
Security

We at OBS look at information security as a mixture of organizational and technical activities aiming to prevent security-related incidents. Keeping information safe and preventing unauthorized access to confidential information is crucial and requires a well-established company policy and constant effort in that direction.

OBS ERP centralizes the information and provides it in a well-structured and easy-to-use way. In that regard, it is vital to define role-based privilege groups that allow users to access only the information they are permitted to see. In addition, you need to terminate the access of leaving employees (preferably before their last working day). These are only a few of the best practices that need to be followed in order to keep your data safe.

Good security practices recommended by OBS2GO and implemented in OBS ERP: 

1. Deactivation (withdrawal of access) of leaving employees before the last working day
2. Password complexity requirement - minimum 8 characters, including special characters and numbers
3. Restricting access to the ERP system to certain IP addresses only
4. Obfuscation of personal data (GDPR)
5. Two-factor authentication
6. Regular overview of system access logs
7. Session termination after a specified time of inactivity
8. Regular verification of the access granted to employees


Privilege groups
OBS ERP controls access to the information using role-based privilege groups. For example, you might want to create the following groups:
  • Accountants - providing access to the modules "Finance" and "CRM",
  • HR - providing access to the module HR,
  • Operations - access to the Time tracking module, projects and tasks,
  • Administration - full access everywhere
  • etc...
By default, OBS ERP creates only one privilege group - "Administrators". This group has full access to all ERP modules.
Privilege groups are created via the module "Privileges", located in the Administration -> Settings menu. The module allows you to delegate read or write permissions over an OBS ERP component to a user.

Create a privilege group
Go to Administration > Settings > Privileges and click on the "Add" button. Provide the group name and a brief description, then click "Add." Once the changes are saved, a comprehensive list of modules will become visible, as depicted in Fig. 1. You will have the option to either individually open specific modules or open them all simultaneously.


Fig. 1

Choose "Read" or "Write" access where applicable and press "Save". This concludes the configuration of the privilege group. Now you can assign this group to a user in module "Administration" -> Settings -> Users.

User access
Open the respective module and click the 'wrench' icon at the top-right corner. Click on "Manage permissions" to manage access for users.


This will open a pop-up that gives you the options for changing permissions.




Prevent access - Prevents access to the module
Prevent deletion - Prevents deletion for the selected privilege
Read - Can only read the module
Write - Can write in the module

By clicking the "+" button you can add more privileges to the module and edit their access.
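The following is an added illustration of how the privilege-group model described in this section and in the "User access" pop-up can be evaluated; it is example code, not OBS ERP's own implementation. The precedence it applies is an assumption: "Prevent access" overrides every other flag, "Write" implies "Read", "Prevent deletion" removes the delete right that "Write" would otherwise carry, a module with no entry is denied by default, and a deactivated user (the "Active" checkbox from best practice 1) is denied everything.

```python
"""Illustrative model of role-based privilege groups (added example, not OBS ERP code).

Assumptions (not stated in the guide): "Prevent access" overrides every other
flag, "Write" implies "Read", "Prevent deletion" removes the delete right that
"Write" would otherwise carry, and a deactivated user is denied everything.
"""
from dataclasses import dataclass, field


# Per-module flags, mirroring the four options in the "Manage permissions" pop-up.
@dataclass(frozen=True)
class ModulePermission:
    read: bool = False
    write: bool = False
    prevent_access: bool = False
    prevent_deletion: bool = False


@dataclass
class PrivilegeGroup:
    name: str
    modules: dict = field(default_factory=dict)  # module name -> ModulePermission


@dataclass
class User:
    login: str
    group: PrivilegeGroup
    active: bool = True  # the "Active" checkbox; switched off when an employee leaves


ACTIONS = ("read", "write", "delete")


def is_allowed(user: User, module: str, action: str) -> bool:
    """Decide whether `user` may perform `action` on `module`."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not user.active:
        return False  # deactivated accounts lose all access
    perm = user.group.modules.get(module)
    if perm is None or perm.prevent_access:
        return False  # no entry for the module means no access (default deny)
    if action == "read":
        return perm.read or perm.write
    if action == "write":
        return perm.write
    # delete: needs write and must not be blocked by "Prevent deletion"
    return perm.write and not perm.prevent_deletion


# Constructed sample groups following the guide's suggested layout.
ACCOUNTANTS = PrivilegeGroup("Accountants", {
    "Finance": ModulePermission(write=True, prevent_deletion=True),
    "CRM": ModulePermission(read=True),
})
ADMINISTRATORS = PrivilegeGroup("Administrators", {
    m: ModulePermission(write=True) for m in ("Finance", "CRM", "HR", "Time tracking")
})


def access_report(user: User, modules=("Finance", "CRM", "HR")) -> dict:
    """List the actions a user may perform per module.

    Running this for every account is one way to do the "regular verification
    of the access granted to employees" from the best-practice list.
    """
    return {m: [a for a in ACTIONS if is_allowed(user, m, a)] for m in modules}


if __name__ == "__main__":
    alice = User("alice", ACCOUNTANTS)
    print(access_report(alice))
    alice.active = False  # employee has left: access is withdrawn
    print(access_report(alice))
```

The report function is the useful part for an administrator: it turns the per-module flags into a flat list per user, so a periodic review can spot accounts whose rights no longer match their role.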


Create a user
Navigate to Administration -> Settings -> Users and click the Add button. Fill in the form shown in Fig. 2 and press "Add".


This will create a new user. Please note the "Privileges" field. It allows you to pick a privilege group for the user.
The field "Account owner by" is related to the "Staff" module. You can pick the employee to whom the account is provided.

Alternative process for user creation:

You can create a user in module "Staff" -> Edit record -> Create user as shown below:


Select a privilege group and password for the account and then press "Submit" to complete the process.


Home screen > Staff > Create user

Deactivate user account
You can terminate the access of an employee by switching off the "Active" checkbox in the user account.
IMPORTANT Note: cloud users are charged based on the number of users marked as "Active" or the number of employees in the Staff module marked as "Active" - whichever of these two numbers is larger.

Two-factor authentication
To enable two-factor authentication, you need to open the Left panel Menu and go to Control Panel.


Home screen > Left panel menu

Then, select "Two-factor authentication".

Open a Two-Factor Authenticator app on your mobile device (like Google Authenticator).
After scanning the code, your authenticator application will produce a code you need to fill in the form under the QR code shown in the next image.

Left panel menu > Control panel > Two factor authentication

When activating two-factor authentication for the first time, enter the code and click "Activate" to enable 2FA.


From this step on, OBS ERP will require you to log in with a security code as well as a password, as shown in the images below.

Login screen


Access token in 2FA

2FA using your user email address
If you haven't scanned your QR code and the system requires 2FA, you can use your email address to generate a one-time access token.

First, click “Send it to my email” on the login screen.
Then, check your email for the access token and enter it on the login screen to access your account.

OBS ERP will generate a QR code and it will invite you to scan it with your favorite authenticator app.


Encryption

OBS ERP implements AES encryption (formerly Rijndael), as defined in U.S. Federal Information Processing Standards Publication 197. To activate encryption in a certain module, navigate to Administration -> Constructor -> Find Module -> Edit -> Activate "Encrypt uploaded files". The files uploaded to that module will then be stored encrypted.



IP Address restriction
You may choose the IP addresses allowed to log in to the system. The setting is available in module Administration -> Settings -> ip_address_restriction
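The block below is an added illustration of the login allow-list this setting describes; it is not OBS ERP's implementation, and since the guide does not document the storage format of ip_address_restriction, it assumes a comma-separated list of single addresses and/or CIDR networks. The sample addresses are from the RFC 5737 documentation ranges.

```python
"""Illustration of a login IP allow-list (added example, not OBS ERP code).

Assumes the setting is a comma-separated list of addresses and/or CIDR networks.
"""
import ipaddress


def parse_allowlist(setting: str) -> list:
    """Turn 'a.b.c.d, x.y.z.0/24' into network objects.

    A malformed entry raises ValueError instead of being skipped, so a typo in
    the setting cannot silently widen or narrow who may log in.
    """
    networks = []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # strict=False lets '203.0.113.10' be treated as a /32 host network
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def login_allowed(client_ip: str, allowlist: list) -> bool:
    """True if the connecting address falls inside any allowed network.

    An empty allow-list means the restriction is not in use.  An address that
    does not parse is treated as not allowed (fail closed).
    """
    if not allowlist:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


# Constructed sample setting: one office address plus a VPN range.
SAMPLE_SETTING = "203.0.113.10, 198.51.100.0/24"

if __name__ == "__main__":
    nets = parse_allowlist(SAMPLE_SETTING)
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.77", "not-an-ip"):
        print(ip, "->", "allowed" if login_allowed(ip, nets) else "denied")
```

When the ERP sits behind a reverse proxy or load balancer, the address checked has to be the one the proxy itself observed, not a forwarded header the client can set; otherwise the restriction can be bypassed. Also keep the administrator's own address on the list before enabling the setting, so you do not lock yourself out.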

GDPR
With reference to the General Data Protection Regulation, the data on our servers is obfuscated, the passwords are encrypted with AES256 (Advanced Encryption Standard), and the personal data is protected.