Jump to main Content | Jump to main Navigation

Security Settings

The following is an explanation of the Security settings that can be made here in the Admin utility, to protect the data being held in Calm.

Summary: Click Security on the File drop down menu to assign permissions for your users which allow them different levels of access to the Calm databases.

Please note: It is important to use the Security option in an informed way, as selecting certain combinations of settings may prevent you from accessing Calm.

Under the security system each Calm user belongs to one group. Each group has defined security attributes and roles for every database in Calm.

  • On the File drop down menu, click Security. If this is the first time Security has been opened in your organisation's copy of Calm, you will be asked if you want to provide security for the application. This is how Calm learns who will initially be allowed to edit security. After this, you must explicitly give users permission to edit security. Click Yes. You will see the following dialogue box:

    Image of security dialogue box showing Security tab

Security Tab

Security enabled - Ticking this box activates security. When this box is ticked, access to Calm will be determined by the groups and roles settings made within this security dialogue box. If security is not enabled, administrator-only functions such as deleting a hitlist of records or running scripts will NOT be available in Calm (this is because without security enabled, all roles are automatically enabled including the 'Non-Administrator' role). It is possible to disable security (by removing the tick in this box) but save all existing settings ready to enable security at a later stage. This means that security can be configured without making it active.

The following two options are global policy settings which apply in Calm.

Authentication - is the authentication method. If you are unsure which authentication method to use, please consult your I.T. department. Take care with this setting as it is possible to disable your own access to the Security option. The authentication methods available in the drop-down list are described below:
  • Authentication disabled
    To disable authentication, choose the blank line in the drop-down list. If this option is set, only Application users are allowed to access Calm, network traffic will not be encrypted and all data (including passwords) will be sent over the network as plain text.
    This setting is suitable for network environments where the other methods of authentication cause problems, or for those where security isn't required, so the overhead of the authentication process and encrypting network traffic can be avoided.
    This option is not available if the current administrator is a Windows user (otherwise the administrator will not be able to log into the system).

  • NTLM
    NT Lan Manager. This is the default option and should work in most network environments.

  • Kerberos
    This is more secure than NTLM, but also requires specific network setup by a domain administrator. A domain administrator must register a service principal name in Active directory. Please see the technical bulletin available from the Documents page.

  • Negotiate
    Automatically chooses the best authentication method for your system.

Failed login lockout - This security feature is designed to prevent automated systems forcing access to Calm by repeatedly entering different generated passwords. This option is only relevant to Application users as they need to enter their user name and password to login each time they run Calm, Windows users do not.
Calm allows three attempts at login; after which, any value you enter here determines the wait time in minutes until the user is allowed to attempt to login again. The wait time doubles following each unsuccessful login. If this value is zero, or blank as it is by default, users can repeatedly attempt to login to Calm (in sets of three attempts).
You can also log failed login attempts, see the log tab description below.

Groups Tab

All users that are registered in the security system to use Calm must belong to a group. They can only belong to one group. This tab shows existing groups with their associated attributes and also gives options to add a new group, delete a group or set roles for a group. The Users tab (described below) is where Users are assigned to their group.

Image of security dialogue box showing Groups tab

Attributes
The ‘Change security’, ‘Reindex’ and ‘Administrator’ attributes are primarily used in Admin, the ‘Edit record’, ‘Create record’ and ‘Delete’ attributes are used within Calm. These are global settings, they can be further refined using the Roles option. Ticking an attribute means that all users in the highlighted group have permission to perform that particular action – edit records, create records, delete records or reindex – in all the various Calm databases. But first the system will check the Roles settings. For example, you may tick the ‘Edit record’ attribute for a Conservators group, however in the Roles dialogue that can be further refined and the Conservators can be given permission to edit the Catalogue and Conservation databases. Whereas an Archivists group, might also have the ‘Edit record’ attribute ticked, but in Roles, only have permission to edit the Catalogue database and not the Conservation one.

Please note: In order to delete records, you must also have the 'edit record' option ticked.

Removing a tick from an attribute means the particular function will not be available for that group of users and any settings in Roles for that function will be ignored. For example, if the 'Delete' option is unchecked here, users in this group will not be able to delete records in any of the databases in Calm, regardless of the settings in the Roles section.

Ticking the 'Administrator' attribute means that users in the highlighted group can add synonyms and define glossaries in Calm, as well as being able to access this Admin program, for example to edit a field picklist. If you also want users in the group to be able to update the security settings here in the Admin utility, you will need to tick the 'Change security' option.

Add
Click this button to add a new group. Enter a name for the group, this will then be shown in the list of existing groups and you can determine the permissions for it by ticking the relevant attributes whilst the new group is highlighted.

Delete
With an existing group highlighted in the list, pressing this button will delete it. Please note: Users in this group will not be deleted, but because their group has been deleted, they will no longer belong to a group, so you will need to assign them to a new one.
Please note: The person currently logged in cannot delete their own group (the Delete button will be disabled), this adds protection and is designed to prevent customers accidentally removing their access to security completely.

Roles
When you click the 'Roles' button, another dialogue box is displayed as shown below, allowing you to choose various roles for the members of this security group.

Image of roles dialogue box in security

Tick the 'Non-Administrator' box if you do NOT want the users in this group to have access to administrator functions in Calm, such as delete or issue a hitlist of records, or run scripts. Leaving the 'Non-Administator' box unticked means that users in this group will be treated as administrators when they log in to Calm - the administrator functions will be available.

If you expand the 'Menus' branch, as shown below, you will see a list of the menus.

Image of roles dialogue box in security, showing menus branch expanded

Ticking a menu will mean that it will be displayed in Calm and menu options can be selected, removing the tick will mean that it is not shown when Calm is run and none of the functionality on that menu will be available.

Above the 'Menus' option is the 'Database Permissions' option, this can also be expanded, as shown, to display a list of each database in Calm.

Image of roles dialogue box in security, database permissions branch is expanded

You can also expand a database branch to show permissions for various functions in that database.

Image of roles dialogue box in security, accessions database branch is expanded

Check or uncheck the 'read', 'edit', 'create' and 'delete' boxes to control permissions for each database for this group of users. Note: Users always have every permission in a database below the highest-level permission selected for that database. For example, if a user only has create permission ticked for the Conservation database, that user will also have edit and read permissions even though they are not ticked.

  • Read: The user can see records from this database at the bottom of records in other databases that are linked to them but cannot open this database from the main menu or from tabs at the tops of records.

  • Edit: The user can access this database from the main menu or from tabs at the tops of records and view or edit existing records. The user cannot see the 'New' or 'Delete' buttons.

  • Create: The user can view or edit existing records and also use the 'New' buttons on the main menu and in the database to create new records. The user cannot see the 'Delete' button.

  • Delete: The user can view, edit, or create records in this database and also use the 'Delete' button in the database to delete existing records.

Please note: For a user to perform a function in a database, the user must have both the database permission and the attribute (as described above) allowing that function. For example, if the 'Create record' attribute is ticked and the 'create' box is also ticked underneath Catalog database permissions in the Roles dialogue box, members of this group will be allowed to create Catalogue records via the side button strip in Calm. But if the 'Create record' attribute is not ticked in the Groups dialogue box, users in this group will not be allowed to create records in the Catalogue or any other database, regardless of settings in the Roles dialogue box. Calm always checks both permissions and errs on the side of not allowing acces to protect your data.

Throughout the roles dialogue box, ticking the top of a branch (for example 'Database Permissions', a database name or 'Menus') will automatically tick all the options in the branch below it and removing the tick from the top of a branch will automatically remove the ticks from all the options below it.

Tick or remove ticks from these options to determine roles for all members of this security group.

Users Tab

The users tab is where you add new users and assign them to a group. You can also delete users or edit their details from this tab.

Image of security dialogue box showing Users tab

Status
This indicates the status of the selected user; choose 'Active' or 'Disabled'. A 'Disabled' status will temporarily block a user from logging in to Calm. Examples where you could use the Disabled option include maternity or paternity leave or staff on secondment who will return.

Locale
Choose the locale that has suitable settings for this particular user. The 'use client locale' option will take date, currency and alphabet settings from the computer that the user is running Calm on. Alternatively, choose a language from the list to use its associated settings, rather than the computer settings.

Add
There are two types of users that can run Calm - Windows users and Application users. Once you have added a user, you cannot change their user type.

Image of Add User dialogue box in security

If your network uses Active Directory, you can browse for people to add as Windows users. You will not need to enter a password for a Windows user as Windows will authenticate them. If authentication is disabled, Windows users can't be created.

Alternatively, add an Application user. This requires a password which Calm will ask for when the user logs in.

Assigning a group - Once you press OK on the Add User dialogue, you will be returned to the Users tab and the new user's name will be shown in the list of existing users. New Application users will default to the 'Guest' group. With the new user's name highlighted, select the group to which they belong and click OK.

Delete
With an existing user highlighted in the list, pressing this button will delete them from security.
Please note: The person currently logged in cannot delete their own user name (the Delete button will be disabled), this adds protection and is designed to prevent customers accidentally removing their access to security completely.

Edit
Use this option to change passwords for application security. Overwrite the existing password with the new one in both password boxes.

Image of Edit User dialogue box in security

Change a User to a different Group

  • Highlight the user's name on the Users tab

  • Select the group that you want them to belong to

  • Click OK

Please note: The person currently logged in cannot change their own group, this adds protection and is designed to prevent customers accidentally removing their access to security completely.

Log Tab

The log tab allows you to create an event log which records the use of Calm. Currently the only event that can be logged are Logins and Failed logins. When you select the log tab, the dialogue box shown below appears:

Image of security dialogue box showing Log tab

Each of the options you choose is recorded in the event log, detailing the date, time, and user name associated with those events, as well as a code indicating what kind of event it was. 'Login' records successful logins and uses the 128 code and Failed logins records unsuccessful logins (for example, when the wrong password is entered) and uses the 256 code.

The event log is stored internally in Admin. To produce a log file which you can view, click the 'Export and purge logs' button. This will create a text file called security.log in the startup folder (usually dscribe\Archive) on your server. If you have previously created an event log file it will remain and any information logged since the 'Export and purge logs' button was last clicked will be appended to it.

File Tab

Security settings can be imported or exported by members of the Administrators group.

Image of security dialogue box showing File tab

Export
Use this option with care, as all security information will be exported to a file that can be read.
When you click this option, you will be asked to enter a file name and location in which the security settings can be stored. The file that is produced will be in XML format. This option can be used to create a back-up copy of your current security settings.

Import
Use this option to import security settings previously exported from Calm (including from previous versions).
When you click this option, you will be asked to browse for the location of the file you wish to import.