03 - Security Schema

The KwaMoja security scheme consists of the following parts:

  1. Users:
    A separate account should be created for each user.
    User accounts may be added or removed by an administrator at:
    Main Menu > Setup > User Accounts (WWW_Users.php)

    Each user is assigned a 'Security Role' by selecting a choice
    from the drop down list labeled 'Security Role'.
    See below for a list of the default Security Roles available.

  2. Security Roles:
    Security Roles may be added or removed by an administrator at:
    Main Menu > Setup > Role Permissions (WWW_Access.php)

    Each 'Security Role' is assigned one or more 'Security Tokens'.
    The 'Security Tokens' assigned to a particular 'Security Role' can be
    changed at: Main Menu > Setup > Role Permissions (WWW_Access.php)

    See below for a list of the default 'Security Roles' and the
    'Security Tokens' assigned to each.

  3. Security Tokens:
    15 'Security Token' choices are available by default.
    See below for a list of the default 'Security Tokens'.
    Each 'Security Token' allows access to one or more KwaMoja pages.

    There is no KwaMoja tool to add, remove or edit 'Security Tokens'.
    However, an administrator can edit the underlying table (securitytokens).

  4. PageSecurity values:
    Each KwaMoja page is given a PageSecurity value from 1 to 15 in the
    table scripts. The system reads all the scripts and the PageSecurity
    value for each into a SESSION array, $_SESSION['PageSecurityArray'];
    the key for each element is the script name and the value is the
    PageSecurity value for that script. The key (the script name) is
    retrieved from the $_SERVER['SCRIPT_NAME'] variable. In this way,
    every time a script is called, its PageSecurity value is retrieved
    from the array.

    There is a KwaMoja tool, accessible from the Setup menu, to change
    the PageSecurity value of each script.

These parts work together as follows. The user name and password combination entered at log on enables the system to identify the 'Security Role' for the User. The User's 'Security Role' determines which 'Security Tokens' are available to the User. The User is allowed access to any page whose 'PageSecurity' value is equal to one of the 'Security Token' values available to that User.


A more comprehensive description of the security scheme follows:

Each KwaMoja page (script) is assigned a specific PageSecurity value. This page security value is stored in the scripts table of the database and read into a SESSION array on login (from the GetConfig.php script). At the time of writing this is a number between 1 and 15. If more levels of security are necessary then this can be expanded by an administrator or developer. The default PageSecurity values for each page can be inspected by browsing the scripts table.

The user is allowed access to a page if the PageSecurity value of the page/script is a number contained in the SESSION AllowedPageSecurityTokens array, as determined from the user's access level (Security Role). The user access level (Security Role) is an integer that represents the Security Role assigned to the user in the user set up page (WWW_Users.php).

Access authority is checked in the session.php script for all pages (or PDF_Starter.php for PDF pages). The variable $_SESSION['AccessLevel'] is retrieved from the database when the user logs on, in session.php. This variable refers to the Security Role of the user. The $_SESSION['AllowedPageSecurityTokens'] array of numbers is retrieved from the database based on the user's AccessLevel (Security Role). Any page that has a $PageSecurity value equal to any value in this array is deemed to be an authorised page.
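As an added example (not KwaMoja's own code), the following Python models the chain just described: the user's AccessLevel selects a Security Role, the role's tokens become AllowedPageSecurityTokens, and a script is authorised only when its PageSecurity value is in that set. The sample tables are a constructed subset of the version 3.0.5 defaults listed later on this page; denying a script that is absent from the scripts table is an assumption of this example, not documented KwaMoja behaviour.

```python
# Added example (not KwaMoja code): the role -> token -> PageSecurity chain.
# Sample data is a constructed subset of the version 3.0.5 defaults.
from typing import Dict, FrozenSet, List

# securitytokens: tokenid 1..15 are defined by default.
SECURITY_TOKENS: FrozenSet[int] = frozenset(range(1, 16))

# securitygroups: secroleid -> tokenids granted to that Security Role.
SECURITY_GROUPS: Dict[int, FrozenSet[int]] = {
    1: frozenset({1, 2}),                # Inquiries/Order Entry
    2: frozenset({1, 2, 11}),            # Manufac/Stock Admin
    3: frozenset({1, 2, 3, 4, 5, 11}),   # Purchasing officer
    4: frozenset({1, 2, 5}),             # AP Clerk
    5: frozenset({1, 2, 5, 11}),         # AR Clerk
    6: frozenset(range(1, 12)),          # Accountant: tokens 1-11
    7: frozenset({1}),                   # Customer logon only
    8: SECURITY_TOKENS,                  # System Administrator: all tokens
}

# scripts table: script name -> pagesecurity (subset of the defaults).
PAGE_SECURITY: Dict[str, int] = {
    "index.php": 1, "CustomerInquiry.php": 1, "SelectSupplier.php": 2,
    "Customers.php": 3, "PO_Header.php": 4, "SupplierInvoice.php": 5,
    "BankReconciliation.php": 7, "GLJournal.php": 10,
    "StockAdjustments.php": 11, "SystemParameters.php": 15,
}

def allowed_tokens(access_level: int) -> FrozenSet[int]:
    """What session.php loads into $_SESSION['AllowedPageSecurityTokens']
    for a user whose www_user.fullaccess is access_level. A role with no
    securitygroups rows gets no tokens and so reaches no page."""
    return SECURITY_GROUPS.get(access_level, frozenset())

def page_allowed(script: str, access_level: int) -> bool:
    """The session.php check: the script's PageSecurity value must be one
    of the user's allowed tokens. Denying a script that is absent from the
    scripts table is this example's fail-closed assumption."""
    page_security = PAGE_SECURITY.get(script)
    return page_security is not None and page_security in allowed_tokens(access_level)

def accessible_pages(access_level: int) -> List[str]:
    """Least-privilege review aid: every script a Security Role can open."""
    return sorted(s for s in PAGE_SECURITY if page_allowed(s, access_level))

def roles_reaching(script: str) -> List[int]:
    """Reverse view: which Security Roles can open a given script."""
    return sorted(r for r in SECURITY_GROUPS if page_allowed(script, r))
```

Running `accessible_pages` for each role, or `roles_reaching` for each sensitive script, gives the effective permission matrix to compare against the intended one after roles or PageSecurity values are changed.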

If you wish to add more Security Roles then you must use the Role Permissions script (WWW_Access.php). You must also specify the Security Tokens for the new Security Role. Users assigned to the new Security Role will have access to any page where the PageSecurity value is equal to a Security Token value assigned to the new Security Role. This mechanism allows the system administrator to control who can access what.

By changing the Security Role assigned to each user and the Security Tokens assigned to each Security Role, the security access can be tailored for all users. When making these changes, refer to the default values in the tables below. The PageSecurity values of the affected scripts must also be known. The default settings can be modified as needed from the Page Security script accessible from the Setup module.


Security Scheme Tables:

Table.Field                        Example Data                Comment
---------------------------------  --------------------------  ------------------------------------------------
www_user.userid                    demo                        These fields are updated by WWW_Users.php.
www_user.fullaccess                8

securityroles.secroleid            8                           These fields are changed when a 'Security Role'
securityroles.secrolename          System Administrator        is created or deleted at WWW_Access.php.

securitygroups.secroleid           8                           These fields are updated when 'Security Tokens'
securitygroups.tokenid             1                           are assigned to or removed from 'Security Roles'
                                                               at WWW_Access.php.

securitytokens.tokenid             1                           15 default security tokens are defined. This
securitytokens.tokenname           Menu and Order Entry Only   data can not be edited using any KwaMoja tool.

KwaMoja page CustomerInquiry.php   $PageSecurity = 1;          The PageSecurity value for each page is
                                                               pre-defined and can not be edited using any
                                                               KwaMoja tool.

Changes in Later Versions

Below, the default security roles and page security values are set out. However, be aware that all these settings are now modifiable in the database. The roles can be defined by choosing which security tokens will be allowed. Also, as of version 4.0 it is now possible to change the PageSecurity of each script to allow access to be more tightly defined. The PageSecurity value for a particular script is mapped to a security token that is either available to a particular user or not. If the security token is not in the user's list of allowed security tokens, the script will not be available to that user.

Security Roles: Defaults for KwaMoja version 3.0.5:

1 - Inquiries/Order Entry
2 - Manufac/Stock Admin
3 - Purchasing officer
4 - AP Clerk
5 - AR Clerk
6 - Accountant
7 - Customer logon only
8 - System Administrator

Security Token assignments: Defaults for KwaMoja version 3.0.5:

1 - Inquiries/Order Entry tokens = 1, 2
2 - Manufac/Stock Admin tokens = 1, 2, 11
3 - Purchasing officer tokens = 1, 2, 3, 4, 5, 11
4 - AP Clerk tokens = 1, 2, 5
5 - AR Clerk tokens = 1, 2, 5, 11
6 - Accountant tokens = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
7 - Customer logon only token = 1
8 - System Administrator tokens = All the currently defined security tokens

Security Tokens: Defaults for KwaMoja version 3.0.5:

1 - Menu and order entry only
2 - Inventory, AR & AP inquiries & reports
3 - AR setup customers, areas, receipts, allocations, credit notes, salesfolk, credit status
4 - PO Entry, Purchasing data & reorder levels
5 - AP Invoice, Credit, Payment entry. Supplier maintenance
6 - Not used
7 - Bank reconciliations
8 - GL Journals, COA, sales/COGS GL postings, terms, cost update, company prefs
9 - Ledger Maintenance and Manufacturing
10 - GL Journals, COA, sales/COGS GL postings, terms, cost update, company prefs
11 - Pricing & Inventory locations, categories, receiving & adjustments
12 - Not Used
13 - Not Used
14 - Not Used
15 - User management, System Admin setup & utilities

PageSecurity values: Defaults for KwaMoja version 3.05:

Page (script) File Name PageSecurity value
CustomerInquiry.php 1
GetStockImage.php 1
index.php 1
Logout.php 1
MailInventoryValuation.php 1
PDFStockLocTransfer.php 1
PDFStockNegatives.php 1
PrintCustTrans.php 1
PrintCustTransPortrait.php 1
reportwriter/FormMaker.php 1
reportwriter/ReportMaker.php 1
SelectCompletedOrder.php 1
SelectOrderItems.php 1
AgedDebtors.php 2
AgedSuppliers.php 2
BOMInquiry.php 2
BOMListing.php 2
ConfirmDispatch_Invoice.php 2
CustomerTransInquiry.php 2
CustWhereAlloc.php 2
DebtorsAtPeriodEnd.php 2
EmailCustTrans.php 2
FTP_RadioBeacon.php 2
InventoryPlanning.php 2
InventoryValuation.php 2
OrderDetails.php 2
OutstandingGRNs.php 2
PDFCustomerList.php 2
PDFLowGP.php 2
PDFPriceList.php 2
PDFQuotation.php 2
PDFStockCheckComparison.php 2
PeriodsInquiry.php 2
PO_OrderDetails.php 2
PO_PDFPurchOrder.php 2
PO_SelectOSPurchOrder.php 2
PO_SelectPurchOrder.php 2
Prices.php 2
PrintCustOrder_generic.php 2
PrintCustOrder.php 2
PrintCustStatements.php 2
reportwriter/admin/ReportCreator.php 2
SalesAnalReptCols.php 2
SalesAnalRepts.php 2
SalesAnalysis_UserDefined.php 2
SelectCustomer.php 2
SelectProduct.php 2
SelectRecurringSalesOrder.php 2
SelectSalesOrder.php 2
SelectSupplier.php 2
ShiptsList.php 2
StockCheck.php 2
StockCostUpdate.php 2
StockCounts.php 2
StockLocMovements.php 2
StockLocStatus.php 2
StockMovements.php 2
StockQuantityByDate.php 2
StockSerialItems.php 2
StockStatus.php 2
StockUsage.php 2
StockUsageGraph.php 2
SupplierBalsAtPeriodEnd.php 2
SupplierTransInquiry.php 2
Tax.php 2
WhereUsedInquiry.php 2
Z_CheckAllocs.php 2
Areas.php 3
Credit_Invoice.php 3
CreditItemsControlled.php 3
CreditStatus.php 3
CustomerAllocations.php 3
CustomerBranches.php 3
CustomerReceipt.php 3
Customers.php 3
PDFBankingSummary.php 3
PDFChequeListing.php 3
PDFDeliveryDifferences.php 3
PDFDIFOT.php 3
PDFOrdersInvoiced.php 3
PDFOrderStatus.php 3
SalesPeople.php 3
SelectCreditItems.php 3
StockSerialItemResearch.php 3
PO_Header.php 4
PO_Items.php 4
PurchData.php 4
SpecialOrder.php 4
StockReorderLevel.php 4
Payments.php 5
PrintCheque.php 5
StockQties_csv.php 5
SuppCreditGRNs.php 5
SuppInvGRNs.php 5
SupplierAllocations.php 5
SupplierCredit.php 5
SupplierInvoice.php 5
Suppliers.php 5
SuppPaymentRun.php 5
SuppShiptChgs.php 5
SuppTransGLAnalysis.php 5
SalesGraph.php 6
BankMatching.php 7
BankReconciliation.php 7
GLAccountInquiry.php 8
GLBalanceSheet.php 8
GLCodesInquiry.php 8
GLProfit_Loss.php 8
GLTransInquiry.php 8
GLTrialBalance.php 8
SelectGLAccount.php 8
BOMs.php 9
Currencies.php 9
Z_CreateChartDetails.php 9
AccountGroups.php 10
AccountSections.php 10
BankAccounts.php 10
COGSGLPostings.php 10
CompanyPreferences.php 10
EDIMessageFormat.php 10
GLAccounts.php 10
GLJournal.php 10
PaymentTerms.php 10
SalesGLPostings.php 10
WorkOrderEntry.php 10
WorkOrderIssue.php 10
ConfirmDispatchControlled_Invoice.php 11
CustEDISetup.php 11
DiscountCategories.php 11
DiscountMatrix.php 11
EDIProcessOrders.php 11
FreightCosts.php 11
GoodsReceived.php 11
GoodsReceivedControlled.php 11
Locations.php 11
Prices_Customer.php 11
ReverseGRN.php 11
SalesCategories.php 11
ShipmentCosting.php 11
Shipments.php 11
Shipt_Select.php 11
StockAdjustments.php 11
StockAdjustmentsControlled.php 11
StockCategories.php 11
StockLocTransfer.php 11
StockLocTransferReceive.php 11
Stocks.php 11
StockTransferControlled.php 11
StockTransfers.php 11
TaxAuthorityRates.php 11
EDISendInvoices.php 15
PaymentMethods.php 15
SalesTypes.php 15
Shippers.php 15
SystemParameters.php 15
TaxCategories.php 15
TaxProvinces.php 15
UnitsOfMeasure.php 15
Z_CheckAllocationsFrom.php 15
Z_index.php 15
Z_MakeNewCompany.php 15
Z_poAddLanguage.php 15
Z_poAdmin.php 15
Z_poEditLangHeader.php 15
Z_poEditLangModule.php 15
Z_poRebuildDefault.php 15
Z_Upgrade_3.01-3.02.php 15
Z_Upgrade_3.04-3.05.php 15