The basics of computer security are more or less understood. A username is given a password and some permissions. If a user knows the username and password, they are given permission to print, run reports, or open files. The irony is that security frequently doesn’t become misunderstood until organization, with the intent of convenience, is applied.
Groups assign permissions to several usernames at a time. This is especially useful when permission to a feature needs to be given or taken away. Without groups, administrators would have to grant permissions one user at a time, whether there be 2 or 50.
The confusion introduced by groups is one of precedence. Should a user’s permissions conflict with its group’s, which permissions take precedence? In the case of BS&A, the least restrictive permissions do. So, should a user have permission to print and its group not, the user would be able to print. Conversely, if the user should not have permission, but the group does, then the user would still be able to print.
Active Directory Comparison
Active Directory controls permissions for Window’s networks. Comparing BS&A’s users to Active Directory’s removes the need to sign into BS&A’s software or memorize another username and password.
However, this sword has another edge. BS&A and Active Directory must agree on the credentials. Should a disagreement ever occur, the user would be locked out of BS&A’s software until it was resolved.
The Enterprise Admin
Presiding over all of this is the Enterprise Admin. The Enterprise Admin is a username and password that has permission to create users, assign permissions to users, and view everything. This access is given sparingly for obvious reasons.
Enterprise Admin access is usually granted at training. From that point on, BS&A will require the Enterprise Admin to log into the software before they can change, add, or remove any BS&A user. Furthermore, BS&A requires a written request, on letterhead, from the municipality’s supervisor or board member to make changes to the Enterprise Admin.