Security within SYSTOC

SYSTOC provides a range of management tools to control user access to data from within SYSTOC.

The Help information found in Utility > Security explains how to use the various controls.

Permission

You set access levels for each SYSTOC screen using Permission Groups. You can create an unlimited number of Permission Groups, which define rights for various classes of users. Permission Groups control the ability to view, edit, list, add, or delete data on each screen and its associated memo fields. For example, the "Read_Only" permission group might only allow viewing data, and a user who is a member of that group could not edit, add, or delete.

Auditing

SYSTOC can produce an audit log for monitoring user activity through options available in the Security Validation screen (Utility > Security > Security Validation). The options include:
  • Auditing of successful logins, failed login attempts, and logouts (from the SYSTOC application)
  • Logging of database activity at three levels: Patient Data, Injury Data, or All Data.
  • Logging of database activity filtered by user-defined criteria using SYSTOC SQL Statements. For example, you may wish to audit data activity for a particular User ID or other text string within specific data fields.

To view the results of auditing, run the SYSTOC User Activity report. The report filters the audited data by a variety of specifications. You can archive the audited data by running the same report to PDF without any filtering. Once the data have been archived, contact Customer Support to clear the audited data.

Maintenance of the audit tables is important because they can become extremely large, especially if SYSTOC SQL Statement auditing is left running for long periods of time or if auditing of "All Data" is enabled. If left unmanaged, audit data can substantially degrade the performance of SYSTOC. We recommend you turn auditing on only when you have reason to monitor data activity. Once the monitoring period is over, turn auditing off.

You can view users currently logged into SYSTOC by going to the Utility > Security > Current Users screen. This lists users who logged in from a login prompt. Users who may be logged into the database using Crystal Reports or via other database connections are not displayed here. Auditing of data access by users outside of the application falls beyond the scope of SYSTOC's auditing control. If you wish to audit non-SYSTOC-controlled logins, see your database administrator for assistance.

Passwords

Strong passwords are another way to improve security. SYSTOC prevents reusing any password that was used within the past five iterations and locks a user's account after five unsuccessful login attempts. Create a strong password policy through options on the Security Validation screen (Utility > Security > Security Validation). These options include:

  • Minimum/maximum length
  • Number of days a password is valid
  • Number of required special characters
  • Number of required lower case letters
  • Number of required upper case letters
  • Number of required numeric characters
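
The character-count options above, together with the five-password history and the five-attempt lockout, can be modelled as follows. This is an added Python example, not SYSTOC's code; the class and field names, the sample values, the PBKDF2 storage, and resetting the failure count on a successful login are all assumptions.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass

@dataclass
class Policy:  # hypothetical field names; the values are constructed samples
    min_length: int = 12
    max_length: int = 64
    min_special: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    history_depth: int = 5  # page: the past five passwords cannot be reused
    max_failures: int = 5   # page: lock after five unsuccessful logins

def _digest(pw, salt):
    # Salted, slow hash so the password history never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def violations(pw, p):
    found = [] if p.min_length <= len(pw) <= p.max_length else ["length out of range"]
    classes = [("special", p.min_special, string.punctuation),
               ("lower case", p.min_lower, string.ascii_lowercase),
               ("upper case", p.min_upper, string.ascii_uppercase),
               ("numeric", p.min_digits, string.digits)]
    found += [f"needs {need} {name} character(s)" for name, need, chars in classes
              if sum(c in chars for c in pw) < need]
    return found

class Account:
    def __init__(self, policy):
        self.policy, self.history, self.failures = policy, [], 0  # history: (salt, digest)

    def set_password(self, pw):
        problems = violations(pw, self.policy)
        recent = self.history[max(0, len(self.history) - self.policy.history_depth):]
        if any(hmac.compare_digest(_digest(pw, s), d) for s, d in recent):
            problems.append("reuses a recent password")
        if not problems:
            salt = os.urandom(16)
            self.history.append((salt, _digest(pw, salt)))
        return problems

    def login(self, pw):
        if self.failures >= self.policy.max_failures or not self.history:
            return False  # locked (or no password set): reject without checking
        salt, stored = self.history[-1]
        ok = hmac.compare_digest(_digest(pw, salt), stored)
        self.failures = 0 if ok else self.failures + 1  # assumption: success resets
        return ok
```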