WIXLIB

Managing and Understanding MAS500 User Accountswith Sage MAS 500Product: MAS 500 ERPDescriptionThis course is intended to provide you with information on how to manage and understandMAS500 user accounts. Overview of maintaining user accounts, security groups, permissions,license use, and logins are discussed. Topics that will be covered include: Creating, Removing, and Modifying User Accounts Enabling Security Groups for users and permissions Understanding User License Consumption Difference Between SQL and Windows NT Authentication Login process Application Role and Its Purpose Common Troubleshooting Tips for user accountsLearning ObjectivesAt the end of today‟s session, you will be able to: Add / Remove / Modify User Accounts Learn to work in Security Group(s) Understand User License Validation Learn the differences between the SQL and Windows NT Authentication Login Review Application Role and Its Purpose Sage Software, Inc. All rights reserved. The Sage logo and the Sage product and service names mentioned herein areregistered trademarks or trademarks of Sage Software, Inc., or its affiliated entities. All other trademarks are the property of theirrespective owners.

Managing and Understanding MAS500 User AccountsCreating New MAS500 UserAdding a new user for SQL and Windows account System Manager, Maintenance, Maintain Users, Type the name of an existing SQL Server or Windows user If the user is in the current domain, the field adds the domain automatically when youleave the field. Assign Default Security Group, Task Menu, and Company Save and Exit Instruct new user to login and set password in User Preference (if using SQL login) User Preference is applicable to SQL user login. System Manager, Tools, UsersPreferences2 of 14

Managing and Understanding MAS500 User AccountsNote: „SysAdmin‟ or System Manager user security group membership is required toperform the tasksTip: Requiring Password can be enabled at Maintain Site “Require Password” in Option Tab To create a logon for a user in a different domain, first create a SQL Server logon for theuser, then specify the user name with the domain in this format: domain\ login name.3 of 14

Managing and Understanding MAS500 User AccountsRemoving /Deactivating Existing User AccountIn order to remove existing user, user performing the task must have administrative rights toSQL database and MAS500 System Manager, Maintenance, Maintain Users Type or Lookup User Account Use the Delete “X” button or CTRL-D (short key)Accounts Payable, Maintenance, MaintainVendors Confirm the deletion by clicking OK Permanently removing user name from database Delete user from MAS 500(Maintain User task). Then open SQL Studio Management and delete the user from theMAS 500 database and from the SQL server Security\Login folder.4 of 14

Managing and Understanding MAS500 User AccountsNote: Deleting the user from MAS500 will not affect the transactions history created by thedeleted user account. The user will remain in the user list but will have No status under “IsSage MAS 500 User” column.Modifying Existing User AccountUser can be assigned to multiple security groups for one or more companies; however, if theuser is assigned to more than one security group within the same company, the system grants theuser access permissions of the security group with the highest access permissions level. Changing User Name Once the user name is established, it cannot be changed. But can be added after removing theuser name from SQL database. Reason : Editing the name in Active Directory does not assign a new SID (SecurityIdentifier). Thus, adding the new user name in MAS 500 uses values already in use in SQL.5 of 14

Managing and Understanding MAS500 User AccountsHow to Set, Change, and Clear User Password (applicable for SQL loginusers) User can create password during initial login prompt screen Admin can clear the user password from Maintain Users clear Password button SQL admin can clear password from SQL ServerUPDATE tsmUser SET DBPassword NULL,Password NULL WHERE UserID ' username „ After executing the script above,go to Server ROOT Security (LOGIN) and clear out the password under Properties.6 of 14

Managing and Understanding MAS500 User AccountsSecurity Group(s) Assignment and SettingNote: „SysAdmin‟ or „System Manager‟ user security group membership is required to performthe tasksSecurity Group(s) can be created to assign users to specific tasks, permissions, and roles. Benefitof using security group includes time saving administration, global security settings, and efficientuser account management System Manager, Maintenance, Maintain Security Groups Type new security group name and description Select Module ID from dropdown menu and assign appropriate permission level To locate the permission tasks, use Display Tracker to identify the task Levels of permissions are Excluded, Display Only, Normal, and Supervisory Excluded - Prevent users in the security group to view the task. Task may be bypassed,button not visible, or dialog box not display Display Only – Allow users to view the data only. Users cannot change values or use buttons Normal – Allow users to enter or change data. Buttons and Dialog boxes are available tousers Supervisory – Allow users to enter or change data with administrative rights. Example, usercan post private batches. Positional roles dependencyTips and Tricks for managing Security Group(s) Identifying the task name using Display Tracker tool. On the Tools menu, click DisplayTracker. Look for Task Description from the tool. Also can simply right-mouse click on task and select properties. Look for MAS500 TaskName. The task names on the grid can be sorted alphabetically by clicking on column header withmouse7 of 14

Managing and Understanding MAS500 User Accounts Clicking on top left corner cell will highlight all task for master change Use the Security List and User List Reports from System MangerUser License ConsumptionThere are two types of MAS500 User Desktop Licenses. First is called Standard MAS500 userlicense and second is known as Business Insights (BI) user license. Both Licenses are consumedor validated according to the task/application launch Business Insights license consumed when following applications are launched:–Business Insights Explorer–Business Insights Analyzer–Business Insights DashboardExample: A company purchases five (5) standard Sage MAS 500 application user licensesand two (2) Business Insights user licenses. Seven sessions can be started with active tasks,five standard application tasks and two Business Insights tasks.User License ReleaseBoth Standard MAS500 User license and Business Insights User license are released when userlog outs of the MAS500 desktop. Simply closing task(s) or view(s) will not release the license(s). Changes for how MAS500 releases Licenses will be in 7.40 version The license consumption will release when All tasks/application window close. Users willNOT have to completely log out of the desktop.8 of 14

Managing and Understanding MAS500 User AccountsUnderstanding Windows Vs. SQL Authentication LoginMAS500 currently supports two types of login credential validation. Windows and SQLAuthentication method are used for MAS500 login. SQL Authentication is also known as MixedMode. Windows Authentication - Enables Windows Authentication and Disables SQLServer Authentication SQL Server performs the authentication itself by checking to see if a SQL Server loginaccount has been set up and if the specified password matches the one previously recorded If SQL Server does not have a login account set, authentication fails and the user receives anerror message stating Login failed for user „xxxx‟ SQL Authentication (Mixed Mode) - Enables both Windows Authentication and SQLServer Authentication. Windows Authentication is always available and cannot be disabled SQL Authentication is the environment that all of your users are part of a Windows domain In SQL Authentication, access to SQL Server is controlled by Windows account or group,which is authenticated when you log on to the Windows operating system on the client.9 of 14

Managing and Understanding MAS500 User Accounts10 of 14

Managing and Understanding MAS500 User AccountsEnabling Windows Authenication for MAS500 DesktopClient Configuration Utility is required for the following task. Windows authentication can betsetup in two areas for MAS500 desktop. Launch MAS500 desktop, Login window Check „Use Windows Authenication‟ option box for current user Alternately, setting can be set for individual or all MAS500 user using the ClientConfiguration Utility. All Programs, Sage Software, Utilities, Client Configuration Utility Select Current User or All Users and check the “Use Windows Authentication” option. Click OKNote: The client configuration utility will apply changes to the the machine user only if “CurrentUser” is selected. The machine user must have MAS500 Database access11 of 14

Managing and Understanding MAS500 User AccountsUnderstanding Application Role SettingApplication role allows users to access Sage MAS 500 databases through the Sage MAS 500 clientsoftware, but not other applications. Application Role - database principal that enables an application to run with its own,userlike permissions. You can use application roles to enable access to specific data to only thoseusers who connect through a particular application (MAS500). User can perform normal processing against the data while in Sage MAS 500; however, thisuser has no permissions against the database objects when using other applications such asQuery Analyzer, Crystal Reports, etc. Important: If Credit Card is installed, you must select this check box for each user toprocess credit card transactions. „Allow Read Access‟ Option - Select this check box to grant users read-only access to SageMAS 500 databases from other programs. This check box is available only if the UserApplication Role check box is selected.12 of 14

Managing and Understanding MAS500 User AccountsCommon Troubleshooting Tips and Frequently Asked QuestionsFor additional information, please reference the following Knowledgebase Resolution IDsvia Sage InfoSource:“Unable to set the application role - either the approle does not exist or incorrectpassword”When two database sets exist, the passwords must be the same for SQL Server logins and theAppRole. The error mostly relates to some kind of data corruption of Role Password. RunMaintain Site to re-set password for Application Role usually resolves the issue. Knowledgebase Resolution ID: 1978How to clear user passwords in Sage MAS 500As an administrator, you can use the Clear Password function in System Manager / Maintenance/ Maintain Users. If the Clear Password button is disabled, a password does not exist, you do nothave the necessary permissions in Sage MAS 500 or SQL Server to reset the password, or theuser is a Windows Authenticated login. Windows Authenticated logins are maintained at thedomain, not SQL Server or Sage MAS 500; however the login does need exist in SQL Serverand Sage MAS 500. Knowledgebase Resolution ID: 1310How to find the task description for a task to maintain security in Sage MAS 500There may be instances where the task description to set the security for the task is not evident ordo not belong in the module that it is found. To figure out the task description and which moduleit belongs, simply go to the task itself, right click and select 'Properties'.Also can locate task description name by using Display Tracker tool Knowledgebase Resolution ID: 51896113 of 14