Introduction
Business Portal extends Microsoft® Business Solutions–Solomon to the Web, providing a Web interface to
securely access back office data. This distributed computing model brings significant challenges. Among
these is security. Business Portal’s distributed model of computing – with levels of integration between
clients, servers, and services – demands that security be an integral part of every implementation.
Much of the information in this whitepaper is discussed in more detail in the Business Portal product
documentation, namely, the Business Portal Administrator’s Guide, the Business Portal Integration Guide,
and the Business Portal Installation Guide. These documents are supplied on the product CD.
Portal architecture
Microsoft .NET
Integrated security is a hallmark of Microsoft .NET. A general-purpose development platform, .NET is ideal for
creating Web-based applications because it contains the building blocks for creating security-enhanced, role-
based applications using a browser client, along with an existing back office solution.
TCP/IP
TCP/IP must be running on the network that is used to access Business Portal. Organizations should use
some type of name resolution to identify each computer by having a server act as a domain name server or
by putting a hosts file on each client and server.
Domains
Domain controllers provide a convenient, secure way to log on to Business Portal. When users log on to a
domain, Business Portal can easily retrieve and verify those credentials. Business Portal requires that your
Web server, back office server, terminal services server, and client workstations all belong to a domain.
SQL authentication
Business Portal requires that Microsoft SQL Server™ uses SQL authentication, so SQL Server must be
configured for mixed-mode authentication.
When you install Business Portal, you create a Business Portal logon, which is the account Business Portal
uses to access Solomon data in SQL Server. This account should not be used for any other purpose, and its
password should be stored securely.
Digest authentication
Business Portal also supports digest authentication, or enhanced security. If selected, users will be required
to enter their credentials when attempting to access the administration pages of Business Portal. Digest
authentication sends a hash of the user’s credentials across the network instead of the credentials
themselves, which makes it virtually impossible for hackers to reconstruct the credentials from the traffic.
We recommend using digest authentication if:
• Business Portal users have valid Windows user accounts stored in Active Directory® on the domain
controller with passwords stored in a reversibly encrypted (clear text) form.
• The Business Portal server is on a domain with at least one domain controller running Windows 2000
Server or later.
• Users need to be prompted for domain credentials when performing administrative tasks in Business
Portal.
• The users and the Web server are members of, or are trusted by, the same domain.
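To make concrete what “hashes the credentials across the network” means, and why the first condition above requires passwords stored in reversibly encrypted form, here is an added Python example. It is not code from this whitepaper or from Business Portal; it walks through one HTTP Digest (RFC 2617) challenge and response with the client and server sides as separate functions. The username, realm, password and URI are the worked example values from RFC 2617 section 3.5; the nonces are generated at run time. The server-side check has to recompute the hash from the clear password, which is exactly why a domain controller cannot verify a digest response from a one-way password hash.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Set

# Constructed sample values, taken from the worked example in RFC 2617 section 3.5.
REALM = "testrealm@host.com"
USERNAME = "Mufasa"
PASSWORD = "Circle Of Life"
URI = "/dir/index.html"
METHOD = "GET"


def _md5(text: str) -> str:
    # RFC 2617 defines Digest over MD5; that is the protocol's choice, not a
    # recommendation for new designs.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """The 'response' value for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # only place the password is used
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_challenge() -> Dict[str, str]:
    """WWW-Authenticate: a fresh, unpredictable nonce binds this exchange."""
    return {"realm": REALM, "qop": "auth", "nonce": secrets.token_hex(16)}


def client_authorize(challenge: Dict[str, str], username: str, password: str,
                     method: str, uri: str) -> Dict[str, str]:
    """Authorization header fields the browser sends back; the password is not among them."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
        "response": digest_response(username, challenge["realm"], password, method, uri,
                                    challenge["nonce"], nc, cnonce, challenge["qop"]),
    }


def server_verify(auth: Dict[str, str], method: str, issued_nonces: Set[str],
                  password_lookup: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the response from the stored clear password and compare.
    Rejects nonces the server never issued (replay of an old exchange)."""
    if auth["nonce"] not in issued_nonces:
        return False
    password = password_lookup(auth["username"])
    if password is None:
        return False
    expected = digest_response(auth["username"], auth["realm"], password, method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])


def demo_exchange(password_on_client: str = PASSWORD) -> bool:
    """One full round trip; returns True if the server accepts the client's response."""
    challenge = server_challenge()
    issued = {challenge["nonce"]}
    auth = client_authorize(challenge, USERNAME, password_on_client, METHOD, URI)
    assert PASSWORD not in " ".join(auth.values())   # the secret never goes on the wire
    directory = {USERNAME: PASSWORD}                  # stands in for the reversible AD store
    return server_verify(auth, METHOD, issued, directory.get)


if __name__ == "__main__":
    print("correct password accepted:", demo_exchange())
    print("wrong password accepted:", demo_exchange("not the password"))
```

Because the server needs `PASSWORD` in the clear to rebuild HA1, the account store behind a digest-protected site holds a reversible form of the password; that is the trade-off the bullet list above is asking you to accept knowingly.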
The following services or subcomponents must be enabled for Business Portal:
• ASP.NET – This component provides support for ASP.NET applications such as Business Portal. It is
required for both WSS and Business Portal installations and for correct operation.
• ASP – This component provides support for ASP applications such as Business Portal. It is required for
Project Self Service.
In addition, Microsoft FrontPage® 2002 Server Extensions must be disabled on the IIS Server before the
Business Portal virtual directory can be extended to WSS. See the WSS Administrator’s Guide for procedural
information.
Use the following recommendations regarding IIS to further secure the server:
• In the machine.config and Web.config files, determine whether debugging is enabled and whether
detailed error messages are sent to the client. Make sure that debugging is disabled on all production
servers and that a generic error message is sent to the client in the event of a problem. This avoids
unnecessary information about the Web Server configuration being sent to the client.
• Make sure that the IIS Web root is installed on a non-system NTFS partition for file system-level security.
A non-system partition is one other than the partition containing the operating system files (for example,
C:\Winnt).
• Make sure that the latest operating system and IIS service packs and hot fixes are applied. Check the
Microsoft Security & Privacy Web site (www.microsoft.com/security/default.asp) for the latest details.
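The first recommendation above can be turned into a repeatable check. The following Python script is an added example, not code from this whitepaper or from Business Portal: it parses a Web.config or machine.config, reports whether compilation debugging is on and whether customErrors is off, and shows a weak configuration beside a hardened one. The two configuration fragments are constructed samples; the section path they use (system.web/compilation and system.web/customErrors) is the standard ASP.NET layout, and the redirect page name is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the settings a development box tends to end up with.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample of what a production server should carry. RemoteOnly keeps
# detailed errors for a browser on the server itself and sends remote clients to
# the generic page; mode="On" is stricter still. The redirect page is a placeholder.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/GenericError.htm" />
  </system.web>
</configuration>
"""


def audit_web_config(xml_text: str) -> List[str]:
    """Return one finding per problem; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    compilation = root.find("./system.web/compilation")
    if compilation is not None and compilation.get("debug", "false").strip().lower() == "true":
        findings.append('compilation debug="true": debug builds and full stack traces '
                        'are available to the client')

    custom_errors = root.find("./system.web/customErrors")
    if custom_errors is None:
        # Nothing set here means the value is inherited from machine.config,
        # so the same check has to be run against that file as well.
        findings.append("customErrors not set in this file: behaviour is inherited "
                        "from machine.config, confirm it there")
    elif custom_errors.get("mode", "").strip().lower() == "off":
        findings.append('customErrors mode="Off": detailed error pages are sent to every client')

    return findings


def audit_file(path: str) -> List[str]:
    """Run the same checks against a configuration file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_web_config(fh.read())


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{label}: {audit_web_config(text) or ['OK']}")
```

Run `audit_file` over both machine.config and every Web.config under the Business Portal virtual directory; a clean result on Web.config alone says nothing if the file simply omits the section.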
To avoid having to relax security in the Internet or Local Intranet zones of Internet Explorer in order to view
the Microsoft Outlook Web parts, Business Portal must be added to the list of Trusted Sites unless you use
Secure Sockets Layer (the default security level for Trusted Sites is lower than for the Internet or Intranet
zone).
Portal roles
Roles control the data, tasks, pages, and reports that users can access by displaying or hiding navigational
elements. For example, when a user logs on to Business Portal, the menu on the user’s Home page will
contain all the pages that the user can access based on the roles assigned to that user.
Default portal roles and security permissions
Business Portal ships with several roles that have been preconfigured with access to appropriate pages and
data. These roles include typical functions that a user such as Sales Manager or Employee might have. By
default, role information is displayed on the role’s associated Center page. For example, users assigned to
the Accounting Specialist role will have access to the Finance Center page. However, the same users might
see different information on the Finance Center page, depending upon the data permissions assigned to
them.
The following table contains the default roles that are installed with Business Portal, including a description
of the role and the associated default page and data permissions. The additional roles installed with the
Project Self Service suite are also listed.
Portal role: Accounting Specialist
Description: Used to manage access to pages and data (such as General Ledger account balances) provided for members of your accounting department.
Associated page permissions: Finance Center, including: Accounts page, Cash page, Reports page, Financial Queries page.
Associated data permissions: Account – All; Account History – All; Account Subaccount – All; Bank Reconciliation – All; Batch – All; Cash Accounts – All; Cash Manager Transactions – All; Companies and Subaccounts – All; Daily Cash Balances – All; Entry Type – All; General Ledger Setup – All; General Ledger Transactions – All; GL Summary By Period – All; Ledger – All; Subaccount – All; Valid Company Accounts – All; Valid Company Subaccounts – All.

Portal role: Administrator
Description: Used to manage access to the entire Business Portal, including page and data access for all users.
Associated page permissions:
• Site Settings Center, including: Manage Business Portal Users page, Manage Roles page, Manage Data Permissions page, Manage Navigation page, Manage Portal Pages page, Manage Back Office Pages page, Organize Queries page, Set Up Default Tasks page, Change Portal Logo page, Set Up E-Mail page, Set Up Back Office Terminal Server Access page, Set Up Reports Catalog page, Manage Reports Catalog page, Report Scheduler page.
• Employee Center, including: My Profile page, Pay page.
• Windows SharePoint Services Administration pages, including: Manage Users, Manage Site Groups, Manage Cross-Site Groups, Web Part Gallery, Documents and Lists, Manage Web Discussions, List Template Gallery, Storage Space Allocation, Sites and Workspaces, View Site Hierarchy, Manage Site Collection Users, Site Usage Report, Modify Site and Workspace Creation, Site Template Gallery, My Alerts on this Site, Create Page, Modify Site Content, Regional Settings, Manage User Alerts, Configure Connection to Portal Site, Delete Web Site.
Associated data permissions: N/A

Portal role: Inventory Manager
Description: Used to manage access to pages and data (such as quantities and pricing) provided for employees who manage inventory information.
Associated page permissions: Inventory Center, including: Items page, Reports page, Inventory Queries page.
Associated data permissions: Inventory – All; Order – All.

Portal role: Order Entry Clerk
Description: Used to manage access to pages and data provided for employees who process sales orders.
Associated page permissions: Sales Center, including: Customers page, Receivables Activity page, Documents page, Orders page, Customers Orders page, Reports page, Sales Queries page.
Associated data permissions: Accounts Receivable Setup – All; Customer – All; Customer Adjustments – All; Customer Balances – All; Customer Company Associations – All; Customer Documents – All; Customer History – All; Customer Transactions – All; Order – All.

Portal role: Payroll Administrator
Description: Used to manage access to pages and data (such as employee and pay information) provided for members of your payroll department.
Associated page permissions: Payroll Center, including: Employees page, Reports page, Payroll Queries page.
Associated data permissions: Benefit – All; Check Stub Detail – All; Deduction – All; Earnings Type – All; Employee – All; Employee Benefits – All; Employee Documents – All; Employee Earnings and Deductions – All.

Portal role: Payables Specialist
Description: Used to manage access to pages and data (such as vendor information) provided for members of your purchasing department.
Associated page permissions: Purchasing Center, including: Vendors page, Payables Activity page, Payments page, Reports page, Purchasing Queries page.
Associated data permissions: Accounts Payable Adjusted Documents – All; Accounts Payable Setup – All; PO Address – All; PO Receipt – All; PO Transactions – All; Purchase Order Detail – All; Purchase Orders – All; Vendor – All; Vendor Adjustments – All; Vendor Balances – All; Vendor Company Associations – All; Vendor Documents – All; Vendor History – All; Vendor Received Transactions – All; Vendor Transactions – All.

Portal role: Reports Catalog Administrator
Description: Used to manage access to pages and data used to set up and configure the Reports Catalog.
Associated page permissions: Set Up Reports Catalog page, Manage Reports Catalog page.
Associated data permissions: Report Catalog – All; ReportCatalog_RoleDAP.

Portal role: Sales Manager
Description: Used to manage access to pages and data (such as customer or order information) provided for sales managers within your company.
Associated page permissions: Sales Center, including: Customers page, Receivables Activity page, Documents page, Orders page, Customers Orders page, Reports page, Sales Queries page.
Associated data permissions: Accounts Receivable Setup – All; Customer – All; Customer Adjustments – All; Customer Balances – All; Customer Company Associations – All; Customer Documents – All; Customer History – All; Customer Transactions – All; Order – All; Sales Territory – All; Salesperson – All; Salesperson History – All.
If you install the Project Self Service suite, you will also have:
Portal role: Project Executive
Description: Used to manage access to pages and data for project executives within your company.
Associated page permissions: Project Center, including: Executive Project Analyst, Project Results – All, Approvals page, Document Approvals page, Executive Line Item Approvals, Queries, Reports.
Associated data permissions: Commitment Detail – All; Detail Transactions – All; Project – All; Project Account Category – All; Project Analysis – All; Project Budget – All; Project Budget History – All; Project Commitment Summary – All; Project Employee – All; Project Extension – All; ReportCatalog_RoleDAP; Task Analysis – All; Task Budget – All; Task Budget History – All; Task Commitment Summary – All; Tasks – All; Tasks Extension – All; Transaction Analysis – All.

Portal role: Project Manager
Description: Used to manage access to pages and data for project managers within your company.
Associated page permissions: Project Center, including: Project Analyst, Project Results – Business Manager, Project Results – Project Manager, Approvals page, Document Approvals page, Line Item Approvals, Queries, Reports.
Associated data permissions: Commitment Detail – Business Manager; Commitment Detail – Project Manager; Detail Transaction – Business Manager; Detail Transaction – Project Manager; Project – Business Manager; Project – Project Manager; Project Account Category – All; Project Analysis – Business Manager; Project Analysis – Project Manager; Project Budget – Business Manager; Project Budget – Project Manager; Project Budget History – Business Manager; Project Budget History – Project Manager; Project Commitment Summary – Business Manager; Project Commitment Summary – Project Manager; Project Employee – All; Project Extension – Business Manager; Project Extension – Project Manager; ReportCatalog_RoleDAP; Task Analysis – Business Manager; Task Analysis – Project Manager; Task Budget – Business Manager; Task Budget – Project Manager; Task Budget History – Business Manager; Task Budget History – Project Manager; Task Commitment Summary – Business Manager; Task Commitment Summary – Project Manager; Tasks – Business Manager; Tasks – Project Manager; Tasks Extension – Business Manager; Tasks Extension – Project Manager; Transactions Analysis – Business Manager; Transactions Analysis – Project Manager.
Advanced portal roles
Portal users can be assigned to an advanced portal role, which provides more granular data access. A user
in an advanced role is mapped to a back office ID and sees only the information that is specific to that ID.
For example, you can assign a portal user to the Employee advanced role and associate the user with a
specific Solomon employee ID. The user can then access information such as pay stubs and time off for that
employee ID, but not any other employee’s information.
Portal role: Salesperson
Description: Used to manage access to pages and data (such as sales or customer information) provided for salespeople within your company; can be linked to Salesperson ID in Solomon.
Associated page permissions: Sales Center, including: Customers page, Receivables Activity page, Documents page, Orders page, Customers Orders page, Reports page, Sales Queries page.
Associated data permissions: Accounts Receivable Setup – All; Customer – All; Customer Adjustments – All; Customer Balances – All; Customer Company Associations – All; Customer Documents – All; Customer History – All; Customer Transactions – All; Order – All; Orders – Restricted to Salesperson's Customers; Sales Territory – All; Salesperson – All; Salesperson – Restricted; Salesperson History – All; Salesperson History – Restricted.
If you install the Project Self Service suite, you will also have:
Portal role: Project Employee
Description: Used to manage access to pages and data provided for project employees within your company; can be linked to Project Employee ID in Solomon.
Associated page permissions: Project Center, including: Time, Expenses, Communicator, Assignments.
Associated data permissions: Task Assignment (View) – All; Task Assignment (View) – Manager View.
Data permissions
Just because two users are from the same department doesn't automatically mean they should have the
same permissions. Access to secure information should be granted on an individual, need-to-know basis, not
by a whole department. This can be accomplished using data permissions.
Data permissions provide read and write access, read-only access, or customized access to back office data.
Permissions can be further refined to provide access to specific rows of data. This data is displayed to the
Business Portal user through the portal’s various query functions. For example, an administrator could set up
a row-level restriction so that a user assigned to the Salesperson role could view only the customers assigned
to his or her specific territory. The restriction is, in effect, specifying which rows from the Customer SQL table
will be displayed.
Only users in the Administrators group can create data permissions for business entities, which are
components that store data such as customer IDs and orders, and processing capabilities that can act on
that data. Typical Business Portal users cannot create their own data permissions.
When administrators create data permissions, they specify:
• Which attributes from the business entity can be accessed
• Which rows from the corresponding SQL table will be accessed (if using the BPSDK)
• Which roles have access to the data permission
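The three things an administrator specifies (attributes, rows, roles), together with the back office ID mapping described under “Advanced portal roles”, can be modelled in a few dozen lines. The Python below is an added example, not code from this whitepaper or from Business Portal, and it does not use the BPSDK: it defines a data permission as attribute set plus row filter plus granted roles, maps a Salesperson user to a back office salesperson ID, and applies the territory restriction from the text to a constructed Customer table. The column names (CustId, SlsperId, Territory, CreditLimit), the Salesperson lookup table and the permission named “Customer – Restricted to Salesperson's Territory” are all assumptions made for the example; the latter is modelled on the “Orders – Restricted to Salesperson's Customers” entry in the role table.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence

Row = Dict[str, object]

# Constructed sample of a back office Customer table. Column names are assumed
# for illustration and are not taken from the Solomon schema.
CUSTOMERS: List[Row] = [
    {"CustId": "C001", "Name": "Contoso Ltd", "Territory": "WEST", "SlsperId": "SP01", "CreditLimit": 50000},
    {"CustId": "C002", "Name": "Fabrikam Inc", "Territory": "EAST", "SlsperId": "SP02", "CreditLimit": 20000},
    {"CustId": "C003", "Name": "Northwind", "Territory": "WEST", "SlsperId": "SP03", "CreditLimit": 75000},
]

# Constructed Salesperson table: back office salesperson ID -> territory.
SALESPERSONS: Dict[str, str] = {"SP01": "WEST", "SP02": "EAST", "SP03": "WEST"}


@dataclass(frozen=True)
class PortalUser:
    name: str
    roles: FrozenSet[str]
    back_office_id: Optional[str] = None   # populated when the user holds an advanced role


@dataclass(frozen=True)
class DataPermission:
    """One data permission as the administrator defines it: which attributes of the
    business entity may be read, which rows, and which roles it is granted to."""
    name: str
    entity: str
    attributes: FrozenSet[str]
    roles: FrozenSet[str]
    row_filter: Callable[[Row, PortalUser], bool]


def every_row(row: Row, user: PortalUser) -> bool:
    return True


def rows_in_users_territory(row: Row, user: PortalUser) -> bool:
    """Row-level restriction from the text: only customers in the territory of the
    salesperson this portal user is mapped to. A user with no back office mapping,
    or mapped to an unknown ID, gets no rows at all (fail closed)."""
    territory = SALESPERSONS.get(user.back_office_id) if user.back_office_id else None
    return territory is not None and row["Territory"] == territory


PERMISSIONS: Sequence[DataPermission] = (
    DataPermission(
        name="Customer – All", entity="Customer",
        attributes=frozenset(CUSTOMERS[0].keys()),
        roles=frozenset({"Sales Manager", "Order Entry Clerk"}),
        row_filter=every_row,
    ),
    # Assumed permission name; the credit limit attribute is withheld as well.
    DataPermission(
        name="Customer – Restricted to Salesperson's Territory", entity="Customer",
        attributes=frozenset({"CustId", "Name", "Territory", "SlsperId"}),
        roles=frozenset({"Salesperson"}),
        row_filter=rows_in_users_territory,
    ),
)


def query(user: PortalUser, entity: str, rows: List[Row],
          permissions: Sequence[DataPermission] = PERMISSIONS) -> List[Row]:
    """What a portal query returns for this user: the rows that at least one of the
    user's permissions admits, projected to the union of the attributes those
    permissions allow. A user with no matching permission gets nothing."""
    applicable = [p for p in permissions if p.entity == entity and p.roles & user.roles]
    result: List[Row] = []
    for row in rows:
        visible: FrozenSet[str] = frozenset()
        for perm in applicable:
            if perm.row_filter(row, user):
                visible |= perm.attributes
        if visible:
            result.append({k: v for k, v in row.items() if k in visible})
    return result


if __name__ == "__main__":
    manager = PortalUser("alice", frozenset({"Sales Manager"}))
    rep = PortalUser("bob", frozenset({"Salesperson"}), back_office_id="SP01")
    print(query(manager, "Customer", CUSTOMERS))   # all three rows, every column
    print(query(rep, "Customer", CUSTOMERS))       # C001 and C003 only, no CreditLimit
```

Two properties are worth carrying into a real implementation: a user who holds an advanced role but has no back office mapping receives no rows rather than all of them, and the restriction is applied when the rows are selected, not by hiding navigation elements after the fact.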
Report permissions
The Business Portal Reports Catalog is a folder on a server that contains back office reports that can be
viewed through Business Portal. A “Top 5 Reports” Web Part appears on each portal Center page and
contains links to back office reports that are stored in the folder. Users can also access Reports from the
center pages of Business Portal.
The Reports folder is a shared folder on the network. In addition to the security granted during installation,
only the user that runs Solomon Application Server should be given write access. The “Everyone” and
“Anonymous User” groups should not have access to the shared reports folder. Business Portal
administrators assign permissions to view reports by assigning roles to the reports.
Terminal services
Windows Terminal Server (WTS) can be used in conjunction with Business Portal to provide access to
Solomon windows from Business Portal Web pages. Portal users must be assigned to the BackOffice User
role and have a corresponding back office user ID in order to view back office windows in Business Portal.
A terminal services connection is commonly called “thin client” access. Once Business Portal connects to the
Solomon back office, windows from the Solomon application can be displayed in the client browser. All
system functions run on the terminal services server.
In order to preserve back office performance and security, WTS must be implemented on a server separate
from both the Business Portal and database servers.
Disclaimer
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, FrontPage, SharePoint, Windows, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation or its affiliates in the United States and/or
other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system,
or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise),
or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.