Security Tab

Use the Security tab on the Affiliate Setup screen to manage usernames; initials used for logs, WhoCreated fields in reports, and audit trails; passwords; and levels of security and access within Keystone. On this screen, you can add new users, modify the information and privileges of existing users, and mark as inactive users who no longer need access to Keystone. The Security tab helps you control what parts of Keystone a user can access and allows some control over what users can do with data in each section.

Open Security vs. User-Level Security

Keystone provides two security options: Open Security and User-Level Security.

Open Security creates only one password for access to all Keystone functions. All users use this one password when they launch Keystone. You can still define initials for users, which will help you assign and manage logs and reminders for people at your affiliate. Keystone is set to Open Security by default, with an initial password of Keystone.

User-Level Security allows you to create separate usernames and passwords for each person who uses Keystone. As a result, users have to log in with a username and password when they start Keystone. Since each user has their own unique username, you can restrict an individual user’s access to certain parts of Keystone and use Keystone’s Audit Trail to identify who created, modified, or deleted records. It is highly recommended that you use User-Level Security to help protect your data.

To set up Open Security

1. Go to the Security tab on the Affiliate Setup screen.
   You will need Administrator-level access to open Affiliate Setup.
2. Select Open Security in the Type of Security pane.
3. Set the password that all users will use to log in to Keystone by entering it into the Open Security Password field.
   You can leave the Open Security Password blank; however, this allows anyone who launches Keystone to access your database without having to enter a password.
4. If you need to add new users to the list, or to modify or delete an existing user, click the Add/Modify/Delete Users button.
   If you have never created users in Keystone, you will need to add them first. When you click the Add/Modify/Delete Users button, the Users Add/Modify/Delete window appears.
   
   Enter the user’s full name (e.g., Jane Smith) in the new record line. You can enter as many names as you want at one time. When you are done, click the Close button to return to the Security tab.
5. Select the user for whom you wish to edit security information from the Users drop-down list.
   While Open Security does not use individual usernames and passwords, it still allows you to set up different users for the purpose of tracking user's initials and names in log entries.
   
6. Check the Active check box.
   The Active check box should be checked for all users who are currently using Keystone. It should be unchecked for users who are no longer using Keystone.

You may not want to delete inactive users so that you can preserve those users for the purpose of retaining their username and initials for historical log entries and audit trails.

7. Enter the user’s initials.
   The initials in the Initials field are used on all log screens to indicate which user added a particular log entry. For purposes of Keystone security, no user may share the same initials with another user.
8. Enter the Job Title and Term for the user, if needed.
   Here you can enter the user’s job title and the date he or she started working at your affiliate (Term). When the user leaves, you can add an end date to the Term field to show their total time of service at your affiliate.

The User Name and User Password fields are not used for Open Security and, therefore, are disabled. The only exception to this is the Administrator's password. The Access pane is also disabled under Open Security as you cannot restrict access to individual parts of Keystone using Open Security.

The Log Initials report provides a list of the users’ Initials, Name, Job Title, and Term. Use this report to see who added past entries into logs, what their function was, and when they held that job.

To set up User-Level Security

For User-Level Security, the Administrator must enter a separate username and password for each user. Under User-Level Security, when a user starts Keystone, they are asked to log in with a username and password. Because each user has their own account, Keystone can use security features such as the Audit Trail to track how a user changes your affiliate’s database. You can also limit what parts of Keystone a user can access.

1. Go to the Security tab on the Affiliate Setup screen.
   You will need Administrator-level access to open Affiliate Setup.
2. Select User-Level Security in the Type of Security pane.
3. If you need to add new users to the Users list, or to modify or delete an existing user, click the Add/Modify/Delete Users button.
   If you have never created users in Keystone, you will need to add them first. When you click the Add/Modify/Delete Users button, the Users Add/Modify/Delete window appears.
   
   Enter the user’s full name (e.g., Jane Smith) in the new record line. You can enter as many names as you want at one time. When you are done, click the Close button to return to the Security tab.
4. Select the user for whom you wish to edit security information from the Users drop-down list.
   
5. Check the Active check box.
   The Active check box should be checked for all users who are currently using Keystone. It should be unchecked for users who are no longer using Keystone.

You may not want to delete inactive users so that you can preserve those users for the purpose of retaining their username and initials for historical log entries and audit trails.

6. Enter the username and password for the user in the User Name and User Password fields.
   The User Name must be unique and not in use by another user. The User Name can only be edited on the Security tab.
   
   While the initial User Password must be entered on the Security tab, the user can always change their password later by choosing Change User Password from the Tools menu.

Because the Administrator user is a default account in Keystone, its User Password can be changed on the Security tab.

7. Enter the user’s initials.
   The initials in the Initials field are used on all log screens to indicate which user added a particular log entry. For purposes of Keystone security, no user may share the same initials with another user.
8. Enter the Job Title and Term for the user, if needed.
   Here you can enter the user’s job title and the date he or she started working at your affiliate (Term). When the user leaves, you can add an end date to the Term field to show their total time of service at your affiliate.
9. Set up which areas in Keystone you want the user to have access to in the Access pane.
   The Access pane contains many choices for setting levels of access to Keystone’s six functional groups. These groups are: Construction, Contact Management, Development, Family Services, Finances, and Volunteer Coordination.
   
   When the Administration check box is checked, this means that this user has full access to all Keystone functionality. If the Administration box is unchecked, you can set the separate levels of access to each of the six functional groups listed above.
   
   The levels of access within each functional group are: None (No Access), Read Only (can view data but cannot add, modify, or delete), or Read/Write (can view, add, modify, or delete data). This access can be set separately for each of the six different functional groups. Because Contact Management is used by all of the other functions, None is not a choice for Contact Management.
   
   For example, if the user’s access for the Development group is set to None (No Access), when the user starts Keystone, the menu options and the tool bar shortcuts related to Development are disabled. In addition, on the Reports screen, Development is not available as a report category and Development reports are not available.
   
   Similarly, if the user’s access to the Family Services group is set to Read Only, when the user opens a Family Services screen, all of the data on that screen will be locked; the Add/Delete/Modify button will not be available; and Read Only will be shown in the title bar. If the user’s access to the Family Services group is instead set to Read/Write, when the user accesses a Family Services screen, the user can view or modify all of the data on the screen; and the Add/Delete/Modify button is available for use.
   
   When a new user is created, the user’s default access is set to Read Only for all functional groups.

Setting User-Level Security ensures that the identity of users making changes to financial information or creating Contact and Category records is recorded for audit purposes.

The Log Initials report provides a list of the users’ Initials, Name, Job Title, and Term. Use this report to see who added past entries into logs, what their function was, and when they held that job.