Security Setup

This chapter describes how ChannelCRM is using the security features of the Windows operating system and MS SQL Server. It is somewhat technical so you might want to bring your technician along for the reading.

SQL Server 2008 (and 2005) are able to control user access in several ways. ChannelCRM does want to dictate which way you and your organization should choose. Instead we support the most common ways of user access. In this chapter we describe the two main methods: Windows Authetication Mode and SQL Server Mode.

For both methods we will describe how a user is logged on to the database server, and how an access profile is followed

1.	The User Logs on to SQL Server 2008/2005 Either Windows Authentication or SQL Server mode is used. (See below)

2.	Obtaining Access to the Actual Database At the database level there will be one or more database users that are mapped against the log.ins from step 1

3.	Obtaining the Database-role The database user that is matching the login has a specific database-role

4.	Obtaining Additional Profile Information Immediately after start-up, the ChannelCRM will check in the CRM system User table for the specific user profile and access rights. The user must be in the CRM User table. If not the user is rejected and the system shuts down.

This access control is the central security component in a windows network. Upon startup of the users' computers they are validated against a windows domain. Thus the users are already validated before they start ChannelCRM. The approval is passed on to the SQL Server, which will then give the user access. This is extremely convenient and also the safest way to proceed since security policies can then be managed centrally (by the IT department).

Users can been defined into groups, which also makes Windows Authentication highly effective. For instance you will most often find a group named something along the lines of OurDomainName\Users. If this group is listed as a log-in and a single database user is mapped against this log-in - then the work is done for all the users in the group.

Windows Authentication requires that the users are under a domain when they are using ChannelCRM (ie. that you are using a domain controller in your network). If this is not the case then you cannot use Windows Authentication mode with ChannelCRM.

The access control method is the common "Username and Password" type. Using this method every single user of the CRM system has to be created both as a log-in to the SQL Server and as a user in the actual CRM-database. There are no constraints on password format (for instance 1234 is accepted).