Cleopatra Enterprise - Cost Engineering

Cleopatra Enterprise

Administrator Training

Version : 3.5

Administrator Training

Agenda

> 9:00 - 9:16 Introduction

> 9:16 - 9:44 Configuration

> 9:44 - 10:30 Security overview

> 9:58 - 10:30 Security configuration

> 10:30 - 10:45 Break

> 10:45 - 11:45 Security configuration exercise

> 11:45 - 11:53 IT - Installation (optional)

> 11:53 - 11:57 IT - DBMS Configuration (optional)

> 11:57 - 12:00 IT - Backup and restore databases (optional)

> 12:00 Conclude

www.costengineering.eu

License

A license determines the amount of users that can (concurrently) use the different modules.

Modules

User

In Cleopatra you can specify which users have access. The permissions of a user are specified in

the following parts.

Roles

A role defines the function one or more user have within the system. Roles can be

assigned certain permissions. Permissions control the rights to perform certain actions.

Modules

ADMIN MODULES REPORTS PLUGINS

Workgroups

For a workgroup you can specify the permissions on a folder. A workgroup is a group

of users working on the same project.

Folder control

FOLDERS

Workflow

Document control

Workflow enables secure routing of documents. Users can only view or change

documents for which they have sufficient (workflow role) permissions.

Workflow Roles

STATES

TRANSITIONS

Table Of Contents

1 Configuration ____________________________________________________________ 1

1.1 Path settings 1

1.1.1 Shared / Personal configuration 2

1.2 User preferences 3

1.2.1 User preferences 3

1.2.2 How to make a user preferences template 6

1.2.3 Custom Languages 7

2 Security overview _________________________________________________________ 9

2.1 Quick reference 9

2.2 Licensing 10

2.2.1 How to import a license 10

2.2.2 Validate license 11

2.2.3 Concurrent users per module 13

2.3 The security model 14

3 Security configuration ____________________________________________________ 15

3.1 Users 15

3.1.1 How to create users 16

3.2 Roles 17

3.2.1 How to create roles 18

3.2.2 How to add users to roles 19

3.2.3 The tab Administrator rights 20

3.2.4 The tab Modules 22

3.2.5 The tab Plugins 23

3.2.6 The tab Reports 24

3.3 Workgroups 25

3.3.1 How to create 25

3.3.2 How to set security on folders 26

3.4 Workflow 28

3.4.1 workflow designer 28

3.4.2 How to create a new workflow 29

3.4.3 Workflow permissions 30

3.4.4 How to create a new workflow role 31

3.4.5 How to assign users to a workflow role 32

3.4.6 How to create a new workflow state 32

3.4.7 How to assign a role to a workflow state 33

3.4.8 How to create a new state transition 34

3.4.9 How to assign a role to a state transition 35

3.5 Security facts 36

4 Exercise ________________________________________________________________ 38

4.1.1 Introduction 38

4.1.2 How to setup user security 39

4.1.3 How to setup role security 43

4.1.4 How to setup role security for reports 49

4.1.5 How to setup workgroup security 53

4.1.6 How to create a workflow design 58

i

Administrator training

4.1.7 How to setup workflow roles (part 1) 61

4.1.8 How to setup workflow roles (part 2) 66

4.1.9 Conclusion 68

4.2 Security trouble shooting 69

4.2.1 How to resolve security problems 69

4.2.2 How to determine permissions 71

5 Installation ______________________________________________________________ 73

5.1 MS SQL server 73

5.1.1 Introduction 73

5.1.2 Encrypting connections to SQL server 73

5.1.3 Installing MS SQL server 74

5.1.4 Configuring MS SQL Server for Cleopatra Enterprise 75

5.1.5 Choosing an authentication mode 76

5.1.6 Opening a Port on the firewall 76

5.2 Cleopatra Enterprise 77

5.2.1 Downloading Cleopatra Enterprise 77

5.2.2 Installing Cleopatra Enterprise 78

5.2.3 Common installation issues 79

5.2.4 Remote access 80

5.2.5 How to prevent out-of-memory-errors 80

6 DBMS configuration ______________________________________________________ 82

6.1 Database server registration 82

6.1.1 How to create a database server registration 83

6.1.2 How to open a database server registration 84

6.1.3 How to create a database 85

6.1.4 How to create a database user 86

6.1.5 How to reset a database user password 87

6.2 Database connections 88

6.2.1 How to create a database connection 89

6.2.2 How to verify database connection 91

7 Backup and restore database ______________________________________________ 92

7.1 Backup 92

7.1.1 How to create a backup of a database 92

7.2 Restore 93

7.2.1 How to restore a database 93

7.3 Migrate 94

7.3.1 How to migrate your data 94

7.3.2 How to migrate shared database connections 95

7.3.3 How to migrate personal database connections 96

ii

Cleopatra Enterprise


Configuration

> Path settings

> Personal / shared configuration

> User preferences

> Custom languages


Security overview

> Quick reference

> License model

> Security model


Security configuration

> Users

> Roles

> Workgroups

> Workflow (optional)


Security configuration exercise

> Exercise


IT – Installation (optional)

> Setup

> MS SQL Server installation

> Cleopatra Enterprise installation

> Provided documentation

> Path settings


IT - DBMS Configuration (optional)

> Database server registration

> Create database

> Database users

> Database connections


IT - Backup and restore databases (optional)

> Backing-up database

> Restoring database

> Migrating database



1 Configuration

1.1 Path settings

A path setting defines the location where the configuration settings are stored. In Cleopatra Enterprise path

settings are defined for a "Shared configuration" as well as a "Personal configuration". For more information

on the difference between the two see "Shared / Personal configuration".

Select "File => Configuration" from the main menu.

The "Configuration" dialog appears.

Select "Shared configuration => Path settings" or

Select "Personal configuration => Path settings".

The current configuration path is displayed.

Personal configuration settings are typically stored on the following location:

"C:\Documents and Settings\[user profile]\CleopatraEnterprise\" where [user profile] is the profile directory of

the current user.

Path settings for shared configuration can be modified as follows:

Select "Shared configuration => Path settings".

Press the "Change path" button.

A message appears explaining that Cleopatra Enterprise needs to be closed before the

configuration path can be changed

Press the "Yes" button.

The application is closed and the "Cleopatra Enterprise path configuration" dialog is

shown.

Press the browse ("...") button behind the "Configuration path" edit field.

Select the desired directory.

This path must be accessible for all Cleopatra Enterprise users that use the same

configuration and all these users should have access rights (Read and Write) to this

configuration directory.

Press the browse ("...") button behind the "Installation path" edit field.

Select the install directory of Cleopatra Enterprise.

Press the "OK" button.

Press "Yes" to restart Cleopatra Enterprise.

1


1.1.1 Shared / Personal configuration

Shared configuration

The "Shared configuration" directory is a directory which contains all configuration data for all users. All users

participating in the same Cleopatra Enterprise license should have access rights (Read and Write) to this

configuration directory. It is possible to configure this location within Cleopatra Enterprise.

Personal configuration

The "Personal configuration" directory is a directory which contains all configuration data (like user

preferences) specific for this user. This directory can not be configured instead it uses the user’s home

directory defined by the operating system.

Personal configuration settings are typically stored on the following location:

"C:\Documents and Settings\[user profile]\CleopatraEnterprise\" where [user profile] is the profile directory of

the current user but on a network this location can be different.

2

Configuration

1.2 User preferences

1.2.1 User preferences

With "User preferences" the system will remember certain choices and settings that users make, and offer

these as the default option next time.

Most user preferences will be explicitly set by the user, through the "My user preferences" section of the

configuration screen. Other preferences will be saved automatically such as the "Recently-used-documents

list" when a document is opened and the window position and size when a dialog is closed.

It could be desirable to use certain user preferences as a company standard e.g. the default currency, the

default language or the column layout of a document. See "How to make a user preferences template" and

"How to import a user preferences template" for more information.

User preferences in the configuration dialog

Currency The default currency for new document.

Date format Define the way dates are shown in Cleopatra Enterprise.

Default file The default folder when a file dialog is shown. If an empty path is used, the file dialog

folder will open in the default home folder.

Default login The default database connection and user name to use when logging in, so that only

a password has to be filled in. Optionally the "Login dialog" can be shown right after

Cleopatra Enterprise is started.

Document When creating a new document, often you want to use a template with standard

Template information filled in, such as company name or standard breakdown structures. The

Folder template folder gives quick access to the templates in the "New document Wizard".

Default The language to be used in Cleopatra Enterprise. Note that you can customize a

language language to use the terms you are familiar with. See "Custom languages".

Layout The default layout of the various windows in Cleopatra Enterprise. Using the "Load

last used layout" option, restore the windows to the same layout as the last time you

were logged into the same database. For more information, see "Layout".

Log file Enables a log file used for solving problems with Cleopatra Enterprise. It is best to

leave this option off unless asked for a log by the Cleopatra Enterprise help desk.

Number The format in which numbers are shown in Cleopatra Enterprise. The number

format formatting can also be used in reports.

Recently

used

documents

Document

column

preferences

Show the recently used documents on the welcome screen and the file menu. Clicking

on a recent document link will open the login dialog for the correct database and

automatically opens the document. For more information, see "Login with recent

document link".

The default columns to show when a estimate or knowledgebase is opened. These

preferences are also saved when a document is closed. For more information on how

to arrange columns when a document is opened, see "Add and remove properties".

Other user preferences

Dialog sizes Most dialogs will remember their position and size from the last time they were

opened.

Table Most tables (besides the document ones) also save which columns are visible, in what

columns order and their widths. For more information on how to arrange columns, see "Add

and remove properties".

Spare text

columns

Both a documents and components have spare text fields which can be customized to

add extra codes or information. By default these properties are not visible unless they

have been given a custom name. This preference can be changed on the "Object

inspector" properties tab.

3


Date format

You can design your own patterns to format dates and times from the list of symbols in the following table:

Symbol Meaning Presentation Example

G Era designator Text AD

y Year Number 96 or 1996

M Month in year Number and Text 07 and July

d Day in month Number 10

h Hour in AM/PM (1-12) Number 12

H Hour in day (0-23) Number 18

m Minute in hour Number 30

s Second in minute Number 55

S Millisecond Number 978

E Day in week Text Tue or Tuesday

D Day in year Number 189

F Day of week in month Number 2 (2nd Wed in July)

w Week in year Number 27

W Week in month Number 2

a AM/PM marker Text PM

k Hour in day (1-24) Number 24

K Hour in AM/PM (0-11) Number 0

z Time zone Text

Pacific Standard Time, PST or GMT-

08:00

' Escape for text Delimiter (none)

' Single quote Literal '

In some cases it is possible to repeat the symbol which will change the way the result will be displayed. The

following table summarizes these rules:

Presentation Number of Symbols Result Example Result

Text 1 - 3 Abbreviated form, if one E, EE or EEE Mon

exists.

Text >= 4 Full form. EEEE Monday

Number Minimum number of digits

is required

Shorter numbers are

padded with zeros (for a

year, if the count of 'y' is 2,

then the year is truncated

to 2 digits).

d

dd

y

yyyyy

Text & Number 1 - 2 Number form. M

MM

Text & Number 3 Text form. MMM

MMMM

Next follow some more examples:

Example Result

yyyy MM dd 2004 06 02

y MMMM d 04 June 2

E M d yyyy Wed Jun 2 2004

K:mm a

6:15 PM

HH:mm:ss:SSS 18:15:32:964

1

01

09

2009

1

01

Jan

January

4

Configuration

Number format

The number format can be split up into several formats, which format is used for a particular number

depends on it value. If a number falls in to a specified range, the format for that range is used. If a number

doesn't fit into any of the defined ranges, the default format is used.

Rounding The rounding determines how many decimal places are visible for a number or to

what multiple of ten the number should be rounded. For example, 150.7568 is

shown as 150.76 with two decimals, but as 200 when rounding to multiples of

hundred.

Engineering

notation

The engineering notation show large or small numbers with an exponential

notation where the exponent takes steps of three. For example, 1000 will be

shown as 1x10 3 , 1000000 as 1x10 6 and 0.0001 as 1x10 -3 .

5


1.2.2 How to make a user preferences template

It could be desirable to use certain user preferences as a company standard e.g. the default currency, the

default language or the column layout of a document. To make a user preference template, you'll need to do

the following:


Select "My user preferences".

Configure the desired default user preference.

Select "Export user preferences".

The "Save" dialog appears.

Select a location to save the preferences template to.

Distribute this file to all the desired users.

Import the preferences template on the user's machine. See "How to import a user

preferences template" for more information.

6

Configuration

1.2.3 Custom Languages

The "Custom Languages" functionality is meant for users who have their own terminology for a certain

concept. For example, the term "cost" may be referred to as "price" in some organizations. Through the

control panel, users with sufficient permissions can supply their own values for the strings on most elements

(such as dialog titles, textbox labels, table headers etc). This can be done on a per-language basis. The

language overrides are stored in the system configuration directory on the network, so it is shared between

all Cleopatra Enterprise users within a company, rather than being per database.

Change resource strings



Select "Shared configuration".

Select "Custom languages".

Select the "Language" button on the toolbar and choose the desired language.

Select the word that needs to be changed from the "All keywords" list.

Enter the new description in the "Modified" field of the desired language(s) at the right.

Press the "Close" button.

The "Configuration" dialog is closed.

Filter or find resource strings

Follow steps 1 through 4 from "Change resource strings" above.

Select the "Terms" field in front of the "Search" button.

Enter the search or filter value.

Press the "Search" button.

Continue from step 5 of "Change resource strings" above.

7


Create new language:

Follow steps 1 through 3 from "Change resource strings" above.

Press the "New language" button.

Select the base language to use. If you do not translate a term, the base language

translation will be used.

Optionally select a region where this language is used. This setting can change how some

standard texts are translate.

Choose a flag to represent the new language.

Continue from step 5 of "Change resource strings" above to translate the terms of new

language.

You can export all terms with their current translations to a text file if you prefer you

translate them outside Cleopatra Enterprise.

8

Security overview

2 Security overview

2.1 Quick reference

9


2.2 Licensing

2.2.1 How to import a license

When starting Cleopatra Enterprise for the first time the "License wizard" will appear. You will need to import

the license file provided by Cost Engineering. If you did not receive a license file, please contact our sales

department. See "Contact" for more information.

When you need to replace an existing license (e.g. because you updated the number of users) you will need

to start the license wizard manually.

When replacing an existing license you will need to make sure nobody is logged in into a

database connection (including yourself) otherwise the "Import license" button will be

disabled.

Select "Help => License" from the main menu.

The "License" wizard appears.

Press the "Import license" button in the license wizard.

If you are already using a license a "Question" dialog appears.


The "Open" dialog will appear.

Select the license file.

Press the "Open" button.

The "Open" dialog is closed.

Press the "Finish" button.

The "License" wizard is closed and the license will be imported.

10

Security overview

2.2.2 Validate license

When starting Cleopatra Enterprise for the first time the "License wizard" will appear. You will need to import

the license file provided by Cost Engineering. If you did not receive a license file, please contact our sales

department. See "Contact" for more information.

When you need to replace an existing license (e.g. because you updated the number of users or you

purchased new modules) you will need to start the license wizard manually.

Most licenses need to be activated before they can be used. To activate a license you will need to do the

following:

When replacing an existing license you will need to make sure nobody is logged in into the

program (including yourself) otherwise the "Import license" button will be disabled.

Select "Help => License" from the main menu.

The "License" wizard appears.

Press the "Import license" button in the license wizard.

If you are already using a license the "Import new license" dialog appears.


The "Open" dialog will appear.

Select the license file.



11


Press the "Next" button.

The "License activation" page will appear.

Press the "Create activation request" button.

A folder browser appears.

Select a location for the activation request file.

Press the "Create activation request" button.

The activation request will be created at the selected location. Send this file to our support department. Cost

Engineering in return will send an activation file which should be imported as follows:

It is possible to close the program until you receive the activation response from Cost

Engineering. To continue, just restart Cleopatra Enterprise and the license wizard will be

shown again.

Press the "Import activation" button.

The "Open" dialog appears.

Select the activation file.




The license will be activated and the program is ready for use.

12

Security overview

2.2.3 Concurrent users per module

The license specifies how many people can use a particular module at the same time. If that number is

reached, no more users will be able use that particular module. The users will still be able to use other

modules (provided that the license contains enough users for those modules).

Press "Help => License => View License" to view the license details. The product should be licensed to your

company. You will be able to use Cleopatra Enterprise until the "Expiration date". You will be able to update

the licensed modules until the "Expiration date for updates". This dialog will also display the number of

current users per module and the maximum number of users for each module.

13


2.3 The security model

Security and privacy of cost and project data has a high priority. The architecture of Cleopatra Enterprise

provides a flexible and enhanced security technology. This provides an easy way to customize the security

within the application to align with your business processes. The security architecture is divided into three

layers. For each layer the authorization level can be configured per user. A user is only allowed to execute

certain actions if all the layers grant him access.

The three security layers are:

Functional

Information

Workflow

The functional security layer:

The functional security layer specifies which users can perform certain functions and actions. For most

modules this consists of "no access", "read only" or "all". For some other administrative functions you can

define the user permissions on a very detailed level. Most of the time, certain groups of users will need to

have the same permissions regarding the functionality of the program. Therefore, permissions will not be

assigned to individual users, but to "Roles". A "Role" can consist of multiple users. In that case, you only

need to define the permissions once after which they can easily be applied to a group of users. Permissions

of the functional security layer can be set in the configuration dialog.

The information security layer:

The information security layer determines which users can see or edit what information. Most of the time this

is related to the fact that multiple people are working on the same project. Other users who are not working

on that project should not have access to the project’s information. These kind of permissions can be set in

the data explorer and are known as the folder permissions. Like the functional security, it is not necessary to

specify the permissions per individual user. Permissions can be assigned to workgroups, where a workgroup

consists of users working on the same project for instance.

The workflow security layer:

The workflow security layer is optional and can only be used if you have purchased the Workflow module. In

the workflow security layer users can see or edit documents depending on the workflow state the document

is currently in. These permissions are defined in the workflow designer. Again, permissions are not assigned

to individual users, but to groups of users, in this case the workflow roles. These permissions only apply if

the document is linked to a certain workflow. The workflow state of a document determines whether the user

can view or edit the document or possibly doesn't grant access to the document at all.

14


3 Security configuration

3.1 Users

Users need to be created to be able to control their permissions. By assigning users to roles and workgroups

their permissions can be defined. A role defines the function one or more user have within the system (see

"roles" for more information). A Workgroup is a collection of users with specific folder permissions (see

"workgroups" for more information).

For a newly created database, a demo user (password demo) is created. This user has all

rights and is useful when investigating all features of the product. It is recommended to delete

this user in a production environment.

Every newly created database contains the "admin" user (password "admin"). This user has

all permissions to perform basic administrative task like setting up the security. This user

cannot be deleted, nor can his security permissions be changed. It is recommended that the

password is changed in a production environment.

Changes to user rights can only be done by users with sufficient rights. It is possible to login

as a different user from within the configuration dialog. See "Select database" for detailed

information.

15


3.1.1 How to create users

Login if not already logged in.



Select "Security management => Security".

Select the "Users" tab if not already selected.

Press the "New user" button.

All edit fields are cleared if they weren't empty already

Enter the "Login name".

Enter a value in any other desired field (usually a password should be set).




rights and is useful when investigating all features of the product. It is recommended to

delete this user in a production environment.

Every newly created database contains the "admin" user (password "admin"). This user

has all permissions to perform basic administrative task like setting up the security. This

user cannot be deleted, nor can his security permissions be changed. It is recommended

that the password is changed in a production environment.

Changes to user rights can only be done by users with sufficient rights. It is possible to

login as a different user from within the configuration dialog. See "Select database" for

detailed information.

16


3.2 Roles

A role defines the function one or more user have within the system. Roles can be assigned certain

permissions. Permissions control the rights to perform certain actions. Within the application there is a

distinction between three types of permissions:

Functional permissions: permissions which allow users to perform certain functions.

Workgroup permissions: permissions which allow users to access certain data.

Workflow permission: permissions which allow users to perform certain workflow actions or view

data in certain states.

Permissions can be grouped in (workflow) roles or workgroups. Users can be assigned to these roles or

workgroups. In this way they get the permissions defined.

17


3.2.1 How to create roles




Select "Security management => Security"

Select the "Roles tab" if not already selected.

Press the "New role" button.

All edit fields are cleared if they weren't empty already and all available users are in the

excluded list.

Enter the "Role name".

Optionally: enter the "Role description".



Changes to role assignments can only be done by users with sufficient rights. It is possible

to login as a different user from within the configuration dialog. See Select database for


18


3.2.2 How to add users to roles




Select "Security management => Security".

Select the "Roles" tab.

Select the role to which one or more users need to be added.

Users can be a member of multiple roles. When rights of a certain user need to be

determined, rights of the different roles are examined and the highest right (the right that

grants the user the most access) will be used.

It is not possible to change the rights of a role when a user that is a member of that role is

logged in.

Select the desired user(s) in the "Excluded" users list.

Press the "Add to selected" button.



It is possible to add users to the "Administrator" role but it is recommended to create a

'custom administrator' role and assign users to that. This because the "Administrator" role

has only very restricted rights and cannot be changed. A 'custom administrator' role can

be setup to fit your own needs.

Changes to role assignments can only be done by users with sufficient rights. It is possible

to login as a different user from within the configuration dialog. See Select database for


Changes to the security settings might not take affect until the next login of the affected

user(s).

19


3.2.3 The tab Administrator rights

The "Administrator rights" tab contains the settings that define the permissions that are usually associated

with Cleopatra Enterprise administrators. Various user management permissions and role and workgroup

permissions can be set here. We recommend that only a few users have (some of) these permissions.

Usually there is one Cleopatra Enterprise administrator who is responsible for the administrative tasks like

user management and management of roles and workgroups. In larger companies there could be more then

one administrator. In that case we usually see an 'administrator' that manages the role and workgroup

permissions and a 'user manager' that is responsible for the management of Cleopatra Enterprise users.

Add and remove roles, and assign permissions to roles:

Users within a role with this permission have full rights on the roles page (of the "Configuration" dialog)

except for adding and removing users to / from roles. For that the "Add and remove users to/from roles"

permission needs to be set.

Add and remove users to/from roles:

Users within a role with this permission can add users to roles or remove them from roles. For all other role

manipulation permissions the "Add and remove roles, and assign permissions to roles" permission needs to

be set..

Add and remove users to/from workgroups:

Users within a role with this permission can add users to workgroups or remove them from workgroups. For

all other workgroup manipulation permissions the "Add and remove workgroups" permission needs to be set.

Add and remove workgroups:

Users within a role with this permission have full rights on the workgroups page (of the "Configuration"

dialog) except for adding and removing users to / from workgroups. For that the "Add and remove users

to/from workgroups" permission needs to be set.

20


Administrate folders and documents:

Users within a role with this permission can modify folder permissions in the "Data explorer" even when they

don't have any permissions on a certain folder. A user with this permission can always modify folder

permissions in the "Data explorer". It is recommended that at least one person should be member of a role

which has this permission, set so that there is always someone who can change permissions on folders. All

other users should NOT have this permission because they need to comply to the permissions that are set

on the different folders.

Create new users:

Users within a role with this permission can create Cleopatra Enterprise users. See "Delete existing users",

"Modify user information" and "View user information" for more user management permissions.

Delete existing users:

Users within a role with this permission can delete other Cleopatra Enterprise users. Keep in mind that it is

not possible to delete a user when that user is logged in. See "Create new user", "Modify user information"

and "View user information" for more user management permissions.

Delete locks for a specific user:

Users within a role with this permission can remove user locks. Locks on users are set as soon as the user

logs in and are not released until the user logs out. In some rear cases the lock is not released properly (e.g.

when the application is aborted improperly or when it crashes). In that case the user cannot login for a

certain time (the lock is released automatically after a set time, usually 20 minutes). In such a situation an

administrator with this permission can unlock the user so that the user can login immediately. Keep in mind

that removing locks can cause problems if the 'unlocked user' is still working in Cleopatra Enterprise.

Modify user information:

Users within a role with this permission can modify all user information of every user. The "View user

information" permission also needs to be set in order for this permission to work. Keep in mind that it is not

possible to modify user information when that user is logged in. See "Create new user"and "Delete existing

users" for more user management permissions.

View user information:

Users within a role with this permission can view all user information of every user. Changes to other users

information is not possible until the "Modify user information" permission is also set. See "Create new

user"and "Delete existing users" for more user management permissions.

21


3.2.4 The tab Modules

The "Modules" tab contains the settings that define the module permissions for the users that are a member

of this role.




There are three different security settings:

No access: This means the user has no permissions on the module. A user with this

permission cannot open the module and cannot view any content of this module.

Read only: This means the user cannot make modification within this module. A user with this

permission can use this module for viewing purposes.

Full access: This means the user has full permissions on the module. Other security settings

still can prevent the user to perform certain actions. See other parts of the "Security" chapter

for more information.

The "Modules" security settings for "Reporting" only affect the permissions on the manage

reports module and the header and footer designer. Permissions on the individual reports

need to be set on the tab "Reports".

The "Modules" security settings for "Plug-ins" only affect the permissions on the manage

plug-ins module. Permissions on the individual plug-ins need to be set on the tab "Plug-ins".

To change the module permissions follow the next steps:

Set a tick mark for the module(s) that need to be changed.

To select all, clear or inverse the selection, press the change selection button.

Select "No access", "Read only" or "Full access" on the top slider to set the permissions

for all selected modules at once or

Move the slider behind the module name to set the desired permissions for that single

module.

Changed security settings might not take effect until the next login of the affected users.

22


3.2.5 The tab Plugins

The "Plugins" tab contains the settings that define the plugin permissions for the users that are a member of

this role.





No access: This means the user has no permissions on the plugin. A user with this

permission cannot open the plugin and cannot view any content of this plugin.

Read only: User permissions can vary depending on the design requirements of the plugin.

Usually this setting means the user cannot make modification within this plugin, the user with

this permission can use this plugin for viewing purposes.

Full access: This means the user has full permissions on the plugin.

The "Plugins" security settings only affect the permissions on the individual plugins. The

permissions to manage plugins needs to be set on the tab "Modules".

To change the plugin permissions follow the next steps:

Set a tick mark for the plugin(s) that need to be changed.



for all selected plugins at once or:

Move the slider behind the plugin name to set the desired permissions for that single

plugin.


23


3.2.6 The tab Reports

The "Reports" tab contains the settings that define the report permissions for the users that are a member of

this role.





No access: This means the user has no permissions on the report. A user with this

permission cannot open the report and cannot view any content of this report.

Read only: This means the user cannot make modification to this report. A user with this

permission can use this report for viewing purposes.

Full access: This means the user has full permissions on the report.

The "Reports" security settings only affect the permissions on the individual reports. The

permissions to manage reports and headers and footers need to be set on the tab "Modules".

To change the report permissions follow the next steps:

Set a tick mark for the report(s) that need to be changed.



for all selected reports at once or:

Move the slider behind the reports name to set the desired permissions for that single

report.


24


3.3 Workgroups

Cleopatra Enterprise offers the possibility for users to work in groups on the same project.

A Workgroup is a collection of users with specific folder permissions.

3.3.1 How to create




Select "Data store configuration => Security".

Select the "Workgroups" tab.

Press the "New workgroup" button.

All edit fields are cleared if they weren't empty already.

Enter the "Work group name".

Optionally Enter the "Work group description".



To assign users to work group see "Change work group assignment".

25


3.3.2 How to set security on folders

Folder permissions can be set for different workgroups. A Workgroup is a collection of users with the same

specific folder permissions. Users can be assigned to workgroups in the configuration dialog.

Select "Data Explorer" from the main toolbar.

Select the folder that needs security settings.

Press the "Security" button.

The "Workgroup permissions" dialog appears.

Remove the tick mark from the "Inherit folder permissions from parent folder".


When the Inherit folder permissions from parent folder" tick mark is disabled, you don't

have sufficient rights to change the security properties. To find out what causes this see

"How to determine permissions".


Add the desired workgroup(s) to the "Selected workgroups" list using the "Add to selected"

button.

Set the desired permissions for the added workgroup(s). See table below for more

information.

When you select one of the permissions the "Permission hint" panel will show a

description of the permission.


The "Workgroup permissions" dialog is closed.

26


Workgroup permissions:

Workgroup permissions control the permissions for all users within the selected workgroup. If a user is a

member of multiple workgroups, the set permissions of all workgroups will apply. So if a user has a certain

right in any of the workgroups, this will allow the user to perform the action.

Browse

folder

Rename

folder

Add or

delete sub

folders

Allows the users of this workgroup to view the folder and the documents located in this

folder.

Allows the users of this workgroup to rename this folder.

Allows the users of this workgroup to add or remove folders located in this folder.

To see the documents in this folder, the workgroup also needs to have the "Browse folder"

permission, which will automatically be set.

Open

documents

Allows the users of this workgroup to view and open documents located in this folder.



Edit

documents

Allows the users of this workgroup to modify and rename the documents located in this

folder. Users can also create documents in this folder.

To actually edit the documents in this folder, the workgroup also needs to have the

"Browse folder" and the "Open documents" permission, which will automatically be set.

Delete

documents

Allows the users of this workgroup to delete the documents located in this folder.

To actually delete the documents in this folder, the workgroup also needs to have the

"Browse folder", the "Open documents" and the "Edit documents" permission, which will

automatically be set.

Change

ownerships

Allows the users of this workgroup to change ownership of this folder. Users who will

create a folder or document will automatically become owner of that folder or document.

Owners have all permissions related to that folder or document.

27


3.4 Workflow

The Workflow Module enables you to thoroughly yet easily manage specific workflow processes and link any

document from the data explorer to specific steps in a work process. Workflow capabilities are ideally suited

for handling all aspects of established procedures required for internal sub tasks.

The Workflow Module is designed to let you conduct organizational processes accurately and efficiently. As

a result, you can count on shortened process-cycle times, reduced costs, improved accountability, better

visibility of process status, reduced errors, enhanced ability to adhere to compliance regulations and

improved quality.

The workflow module enables intelligent and secure routing of documents within the data explorer.

During the processing of workflow tasks, users always have access to all relevant information available in the

process and can view any document(s) for which they have corresponding permissions. Not only does the

workflow enforce a certain route for your documents, it also secures the documents based on the specific

workflow state the documents are currently in.

3.4.1 workflow designer

With the help of the workflow designer it becomes a simple task to define your workflow. It does this by

offering you a visual designer which helps you to define states, transitions and roles with a couple of mouse

clicks. It is even possible to design multiple workflow's, so support for multiple work processes within your

company is possible. Please note that a document can only be in one workflow at the time.

28


3.4.2 How to create a new workflow

Select "Module navigator" from the main toolbar.

Expand the "Workflow" module.

Select "Workflow designer".

The "Workflow designer" dialog appears.

Press the "Create a new workflow" button.

The "New workflow" dialog appears.

Enter a "Name" and a "Description".


The workflow will be created.

29


3.4.3 Workflow permissions

To be able to add documents to a workflow, at least one of the states need to have the "Initial

state" set.

Workflow role permissions:

Workflow role permissions control the permissions for all users within the selected role. State permissions

apply to all users within that role. If a user is a member of multiple roles, the set permissions of all roles will

apply. So if a user has a certain permission in any of the roles, this will allow the user to perform the action.

Assign documents

Open documents

Edit documents

Remove documents

Export documents

Allows the users of this role to assign documents to this workflow state.

Allows the users of this role to open documents in this workflow state.

Allows the users of this role to edit documents in this workflow state.

Allows the users of this role to remove documents in this workflow state from

the workflow.

Allows the users of this role to export documents from and import into this

workflow state. It also controls the right to unlock exported documents. See

"Export and import of documents in a workflow" and "How to unlock exported

documents" for more information.

Transition permissions:

Transition permissions control the permissions for all users within a role to move documents form one state

to another. Only users that are member of the role that has been given rights to the transition will be able to

move the documents to the next (or previous) state.

Transition between

states

Allows the users of this role to transfer documents along this workflow state

transition. (this depends on the direction of the transition.)

It is possible to add transitions in two directions: from A to B and from B to A.

30


3.4.4 How to create a new workflow role

Open a workflow.

Press the "Create a new workflow role" button.

The "New workflow role" dialog appears.

Enter a "Name" and a "Description".


The workflow role will be created.

31


3.4.5 How to assign users to a workflow role

Open a workflow.

Select the desired workflow role in the "Workflow roles" list.

Press the "Assign users to role" button.

The "Assign users to role" dialog appears.

Select one or more users in the "Excluded" list.


The user(s) will appear in the "Included" list.


The user(s) will be assigned to the Workflow role.

3.4.6 How to create a new workflow state

Open a workflow.

Press the "Create a new workflow state" button on the toolbar.

The "New workflow state" appears.

If you want to add more workflow states, repeat step 2.

New states will be created at the same base position.

Select the state and move it to the desired position.

The workflow state will be created.

32


3.4.7 How to assign a role to a workflow state

Open a workflow.

Select a "Workflow state".

Press the "Edit" button on the toolbar.

The "Edit workflow component" dialog appears.

Press the "Roles" tab.

Select one or more roles from the "Available" list.


The available role(s) will appear in the "Selected" list.

Select a role from the "Selected" list.

Set the desired permission(s).


The role(s) will be assigned to the workflow state.

To select all, clear or inverse the permissions, press the "Change Selection" button

33


3.4.8 How to create a new state transition

Open a workflow.

Press the "Add a new state transition" button on the toolbar.

Select the first state (from).

Select the second state (to).

The state transition is created.

It is possible to add state transitions in two directions: from A to B and from B to A.

34


3.4.9 How to assign a role to a state transition

Open a workflow.

Select a "State transition".

Press on the "Edit" button on the toolbar.


Press the tab "Roles"

Select one or more roles in the "Available" list.


The added role(s) will appear in the "Selected" list.

The "Selected" role has always the permission "Transition between states".

35


3.5 Security facts

General

It is not possible to modify a role when a user that is a member of that role is logged in.

It is not possible to change the rights of a role when a user that is a member of that role is

logged in.

It is not possible to modify a user when the user is logged in.

It is not possible to modify a workgroup when a user that is a member of that workgroup is

logged in.


License

When replacing an existing license you will need to make sure nobody is logged in into a

database connection (including yourself) otherwise the "Import license" button will be

disabled.

It is possible to close the program until you receive the activation response from Cost

Engineering. To continue, just restart Cleopatra Enterprise and the license wizard will be

shown again.

You can still connect to the server database with a single user license. This will not use up a

concurrent user of the server license.

In case you are using Cleopatra enterprise off-line you will not be able to access the shared

reports - make sure you make a local copy of those you need for personal use.

Users

For a newly created database, a demo user (password "demo") is created. This user has all

rights and is useful when investigating all features of the product. It is recommended to delete

this user in a production environment.

Every newly created database contains the "admin" user (password "admin"). This user has

all permissions to perform basic administrative task like setting up the security. This user

cannot be deleted, nor can his security permissions be changed. It is recommended that the

password is changed in a production environment.

36


Roles

The "Modules" security settings for "Reporting" only affect the permissions on the manage

reports module and the header and footer designer. Permissions on the individual reports

need to be set on the tab "Reports".

The "Modules" security settings for "Plug-ins" only affect the permissions on the manage

plug-ins module. Permissions on the individual plug-ins need to be set on the tab "Plug-ins".

Changes to role assignments can only be done by users with sufficient rights. It is possible to

login as a different user from within the configuration dialog. See "Select database" for





It is possible to add users to the "Administrator" role but it is recommended to create a

'custom administrator' role and assign users to that. This because the "Administrator" role has

only very restricted rights and cannot be changed. A 'custom administrator' role can be setup

to fit your own needs.

Every database contains the "Administrator" role. This role has all "Administrator rights"

permissions but no rights in any other part of the application. This role cannot be deleted, nor

can its security permissions be changed.

Workgroups

When the Inherit folder permissions from parent folder" tick mark is disabled, you don't have

sufficient rights to change the security properties. To find out what causes this see "How to

determine permissions".

When you select one of the permissions the "Permission hint" panel will show a description of

the permission.





To actually edit the documents in this folder, the workgroup also needs to have the "Browse

folder" and the "Open documents" permission, which will automatically be set.

37


4 Exercise

4.1.1 Introduction

The next Exercises will show you how to setup the various security settings within Cleopatra Enterprise. We

will start by adding users. Next we will create some roles to define the functions users have within the

system. The roles will be assigned permissions to control the rights to perform certain actions. After an in

depth example of the different role permissions we will look at workgroups. A workgroup is a collection of

users with specific folder permissions. Workgroups offer the possibility for users to work in groups on the

same project and can prevent them to edit documents of another project. Finally we will have a look at the

workflow functionality. The workflow module enables intelligent and secure routing of documents within the

data explorer. Not only does the workflow enforce a certain route for your documents, it also secures the

documents based on the specific workflow state the documents are in.

In the next chapters the trainer will demonstrate how to setup the different security settings. During this

demonstration the participants can do some exercises to verify the functionality. The next parts will be

explained:

How to setup user security

How to setup role security

How to setup role security for reports

How to setup workgroup security

How to create a workflow design

How to setup workflow roles (part 1)


Conclusion

38

Exercise

4.1.2 How to setup user security

Before it is possible for a person to use Cleopatra Enterprise it is necessary to create a user account.

Because it is not possible to login multiple times as the same user, it is necessary to create an account for

each user.

Before we can access the different security parts it is required to login as a user with sufficient permissions.

We are going to use the default Admin user for this. To login do the following:


The "Configuration" dialog will appear.

39


Select the "Select database" option.

Press the "Select..." button.

The "Login wizard" appears.

Enter "Admin" in the "User name" field.

Enter "Admin" in the "Password" field.






The application will now login as the Admin user.

40

Exercise

Next we are going to create an account for each user. User accounts can be created in the following way:

Select the "Security" option.

Press the "New user" button.

The "New user" dialog appears.

Enter the "login name" of the desired user.


The user account is created.

41


Users are now known to the system and they are able to log into Cleopatra Enterprise.

Excercise:

Log into the application.

Note that it is possible to log into the application but that the user does not have any

permissions in any module or on any document.

To allow the user to enter their personal details we will temporary assign him to the Admin role:


Select the "Admin" role.

Select all new users in the "Excluded" users list.


Select the "Users" tab.

Exercise:

Log into the Configuration dialog.

Edit personal details.

Enter a password.

Before we continue with the explanation of the role functionality we will first remove all users from the Admin

role:


Select the "Admin" role.

Select all new users in the "Included" users list.

Press the "Remove from selected" button.

How to setup role security

42

Exercise

4.1.3 How to setup role security

Roles are used to group users that have a similar function within the system. E.g. Estimator, Project

manager, Application manager or Knowledgebase administrator. Each role can contain one or more users

and has it own permission settings which apply to all users within the role. To demonstrate the role

functionality we are going to create two different roles:

Make sure the "Roles" tab is selected.

Press the "New role" button.

The "New role" dialog appears.

Enter "Estimator" as the "Name" of the role.

Enter a "Description" for the role.


The "Estimator" role is created.

Again press the "New role" button.

The "New role" dialog appears.

Enter "Knowledgebase admin" as the "Name" of the role.

Enter a "Description" for the role.


The "Knowledgebase admin" role is created.

43


Now we have created two roles it is time to assign users to them. To do so we need to do the following:

Select the "Estimator" role.



The users are assigned to the "Estimator" role.

Select the "Knowledgebase admin" role.



The users are assigned to the "Knowledgebase admin" role.

Note that users can be a member of multiple roles. When rights of a certain user need to

be determined, rights of the different roles are examined and the highest right (the right

that grants the user the most access) will be used.

44

Exercise

Next we are going to assign different permissions to the two roles. To setup all permissions for the

"Estimator" role we need to do the following:


Press the "Permissions for role" button.

The "Permissions for estimator" dialog appears.

Select the "Modules" tab.

Press the "Change selection" button.

Select "Select all" from the popup menu.

Now all modules are selected.

Remove the tick mark for the "Reed business" and "Web sharing" modules.

Select "Full access" for the top slider.

Move the slider behind "Knowledgebase" to "Read only".

45


Select the "Administrator rights" tab.

Make sure all tick marks are turned off.


The "Permissions for Estimator" dialog is closed.

46

Exercise

And for the "Knowledgebase admin" role we do:



The "Permissions for Knowledgebase admin" dialog appears.

Select the "Modules" tab.

Place a tick mark for the "Currency manager", "Knowledgebase" and "Import/Export"

modules.


Move the slider behind "Cost estimation" and "Reporting" to "Read only".

Select the "Administrator rights" tab.

Make sure all tick marks are turned off.


The "Permissions for Knowledgebase admin" dialog is closed.

47


How to login using a specific role:

Press the login button on the main toolbar.

The "Login wizard" appears.

Enter the "User name".

Enter the "Password".


Disable the "Knowledgebase admin" role.


The application will now login only using the "Estimator" role.

Exercise:

Log into Cleopatra Enterprise but make sure that only the "Estimator" role is used.

Open an estimate.

Make sure you have access to the correct modules.

Open an knowledgebase.

Note that the knowledgebase is read only.

Select the estimate and select "Estimating" in the module navigator.

Note that it is possible to estimate from the knowledgebase.

Log into Cleopatra Enterprise and make sure that only the "Knowledgebase admin"

role is selected.


Make sure you have access to the correct modules.

Open an estimate.

Note that the estimate is read only.

How to setup role security for reports

48

Exercise

4.1.4 How to setup role security for reports

Role security is also used to set the permissions for the different reports. In the next example we are going to

set some report permissions for the two roles we have created previously:

Make sure the "Roles" tab is selected.



The "Permissions for estimator" dialog appears.

Select the "Reports" tab.


49



Now all reports are selected.


Move the slider behind "Knowledgebase components" and "Knowledgebase properties" to

"Read only".


50

Exercise

Now we are going to do the same for the "Knowledgebase admin" role:



The "Permissions for Knowledgebase admin" dialog appears.

Select the "Reports" tab.

Move the slider behind "Knowledgebase components" and "Knowledgebase properties" to

"Full access".


Changes to the security settings might not take affect until the next login of the affected

user(s).

51


Exercise:

Re-log into Cleopatra Enterprise but make sure that only the "Estimator" role is used.

Open an estimate.

Open the report wizard.

Select the "Direct cost" report and make some changes to the default settings.

Proceed to the "Save report settings" page.

Note that it is possible to save changes to report settings.

Close the report wizard.

Open a knowledgebase.


Select the "Knowledgebase components" report and make some changes to the

default settings.


Note that it is not possible to save changes to report settings.

Re-log into Cleopatra Enterprise and make sure that only the "Knowledgebase

admin" role is selected.



Select the "Knowledgebase components" report and make some changes to the

default settings.


Note that it is possible to save changes to report settings.

Open an estimate.


Note that the estimate reports are not available.

Close the report wizard.

How to setup workgroup security

52

Exercise

4.1.5 How to setup workgroup security

Workgroups are used to control the documents of different projects. Usually it is not desirable that every user

has access to every document in the database. Only users that are working on a certain project need access

to the documents of that project. Workgroups are used to determine the permissions users have on folders

and the documents in those folders. To show how the workgroup functionality works we are going to create

two workgroups:

Select the "Workgroups" tab.

Press the "New workgroup" button.

The "New workgroup" dialog appears.

Enter "Project X" as the workgroup "Name".

Enter a "Description" for the workgroup.


The "Project X" workgroup is created.

Again press the "New workgroup" button.

The "New workgroup" dialog appears.

Enter "Project Y" as the workgroup "Name".

Enter a "Description" for the workgroup.


The "Project Y" workgroup is created.

Now we need to assign users to the workgroups in the same way as we did for the roles:

53


Select the "Project X" workgroup.



The users are assigned to the "Project X" workgroup.

Select the "Project Y" workgroup.



The users are assigned to the "Project Y" workgroup.

Note that, as with roles, users can be a member of multiple workgroups. When rights of a

certain user need to be determined, rights of the different workgroups are examined and

the highest right (the right that grants the user the most access) will be used.

54

Exercise

Next we are going to create a project folder and grant full permissions to the "Project X" workgroup:

Log into Cleopatra Enterprise.

Press the "New folder" button on the database explorer toolbar.

The new folder is created.

Enter "Project X" as the folder name.

Press the "New folder" button on the database explorer toolbar.

The new folder is created.

Enter "Project Y" as the folder name.

Make sure the "Project X" folder is selected.

Press the "Security" button on the database explorer toolbar.


Remove the tick mark from the "Inherit folder permissions from parent folder" option.

A "Question" dialog appears with the question "Copy the security settings from the parent

folder"

Press the "NO" button.

Select the "Project X" workgroup from the "Available workgroups" list.


Set a tick mark for all options.

55


Now we are going to allow the "Project Y" workgroup read only permission to the "Project X":

Select the "Project Y" workgroup from the "Available workgroups" list.


Set a tick mark for the "Open documents" permission.

Note that the "Browse folder" permission is ticked automatically when "Open documents"

is selected. This is because in order to open a document you need to be able to browse

the folder that contains the document.


56

Exercise

Finally we need a document in the project folder to demonstrate the functionality:

Press the "New document" button.

The "New document wizard" appears.

Enter "001 project X" in the "Name" field.

Make sure that the "Project X" folder is selected in the "Folder" field.



A new document is created in the "Project X" folder.

Exercise:

Re-log into Cleopatra Enterprise but make sure that only the "Project X" workgroup is

used.

Open the "001 project X" document in the "Project X" folder.

Rename the "001 project X" document to "002 project X".

Close the document.

Re-log into Cleopatra Enterprise and make sure that only the "Project Y" workgroup is

used.

Open the "001 project X" document in the "Project X" folder.

Note that the document can only be opened read-only.

How to create a workflow design

57


4.1.6 How to create a workflow design

The last security functionality we are going to look at is workflow. Workflow offers an intelligent and secure

way to enforce a logical routing of documents. Documents can be placed in and moved though different

states. Each state will only allow users with sufficient permission to manipulate the document. First we need

to create a workflow

Select "Workflow => Workflow designer" from the module navigator.

The "Workflow designer" appears.

Press the "Create new workflow" button in the "Workflows" toolbar.

The "New workflow" dialog appears.

Enter "Administrator training" in the "Name" field.

Enter a "Description" for the workflow design.


The workflow design is created.

58

Exercise

Next we are going to design a very basic workflow that consists of two states "For approval" and "Approved":

Press the "Create a new workflow state" button.

A new state is added to the workflow design.

Again press the "Create a new workflow state" button to create a second state.

The second state is added to the workflow design.

Move one of the two states besides of below the other state.

Press the "Add a new state transition" button.

Click on the first state.

Click on the second state.

A state transition (arrow line) is drawn between the two states.

59


Now we are going to set some initial properties:

Select the first state.

Press the "Edit" button.


Enter "For approval" in the "Name" field.

Enter a "Description" for the workflow state.

Place a tick mark in the "Initial state" field.

The initial state option means that this state is a 'start point' of the workflow and that

documents that are not already part of this workflow can be assigned to this state. To be

able to add documents to a workflow, at least one of the states need to have the "Initial

state" set.


Select the second state.



Enter "Approved" in the "Name" field.




60

Exercise

4.1.7 How to setup workflow roles (part 1)

Now we have designed the workflow, we will determine the user permissions. To do so we first need to

create two workflow roles and add users to them:

Press the "Create new workflow role" button on the "Workflow roles" toolbar.


Enter "Estimator" in the "Name" field.



61






The users are assigned to the "Estimator" workflow role.


Again press the "Create new workflow role" button on the "Workflow roles" toolbar.


Enter "Project manager" in the "Name" field.



At this moment all users are assigned to the "Estimator" workflow role and none to the

"Project manager" workflow role. This will be changed later on in this course.

62

Exercise

Next we will setup the security for the "For approval" state:

Select the "For approval" state.



Select the "Permissions" tab.

Select the "Estimator" workflow role in the "Available" list.




All permissions are selected for the "Estimator" workflow role.

Select the "Project manager" workflow role in the "Available" list.


Only place a tick mark for the "Open documents" permission.


63


The same we will do for the "Approved" state:

Select the "Approved" state.




Select the "Estimator" workflow role in the "Available" list.


Only place a tick mark for the "Open documents" permission.





Remove the tick mark from the "Edit documents" permission.


64

Exercise

Finally we are going to set the permissions for the "Transition" between the two states:

Select the "Transition" (arrow line).






Place a tick mark for the "Transition between states" permission.


Exercise:

Create a new estimate.

Close the new estimate.

Assign the new estimate to the "For approval" workflow state.

Try to move the new estimate from the "For approval" state to the "Approved" state.

Note that the "Estimator" role does not have the permission to move the estimate to

the "Approved" state.

Open the new estimate.

Note that it is still allowed to open and edit the estimate.

Close the estimate.


65


4.1.8 How to setup workflow roles (part 2)

Now remove the users from the "Estimator" workflow role and assign them to the "Project manager" workflow

role:

Select the "Estimator" workflow role.





The users are removed from the "Estimator" workflow role.


Select the "Project manager" workflow role.





The users are assigned to the "Project manager" workflow role.


Exercise:

Move the estimate from the "For approval" state to the "Approved" state.

Open the estimate.

Note that the estimate cannot be edited.

66

Exercise

For a last check we will re-assign the users to the "Estimator" role:

Select the "Estimator" workflow role.





The users are assigned to the "Estimator" workflow role.


Select the "Project manager" workflow role.





The users are removed from the "Project manager" workflow role.


Exercise:

Conclusion

Open the estimate

Note that it is not longer possible to edit the estimate.

It is also not possible for the users in the "Estimator" role to remove the estimate from

the "Approved" state.

67


4.1.9 Conclusion

We have now finished the tutorial in which we looked at the different security types and how they can be

used. We hope you have found it informative and useful.

Now you have completed the security section of the course you will now be able to do the following in

Cleopatra Enterprise:

1. Setup user security:

How to create new Cleopatra Enterprise users.

How to edit their user properties.

How to create the different user roles you recognize within you own company.

How to setup the permissions for these roles.

How to setup the security for the reports.

2. Setup folder security:

How to create workgroups.

How to create folder structures for your various projects.

How to setup the security for these folders.

3. Setup workflow:

How to create a workflow design.

How to create workflow roles.

How to setup the permissions for the workflow roles.

How to add documents to a workflow and how to move documents between different workflow

states.

Of course, this is just a small overview of the capabilities of the security within Cleopatra Enterprise. Every

company has its own demands regarding security. We hope you are triggered to investigate more. If so,

please have a look at our "Manual" where are all topics are covered in detail.

68

Exercise

4.2 Security trouble shooting

4.2.1 How to resolve security problems

Document problems:

69


Folder / workgroup problems:

Module problems:

Report / plugin problems:

70

Exercise

4.2.2 How to determine permissions

Due to security a document or module can sometimes only be viewed in read-only mode and sometimes it

can not be opened at all. It can be quite complex to determine the cause of this. In order to easily determine

why a document or module is read-only or cannot be opened at all we have provided the following options:

Module access:

This shows what functional security permissions a user has. Module access can be viewed as follows:

Select "Help => Module access" from the main menu.

The "Current module access" dialog appears.

This dialog shows you the roles you are member of and which of them are currently used. It also shows the

permissions you have on the different modules, reports and plugins. It also shows the permissions a users

has on the administrator level.




71


Document and folder permissions:

This shows what information security permissions a user has. Document and folder properties can be viewed

as follows:

Select "Data explorer" from the main toolbar.

Select the folder or document which permissions you want to view.

Press the "Properties" button.

The "Properties" dialog appears.

Besides general document information, the "Properties" tab also shows information which can influence a

users permissions. It shows if a document is opened or locked and by who. It also shows in which workflow

state the document is in and if a expiration date is set on the document and if it is permitted to export the

document.

There is a special tab "Permissions" which shows what permissions you currently have on the

selected document. It is divided into folder permissions and workflow permissions.


72

Installation

5 Installation

5.1 MS SQL server

5.1.1 Introduction

Security is becoming increasingly important. It is one of the critical features of a database engine, protecting

the enterprise against myriad threats.

Apart from the usual security of physically securing the server, backing up data regularly and putting it

behind one or more firewalls if it is connected to a network, we recommend you to avoid installing SQL

Server on a computer with other server applications, and enable only the minimum network protocols

required.

5.1.2 Encrypting connections to SQL server

Microsoft SQL Server can use the Secure Sockets Layer (SSL) to encrypt data that is transmitted across a

network between an instance of SQL Server and a client application.

SSL can be used for server validation when a client connection requests encryption. If the instance of SQL

Server is running on a computer that has been assigned a certificate from a public certification authority,

identity of the computer and the instance of SQL Server is vouched for by the chain of certificates that lead to

the trusted root authority. Such server validation requires that the computer on which the client application is

running be configured to trust the root authority of the certificate that is used by the server.

The level of encryption used by SSL, 40-bit or 128-bit, depends on the version of the Microsoft Windows

operating system that is running on the application and database computers.

Enabling SSL encryption increases the security of data transmitted across networks between instances of

SQL Server and applications. However, enabling encryption does slow performance. When all traffic

between SQL Server and a client application is encrypted using SSL, the following additional processing is

required:

An extra network round trip is required at connect time.

Packets sent from the application to the instance of SQL Server must be encrypted by the client Net-

Library and decrypted by the server Net-Library

Packets sent from the instance of SQL Server to the application must be encrypted by the server

Net-Library and decrypted by the client Net-Library.

Also see "Encrypting Connections to SQL Server" on Microsoft's SQL server TechCenter

pages for more detailed information.

73


5.1.3 Installing MS SQL server

Cleopatra Enterprise stores its data in a central database using Microsoft SQL Server 2005.CLIENT

machines who whish to work with Cleopatra Enterprise need to have access to this database server. When

there is no Microsoft SQL Server available, it needs to be installed. The database server can either be

installed on a central server or on the local machine. When installing Microsoft SQL Server on a local

machine a special edition "Microsoft SQL Server 2005 Express" needs to be installed, which can be found in

the installation procedure of Cleopatra Enterprise. There are no additional server requirements for running a

Cleopatra Enterprise database besides the requirements for Microsoft SQL Server 2005. Of course, the

requirements typically depend on the number of users concurrently accessing the database server and the

amount of data which is involved. General hardware recommendations regarding Microsoft SQL Server 2005

can be found at:

http://www.microsoft.com/sqlserver/2005/en/us/system-requirements.aspx

By default the Cleopatra Enterprise installation procedure contains an automated installation of ”r;Microsoft

SQL Server 2005 Express”:

Start the installation.

The Microsoft SQL server setup dialog appears. Screen shot

Tick the "I accept the licensing terms and conditions".



The installation will check your system. Screen shot

After the system configuration check finishes, press the "Next" button.

Enter the user "Name" and "Company name".


The next step allows you to select the components to install. Screen shot

Select "SQL Server Database Services".

Select "Workstation components, Books and development tools".

Select "Integration Services".


If this is the first instance of SQL server on the target machine select "Default instance".

Otherwise select "Named instance".


Select "Use the built-in System account".


Set the "The authentication mode" to "Mixed Mode". See "Choosing an authentication mode"

for more detailed information.

Enter a password for the System Administrator (SA).

74

Installation

This password will be needed when installing Cleopatra Enterprise.


The "Collation settings" page needs no specific changes.


All configuration settings are now set and you are ready to start the actual installation.

Press the "Install" button to start the installation.

During the installation the progress will be shown.


Press the "Finish" button, to exit the installation.

5.1.4 Configuring MS SQL Server for Cleopatra Enterprise

Cleopatra Enterprise requires some specific MS SQL Server settings. Below you will find all steps to

configure these settings.

In order to connect to an SQL server on a remote machine you need to make sure the firewall

opens the port on which SQL server is listening (default 1433). You can do that in the

"Control Panel" (see steps below) or by using the command line: "Netsh firewall set port

opening tcp 1433 SQL_PORT_1433 ENABLE ALL".

See "Opening a port on the firewall" for more information.

Start the "SQL Server Configuration Manager". You can find this option in the Start menu in

the option "Microsoft SQL Server 2005 => Configuration tools".

The "SQL Server Configuration Manager" appears.

Select "Protocols for MSSQLSERVER". Screen shot

Double click the "TCP/IP" option.

The "TCP/IP properties" dialog appears.

Set the "Enabled" option to "Yes". Screen shot

Select the "IP Addresses" tab.

Make sure all "TCP Port" settings are set to "1433". Screen shot


The "TCP/IP properties" dialog is closed.

The next step allows you to select the components to install. Screen shot

Close the "SQL Server Configuration Manager".

75


5.1.5 Choosing an authentication mode

When configuring the SQL server, you must select an authentication mode.

There are two possible modes:

Windows Authentication mode. This enables Windows Authentication and disables SQL Server

Authentication.

Mixed mode. This enables both Windows Authentication and SQL Server Authentication.

Windows Authentication is always available and cannot be disabled.

Microsoft advises to use Windows Authentication when possible.

Disadvantages of SQL Server Authentication:

If a user is a Windows domain user who has a login and password for Windows, he must still provide

another (SQL Server) login and password to connect.

SQL Server Authentication cannot use the "Kerberos security protocol".

Windows offers additional password policies that are not available for SQL Server logins.

Advantages of SQL Server Authentication:

Allows SQL Server to support environments with mixed operating systems.

Allows users to connect from unknown or untrusted domains.

See "Choosing an Authentication Mode" on Microsoft's developer center pages for

more detailed information.

5.1.6 Opening a Port on the firewall

In order to connect to an SQL server on a remote machine you need to make sure the firewall opens the port

on which SQL server is listening (default 1433). You can do that in the "Control Panel" (see steps below) or

by using the command line: "Netsh firewall set port opening tcp 1433 SQL_PORT_1433 ENABLE ALL"

Opening a port on the firewall:

Select "Start" on the windows taskbar.

Select the "Control panel".

Select "Windows firewall".

Select the "Exceptions" tab.

Press the "Add port" button.

The "Add port" dialog appears.

Enter a "Name"

Enter the "Port number" on which SQL server is listening

Select "TCP".


The port is added.


76

For local installations Microsoft SQL server express edition is available. Be aware that this

version has its limitations. E.g. The express edition has 4 GB database size limit, the

MSDE has a maximum of 2 GB database size. See the Microsoft documentation for


Installation

5.2 Cleopatra Enterprise

5.2.1 Downloading Cleopatra Enterprise

Click here to view the minimum system requirements.

To view PDF documents install Adobe Acrobat Reader 8.0 or higher.

Downloading Cleopatra Enterprise:

Open the Cost Engineering web site: www.CostEngineering.eu

Select the "Support" option.

Select the "Download" option.

Enter the "Username" and "Password" provided by Cost Engineering.

Press the "Login" button.

Select "Cleopatra Enterprise" from the list at the right hand side.

Select the desired Cleopatra Enterprise file.

A "File download" dialog appears.

Press the "Save" button

A "Save" dialog appears.

Select a location to save the installation file.

Press the "Save" button.

Also see "Installing Cleopatra Enterprise".

77


5.2.2 Installing Cleopatra Enterprise

Cleopatra Enterprise can be installed using the provided installation procedure. The installation of Cleopatra

Enterprise requires no additional system libraries like dll’s. Therefore, it is possible to install Cleopatra

Enterprise once on a network or application server. Users who want to start Cleopatra Enterprise just need to

have access to the “Cleopatra Enterprise.exe” on the network server.

Start the installation (provided by download or CD-rom).

The Cleopatra Enterprise installation dialog appears (screen shot).

Select "Cleopatra Enterprise".

Press the "Install" button.


Accept the license agreement.


Select the installation folder.

Cleopatra Enterprise can be installed on a local machine as well as a network or application

server. See "Remote access" for more information.


Select the configuration folder.

The configuration folder is a folder which will contain all shared configuration data for all

users. All users who use this installation of Cleopatra Enterprise should have sufficient

access rights (read / write) to this configuration folder.


Cleopatra Enterprise will be installed.

Press the "Finish" button, to exit the installation.

License.

Click here to view the minimum system requirements.

To view PDF documents install Adobe Acrobat Reader 8.0 or higher.

78

Installation

5.2.3 Common installation issues

Installing Cleopatra Enterprise is quite straightforward. However, there are couple of issues you need to be

aware of the next:

Make sure you have administrator rights to install Cleopatra Enterprise and MS SQL Server.

Cleopatra Enterprise needs access to a shared configuration directory on your file system. Users

need to have read / write access. This directory can be configured in the “Configuration dialog”.

Cleopatra Enterprise needs read / write access to the user directory to store user settings. This is

specified in the Windows variable “%USERPPROFILE%.

Cleopatra Enterprise does not need any software to be installed on the client machine. As such,

installation of the client can be done on a central file server.

MS SQL Server needs access through TCP/IP port (default 1433), even if it is installed locally. You

may need to configure your firewall to open up this port.

In order for Cleopatra Enterprise to communicate with MS SQL Server, SQL Server needs to support

TCP/IP traffic. This is a special setting, which is not enabled by default. To configure it, see

"Configuring MS SQL Server for Cleopatra Enterprise".

Deployment via Citrix is supported. Be aware that each user needs read / write access to his own

user directory, which can be configured in Citrix.

To view the online manual, Cleopatra Enterprise needs access to the internet. If this is not possible,

an offline version is provided as well with the installation. Be aware that the online manual is updated

regularly. To get an update of the offline version, please contact support.

79


5.2.4 Remote access

If it is not possible for all users to access the central file system where Cleopatra Enterprise is installed, there

are various options to support remote access to Cleopatra Enterprise:

Citrix

This is actually the preferred way of supporting users over multiple remote locations which don't have access

to the company's network, but do have access to the internet. Citrix implements the server based computing

concept and enables application accessibility through small bandwidths.

Cleopatra Enterprise needs to be installed for each Citrix server. The "Shared configuration" directory

containing the license and other configuration data needs to be located on a common data server; the

Microsoft SQL Server needs to be located on a database server. For a good performance the communication

between the Citrix server and the Microsoft SQL Server must meet the recommended Microsoft SQL Server

requirements.

Multiple local versions

If there are users who have no access to the "Shared configuration" directory and database server, multiple

local versions of Cleopatra Enterprise need to be installed. Please note that each of these installations

requires a separate license. In order to share data between the various local installations the "Web sharing"

module can be used. The "Web sharing" module enables secure sharing of Cleopatra Enterprise documents.

Cleopatra Enterprise uses the WebDav protocol to accomplish this. In order to use the "Web sharing"

module client machines need to have access to a web server which supports servlet containers (e.g.

Tomcat) or an application server that supports at least servlet spec 2.3. The web server needs to have Slide

installed. The web server can be accessed from within Cleopatra Enterprise and sharing documents is just a

matter of dragging and dropping documents onto the web server.

Other technologies

There are various other useful technologies to enable network access for users who only have internet

access. VPN and remote desktop are just two of the available options.

5.2.5 How to prevent out-of-memory-errors

When working with large documents, you can encounter the following error message:

The task could not be completed, because it could not reserve enough memory. Check the manual how to

increase the amount of memory Cleopatra Enterprise can use.

To increase the amount of memory Cleopatra Enterprise is allowed to use, take the following steps:

Go to installation folder where Cleopatra Enterprise is installed. By default this is C:\Program

Files\Cleopatra Enterprise\ on Windows XP.

Create a new text document (right click in the folder => New => Text Document) and name it

"Cleopatra Enterprise.vmoptions" without quotes.

Open the file in Notepad (right click on the file => Open With... => Notepad) and add the

following line to the file:

-Xmx950m

This means Cleopatra Enterprise will reserve a maximum of 950 MB of memory when

running. You can increase or decrease this number as appropriate.

Restart Cleopatra Enterprise for the new memory settings to take effect.

You can check if the settings is correctly used by checking "Help => About => System Info"

and look for the line memory usage, which for the above example should look something like:

Memory usage: 27MB of 62MB (max: 508MB)

If you assign too little or too much memory, Cleopatra Enterprise will not be able to start and

show an error. Adjust the amount of memory or remove the line from the file to use the

default setting.

80

Installation

81


6 DBMS configuration

6.1 Database server registration

A database server is a program that stores data and processes SQL queries. The term may also refer to a

computer dedicated to running such a program.

Data on a (SQL) database server is stored in databases. In order for Cleopatra Enterprise to be able to

manage databases belonging to a SQL database server on the network, that server must first be added to

the list of managed database server registrations.

A database server registration can be compared to a connection that is made to the actual database server.

Registration refers to the process that makes Cleopatra Enterprise able to use a particular database server

(also see "How to create a database server registration").

82

DBMS configuration

6.1.1 How to create a database server registration


Registration refers to the process that makes Cleopatra Enterprise able to use a particular database server.



Select "Database management => Manage databases".

Press the "New SQL server registration" button.

The "New SQL server registration" dialog appears.

Enter "Localhost" in the address field.

Leave the "Instance name" field blank.

Enter the "Port" number e.g. by default the port number is "1433".




83


6.1.2 How to open a database server registration


Registration refers to the process that makes Cleopatra Enterprise able to use a particular database server.



Select "Database management =>Manage databases".

Double click on the desired database server registration or press the ’+’ sign in front of it.

The "Login" dialog appears.

Select "Use windows authentication".

Press the "Login" button.

The "Login" dialog is closed.

84

DBMS configuration

6.1.3 How to create a database



Select "Database management =>Manage databases".

Login into a SQL server registration.

Select an SQL server registration.

Press the "Create database" button.

The "Create database" dialog appears

Enter a "Name" for the database.

Press the "OK" button

Press "OK" on the message dialog.

The database is created.




rights and is useful when investigating all features of the product. It is recommended to

delete this user in a production environment.





85


6.1.4 How to create a database user





Select a database.

Press the "Create database user" button.

The "Create database user" dialog appears.

Enter a "User name".

Enter a "Password".

Enter the password again in the "Confirm password" field.


The user is added to the database.



86

DBMS configuration

6.1.5 How to reset a database user password





Select a database.

Select the database user who's password needs to be changed.

Press the "Reset password" button.

The "Reset password" dialog appears.

Enter a "Password".

Enter the password again in the "Confirm password" field.


An "Information" dialog appears.


The password of the database user is changed.



87


6.2 Database connections

A database connection contains all parameters necessary to set up a connection with a certain database. A

database connection is a facility that allows Cleopatra Enterprise to talk to database server software,

whether on the same machine or not. A connection is required to send commands and receive answers.

Cleopatra Enterprise supports two different types of connections:

Public: Available to all users using the same configuration setting.

Private: Public connections are only available for the user that created them.

88

DBMS configuration

6.2.1 How to create a database connection

or





Select a "Database".

Press the "Create connection" button.

The "Create connection" dialog appears.

Select a "Personal connection" or "Shared connection".

Enter a "Connection name".

Select "Use Windows authentication" or use "SQL Server authentication".

Press the "OK" button on the "Create connection" dialog.



89




Select the "Shared configuration => Database connections" or

Select "Personal configuration => My Database connections".

Press the "New database connection" button

The "New connection" dialog appears.

Enter a "Connection name".


Enter the database "Server name" that contains the database.

Optionally enter the "Port" number for the SQL server registration. e.g. to select the default

port number enter "1433".

Enter the "Database name".

Set a tick mark in "Use Windows authentication" or use "SQL Server authentication".

Press the "OK" button on the "New connection" dialog.



In order to connect to an SQL server on a remote machine make sure the firewall opens

the port on which the SQL server registration is listening.

90

DBMS configuration

6.2.2 How to verify database connection


The configuration dialog appears.

Select the "Shared configuration => Database connections" or

Select "Personal configuration => My Database connections".

Select the "Database connection" to be verified.

Press the "Verify database connection" button.

The "Verify Database connection" dialog appears.




In order to connect to an SQL server on a remote machine make sure the firewall opens

the port on which the SQL server registration is listening.

91


7 Backup and restore database

7.1 Backup

7.1.1 How to create a backup of a database





Select a database.

Press the "Backup database" button.

The "Backup database" dialog appears.

Enter the full filename including the file path for the backup file.


The backup database is created.



92

Implementation Plan Cleoptra Estimating

7.2 Restore

7.2.1 How to restore a database




Login into a SQL server registration to which the database should be restored.

Press the "Restore database" button.

The "Restore database" dialog appears.

Enter a "Database name" for the restored database.

Enter the full filename including the "File path" of the backup file.


The database is restored.



93


7.3 Migrate

7.3.1 How to migrate your data

Migrating existing data consists of the following three parts.

Migrating shared configuration data

See one of the following chapters for more information:

How to migrate shared database connections

How to migrate shared web sharing connections

How to migrate custom languages

Migrating existing databases

See How to migrate existing databases for more information.

Migrating user preferences

Migrating user preferences has to be done for each user (locally on his machine). See one of the following

chapters for more information:

How to migrate personal database connections

How to migrate personal web sharing connections

How to migrate user preferences

As an alternative you could make use of preference templates as described in "How to make

a user preferences template" and "How to import a user preferences template".

In case of any problems see "How to recover from an error during migration".

How to migrate shared database connections

94

Implementation Plan Cleoptra Estimating

7.3.2 How to migrate shared database connections


Select "Database connections".

Press the "Update all connections from another Cleopatra Enterprise version" button.

The "Select Cleopatra Enterprise configuration folder" dialog appears.

Select the configuration folder of a previous Cleopatra Enterprise version.


If there are any database connections in the previous version that are not present in the

current version, they will be added to the list.

How to migrate shared web sharing connections

95


7.3.3 How to migrate personal database connections


Select "My database connections".

Press the "Update all connections from another Cleopatra Enterprise version" button.

The "Select version" dialog appears.

Select a previous Cleopatra Enterprise version from the list.


If there are any database connections in the previous version that are not present in the

current version, they will be added to the list.

How to migrate personal web sharing connections

96

Cost Engineering

IJsselmeer 32e

3332 EX Zwijndrecht

PO Box 25

3330 AA Zwijndrecht

The Netherlands

Tel +31 (0)78 620 09 10

Fax +31 (0)78 620 91 42

www.CostEngineering.eu

Cleopatra Enterprise - Cost Engineering

Create successful ePaper yourself

Delete template?

Save as template?