Spider 2016Security

Table of Contents Spider 2016Security ........................................................................................................................................... 1

Introduction ................................................................................................................................................... 2

Previous Security Model ................................................................................................................................ 3

How Does Back Office Users Affect Spider Logins ......................................................................................... 4

Migrating Your Security to the New Model ................................................................................................... 5

Adding the Missing Securities...................................................................................................................... 10

Adding a New Security Group.................................................................................................................. 11

Check Your Setup ......................................................................................................................................... 11

Managing Identities ..................................................................................................................................... 12

Manage Favourites ...................................................................................................................................... 13

Spider Login Credentials – underlying assumptions .................................................................................... 14

Underlying Assumptions .............................................................................................................................. 14

Introduction

The security model used by Spider 2016 is very different from its predecessor, so it is CRITICAL to spend

time setting it up after updating your Spider to the 2016 version. Spider 2016 introduces a security model

whereby every control has a corresponding security object. Several new security objects are created by the

Spider installer, so they are generally not available until after the update process.

As well as the new securities, PCSchool has creates a series of user/group combinations for schools to use

in order to get up and running quickly. To see what permissions these users have visit

http://help.pcschool.net/help/spider-default-templates/?category_id=17.

The “Template User” is no longer used as a basis for creating desktops. The caregiver and student desktop

controls are based on the security objects that have allocated to them. Staff users are shown a menu and

are able to add their own “Favourites” to their desktop. There is a tool to pre-populate desktops favourites

to make it easier for staff to find key controls on their first login.

It is important that key personnel who look after the PCSchool security are available immediately after the

update to assign users to these new securities. Prior to updating Spider, ensure you have a user assigned

with security 1100 “Spider Update Administration”. This security object allows users to use the security

control within Spider 2016.

Prior to updating the Spider, it is recommended that staff are given the following links in order to get an

idea of what the new interface will look like.

The Spider 2016 interface http://help.pcschool.net/help/spider-2016-interface/?category_id=17

Spider 2016 Menu Map http://help.pcschool.net/help/spider-2016-interface/?category_id=17

Previous Security Model

PCSchool has always had the concept of a “User Profile”, or more commonly known as a “Back Office User.”

Each Back Office user is assigned one or more “Group Profiles” which generally contain one or more

security objects. From the example below, the Back Office user named “BURSAR,” has a large number of

security groups (17, only the first 10 showing). To find out what the overall security is for the user

“BURSAR”, you would need to extract the security objects within each of the 17 “Group Profiles”

The example above shows the contents of one of the 17 Group Profiles of the user BURSAR, in this case

“ADMINHIGH.” The same security items may have been added to several groups and it is possible that a

“DENY” security in one of the other Group Profiles is over-riding a security in this one. The new security

model will consolidate ALL of the security objects associated to a “User Profile” into a single Group Profile.

The example below shows the new model based on one a “User Profile” having a single “Group Profile”. All

of the security objects for the user “#PCS_STAFF#” are with the “Profile Group” #PCS_STAFF#” Users

beginning with #PCS_ have a single security group with the same name as the user (this is not essential).

When users/groups are made within Spider, they are automatically surrounded by the “#” symbol to

indicate how they were made.

How Does Back Office Users Affect Spider Logins

In order to log into Spider, a user must have an Identity Record. These are automatically created for staff,

students and caregivers when they are first created within PCSchool. They can also be made manually if you

wish to create additional logins. When an Identity is created, it is assigned a login name and is matched to a

security based on the “Default Users” as shown below. The default users are “Back Office Users” who are

associated with security. If these are blank, the Identity user will not be able to log into Spider as they will

not have any security.

After updating to Spider 2016, the default securities will likely need updating.

When the above user logs into Spider using “PBRUSH” as their login name, they will have the equivalent

security as the “Back Office User” BURSAR. Whatever security BURSAR has, PBRUSH will have. Changes to

BURSAR security affect all users who have their “User Rights Equivalence” set to follow BURSAR.

Migrating Your Security to the New Model

The first task after updating the Spider is to amalgamate your current Security User’s groups into a single

user/group pairing. After that process, additional security objects need to be added to provide users the

functionality they had before. To do this, log into Spider and find the “Portal Administration” control

(Security 1100 required).

1) Control for adding “Favourites” to a user’s desktop (Not needed for Caregivers or Students)

2) The control for managing security from within Spider

3) The control for assigning users to security groups and seeing what Security Users are being used.

Schools will generally have a default security user for Staff, Caregivers and Students. The “Manage Spider

Securities” control is used to update these.

1) Current Back Office users (In Spider they are referred to as Security Users)

2) How many “Group Profiles” are currently connected to the Security User

3) When a Security User has a single group, the [Clone User] button can clone this user/group to a

newly named combination. This is used when you wish to set another user’s security to something

similar to an existing group.

4) [Merger Groups] allows multiple groups to be merged into one. It will carry across any protected

fields. This is the tool used after the initial Spider 2016 update. Once the Security User has a single

group associated with them, this option is greyed out.

5) [Identities] shows which Identity Users are following the security user. It can be used to add

individual Identities.

6) [Securities] is only highlighted when the Security User has a single group. It allows security objects

to be added and removed as necessary.

7) Security Users surrounded by a “#” indicate that they have been created using the security tool

within Spider. Do not add the hashes when creating new users/groups, they are added

automatically.

8) Security users surrounded by a “*” indicate that they have been merged to another user/group

combination, and the Identities following it are now pointing to a new Security User. If you still

have users logging into PCSchool’s Back Office application using these, you will need to notify them

of the name change. It is recommended that ALL users log into PCSchool using an Identity login,

preferably with their login name matching their usual computer login name.

9) A Security user with more than one Security Group associated with them. These groups should be

amalgamated into one using the [Merge Groups] option.

Taking the example of PBRUSH as shown below, they are currently following a Security User called BURSAR

which has multiple groups. Stage one if to [Merge Groups]

Pre merge view within Back Office

Manage Spider Securities view

We can see that the Security User BURSAR has 17 groups. Click [Merge Groups] to start the process

The “Groups” tab show what these 17 groups are.

The “Overall Security” shows the cumulative list of ALL of the Security Objects within the 17 groups. If the

same security was in more than one group, the Access/Create/Edit/Delete option is ticked based on the

highest level the user had.

It is the “Associate or Create” tab that makes the changes. There are two options, either associate the user

to an existing group or create a new user/group.

Associate: Use this option if you already have an existing group you want to associate the Security User to.

This option DOES NOT preserve the previous securities. They will be pointed to a new single group and

their security will be changed to whatever that new group has in it.

CREATE This option allows you to do make a “Group Profile” based on the existing securities for the user

BURSAR.

1) Type in the name of the new group/user. It can be the same name as the existing group as this tool

will automatically surround the name with hashes making it different. It is advised to make the

name a description of the user’s role, NOT a personal name.

2) “Create New Group” will only make a “Group Profile”, in the case called #School Bursar# with the

cumulative securities of the BURSAR’s current 17 groups. It will not assign these to anyone and it

will leave the user BURSAR with the 17 groups. This can be used if you plan to re-use these

securities for adding to users later.

3) This option will make the “Group Profile” as above, but also create a Security User with the same

name (#School Bursar#) and associate the two together. It will not change the user BURSAR

4) This option will make both the Security User and Group Profile as above, but it will then search for

Identity users who are current following the Security User BURSAR and change them to the new

user #School Bursar# Once this has been completed, the original user BURSAR is renamed to

*BURSAR*. The result can been seen below.

1) New Security User with a single Group Profile of the same name. The single Group Profile contains

all of the securities that we in the BURSARS original 17 groups. All users in Identify who were

following BURSAR will not be set to follow #School Bursar#

2) Original user BURSAR, now renamed to *BURSAR* with original 17 groups.

The user BRUSH P has been automatically updated

Adding the Missing Securities

Once you have converted your previous Security User to have a single Group Profile, you then need to add

the new securities that will be missing from it. Controls used to be available based on a “Template” user.

This no longer applies. Every control needs a matching security and some controls have multiple securities

which affect its functionality. To see what securities affect which controls, visit

http://help.pcschool.net/help/setting-up-spider-security-for-spider/?category_id=17

The quickest way to get up and running to is add one of the default PCSchool groups to your exiting group.

Continuing from our example above, we are going to add some additional security objects to the newly

created #School Bursar# Security User. Click on the [Security] button next to #School Bursar#. The initial

view shows what security items are associated to the Security User.

1) The filter tool allows you to search for a security object by name or number

2) Checking “Show All” reveals all available security objects which can then be selected. Unchecking

this option will only show security objects selected for this Security User.

3) You can opt to add items from another Group Profile into this one.

4) Adds security from the selected group. You must check “Show All” before using

5) Check box to select/unselect a security object

6) Check and uncheck the level of access against the security object

7) This applies any changes, either adding newly selected objects or removing unselected ones

8) Exit this control. This option abandons any changes not updated.

Adding a New Security Group

1) Shows the Security User you are applying changes to

2) Select “Show All” to see all available securities

3) Choose the Security Profile you wish to add, in this case the default #PCS_STAFF# group

4) Press [Add this security]

5) Once this is pressed, any new securities not already in the original group are highlighted. From here,

scroll down the list of securities to check that the ones highlighted are needed. Uncheck any you do not

want to add are select any additional one you want to add.

6) Press [Update Permissions] to apply these changes. These steps can be repeated if you wish to add

other Group Profiles before exiting.

Check Your Setup

It is important to log into Spider to test what the user can see. This can be done by using your

“systemadmin” password against the login or creating an Identity User and assigning them the Security

User Equivalence you are testing. This is particularly important for caregiver and student users.

Schools are at liberty to assign more generic controls to caregivers or students, however in doing so, they

may expose more information than they expect. Controls such as Student Information will restrict a

caregiver to their own children however assigning “Calendar Management” would allow them to manage

your school calendar. ALWAYS check before allowing users to login.

Managing Identities

In order to see what Security Users your current Identities are following, the “Manage Identity Securities”

tool was developed. It not only allows you to see what Identities are following a particular security user, but

also allows you to changes these en-masse.

1) Select the Category of user you wish to manage

2) As we have selected staff, we can further refine our search to a particular “Staff Type”

3) .Press [Search] to list the users within Identity matching your selection

4) The Security Users found following these users are displayed. Check/uncheck the boxes to reveal

which Identity users are following the Security User

5) Check the “Code” box to select/unselect the listed users. or it can be done on an individual basis.

6) Choose the Security User you wish to reassign the selected Identity users to.

7) Pressing [Update] will reassign the selected Identity users to follow the chosen Security User.

8) [Exit] to return to the Portal Management.

When complete, all Security Users should describe a role rather than refer to a personal

name.

Manage Favourites

The ability to “Add Favourites” has been provisioned. This is primarily designed for Staff users as caregivers

and students favourites are synchronised to their security. Staff have the ability to add their own favourites

from the menu options, however favourites can be added by an administrator to make the initial login

experience easier for the user or if you wish to showcase a new control. It is also possible to replace staff

users’ favourites with another selection [Replace]. The menu options available to staff members are

governed by the “User Rights Equivalence” user they are associated with. The favourite will only show for

staff if they have the necessary security to see it.

1) It is possible to restrict the Identities by entering in all or part of their member code.

2) Select the Identity Type if you wish to restrict by a particular type

3) Pressing [Search] will find the matching Identities.

4) Select all Identities by checking “Code” or select individual Identities.

1) Choose the menu where the control is located

2) Select the control

3) [Previous] returns to the previous screen (Identity selection)

4) [Overwrite] (replace) Replaces the current favourites for the selected Identities

5) [Add] Adds the selected favourites to the Identities current selection

6) [Remove] Removes the matching favourites to the Identities current selection

7) [Exit] Exits this control

Spider Login Credentials – underlying assumptions

Every staff member, family and student within PCSchool has an associated “Identity” record. Upon initial

creation of the identity record, the origin of the person is indicated by its “Type” by flagging it as Staff,

Caregiver or Student. Once the record has been created, additional types can be selected. If an identity has

more than one type ticked, the following order of precedence will apply.

(Staff will override Caregiver, Caregiver will override Student)

Staff

Are able to select any student within the school

Caregiver

Are able to select any children within their “Family”

Caregiver Specific controls are available (Pay Student Fees)

Students

Can select them self only

Underlying Assumptions

There is also a set of governing behaviours that apply based on the relationship the logged in user has to a

child/family. Currently we have the concept of “Caregivers” and “Split families” (Primary and Alternate).

The correspondence address owner is considered the “Primary” login, whilst all other Identities associated

with a child are Alternate. This will be a lot clearer in the new “Freedom” model. Unless one of the

following securities is added, the following restrictions apply.

289 will show the address/contact information to an Alternate login

292 will hide the address/contact information form a Primary login

Primary Login

• Can see details regarding all family based caregivers

• Can see correspondence information

Alternate Login

• Unable see details regarding all family based caregivers

• Unable to see correspondence information