integration with Azure Active Directory. In this topic, user access rights in Acumatica ERP are described.

Configuration of User Access Rights

You need to perform the following steps to set up access rights to system resources for users in Acumatica ERP:
1. You create user roles on the User Roles (SM ) form according to the responsibilities of your organization's employees who will work with Acumatica ERP. For details, see Role-Based Access.
2. You set up access rights for user roles to Acumatica ERP resources, depending on the tasks performed by users with these user roles. For details, see Access Rights for Roles.
3. You assign user roles to user accounts to provide users of your Acumatica ERP instance with access rights to system resources. You can do this in two ways:
   - To assign multiple users a selected role, use the User Roles (SM ) form. For example, you use this way when you have created a new role and want to assign it to existing users.
   - To assign multiple roles to a selected user, use the Users (SM ) form. For example, you use this way when you have created a new user account and want to assign it existing roles. User account configuration is described in User Accounts in Acumatica ERP.
4. Optional: You use user types to simplify the assignment of user roles to users. For details, see User Types.

5. Optional: You delegate to external users the rights to create users; for instance, you might delegate these rights to external administrators of Self-Service Portal, as described in To Delegate the Right to Create Users.

Ability to Track Access Rights

You can track access rights to different objects by using the following forms:
- Access Rights by Screen (SM ): Gives you the ability to build a report to view access rights by each system object (a suite, a module, or a form).
- Access Rights by Role (SM ): Gives you the ability to view access rights by each user role.
- Access Rights by User (SM ): Gives you the ability to view the access rights of each user to every system object.

Role-Based Access

Acumatica ERP uses roles to restrict access to the system. You assign users one role or multiple roles, and based on these assignments, the users are then granted the appropriate levels of access to system objects. You never assign access rights to individual users. With this approach, you can quickly and easily control access to system objects because changing the access rights of a role affects all the users with the role assigned. A user with no role assigned has no access to system resources.

Roles

Users who work with Acumatica ERP have specific job responsibilities that define their access level to financial and other suites, modules, forms, records, and operations on the records. User roles in Acumatica ERP are sets of access rights designed for convenient management of access rights for users with similar responsibilities in the system. On the User Roles (SM ) form, you create a role and assign it to as many user accounts as needed. If you need to change access rights for all users assigned to a role, you change the settings of the role instead of editing each user's permissions. When new users are hired in your organization, you assign a role to each new user. When existing users change their position in the company, you simply change the set of roles according to their new responsibilities.

We recommend that you configure the roles so that a user with a role has only the access rights necessary to perform typical tasks. It is better to give a user multiple roles than to create complicated roles that overlap with existing ones. For example, suppose that the Accounting Manager role has broader access rights than the Accountant role. Instead of giving the Accounting Manager role the same privileges the Accountant role has, give a user in a managerial position the Accountant role along with the Accounting Manager role. For more information, see Access Rights for Roles.

Note: The process of defining task-based roles requires in-depth knowledge of both the organization's business processes and the Acumatica ERP approach to security.

Built-In Roles

For ease of defining and administering roles, Acumatica ERP provides a set of built-in roles that are stored in the System company (for details, see Support of Multiple Companies). Built-in roles are always supplied with the system and cannot be deleted. Some of these roles grant the users access to special functionality, and some of the roles are used by the system and should not be assigned to users manually. The following built-in roles are available in the system:
- Administrator: A user with this role has full access to all system objects, and any access restrictions to system objects are not applied to this role. Therefore we recommend that you assign users to this role only during initial system setup so they can define roles and enter users. Then assign the role only in extraordinary cases. We recommend that you create a user role for system administrators with access only to the Acumatica ERP suites and modules that are used for configuration and management of the system.
- Anonymous: This role is reserved for system use.
- DashboardDesigner: The system automatically designates this role as the dashboard owner role for dashboards that were created in previous versions of Acumatica ERP. We recommend that you create specific roles for users who should own particular dashboards. For details, see Dashboard Pages.
- BI: A user with this role can access the BI Views, that is, the preconfigured generic inquiries that are exposed through the OData protocol, such as BI-Opportunities. For more information, see OData Support.
- Customizer: A user with this role can customize Acumatica ERP applications. For details, see To Assign the Customizer Role to a User Account.
- Field-Level Audit: A user with this role can view the audit trail directly from an audited form. For details, see Management of Access to Field-Level Audit Functionality.
- Guest: This role is used for backward compatibility.
- Internal User: A user with this role can change personal settings and view Help. It is automatically assigned to all user accounts linked with the Employee user type.
- Portal Admin: A user with this role can access the Acumatica Self-Service Portal Configuration suite and configure Self-Service Portal. For more information about Acumatica Self-Service Portal, see Self-Service Portal.
- Portal User: A user with this role can access Self-Service Portal. You should assign this role only to contacts who must have access to Self-Service Portal. For more information about Acumatica Self-Service Portal, see Self-Service Portal.
- ReportDesigner: A user with this role can publish reports in Acumatica ERP. Any user can create reports in Report Designer, but for publishing reports in Acumatica ERP, the user needs to be granted this role.
- Wiki Admin: A user with this role can set other users' access rights to wikis. For details, see Wiki Access Management.
- Wiki Author: A user with this role can create wiki articles. For details, see Wiki Access Management.

Guest Roles

Users from outside your organization may need access to your Acumatica ERP instance if they are partners or customers of your organization. We recommend that they access the necessary data through Acumatica Self-Service Portal. You can perform the following steps to provide external users with the rights to use Acumatica Self-Service Portal:
1. You create a contact-related user type on the User Types (EP ) form, as described in To Add a User Type.
2. You add at least one user role with the Guest Role check box selected to the list of allowed roles of the created user type. You can use the built-in Portal User role or create a new one.
3. You assign the external user account the created user type, as described in To Create a Local User Account.

For more information, see Managing Access to Self-Service Portal.

Roles and Access Rights

In Acumatica ERP, you can control a role's access to system entities, from the suite level, which is the broadest, down to the form element level, which is the most specific. The available levels of access depend on the system entity type. For more information about configuring access rights, see Access Rights for Roles.

An Example of Roles and Access Rights

Consider an example of some roles a business might set, as shown in the illustration below (with full or Delete access rights shown in blue and View Only access rights shown in purple):
- Accountant: Allows its members full access to journal entries and schedules, and limited (View Only) access to allocations.
- AR Administrator: Allows its members full access to Accounts Receivable documents; these members may also view Accounts Payable documents and budgets.
- AP Administrator: Allows its members full access to Accounts Payable documents; in addition, users with the role may view Accounts Receivable documents and budgets.
- Accounting Manager: Allows its members full access to allocations and budgets; these members may view other user accounts too.
- Security Officer: Allows its members full access rights to user accounts, roles, and restriction groups.

Figure: Roles and User Access to Entities

Note that some users have only one role assigned, while other users have multiple roles, in accordance with their responsibilities. A user's access to an entity is defined by the most permissive level of access among the roles assigned to this user. With the roles shown here, User 6 (with both the Accounting Manager and AP Administrator roles assigned) has full access to budgets from the Accounting Manager role, rather than view-only access from the AP Administrator role.

Access Rights for Roles

Most users can access only particular Acumatica ERP suites and modules. Among users who can access a suite or a module, some users are allowed to access only a few forms within the module, while others are allowed to access all forms within the module. To restrict the access rights that users have to system objects, you assign users roles, as described in Role-Based Access. For example, you define the Junior Accountant and Senior Accountant roles. Users with both roles will work with the Accounts Payable module. Users with the Junior Accountant role assigned can only enter bills, while users with the Senior Accountant role assigned can enter bills and approve them for payment.

There are two ways to set up access rights for roles in Acumatica ERP:
- To set up access rights for a particular role to multiple system objects, you use the Access Rights by Role (SM ) form. For example, you use this way when you have created a new role and want to set up access to all necessary forms for it. For details, see To Configure Access Rights for a Selected User Role.
- To set up access rights to a particular system object (a suite, a module, a form, or a form element) for multiple roles, you use the Access Rights by Screen (SM ) form. You use this way when you want to configure access rights suite by suite, module by module, or form by form. For details, see To Configure Access Rights to System Objects.

The specific levels of access rights to system objects you select for roles depend on the object type (suite, module, form, or form element) for which you are specifying access rights. For some objects, you can only permit or deny access, but for others you can set up partial access (for example, view-only access). For details about levels of access rights for system objects in Acumatica ERP, see Levels of Access Rights.
Note: You have to be very careful when you assign multiple roles to a user account because these roles may have different levels of access rights to system objects. For details, see Access Rights Level for a User Account.

This topic describes the most common tasks of access rights configuration.

Initial Setup of Access Rights

After you have installed Acumatica ERP and created user roles, all roles that you have created have the Not Set access level for all suites, modules, and forms.

Important: The Not Set access level indicates that all roles have access to the suite or the module until Revoked or Granted access rights are set for the suite or the module for at least one role. All roles with the Not Set level are then denied access to the suite or module.

You need to set up the access rights that roles have to the system objects (suites, modules, and forms) that will be used by users with the roles in their work. The most frequent scenarios of access rights setup are the following:
- The role should have access to a suite and all modules and forms within the suite, or to a module and all forms within it. For example, suppose that chief accountants should work with the Finance suite and all modules and forms within this suite. For the role you define for chief accountants, you can specify the access rights level for a system object on a higher level and apply this access rights level to all nested objects. For a detailed procedure, see To Initially Configure Access Rights.
- Users with the role should work with particular modules within a suite and with particular forms within a module. For example, suppose that junior accountants should work only with particular forms within the Accounts Payable module. For the role you set up for these accountants, you need to set up access rights to nested system objects manually. For a detailed procedure, see To Configure Access Rights for a Selected User Role.
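The following model is an added example and not Acumatica ERP code. It shows what "apply this access rights level to all nested objects" does for the first scenario above, using the propagation rules given in the Levels of Access Rights topic of this guide: setting a suite from Not Set to Granted changes its Not Set modules to Granted and its Not Set forms to Delete, setting it to Revoked changes them all to Revoked, objects that already have an explicit level keep it, and a later reset can return either the suite alone or the suite with all nested objects to Not Set. The suite, module, and form names are constructed for the example.

```python
"""Added example, not Acumatica's own code: a model of setting a role's access
level on a suite and applying it to all nested objects, and of resetting it to
Not Set, following the propagation rules given in the Levels of Access Rights
topic of this guide. The suite, module and form names are constructed."""
from typing import Dict, List

NOT_SET = "Not Set"

# Constructed hierarchy: module -> forms, all belonging to one suite.
FINANCE_SUITE: Dict[str, List[str]] = {
    "General Ledger": ["Journal Transactions", "Allocations"],
    "Accounts Payable": ["Bills and Adjustments", "Checks and Payments"],
}


def new_role_rights(suite_name: str, suite: Dict[str, List[str]]) -> Dict[str, str]:
    """A newly created role has every suite, module and form at Not Set."""
    rights = {suite_name: NOT_SET}
    for module, forms in suite.items():
        rights[module] = NOT_SET
        for form in forms:
            rights[form] = NOT_SET
    return rights


def apply_to_nested(rights: Dict[str, str], suite_name: str,
                    suite: Dict[str, List[str]], level: str) -> Dict[str, str]:
    """Set the suite level and push it down to nested objects still at Not Set:
    Granted -> modules Granted, forms Delete; Revoked -> modules and forms Revoked.
    Objects that were already set explicitly keep their level."""
    if level not in ("Granted", "Revoked"):
        raise ValueError("only Granted or Revoked can be applied to nested objects")
    rights[suite_name] = level
    form_level = "Delete" if level == "Granted" else "Revoked"
    for module, forms in suite.items():
        if rights[module] == NOT_SET:
            rights[module] = level
        for form in forms:
            if rights[form] == NOT_SET:
                rights[form] = form_level
    return rights


def reset_to_not_set(rights: Dict[str, str], suite_name: str,
                     suite: Dict[str, List[str]], include_nested: bool) -> Dict[str, str]:
    """Reset the suite to Not Set, and optionally all of its modules and forms too."""
    rights[suite_name] = NOT_SET
    if include_nested:
        for module, forms in suite.items():
            rights[module] = NOT_SET
            for form in forms:
                rights[form] = NOT_SET
    return rights
```

The check in `apply_to_nested` that skips objects already set explicitly is the reason the second scenario above (junior accountants limited to particular forms) is best configured form by form before, not after, a suite-level Granted is applied.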

Management of Access Rights

During ongoing maintenance of Acumatica ERP, you may have tasks to change roles' access rights to some system objects (suites, modules, forms, and form elements). You can change these access rights in different ways, depending on your task:
- If you want users with a particular role to work with all forms within a suite or a module (for example, users with the Chief Accountant role should have access to the whole Finance suite), for the role, you set the Granted access level for the suite and all its modules, and the Delete access level for all forms within all modules.
- If you want to hide a suite or a module from users with a particular role in the Acumatica ERP user interface so these users cannot work with it (for example, warehouse workers should work only with the Distribution and Help suites and should not see all other suites in the system), you set the Revoked access rights level for the suite and for all modules and forms within the suite.
- Suppose you want to forbid a particular role's access to a suite and its nodes but permit access to a particular form within the suite so that a user with the role can access it from another form. For example, a user with the Junior System Administrator role should not have access to the Organization suite as a whole, but he or she needs to use the Contacts (CR ) and Employees (EP ) forms to create user accounts (for details on user account creation, see User Accounts in Acumatica ERP). In this case, for the role, you set the Revoked access rights level for the suite and its modules and the Delete access level for the form.
- If you want to restrict access to a particular form element (for example, only a user with the Chief Accountant role can release documents on the Payments and Applications (AR ) form), you set the Edit access rights level for this element for the role that should use it, and the Revoked access rights level for all roles that should not use it.
- If you need to reset access rights for a user role to whole suites or modules, you can reset access rights to Not Set for this role for all modules and forms within the suite or module. For a detailed procedure, see To Reset Access Rights to a Suite or a Module.
- If you want to configure a role for the users who will be working with wikis, including the Help wiki, you give the role access to the following:
  - The wiki suite and module, by using the Access Rights by Role (SM ) or Access Rights by Screen (SM ) form.
  - The wiki articles, by using the Wiki Access by Role (SM ) form.
  For details about managing access to wikis, see Wiki Access Management.

Levels of Access Rights

With Acumatica ERP, you can control access to system objects at broad and granular levels, down to the control of form elements, such as buttons, text boxes, and check boxes. Users are assigned to roles, and you give these roles the appropriate levels of access rights (or access levels) to system objects: suites, modules, forms, and form elements.

Note: You have to be very careful when you assign multiple roles to a user account because these roles may have different levels of access rights to system objects. For details, see Access Rights Level for a User Account.

You use the Access Rights by Role (SM ) and Access Rights by Screen (SM ) forms to manage access rights. For more information about access rights, see User Access Rights. This topic describes the levels of access rights available to system objects.

Access Rights at the Suite and Module Levels

The following table summarizes the levels of access rights that roles can have to the suites and modules of Acumatica ERP.

Level: Description
- Not Set: Allows all roles to have access to the suite or the module until the Revoked or Granted access level is set for the suite or module for at least one role. After that, a role with this level is denied access to the suite or module.
- Revoked: Denies the role access to the suite or module and its forms; for users with the role, the suite or module and its contents do not appear on the screen. However, a role with this access level to a module may have access to the functionality of the forms within it. A user with such a role can access forms within the module only from other forms that have commands that cause the system to open the form (if applicable); the user will not be able to view the forms on the navigation pane.
- Granted: Allows the role access to the suite or module. You can, however, limit or revoke access to particular forms within the module. Only a user with a role with an access level to a form higher than Revoked can access it by clicking the suite and module on the main menu and then clicking the form on the navigation pane.
- View Only: Allows the role access to the suite or module. You can, however, limit or revoke access to particular forms within the module. Only a user with a role with an access level to a form higher than Revoked can access it by clicking the suite and module on the main menu and then clicking the form on the navigation pane.

Note: You can set up access rights to individual forms in the Hidden node (which cannot be accessed from the main menu) on the site map, but not to the node itself.
If you change a role's access level to a suite from Not Set to Granted or Revoked, and apply this access level to all nested objects, the role's access rights to the modules and forms of the suite that have the Not Set access level are changed as follows:
- If you set the access level for the suite to Granted, the access level to the modules of the suite is changed to Granted, and the access level to the forms of the suite is changed to Delete (which allows full access to the form and its functionality).
- If you set the access level for the suite to Revoked, the access levels to the modules and forms of the suite are changed to Revoked.

Access configuration works similarly for a module with the Not Set access level and the forms within it. The capability to set up an access level to a suite or module and to all objects within it at once is helpful if the role's access level to most objects within the suite or module is Delete or Revoked.

You can reset a role's access level to a suite to Not Set any time you want. While resetting access levels, you have the option to update the access level to Not Set either for the suite and all the suite's modules and forms or for only the selected suite. Similar options are available when you set the access level for a module to Not Set. For a procedure that describes how to reset access rights, see To Reset Access Rights to a Suite or a Module.

Access Rights at the Form Level

Within each module, you can set the access rights that roles have to Acumatica ERP forms, which affects what users with those roles can access. The level of access rights to the form is inherited by the entities and records that can be created by using the form. You can set any of the following levels of access rights to forms.

Level: Description
Not Set: When assigned to all roles, allows all roles access to the form until access rights to it are set to any other level for at least one role. After at least one role has been assigned another level, a role that still has Not Set is denied access to the form.
Revoked: Denies the role access to the form and its functionality.
View Only: Gives the role restricted access to the form and its functionality. Users with the role can view the form and any records associated with it (for example, in drop-down lists on other forms), but cannot edit the details of any record, create new records or entities of the type, or delete records.
Edit: Gives the role restricted access to the form and its functionality. Users with the role can view the form, select records, and edit the details of any record, but cannot create new records or entities of the type or delete records. The Clipboard button is available on the form toolbar for users with the role.
Insert: Gives the role restricted access to the form and its functionality. Users with the role can view the form, select records, edit the details of any record, and create new records or entities of the type, but cannot delete records. The Clipboard and Insert buttons are available on the form toolbar for users with the role.
Delete: Gives the role complete access to the form and its functionality. This level encompasses the capabilities of the View Only, Edit, and Insert levels and also lets users with the role delete records. The Clipboard, Insert, and Delete buttons are available on the form toolbar for users with the role.

By default, a new role has the Not Set access level. If you change a user role's access rights to a form or a form element, the change affects only that form or form element.

To make a form available in the navigation pane to a user with a role, set the role's access level for the form to View Only or a more permissive level, and set the role's access level for the suite and the module that contain the form to Granted.

Access Rights to Containers of Form Elements

Each form includes containers of elements, such as nested forms, tabs, and grids. Each container includes multiple elements and actions. You can restrict access to any of these containers on the form. The level of access rights a role has to a container is inherited by the entities and records created by using that container, if applicable. For example, if you grant a user role access to a grid, a user with this role can access all records in that grid. By default, a container inherits its access level from the form it belongs to. You can set any of the following levels of access rights to containers.

Level: Description
Inherited: The role's access to the container is inherited from its access level to the form.
Revoked: Denies the role access to the container and hides it from the form; users with the role do not see the container.
View Only: Gives the role restricted access to the container and its functionality. Users with the role can view the container and any records associated with it (for example, in drop-down lists on other forms), if applicable, but cannot edit the details of any record, create new records or entities of the type, or delete records, if applicable.
Edit: Gives the role restricted access to the container and its functionality. Users with the role can view the container, select records, and edit the details of any record, if applicable, but cannot create new records or entities of the type or delete records, if applicable.
Insert: Gives the role restricted access to the container and its functionality. Users with the role can view the container, select records, edit the details of any record, and create new records or entities of the type, if applicable, but cannot delete records, if applicable.
Delete: Gives the role complete access to the container and its functionality. This level encompasses the capabilities of the View Only, Edit, and Insert levels and also lets users with the role delete records, if applicable.

Access Rights to Form Elements

By default, a role's access rights to form elements and actions are inherited from the role's access level to the container of form elements to which they belong. Therefore, set the role's access level to the container before setting an access level to an element or an action. You can set the following levels of access rights to form elements.

Level: Description
Inherited: The role's access level to the element is inherited from its access level to the container of form elements.
Revoked: Denies the role access to the element and hides it; a user with the role does not see the element on the form.
View Only: Makes the element read-only for users with the role. A user with the role sees the element on the form but cannot use it.
Edit: Allows users with the role to use the element.

If a form toolbar contains form-specific buttons, you can deny the role access to those buttons by setting them to Revoked. You can also revoke access to particular elements to hide their contents from users who have View Only access to the container.

Note: Configuring a role's access rights at the form control level requires in-depth knowledge of Acumatica ERP functionality.

Access Rights Level for a User Account

The level of access rights a user account has to a system object is defined by the user roles assigned to the user. If a user has multiple roles assigned and the roles have different access levels to the system

object, the following general rule is used: Acumatica ERP applies the most permissive access level among the roles. For example, suppose that a user is assigned the Employee and Sales Manager roles. The Employee role has the Revoked access level to the Distribution suite, and the Sales Manager role has the Granted access level to this suite. With these settings, the user has the Granted access level to the Distribution suite.

The calculation differs from this general rule for a user with multiple roles, some or all of which have the Inherited access level (the default for form element containers and form elements). For such a user, the access rights to a form element container or form element are calculated as follows:

If all of the user's roles have the Inherited access level to the container or element, the resulting access level is the most permissive access level the user's roles have to the object at the next higher level: the form (for a form element container) or the form element container (for a form element).
If at least one of the user's roles has an explicitly specified access level to the container or element while the other roles have the Inherited access level, the resulting access level is the most permissive level among only the roles with explicitly defined access levels. The roles with the Inherited level are ignored.

This algorithm is used to optimize the speed of loading the form. In practice it means that an explicit level set for one role on an element wins over the inherited rights of the user's other roles in both directions: an explicit Revoked hides a button even if another role would inherit Insert from the form (example 2 below), and an explicit View Only shows the button even though another role explicitly revokes it (example 3 below).

The following examples illustrate the system behavior described in this section:

1. Suppose that a user is assigned the Employee and Accountant user roles. The Employee role has the Revoked access level to the Customers (AR ) form, and the Accountant role has the Edit access level to this form. The default access level both roles have to the form elements is Inherited. The user with these roles therefore has the Edit access level to the Customers form and its elements.
2. Suppose that a user is assigned the Employee and Accountant user roles. Both roles have the Insert access level to the Invoices and Memos (AR ) form. You have decided to forbid users with the Accountant role to release invoices, so for the Accountant role you specify the Revoked access level for the Release button on this form. The Employee role has the Inherited access level to the Release button. With these settings, the user has the Revoked access level to the Release button.
3. Suppose that a user is assigned the Employee, Warehouse Worker, and Sales Assistant user roles. All three roles have the Insert access level to the Receipts (IN ) form. The Employee role has the Inherited access level to the Release button on this form, the Warehouse Worker role has the Revoked access level to this button, and the Sales Assistant role has the View Only access level to it. As a result, the user has the View Only access level to this button: the most permissive of the two explicitly defined levels.

To Initially Configure Access Rights

After Acumatica ERP is installed, you create user roles (see Role-Based Access) to give users access to the system objects they need for their responsibilities. By default, each user role has the Not Set access level (see Levels of Access Rights) to all suites, modules, and forms. Initially, this means that every user can view and use every system object. You need to configure access rights to these system objects so that users can use only the forms they need in their work.

Important: The Not Set access level indicates that all roles have access to the suite or module until Revoked or Granted access rights are set to the suite or module for at least one role. All roles with the Not Set level are then denied access to the suite or module.

This topic describes how you set the same access rights level for user roles to multiple system objects at once during the initial setup of Acumatica ERP on the Access Rights by Screen (SM ) form.
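The resolution rules described above (the most permissive role wins; roles with Inherited are ignored as soon as any of the user's roles sets an explicit level; Not Set keeps an object open until any role in the system gets an explicit level) are easy to misjudge for a user who holds several roles. The following Python model is an added example, not code from this guide or from Acumatica ERP; it reproduces those documented rules so that you can predict a user's effective level before saving a change. The role names, object names and the parent map are constructed for the illustration: Customers, Invoices and Memos and Receipts stand in for the forms of the three examples, and General Info is a made-up container on the Customers form.

```python
"""Model of the access-level resolution rules described in this guide.

Added example, not Acumatica code. Roles, objects and the parent map below
are constructed for illustration.
"""
from typing import Dict, Iterable

# Rank used to pick the most permissive level. Granted is only valid for
# suites and modules; the remaining levels apply to forms, containers and elements.
RANK = {"Revoked": 0, "View Only": 1, "Granted": 1, "Edit": 2, "Insert": 3, "Delete": 4}
NOT_SET = "Not Set"
INHERITED = "Inherited"

# role -> {object: level}. Every role that exists in the system must appear as a
# key (possibly with an empty dict), because Not Set is resolved across all roles.
Rights = Dict[str, Dict[str, str]]

# Constructed hierarchy: "Form/Element" -> "Form". Suites, modules and forms
# have no parent here and therefore default to Not Set; containers and
# elements default to Inherited, as in the guide.
PARENT = {
    "Customers/General Info": "Customers",
    "Invoices and Memos/Release": "Invoices and Memos",
    "Receipts/Release": "Receipts",
}
SUITES_AND_MODULES = {"Distribution"}

RIGHTS: Rights = {
    "Employee": {"Distribution": "Revoked", "Customers": "Revoked",
                 "Invoices and Memos": "Insert", "Receipts": "Insert"},
    "Sales Manager": {"Distribution": "Granted"},
    "Accountant": {"Customers": "Edit", "Invoices and Memos": "Insert",
                   "Invoices and Memos/Release": "Revoked"},
    "Warehouse Worker": {"Receipts": "Insert", "Receipts/Release": "Revoked"},
    "Sales Assistant": {"Receipts": "Insert", "Receipts/Release": "View Only"},
}


def configured_level(rights: Rights, role: str, obj: str) -> str:
    """Level a single role has to obj, applying the documented defaults."""
    default = INHERITED if obj in PARENT else NOT_SET
    return rights.get(role, {}).get(obj, default)


def most_permissive(levels: Iterable[str]) -> str:
    return max(levels, key=RANK.__getitem__)


def effective_level(rights: Rights, user_roles: Iterable[str], obj: str) -> str:
    """Level a user holding user_roles ends up with for obj."""
    user_roles = list(user_roles)
    levels = [configured_level(rights, r, obj) for r in user_roles]

    if obj not in PARENT:
        # Suite, module or form: Not Set keeps the object open only while no
        # role in the whole system has an explicit level on it.
        if all(configured_level(rights, r, obj) == NOT_SET for r in rights):
            return "Granted" if obj in SUITES_AND_MODULES else "Delete"
        levels = ["Revoked" if lv == NOT_SET else lv for lv in levels]
        return most_permissive(levels)

    # Container or element: roles with Inherited are ignored as soon as any
    # of the user's roles has an explicit level; otherwise resolve the parent.
    explicit = [lv for lv in levels if lv != INHERITED]
    if explicit:
        return most_permissive(explicit)
    return effective_level(rights, user_roles, PARENT[obj])


def with_level(rights: Rights, role: str, obj: str, level: str) -> Rights:
    """Copy of rights with one change applied, for what-if checks before saving."""
    updated = {r: dict(objs) for r, objs in rights.items()}
    updated.setdefault(role, {})[obj] = level
    return updated
```

The model flattens suites, modules and forms into top-level objects because, per the guide, suite and module levels govern navigation while form, container and element levels govern functionality; only the container-to-form and element-to-container inheritance is modelled. The what-if helper shows the Not Set trap from the Important note: as soon as one role gets an explicit level on a previously untouched form, every user whose roles are all still Not Set on that form loses access to it.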

Before You Proceed

You need to create the necessary user roles on the User Roles (SM ) form before configuring the roles' access levels to system objects.

To Set the Same Access Rights Level to Multiple System Objects at Once

1. Navigate to Configuration > User Security > Manage > Access Rights by Screen.
2. In the System Tree, click the name of the suite or module for which you want to set up access rights.
3. In the right pane, select the required access rights level for each necessary user role.
4. Select the Applies to Children check box. The access level of all modules and forms within the suite selected in Step 2, or of all forms within the module selected in Step 2, is then changed automatically. For example, if you change the access rights level of the Finance suite to Granted for the Accountant role, the access rights level of all modules within this suite is changed to Granted, and the access rights level of all forms within each module of the Finance suite is changed to Delete, the most permissive form-level access.
5. On the form toolbar, click Save.
6. Repeat Steps 2 through 5 for each suite or module for which you need to configure access rights.

To Configure Access Rights for a Selected User Role

You use the Access Rights by Role (SM ) form to set up access rights to multiple system objects (such as suites, modules, forms, and form elements) for a particular role in Acumatica ERP. For more information on user roles, see Access Rights for Roles. This procedure describes how you set up access rights for a single user role.

To Configure Access Rights for a Selected User Role

1. Navigate to Configuration > User Security > Manage > Access Rights by Role.
2. Select a user role in the Role Name box.
3. In the System Tree, click the system object for which you need to set up access rights, as follows:
   For a suite: Click the Company Name node.
   For a module: Click the name of the necessary suite.
   For a form: Expand the node of the necessary suite to the form level, and click the name of the module.
   For a form element: Expand the node of the necessary suite to the form element level, and click one of the following:
   The form name, if you are setting up access rights to a container of form elements (that is, a subform, a tab, or a grid)
   The name of the container of form elements, if you are setting up access rights for a form element (that is, a text box or an action)
4. In the right pane, in the row with the required system object, select the level of access rights from the drop-down list. For details, see Levels of Access Rights.
5. On the form toolbar, click Save.
6. Repeat Steps 2 through 5 for each system object for which you need to set up access rights for the selected role.

To Configure Access Rights to System Objects

You use the Access Rights by Screen (SM ) form to set up access rights to system objects (such as suites, modules, forms, and form elements) for multiple user roles in Acumatica ERP. For more information on user roles, see Access Rights for Roles. This procedure describes how you set up access rights to system objects for multiple user roles at once.

Before You Proceed

You need to create the necessary user roles on the User Roles (SM ) form before configuring access rights to system objects.

To Configure Access Rights to System Objects

1. Navigate to Configuration > User Security > Manage > Access Rights by Screen.
2. In the System Tree, expand the nodes to the necessary level and click the name of the system object for which you want to set up access rights. For example, for a form, you expand the suite node to the module level and then to the form level, and click the name of the necessary form.
3. In the right pane, select the required access rights level for each necessary user role. For details, see Levels of Access Rights.
4. On the form toolbar, click Save.
5. Repeat Steps 2 through 4 for each system object for which you want to configure access rights.

To Reset Access Rights to a Suite or a Module

You use the Access Rights by Screen (SM ) form to reset the access rights a user role has to whole suites or modules. For details about access rights, see Access Rights for Roles. This procedure describes how you reset access rights to a suite or a module in Acumatica ERP.

To Reset Access Rights to a Suite or a Module

1. Navigate to Configuration > User Security > Manage > Access Rights by Screen.
2. In the System Tree, select the name of the necessary suite or module.
3. In the right pane, select the Not Set access level for each role whose access rights you need to reset.
4. In the right pane, select the Applies to Children check box for each role whose access rights you need to reset.
5. On the form toolbar, click Save.
6. Repeat Steps 2 through 5 for all suites and modules for which you want to reset access rights.

To Delegate the Right to Create Users

You use the User Types (EP ) form to delegate to an external user the right to create users. This may be required if you need to give your partners the right to manage their users or customers on the Self-Service Portal of your Acumatica ERP instance.

This procedure describes how you provide an external user with the right to create users in Acumatica ERP.

To Delegate the Right to Create Users

1. Navigate to Configuration > User Security > Manage > User Types.
2. Create a contact-related user type for the external administrator who will have the right to create users. You could name it, for example, External Admin. For details, see To Add a User Type.
3. Create a contact-related user type for external users. You could name it, for instance, Portal User. The external administrator will have the right to create users of this type.
4. In the Selection area, in the User Type box, select the External Admin user type.
5. On the table toolbar of the Managed User Types tab, click Add Row, and in the User Type column, select the Portal User user type.
6. On the form toolbar, click Save.

Now any user of the External Admin type can create, delete, and manage users of the Portal User type (the types listed on the Managed User Types tab of the External Admin type).
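The Applies to Children behaviour used in the procedures To Set the Same Access Rights Level to Multiple System Objects at Once and To Reset Access Rights to a Suite or a Module above is worth checking before you click Save, because Granted applied to a suite sets every form beneath it to Delete. The following Python functions are an added example, not code from this guide or from Acumatica ERP; they model the propagation rules the guide documents over a constructed site map, so that you can list which forms a role would end up with full access to. The suite, module and form names are constructed.

```python
"""Model of the Applies to Children propagation rules from this guide.

Added example, not Acumatica code. The site map below is constructed.
"""
from typing import Dict, List

NOT_SET = "Not Set"

# Constructed site map: suite -> module -> list of forms.
SITE_MAP: Dict[str, Dict[str, List[str]]] = {
    "Finance": {
        "General Ledger": ["Journal Transactions", "Account Summary"],
        "Accounts Payable": ["Bills and Adjustments", "Checks and Payments"],
    },
    "Distribution": {
        "Inventory": ["Receipts", "Issues"],
    },
}

# Documented propagation: suite/module level -> (level for modules, level for forms).
CHILD_LEVELS = {
    "Granted": ("Granted", "Delete"),
    "Revoked": ("Revoked", "Revoked"),
    NOT_SET: (NOT_SET, NOT_SET),
}


def default_rights() -> Dict[str, str]:
    """A new role: Not Set on every suite, module and form."""
    rights = {}
    for suite, modules in SITE_MAP.items():
        rights[suite] = NOT_SET
        for module, forms in modules.items():
            rights[f"{suite}/{module}"] = NOT_SET
            for form in forms:
                rights[f"{suite}/{module}/{form}"] = NOT_SET
    return rights


def set_level(rights: Dict[str, str], path: str, level: str,
              applies_to_children: bool) -> Dict[str, str]:
    """Copy of one role's rights after saving path=level on the
    Access Rights by Screen form, with or without Applies to Children.
    path is "Suite" or "Suite/Module"; forms use the form-level levels instead."""
    if level not in CHILD_LEVELS:
        raise ValueError(f"{level!r} is not a suite/module level")
    parts = path.split("/")
    if len(parts) > 2:
        raise ValueError("set_level models suites and modules only")
    updated = dict(rights)
    updated[path] = level
    if not applies_to_children:
        return updated
    module_level, form_level = CHILD_LEVELS[level]
    suite = parts[0]
    modules = [parts[1]] if len(parts) == 2 else list(SITE_MAP[suite])
    for module in modules:
        if len(parts) == 1:
            updated[f"{suite}/{module}"] = module_level
        for form in SITE_MAP[suite][module]:
            updated[f"{suite}/{module}/{form}"] = form_level
    return updated


def forms_with_level(rights: Dict[str, str], level: str) -> List[str]:
    """Forms (three-part paths) currently at the given level; review the
    Delete list after a Granted-with-children change before saving."""
    return sorted(p for p, lv in rights.items() if p.count("/") == 2 and lv == level)
```

A typical sequence is the one the guide's Finance example describes: Granted with Applies to Children on the suite, which puts all four Finance forms at Delete, then Revoked with Applies to Children on the module the role should not see, and finally a check of forms_with_level(rights, "Delete") to confirm that only the intended forms remain fully accessible. Resetting the suite to Not Set without Applies to Children leaves the module and form levels in place, which is why the guide offers the two reset options.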

Managing Data Encryption

With Acumatica ERP, you can encrypt the most sensitive data and use encryption certificates to sign the generated PDF files. In this chapter, you will find information on managing encryption certificates and encrypting the database of your Acumatica ERP instance.

In This Chapter

Data Encryption in Acumatica ERP
To Import Certificates
To Encrypt the Database

Data Encryption in Acumatica ERP

Acumatica ERP uses digital certificates to store sensitive information in the database in encrypted form and to authenticate documents (PDF files) that are shared or sent electronically. These certificates can be purchased from a recognized certification authority. Each certificate file is protected by a password; you will need that password again to prove ownership of the certificate if you reinstall the system or move the database, so keep the certificate file and its password in a safe place. This topic describes the ways of using digital certificates in Acumatica ERP in more detail.

Configuration Steps

When you want to use a digital certificate in Acumatica ERP, you do the following:

You import your certificate on the Encryption Certificates (SM ) form. For a detailed procedure that describes how to import certificates, see To Import Certificates.

Note: Digital certificates used by Acumatica ERP have the .pfx extension; a .pfx file contains the private key as well as the certificate. Before you can import digital certificates into the system, make sure .pfx is on the list of allowed extensions on the File Upload Preferences (SM ) form.

You apply the uploaded certificate to one of the following processes:

Encrypting the database: You can replace the default encryption that Acumatica ERP uses for sensitive data with encryption under your own certificate on the Certificate Replacement (SM ) form. For more information, see Database Encryption.
Signing PDF documents: You can use the imported certificate for signing PDF files generated in Acumatica ERP.
You can specify a default certificate (which will be used for all PDF documents generated in Acumatica ERP) in the PDF Signing Certificate box on the Security Preferences (SM ) form. Individual users can also select an imported certificate as a personal certificate (which overrides the default one) in the PDF Signing Certificate box on the User Profile (SM ) form. For details, see PDF Signature.

Database Encryption

The Acumatica ERP database stores sensitive data, such as credit card numbers, in encrypted form. You can find the list of encrypted data on the Certificate Replacement (SM ) form. You can replace the default encryption used in Acumatica ERP with encryption under your own certificate. If the database of your Acumatica ERP instance is large, re-encryption may take a long time and may slow down responses from the database. For large databases, we recommend that you postpone the start of

encryption by scheduling it at a time when nobody uses the system (for example, at night). For a procedure that describes how to encrypt the database, see To Encrypt the Database.

PDF Signature

You can use encryption certificates to sign PDF files generated in the system. A PDF signature protects the authenticity and integrity of a document throughout its life cycle. For example, when a company employee e-mails the company's digitally signed quarterly financial statements, the recipients of the documents can verify the identity of the signer and that the financial information has not been altered since it was signed.

You can specify a default certificate that will be used for signing all the PDF documents generated by the system. You use the Security Preferences (SM ) form to specify the default certificate. In addition, you (or any other user of your Acumatica ERP instance) can select another certificate to be used as a personal certificate on the User Profile (SM ) form. For a user with a personal certificate, the personal certificate is used instead of the default certificate whenever that user creates PDF documents in the system.

To Import Certificates

In Acumatica ERP, digital certificates are used for database encryption and for signing documents. To use a certificate, you must import it into the system by using the Encryption Certificates (SM ) form, as described in this topic.

Note: Digital certificates used by Acumatica ERP have the .pfx extension. Before you can import digital certificates into the system, make sure .pfx is on the list of allowed extensions on the File Upload Preferences (SM ) form.

In this topic, you will also find instructions on how to remove a certificate from the system when it is no longer used.

To Import a Certificate

1. Navigate to Configuration > User Security > Configure > Encryption Certificates.
2. On the table toolbar, click Add Row.
3. In the Name box, type the certificate name that will be used in the system.
4. In the Password box, type the password of the certificate file. The password is hidden after you save your changes.
5. On the form toolbar, click Save.
6. Upload the certificate file as follows:
   a. Click the paper clip icon in the Files column of the row with the certificate, and click Add File. (For more information about attaching files to table rows, see To Attach a File to a Record Detail.)
   b. In the Files dialog box, click Browse and select the certificate file you want to upload.
   c. Click Upload to import the certificate.
      Note: Although you can upload multiple files in this dialog box, only the most recently uploaded file is used by the system. We recommend that you delete unnecessary files from the system. For details, see To Manage Files.
   d. Close the Files dialog box.
7. Repeat Steps 2 through 6 for each certificate you want to import.

After importing certificates, you can use them for encrypting the database and for signing PDF documents. For details, see Data Encryption in Acumatica ERP.

To Remove a Certificate

Before you remove a certificate from the system, make sure that the certificate is not being used for database encryption (on the Certificate Replacement (SM ) form) or for PDF document signing (on the Security Preferences (SM ) form).

Note: If you try to remove a certificate that is in use in the system, a warning message is displayed, and the certificate is not removed.

To remove a certificate, do the following:

1. Navigate to Configuration > User Security > Configure > Encryption Certificates.
2. In the table, select the row with the certificate that you want to remove.
3. On the table toolbar, click Delete Row.
4. On the form toolbar, click Save.

To Encrypt the Database

To encrypt the Acumatica ERP database with your digital certificate, you use the Certificate Replacement (SM ) form, as described in this topic. This topic also describes how to restore the default encryption of the Acumatica ERP database.

To Encrypt the Database

1. Navigate to Configuration > User Security > Process > Certificate Replacement.
   Note: In the Selection area, the Current Certificate box shows the certificate currently used for database encryption. If the box is blank, the default encryption algorithm is being used.
2. In the Selection area, in the New Certificate box, select the certificate whose key will be used for encrypting the database. You can select only from the certificates that you have imported into the system (see To Import Certificates).
3. Optional: Assign the certificate replacement process to a schedule by using the Schedule menu on the form toolbar. For more information, see Scheduled Processing.
4. On the form toolbar, click Replace Certificate. This initiates the process of decrypting the data with the previous encryption key and encrypting it with the new one.

Once the replacement has completed, you can remove the previous certificate by using the Encryption Certificates (SM ) form, as described in To Import Certificates. Do not remove it earlier: until the process has finished, the data is still encrypted with the previous certificate.

To Restore the Default Database Encryption

1. Navigate to Configuration > User Security > Process > Certificate Replacement.
2. In the Selection area, clear the value of the New Certificate box.
3. On the form toolbar, click Replace Certificate. This initiates the process of decrypting the data with the previous certificate and encrypting it by using the default encryption algorithm.

Integrating Acumatica ERP Forms on Your Website

Acumatica ERP gives you the ability to embed particular forms on a website that employees of your organization use in their daily work. For example, you can embed the Tasks (EP ) form within your Office 365 page to view and access your Acumatica ERP task list directly in Office 365.

To display an Acumatica ERP form on your website, you use the URL of the Acumatica ERP form. You can include additional parameters in the URL for more convenient display and use of the form. These parameters are described in this topic.

Appearance of the Embedded Acumatica ERP Form

When you integrate an Acumatica ERP form on your website, the form area, the main menu, and the navigation pane are displayed by default. To simplify the appearance of the form, you can hide the main menu and the navigation pane and display only the form area by adding the HidePageTitle URL parameter with the value true.

Example

To embed the Contacts (CR ) form of the instance on a website with only the form area displayed, you use the following URL:

Silent Logon in URLs of Acumatica ERP Forms

Users access an Acumatica ERP form embedded on your website by using an authentication method that you set up during the system configuration (for details, see Overview of the User Security Configuration Process); embedding a form does not bypass sign-in or the access rights configured for it. If you have enabled single sign-on with an external identity provider, such as Microsoft Azure Active Directory or Google, you can use the SilentLogin URL parameter to redirect users automatically to the sign-in page of this identity provider.

Note: Before you use the SilentLogin URL parameter, confirm on the Users (SM ) form that your users have registered their external accounts with the Acumatica ERP instance, as described in To Activate Your Google or Microsoft Account.

The SilentLogin parameter can take the following values.

Value: Identity provider
None: Acumatica ERP
Federation: Azure Active Directory
Google: Google
MicrosoftAccount: Microsoft Account

Example

To give users who access the Contacts (CR ) form on the external website the ability to authenticate themselves with Google, you use the following URL:

User Security Form Reference

On the navigation pane of the User Security module, the forms are grouped into nodes that bring together similar forms. This topic follows this layout when listing the forms of the User Security module.

Manage
Users (SM )
User Roles (SM )
User Types (EP )
Access Rights by Screen (SM )
Access Rights by Role (SM )
Access Rights by User (SM )

Explore
Access History (SM )

Process
Certificate Replacement (SM )

Print
For the description of the report forms, see User Security Reports.

Configure
Security Preferences (SM )
Encryption Certificates (SM )

Access History

Form ID: (SM )

On this form, you can view the log of activities that users have performed in the system, such as signing in, signing out, accessing specific forms, and publishing customizations.

Form Toolbar

The form toolbar includes standard and form-specific buttons. For the list of standard buttons, see Form Toolbar. The form-specific buttons are listed below.

Button: Description
Delete History: Deletes from the system database the audit history records that are older than the number of months specified in the Keep Audit History for x Months box on the Security Preferences (SM ) form.

Selection Area

In this area, you can select a particular user, operation, and date range to view the system log for that user and operation in that date range.

Element: Description
Username: The user name of the person for whom you want to view the system log. Leave this box blank to view data for all system users.
From: The date and time that start the range for which you want to view data. Leave this box blank if you do not want to limit the starting date and time.
To: The date and time that end the range for which you want to view data. Leave this box blank if you do not want to limit the ending date and time.
Operation: The operation for which you want to view data. The following operations are available:
  Login: The user signed in to the system.
  Logout: The user signed out of the system.
  Session Expired: The user session expired.
  Login Failed: The user tried to access the system but failed to sign in.
  Access Screen: The user accessed a form. The ID and title of the form are displayed in the Screen ID and Title columns, respectively. Note: This event is logged only once for each form during a user session (when the user first opens the form), so it records which forms were reached, not how often they were used.
  Send Success: The user successfully sent an e-mail.
  Send Error: The user's attempt to send an e-mail resulted in an error.
  Customization Published: The user published a customization on a form. The ID and title of the form are displayed in the Screen ID and Title columns, respectively. For more information, see the Acumatica ERP Customization Guide.
  License Exceeded: The number of concurrent users exceeded the license limit. The login of the user who was forcibly signed out is displayed in the Username column.
  OData Refresh: The user accessed Acumatica ERP data by using the OData interface. The generic inquiry that was accessed is displayed in the Comment column. For more information on support for OData in Acumatica ERP, see OData Support.

Table

This table contains the log of user activities that meet the criteria specified in the Selection area. The table toolbar includes only standard buttons. For the list of standard buttons, see Table Toolbar.
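The operations above make the Access History log a usable detection feed: Login Failed entries carry the source IP Address, and a Login from the same address shortly after a run of failures is the pattern of a guessed password. The following Python script is an added example, not part of this guide or of Acumatica ERP. It assumes the table has been exported to CSV with the column headings documented for this form (Date, Username, Operation, Host, IP Address, Screen ID, Title, Comment) and that the Date column is written as YYYY-MM-DD HH:MM:SS; both are assumptions about your export, and the log lines are constructed, with a placeholder screen ID.

```python
"""Detection pass over an Access History CSV export.

Added example, not Acumatica code. The sample export is constructed; the
column names follow the form reference, the date format is assumed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed export format; adjust if yours differs

# Constructed sample export. XX000001 is a placeholder, not a real screen ID.
SAMPLE_EXPORT = """\
Date,Username,Operation,Host,IP Address,Screen ID,Title,Comment
2024-03-04 08:01:12,jsmith,Login,erp01,10.0.5.21,,,
2024-03-04 08:02:40,jsmith,Access Screen,erp01,10.0.5.21,XX000001,Customers,
2024-03-04 08:30:09,jsmith,Logout,erp01,10.0.5.21,,,
2024-03-04 22:14:01,admin,Login Failed,erp01,203.0.113.7,,,
2024-03-04 22:14:05,admin,Login Failed,erp01,203.0.113.7,,,
2024-03-04 22:14:09,admin,Login Failed,erp01,203.0.113.7,,,
2024-03-04 22:14:14,admin,Login Failed,erp01,203.0.113.7,,,
2024-03-04 22:14:19,admin,Login Failed,erp01,203.0.113.7,,,
2024-03-04 22:14:30,admin,Login,erp01,203.0.113.7,,,
2024-03-05 03:00:02,jsmith,Login Failed,erp01,198.51.100.9,,,
2024-03-05 03:00:03,mlee,Login Failed,erp01,198.51.100.9,,,
2024-03-05 03:00:04,admin,Login Failed,erp01,198.51.100.9,,,
2024-03-05 03:00:05,pkumar,Login Failed,erp01,198.51.100.9,,,
2024-03-05 09:10:00,mlee,Login,erp01,10.0.5.40,,,
"""


def parse_export(text: str) -> List[dict]:
    """Rows of the export with Date parsed, oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Date"] = datetime.strptime(row["Date"], DATE_FORMAT)
    return sorted(rows, key=lambda r: r["Date"])


def failures_by_ip(events: List[dict]) -> Dict[str, List[dict]]:
    grouped = defaultdict(list)
    for e in events:
        if e["Operation"] == "Login Failed":
            grouped[e["IP Address"]].append(e)
    return grouped


def failed_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Source IPs with at least `threshold` Login Failed events inside `window`;
    the value is the largest such run (brute force against one or more accounts)."""
    bursts: Dict[str, int] = {}
    for ip, fails in failures_by_ip(events).items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["Date"] - fails[start]["Date"] > window:
                start += 1
            run = end - start + 1
            if run >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), run)
    return bursts


def password_spray_sources(events: List[dict], min_users: int = 3,
                           window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Source IPs whose failures within `window` cover at least `min_users`
    distinct usernames (password spraying: few attempts per account)."""
    sources: Dict[str, int] = {}
    for ip, fails in failures_by_ip(events).items():
        for end, last in enumerate(fails):
            users = {f["Username"] for f in fails[:end + 1]
                     if last["Date"] - f["Date"] <= window}
            if len(users) >= min_users:
                sources[ip] = max(sources.get(ip, 0), len(users))
    return sources


def success_after_burst(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, datetime]]:
    """Successful Login events preceded, from the same IP, by at least
    `threshold` failures within `window`: the pattern of a guessed password."""
    hits = []
    for i, e in enumerate(events):
        if e["Operation"] != "Login":
            continue
        recent_fails = sum(
            1 for p in events[:i]
            if p["Operation"] == "Login Failed"
            and p["IP Address"] == e["IP Address"]
            and e["Date"] - p["Date"] <= window)
        if recent_fails >= threshold:
            hits.append((e["Username"], e["IP Address"], e["Date"]))
    return hits


if __name__ == "__main__":
    log = parse_export(SAMPLE_EXPORT)
    print("bursts:", failed_login_bursts(log))
    print("spray:", password_spray_sources(log))
    print("success after burst:", success_after_burst(log))
```

Tune the thresholds and window to your sign-in volume, and remember two limits of the source: Access Screen is logged once per form per session, so it cannot be used as a usage counter, and the Delete History button on this form trims the log to the retention set on Security Preferences, so export before the retention window closes if you need the history for an investigation.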
Table Columns

Column: Description
Date: The date and time of the activity.
Username: The name of the user who performed the activity.
Operation: The operation performed by the user. (See the list of operations in the previous section.)
Host: The system host.

IP Address: The IP address from which the user signed in to the system.
Screen ID: The screen ID of the form that was accessed by the user.
Title: The name of the form that was accessed by the user.
Comment: The automatically generated comment.

Access Rights by Role

Form ID: (SM )

On this form, you can fine-tune the access rights each role has to system suites, modules, wikis, forms, and even specific form elements. You can also create a role directly on this form and configure its access to system entities. You use this form when you want to give a particular user role access rights to multiple Acumatica ERP system objects. For example, you might use it to give the custom user role Chief Accountant access to all forms of the General Ledger, Cash Management, and Accounts Payable modules.

Note: If you configure a role for working with a wiki, give the role access to the wiki by using this form, and then configure access to particular articles on the Wiki Access by Role (SM ) form. For details, see Wiki Access Management.

You can also set several roles' access rights to suites, modules, forms, and form elements on the Access Rights by Screen (SM ) form. For more information about setting up user access rights, see User Access Rights.

Form Toolbar

The form toolbar includes standard and form-specific buttons. For the list of standard buttons, see Form Toolbar. The form-specific buttons are listed below.

Button: Description
Copy Role: Copies the set of access rights of the selected role to a new role. To create and populate the new role, type its name in the New Role Name box of the New Role dialog box, which opens when you click this button, and click Copy.

New Role Dialog Box

This dialog box opens when you click the Copy Role button. By using this dialog box, you can copy the current role's set of access rights to a new role.

Element: Description
New Role Name: The name of the new role to which the access rights will be copied.
This dialog box has the following buttons. Copy Creates a new role and copies the access rights of the current role to the new role. Summary Area You use this area to specify the name and description of a new role or to select an existing role.

Role Name: The role name. Select a name from the list of roles or, if you are adding a new role, type the role name.
Role Description: The description of the role.

Left Pane

In this pane, system suites are represented as first-level nodes. The top node represents the home page dashboard. Click the node icon to the left of any suite to expand the suite and view the modules within that suite. Click the node icon to the left of any module to expand the node and view the hierarchical structure of the module. Some modules have a single-level list of forms, while other modules have more levels, which correspond to the organization of these forms on the user interface. Click the node icon to the left of any form to expand the node and view the list of form elements, such as tabs and grids.

All wikis are represented by non-expandable nodes. To view and update the map of any wiki, use the Wiki Site Map (SM ) form. The Hidden node contains system objects, such as forms and reports, that are not displayed in the site map but can be accessed through other forms.

When you click any node, the right pane displays the list of its objects with the level of access rights the role has to each object. You can restrict access to these objects as well.

Right Pane

In this pane, you can view and edit the access rights of the selected role for the objects of the selected node. To change a level of access rights, in the row with the appropriate object, select the needed option in the Access Rights column.

Table Columns

The first column shows the name of the object.
Access Rights: The access rights of the selected role for the object. For more information, see Levels of Access Rights.
Applies to Children: A check box that indicates (if selected) that the access rights level specified for the selected role on a system object is the same for all nested objects (children) within the object. You can change the access rights level for any nested object manually. The system clears this check box automatically when the access rights levels of the system object and its children become different.

Access Rights by Screen

Form ID: (SM )

On this form, you can view and modify the access rights of roles to system suites, modules, wikis, forms, and form elements. For more information on roles and their access rights, see User Access Rights. You use this form to assign access rights for multiple user roles to a particular suite, module, Acumatica ERP form, or form element. For example, you might use this form to provide access to the Configuration suite for the Administrator role and to prohibit access for all other roles.

Note: If you configure a role for working with a wiki, give access to the wiki by using this form, and then configure access to particular topics on the Wiki Access by Role form. For details, see Wiki Access Management.

You can also use the Access Rights by Role (SM ) form to select a particular role and set its access to suites, modules, forms, and form elements.

Form Toolbar

The form toolbar includes only standard buttons. For the list of standard buttons, see Form Toolbar.

Left Pane

In this pane, system suites are represented as first-level nodes. The top node represents the home page dashboard. You can click the node icon to the left of any suite to expand the suite and view the modules within that suite. Also, you can click the node icon to the left of any module to expand the node and view the hierarchical structure of the module. Some modules have a one-level list of forms, while other modules have more levels, which correspond to the organization of these forms on the user interface. You can click the node icon to the left of any form to expand the node and view the list of form elements, such as tabs, grids, fields, and actions.

All wikis are represented by non-expandable nodes. To view and update the map of any wiki, use the Wiki Site Map (SM ) form. The Hidden node contains system objects, such as forms and reports, that are not displayed in the site map but can be accessed through other forms.

When you click any node, the right pane displays the roles defined in the system and the details for each, including its level of access rights.

Right Pane

In this pane, you can view and edit the access rights of the roles for the selected node. To change a level of access rights, in the row with the appropriate role, select the needed option in the Access Rights column.

Table Columns

Role: The name of the role.
Guest Role: A check box that, if selected, indicates that the role is marked as a guest role. For details, see Role-Based Access.
Description: A description of the role.
Access Rights: The access rights of the role for the selected object. For more information, see Levels of Access Rights.
Applies to Children: A check box that indicates (if selected) that the access rights level specified for the role on the selected system object is the same for all nested objects (children) within the object. You can change the access rights level for any nested object manually. The system clears this check box automatically when the access rights levels of the system object and its children become different.

Access Rights by User

Form ID: (SM )

On this form, you can view the actual access rights each user has to system modules and objects. That is, the system calculates the actual level of access for objects that have the Not Set or Inherited levels. You can view access rights down to the level of specific form elements. You can set access rights to modules on the Access Rights by Screen (SM ) and Access Rights by Role (SM ) forms. For more information about setting up user access rights, see User Access Rights.

Summary Area

You use this area to select the login of the user whose access rights you want to review.

Login: The login of the user whose access rights will be shown.

Left Pane

In this pane, system modules are represented as first-level nodes. (The top node represents the home page dashboard.) You can click the node icon to the left of any module to expand the node and view the hierarchical structure of the module. Some modules have a one-level list of forms, while other modules have multiple levels in the list. When you click a node, the right pane displays the list of its components with their details. All wikis are represented by non-expandable nodes. To view and update the map of any wiki, use the Wiki Site Map (SM ) form.

Right Pane

In this pane, you can view the access rights of the selected user for the objects contained in the node you have selected in the left pane. The table toolbar includes standard and table-specific buttons. For the list of standard buttons, see Table Toolbar. The table-specific buttons are listed below.

View Roles: Opens the View Roles dialog box, where you can view the list of roles assigned to the user selected in the Summary area. For each role, you can view the access rights given to the role for the object you selected in the table. If the user is assigned multiple roles, the listed role with the most permissive level of access defines the access rights to the object for the user selected in the Summary area.

Table Columns

The first column shows the name of the object.
Access Rights: The access rights of the selected user to the object. The user's access to the object is determined by the most permissive level of access among the roles assigned to the selected user. To view the list of roles assigned to the user, click the View Roles button on the table toolbar or double-click the object line in the table. For more information, see Role-Based Access and Levels of Access Rights.
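The computation described above, as an added example that is not Acumatica's code: each role's Not Set or Inherited level is resolved from the nearest parent node with an explicit level, the user's level is the most permissive one across the user's roles, and a final check lists objects where a revocation in one role is undone by another role. The level names and their order, the object tree and the role assignments are constructed assumptions.

```python
"""Added example (not Acumatica's code): computing a user's effective access
rights the way the Access Rights by User form describes it. A role's Not Set or
Inherited level is resolved from the nearest ancestor node with an explicit
level, and the user's level is the most permissive one across the user's roles.
The level names, their order and the object tree below are assumptions."""
from __future__ import annotations

# Assumed order of explicit levels, least to most permissive (illustrative only).
LEVELS = ["Revoked", "View Only", "Edit", "Insert", "Delete", "Granted"]
NOT_SET, INHERITED = "Not Set", "Inherited"

# Constructed object tree (child -> parent); the top node has no parent.
TREE = {
    "Finance": None,
    "Finance/General Ledger": "Finance",
    "Finance/General Ledger/Journal Transactions": "Finance/General Ledger",
    "Finance/General Ledger/Journal Transactions/Release":
        "Finance/General Ledger/Journal Transactions",
}

# Constructed sample of what Access Rights by Role holds: role -> object -> level.
ROLE_RIGHTS = {
    "Chief Accountant": {
        "Finance": "Granted",
        "Finance/General Ledger/Journal Transactions/Release": "Revoked",
    },
    "Clerk": {
        "Finance": "View Only",
        "Finance/General Ledger": "Inherited",
        "Finance/General Ledger/Journal Transactions": "Edit",
    },
}

# Constructed role assignments: user -> roles (the Membership tab of User Roles).
USER_ROLES = {"jdoe": ["Chief Accountant", "Clerk"], "guest": ["Clerk"]}


def initial_rights(role: str, obj: str) -> str:
    """The level stored for the role on the object itself (Not Set if absent)."""
    return ROLE_RIGHTS.get(role, {}).get(obj, NOT_SET)


def computed_rights(role: str, obj: str) -> str:
    """Resolve Not Set / Inherited by walking up to the nearest explicit level."""
    node = obj
    while node is not None:
        level = initial_rights(role, node)
        if level not in (NOT_SET, INHERITED):
            return level
        node = TREE.get(node)
    return NOT_SET  # nothing explicit anywhere up the tree


def user_rights(user: str, obj: str) -> str:
    """Most permissive computed level among the roles assigned to the user."""
    explicit = [computed_rights(r, obj) for r in USER_ROLES.get(user, [])]
    explicit = [lvl for lvl in explicit if lvl != NOT_SET]
    return max(explicit, key=LEVELS.index) if explicit else NOT_SET


def view_roles(user: str, obj: str) -> list[tuple[str, str, str]]:
    """Rows of the View Roles dialog: (role, initial level, computed level)."""
    return [(r, initial_rights(r, obj), computed_rights(r, obj))
            for r in USER_ROLES.get(user, [])]


def overridden_revocations(user: str) -> list[str]:
    """Objects where one of the user's roles is Revoked but another role still
    grants access: under the most-permissive rule the revocation has no effect."""
    return [obj for obj in TREE
            if any(c == "Revoked" for _, _, c in view_roles(user, obj))
            and user_rights(user, obj) != "Revoked"]


if __name__ == "__main__":
    target = "Finance/General Ledger/Journal Transactions/Release"
    for row in view_roles("jdoe", target):
        print(row)
    print("effective:", user_rights("jdoe", target))
    print("revocations without effect:", overridden_revocations("jdoe"))
```

The last function is the check a reviewer of role design wants: a Revoked entry in one role does not restrict a user who also holds a more permissive role.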

View Roles Dialog Box

This dialog box opens when you click the View Roles button. By using the dialog box, which includes the following elements, you can view the list of roles assigned to the user selected in the Summary area and the access rights of each role to the object selected in the table on the right pane of the form. The dialog box includes a table with the following columns.

Role: The identifier of a role assigned to the user selected in the Summary area.
Initial Access Rights: The initial level of access of the role to the object selected in the table on the right pane of the form. You can see this level on the Access Rights by Role (SM ) and Access Rights by Screen (SM ) forms.
Computed Access Rights: The actual level of access of the role to the object selected in the table on the right pane of the form. That is, the system calculates the actual level of access for roles that have the Not Set or Inherited levels.

This dialog box has the following button.

Close: Closes the dialog box.

Certificate Replacement

Form ID: (SM )

On this form, you can encrypt the data in the database by using the specified certificate. You can also replace the certificate with a new one and perform database encryption based on the new certificate. For more information, see To Encrypt the Database.

Form Toolbar

The form toolbar includes standard and form-specific buttons. For the list of standard buttons, see Form Toolbar. The form-specific buttons are listed below.

Replace Certificate: Initiates encryption based on the certificate specified in the New Certificate box. If data has already been encrypted with a custom certificate, this action first decrypts the data based on the certificate displayed in the Current Certificate box and then initiates encryption based on the certificate specified in the New Certificate box.

Selection Area

In this area, you can check which database encryption certificate has been used most recently (if any) and specify a new certificate.

New Certificate: The name of the new certificate to be used for database encryption. Select the name from the list of certificates that users have imported to the website by using the Encryption Certificates (SM ) form.
Current Certificate: The name of the certificate that was used most recently for database encryption. A blank box indicates that no certificate has been used before.

Table

This table provides a read-only list of fields with sensitive data stored in the database that are encrypted by default. When you select a new encryption certificate in the New Certificate box and click Replace Certificate, this data is encrypted with the specified certificate. The table toolbar includes only standard buttons. For the list of standard buttons, see Table Toolbar.

Table Columns

Entity Type: The type of sensitive data that is encrypted.
Entity Name: The description of the data that is encrypted.

Encryption Certificates

Form ID: (SM )

On this form, you can register a new certificate with the system and upload the certificate file to the database. For more information, see To Import Certificates.

Acumatica ERP requires security certificates for users to digitally sign PDF files generated in the system and to encrypt sensitive information stored in the database. Each certificate requires a password. The system uses the password to validate the owner of the certificate if the system is reinstalled or you move the data to other storage, such as another computer. For more information on using certificates in the system, see Data Encryption in Acumatica ERP.

Form Toolbar

The form toolbar includes only standard buttons. For the list of standard buttons, see Form Toolbar.

Table

By using this table, you can add new certificates, import certificate files, manage existing certificates, and remove outdated certificates. For more information, see To Import Certificates. The table toolbar includes only standard buttons. For the list of standard buttons, see Table Toolbar.

Table Columns

Name: The name of the certificate.
Password: The password to the certificate.

Security Preferences

Form ID: (SM )

You use this form to define security settings for your organization, such as the system password and account lockout policies for user accounts, encryption certificates, and audit settings.

Form Toolbar

The form toolbar includes only standard buttons. For the list of standard buttons, see Form Toolbar.

Selection Area

You use this area to set the password policy, account lockout policy, PDF encryption certificate, and audit settings.

Password Policy Section

Force User to Change Password Every x Days: A check box that you select to require periodic password changes; if you select the check box, type in the corresponding box the number of days (as an integer) that should pass before a user is prompted to change the password. To let users leave the password unchanged, clear the check box. By default, this check box is cleared.
Minimum Password Length x Characters: A check box that you select to enforce a minimum password length; if you select the check box, type in the corresponding box the minimum password length (as an integer) required for user passwords. Clear the check box to not require a minimum password length. By default, the check box is selected and the minimum length is 8 characters.
Password Must Meet Complexity Requirements: A check box that you select if each user password must have at least three of the following features: lowercase letters, uppercase letters, special symbols, and digits. Clear the check box to allow the password to be any ASCII string between the minimum password length and 10 characters. Blank passwords are prohibited. By default, this check box is selected.
Additional Password Validation Mask: A regular expression that you can enter to enforce the company password policies.
Incorrect Password Alert: The message that the user receives if the password does not match the additional validation mask or regular expression (if any was set in the above box). For more information about using regular expressions, see Input Validation Options.

Account Lockout Policy Section

Lock Account After x Unsuccessful Login Attempts: The number of unsuccessful login attempts that will cause the account to be locked out. The default value of this box is 3.
Lock Account for x Minutes: The number of minutes an account should be locked out after the defined number of unsuccessful attempts to sign in. The default value of this box is 15.
Reset Lockout Counter After x Minutes: The number of minutes that must pass after the last login attempt before the system resets the lockout counter. The default value of this box is 10.
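To see the two sections above as checks rather than settings, the following added example (not Acumatica's code) validates candidate passwords against the Password Policy elements and replays constructed login records, shaped like Access History rows, through the Account Lockout Policy with the page's defaults. The record layout, the class names, the alert text, and the assumption that a successful login clears the failure counter are mine.

```python
"""Added example (not Acumatica's code): a password checker for the Password
Policy section and a replay of the Account Lockout Policy over constructed
Access History records. Defaults are the page's (8 characters, complexity on,
3 attempts, 15-minute lock, 10-minute counter reset); the record layout, the
class names and the alert text are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    minimum_length: int | None = 8        # None: Minimum Password Length cleared
    complexity_required: bool = True      # Password Must Meet Complexity Requirements
    validation_mask: str | None = None    # Additional Password Validation Mask (regex)
    incorrect_password_alert: str = "Password does not match the company policy."


def check_password(pw: str, policy: PasswordPolicy) -> list[str]:
    """Return the policy violations for pw; an empty list means it is accepted."""
    problems = []
    if not pw:
        problems.append("blank passwords are prohibited")
    if policy.minimum_length is not None and len(pw) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if policy.complexity_required:
        # At least three of: lowercase, uppercase, digits, special symbols.
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
        if sum(classes) < 3:
            problems.append("needs at least three of: lowercase, uppercase, "
                            "digits, special symbols")
    if policy.validation_mask and not re.fullmatch(policy.validation_mask, pw):
        problems.append(policy.incorrect_password_alert)   # Incorrect Password Alert
    return problems


@dataclass
class LockoutPolicy:
    attempts: int = 3         # Lock Account After x Unsuccessful Login Attempts
    lock_minutes: int = 15    # Lock Account for x Minutes
    reset_minutes: int = 10   # Reset Lockout Counter After x Minutes


@dataclass
class AccountState:
    failures: int = 0
    last_attempt: datetime | None = None
    locked_until: datetime | None = None


def apply_login_attempt(state: AccountState, policy: LockoutPolicy,
                        operation: str, when: datetime) -> str:
    """Advance one account's state by a login attempt whose credential outcome is
    the audit operation name ("Login" or "Login Failed"). Returns "ok", "failed",
    "locked" (this attempt triggered the lock) or "rejected" (account was locked)."""
    if state.locked_until is not None:
        if when < state.locked_until:
            return "rejected"          # Temporarily Locked: attempt not counted
        state.locked_until, state.failures = None, 0   # lock period elapsed
    if (state.last_attempt is not None
            and when - state.last_attempt > timedelta(minutes=policy.reset_minutes)):
        state.failures = 0             # counter reset window elapsed
    state.last_attempt = when
    if operation == "Login Failed":
        state.failures += 1
        if state.failures >= policy.attempts:
            state.locked_until = when + timedelta(minutes=policy.lock_minutes)
            state.failures = 0
            return "locked"
        return "failed"
    state.failures = 0                 # assumed: a successful login clears the counter
    return "ok"


def replay(records, policy: LockoutPolicy = LockoutPolicy()) -> dict[str, list[str]]:
    """Replay (date, username, operation) records; return outcomes per user."""
    states: dict[str, AccountState] = {}
    outcomes: dict[str, list[str]] = {}
    for when, user, op in records:
        st = states.setdefault(user, AccountState())
        outcomes.setdefault(user, []).append(apply_login_attempt(st, policy, op, when))
    return outcomes


# Constructed records shaped like Access History rows (Date, Username, Operation).
SAMPLE = [
    (datetime(2024, 1, 1, 9, 0), "jdoe", "Login Failed"),
    (datetime(2024, 1, 1, 9, 1), "jdoe", "Login Failed"),
    (datetime(2024, 1, 1, 9, 2), "jdoe", "Login Failed"),     # third failure: locked
    (datetime(2024, 1, 1, 9, 5), "jdoe", "Login"),            # right password, still locked
    (datetime(2024, 1, 1, 9, 18), "jdoe", "Login"),           # 15 minutes have passed
    (datetime(2024, 1, 1, 9, 0), "asmith", "Login Failed"),
    (datetime(2024, 1, 1, 9, 1), "asmith", "Login Failed"),
    (datetime(2024, 1, 1, 9, 15), "asmith", "Login Failed"),  # >10 min gap: counter reset
]

if __name__ == "__main__":
    print(check_password("password", PasswordPolicy()))
    print(replay(SAMPLE))
```

The asmith rows show the practical effect of the reset window: failures spaced more than 10 minutes apart never accumulate to a lock, which is why the counter reset value should be weighed against the attempt count when you tune this section.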

Encryption Certificates Section

DB Encryption Certificate: A read-only box that displays the certificate used to encrypt data stored in the database.
PDF Signing Certificate: The default certificate to be used for signing PDF files. If a user has his or her own certificate, PDF files created by the user will instead be signed with the user certificate.

Audit Section

Keep Audit History for x Months: An integer that represents the number of months the system should keep the audit history of user operations. The default value of the box is 999.
Login: A check box you select to audit each successful login. By default, this check box is selected.
Login Failed: A check box you select to audit each failed login. By default, this check box is selected.
Logout: A check box you select to audit each logout. By default, this check box is selected.
Screen Accessed: A check box you select to audit each form accessed by users. By default, this check box is selected. Note: The event is logged only once for each form during a user session (when the user first opens the form).
Session Expired: A check box you select to audit each instance of an expired session. By default, this check box is selected.
License Exceeded: A check box you select to audit each instance of the number of allowed concurrent users being exceeded. By default, this check box is cleared.
Email Send Success: A check box you select to audit each successful instance of a user sending an email through Acumatica ERP. By default, this check box is selected.
Email Send Error: A check box you select to audit each failed instance of a user sending an email through Acumatica ERP. By default, this check box is selected.
OData Refresh: A check box you select to audit each instance of accessing Acumatica ERP data by using the OData interface. By default, this check box is cleared.

Customization Published: A check box you select to audit each instance of publishing a customization on any form. By default, this check box is cleared.

Allowed External Identity Providers Table

By using this table, you can configure and enable single sign-on with the supported external identity providers. For more information, see Single Sign-On with Google and Single Sign-On with Microsoft Account.

Table Columns

Provider Name: The external identity provider. Acumatica ERP supports the following external identity providers: Google and Microsoft Account.
Active: A check box you select to allow your users to sign in with the external identity provider credentials. Clear the check box to disable single sign-on with the selected external identity provider.
Realm: The full URL of the Acumatica ERP instance (for example, [URL omitted in the source]).
Application ID: The client ID provided when you register your application instance with the external identity provider.
Application Secret: The client secret provided when you register your application instance with the external identity provider.

User Roles

Form ID: (SM )

You can use this form to create new roles and to assign roles to users. For each existing role, you can view the list of users assigned to it. If your system is integrated with Active Directory (AD), Azure Active Directory (Azure AD), or Active Directory Federation Services (AD FS), you can map the roles configured in Acumatica ERP to the groups configured in the Active Directory domain. For more information, see Overview of the User Security Configuration Process.

A role is a set of access rights to specific modules or other system entities. Some users are assigned only one role, while others are assigned multiple roles in accordance with different sets of employee responsibilities. For more information about roles, see Role-Based Access.

A guest role is a role that you configure to give restricted access to the website and to only particular modules. Roles marked as guest roles can be associated with contact-related user types, which are intended for users who are external to the company, such as partners or contacts. For more information, see User Types.

Form Toolbar

The form toolbar includes standard and form-specific buttons. For the list of standard buttons, see Form Toolbar. The form-specific buttons are listed below.

Reload AD Groups: Updates the list of user groups in Acumatica ERP with current information from AD. This button appears only when you have integrated the Acumatica ERP instance with AD, AD FS, or Azure AD, and when the number of user groups in AD or Azure AD is greater than or equal to [value omitted in the source].

Summary Area

This area contains the summary elements of the role you are creating or viewing.

Role Name: The unique identifier of the role. Type the name of the new role, or select a role from the list of available roles.
Role Description: A detailed description of the role.
Guest Role: A check box that you select to indicate that the selected role is a guest role.

Membership Tab

On this tab, you can view and update the list of users to whom the role selected (or entered, for a newly added role) in the Summary area is assigned. The table toolbar includes only standard buttons. For the list of standard buttons, see Table Toolbar.

Table Columns

Username: The login name of the user to whom this role is assigned.
Display Name: The combination of the First Name and Last Name on the Users (SM ) form of the user selected in the Username column.
Status: The current status of the selected user (Active, Online, Disabled, Temporarily Locked).
Comment: Any comment that was provided for the selected user on the Users (SM ) form.
Domain: The domain the user belongs to. This column appears if integration with Active Directory is enabled.
Inherited: A check box that shows (if selected) that the roles assigned to the user are defined by the AD group the user belongs to. If the check box is cleared, the roles were assigned specifically to the user. This column appears if integration with Active Directory is enabled.

Active Directory Tab

This tab provides information about Active Directory domain groups mapped to Acumatica ERP roles. The tab appears if the integration of Acumatica ERP with Active Directory or Microsoft Azure Active Directory has been enabled in the web.config file. For more information, see Integration with Active Directory and Integration with Azure Active Directory. The table toolbar includes only standard buttons. For the list of standard buttons, see Table Toolbar.

Table Columns

Group: The name of the domain group mapped to the role selected in the Summary area.
Domain: The domain with which Acumatica ERP is integrated.
Description: A more detailed description of the domain group from Active Directory.

Claims Tab

This tab provides information about the claims, specified during the integration of Acumatica ERP with Active Directory Federation Services (AD FS), that are mapped to Acumatica ERP roles. This tab appears once the integration of Acumatica ERP with AD FS has been enabled in the web.config file. For more information, see Integration with AD FS. The table toolbar includes only standard buttons. For the list of standard buttons, see Table Toolbar.

Table Columns

Group: The name of the domain group mapped to the role selected in the Summary area. You must use the following format to enter the domain groups: <Domain>\<Domain Group>.

User Types

Form ID: (EP )

You use this form to define user types, which are used to provide default settings for creating new users. On the form, you can also define the set of roles that are available for a user of the type and the default roles to be assigned when a user of this type is created. You can add new user types, view existing user types and modify their settings, and delete unused types from the system.

Form Toolbar

The form toolbar includes only standard buttons. For the list of standard buttons, see Form Toolbar.

Summary Area

In this area, you can enter the settings for a new user type, or select an existing type to view or modify its settings.

User Type: The unique identifier of the user type. Enter the ID of the new type, or select a user type from the list.
Linked Entity: The entity associated with this user type. The following options are available:
    Contact: You can assign this user type to external users, such as partners or contacts of customer or vendor organizations.
    Employee: You can assign this user type to employees of your company and possibly to consultants that you consider part of your company.
Description: A description of the user type.

Allowed Roles Tab

You use this tab to view and update the list of roles that can be assigned to users of this type.

Table Toolbar

The table toolbar includes standard buttons and buttons specific to this table. For the list of standard buttons, see Table Toolbar. The table-specific buttons are listed below.

Apply to Users: Applies the default roles to all users of the selected user type. You can click this button if you have added a default role to the list of allowed roles and want to assign this role to all users of the selected user type. If you instead want to assign a role to a particular user, you can use the Users (SM ) form.

Table Columns

Default: A check box that you select to assign the role to a user of this type by default. The role or roles with this check box selected will be assigned to any new user of the type. (If you change the value of this box after creating users of the selected type, their user role assignment will remain unchanged.)
Role Name: The role that can be assigned to a user of the type.
Role Description: Read-only. The detailed description of the role.

Users Tab

You use this tab to view the list of users that are assigned to the selected user type. You can add users to this list by using the Users (SM ) form. For details, see To Create a Local User Account.

Managed User Types Tab

A user with the selected user type can create, manage, and delete users that are associated with the user types listed on this tab, which appears only if the type has the Contact linked entity. You use this tab to view and update the list of these user types. The table toolbar includes only standard buttons. For the list of standard buttons, see Table Toolbar.

Table Columns

User Type: The type of user that a user of the current type can create.
Description: Read-only. The description specified for this user type.

Login Creation Rules Tab

On this tab, you specify the default rules that apply when a new user of this type is added.

Use Email as Login: A check box that you select to use the email address of a contact as the user name of the contact for new users of this type. Note: This policy applies only when you add a user account to a contact account by using the Contacts (CR ) form.

Reset Password on First Login: A check box that you select to require new users of this type to change their password at the first login.
Require Login Activation: A check box that you select to require activation of a new user account. If you select this check box, new users of this type will receive an email with information on how to enable their user account.

Users

Form ID: (SM )

On this form, you can add users to the system and edit existing users. You can assign roles to a user, associate the user with an employee or business contact account, and edit user information. You can also use the form to delete obsolete users. Also, from this form, you can sign in as the selected user if you need to see the system as the user sees it.

To get access to the system, users must authenticate themselves by entering their user name and password. These users should have roles assigned before they sign in to the system. Each role is a set of access rights, or permissions, to work with system entities. You can assign each user one role or multiple roles in accordance with different sets of responsibilities. For more information, see Role-Based Access and Restriction Groups in Acumatica ERP.

If your system is integrated with Active Directory (AD), Active Directory Federation Services (AD FS), or Microsoft Azure Active Directory (Azure AD), all domain users access Acumatica ERP by using the same credentials they use to sign in to the local network. The password and user account policies are set at the domain level, and the security policy settings in Acumatica ERP do not affect these user accounts. In this case, the roles assigned to users are defined by AD or Azure AD groups by default but can be overridden for specific users. For more information, see Integration with Active Directory and Integration with Azure Active Directory.

Form Toolbar

The form toolbar includes standard and form-specific buttons. For the list of standard buttons, see Form Toolbar. The form-specific buttons are listed below.

Log in as User: Gives you the ability to sign in to the system by using the credentials of the selected user. This button is available only if the selected user already exists in the database and you are not already signed in as the selected user.
Membership: Opens the Restriction Groups by User (SM ) form, where you can view or configure the user's membership in groups. This button appears only when you are viewing an existing user.
Activate User: Activates the new user account if the account requires activation. This button appears only when you create a new user and select a user type that requires account activation.
Unlock User: Unlocks the selected user account. This button appears only if the account was temporarily locked.
Reset Password: Opens the Reset Password dialog box, where you can specify a new password for the selected user.

Disable User: Temporarily disables the selected user account. This button appears only for an enabled user account.
Enable User: Enables the selected user account. This button appears only for a disabled user account.
Add Active Directory User: Gives you the ability to add an AD user from the list of available users. When you click this button, the system opens the Active Directory User dialog box. This button appears if your Acumatica ERP instance is integrated with AD for your company.
Reload AD Users: Updates the list of users in Acumatica ERP with current information from AD. This button appears only when you have integrated the Acumatica ERP instance with AD, AD FS, or Azure AD, and when the number of users in AD or Azure AD is greater than or equal to [value omitted in the source].

Reset Password Dialog Box

You can use this dialog box, which opens when you click the Reset Password button, to reset the password for the selected user.

New Password: The new password for the selected user.
Confirm Password: The new password for the selected user, which you retype to confirm it to the system.

This dialog box has the following buttons.

OK: Replaces the password with the new one and closes the dialog box.
Cancel: Closes the dialog box without resetting the password.

Active Directory User Dialog Box

This dialog box opens when you click the Add Active Directory User button. By using this dialog box, you can add an AD user from the list of available users to the list of users in Acumatica ERP.

Active Directory User: The AD user that should be added to the list of users. Click the magnifier icon to open the list of AD users.

This dialog box has the following buttons.

OK: Adds the selected AD user and closes the dialog box.
Cancel: Closes the dialog box without adding an AD user.

Summary Area

You use this area to specify the settings for a new user account or to edit and possibly update an existing account.

Login: Required. The unique login name that authorizes this user to log in to the system. Select a user name to view information about the user, or enter a name to create a new user.

If Acumatica ERP is integrated with AD, Active Directory Federation Services (AD FS), or Microsoft Azure Active Directory (Azure AD), accounts for domain users are added to the system. The login of a domain user account includes the name of the domain and the user name of the user in the domain, as follows:
    AD: <Domain>\<UserName>, where <Domain> is the NetBIOS domain name of the integrated domain, and <UserName> is the user account name in the integrated domain.
    AD FS or Azure AD: <UserName>@<Domain>, where <UserName> is the user account name in the integrated domain, and <Domain> is the UPN suffix, also known as the domain name.
For more information about the accounts of domain users, see Integration with Active Directory, Integration with AD FS, and Integration with Azure Active Directory.
Password: The password the new user should use when initially signing in. This box appears only for newly added users. You can specify the password only if you clear the Generate Password check box.
Generate Password: A check box that you select to have the system generate the password automatically; this check box appears (and is selected by default) for newly added users. The login information will be sent to the user's email address when you save the user account. If you clear this check box, you must enter a password for the new user in the Password box.
Guest Account: A read-only check box that indicates (if selected) that the account is associated with a contact-related user type. For a new user, the system selects or clears this check box automatically when you select the user type.
User Type: The user type of this user, which defines the set of roles available to the user, the default roles assigned to the user, and the user types for which the user can create, manage, and add users. If you are creating a user account for a contact, you must select a contact-related user type for the user or add a new user type. To add a new user type, click Edit ( ) to the right of the box to open the User Types (EP ) form in a pop-up window and add the type. For more information about user types, see User Types. Note: This box is not available when you select a domain user.
Linked Entity: An employee or contact account that is associated with the user. If the user you are creating is already defined in the system as an employee or contact account, you can select the appropriate employee or contact name in this box. This will cause relevant elements to be filled in. The user type you have selected determines whether this box can be left blank and what type of account you can select. If you have selected an employee-related user type in the User Type box or left it blank, you can select an employee account or leave the Linked Entity box blank. If you have selected a contact-related user type in the User Type box, you must select a contact account here or add a new contact. To add a new contact account, click Edit ( ) to the right of the box to open the Contacts (CR ) form in a pop-up window and add the contact account. When you save the added contact account, it will automatically be inserted in this box.

For more information about contacts, see Managing Leads and Contacts.

First Name: The first name of the user.

Last Name: The last name of the user.

Email: Required. The email address of the user, which is used to send information to the user, such as a link for password reset.

Comment: Any additional user-related information that you want to add to the record.

Status: Read-only. The account status. The following options are available:
Pending Activation: The new user account is awaiting activation.
Active: The user account is active.
Online: The user account is active and the user is signed in to the system.
Disabled: The user account is disabled.
Temporarily Locked: The user account is temporarily locked out.

Allow Password Recovery: A check box that you select to allow password recovery for the user if this user forgets the assigned password. This check box is not available for domain users. By default, this check box is selected.

Allow Password Changes: A check box that you select to allow the user to change the password at will by using the User Profile (SM ) form. This check box is not available for domain users. By default, this check box is selected.

Password Never Expires: A check box that you select to prevent the user from ever being prompted to change the password. This check box is not available for domain users. By default, this check box is selected.

Force User to Change Password on Next Login: A check box that you select to require the user to change his or her password during the next login. This check box is not available for domain users. By default, this check box is selected.

Override Active Directory Roles with Local Roles: A check box that you select to assign the domain user roles other than those automatically assigned based on the user's Active Directory groups. When you select this check box, the Roles tab becomes available on the current form for the selected domain user. After you make changes on that tab and save the changes, the user is assigned only the roles selected on the Roles tab. This check box appears for a domain user only. By default, this check box is cleared.

Roles Tab
By using this tab, you can view, add, and remove any role assigned to the selected local user. For a domain user, this tab shows the roles assigned to the user automatically depending on the Active Directory groups associated with the user. To assign other roles to the domain user, select the Override Active Directory Roles with Local Roles check box in the Summary area, and assign the roles to the user on this tab.

The table toolbar includes only standard buttons. For the list of standard buttons, see Table Toolbar.

Table Columns
Selected: A check box that you select to assign this role to the selected user.
Role Name: Read-only. The name that identifies the role.
Role: Read-only. The description of the role.

Statistics Tab
On this tab, you can see the account usage information. This tab is not available for domain users.

Account Creation Date: Read-only. The date and time when the account was created.
Last Login Date: Read-only. The date and time of the last login.
Last Lockout Date: Read-only. The most recent date when the account was temporarily locked out.
Last Password Change Date: Read-only. The date and time of the most recent password change.
Number of Unsuccessful Attempts to Enter Password: Read-only. The number of unsuccessful attempts the user made to sign in to the account. It is reset according to the value of the Reset Lockout Counter After x Minutes box on the Security Preferences (SM ) form.
Note: For more information on the account lockout policy, see Security Policies in Acumatica ERP.
Number of Unsuccessful Attempts to Enter Recovery Answer: Read-only. The number of unsuccessful attempts the user made to enter the user recovery response.
Note: For more information on the account lockout policy, see Security Policies in Acumatica ERP.

IP Filter Tab
You can use this tab to set up the range (or ranges) of IP addresses from which the user may sign in. If you have specified addresses here, access from other addresses is not allowed. If you want to specify a list (rather than a range) of IP addresses, specify the same address in both columns for each IP address. The table toolbar includes only standard buttons. For the list of standard buttons, see Form Toolbar.

Table Columns
Start IP Address: The IP address that starts the range of allowed IP addresses.
End IP Address: The IP address that ends the range of allowed IP addresses.
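The rules the IP Filter tab describes (deny-by-default once any row exists, a single address expressed as a row with the same start and end, and ranges inclusive of both ends) are easy to get wrong when you reproduce them elsewhere, for example in a review script that checks sign-in source addresses against the rows configured for a user. The following is an added example written for this guide; it is not Acumatica code and does not use any Acumatica API. The sample rows, the log line format, and the user names are constructed for illustration only.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample rows in the shape of the IP Filter tab's
# Start IP Address / End IP Address columns (hypothetical values).
SAMPLE_ROWS = [
    ("10.0.0.1", "10.0.0.50"),         # a range, inclusive at both ends
    ("192.168.5.20", "192.168.5.20"),  # a single address: same start and end
]

Range = Tuple[ipaddress._BaseAddress, ipaddress._BaseAddress]


def parse_rows(rows: Iterable[Tuple[str, str]]) -> List[Range]:
    """Validate the Start/End pairs and return them as address objects.

    A row whose start is greater than its end would match nothing, so it is
    reported instead of silently accepted; mixed IPv4/IPv6 rows are rejected too.
    """
    parsed: List[Range] = []
    for start, end in rows:
        lo = ipaddress.ip_address(start.strip())
        hi = ipaddress.ip_address(end.strip())
        if lo.version != hi.version:
            raise ValueError(f"row {start}-{end} mixes IPv4 and IPv6")
        if lo > hi:
            raise ValueError(f"row {start}-{end} has start greater than end")
        parsed.append((lo, hi))
    return parsed


def is_allowed(client_ip: str, ranges: List[Range]) -> bool:
    """Apply the tab's semantics: no rows means no restriction; otherwise the
    address must fall inside at least one row (both ends inclusive)."""
    if not ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    # Address objects of different versions cannot be compared, so skip those rows.
    return any(lo <= ip <= hi for lo, hi in ranges if lo.version == ip.version)


# Constructed sign-in records (not real Acumatica log output): "user ip".
SAMPLE_EVENTS = [
    "jsmith 10.0.0.25",
    "jsmith 192.168.5.20",
    "jsmith 192.168.5.21",
    "jsmith 203.0.113.9",
]


def review_events(lines: Iterable[str], ranges: List[Range]) -> List[Tuple[str, str, bool]]:
    """Evaluate each constructed record against the rows and return
    (user, ip, allowed) so that denied sources can be followed up."""
    results = []
    for line in lines:
        user, ip = line.split()
        results.append((user, ip, is_allowed(ip, ranges)))
    return results


if __name__ == "__main__":
    rules = parse_rows(SAMPLE_ROWS)
    for user, ip, ok in review_events(SAMPLE_EVENTS, rules):
        print(f"{user:<8} {ip:<16} {'allowed' if ok else 'denied'}")
```

Run it as a script to print the verdict for each constructed record; the two addresses outside the configured rows are reported as denied, and a reversed row is rejected at parse time rather than becoming a rule that never matches.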

External Identities Tab
You can use this tab to see whether single sign-on (SSO) with particular providers is activated for the user and to control this possibility. For more information on single sign-on configuration, see Single Sign-On with Google and Single Sign-On with Microsoft Account.

Table Columns
Provider Name: The external identity provider supported by Acumatica ERP.
Active: A check box that indicates whether SSO with the identity provider for this user is activated. Users can use SSO with the selected identity provider only if SSO has been enabled with this identity provider for your Acumatica ERP instance on the Security Preferences (SM ) form.
User Key: The unique identifier of the user account that is used for SSO with the external identity provider. The key value, which is generated by the external identity provider, is displayed in the box after the user has registered his or her external account with the Acumatica ERP instance. Acumatica ERP uses the key to map the user's external account to his or her local account in the Acumatica ERP instance.

Personal Settings Tab
On this tab, you can specify a variety of default settings to be used in Acumatica ERP for the selected user. For example, you can select one of the available certificates as the user's personal certificate for signing portable document format (PDF) files. Users can change these settings themselves on the User Profile (SM ) form.

PDF Signing Certificate: The certificate that the system will use for signing PDF files this user generates in Acumatica ERP. If no certificate is specified here, files will be signed with the default PDF certificate specified on the Site Preferences (SM ) form.
Time Zone: The user's time zone, which will be used to display the timestamps for documents and wiki articles. If a time zone is specified for the user, these timestamps will be converted to the user's specified time zone. If no time zone is specified, documents will be time-stamped using the time settings on the server computer.
Default Branch: The branch to which the selected user will be signed in by default if the user has access to multiple branches.
Home Page: The dashboard to be displayed for the user on the home page of the Acumatica ERP instance.

User Security Reports
The reports available in the User Security module provide information that can be useful for employees who manage users, roles, and access rights to the system objects. You can use these reports, for example, for analyzing, optimizing, and restructuring user accounts, user roles, and access rights. All User Security reports can be generated in various formats, including PDF, and can be printed or sent by email. For more information about reports, see Reports.

User Security Reports
The User Security module includes the following reports, which contain information about users, roles, and access rights:
User List (SM ): Lists the existing user accounts and the properties of the accounts in summary or detailed format.
Role List (SM ): Lists the roles available in the system and shows the list of user accounts assigned to each role.
Access Rights by Screen (SM ): Lists all system forms with the user roles for which access rights to the form have been set up explicitly at the form, module, or suite level. For each role, its level of access rights to the form is displayed.
Access Rights by Role (SM ): Lists the roles available in the system and their access rights to system forms. Only those forms for which access rights were set up explicitly at the form, module, or suite level are displayed in the report.

Access Rights by Role
Form ID: (SM )
This report lists the roles available in the system and their access rights to system forms. Only those forms for which access rights were set up explicitly at the form, module, or suite level are displayed in the report. The report has no report-specific elements. For more information about using other elements on the report form, see Reports.

Access Rights by Screen
Form ID: (SM )
This report lists all system forms with the user roles for which access rights to the form have been set up explicitly at the form, module, or suite level. Each role's level of access rights to the form is displayed. The report has no report-specific elements. For more information about using other elements on the report form, see Reports.

Role List
Form ID: (SM )

This report lists the roles available in the system and shows the user accounts assigned to each role. The report can be created in summary or detailed format. See below for a description of each parameter on the Report Parameters tab. For more information about using other elements on the report form, see Reports.

Report Parameters
On the Report Parameters tab, use the following parameters to select the information to be displayed on the report:
Format: The format to be used for the report. Select one of the following options:
Detailed: Displays the list of roles with the description of each role and the total number of users with the role assigned. For each role, lists the users with the role assigned and the basic information, including email address, for each user.
Summary: Displays the list of roles with the description of each role and the total number of users who have the role assigned.

User List
Form ID: (SM )
This report displays the existing user accounts and their key properties. The report can be created in summary or detailed format. See below for a description of each parameter on the Report Parameters tab. For more information about using other elements on the report form, see Reports.

Report Parameters
On the Report Parameters tab, use the following parameters to select the information to be displayed on the report:
Format: The preferred format of the report. Select one of the following options:
Detailed: Displays the complete list of user accounts with key account properties (such as first and last name and password security options). For each account, the report lists the roles assigned to the account.
Summary: Displays the complete list of user accounts with key account properties (such as first and last name and password security options).

Appendix
The appendix provides some reference information relevant for this document. The additional information in this section is a useful source for readers who need some reference material that is related to system forms and tables, as well as running reports.

In this section:
Reports
Form Toolbar
Table Toolbar
Glossary

Reports
In addition to offering a comprehensive collection of reports for each module, Acumatica ERP gives you a high degree of control over each report. A typical report form, described in Report Form, lets you adjust the report settings to meet your specific informational needs. You can specify sorting and filtering options, select the data by using report-specific settings such as financial period, ledger, and account, and configure additional processing settings for each report. The settings can be saved as a report template for later use. For details, see To Run a Report and To Create a Report Template. After you run a report, the prepared report appears on your screen. You can print the report, export the report to a file, or send the report by email. This chapter describes a typical report form and the main tasks related to using reports.

In This Chapter
Report Form
To Run a Report
To Configure an Ad Hoc Filter on a Report Form
To Modify an Ad Hoc Filter on a Report Form
To Create a Report Template

Report Form
Before you run a report, you set a variety of parameters on the report form. You can select a template or manually make selections that affect the information collected. Also, you can specify appropriate settings to print or email the finished report. The following screenshot shows a typical report form.

Figure: Parameters View of Report Form (callouts: Report Form Toolbar, Parameters Toolbar, Template Area, Details Area)

Report Form Toolbar
The following table lists the buttons of the report form toolbar when you are configuring a report.

Cancel: Clears any changes you have made and restores the default settings.
Run Report: Initiates data collection for the report and displays the generated report.
Save Template: Gives you the ability to save the currently selected report as a template with all the selected settings.
Remove Template: Removes the previously saved template. This button is available only when you select a template.
Schedule Template: Opens the Select Schedule Name dialog box, which you can use to schedule report processing. This button is available only when you select a template.

Select Schedule Name Dialog Box
Schedule: The schedule for report processing. Select an existing schedule, or leave the box blank and click OK to open the Automation Schedules (SM ) form to create a new schedule for running the report. For more information on scheduling, see To Schedule Processing in the Acumatica ERP User Guide.
Merge Reports: A check box that indicates (if selected) that this report will be merged with the other reports selected for merging into one net report when processed.

Note: You can check the reports that will be merged when processed on the Send Reports (SM ) form.
Merging Order: The number of the report in the net report.

Report Toolbar
The following table lists the buttons of the toolbar after you run the configured report.

Parameters: Navigates back to the report form to let you change the report parameters.
Refresh: Refreshes the information displayed in the report (if any data changes were made).
Groups: Adds to the report a left pane where the report structure is shown. Click a report node to highlight the pertinent data in the right pane.
View PDF / View HTML: Displays the report as a PDF, or displays the report in HTML format. The available button depends on the current report view; if you're viewing a PDF, for instance, you will see the View HTML button.
First: Displays the first page of the report.
Previous: Displays the previous page.
Next: Displays the next page.
Last: Displays the last page of the report.
Print: Opens the browser dialog box so you can print the report.
Send: Opens the Activity dialog box, which you use to send the report file (in the chosen format) to the specified email address.
Export: Enables you to export the data in the chosen format (Excel or PDF).

Template Area
Use the elements in this area to select an existing template and then use the template, share it with other users, or use it as your default report settings. The Template area elements, which are available for all reports, are described in the following table.

Template Area Elements
Template: The template to be used for the report. If any templates were created and saved, you can select a template to use its settings for the report.

Default: A check box that indicates (if selected) that the selected template is marked as the default one for you. A default template cannot be shared.
Shared: A check box that indicates (if selected) that the selected template is shared with other users. A shared template cannot be marked as the default.
Locale: A locale that you select to indicate to the system that the report should be prepared with the data translated to the language associated with this locale. This box is displayed if there are multiple active locales in the system. For details, see Locales and Languages.

Report Parameters Tab
The Report Parameters tab includes sections where you specify the contents of the report. These sections depend on the current report and vary in the following regards:
How many elements and which elements are available on a particular report
Whether elements contain default values
Whether specific elements require values to be selected
Whether elements may be left blank to let you display a broader range of data

Additional Sort and Filters Tab
The Additional Sort and Filter tab contains additional sorting and filtering conditions:
Additional sorting conditions: Defines the sorting order. You can add a line, select one of the report-specific properties, and select the Descending or Ascending sort order for the column.
Additional filtering conditions: Defines the report filter. You can add a line, select one of the report-specific properties, and define a condition and its value. The list of conditions includes one-operand and two-operand conditions. To create a more complicated logical expression, you can use brackets and logical operations between brackets. For more information on creating filters, see Creation of Ad Hoc and Reusable Filters in the Acumatica ERP User Guide. For detailed procedures on using ad hoc filters, see To Configure an Ad Hoc Filter on a Report Form and To Modify an Ad Hoc Filter on a Report Form.
Print and Email Settings Tab
If you plan to print the report or save the report as a PDF, select the appropriate settings in the Print Settings area.

Print Settings Section
Deleted Records: Selects the visibility of the data deleted from the database.
Print All Pages: Causes all pages of the report to be printed.
Print in PDF format: Displays the report in PDF format.
Compress PDF file: Indicates that the system will generate a compressed PDF.
Embed fonts in PDF file: Indicates that the system will generate the PDF with fonts embedded.

If you plan to send the report as an email, in the Email Settings area, specify the format in which the report will be sent, as well as the subject, the recipients of copies of the report, and the account of the recipient.

Email Settings Section
Format: The format (HTML, PDF, or Excel) in which the report will be emailed.
Note: The merge function for reports in Excel format is not supported. If you want to merge a report with other reports and send an aggregated report by email, you should select either the HTML or PDF format for the report.
Account: The email address of the recipient.
CC: An additional addressee to receive a carbon copy (CC) of the email.
BCC: The address of a person to receive a blind carbon copy (BCC) of the email; an address entered in this box will be hidden from other recipients.
Subject: The subject of the email.

Report Versions Tab
If the report has multiple versions, you can select one of them.

Report Versions Tab Toolbar
Refresh: Refreshes the list of report versions.
Select: Temporarily activates the selected report version.

Report
Once you click Run Report, the prepared report appears on your screen. You can print the report, export the report to a file, or send the report by email. The prepared report is displayed in the report view of the report form. For more information about setting up the report parameters and the parameters view of the report form, see Report Form.

Report Toolbar
The following table lists the report toolbar buttons.

Parameters: Navigates back to the report form to let you change the report parameters.
Refresh: Refreshes the information displayed in the report (if any data changes were made).
Groups: Adds to the report a left pane where the report structure is shown. Click a report node to highlight the pertinent data in the right pane.

View PDF / View HTML: Displays the report as a PDF, or displays the report in HTML format. The available button depends on the current report view; if you're viewing a PDF, for instance, you will see the View HTML button.
First: Displays the first page of the report.
Previous: Displays the previous page.
Next: Displays the next page.
Last: Displays the last page of the report.
Print: Opens the browser dialog box so you can print the report.
Send: Opens the Activity dialog box, which you use to send the report file (in the chosen format) to the specified email address.
Export: Enables you to export the data in the chosen format (Excel or PDF).

Form Toolbar
The form toolbar, available on most forms, is located near the top of the form, under the form title bar (see the screenshot below). The form toolbar may include standard and form-specific buttons.

Figure: Form toolbar

You use the standard buttons on the form toolbar to navigate through objects and entities that were created by using the current form, insert or delete an object or entity, use the clipboard, save the data you have entered, or cancel your work on the form. In addition to standard buttons, a form toolbar on a particular form may include form-specific buttons. These buttons usually provide navigation to other forms, take specific actions, and perform modifications or processing related to the functionality of the form.

Standard Form Toolbar Buttons
The following table lists the standard buttons of the form toolbar. A form toolbar may include some or all of these buttons.

Save: Saves the changes made to the object or entity.
Cancel: Depending on the context, does one of the following:
Discards any unsaved changes you have made to objects or entities and retrieves the last saved version.
Clears all changes and restores the default settings.
Add New Record: Clears any values you've specified on the form, restores any default values, and initiates the creation of a new object or entity.
Clipboard: Provides options to do the following:
Copy: Copy the selected object or entity to the clipboard.
Paste: Paste an object, entity, or template from the clipboard.
Save as Template: Create a template based on the selected object or entity.
Import from XML: Import an object, entity, or template from an .xml file.
Export to XML: Export the selected object or entity to an .xml file.
For more information on templates and copy-and-paste operations in Acumatica ERP, see Using Forms. For more information on importing and exporting .xml files, see System-Wide Actions in Acumatica ERP in the Acumatica ERP User Guide.
Delete: Deletes the currently selected object or entity, clears any values you've specified on the form, and restores default values.
Note: You can delete a document that is not linked with another document.
Go to First Record: Displays the first object or entity (in the list of objects or entities of the specific type) and its details.
Go to Previous Record: Displays the previous object or entity and its details.
Go to Next Record: Displays the next object or entity and its details.
Go to Last Record: Displays the last object or entity (in the list of objects or entities of the specific type) and its details.
Schedules: Gives you the ability to schedule the processing. For more information, see the To Schedule Processing topic in the Acumatica ERP User Guide.

Inquiry Form Toolbar Buttons
Acumatica ERP inquiry forms present the data in a tabular format. These forms can be designed by a user with the appropriate access rights by using the Generic Inquiry tool (for details, see Managing Generic Inquiries in the Acumatica ERP User Guide), or can be initially configured in your system. The toolbar of an inquiry form contains both the standard form toolbar buttons (described in the table above) and the additional buttons described below.

Fit to Screen: Expands the form to fit on the screen and adjusts the column widths proportionally.
Export to Excel: Exports the data to an Excel file. For more information, see Integration with Excel in the Acumatica ERP User Guide.
Filter Settings: Opens the Filter Settings dialog box, which you can use to define a new filter. After the filter has been created and saved, the corresponding tab appears on the table. For more information about filtering, see Filters.

Table Toolbar
Each table on an Acumatica ERP form, tab, or dialog box has a table toolbar, which contains the search box and buttons you can use to work with the details or objects of the table. The table toolbar, shown in the following screenshot, can include the following sections:
Action section: Contains buttons that are specific to the table, standard buttons that most table toolbars have, and the search box.
Footer section: Displays navigation buttons if there are too many details or objects (that is, table rows) to fit on one page.

Figure: Table toolbar sections (callouts: Action section, Footer section)

Action Section of Table Toolbar
The action section, commonly located at the top of a table, can contain standard and table-specific buttons. If a table toolbar includes table-specific buttons, they are described in the form reference help topic.