FAQ: “I did an EZMQC-ER 4.81 installation yesterday. The pre-installation wizard worked fine; the software was installed within a network, with all users being domain users. I have created two groups, QCERAdmins and QCERUsers, with privileges configured accordingly in EZMQC-ER.
Now the question: Any user who was part of either group has been able to log in to the software, independent of the person logged into the PC. Is this correct? I (and the customer) were under the assumption that only the current PC user can log in to EZMQC-ER.
Please confirm if this is correct or if this is a bug.”
We can have further discussions on this but the current situation is as you describe, and there is no software bug. This is regarded as correct from a data security perspective as the EasyMatch QC-ER login/password/privilege level is independent of the Windows login/password/privilege level, causing no security issues with respect to color measurement data created within EasyMatch QC-ER.
Let’s start with Windows access. Any user who has been given privilege by the System Admin can log into the network or local PC. Typically, users who log into any computer are instructed to log out before they leave, and there is usually an automatic logoff set if no activity is detected within a fixed length of time. All of this should be recorded in an audit trail in the Windows System Log.
With EasyMatch QC-ER, any user who is assigned by the System Admin to the QCERAdmins or QCERUsers groups can log into EasyMatch QC-ER. The two groups are created and individuals assigned to the two groups by the System Admin. You must be a member of one of those two groups to use our software. The EasyMatch QC-ER privilege level applies only to the File Menu functionality within EasyMatch QC-ER and is based on which group you are in.
There is an Auto Logoff feature within EasyMatch QC-ER. It cannot be turned off, and its interval is configurable from 5 to 30 minutes by a QCERAdmins member. If no activity is detected within that time interval, the person is automatically logged out of EasyMatch QC-ER (but not of the PC, which has its own separate Auto Logoff feature).
An audit trail activates for all persons logged into EasyMatch QC-ER and is maintained in the Event and Job Audit Logs, independent of the Windows System Log.
A member of the QCERAdmins or QCERUsers group can log in to the EasyMatch QC-ER software, independent of the person logged into the PC. This is not regarded as a security flaw because network or local PC logins and passwords used to access the PC are not passed on when logging into EasyMatch QC-ER. The EasyMatch QC-ER login/password/privilege level is independent of the Windows login/password/privilege level.
For a System Administrator to operate EasyMatch QC, their login/password must be assigned to the QCERAdmins or QCERUsers group and their privilege to operate EasyMatch QC-ER is limited to the privilege level assigned to that EasyMatch QC-ER group. For example, members of the QCERAdmins or QCERUsers groups cannot delete data records within EasyMatch QC-ER and if the System Admin is assigned to one of those groups, the Sys Admin cannot either. This is true even if they can completely wipe EasyMatch QC-ER from the PC in Windows using their Sys Admin privileges.
You are right again – in most cases the person logging into the Windows local or network computer will be the same person who logs into EasyMatch QC-ER, but they do not have to be. This is not regarded as a security flaw as there is no security issue involving EasyMatch QC-ER data records that would result from this.
If you did implement a requirement to have the person logging into EasyMatch QC-ER be the same person as logged into Windows, how would that add to our color data security? Many versions ago, before we had the QCERAdmins and QCERUsers groups, when EasyMatch QC-ER would read in all members of the domain, there was a requirement that the person logged into the network/local PC must use the same login for EasyMatch QC-ER. It was not regarded as necessary in the current implementation, where the EasyMatch QC-ER login/password/privilege level is independent of the Windows login/password/privilege level.