Foundry: User Management

Let's talk about how the Foundry platform allows you to manage users and what they see.

Written by Katie Pilcher
Updated over a week ago

Product: Foundry Platform

Note: You need to have administrator privileges to view/edit this functionality in the application.

This article contains basic concepts for all Foundry applications. For more detailed information about a specific product, click here.

To ensure Foundry applications are used appropriately, each company must implement a security model to control which applications each user and group can see, and what information is passed from the respective applications.

Permissions control access to an application and functions within that application. Our security system is flexible enough to accommodate the scenarios you might encounter.

Below are some basic definitions to get you familiar with our terminology. Click on a term for more detailed information.

User - A user is an individual at a company who uses the Foundry application.

Role - Roles allow you to group users into a single unit to which you can apply permissions and access to Foundry.

Authorization - An admin can determine what custom permissions are allowed per application. These custom permissions enable you to allow, deny, or inherit access to screens or modules within an application.

Identity Claim - You can use Identity claims to filter data to which multiple users have access, ensuring that they only see what applies to them.

License - A license controls how many users can log in concurrently. Let’s say you purchase three licenses. You can set up an unlimited number of users, but only three of them can be logged in at one time.


Authorizations

There are three settings for any given permission:

Allow - You can access this assuming it wasn't denied anywhere else.

Deny – You explicitly cannot access the function, screen, or module that has been denied.

Not Specified – This is like deny but you can get an allow via another mechanism. For example, on a Pulse role, we don’t care if you log into the Foundry platform but we’re not going to explicitly say you're allowed to. If you're going to do it, you have to get that permission some other way.

We have what we call a pessimistic security policy.

1. If you don't explicitly say someone has a permission, it’s assumed they don't have permission.

2. Since you can have multiple roles, a deny at any level wins.

Let's say you have three roles: Shipping, Pulse, Orders. Two say you can log into the Foundry platform but one denies your login. The one deny will win and you won't be allowed in.
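The two rules above can be written as a small resolver. This is an added example, not TrueCommerce code; the permission key `platform.login`, the data layout, and which of the three roles carries the deny are assumptions made for illustration.

```python
from enum import Enum

class Setting(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NOT_SPECIFIED = "Not Specified"

def decide(permission, roles):
    """Return (allowed, deciding_roles) for one permission across a user's roles.

    roles maps role name -> {permission: Setting}; a permission missing
    from a role counts as Not Specified.
    """
    seen = {s: [] for s in Setting}
    for role, grants in roles.items():
        seen[grants.get(permission, Setting.NOT_SPECIFIED)].append(role)
    if seen[Setting.DENY]:          # rule 2: a deny at any level wins
        return False, seen[Setting.DENY]
    if seen[Setting.ALLOW]:         # allowed somewhere, denied nowhere
        return True, seen[Setting.ALLOW]
    return False, []                # rule 1: never explicitly allowed

LOGIN = "platform.login"  # hypothetical permission key, not a Foundry identifier

# Constructed data: the three-role scenario, with Pulse holding the deny.
THREE_ROLES = {
    "Shipping": {LOGIN: Setting.ALLOW},
    "Pulse": {LOGIN: Setting.DENY},
    "Orders": {LOGIN: Setting.ALLOW},
}
# Constructed data: Pulse leaves the permission Not Specified, Shipping allows it.
PULSE_SILENT = {"Shipping": {LOGIN: Setting.ALLOW}, "Pulse": {}}
# Constructed data: only a role that never mentions the permission.
PULSE_ONLY = {"Pulse": {}}

if __name__ == "__main__":
    for name, roles in [("three roles", THREE_ROLES),
                        ("pulse silent", PULSE_SILENT),
                        ("pulse only", PULSE_ONLY)]:
        print(name, decide(LOGIN, roles))
```

Returning the deciding roles alongside the verdict makes it easy to see which role to change when a user is unexpectedly locked out of a screen.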

Settings > Security > Users and Roles > Users > Choose a User > Authorizations > Platform > Permissions

Configure UI Preferences - Controls whether or not you can save the grid configuration.

If you have questions about other settings on this screen, please contact your TrueCommerce representative.


Identity Claims

You can use Identity claims to filter data to which multiple users have access, ensuring that they only see what applies to them.

Usually, you would implement identity claims to identify an external party or group within the business to which you belong.

Based on identity, Foundry determines which users have permission to change, view, or otherwise access an application resource.

For example, the system may allow warehouse managers access to only records pertaining to their warehouse and employees, while a CFO may have access to records pertaining to all warehouses and employees by using a different setting in the identity claim.

Settings > Users and Roles > Users > Choose a User > Identity Claims > Platform

Below is a breakdown of the options available on this page.

Account Lockout

These settings are configured at the system-wide level and can be overridden per tenant. Any time a login is attempted and the password is incorrect, the lockout rules apply.

Account Lockout Threshold

The number of failed sign-on attempts before the account gets locked.

Account Lockout Duration

The number of minutes that a locked-out account remains locked out before automatically becoming unlocked.

Reset Account Lockout Counter After

The number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If Account lockout threshold is set to a number greater than zero, this reset time must be less than or equal to the value of Account lockout duration.
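How the three lockout settings interact, as an added example that is not part of Foundry. It assumes that a threshold of 0 disables lockout, that a locked account refuses even a correct password, and that a successful sign-on clears the counter; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int         # Account Lockout Threshold (failed attempts)
    duration_min: int      # Account Lockout Duration (minutes)
    reset_after_min: int   # Reset Account Lockout Counter After (minutes)

    def __post_init__(self):
        # Constraint from the article: with a threshold above zero, the
        # reset time must be less than or equal to the lockout duration.
        if self.threshold > 0 and self.reset_after_min > self.duration_min:
            raise ValueError("reset time must be <= lockout duration")

@dataclass
class Account:
    failures: int = 0
    last_failure: Optional[int] = None
    locked_until: Optional[int] = None

def attempt(policy, acct, now, password_ok):
    """Handle one sign-on at minute `now`; return 'ok', 'failed' or 'locked'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"                 # assumption: refused while locked
        acct.locked_until, acct.failures = None, 0   # automatic unlock
    if password_ok:
        acct.failures = 0                   # assumption: success clears the counter
        return "ok"
    if acct.last_failure is not None and now - acct.last_failure >= policy.reset_after_min:
        acct.failures = 0                   # reset window elapsed since last failure
    acct.failures += 1
    acct.last_failure = now
    if policy.threshold > 0 and acct.failures >= policy.threshold:
        acct.locked_until = now + policy.duration_min
        return "locked"
    return "failed"

def replay(policy, events):
    """Run constructed (minute, password_ok) events against a fresh account."""
    acct = Account()
    return [attempt(policy, acct, t, ok) for t, ok in events]

POLICY = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=15)
# Constructed sample: three quick failures, a retry while locked, a retry after unlock.
BURST = replay(POLICY, [(0, False), (1, False), (2, False), (10, True), (32, True)])
# Constructed sample: failures spaced wider than the reset window never lock.
SLOW = replay(POLICY, [(0, False), (20, False), (40, False), (60, False)])
```

The second sample shows the trade-off in the reset setting: attempts spaced further apart than the reset window never reach the threshold, so a short reset time weakens the lockout against slow guessing.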

Password Policy

These settings can be made more strict (stronger) but not less strict than the global setting. If a user has multiple roles, whichever is more restrictive will win.

Cannot use last passwords

The number of previous passwords you cannot use when you change your password. If this is set to 3, your current and the 2 prior can’t be re-used.

Minimum Characters

The total length of the password. If the global default is a minimum of 8 characters, this cannot be changed to 6.

Minimum digits

Password must contain at least this many numerics.

Minimum lowercase characters

Password must contain at least this many lowercase letters.

Minimum special characters

Can require characters such as # or %.

Minimum uppercase characters

Password must contain at least this many uppercase letters.

Password expiration days

Amount of time before you have to change your password again.

Should not contain name

If checked, the password can’t contain part of this user’s name.
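The "more restrictive wins" rule for these fields, sketched as an added example that is not Foundry's implementation. The field names are hypothetical, and the code assumes that fewer expiration days is stricter, that a special character is any non-alphanumeric character, and that "part of the name" means any name word of three or more letters.

```python
from dataclasses import dataclass, fields, replace

@dataclass(frozen=True)
class PasswordPolicy:
    history: int            # Cannot use last passwords
    min_chars: int
    min_digits: int
    min_lower: int
    min_special: int
    min_upper: int
    expiration_days: int
    no_name: bool           # Should not contain name

def effective(global_policy, role_policies):
    """Merge the global policy with every role policy, strictest value per field."""
    merged = {}
    for f in fields(PasswordPolicy):
        values = [getattr(p, f.name) for p in (global_policy, *role_policies)]
        # Assumption: fewer days is stricter; all other fields are stricter when larger.
        merged[f.name] = min(values) if f.name == "expiration_days" else max(values)
    return PasswordPolicy(**merged)

def violations(policy, password, user_name):
    """Return the names of the policy fields that `password` fails."""
    counts = {
        "min_chars": len(password),
        "min_digits": sum(c.isdigit() for c in password),
        "min_lower": sum(c.islower() for c in password),
        "min_upper": sum(c.isupper() for c in password),
        "min_special": sum(not c.isalnum() for c in password),
    }
    failed = [name for name, have in counts.items() if have < getattr(policy, name)]
    if policy.no_name:
        parts = [p for p in user_name.lower().split() if len(p) >= 3]
        if any(p in password.lower() for p in parts):
            failed.append("no_name")
    return failed

# Constructed values: one global policy and two role overrides.
GLOBAL = PasswordPolicy(history=3, min_chars=8, min_digits=1, min_lower=1,
                        min_special=0, min_upper=1, expiration_days=90, no_name=False)
SHIPPING = replace(GLOBAL, min_chars=12, no_name=True)
ORDERS = replace(GLOBAL, min_special=1, expiration_days=60, history=5)
EFFECTIVE = effective(GLOBAL, [SHIPPING, ORDERS])
```

Because the global policy is always part of the merge, a role that tries to set a weaker value (for example a minimum of 6 characters against a global 8) has no effect. Password history and expiration are merged here but not checked by `violations`, since that needs stored password data.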

User Configuration

These settings can be made more strict (stronger) but not less strict than the global setting. If a user has multiple roles, whichever is more restrictive will win.

External ID

If you have a single sign-on provider, this field lets you store the sign-on information.

HTML condensed view

User preference that allows the user to change the interface of the application to a more or less condensed view.


Licenses

Before deploying and using a Foundry application, you must obtain a license for the application and it must be active for the applicable version. Each tenant, or company, has its own license.

If you're not licensed for it, you can't access the product.

Scenario:

I purchased a 3-user pack of Pulse.

When user 1 logs in, she can see everything.

When user 2 logs in, he can see everything.

When user 3 logs in, he can see everything.

User 4 will be unable to log in.

Licensing has modules within it, too, and can control what modules you see. For example, in the Pack & Ship application there are packing modules and shipping modules. If you don’t have the packing module, there are screens you'll never see.

If you have additional questions about licensing, please contact your sales rep or other TrueCommerce representative.


Click a link below to see more detailed information about specific applications:

rev: 4/28/22
