User authorization: Overview

For each INVOICES module you can enable or disable user authorization.

If user authorization is enabled

• A user who starts the module must be authorized to do so. There are two types of user authorization:

  • Local user – INVOICES' built-in system to control user access. Users must enter a user name and password to log in to the module. Enabled by default.

  • Network authentication – Uses Microsoft Windows users and groups to control access to INVOICES. More information.

    When INVOICES starts, the currently logged-in user is checked using Windows credentials. If the user exists in INVOICES' database, the user is logged in without any additional password check, and the user has the rights specified in the user profile.

    If no user is found, local authorization is used instead.

    If a user belongs to more than one group, the first group that the user belongs to (in alphabetical order) is used.

    Note: If a network user or group is specified, the user cannot log in as a local user.

    Limitation: In order for a user to be logged in as a member of a group, he must be a direct member of that group. He cannot be an member indirectly, for example if another group that he belongs to is a member of the group that has permission to access the module.

    Tip: Installing and Configuring Microsoft SQL Server describes how to set up Windows users and Windows groups. (Nothing happens when I click the link.)

  You determine which system you use when you define a user (User selection settings).

• The program keeps track of the user who most recently changed each invoice in the process log. You can use the #ProcessLog or #UserName variables to export this information in the transaction description.

If user authorization is disabled

• Any person who has "read" access to the INVOICES program can start the module.

• All users have full administrator rights to the module.

The process behind user authorization

When a user starts an INVOICES module, database authentication is performed first. Then:

1. INVOICES checks whether user authorization is enabled for the module. If not, the module starts and the user has complete access to all functionality within the module.

2. If user authorization is enabled, INVOICES retrieves the name of the currently logged-on Windows user, what domain the user is logged on to, and what groups the user belongs to.

3. INVOICES compares this information with the Domain and Account or Domain and Group data that was saved in its database when users were defined, and looks for a match.

4. If a match is found, INVOICES checks whether the user has access rights to the module.

5. If both of the previous steps are true, the module starts.

   Note: Only the names of domains, users, and groups are checked. Users’ Windows passwords are not used or validated in any way.

6. If no match is found in step 3, or if the currently logged-on Windows user was found in step 4 not to have permission to use the module, the user is prompted to log on as a local user.

   Note that this is the INVOICES user name and password, not the Windows user name and password.

7. INVOICES compares the login information that the user provides with the details saved in its database. If a match is found, the user is logged on. Otherwise, an error message is displayed and the Login dialog is displayed again until “correct” credentials are supplied or the user clicks Cancel.

Other ways of limiting user access

Editing roles and users for the inbox view

Adjusting user authentication for access to the database

Related topics

When users forget their passwords