
SECURITY AND AUDITABILITY WITH SAGE ERP X3

Introduction

An ERP usually contains a huge set of data concerning all the activities of a company or a
group of companies. As some of it is sensitive information (accounting, human resources
for example), ensuring the security of this critical information is important.
Another important point is the traceability of some modifications. This is especially the case
for legislations where the accounting regulations require complete access to the history of
the modifications done on data. Another good example of a traceability constraint is given by
the FDA regulation, and concerns data linked to the BOMs and routings.
The SAFE X3 platform, on which Sage ERP X3 is based, integrates a set of tools in order to
ensure the security and the traceability of the information stored and the operations
performed. This document will give you details on the tools available on the platform.

Connection security

The SAFE X3 platform is based on components that can be installed on secured servers,
protected by firewalls, using HTTPS secured connections to the client for the Web native
client, but also for the Web service layer that can be used by any external software willing to
access the application and administration services provided through the platform.
The user authentication can be controlled through access to a centralized LDAP directory,
and the identity can be inherited via NTLM over the HTTP protocol (in Web mode) or through the
Windows login information (in client-server mode). LDAP means Lightweight Directory Access
Protocol. It refers to open structures used to manage identities in a centralized way, and all
the authentication information linked to them. Several implementations exist (such as
OpenLDAP). Active Directory is the corresponding implementation used by Microsoft to store
identities and is LDAP compatible. In Sage ERP X3 version V6, a setup option allows you to declare that
an LDAP directory exists somewhere on the network, and to map information usually stored
in the users or parameters table to LDAP fields. Once this is done, the parameters stored
in the Sage ERP X3 database can automatically be refreshed according to the values stored in the
LDAP directory (setup option): a central repository of users can thus be managed.
Since version 6.2, the connection can also be secured by using a token sent by an external
Single Sign On system. Sage SSO provides this single sign on procedure, which is used for
example by Netvibes, in order to provide secured access to business data within end-user
portals.

Security, traceability, auditability with SAFE X3 platform Version 1 SAGE 2010 1/ 6


Organizations

The security for Sage ERP X3 can be defined by folders. A folder is a container that stores the
data related to several entities as well as parameters and common data. In each folder, Sage
ERP X3 allows you to describe companies, financial sites and operational sites, and to define
hierarchies of sites based on the legal and accounting organization (a warehouse posting
entries on a financial site belonging to a company member of the group), but also on any
organizational link (all the European warehouses, whether they belong to the same legal
company or not). This is shown in the following screen:

Each company belongs to a given legislation; in a group of companies, several legislations can
be used. The security can be established for each folder by granting rights to users and user
groups, based on these organizational levels.



Users and profile

Associated with a user, the platform allows the description of function profiles managing the
access rights at any level of the organization (sites, companies, groups of sites).
Different controls can be set up:

1) Access restriction to data and operations for each function by site, by company, or by
groups of sites. For example, it is possible to set up that a user will have access to the
sales orders:
o Those related to a group of sites or companies for creation, modification,
allocation and preparation, but not deletion nor invoicing
o Those related to a single site for inquiry only
o And no access for all the other sites
This is shown by the screen copy above:

Depending on the function, the operations controlled can be different (for example, on
fixed assets, the rights to reevaluate an asset, to revise it, to split it, to issue it, or
to change its methods can be controlled separately if needed).



2) Authorization management by field, per transaction and per report, through access
codes. This permits, for example, denying access to a given accounting
transaction, or disabling the modification of the payment term on the customer record.
3) In addition, filters can be added on any field by defining roles and assigning codes
related to this role per user. Let's imagine for example that a given user, connected via
the Web, is a client with the role of payer. He will thus have the right to view only the
invoices for which he is the paying customer. The roles can be freely defined: suppliers,
buyers, trade... roles can be set up to secure the filtering of information accessible
via the application.
4) Filters can be given on any inquiry, and also for groups of inquiries; access can be
given to statistics at a given level. Let's take an example: if a statistical inquiry
published on the portal gives the sales detail per area, per sales representative, per
item category and customer, a sales representative can have access only to the sales
detail for himself (by item category and customer), while the sales director for an
area will have access to the detail of his area by sales representative, product line
and customer.
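As an added illustration (not Sage's own code), the following Python models the sales-order example in point 1 above: rights are granted at site, company or group-of-sites scope, every right whose scope contains the requested site contributes its operations, and a site matched by no right gets no access at all. The organisation, site codes and operation names are constructed.

```python
from dataclasses import dataclass

# Constructed organisation: site -> company, plus named groups of sites
# (a group may span legal companies, e.g. all the European warehouses).
SITE_COMPANY = {"S1": "C1", "S2": "C1", "S3": "C2", "S4": "C3"}
SITE_GROUPS = {"EUROPE": {"S1", "S3"}}


@dataclass(frozen=True)
class Right:
    scope: str        # "site", "company" or "group"
    ref: str          # site code, company code or group name
    ops: frozenset    # operations granted at that scope


# Constructed function profile for sales orders, mirroring the text:
# create/modify/allocate/prepare on a group of sites, inquiry only on
# one site, and nothing anywhere else.
SALES_ORDER_PROFILE = [
    Right("group", "EUROPE",
          frozenset({"create", "modify", "allocate", "prepare"})),
    Right("site", "S2", frozenset({"inquiry"})),
]


def site_in_scope(site, right):
    """True when the right's scope (site, company or group) contains the site."""
    if right.scope == "site":
        return site == right.ref
    if right.scope == "company":
        return SITE_COMPANY.get(site) == right.ref
    if right.scope == "group":
        return site in SITE_GROUPS.get(right.ref, set())
    raise ValueError(f"unknown scope {right.scope!r}")


def granted_ops(profile, site):
    """Union of the operations of every right whose scope contains the site.
    No matching right means no access: deny by default."""
    ops = set()
    for right in profile:
        if site_in_scope(site, right):
            ops |= right.ops
    return ops


def allowed(profile, site, op):
    return op in granted_ops(profile, site)
```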

Parameter setting

Transverse security parameters are also defined in the platform. Let's give some examples:
o password policy (length and complexity, renewal period, number of unsuccessful
connection attempts), if the authentication is managed by the platform and not
through an external SSO
o automatic time-out for connections
o audit constraints and restrictions
o administrator identifier, and sub-administrator profile codes
These parameters can be set up, depending on the parameter, at global level, at legislation
level, at company level, at site level, or at user level. The most local level is used if it exists;
otherwise the parameter value is inherited from an upper level.
Predefined sets of parameters can be registered (for example, having 3 levels of security for a
given set of parameters, called LOW, MEDIUM, and HIGH).
Some global parameters can be locked to a predefined value if given legislations are used for
companies belonging to a group.
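The following Python is an added example (not part of the Sage platform) of the resolution order just described: the most local level at which a parameter is defined wins, otherwise the value is inherited upwards to the global level, and a value locked for a legislation overrides every level. It assumes the user level is the most local one; the parameter names, preset values and legislation codes are constructed.

```python
LEVELS = ("user", "site", "company", "legislation", "global")  # most local first

PRESETS = {  # constructed predefined security levels
    "LOW":    {"PWDLEN": 6,  "PWDRENEW": 0,  "MAXFAIL": 10, "TIMEOUT": 120},
    "MEDIUM": {"PWDLEN": 8,  "PWDRENEW": 90, "MAXFAIL": 5,  "TIMEOUT": 30},
    "HIGH":   {"PWDLEN": 12, "PWDRENEW": 60, "MAXFAIL": 3,  "TIMEOUT": 10},
}


class ParameterStore:
    def __init__(self):
        self.values = {lvl: {} for lvl in LEVELS}  # level -> key -> {param: value}
        self.locked = {}                            # legislation -> {param: value}

    def set(self, level, key, param, value):
        self.values[level].setdefault(key, {})[param] = value

    def apply_preset(self, level, key, name):
        for param, value in PRESETS[name].items():
            self.set(level, key, param, value)

    def lock(self, legislation, param, value):
        """Force a value for every company using this legislation."""
        self.locked.setdefault(legislation, {})[param] = value

    def resolve(self, param, user, site, company, legislation):
        forced = self.locked.get(legislation, {})
        if param in forced:
            return forced[param]
        keys = {"user": user, "site": site, "company": company,
                "legislation": legislation, "global": "*"}
        for lvl in LEVELS:                     # walk from most local to global
            scoped = self.values[lvl].get(keys[lvl], {})
            if param in scoped:
                return scoped[param]
        raise KeyError(f"{param} is not defined at any level")


def build_example():
    """Constructed setup: MEDIUM preset globally, with local overrides and one lock."""
    store = ParameterStore()
    store.apply_preset("global", "*", "MEDIUM")
    store.set("company", "C1", "PWDLEN", 10)
    store.set("user", "JDOE", "PWDLEN", 14)
    store.set("site", "S1", "PWDRENEW", 180)
    store.lock("FRA", "PWDRENEW", 90)   # constructed: legislation FRA forces 90 days
    return store
```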



Traceability and audit

The SAFE X3 platform includes several traceability and audit functions. The following
elements are available:

Every login is recorded on the system (whether it is successful or unsuccessful: in
case of login failure, the reason why the login could not be done is stored). The
information available is: the IP address of the client, the login code, the type of
connection, date and time, and the OS user code.

The recording of all critical data stores the date of creation, the date of last successful
modification, and the identifier of the user who performed the creation and the last
modification.

Regarding operations performed by users, a first level of audit (user level) allows you
to log every successful operation done by users. For each user, a parameter can have
one of the following values: No log, Log of all operations, Log of delete and change code
operations only. The details stored are date, time, user code, function and
operation performed, and also the key identifying the data. For example, using this
function, you will know that John DOE performed a modification on item CD100 on the
First of December 2008 at 5:31 AM.

A more detailed information track can be set up through parameter setting (data
traceability in the dictionary). In that case you will indicate, for each database table you
want to secure, whether you want to log creation, modification and/or deletion on
this table. This level gives you, at the table level, the history of the operations done. You can
also store the details of the modifications done on the fields. In that case, you will get
detailed information such as: The First of December 2008 at 5:31 AM, John DOE
modified the item (table ITMMASTER) record CD100; the field DEFPOT (default
potency) was modified (the previous value was 0.95, and the new value is 0.96).
When such a parameter setting is done, a trigger is automatically created in the
database. Thus, any modification, including a modification through direct access to
the database, will be tracked.
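To show why the trigger matters, here is an added example (not the platform's own trigger) using SQLite as a stand-in for the X3 database: a field-level audit trigger on ITMMASTER.DEFPOT records the previous and new value even when the update is issued as raw SQL outside the application. The schema, the audit table layout and the hard-coded session user are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the X3 database: the item table with the DEFPOT
# field, an audit table, and a trigger that logs old/new values on change.
# The real platform would capture the database session user; SQLite has no
# notion of one, so 'dbuser' is a constant placeholder here.
SCHEMA = """
CREATE TABLE ITMMASTER (ITMREF TEXT PRIMARY KEY, DEFPOT REAL);
CREATE TABLE AUDIT_LOG (
    ID INTEGER PRIMARY KEY, TBL TEXT, REC TEXT, FLD TEXT,
    OLDVAL TEXT, NEWVAL TEXT, OPER TEXT, USR TEXT,
    TS TEXT DEFAULT CURRENT_TIMESTAMP);
CREATE TRIGGER TRG_ITMMASTER_DEFPOT AFTER UPDATE OF DEFPOT ON ITMMASTER
WHEN OLD.DEFPOT IS NOT NEW.DEFPOT
BEGIN
    INSERT INTO AUDIT_LOG (TBL, REC, FLD, OLDVAL, NEWVAL, OPER, USR)
    VALUES ('ITMMASTER', NEW.ITMREF, 'DEFPOT', OLD.DEFPOT, NEW.DEFPOT,
            'M', 'dbuser');
END;
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def direct_update(con, itmref, new_defpot):
    """Raw SQL issued outside the application: the trigger still fires."""
    con.execute("UPDATE ITMMASTER SET DEFPOT = ? WHERE ITMREF = ?",
                (new_defpot, itmref))
    con.commit()


def audit_trail(con, itmref):
    return con.execute(
        "SELECT FLD, OLDVAL, NEWVAL, OPER, USR FROM AUDIT_LOG "
        "WHERE REC = ? ORDER BY ID", (itmref,)).fetchall()


def run_demo():
    """Constructed scenario: CD100 goes from 0.95 to 0.96 through direct SQL."""
    con = open_db()
    con.execute("INSERT INTO ITMMASTER VALUES ('CD100', 0.95)")
    direct_update(con, "CD100", 0.96)   # real change: one audit row
    direct_update(con, "CD100", 0.96)   # same value again: no audit row
    return audit_trail(con, "CD100")
```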

In order to be compliant with regulations such as CFR-21, you can, through a
modification, add a control that will force the user, for modifications made on critical fields,
to sign by entering his password and a reason code for the modification. If
the password is not entered, the modification won't be possible.

The libraries needed to implement this functionality and the inquiry function are
provided, as well as a configuration parameter (a dedicated activity code) and a
sequence code for log numbering. The only modifications to be done are to add given
fields (with a predefined name) on the tables that you want to manage with e-signature,
to set up the field traceability on these fields, and finally to add a screen
control that will call a dedicated action when a modification is done.

A technical document describes the methodology to be used for the implementation.
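As an added example of the e-signature control (written for this page, not one of the platform's provided libraries), the Python below gates a field modification: a critical field cannot be changed unless the user re-enters a password that verifies and supplies a reason code, and every accepted change gets a numbered log entry. The critical-field list, the user store and the sequence counter are constructed assumptions.

```python
import hashlib
import hmac
import itertools
from datetime import datetime, timezone

CRITICAL_FIELDS = {"ITMMASTER": {"DEFPOT"}}   # constructed: fields under e-signature
_seq = itertools.count(1)                      # stand-in for the log sequence code


def pwd_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store holding salted hashes, never clear-text passwords.
USERS = {"JDOE": (b"salt-jdoe", pwd_hash("correct horse", b"salt-jdoe"))}


class SignatureRequired(Exception):
    """Raised when a critical field is modified without a valid signature."""


def esign_update(table, rec, field, old, new, user, password=None, reason=None):
    """Apply the e-signature rule and return the log entry for the change."""
    critical = field in CRITICAL_FIELDS.get(table, set())
    if critical:
        if not password or not reason:
            raise SignatureRequired(f"{table}.{field} needs a password and a reason code")
        salt, digest = USERS[user]
        if not hmac.compare_digest(pwd_hash(password, salt), digest):
            raise SignatureRequired("password verification failed")
    return {
        "seq": next(_seq),
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "table": table, "rec": rec, "field": field,
        "old": old, "new": new, "reason": reason, "signed": critical,
    }
```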



Alerts, Workflow and approval

In order to trigger dedicated actions based on a given operation, or to notify and
request approval of a modification, the SAFE X3 platform includes a workflow
setup. The workflow engine is able:
o To send e-mails.
o To feed workbenches presented to the users in order to help them take decisions.
o To trigger updates, request approval and manage approval circuits with multiple
approvers.
o To send linked documents by e-mail; for example, after completion of a batch
request, sending a summarized report including the log file generated if errors or
warnings occurred.
Predefined rules are supplied by default, for example: purchase request and purchase order
approval, batch operation notification, modification summary on critical data, approval on
sales quotations and orders, password renewals if they are managed by the platform,
escalation on signatures.

Document management

The traceability constraints can apply not only to the ERP data, but also to the
documents produced by the ERP or sent to the ERP.
The SAFE X3 platform is able to store documents securely in different electronic document
management systems, through a standard connector used by several EDM vendors.
The documents produced by the ERP (reports, log files, exports, linked documents) can be
securely stored in containers with associated data, and retrieved easily through links
established with the data managed in the ERP (for example, linking technical documents to
items or BOMs, linking the closing balance reports to a company record, linking a simulation
Excel spreadsheet exported from a budget entry to the budget definition).
