Security

Prerequisites:
To manually modify configuration files, you need to log in to the operating system with a user account that has permission to edit files in the POS Client installation directory.
Note:
Information on password handling can be found in the Employee Hub Apps User Guide, chapter Password Policy Maintenance.

This chapter describes how to set the security settings for the POS Client.

Information on the following topics will be provided:

  • Configuring authorization
  • Configuring alphanumeric authentication screens
  • Notes on rights configuration
  • Configuring four-eyes authorization

Configuring authorization

Configuration files
  • ..\parameter\client\flow\authorizationConfigs.properties

All functions and their function numbers are listed in the file authorizationConfigs.properties. Define the functions that require authorization.

Proceed as follows:

  • Set the following mode: authorizationMode=Single

    See also the following example:

    AuthorizationConfigs.VoidTransaction.authorizationMode=Single

Authorization is only requested if the logged-in user does not have the corresponding right. During the subsequent authorization, the system checks whether the authorizing user has the right.

Configuring alphanumeric authentication screens

Configuration files
  • ..\parameter\client\ui.properties

To support alphanumeric users or passwords on the POS, an alphanumeric keyboard needs to be configured for the authentication screens. This can be achieved using the following configuration:

UiConfig.authenticationScreenConfig.numericKeyboard=false

Notes on rights configuration

Configuration files
  • ..\parameter\client\flow\authorizationConfigs.properties

The permission in the form of a function number is defined for each function. See the example below taken from the file authorizationConfigs.properties:

AuthorizationConfigs.VoidTransaction.requiredRight=S.01040100604.00

The function number is structured as follows:

X.FunctionID.NN

Component     Description
X             "S" = Standard
              "C" = Customer-specific
FunctionID    The number consists of 11 characters: PPBBGGMMFFF
                • P = Product ID
                • B = Process, service ID
                • G = Grouping ID, e.g. application, component, etc.
                • M = Module ID (optional)
                • F = Function ID, starting with 001 (if optional module ID is not used: 00001)
NN            Subresource ID, starting with 0

The operator is only allowed to execute or authorize the function if they have the corresponding right. If not, the Authorization function is called.

Roles are managed with user rights via import:

Each operator has a RoleID:

<Operator>
  <OperatorID>gk70935</OperatorID>
  <WorkerID>5</WorkerID>
  <LanguageID>enUS</LanguageID>
  <BusinessUnitAssignment>
    <BusinessUnitID>7093</BusinessUnitID>
    <BusinessUnitAssignmentContent>
      <RoleID>1</RoleID>
      <PeripheralSystemTypeLogin>
        <PeripheralSystemType>POS</PeripheralSystemType>
        <LoginName>70935</LoginName>
        <Password>5</Password>
      </PeripheralSystemTypeLogin>
      <PeripheralSystemTypeLogin>
        <PeripheralSystemType>Web</PeripheralSystemType>
        <LoginName>gk70935</LoginName>
        <Password>5</Password>
      </PeripheralSystemTypeLogin>
    </BusinessUnitAssignmentContent>
  </BusinessUnitAssignment>
</Operator>

This RoleID is stored as a workGroupID in the workgroup import:

<workGroupResourceAccess>
  <workGroupID>1</workGroupID>
  <resourceID>100</resourceID>
</workGroupResourceAccess>
<workGroupResourceAccess>
  <workGroupID>1</workGroupID>
  <resourceID>200</resourceID>
</workGroupResourceAccess>
<workGroupResourceAccess>
  <workGroupID>1</workGroupID>
  <resourceID>201</resourceID>
</workGroupResourceAccess>

In addition, a resourceID is assigned to each workGroupID.

All functions are listed and linked, through a matching parentResourceID, to a resourceID from the previous entry:

<resource>
  <resourceID>S.01040100604.00</resourceID>
  <parentResourceID>201</parentResourceID>
  <description>VoidTransaction</description>
  <resourceLevel>1</resourceLevel>
</resource>

In the resourceID, the functions are defined by means of the function number. Thus, the operator assigned to the parentResourceID is allowed to execute or authorize the function VoidTransaction.
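
The chain described above (function number, parentResourceID, workGroupID, RoleID, operator) can be followed mechanically to review who holds a right. The following is an added example, not part of the product or its documentation; the root elements and the second operator are assumptions made so the trimmed snippets parse as complete files.

```python
import xml.etree.ElementTree as ET

# Constructed sample imports modeled on the page's snippets. The root elements
# and the second operator (ex00001, RoleID 2) are hypothetical.
OPERATORS = """<Operators>
  <Operator><OperatorID>gk70935</OperatorID><BusinessUnitAssignment>
    <BusinessUnitAssignmentContent><RoleID>1</RoleID></BusinessUnitAssignmentContent>
  </BusinessUnitAssignment></Operator>
  <Operator><OperatorID>ex00001</OperatorID><BusinessUnitAssignment>
    <BusinessUnitAssignmentContent><RoleID>2</RoleID></BusinessUnitAssignmentContent>
  </BusinessUnitAssignment></Operator>
</Operators>"""
WORKGROUPS = """<workGroups>
  <workGroupResourceAccess><workGroupID>1</workGroupID><resourceID>100</resourceID></workGroupResourceAccess>
  <workGroupResourceAccess><workGroupID>1</workGroupID><resourceID>201</resourceID></workGroupResourceAccess>
  <workGroupResourceAccess><workGroupID>2</workGroupID><resourceID>100</resourceID></workGroupResourceAccess>
</workGroups>"""
RESOURCES = """<resources>
  <resource><resourceID>S.01040100604.00</resourceID><parentResourceID>201</parentResourceID>
    <description>VoidTransaction</description><resourceLevel>1</resourceLevel></resource>
</resources>"""


def operators_with_right(required_right, operators=OPERATORS,
                         workgroups=WORKGROUPS, resources=RESOURCES):
    """Return the sorted OperatorIDs whose RoleID reaches required_right."""
    # 1. Function number -> parentResourceID of the matching <resource>.
    parents = {r.findtext("parentResourceID")
               for r in ET.fromstring(resources).iter("resource")
               if r.findtext("resourceID") == required_right}
    # 2. parentResourceID -> every workGroupID that was granted it.
    groups = {a.findtext("workGroupID")
              for a in ET.fromstring(workgroups).iter("workGroupResourceAccess")
              if a.findtext("resourceID") in parents}
    # 3. workGroupID equals RoleID -> operators holding one of those roles.
    return sorted(op.findtext("OperatorID")
                  for op in ET.fromstring(operators).iter("Operator")
                  if {r.text for r in op.iter("RoleID")} & groups)


if __name__ == "__main__":
    print(operators_with_right("S.01040100604.00"))
```

Running the same function for every requiredRight value in authorizationConfigs.properties gives a per-function list of operators to compare against the intended role design.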

Configuring four-eyes authorization

Configuration files
  • ..\parameter\client\flow\authorizationConfigs.properties

All functions and their function numbers are listed in the file authorizationConfigs.properties. Define the functions that require four-eyes authorization.

Proceed as follows:

  1. Set the following mode: authorizationMode=FourEyes

    See also the following example:

    AuthorizationConfigs.LoginForgotPassword.authorizationMode=FourEyes 
    In this example, the four-eyes authorization is called during login in case of the function Forgotten Password.
  2. In addition, it is possible to configure whether or not the authorizing user must have the corresponding right. In the following example, the user must have the right to execute the authorization:
    AuthorizationConfigs.LoginForgotPassword.checkSecondUserRights=true
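
A review check for authorizationConfigs.properties that covers both the function number layout from "Notes on rights configuration" and the four-eyes settings above. This is an added example, not part of the product; the ExampleFunction entries are hypothetical, and because this page does not state the default of checkSecondUserRights, the check reports every FourEyes entry that does not set it to true explicitly.

```python
import re

# Layout from the page: X.FunctionID.NN with FunctionID = PPBBGGMMFFF.
# Assumption: FunctionID is all digits and NN has two digits, as in the page's example.
FUNCTION_NUMBER = re.compile(
    r"(?P<x>[SC])\.(?P<pp>\d{2})(?P<bb>\d{2})(?P<gg>\d{2})"
    r"(?P<mm>\d{2})(?P<fff>\d{3})\.(?P<nn>\d{2})")

# Constructed sample file. The ExampleFunction entries are hypothetical and
# carry a 10-digit FunctionID on purpose.
SAMPLE = """\
AuthorizationConfigs.VoidTransaction.authorizationMode=Single
AuthorizationConfigs.VoidTransaction.requiredRight=S.01040100604.00
AuthorizationConfigs.LoginForgotPassword.authorizationMode=FourEyes
AuthorizationConfigs.LoginForgotPassword.checkSecondUserRights=true
AuthorizationConfigs.ExampleFunction.authorizationMode=FourEyes
AuthorizationConfigs.ExampleFunction.requiredRight=S.0104010060.00
"""


def parse_function_number(value):
    """Split a function number into its components, or return None if malformed."""
    m = FUNCTION_NUMBER.fullmatch(value)
    return m.groupdict() if m else None


def load(text):
    """Group AuthorizationConfigs.<Function>.<key>=<value> lines by function."""
    funcs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        parts = key.strip().split(".")
        if sep and len(parts) == 3 and parts[0] == "AuthorizationConfigs":
            funcs.setdefault(parts[1], {})[parts[2]] = value.strip()
    return funcs


def audit(text):
    """Return (function, finding) pairs for entries a reviewer should look at."""
    findings = []
    for name, cfg in sorted(load(text).items()):
        right = cfg.get("requiredRight")
        if right is not None and parse_function_number(right) is None:
            findings.append((name, "malformed requiredRight"))
        if (cfg.get("authorizationMode") == "FourEyes"
                and cfg.get("checkSecondUserRights", "").lower() != "true"):
            findings.append((name, "FourEyes without checkSecondUserRights=true"))
    return findings
```

When the optional module ID is not used, read the mm and fff fields together as the five-digit function ID.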