From technological point of view, the system consists of SQL database, user workstations and, if applicable, the application server, or server for EGJEWeb2. The system is created using the Java programming language, only very small parts are programmed directly in the SQL database in its native language, resp. som parts of EGJEWeb2 are written in JavaScript language

Application server uses java environment. It is possible to use OpenJDK java or java from Oracle SE subscribtion.

EGJEWeb2 uses servlet container Tomcat.

Application is distributed as follows: it is stored on the internal web server of the company (or, in worse case, on file server) and subsequently access is enabled for workstations by system EGJE Web Start (EWS).

schema_EGJE_a

Mobile access is solved using web technologies (EGJEWeb2). The application is built using "Responsive web design" technics and adapts the environment in which it is launched.

Special authentication for mobile devices is also available. There is a possibility to set up same restrictions for mobile access.

2.1 Implementation of application server

Question whether to implement application server or not depends in particular on network and memory requirements and on the load distribution. Application server communicates with the application using the RMI technology.

2.1.1 Application server in standard configuration

application server is not mandatory component
from e201905 also EGJEWeb2 server can offer AS functionality (on Tomcat)
communication between client and AS is realized via RMI (and encrypted by default)
communication is compressed (to reduce a network traffic)
differences from client only regime:

client station is not configured to connect to database
it can be without db server access completely
client station doesn't own database connection (more secure)
authentication is on application server
whole communication is encrypted (ssl/tls by default)
client station is more memory efficient; on the other side - application server should be enough strong
server provides for access to information often faster
administrator can control tasks and client access (Adm51)

2.2 Implementation of server for module EGJEWeb2, HR Portal

Module EGJEWeb2 serves as a user interface for an employee, or manager respectively. It however depends on implementation whether the manager (and possibly which one of managers) will be using simple web client HR Portal or more function-rich EGJEWeb2 client or java standard client. This application also provides most of the functionality for referents.

HR Portal user interface is a separate business item.

Application EGJEWeb2 is Java Servlet application; it uses GWT framework and ExtJs components. This application uses and make available reports and forms from the standard EGJE java client.
Application uses identical technology for processing the database (elanor datasource or JDBC) and the same technology for creating reports (Jasper Reports) as standard EGJE, while reports from the standard application are fully transferable to web solution, while forms transferability is 90%.

2.3 Operation via terminal servers

In general, the application may be operated via terminal servers (Citrix). A server’s performance and memory only needs to be sufficiently sized.

Also, integration with user’s environment is slightly more complex (mail merge, exports to XLS, e-mail communication) because SW, which takes over the outputs from EGJE and processes them, is usually located on the user’s workstation.

There is necessary to allow html clipboard in citrix - http://support.citrix.com/article/CTX112063

to work with html columns filled via clipboard (e.g. Zpu01 / Content)

The following options are available for running EGJE on the citrix installation:

· Direct triggering via javaw resp. batch execution from a file server - Recommended!

(especially if there are multiple Citrix servers)

see Appendix B: Installation - Alternative EGJE Batch Startup

· startup via EWS - the disadvantage is the application cache increasing the size of the user's home directory, but it is possible to use the system cache.

3 HW and SW requirements

3.1 Summary

Database:

· Oracle

· Oracle 12c R2, 18c, 19c

· MS-SQL Server

· Microsoft SQL Server 2014

· Microsoft SQL Server 2016

· Microsoft SQL Server 2017

· Microsoft SQL Server 2019

· Microsoft SQL Server 2022

User Workstation for java client

· Generally, any workstation with sufficient performance capabilities and can be used with Java 11, Java 17 or Java 21 (only LTS version, other one are not supported from Elanor), with PDF reader and access to printer, or with its local printer.

· Recommended minimum resolution 1366 x 768

· We also recommend to install software capable of processing export files XLSX, CSV, XLS
(Microsoft Office or Microsoft Excel viewer or OpenOffice/LibreOffice)

Application Server

· Generally, any server which can be used with Java 11, Java 17 or Java 21 (only LTS version, other one are not supported from Elanor).
It does not necessarily have to be a standalone server, for smaller installations it is possible to use common location with database server.

· Application server is not a mandatory component; implementation on EGJEWeb2 is optional as well.

· AS installation uses Tanuki wrapper
For 64-bit Windows is Tanuki wrapper commercial appl.only for other free version is sufficient.

See appendix D.

Server EGJEWeb2

• Server with Java 11, Java 17 or Java 21 with servlet container Apache Tomcat version 9.x (tested under Windows and Linux OS)

• For Tomcat 9.0.x version we recommend minimum version 9.0.33. Version 9.0.31 is not recommended. I could cause problems while uploading files

• Version Apache Tomcat 10 is not supported yet

• The support of version Apache Tomcat 7.X and 8.x has been finished (https://endoflife.date/tomcat)

• Installation is described in appendix C1

EGJEWeb2 user workstation

· Web browser (Google Chrome, EDGE, Firefox). Browsers IE and Safari are not supported.

· Recommended minimum resolution 1366 x 768

· PDF reader and accessible printer

· We recommend also SW to work with XLSX, CSV, XLS files
(Microsoft Office, resp. Microsoft Excel viewer, resp. OpenOffice/LibreOffice)
resp. DOCX, RTF, ODT (Microsoft Word resp. OpenOffice/LibreOffice)

Web server (or file server) with EWS template

· Generally, any intranet web server (in worse case a file server) accessible to end-users.

· Application template in a form of application package EGJE Web Start, resp. Java Web Start is located on the server.

· Again, it does not necessarily have to be a self-standing server – sharing a single folder will suffice.

Authentication Server

· Usually Windows domain server for all users and workstations common for other applications. This server can be used for interactive and also SSO authentication.

· Also LDAP server can be used for interactive authentication.

Mail server

· Some parts of the system (typically workflow) use email communication. This is realized by connecting to the SMTP server for sending mail.

· Applicant's area uses POP3 interface for incoming mail. Conveniently, the mail server should be equipped with antispam filter and antivirus solution, this however is not necessary precondition. Application will recognize “its own” e-mails and responses to them and will process these with priority.

3.2 Database server

Supported databases:

· Oracle 12c R2 (Standard Edition, Enterprise Edition) - version >= 12.1.0.1

· Oracle 18c (Standard Edition, Enterprise Edition)

· Oracle 19c (Standard Edition, Enterprise Edition)

· Microsoft SQL Server 2014

· Microsoft SQL Server 2016

· Microsoft SQL Server 2017

· Microsoft SQL Server 2019

· Microsoft SQL Server 2022

Database may be operated on HW with various OS (unix, linux, windows).

Application features by transaction processing (OLTP) predominantly.

Oracle Database instance shall be created with unicode charset and it must be installed with XML DB.

Installation with Oracle supports full use of unicode characters, while the installation with SQL Server works with the data in the character set 1250th (unicode characters are allowed only in certain texts and are only available in selected screens).

Requirements for the database performance and size are roughly the same as for Elanor Global.

For especially extensive installations ( > 5000 employees) Oracle RAC may be implemented.

3.3 User Workstation

· Generally, any workstation with sufficient performance capabilities with Oracle Java JRE 11 or 17, with PDF reader and access to printer, or with its local printer.

· Operational tests are under Windows 10 Enterprise and Windows 11 Enterprise.

only was tested, however.

· Recommended minimum resolution 1366 x 768

· PDF files viewer (typically Adobe Reader). Citrix compatible in case of citrix.

· We also recommend to install software capable of processing export files CSV, XLS, XLSX

· (Microsoft Office or Microsoft Excel viewer or OpenOffice/LibreOffice).

· For workstations we recommend >= 4 GB memory.

· Requirements for storage space are not big. Software takes up to 500 MB (%USERPROFILE%\AppData\Sun\Java\Deployment).

· Volume required for work files, protocols and print reports (%USERPROFILE%\Documents\EMAN) depends on the user’s work nature and typically is about 100 MB.

· Text print (Vyp12, Vyp32 ...). User chooses in dialog a text port LPT1, LPT2, LPT3. So in operating system a printer should be attached to one of these ports.

· Internet access I. (see also next chapter EGJE - Internet Access)
Report Kon04 - Check insolvency proceedings [CZ] uses a web service call.
It acquires data from a Web services server justice.cz
(See description https://isir.justice.cz/isir/common/stat.do?kodStranky=SLEDOVANIWS)

The operation requires assembly:
• Setting the http, https (proxy)
It needs to configure the connection to the proxy server, if the customer uses a proxy server in your corporate network infrastructure, resp. enable addresses starting https://isir.justice.cz:8443/.
The actual connection setting to the proxy server requires a correct connection configuration for HTTP and HTTPS.

You can test also directly in browser – enter address

https://isir.justice.cz:8443/isir_cuzk_ws/IsirWsCuzkService?wsdl

Browser should read web service xml description.

Starting EGJE via batch file *.bat and Web server configuration - administrator must not forget to set / use the following environment variables:

For HTTP, HTTPS:

• Enter into a variable proxyHost specific (domain) address of the proxy server.

• The variable proxyPort set the port on which the proxy server on the server provides its services.

So -DproxyHost = proxy.firma.cz -DproxyPort = nnnn
• If the proxy requires authentication, you need to set the variables:
- proxyUser username for authentication on the proxy server.
- proxyPassword password for authentication on the proxy server.

· Note: if you want to have different http and https settings, you can use prefixes before

variable:

http.

https.

When executing via EWS, the administrator will check if the proxy settings are needed and if it is necessary in the given environment, add to the .egje file.

Note: For installations with AS the EGJE client setting should be set

To server run via Adm53 access settings of AS is necessary. Parameter for proxy settings are admin writes to wrapper.conf file as wrapper.java.additional parameters -D.

E.g.

wrapper.java.additional.3=-DproxyHost=xxx

wrapper.java.additional.4=-DproxyPort=ppp

Resp. also -DproxyUser a -DproxyPassword

· Internet access II.

Direct access to the Internet uses a form Adm24 - Exchange rate / Import from the Web

If the Java VM hasn't direct internet access but it has through a proxy and the settings in the OS is not done. or it cannot help, you can set up a proxy using the parameters

-DproxyHost = proxy.firma.cz -DproxyPort = nnnn

(batch run is described in chapter Installation – standard EGJE client via batch files Appendix B)

Setting refers to a batch run (parameters java)

Starting with EWS, JWS - Java Runtime successfully takes the proxy settings from the OS, however you can set it here (.egje, .jnlp the element property in <resources> <property name="http.proxyHost" value="proxy.firma.cz">)

To download the exchange list on AS (Adm53) is intended analogous to custom report Adm24f.

3.4 EGJEWeb2 client workstation

· HW and SW requirements are similar as for standard client, browsers are used instead of java JRE

· Web browser (Firefox, Google Chrome,EDGE(EDGE chromium)). Chrome and firefox - we test the latest version only.

Note: browser EDGE is usable for EGJEWEB2 without limitations, for EGJEWEB is necessary to use download for PDF reports

(Adm21/Commun.param. / EGJEWEB - View reports PDF, HTML in browser:

0 - Download report)

· Recommended screen resolution from 1366 x 768

· PDF reader and accessible printer

· We recommend also SW to work with XLSX, CSV, XLS files
(Microsoft Office, resp. Microsoft Excel viewer, resp. OpenOffice/LibreOffice).

· Browser setting

o popup windows allowed
(used mainly to show protocols, also at rights setup)

o server with application insert into Local Internet resp. Trusted sites

o application require File download permission with "automatic prompting"

o to use Firefox with automatic single sign on you should assign the server with application into following group (command line / about:config / Filter Ntlm / parameter network.automatic-ntlm-auth.trusted-uris - server address (addresses)

o the same for browser Chrome - run parameter (add to shortcut)

--auth-server-whitelist
e.g. --auth-server-whitelist="*aaaa.cz,*aaaa.corp"

o enable cookies

o if you use https connection, you'll permit mixed contents
e.g. in IE 10/11 it is: Internet options / Security settings / Local Intranet zone / Custom level / Miscellaneous / Display mixed contents = Enable

3.5 EGJE - Internet Access

Internet access is required in standard EGJE for Kon04, Adm24 objects (see previous chapters) and also for access to education fields (Trexima CZ).
You can use the About menu / Test Internet Connection button to test access to internet.
Specific addresses are tested, and proxy settings may affect accessibility.
Proxy settings for both standard client and AS are described in the previous chapter "User workstations ".
Note: For EGJEWeb2 its means a web server connection. For java client with AS its means AS and client connection.

3.6 Launch Parameters for EGJEWeb2

3.6.1 Referent Interface

The command line parameters for the browser are written by adding the ? character after the starting URL.

Automatic Profile Selection

The parameter p=profile_code is used.

Example: /?p=ZAME_DOCH

Note: Do not use profile codes with diacritics – browsers have issues with this, and automatic profile selection may not work.

Form – Automatic Opening

Use f=form_code. For example: https://.../egjeweb/?f=Dca02

Theme

Use theme=style_name_without_spaces.
For example: /egjeweb/?theme=crisp or /egjeweb/?theme=crisp-touch, etc.
By default, this parameter is set by the user in the Settings / Change Theme menu.

Width / Display of Left Menu

Use the parameter lmenu=0, lmenu=1, or lmenu=x where x>150, to suppress the left menu (0) or open it (1) when the application starts, regardless of the user's previous setting when they last exited the application.

The option lmenu=x allows the administrator to directly set the width of the left menu in pixels (minimum 150 pixels).

Example: https://.../egjeweb2_prod/ref/?lmenu=1

Parameters are combined using the & symbol

Example: https://.../egjeweb2/ref/?f=Dca02&p=ZAME_DOCH

3.6.2 HR Portal Interface

The command line parameters for launching EGJEWEB2 / HR Portal are different. The form is launched here by adding #form=formCode to the end of the application’s URL, which may or may not include an interface option (e.g., /mana/ or /emp/).

Some forms also accept additional instructions for their opening—such as the ID of an element in the navigation. For example, in workflow templates (Adm14), it is possible to use the macro %ID_SWORKFLOW2% (ID of the workflow) and then address the application with the form Wflow and this parameter.

Example: %WEB2URL%/#form=Wflow&formParams=%ID_SWORKFLOW2%
Leads to https://xxxxx.cz/#form=Wflow&formParams=15929388

3.6.3 Common Syntax

Starting from version e201609, it is also possible to use launch parameters in the referent interface with # (meaning the referent interface can now process parameters previously used only in the HR portal).

The following are synonyms:

f → form
p → prof

Additionally, both interfaces now support calling a specific tab of a form and, if necessary, OSCPV in the navigation list (e.g., Pv in forms like Osb02, Opv01 or PvDoch in Dcu01, Dcd01).

The syntax used in the # part is:

tab=tab_code: Opens a form with a specific tab.
The tab code can be found in Adm04 / Object Rights Structure / Sub-object (for Tab type).
oscpv=personal_number: Personal number for a form that includes Pv or PvDoch navigation.
The navigation list code can be found when invoking the Selection function; the code is displayed in the header of this dialog.
Note: Calendar forms like Dov16, Dcu06 do not have this navigation.

The application generates alerts for certain scenarios that may occur during launch:

"User does not have rights to the form (%form_code%)"
"User does not have rights to the tab (%tab_code%)" (only if specified in the command line)
"Navigation list – unable to find the required OSČPV record (%OSČPV%)"

Example:

https.…/egjeweb2/ref/?p=MANA&f=Pkz01&tab=Komunikace&oscpv=131.01

resp.

https.…/egjeweb2/ref/#p=MANA&f=Pkz01&tab=Komunikace&oscpv=131.01

Tip:

These parameters are also shown in the command line when navigating within the application, so they can be easily copied from there.

Note 1:

If the user has multiple profiles (e.g., in different languages, or different organizations, or personal and delegation roles), the system will still prompt the user to select a profile from a list, even if a profile is specified.

Note 2:

It is possible to launch the application without specifying the interface (i.e., ref, mana, or emp) even when using profile and form parameters.

3.6.4 HR Portal Called as a Portlet

This interface is designed for integration into various intranets. The application provides a portlet here, meaning in EGJE terms, a form or report. However, it is not surrounded by the top or bottom application bars, and often the display is fixed to a single element (typically a person/PV). The form/report display is derived from the HR Portal design.

It is possible to call functionalities such as Pkz01, Vyp11, etc. Typically, this can be used to display payslips on the intranet, avoiding the existence of PDF payslip files directly in the intranet application.

The condition is SSO authentication (i.e., taking authentication from the operating system without requiring a username and password). For interactive authentication, this would be quite inconvenient for the user.

The implementation is such that additional parameters are added when calling EGJEWEB2:

&tb=false – displays without the top and bottom bars of the EGJE HR Portal.

&ns=fixed – displays without a navigation list, with a fixed parameter provided in the navigation (typically oscpv).

These parameters are usable for the command line of the HR Portal.

Example: .../mana/#p=SPR_MAXWP&form=Pkz01&tab=OsobaPanel&oscpv=109.02&tb=false&ns=fixed

3.7 Email server connection configuration

form Adm21 / Communication parameters

Parameters "Send mail" are used in widely in application.

"Receive mail" parameters are used on in Applicants module only.

Under Adm21 / Communication parameters / Sending Mail are three parameters that will allow TLS connections to the email server and authenticate EGJE as the email server user:

Connection Security:

- unfilled - ordinary unsecured SMTP connection,

- SSL / TLS - secured connection, you need a user and password
(Usually used with port 465)

- STARTTLS - way to secure existing unsecured connection
(Port 25 resp. 587)

SMTP User: The user used to connect to the SMTP server

SMTP Password: password for the user

More about SSL / TLS, respectively. STARTTLS here

https://www.fastmail.com/help/technical/ssltlsstarttls.html

When working through the AS, there is a parameter in the Configurator called AS / Sending and Receiving Email. This parameter allows all email correspondence performed by the system to be managed via the application server.

Sending emails is also related to the Configurator parameter:

Do not check e-mail sender address

Setting whether to perform a formal validation of the sender's email address (usually the user's corporate email – Osb02)

EGJE sender of all email address (voluntary) - for outsourcing mainly

In some installations, there is a problem with sending emails with the domain of the customer's email server in another domain. The correct solution is to write this server to the whitelist and thus enable the sending.

If, for reasons of security at the customer's approval is not possible, the system now allows you on the organization level to replace the sender by filling into Adm21/Parameters mail / "EGJE sender e-mail address". Such emails pass through security. However, we note that such e-mails for example, between the manager and the employee and all the others are just and only sent by this sender. Thus loses clarity of communication and the possibility of direct reply in the email client.

So, if it is not necessary, we won't recommend filling this parameter

Mode for adding the actual sender to the subject of the email:

1 - Standard (add if the sender's address for all emails is filled in)

2 - Never add the actual sender

3 - Add only the surname and first name (i.e., without titles and without 'Od/From')

4 - Actual sender in the format Surname First name (OSCPV), i.e., without titles

While Modes 1-3 are designed for an unified sender, ie the previous parameter "EGJE sender of all email addresses", mode 4 is used to change the formatting of accompanying text in the sender in the mode where the real user is sender of the emails.

Mode 4 lets you get rid of titles in the sender. Some types of e-mail clients misread what title is, what name and what surname.

Having problems with sending email from EGJE (typically workflow errors like:

cz.elanor.eman.datasource.remoteCompute.MailinatorException: Chyba odesílání emailu ...

Caused by: javax.mail.MessagingException: Could not connect to SMTP host: .... Permission denied: connect),

you can set environment parameter -Djava.net.preferIPv4Stack=true (in bat or jnlp file)

4 Installation and dimensioning of parameters

Installation and consultations concerning HW and SW are provided by Elanor employee according to internal methodology.

Certain basic points of these procedures are listed in the end of this document in its attachments.

5 Database Management regime - Data schema Elanor EGJE

Database schema EGJE is fully managed by Elanor change management.

Changes in the schema EGJE are allowed only to the company Elanor. The company reserves the rights to their implementation. As scheme in Oracle we understand a db user with EGJE objects (scheme), in Microsoft SQL whole database.

Exceptions:

Customer is allowed in the db schema EGJE create tables / views in consultation with the implementation team Elanor, respectively helpdesk.

These tables may not begin with "ce".

Especially not allowed to create / modify objects that can affect the process of change management and performance / availability of the applications.

These include triggers and indexes over EGJE objects, and adding custom columns to the tables, views EGJE.

Changing the contents of the EGJE database is only allowed using EGJE, or using an interface developed in cooperation with the implementation team, respectively accepted by Elanor via helpdesk.

If a customer uses for db Oracle statistics collection different procedure than the standard one (installed by Adm51), customer shall send their contents to implementing team / helpdesk.

Customer runs the standard procedure of collecting statistics, when requested via helpdesk - in case of solving a performance problem. It may also be accompanied by a request for deletion of collected statistics.

If a customer needs to change their own interface object created (or partially created) by Elanor, notifies the customer implementing team / helpdesk, and sends the changes source code.

5.1 BLOB - Document storage

The storage of employee documents in the database (Opv31) is more and more popular. Many customers store different documents in db.

Use of Oracle databases, respectively MS SQL Server offers the possibility to save these documents to a different disk space than other common relational data.

We can offer you advisory services for this transfer. At Oracle, it's about using mechanisms to move them directly to your table space, datafile.

MS SQL Server is more complicated, it is possible to shut down db, move data, rebuild db tables and restore data.

In these variants, documents containing relational databases remain, consistency is guaranteed, and common backup mechanisms back up both (ie, relational data and documents).

As part of the racionalization and further development of EGJE, since version e202211 objects of the document/file type have been gradually moved from sub-tables to one common storage, which is the DB table CETDOK.

The transfer of documents/files only applies to newly added or edited records at the moment, previously added documents/files remain in the original tables (for now). The moved document/file is replaced by a link to the central repository where the document/file was moved. This relation is ensured by the connection table CETDOKVAZBA.

So, at the moment it is a hybrid document storage solution. Interfaces that are the part of maintenance have been prepared for this mechanism. In the case of interfaces managed by the client itself, it is necessary to adjust the connection to meet this hybrid solution. We are ready for solution consultation.

After the implementation the relation for all corresponding tables containing BLOB objects to the new storage, a summary transfer of the original subjects will take place. You will be informed of this in advance.

6 Application administration – update procedure

Generally, administration of EGJE consists of:

· Setting and modification of parameters by means of utility configurator_egje – see next chapter.

· Installation of application update procedure (patch or release versions)
Procedure is defined in description attached to the version. Standard is the SuperConfigurator installation. The internal content is usually to copy the file eman.jar resp. egjelib.jar to relevant deployment folder on the web server (for testing and real-use versions) or possibly on application server.

If EGJEWEB is used, also actualization of tomcat web application is required.

· Database update procedure
Procedure requires running of the modification script, which is part of the version (patch), by the EGJE application itself. Action is executed on form Adm51 accessible to the system administrator. Script must be run both for testing and real-use databases.

Note: It is possible to install all programs first, then run the script only on testing database, perform thorough testing and only after that perform the same procedures on real-use installation/database.

· Database statistics (only Oracle database – Adm51)

· Administration of users

6.1 Setting and modification of parameters by means of utility Configurator_egje

Utility configurator_egje (in windows as a batch called configurator_egje.bat) is located in the configuration folder of installation folder resp. administrator has it in EGJE installation (root folder).

It starts configuration program, which includes the following:

Language of the program can be set up using parameter EGJELANG inside the batch file
e.g. -DEGJELANG = en causes it to run in English.

Starts the configuration program with the following contents:

java -Xmx128M -DEGJELANG=en -cp ../EGJE/egjelib/eman.jar;../EGJE/egjelib/egjelib.jar cz.elanor.eman.sgui.configurator.Configurator ./config_egje.jar

exit

The prerequisite is the path to java program. In terms of OS Windows java.exe that standard Java JRE installation records in Windows \ System32 / SysWOW64 directory. Resp. you need to have in the Environment Variables / Path setting the path to the directory javaJRE \ bin respectively. javaJDK \ bin.

Triggered version of java you will find from the OS command line via command java -version

Each EGJE client installation template and each server (AS or EGJWEB2) has its own configuration file config_egje.jar and it is advisable to make separate batch file to each (or mapped them all to one SuperConfigurator).

6.1.1 Address EWS

We enter the path to the root folder of EWS distribution (EGJE Web Start).

Path shall be entered in the following form:

http(s)://...

e.g.: https://prghr1/egje_vzor

or in a form:

file:/...

e.g. file:/J:/egje_install_vzor/egje

We recommend to prefer http(s) format.

Java 11 no longer supports the JWS mechanism, it is replaced with the EWS created by Elanor. So, we recommend no using the connected function with JWS (which is for example in the bold square in the picture below).

The EWS mechanism is released as a standalone distribution, and its functionality is described in the document "EWS – Documentation.pdf" within the EWS distribution package and here in Appendix B.

Note: Data file config_egje.jar but remains a major carrier of the configuration information. It is also used for AS, EGJEWeb and to run client using a batch file. Described alternative is not applicable for kerberos authentication (requiring transfer config file * .jar/krb5.conf).

Note: As an alternative to EWS the client can start using batch file from fast and reliable file server, see Appendix B. Here is also subscribed the difference between using Java 9 and 11.

Note 2: Installing EWS with built-in Java 11 no longer creates a Control Panel.

6.1.2 AS – application server

Note: All changes made must be stored by common button "Ulož" ("Save").

For configuration without application server use setting

"Mód: Klient bez AS" ("Mode: Client without AS")

For configuration with application server use setting

"Mód: Klient s AS" ("Mode: Client with AS")

For configuration of an application server use setting

"Mód: Aplikační server" ("Mode: Application server")

and the application server will process everything that may be forwarded to it.

For mode: Client without AS no other information are necessary.

For EGJEWeb2 use choice Web server.

Mode Client without AS:

For mode Client with AS

you should choose AS regime, when there is more AS (repeat couple server:port divided with comma)

Cascade - client tries to connect to AS for communication in written order

These servers are also added to AS for reports and AS for alg.processes

Specialized - client tries to connect to AS for communication in written order.
These servers are also added to AS for reports and AS for alg.processes but in reverse order
Random - randomly selected AS for communication from the listed
These servers are also added to AS for reports and AS for alg.processes

Note: for mswin_ntlm and mswin_kerberos authentications you ought to use host name instead of IP address for the server

AS for communication

basic AS to connect and work

AS for reports

request for report is sent to this server,

server collects data and depending on Generate PDF report output setting can also create the resulting PDF. We recommend this setting checked only for specialized server, for standard server for "all" we recommend PDF generation on client station (unchecked)

AS for alg. processes

if filled is used for:

· payroll calculation (Vyp01, Vyp02, Vyp51)

· monthly and yearly settlements (Vyp02, Cep02)

· imports (Vst05)

· GL exports (Uct02)

· "ELDP" export (Poj13, Poj14)

· SI export (Poj18, Poj19)

· checking apparatus (Kon*)

Generate PDF report output - discussed in AS for reports

Generate PDF report output - default not checked - on client side (recommended)

PDF generation is CPU and memory consuming action on AS

Email sending and receiving - on server by default

security consideration - station couldn't have access to smtp and pop3 server

Notice:

for a client with AS, it is not filled in on the following DB connection tab. Filling it ou tis a serious security flaw.

For mode Application server

IP Port - port to client - server communication

When there is more AS - each should has his own IP Port

AS communication encryption

Encrypted by default from security reasons.

Default is TLS_DH_anon_WITH_AES_128_CBC_SHA. It offers sufficient protection.

Java also offers:

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

SSL_DH_anon_WITH_DES_CBC_SHA

TLS_DH_anon_WITH_AES_128_CBC_SHA

TLS_DH_anon_WITH_AES_128_CBC_SHA256

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA

TLS_ECDH_anon_WITH_AES_128_CBC_SHA

You can change encryption via parameter

rmi_cipher_suite

in client and server config_local.properties

(resp. on AS via wrapper.conf

wrapper.app.parameter.n=-Crmi_cipher_suite=...)

Compression of communication with AS

Compressed by default

We recommend using the compression; it significantly reduces the volume of transmitted data without too burdening both sides

For mode Web server

There are 3 possible interfaces to access:

EGJEWEB2/HR Portal

REST web services

AS (from e201905 AS can run also in EGJEWEB)

Maximum duration of an inactive session (in seconds):

Sets the time after which an inactive session will be terminated. The default value is 15 minutes

6.1.3 DB – Connection to database

Note: All changes made must be stored by common button "Ulož" ("Save").

Not filled for regime AS client !

"Driver" – Class of JDBC driver

either (for Oracle db) oracle.jdbc.driver.OracleDriver

or (for MS SQL db) com.microsoft.sqlserver.jdbc.SQLServerDriver

"SQL adapter":

either (for Oracle db) cz.elanor.eman.datasource.SQLOracle

or (for MS SQL db) cz.elanor.eman.datasource.SQLMicrosoft

"DB URL"

either (for Oracle db) jdbc:oracle:thin:@serverHost :port : db_sid

or (for Oracle RAC db) jdbc:oracle:thin:@description z tnsnames.ora

e.g.: everything in a single line

jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = host)(PORT = port))(ADDRESS = PROTOCOL = TCP)(HOST = host2)(PORT = port2)) (LOAD_BALANCE = yes) (CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = service_name)))

or (for MS SQL db) jdbc:sqlserver://server;databaseName=database;sendStringParametersAsUnicode=false

commonly:

jdbc:sqlserver://[serverName[\instanceName][:portNumber]][;property=value[;property=value]]

Note: for SQL Server is recommended to write to the end of the URL
;sendStringParametersAsUnicode= false

This will result in much faster processing of SQL commands with parameters.

This setting stops completely the possibility of unicode characters (in special fields)

"DB user" - db user name used for login to application (for Oracle, it is the one without _OBJ)

"Password" – user's db password

"User password _OBJ" – password of the objects' owner (i.e. at Oracle this is user with the _OBJ suffix) – user is used only during update procedures

"Oracle - network encryption"

The option allows you to set the mode for Oracle network traffic encryption. The default value is ACCEPTED.

Encryption is also similarly made available in the Oracle Listener on the Oracle server.
See also http://download.oracle.com/docs/cd/B28359_01/java.111/b31224/clntsec.htm EHAFHEIG

The oracleNetEnc entry can also be manually added to the config_local.properties configuration file.

Item description:

# oracle network encryption

# Values: none, ACCEPTED, REJECTED, REQUESTED, REQUIRED

oracleNetEnc = none

The supplier also does not solve the licensing of Oracle Advanced Security product.

For SQL Server, there are also property parameters to enforce encrypted communications.

Property encrypt = true; respectively without setting a server certificate together

; encrypt = true; trustServerCertificate = true

In this case, jdbc driver communicates via the SSL protocol, the second parameter means that the server certificate is not verified.

The application uses a connection pool. In case of Oracle, Oracle UCP is solution for the JDBC driver, in case of SQL Server EGJE uses the Apache Commons DBCP.

For Oracle, it is possible to set the following values directly in the configuration file config_local.properties (or in the wrapper configuration file):

oracle.min.pool.size – minimum pool size
oracle.max.pool.size – maximum pool size
oracle.inactive.connection.timeout – inactive connection timeout

If these values are not specified, default values will be used.

6.1.4 Obecné (General)

"Soubor uživatelských sestav" ("User reports file") – only for administrator who creates user reports.

(see chapter User reports)

"Adobe Reader"

Default path to the PDF files viewer. It is pre-filled for the user but the user may change it in application.

RTF, XLS, TXT, HTML viewers - the same principle

"Http/file folder for help files" ("Http/file folder for help files")

link to the system help files (mapped drive or http address; http is recommended)

"http(s) address EGJE Web" ("http(s) EGJE Web address")

Used for generated emails as a link to the application in old EGJE Web MAZM client

In standard client and EGJE Web replaced with Adm21 / Config.param./ "http(s) EGJE Web address" item.

Configuration of codetable caching Configuration is important for AS respectively EGJEWEB (2)

Reload codetables which are older than user login: ("cache_cis_od_prihlas")

false - use old data read - default fast mode

true - only use data that was loaded from the time the user logged on (which may result in a slower application start from the perspective of the user, but again the certainty that all the codetables are current)

smart - a special mode detecting data changes. It brings mainly reduction the volume of data transmitted, as it always asks there is any change in results of the db query for the codetable, and reloads data conditionally. Technically, it uses Oracle functions ORA_HASH and MSS function CHECKSUM_AGG.

Max. age of codetable (seconds): 14 400 implicitly i.e. 4 hours.

Section other

Turn off SSL certificate validation for HTTPS

The item is useful for example if the company proxy server decrypts the SSL connection and re-encrypts it with a certificate issued by an internal certification authority. It has no effect when running fat EGJE client through Java Web Start.

Stack trace turn off

This option disables stack trace generation. If the customer requires turn off stack trace, for security reasons, because the stack trace may contain information about system internal paths or for example, paths to servers, etc., it is possible to check this option (in checkbox) and generation of stack trace to console will be moved out. However, stack trace is used to identify possible system errors, it contains information about system settings that are needed to detect internal errors.

Therefore, if this option was used, we highly recommend that you also check the option "Send client logs to AS" on the "Logging" tab.

In case of an error, at least the stack trace logs stored on the application server will be available. If this option will be not checked, all stack trace logs will be lost and cannot be used to detect and identify errors in system.

6.1.5 Ověření (Authentication)

Verification or authentication determines who is entering application user.

Basically is divided into interactive (user enters username and password) and SSO (Single Sign On, the application tries to take over verification from the authentication already made in OS).

Also combination is possible, when an application tries SSO and when it fails, will offer interactive user authentication.

We don’t recommend to use Windows account with diacritics.

Note: working with application server, this page is without usage for client configuration.

After changes in this tab it is necessary to restart AS respectively WEB EGJE server.

There are 3 new types of NTLM authentications from version e202405 that will newly enable the use of the SMB2 protocol: NTLogin3, NTLogin3Only, and NTLogin3Interactive. Authentication changes are to be made exclusively in the EGJE configurator. The existing older types of NTLM authentications will remain available due to backward compatibility and will be removed over the course of 2024.

Support for basic NTLM authentications – NTLogin and NTLoginOnly – has been discontinued as of version e202409. These authentications will no longer be configurable in the EGJE Configurator. Since version e202411, it is no longer possible to log in using this authentication.

"Ověření" ("Authentication") – selected authentication mechanism. One of the following values:

mswin_ntlm

Produced by Microsoft security package.
Enables SSO (authentication taking over from the OS) but only for MS Windows
(the installation of the AS / Web server, OS Windows is also mandatory for them)
It does not require any additional parameters.
AS / Web server must run under the user from domain.
Client setup - enter the server name as a name and not as an IP address.
You can use it for the java client without AS also.
If fails the SSO authentication login, it'll follow a dialogue (with the domain).

mswin_ntlmOnly

If fails the SSO application quits.

mswin_ntlmInteractive

Application always uses the authentication dialog.

mswin_kerberos

Produced by Microsoft security package.
Stringent authentication, that first tries Kerberos authentication.
SSO like mswin_ntlm.
It requires to set up a service principal name SPN for a domain (setspn utility) for applications and users:

· setspn utility (for Windows Server 2003 it or yourself from the installation CD)

· setspn.exe-A principal account

where the principal is
HTTP / ServerName for EGJEWEB,
EGJE / ServerName ASfor
account the account running the AS respectively. EGJEWEB

AS / Web server must run under the user from the domain.
Client setup - enter the server name as a name and not as an IP address.
If fails the SSO authentication login, it'll follow a dialogue (with the domain).

mswin_kerberosOnly

If fails the SSO application quits.

NTLogin2 user authentication is taken from Windows NT Authentication,

If fails the SSO authentication login, it'll follow the NTLoginInteractive

NTLogin2Only dtto with the exception that only login takeover from the OS is allowed

NTLoginInternactive the authentication dialog (common for ntlm and ntlm2)

if server is linux and authentication should be SSO with AD, there is a possibility to use

protocol NTLM2.

It is necessary to fill some parameter - see paragraph NTLogin/2 JCifs description

NTLogin3 Similar to NTLogin2 but allows the use of the newer SMB2 protocol

NTLogin3Only dtto with the exception that only OS-based login takeover is allowed, but it enables the use of the newer SMB2 protocol

NTLogin3Internactive with authentication dialog

LDAPOnly application to the LDAP server (typically Microsoft Active Directory entry userPrincipalName.

To the "LDAP / Web entries - default domain user" admin enters the domain (ie what is in userPrincipalName after the @ character- the user than need not enter it)

In this mode the ssl connection is allowed only.

ldapsearch similar to LDAPOnly. In a LDAP SSL URL is in addition the macro with the name

e.g. ldaps: / / xxxxxxx / dc = yyy , dc = com

see http://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html format description

Note: you should set the filter to separate specialized item LDAPSearch - filter.

Other items:

LDAP - user with rights to read

LDAP - password for user with rights to read

Through this user, the application accesses and searches the whole subtree and finds in it the authenticating user.

If the LDAP server allows anonymous users you can leave the items blank.

LDAPSearch - filter - Filter, asserted after logging to the LDAP server

(required for Novell eDirectory)

e.g. uid =%username%

LDAPSearch – the unique identity attribute of the user – the attribute in AD specifying the logname value of the logged-in user. If not filled in, the DN value is used as the logname within EGJE (Distinguished Name). The value of this attribute, if filled, has to correspond to the macro %username% listed within the configuration item LDAPSearch – filter. E.g. Setting of LDAPSearch – filter (&(objectClass=person)(employeeNumber=%username%)), LDAPSearch – the unique identity attribute of the user: employeeNumber

kerberos Kerberos authentication only - ie when running user always enters name and password

It is required to configure the krb5.conf file (configuration Realms) - stored in config_ejge.jar file.

In contrast to mswin_kerberos, the AS / Web Server can be linux. For the authentication is important DNS setting. For authentication Linux against Active Directory, it is appropriate that the primary DNS server is an Active Directory domain controller.

Krb5.conf file example:

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

ticket_lifetime = 24000

default_realm = FIRMA.CZ

dns_lookup_realm = false

dns_lookup_kdc = true

default_tgs_enctypes = des-cbc-md5

default_tkt_enctypes = des-cbc-md5

permitted_enctypes = des-cbc-md5 des-cbc-crc

[realms]

FIRMA.CZ = {

kdc = serverdc.firma.cz:88

admin_server = serverdc.firma.cz:749

default_domain = firma.cz

}

[domain_realm]

.firma.cz = FIRMA.CZ

[kdc]

profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]

pam = {

debug = false

ticket_lifetime = 36000

renew_lifetime = 36000

forwardable = true

krb4_convert = false

}

kerberos_sso

dtto but SSO authentication attempt is first.
AS client setup - enter the server name as a name and not as an IP address.
The java client without the AS - this authentication is not suitable.
If fails the SSO authentication login, it'll follow a dialogue.

It requires the completion of accompanying items under "Kerberos SSO":

The user

and password for preauthentification

SAML

Verification against a server that complies with the SAML2 standard. Authentication settings differ for the Java client and EGJEWEB2.

Glossary of Terms:

SP – Service provider – WEB application EGJE

IdP – Identity provider – trusted system verifying user identity

Metadata – XML file provided by the IdP containing the settings needed for exchanging SAML requests

SP Metadata – XML file generated by EGJE including settings for Idp

SSO – Single Sign On – Single sign-on to multiple Service Providers

SLO – Single Logout – Single logout from both the IdP and all associated Service Providers

jks – Java KeyStore – Storage for saving digital certificates

EGJEWEB2:

In your Identity Provider, you need to configure the endpoint where EgjeWEB will receive the SAML Token. The format of the endpoint is as follows: https://<egjewebURL>/saml/SSO (note that it is case sensitive).

In the Identity Provider, this configuration setting may be labeled as Single-Sign-On URL, Destination URL, or similar, depending on your Identity Provider..

Next, you need to configure the following items in EGJE within the selected SAML authentication:

SP Entity ID: The identifier for your EgjeWEB application chosen by you. This parameter is set within your Identity Provider. The name of this item in the IdP may vary, such as Audience or Audience Restriction, depending on your IdP. Set the corresponding value in the EgjeWEB configuration according to the value you set in the IdP.

IDP SSO URL: The address for initiating automatic login initiated by the IdP. This item is optional; if not set, login for users will use SP (Service Provider) initiated login, i.e., EgjeWEB. Enter the address provided by your IdP here if you will be using IdP-initiated SSO; otherwise, leave it blank. Note that this address is not the address of your EgjeWEB application but the address within the IdP through which you can access the EgjeWEB application via the IdP.

Web Application Address: The external address where the EGJEWEB application is hosted. It should match the address to which the IdP sends the login result, excluding the trailing /saml/SSO.

IDP Metadata: XML document with IdP metadata. This document is provided by your IdP. For ADFS in Elanor, this document can be obtained from the address http://fsso.domena.cz/federationmetadata/2007-06/federationmetadata.xml.

IDP Metadata – Path: URL address to the XML document with IdP metadata. EgjeWEB2 will download the metadata document from this address upon startup.

Metadata Refresh Interval in CRON Format: Interval setting for refreshing the metadata file without needing to restart the application. If needed, you can manually refresh it using the button "Reload SAML Metadata" in Adm51/Správa AS/klienta/Web. There is a button to check the CRON format to ensure it is entered correctly and that the application can read it.

EGJE allows users to specify their own Java Keystore with certificates to be used for encrypting and decrypting SAML Tokens. The keytool utility, which is part of the Java installation, is used to manage the keystore.

In the keystore, you need to generate a key pair, including a private and public key, under some alias. The private key is used by EgjeWEB for decrypting the token that is encrypted by your IdP, while the public key needs to be provided to your IdP. The IdP will use the public key to encrypt the token before sending it to EgjeWEB.

Here is an example command using the keytool utility to generate a key pair:

keytool -genkeypair -alias spring -keypass secret -validity 365 -storepass secret -keystore keystore2.jks -keyalg RSA -keysize 2048

Command above generates a key pair under the alias spring, with the key password secret, keystore password secret, a certificate validity of 365 days, using the RSA encryption algorithm, and a key size of 2048 bits. The keystore will be saved in the file ./keystore2.jks. If the file does not exist, a new one will be created.

You can view the generated certificate in the keystore using the command:

keytool -keystore keystore2.jks -alias spring -list -rfc -storepass secret

Subsequently, you need to paste the displayed certificate into your IdP.

Documentation for the Java Keystore utility in Java 11 can be found here:

https://docs.oracle.com/en/java/javase/11/tools/keytool.html

On the EgjeWEB configuration side, you need to fill in the following items:

Path to the JKS File: Enter the path to the file containing the Java Keystore with certificates for encrypting/decrypting SAML Tokens. This file will be directly included in the configuration JAR. If you make any changes to the keystore, you must upload the file to the configuration again and restart the web server for the changes to take effect in the application. Similarly, you handle the file containing IdP metadata.

Alias for Key: The alias under which the certificate is stored in the keystore.

Keystore Password: The password for the keystore.

Key Password: The password for the private key that will be used to decrypt the SAML Token on the EGJE side.

If you do not wish to encrypt SAML Tokens, you can leave these configuration items blank.

Additional Optional Parameters:

NameID format: It is possible to set the NameID format that will be sent in the SAML AuthnRequest.

Create SP Metadata: Creates an endpoint for generating SP metadata containing the current configuration. The endpoint consists of Web Application Address/saml/metadata.

The Create Metadata button displays the current metadata.

For more details on configuration, see Generating SP Metadata.

Logname element: Sets the attribute from which the login name for signing into EGJE should be retrieved from the SAML Assertion. The default value is Subject/NameID. If AttributeStatement is used, it is necessary to fill in the field “Name of the attribute containing the login name”..

Název attributu obsahujícího logname: Contains the name of the custom attribute included in the “AttributeStatement” element in the SAML Assertion for determining the login name. The value entered should be the name specified in the “Name” attribute within the “Attribute” element.

Always enforce verification on EGJE startup: Adds the parameter forceAuthn=true to the SAML request. When EGJE is reopened, it will always enforce a new authentication with the IdP. The IdP must support and have this parameter enabled. The item name in the IdP may vary, such as "Honor Force Authentication."

Logout from EGJE also logs out from IdP: When logging out from EGJE, a request for Single Logout (SLO) is also sent to the IdP. This logs the user out from the IdP as well as from all currently logged-in Service Providers (SPs) that support this function. The IdP needs to have SLO enabled and configured with the URL: https://<egjewebURL>/logout/saml2/slo (note that it is case sensitive). Additionally, the SP Issuer must be set to the same value as the SP Entity ID.

Log SAML: Enables logging level for SAML libraries to debug. This logs a large amount of data and can make the log file cumbersome. It is recommended to enable this only when troubleshooting SAML authentication issues.

Java client:

In your Identity Provider, you need to configure the endpoint where EGJE client will receive the SAML Token. The format of the endpoint is as follows: http://localhost:<saml_port>/saml/SSO (note that it is case sensitive).

In the Identity Provider, this configuration item may be labeled as Single-Sign-On URL, Destination URL, or similar, depending on your Identity Provider.

Next, you need to configure the following items in EGJE within the selected SAML authentication:

SP Entity ID: The identifier for your EGJE AS application chosen by you. This parameter is configured within your IdP. The item name in the IdP may vary, such as Audience or Audience Restriction, depending on your IdP. Set the corresponding value in the EGJE AS configuration according to the value you set in the IdP.

IDP Metadata: XML document with IdP metadata. This document is provided by your IdP. For ADFS in Elanor, this document can be obtained from the address: http://fsso.domena.cz/federationmetadata/2007-06/federationmetadata.xml

IDP Metadata – Path: URL address to the XML document with IdP metadata. EGJE AS will download the metadata document from this address upon startup.

Metadata Refresh Interval in CRON Format: Interval setting for refreshing the metadata file without needing to restart the AS. There is a button to check the CRON format to ensure it is entered correctly and that the application can read it.

To sign SAML requests, you need to specify a Java Keystore with certificates to be used for encrypting and decrypting SAML Tokens. The keytool utility, which is part of the Java installation, is used to manage the keystore.

In the keystore, you need to generate a key pair, including a private and public key, under some alias. The private key will be used by EGJE AS to decrypt the token encrypted by your IdP, while the public key must be provided to your IdP. The IdP will use the public key to encrypt the token before sending it to EGJE AS. Here is an example command using the keytool utility to generate a key pair:

keytool -genkeypair -alias spring -keypass secret -validity 365 -storepass secret -keystore keystore2.jks -keyalg RSA -keysize 2048

This command generates a key pair under the alias spring, with the key password secret, keystore password secret, a certificate validity of 365 days, using the RSA encryption algorithm, and a key size of 2048 bits. The keystore will be saved in the file ./keystore2.jks. If the file does not exist, a new one will be created.

You can view the generated certificate in the keystore using the command:

keytool -keystore keystore2.jks -alias spring -list -rfc -storepass secret

Subsequently, paste the displayed certificate into your IdP.

Documentation for the Java Keystore utility in Java 11 can be found here:

https://docs.oracle.com/en/java/javase/11/tools/keytool.html

On the EGJE AS configuration side, you need to fill in the following items:

Path to the JKS File: Enter the path to the file containing the Java Keystore with certificates for encrypting/decrypting SAML Tokens. This file will be directly included in the configuration JAR. If you make any changes to the keystore, you must upload the file to the configuration again and restart the AS for the changes to take effect in the application. Similarly, you handle the file containing IdP metadata.

Alias for Key: The alias under which the certificate is stored in the keystore.

Keystore Password: The password for the keystore.

Key Password: The password for the private key that will be used to decrypt the SAML Token on the EGJE side.

If you do not wish to encrypt SAML Tokens, you can leave these configuration items blank.

Port for SSO/SLO: The port number on which the local server listens for redirection to the IdP and back. The specified port must be part of the URL for the SSO and SLO endpoints.

Additional Optional Parameters:

NameID format: It is possible to set the NameID format that will be sent in the SAML AuthnRequest. It is necessary to specify the exact value. If not specified, the default value urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified will be used.

Create SP Metadata: Creates an endpoint for generating SP metadata containing the current configuration. The endpoint is available at:

http://<as_address>:<saml_metadata_port>/saml/metadata

The Create Metadata button displays the current metadata.

For more information on configuration, see Generating SP Metadata.

SP Metadata Generation Port: The port on which the server for generating SP metadata will run.

Always enforce verification on EGJE startup: Adds the parameter forceAuthn=true to the SAML request. When EGJE is restarted, it will always enforce a new authentication with the IdP. The IdP must support and have this parameter enabled. The item name in the IdP may vary, such as "Honor Force Authentication."

Logout from EGJE also logs out from IdP: When logging out from EGJE, a request for Single Logout (SLO) is also sent to the IdP. This logs the user out from the IdP as well as from all currently logged-in Service Providers (SPs) that support this function. The IdP needs to have SLO enabled and configured with the URL: http://localhost:<saml_port>/saml/SLO (note that it is case sensitive). Additionally, the SP Issuer must be set to the same value as the SP Entity ID. To enable logout from the IdP, the keystore for signing SAML tokens must be configured.

Sign SAML SSO Request: Signs the SAML request for login. This is used for IdPs that do not support setting the WantAuthnRequestsSigned attribute in the IdP metadata. To sign the request, the keystore must be configured.

Log SAML: Enables logging level for SAML libraries to debug. This logs a large amount of data, making the log file cumbersome. It is recommended to enable this only when troubleshooting SAML authentication issues.

Generating SP Metadata:

In addition to basic metadata generation, it is possible to parametrically add additional information. To do so, you need to manually edit the config_local.properties file inside the config_egje.jar archive.

These attributes can typically support multiple values — for example, a separate value for each language.

To ensure correct display of Czech characters, the file must be edited using the ISO-8859-1 encoding.

The following areas can be extended:

o UIInfo – The UIInfo element within the Extensions element

§ Used to configure additional information about the launched application.

§ The following elements can be set: Description, DisplayName, InformationUrl.

§ Each element includes a lang attribute specifying the language for which the information is provided.

§ Example configuration in properties:

saml_extensions_uiinfo[0].displayname=EGJE CZ

saml_extensions_uiinfo[0].description=Personálně-mzdový systém

saml_extensions_uiinfo[0].informationurl=https://elanor.cz

saml_extensions_uiinfo[0].lang=cs

o Organization

§ Used to configure additional information about the organization.

§ The following elements can be set: name, displayname, url.

§ Each element includes a lang attribute specifying the language for which the information is provided.

Example configuration in properties:
saml_organization[0].name=Elanor
saml_organization[0].displayname=Elanor
saml_organization[0].url=https://elanor.cz
saml_organization[0].lang=cs

o ContactPerson

§ Used to define a contact person.

§ The following elements can be set: company, given_name, sur_name, email_address, telephone_number.

§ Multiple email addresses and phone numbers can be specified for a contact using indexes.

§ The contactType attribute can be set for the given contact type.

Example configuration in properties:
saml_sp_contact[0].contactType=technical
saml_sp_contact[0].company=Elanor
saml_sp_contact[0].given_name=Guy
saml_sp_contact[0].sur_name=Technical
saml_sp_contact[0].email_address[0]=mailto:[email protected]
saml_sp_contact[0].telephone_number[0]=+720123456987

NTLogin/2/3 JCifs

NTlogin* authentications without number 2 were canceled in e202409 and from e202411 it is not possible to log in to EGJE using them.

Authentications NTlogin2* are for backwards compatibility. We do not recommend using them.

Authentications NTlogin3* meet safety criteria and are appropriate for Linux OS. These authentications use the newer SMB2 protocol

SSO authentication (NTLogin3 and NTLogin3Only) does not use a secure channel for NETLOGON communication with domain controllers. For proper functionality, it is necessary to use an unsecured Netlogon connection for the service NTLM account, see link: https://support.microsoft.com/en-au/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#bkmk_thegrouppolicy

We are working on implementing secure communication, and it will be supported in the next version of IS EGJE.

IP addresses of domain controllers (NT login)

IP address of an authentication server for NT login (if there is more they are separated by a comma; the first one , which is running, is used then)

If none is found, then controller from NT login default domain is used.

In practice, there is sometimes convenient to specify a different server than the domain controller that conveys a call on (SSO for Web application and the Windows 2003 domain controller)

NT login default domain fills the value into domain item for NTlogin dialog.

For NTlogin2 you should fill also parameters:

Simple (non-FQDN) hostname of DC host (NT Login2) (domainControllerName)

Computer account for connection to DC (NT Login2) (ntlm2ServerAccount)

Password of computer account (NT Login2) (ntlm2ServerPassword)

More technical information about NTlogin2 you can find with libraries

jespa-1.1.21 Jespa_Operators_Manual.pdf

There is a well-described creation computer account in AD, which is needed for NTlogin2.

Note: EGJE doesn't use Jespo library, so there are no licenses needed.

Briefly, the process of creating computer account into AD is following:

· Create an account with any of the standard utilities (Active Directory Users and Computers (ADUC) MMC Snap-In).

A maximum length is 15 characters from A-Z, a-z, 0-9, '-', '_'

· Set a password - from command line with script

first parameter is the account name followed by @ and $ and DNS domain name and a second is a password

ex. C:\tmp> SetComputerPassword [email protected] password

The password must be different than the name of the account.

Successful implementation indicates the message "The password was set successfully."

smart_card

Authentication is available from e201905 for java client and from e201909 for web client also.

This is a so-called 2-factor authentication, where the login client needs to insert the card into the reader and enter a password that EGJE verifies against the card's certificate.

We have developed and tested the system on a reader and card sold by First Certification Authority (https://www.ica.cz/Order-Hardware, Smart Card Reader GemPC USB-SL, Smart Card Starcos 3.5).

The user registers the certificate using the Opv51 - Personal Certificate form, while the public key itself is stored in a common storage with Opv31 (as uchaz_dok_typ 51 - Personal Certificate I).

This is used for this authentication instead of the standard Adm10 / Logname that uses all other authentication.

For this authentication, there are other parameters in the Smart Card section:

- Certificate Source: combo Smart Card / User Personal Certificates

- Certificate authority: authority certificate in binary format. If filled in, only certificates issued by this authority can be used for authentication.

- The name in the certificate must match the name in the EGJE - checkbox

Name and Last Name Checks - Certificate vs. Osb02.

In EGJEWeb, this authentication works for tomcat + Chrome or EDGE.

It also works in Firefox, but you need to set up the PKCS # 11 module in your configuration.

While here is a pin-off message from Firefox that is a little distant: "Please enter the master password for the 9203050100050786."

An example of tomcat configuration for this authentication:

<Connector port="8548" protocol="HTTP/1.1" SSLEnabled="true"

maxThreads="150" scheme="https" secure="true"

truststoreFile="${catalina.home}/conf/trust.jks" truststorePass="tomcat"

keystoreFile="${catalina.home}/conf/prghr2.pfx" keystorePass="79798796"

keystoreType="pkcs12" keyAlias="{d2046356-d048-4cac-8a82-9f195766c035}"

clientAuth="true" sslProtocol="TLS" />

Data for changing passwords via LDAP and LDAP authentication:

LDAP - SSL URL

address and port of the LDAP server

e.g. ldaps://xxxx:636

respectively address and port and the root under which there are system users (may also exist the child nodes)

e.g ldaps://prgxx1:636/OU=Country.Czech,OU=ElanorUsers,DC=myorg,DC=cz

LDAPSearch - filter

additional filter

typically is used with Novell eDirectory or with Microsoft AD and also in all situations when filter can't be in directly in connection URL

e.g. uid=%username%

resp. (&(objectclass=person)(userPrincipalName=%username%@myorg.cz))

LDAP-specific user to work with LDAP (+ password)

this user is used to log on and browse an LDAP server, respectively for action in the user management Adm12.

user is used for expired password change in AD

usually is fill with domain e.g. [email protected]

LDAP / Web - default domain for the user

domain, which is added behind the username when you log in

e.g. myorg.cz

Web - LDAP base with maxPwdAge (change password),

LDAP address to discover the maximum password duration

e.g. dc=myorg,dc=cz

It is a warning before password expiration.

Discovering is functional for LDAPOnly for users with rights to Xpw01.

Note: in EGJE is also password change before expiration - see some lines higher

LDAP / Web - time (days) in advance of the expiration a password

It is a period before password expiration when system achieves the password change dialog (typically for LDAPOnly)

Web - administrator's phone - displayed when the password has expired

Web - administrator's e-mail - displayed when the password has expired

LDAP/ Web - Notice - password does not fulfill the rules

configurable notice for the end user for this situation

Note: Additional parameters for creating users into the LDAP repository (form. Adm12) are parameters Adm21/Configuration parameters / LDAP / AD users creation.

File for requests to reset passwords (full path):

EGJE Web enables the address

http://xxxxxx/egjeweb2/ref/resetpass

to generate a text file with requests to reset a password

This parameter specifies the full path to that file.

(The followup-projection into the Active Directory the application does not solve)

WEB / http address - redirect - user has no profile assigned:

is parameter, used by EGJEWEB in case successful authentication, but current user hasn't assigned rights profile in application by its administrator.

In this case browser redirect user to this address. We consider, there will be information about what to do, whom to contact.

The list of profiles allowed for the WEB.

Parameter can reduce, for this particular EGJEWeb2 installation, list of profiles offered to the employee, manager or referent. It is a regular expression. E.g. MANA. * | EMP. * means that only profiles their codes starting with MANA, or EMP.

Exclude check the e-mail address of the sender

Setting whether to check the formal correctness of the sender's email address (usually personal business e-mail - Osb02)

6.1.5.1 Configuration for mobile access

Access from mobile phones / tablets including access outside the intranet or domain may be organized with special installation of EGJEWeb2.

There may be assigned a special authentication "Mobile", but there may be here also other authentication, but the browsers of mobile phones / tablets with mobile user agent always used authentication Mobile. If an administrator at the server enters authentication Mobile other authentication is not allowed. Even PC users are subject to authentication Mobile. Which can be used for some external accesses also from the PCs.

Security of the application in this case has a slightly different structure:

• Here in the Configurator / Authentication you can enter the "The list of profiles allowed for the WEB".

For this particular EGJEWeb2 installation a reduced list of profiles is offered to the employee, manager or referent. It is a regular expression. E.g. MANA. * | EMP. * means that only profiles their codes starting with MANA, or EMP.

Note. Restriction applies to the whole EGJEWeb2 also for the access from PC through some other authentication (e.g. mswin_ntlm etc.).

• Adm02 / Mobile authentication allowed – tells which profile is available from your mobile via Mobile authentication (valid for all EGJEWeb2 installation)

• Adm10 / Mobile access permission – tells what person can access the application from his phone / tablet (ie. Using a mobile authentication).

• Adm16 – administrator or manager or other user with the specified mobile profile and permission here (ie as the authenticated user) creates a temporary password used then to create authentication on specific mobile device and in specific browser (attention browser should be in mode "mobile user agent ' ie. not to have eg. in mobile Chrome checked "Request desktop site").

Password you can write directly to your mobile device (button “Show password”), or send it to the email entered a personnel clerk in Osb02 (kind of communication 31) – button "Send via by e-mail."

Note. If the user has multiple mobile devices, or change the device we recommend to write the record these with the name of the device.

• If the user has accessed this e-mail on a mobile device, it is straightforward commissioning. Opens the email application and clicks on a link in the e-mail. One-time password is also in link and it makes mobile device EGJE access operable.

If not, user write the application address in mobile browser and fill the one-time password here.

In both cases it is recommended to create application mobile desktop link from your mobile browser and then run application from it.

• One-time password is temporary, while the generation is entered its validity (usually 10 minutes).

• When a user loses a mobile device, you need from an EGJE as quickly as possible invalidate the access from Adm16 (button “Invalidate access”)!

Alternatively, if a user has multiple devices, and it is not clear which is which, invalidate all respectively admin can cancel in Adm10 mobile access entirely.

• Directly in mobile application user has the settings menu option "Delete mobile access token". After the dialog to make sure is then access from a particular browser particular mobile device invalidated in the same way as of Adm16 “Invalidate access” respectively. deleting whole record with the evidence of access there.

Note.: in Adm21 / Communication parameters is parameter "http (s) EGJEWeb2 address for mobile access:" This address is used in Adm16 during sending your password via email. The email link is composed of this addresses and parameter - one-time password.

Ability to turn off mobile authentication

In the configuration utility Configurator is made in tab Authentication parameter (second ranked)

"For mobile device (by user agent) use Mobile authentication" Yes / No

When set to No then from mobile devices, which are reported as a browser

User Agent = mobile, will be called the standard authentication, which is written on the line above this parameter in item authentication.

6.1.6 Installation attributes

Directories are used by installation program SuperConfigurator. It is used to control deployment of EGJE patch to the deployment destination.

Folder with web start template

Full path to webstart folder - folder where is also "egjelib" subfolder.
Standard installation - folder has name EGJE.

EGJEWEB2 WAR file

Full path to war file with EGJEWeb2 (webapps tomcat folder)

Installation consists of

Configuration - from former war file are taken from web.xml values of parameters

<param-name>config_jar</param-name>

and configured file is copied instead of the current one

Application includes also HR portal user interface for employees and managers.

Installation to Tomat 10:

For YES selection during creating war, the war is used for Tomcat 10. Viz Appendix C1.

Type of installation:

Possible values: unfilled = Production / Test / Development

The Test and Development Environment is then indicated in standard and web client as well.

For the web client, the application icon will also change.

For standard client with AS you are to configure the value in AS configuration, not the client one.

After setup, the AS (EGJEWEB2) must be restarted.

6.1.7 Logging

Application logging can be set using Log4j here.

Log4j configuration:

The address of the external Log4j configuration file can be placed here. If not set, the default EGJE setting will be used.

More you can see in Příloha E. Logování - AS, EGJEWEB2

Sending the clients logs on AS:

When checked all events logged using log4j in the client’s part of the application are sent to the AS. It is important to set only for the Java client connecting to the AS.

6.1.8 Proxy

On this tab, you can configure the proxy for HTTP and HTTPS. If authentication is required, you can also fill in the username and password for the proxy. This configuration takes precedence over the parameters set during application startup (e.g., in .bat files, Tomcat startup settings, etc.)

6.2 Settings and changing parameters using the utility „MultiConfigurator“

This utility will allow the selection of multiple configs at once and a class is created for it to run with a „*.bat file.

Notice: The old functionality of configurators remains. It is still possible to run the configurator over one file and edit only this file.

Pattern for run::

start java -Xmx512M -ea -Dlog4j.configuration=log4j.eman.properties - Djdk.jar.maxSignatureFileSize=16000000 -cp /egje/vzor/EGJE/egjelib/eman.jar;/egje/vzor/EGJE/egjelib/egjelib.jar cz.elanor.eman.sgui.configurator.MultiConfigurator %1exit

Adding the krb5.conf

If after first parameter %1 is added second one %2, containing the path to krb5.conf to configure Kerberos authentication, then this configuration parameter is automatically add into all jar files.

After starting, a table will appear with a list of configs from the folder from which the bat file was started. The files will be loaded according to the mask of config_egje*.jar. The table will allow the selection of multiple configs at once.

There will be buttons:

· Mark all – marks all records in the table

· Unmark – unmarks records in the table

· Add – display a dialog:

o Name: text editor – chosing a file name

o Type: combo box for chosing the type of the file with values:

§ C - Client without AS

§ SC - Client with AS

§ S - Aplication server

§ WS - Web server

o The buttton “Add” – creates a new file with the chosen name and for the given type

§ the file is created and immediately saved on disk

§ krb5.conf is inserted into the new file

· Remove – the dialog “The selected configuration files will be deleted from the disk. This action is non-refundable“ Do you want to continue? Yes/No“ will be displayed. After agreement the file will be deleted from the table and from the disk.

· Generate a set – creates a config set, for testing configs will set r_typ_inst=T

o config_egje_as - S

o config_egje_cl - C

o config_egje_web - WS

o config_egjetest_as - S

o config_egjetest_cl - C

o config_egjetest_web - WS

· Edit settings

o If only one config file is selected, open the standard configurator.

o All selected configs are checked to see if the data stored in multiple configs match ( (e.g.. DB settings for AS and WEB), there are checked the dates, which are saved to multiple config files see “Configurator tabs”.

§ If they don’t match

· write in the log which items are different in which files and do not continue

§ if they match

· open the standard configurator with the ability to edit all files at once

· In the "Verification" tab of the Configurator, a parameter for setting the validity of the SAML token has been added. The field is named "SAML token validity period in minutes:". The validity period of the parameter (maxAuthenticationAge) can be set in this field. If no value is filled in, the default setting is 7 days (10,080 minutes). See image.

6.3 Adm51 – Database update procedure

Tab "Verze databáze" ("Database version") shows information on current structure and content of the EGJE database. The information includes:

version code
last mandatory patch
non-mandatory patch(es) (may be multiple)

Tab "Změna Db" ("DB change") includes button " Provedení změny Db / Instalace uživatelské sestavy" ("Make change in Db / install user report")

This is followed by script selection and right after that (provided the current version check has been performed successfully) the script is executed. Protocol from making action is saved continuously in the user's working folder (identical as for saving print reports), i.e. %HOME_DIR%\Dokumenty\Eman\output under the same name as the script and with extension "html". The file is opened automatically in your default browser after completion of installation.

For installations with AS, before you run the script, we recommend to inform the users. There is a button "Send a request to logout to logged users" to do it.

Information is transmitted through the database to all clients; each client checks this information every 5 minutes. Those users who are connected through the same AS or EGJEWEB, through which the administrator presses the button, receives information immediately and their lists in the protocol. Other users connected via other server aren't in protocol; the system does not send feedback.

After installing user reports that changes the repository, the administrator has a button called "Reload repository on all AS / EGJEWEB (2)" to reflect the change to other servers EGJE.

However, even if it does not, the EGJE servers have periodically (interval of 5 minutes) check whether a change occurred in the repository, and if so, they reload it.

Tab "Změnový log" ("Update log")

shows information about all update procedures performed in the database. The finest unit here is an update procedure block.

Tab "Konfigurace klienta" ("Client configuration")

has meaning only for administrator startup directly on server by egje.bat. The button "Konfigurační formulář" ("Configuration form") then opens the same configuration window as the utility configurator_egje described in previous chapter.

Tab "Oracle statistiky" ("Oracle statistics")

has meaning only and exclusively for installation over Oracle database. For correct function of commands for operation with the database it is absolutely vital to update database statistics on regular basis. Otherwise some parts of the application will become gradually and unevenly delayed. We recommend automate this action using Oracle job. This may be created directly from this form. Fill in item "Hodina" ("Hour") (e.g. 23 => eleven in the evening; 0 – at midnight) and then press button "Vytvořit/Obnovit job na aktualizaci statistik" ("Create/Renew database update job"). If job is created successfully, buttons "Spustit job" (Run job") and "Zrušit job" ("Cancel job") are also active from this moment on.

Job duration depends on the database volume and the server's performance. It may vary from minutes to tens of minutes.

Button "Rebuild/přesun indexů" ("Rebuild/move indexes") calls alter index rebuild to all indexes. You can also choose another tablespace to move indexes. It can faster the database on some configurations. This functionality is designed for administrators of small organizations. Qualified administrators of larger installations should prefer Oracle tools.

Tab "MS SQL statistiky" (MS SQL statistics")

has sense only for MS SQL installations.

It contents the list of indexes with information about their fragmentation and last statistics update.

Button "Rebuild indexů, aktualizace statistik" ("Rebuild indexes, update statistics") calls:

· alter index rebuild - onto all EGJE indexes

· update statistics onto all EGJE tables

This functionality is designed for administrators of small organizations. Qualified administrators of larger installations should prefer MS SQL tools.

Tab Správa AS/klienta („AS/client administration“)

for installations with application server this tab offers information about connected users, for installations without AS only user connections, except tab Database locks summarizing locks over whole system. See more about locks in Attachment M. Basic description of databases’s locks.

For Oracle is also available the Tab Who is blocking whom. The content helps to discover the locks originator. Administrator can kill running tasks (with AS also connections).

This termination is on side of java, not on the database side (database connection used by EGJE hasn’t required db permissions).

The last subtab is "DB connection". It is intended for customers who use java client without AS. All other clients share db connections, so the data here has a slightly different, not so useful, meaning.

For the EGJE WEB server, there is a "Web" tab containing a button to reload metadata for SAML authentication. This tab is only visible for the WEB configuration when SAML authentication is set up.

Tab Security

After making changes on this tab, you need to restart the AS respectively WEB EGJE server.

On the "Security" tab, you can:

• Write the authentication that is the only one allowed (especially for java client without an AS)

• SuperConfigurator security against current db

o The ability to make a change script

o Enable export of codetables

o List of IP addresses from which SuperConfigurator is allowed to run

• "Try to reconnect to the application server"

The parameter specifies whether the AS client should attempt to reconnect in the case of a connection failure. If you set No here, the client does not do so and therefore does not have a reason to remember the password. If you set Yes, the client remembers the password for this purpose, but remembers it as an encrypted by symmetric algorithm.

The password must also remember the client if it is to work with multiple ASs.

• Session expiration

Items

Std.klient - session expires in [min]:

EGJEWEB(2) - session expires in [min]:

For std. (Java) client, for technical reasons, the user activity is monitored throughout the operating system, not just in the EGJE application.

When "Std.klient - session expires after [min]:" is not filled in, the expiration of the standard client does not occur.

Expiration of the standard client, which is not a web application, occurs by terminating the client's execution - the application will disappear (note - it may be considered a punishment of smokers). So, think well if you set it up for a standard client, a mandatory way (internal policy forced) - locking the screen by the operating system - is a better way.

When the entry "EGJEWEB(2) - the session expires in [min]:" is not filled, the default behavior is as follows:

The web application (including HR Portal) - expiration is given by the tomcat setting, ie by default 10 minutes.

For all clients, when the report or calculation is running, the application waits for the result and the automatic logout is paused. Exit is also blocked by the open form Adm51, which communicates with the server constantly.

The expiration time can also be extended for a certain amount of time by receiving EGJE internal mail.

Servers retrieve the data from db every 5 minutes. The client (java or browser) retrieves the data from the server at the time of login.

Tab Org. IT par.

It contains a master-detail of the organizations specified in Adm21 and selects from Adm21 and Ftp02 parameters that are more relevant to IT administrators than to the application administrator. This is an alternative location and editing.

Tab Message to all

The administrator can enter a text message for the period between two dates, which will be displayed to users for all EGJE clients after login.

These messages are above the others.

In the HR portal, messages are in the right column Messages and links.

The other interfaces display the Message using the internal form Mail.

The data remains common and messages aren't copied to each user. So user doesn't delete it. After the date expires, the message disappears.

Tab System shutdown

It is basically a similar thing, but the times are also defined here, and it is possible but not necessary to specify the server and port, so you can specify a particular AS that will be deactivated by the administrator.

From a certain time when signing in, it notifies when the shutdown will be, and when the shutdown already is and the system is still running, it will not allow the user to login or, Alerts subscribers, except administrators (Adm51 rights) and it ends their sessions as they are at expiration.

The check takes place every 5 minutes and concerns both the web and the java client (with AS or without).

Tab Link to all

Allows an administrator to add into EGJE an http(s) link.

The HR Portal displays it at the top of the Messages and links column.

Other interfaces will create links in the menu.

Also, the link can be temporary, it also has date from and to.

The links are opened according to browser settings, usually in a new tab.

Note: It is not EGJE's ambition to replace the corporate intranet, especially when using interactive authentication, links are somewhat "around the corner".

Tab E(W)SOI

Customers using the Egje extension ESOI (Egje Standard Output Interface) now have the option to set the parameters of this interface. The new version of the interface, which will be released in version e202309, will be able to use these settings.

These are choices:

Language for titles

Status for payroll closing

For the upcoming EWSOI interface there is also an option (no change option):

Web interface output.

6.4 Utilities

Utilities Anonymization and XML data validating report Ela01vxc are described only in Czech and Slovak version.

6.5 Use of the SuperConfigurator to create a report over multiple DBs for the possibility of comparing and finding items in different DBs

The super configurator now includes the option to export, for example, SLM, Roles, item lists etc. from marked DB’s.

In the upper list, the DB from which the data is to be exported is selected with the help of Ctrl + mouse click, and the items that need to be exported are selected on the "Export of code books" and "Export of code books II" tabs. Then, after pressing the "Export XLSX" button, a file in XLSX format is created, but it is not used for subsequent import, but only for comparing data in selected DB’s. It can be used, for example, to compare whether a given Role with the number 501 occurs in selected DBs, which will give the user information about, for example, the free numbers for Roles in other DB’s.

7 Administration of application users

7.1 Creating a user – brief summary

Typical procedure:

Person is not in employee records (yet)

Adm01p - we create a person with user relation (status 21 User - system records), we assign the Profile (+ language, organization) and the Logname for Authentication.

Person is in employee records as an employee

Employee/Manager

in Adm10 we assign Profile (+language, organization) and the Logname for Authentication

Person officer

we can do the same as for Employee/Manager

or in Adm01p we create to this person user relation (status 21 User - system records), we assign the Profile (+ language, organization) and the Logname for Authentication.

We often assign more profiles to managers and officers, but Logname is usually only one.

Note: Typical Logname

Authentication Windows NT

WinDomain\user e.g. MOTOR\jigecz

Authentication kerberos, LDAP

user@domain e.g. [email protected]

7.2 Rights for objects and lines, roles and profiles

7.2.1 Definitions and basic questions

Definition of access rights in EGJE, their application and usage:

Admnn – administrator's forms – opened either from menu "Správa systému" ("System administration") or from the EGJE command line

"Uživatel" ("User") – a person with PV with status 21 "Systémová evidence" ("System records") (shown and editable on form Adm11)
(PV means legal relationship person-organization)

"Uživatel přiřazený na profil" ("User assigned to profile") – link between user and access right profile – (Adm01)

"Autentizace uživatele" ("User authentication") – generally, this is verification whether the user is who he/she claims to be; in EGJE, this information is either taken over form login to operation system (Windows NT) or it is executed against Kerberos server (using mechanism embedded in java JRE);
("Adm01 – Přihlášení autentizace" / "Adm01 – Authetication login" and also Adm01p)

"Profil přístupových práv" ("Access rights profile") – connection of access rights to objects and access rights to rows. Sometimes we also use the term "abstract user". A specific person may have multiple access rights profiles assigned, acting within the system in various user roles (for instance employee and manager or payroll clerk and head of payroll department) (Adm02).
While access rights to rows are defined directly for a profile, rights for objects are assigned indirectly by means of roles (Adm03).

"Role přístupových práv" ("Access rights roles") – a set of assigned access rights to individual objects of the system. We discern roles administered by Elanor (1-499) and user-administered roles (500-999) (Adm03)

"Přístupová práva k objektům" (Access rights to objects") – basic building unit of access rights is an object. Typical objects are "Formulář" ("Form"), "Proces" ("Process"), "Sestava" ("Report"), "Export" ("Export"), "Položka menu" ("Menu item"). From the access rights point of view, objects Form and Process may be further subdivided to finer objects – "záložka" ("bookmark"), "datový zdroj" ("data source"), "položka" ("item"). (Adm04)

"Hodnoty přiřazení práv k objektu" ("Values of access rights assigned to objects") – a set of permitted values of access rights depends on type of object, to which they are to be assigned. Assignment is always applied to a role.

While to forms we usually may assign rights -2 - Withdrawal of read and write permission / -1 - Withdrawal of write permission / 0-No rights / 1-Read / 2-Write, for reports, menu items and processes we usually use a pair -1 - Withdrawal / 0-Execution disabled / 1-Execution enabled.

Special values are negative values, which limit the right, even though the right is assigned to a profile by other role for instance. Restriction then may be total (-2) or partial (rights reduced to read only, i.e. -1). (Adm03)

"Konfigurace použití objektů přístupových práv" ("Configuration of using the access rights objects") – as EGJE is a type project, it includes number of objects, which a specific customer will never need to use. To ensure that such object will not obstruct assignment of rights to specific roles and in order to eliminate errors in assignments, it is possible to define objects never to be used in form Adm04 at tab "Konfigurace použití" ("Configuration of use"). (Adm04)

"Přístupová práva k řádkům" ("Access rights to rows") – as organizations are often divided by areas or hierarchy, such divisions need to be reflected in access rights definition and assignment. In other words, a user may have right for certain object but within it, he/she cannot access all data, only their part defined by his/her competencies within the organization.

Such divisions are defined by "Správní jednotka" ("Administration unit"), "Správní oddíl" ("Administration section"), assignment to "Struktury" ("Structures") (typically an organizational center or structure of payroll clerk), "Status PV" ("PV status"), "Status - práva" ("Status - rights") or "Příznak chráněné osoby (PV)" ("Protected person attribute (PV)"). In items AU/IU you can choose one or write the list (format e.g. 1,2,5-8,10). (Adm02)

Note: There is another rights element - Organization - for installation with more Adm21 Organizations. Organization is attached to assignment Person-Profile (Adm01, Adm01p, Adm10, Adm12). So, one profile can be used for more organizations.

Setting of access rights to rows

Described options of limiting access rights to lines are very often used in combinations.
Typical examples:

User has accessible all persons within administration section – to be filled:

SJ to limit access rights

SO to limit access rights

PV evaluation method of structures account - "VSE-all"

User has accessible all persons within administration section, only "alive", i.e. counted employees – to be filled:

SJ to limit access rights

SO to limit access rights

PV evaluation method of structures account - "VSE-all"

PV account of allowed statuses - "1,2,3"

There is a new line on the form with the name: „Extension of restrictions and editing according to groups of ŘP:“, which allows using rolldown menu to extend options of the editation and group display restrictions as specified by the line rights for structures.

Basic questions

Can two users use the same profile?

Yes, they can. However, they must have the same object rights. As for the line rights, these must be the same as well or they must use "identical macro". Typically, their rights may be derived from the own user department, which is then different for each user and therefore eventually their access rights are different too.

How to name a profile conveniently?

Profile name should reflect a user's role (e.g. payroll clerk, manager) and basic definition of access rights to lines (e.g. MÚ1 SJ 1 or "My department"). Likewise, abbreviating this, the profile's code should be structured.

What is the relation between access rights to lines to data history?

Within the system, we differentiate between two basic repositories of data assignments to division of an organization – root assignment (typically Opv01) and assignment stored in accounted payroll (e.g. detail in Vyp01). Therefore, it only depends on nature of object subject to access rights. If the object draws from root data, access rights are evaluated as of the reference date and against assignments valid as of such date in a form currently available in database.

For object drawing of accounted payrolls the situation is more complex. While forms use root assignment, reports are little bit more complicated.
Relation of a report of accounted payrolls to access rights to lines may be as follows:

§ Report evaluates rights to the very detail, i.e. it decides according to individual PV assignment to structures, SJ and SO at the moment of payroll calculation in given period (Rek02p, Rek05p, ...)

§ Report evaluates access rights to lines in detail but from root, i.e. current definition of assignment (Sra02, Sra03, Vyp09, ...)

§ Report evaluates access rights but only to the level of assignment to SJ, SO while respecting protected persons. Priority with this kind of report is its completeness. Subsequently, it is up to the administrator, whether he/she will assign the rights to user who for instance does not have rights for complete SJ report or not.
(Evs10, Evs11, Rek01, Rek02, Rek03, Rek04, Rek05, Rek06, ...)

§ Report does not evaluate access rights to lines, in other words, the report makes sense only complete or not at all.

Finally, we have to mention that the rights' definitions are not historically monitored (logged). Definition of line rights in a profile is therefore used as it is displayed in the form (Adm02, Adm01). Previous settings are not stored.

Access rights and reports

From the view of access rights to objects the report is one object. The user either can or cannot run it. If you can run, you see all report items. This is in contrast to the forms, where a number of detailed form parts for object rights (tabs, datasources, data fields) can be set on the level of the role (Adm03) or configuration (Adm04) .
Access rights to rows are applied in reports. Most of these rights are rights to Persons and Employments.
In some cases, however, the requirements for completeness of the report go against the detailed rights usage requirement.
Some reports are thus realized in a way that they don't use row level rights at all, or rights are reflected to th level of Internal unit (IU) or Administration unit (AU) but not finer ( by structure ) . Typically, this includes the recapitulation reports Rekxx . In Rek_uzdoc is for each of them mentioned what rights mode is used.
Typical reports with emphasis on completeness are bank transfers Banxx broken by batch.

Evaluation of access rights to the rows and the reference date

Access rights to the rows are evaluated at the reference date.

This date is limited to future. We have long held the rule upper limit is today's date. Since version e201401 we have changed the default value to today's date + 40 days.

You can change it with the parameter

Adm21 / configuration parameters / Emp. row rights evaluation future days upper limit.

Negative values are not accepted, maximum is 9999.

This applies to access to master data, the navigation lists (typically the navigation list of persons / employees), comboboxes respectively for data in reports from other areas than payroll (where logged codetables data are used for rights).

In practice, this usually allows you to prepare data for next period using the set of data what will be valid in the next period. Everything is based on the reference date, that the user selects when logging, respectively he can change it inside EGJE.

7.2.2 Setting access rights in application

User Assignment / Creation

In situation that person is not in database, we use Adm01p to create it (with status 21).

But users, referents, employees, managers existing in database (usually as employees) don't need other special employment. User's attributes and profiles we set via Adm01 or Adm10 forms.

For a user, we enter his/her profile and language. To "Profil - autentizace" ("Profile – authentication") we enter authentication login name (names):

Authentication Windows NT

WinDomain\user e.g. MOTOR\jigecz

Authentication kerberos, LDAP

user@domain e.g. [email protected]

Authentication is taken from operating system (SSO) or is entered interactively (name and password). Modes are described in next chapter.

For each profile assignment we fill in language of user interface.

Note: At state administration we fill in "cs_ST" instead of standard "cs".

Support of English language "en" is currently only partial.

Profile creation and editing

We create and edit profile using form Adm02.

7.2.2.1 For each profile, at the first tab we define login type and access rights to lines:

· Login type – to differentiate between personnel and payroll agenda type login to a period

Item also differentiate start date to edit items with time tracking.

Values:

1 Login to date - change time data from 1st this month

2 Login to period - change time data from 1st selected period

3 Login to date - change time data from reference date

4 Login to date - change time data from 1st next months

5 Login to period - change time data from 1 next period

· GUI Type - for what UI is the profile. Values are:

1 - Java and Web client - interface officer

2 - Old Web client

3 - Web client - interface officer

4 - Java client - interface officer

11 - HR portal - interface employee separately sold product

12 - HR portal - interface manager separately sold product

21 - WS Only Without access to EGJE UI, web services access only

Unit of administration (AU, SJ) and Internal Unit (IU, SO) limitations

· SJ (AU) or SO (IU) for limitation of rights – organization is (or may be) divided into administration units (SJ=AU) and administration sections (SO=IU).
AU is an "outwards" division – it partners with various institutions, such as Health insurance companies, Tax Administration Office, etc.
IU is a division used for payroll processing. At IU we define pay days, at IU we make group calculations and balances.
Note: We recommend to fill in AU, IU when are known. It can fit the content of the Combo Boxes more precisely.

· For employee, manager but also for some reference profiles going through the whole organization, filling in AU, IU leads to create profiles separately for each IU.
To avoid this, it is appropriate to set "Yes" in the
"Not filled AU,IU rights take from accessible emp.:" attribute in this case.
Accessible AU, IU (and Legislation) are collected from all accessible employees. These values are then used to restrict values in ComboBoxes with AU, IU.

· Make IU accessible even when unassigned – definition applicable for those PV types, which are not assignable to IU (user, instructor, applicant,…). Selecting "Ano" ("Yes") will make such persons (PVs) visible.
(Assignment of employee to IU is made using Opv01, tab "Správní oddíl" ("Internal unit")).
Note: For payroll reports, this item is not relevant, because in payroll are only employees with IU assigned.

Other conditions for Person and employee access

· Employee row permission mode - evaluation method of account of structures (for PV) – option to enter another additive clause to filter by AU, IU. May have the following values:

VSE	All
STRU	Persons and PV assigned to structure
STRU_PRIMO_HIST	Persons and PV assigned to structure, the access in the whole history, but to the limit of the date of the access to the person.
ST_POD	Persons and PV assigned to structure and substructure
VL_OSO	Own person
ST_MANA	Persons and PV assigned to structure, which is managed by user
ST_MANA_PRIMO	It differs from ST_MANA in this aspect: user has access also to managers of directly subordinated structure items. Usually this is subordinate managers in the organizational structure.
ST_MANA_POD_OBD	It differs from ST_MANA_POD in that it evaluates whether the employee was assigned to the user for at least one day during the period (month).
ST_MANA_OBD	ditto for regime ST_MANA
ST_POD_OBD	ditto for regime ST_POD
STRU_OBD	ditto for regime STRU
ST_KUMUL ST_KUMUL_POD	Installation VŠE can use also these 2 modes. I Adm02 admin set for "Employee - structure type for emp. permission" structure 8; Employee - list of struct. elements for STRU, ST_POD remains empty. It support mode where there are two managers of one employee. There is more centers of structure 8 for one Position (stru 3) in Pmi01. Position works for more centers and 2 managers of structure 8 element now have access to employee sitting on position.

Note: all _OBD rules are valid only for direct structure assignment!
Direct assignment is entered in Opv01/Structures for employee.

Note: for purposes of type *MANA*we consider than manager of non-valid structure is not a manager seeing the subordinate staff.
In other words, we use structure member's Date of termination (Str01) to evaluate the user rights.

· Employee - structure type for emp. permission:
structure type (Str01)

· Employee - list of structure elements for permissions
For STRU, ST_POD and ST_POD_OBD types, the code(s) of structures is/are entered here to make restrictions according to access rights.
Code or codes are entered separated by comma.
If we leave the value blank, the structure (typically a department) where the logged-in user belongs is taken into account.
To specify a negative condition “everything except”, the symbol “!” is placed before the list - see the paragraph below.

For ST_MANA, ST_MANA_POD, ST_MANA_PRIMO, ST_MANA_OBD, ST_MANA_POD_OBD value should be blank and it means the structure items where the user is the manager.

For VSE, VL_OSO, ST_MANA, ST_MANA_POD, ST_MANA_PRIMO, ST_MANA_OBD, ST_MANA_POD_OBD this item is inapplicable.

· ST_MANA * rights in full access history:
The flag is used for payroll clerks. Their work is annual.
The Yes setting gives to the clerk access to employees who have accessible at least one day in the current year.

This mode is available only for ST_MANA*. In other cases this is not supported.

· Employee - give access also to non-assigned – definition applicable for those PV types, which are not assignable to structure (user, instructor, applicant,…). Selecting "Ano" ("Yes") will make such persons (PVs) visible.
(Assignment of PV to structure is made using Opv01, tab "Zařazení do struktur" ("Assignment to structures")).

· Employee allowed emp. status list:
additive definition of rights based on account of the item Opv01/Popis(Description)/Status of relationship person-org.
Common value for e.g. payroll clerks is restriction 1,2 (i.e. the counted ones) resp. 1,2,3

· Employee allowed emp.right status list:
additive definition of rights based on account of the item Opv01/Popis(Description)/Status - rights. Unlike previous item where the codetable is administered by Elanor, for this item is codetable in the administration by user (Jpc01 / status_prava). To specify a negative condition “everything except”, the symbol “!” is placed before the list - see the paragraph below.

· Employee - access of protected persons – additive definition based on attribute, which the administrator may assign to a person – PV – at Adm11 / PV / Chráněná osoba (Protected person).

All conditions are evaluated as "AND". Therefore, setting multiple conditions typically results in higher level of restriction.

Own line rights evaluation:

In most application locations, access rights to lines are evaluated from ongoing master data.

From Opv01 form (Duration, Description, Structure), Str01 (Hierarchy from-to, Other Structures, Manager - EGJE Person).

To view data from payroll however, EGJE is based on data of structures copied into payroll each month.

So: Vyp02 / Copies of Structures (according to Str01 / Structure Use = 1-MZDY), Vyp01 (calculation), Str05.

These are the following reports: Aps03, Coe01, Coe05, Con24, Dan16, Evs15, Kon14, Poj02, Poj05, Poj07, Poj10, Poj32, Poj34, Poj41, Pos02, Pos32, Rek02p, Rek05p, Rek11, Rek12, Rek22, Rek23, Rek24, Rek25, Rek26, Sra03, Sra04, Sra06, Sra08, Vyk27, Vyk32, Vyk33, Vyp14, Vyp17, Vyp19, Vyp20, Vyp21, Vyp24.

Plus forms Vyp07, Vst01h, Slm05.

Permissions to assign

· Employee -list of structure types - can set:
if empty - all types; otherwise list of types (from Str01 navigation) which user can assign to employee (Opv01, Opv04, Opv05)

· Preferred navigation list of Employees
Administrator can set default navigation list for forms with this navigation (e.g. Osb02, Opv01, Vyp01, Kva01, Dav01...)

Rights for rows - other objects
(groups of row level rights system is described in Adm_uzdoc - Chapter Adm06)

· Codetable’s rights by groups - the user will see (usually in the combobox) only the values of the codetable, which are marked with this group. (comma separated list , or list of intervals. Interval is with minus separator. E.g. 1,7-9,23-26,29, To specify a negative condition “everything except”, the symbol “!” is placed before the list - see the paragraph below.

· Add own group from Org.str. - Added to the groups in the previous row still have a group that is listed in the organizational center, which the user is assigned (“his” group).

· Codetable’s editing rights by groups - for users who edit codetables - there must be a list of all the groups, which user is able to see and edit (when empty user just sees the lines without marking group).
To specify a negative condition “everything except”, the symbol “!” is placed before the list - see the paragraph below.

· Add own group from Org.str.-edit - adds “his” group to previous row

· Structure codetable rights (list of str. types) - a list of types of structures (navigation Str01), the user can edit. E.g. 2, 3 causes the user in Str01 see and can edit only the organizational structure (2) and positions (3).
This can be combined with restrictions “Codetable’s editing rights by groups” (using the previous two parameters)

· Positions - row rights by organizational structure

Set to Yes causes the navigation list positions (Pm), will be only the positions, which is in organizational centers for which the user has access (assuming the definition of rights according to the organizational structure). The navigation list is used in e.g. Pmi01, Pmi08, and Pmi09.

If the item is not filled, the restriction is not applied.

· Document types (Opv31, Rea0x) - list:

Admin can set here the list of (employee or applicant) document types accessible to read and write to the user.
To specify a negative condition “everything except”, the symbol “!” is placed before the list - see the paragraph below.

· Document read-only types (Opv31, Rea0x) - list:

Admin can set here the list of (employee or applicant) document types accessible to read to the user.
To specify a negative condition “everything except”, the symbol “!” is placed before the list - see the paragraph below.

· List of types of communication contacts (Pkz01, Osb01/2) – similarly, a list of type numbers is entered, including a negative list initiated by the symbol “!”..

Access to Applicants - navigation

· RECRU - status list - navigation
The option to limit the displayed list of applicants by specifying statuses (comma-separated numerical values of the applicant's status). This also applies to statuses.Access to Applicants - workflow restrictions

· RECRU - status list - can set:
possibility to reduce status values which user can set

Attendance - definition of user level verification for attendance area

· Attendance edit level - verification and editing the profile level to control the permission to access the rows in the attendance records (daily and monthly attendance data).

The levels available are:

3 Employee; 13 Leader I.; 23 Director, Manager or 33. payroll clerk

Logs display mode (Attendance)

1 - Standard (popup)

2 - Suppress the log display in dialog

3 - EGJEWEB - log display in EGJE tab (in std. client equals to 1)

Typical usage is the fullscreen mode of terms with EGJEWEB.

Not filled AU, IU rights take from accessible employees

Manager/employee profile is usually one, common for whole organization. There aren't modifications for different AU, IU. Switch this attribute causes the online recalculation of sets of accessible AU, IU immediately after login. Source is AU, IU of accessible employees.

These rights are typically used for comboboxes in report parameters and forms also.

Default is this switch off.

Recommended and usual profiles

In table are only attributes different from default values for Adm02/New profile.

Type	Description
Employee	AU, IU not filled. Not filled AU,IU rights take from accessible emp.= Yes Employee - row permission mode = VL_OSO
Manager - persons from managed structures	AU, IU not filled. Not filled AU,IU rights take from accessible emp.= Yes Employee - row permission mode = ST_MANA Employee - structure type for emp. permission = 2 (org. structure usually) Note. For each structure 2 record manager should be filled (Str01, Str02 / Manager - person in EGJE) Own person accessibility depends on "Employee - access of protected persons" content.
Manager - ditto + managers of subordinate centers	ditto Employee - row permission mode = ST_MANA_PRIMO
Manager - all subordinates	ditto Employee - row permission mode = ST_MANA_POD
Manager, referent (person in EGJE) - persons from structure onto which is he assigned.	AU, IU not filled. Not filled AU,IU rights take from accessible emp.= Yes Employee - row permission mode = STRU (resp. ST_POD for all from subordinates centers) Employee - structure type for emp. permission = 2 (org. structure usually but also others) Employee - list of struct. elements for STRU, ST_POD = not filled
Referent payroll clerk - whole IU	AU, IU filled (lists can be) Employee - row permission mode = VSE
Referent payroll clerk - assigned employees	AU, IU filled if constant (lists can be) Employee - row permission mode = ST_MANA Employee - structure type for emp. permission = 14 - Payroll clerk Note. For each payroll clerk (part of structure 14) should be filled assignment to person/user - Str01, Str02 / Manager - person in EGJE. So one profile can be used for more payroll clerks, but each has her own employees. Employees can be assigned to payroll clerk (structure 14) on employment - Opv01 / Structrures on position - Pmi01, Str01, Str02 on organization center - Str01, Str02 For this referent type you should set the flag "ST_MANA* modes in access whole history mode:" Yes, and make accessible the employees date from the period before the referent entered the organization (Opv01 Emp. starting date).
Other referent - assigned employees	ditto payroll clerk - only the nr. of structure is different. typically 15 - 18 resp. 13

Advantage of ST_MANA usage for referents is common profile for all (or for group) referents of one type.

To this profile you can join other configuration:

· Adm06 - groups of row level rights - general groups, wage code groups, calendar groups

· Epr02 - eProposal

· Adm02 - role assigned to profile

· Mail - send message to all on profile

When each referent has own profile, these configurations should be filled separately to each profile. It is a lot of work and it is confusing.

Typically this referent has:

AU, IU filled (lists can be)
Employee - row permission mode = STRU

Employee - structure type for emp. permission = 13-18

Employee - list of struct. elements for STRU, ST_POD

= list of user codes from the structure - comma separated

How to configure structures to be usable for access rights by structures (ie, ST * modes).

On Str01 you need to set:

Relations to the other structures:

If the structure is specified on Position, then

"Subordinate Structure (Fill In Where)" will be 3 - Position

and "Superior (fill in What)" will be eg 14 - Payroll clerk

If I enter the data on the Organizational Center, then "Subordinate" will be
2 - Organizational structure.

If you enter for an employee (Opv01 / Structure), then in the "Structure usage" tab, enter 2-PERSONAL DATA for that specific structure (eg 14 – Payroll clerk).

Note: If only any user can assign this structure to Opv01 / Structures, it is possible to set on the other profile the write permission - Adm02 / "Employee – list of structure types – can set:". Admin writes a list of structure types without this structure here.

The principles of indirect assignment are applied on the structures.
So, I can fill the most common value on the organizational center (such as the Payroll clerk) into Str01 / Stru / "Manager / Person in EGJE", then fill the deviations on Position or directly to the employee.

Thus, it is possible to minimize the number of places where the data is filled.

For ST_MANA* rights used for referents, it is possible to address the situation, where there are more equal referents for the same group of persons / employees. In that case, a checkbox (eg for structure 14) is checked in Str01 / Name of structure and levels / "Simultaneously may be more managers / people:".

Then, in Str01 / Stru / / "Manager - Person in EGJE" you can enter more than one parallel referents.

However, this mode should not be used for the structures used for approval (Adm14 workflow), so it is not suitable for the structure 2, that is used for approval mostly.

Negative definition of access to Persons and Employees

From e201809, in addition to the standard assignment, "All who have something" can give access rights to lines (ie. persons and employees) negatively, "everyone except those who have something."

It makes this an easy alternative to " Employee - access of protected persons" using the Adm11 / Emp. / "Protected employee" attribute.

We all allow you to specify for:

• Employee - allowed emp. rights status list

• Employee - list of struct. elements for STRU, ST_POD (just for these 2 modes)

• Codetable's rights by groups

• Codetable's editing rights by groups

• Document types (Opv31, Rea0x) – list. Read and write.

• List of types of commun. contacts (Pkz01, Osb01/2)

Negative list is entered by entering the "!" character into the first character of the value entry.

Thus, for example, if you enter the value of "!5" for " Employee - allowed emp. rights status list" then those employees, that do not have the value "5" in the Opv01 / Description / Status - rights, will be accessible.

The "!" sign is functional just at the place of the first character and says everything behind will be evaluated negatively. Therefore, it is not possible to combine positive and negative processing within one item.

Alternative evaluation of rights to Persons and Employees (row rights)

In larger databases there is often (by manager’s and referent’s access) very long opening the windows (because of loading navigator’s lists and lists in combo boxes). From e202109 we provide the resolution, which make partly offline and which speed up this loading (the first opening of windows the type of Wflow, Epr01, Kva01).

Putting into service is optional and it contains more related steps:

· on the profile there is configured, that the profile is in the area of row rights evaluated by the offline copies of dates: Adm02 / PV – rights fo profile rows through Elis51:Yes

· the offline’s rights are generated by processing report Elis 51. You configure on Adm53 its starting – you start it one a day – typically in the mornng or in the night.

The report includes these parametres:

! Common codetable of structures - hierarchic

! Emp. assignment to structures

! Managers of structures

! Competences on the structures

For purposes of offline rights is needed to configure the first two parametres. On Elis51 there are checkboxes, on Adm53 by the parametres r_FillDataCstr, r_FillDataTpvStr

you set „1“, the next two (for function rights) you can set „0“.

It is to consider, in which profiles you set the offline evaluation – primarily, it is given for manager’s and referent’s profiles with the rights over the structures (ST*). It is possible to try it. The rights are evaluated in time of starting, as the case may be time of finishing the report Elis51. More often starting (more than once or twice a day) can causes capability problems, but on principle it can be.

On Adm10 there is a flat Structures offline, there are the first two offline disposal sites. There is also online view to records of assigning of managers’s structures on the flat. Here are used online values, i.e. those, which are also on Str01, Str02 / „Manager/Person in EGJE“ (from the another view).

Adm01 / Accessible Employees show the result i.e. which persons / Employees will user have on his profile accessible.

Role creation and editing

We create and edit role using form Adm03.

Roles numbered 1-499 are administered by Elanor and are not editable by user.

Reserved interval for user roles is 500-999.

It is quite commonly used that user has in his/her profile assigned certain standard Elanor role(s) (1-499) and the administrator, in addition, assigns to him/her some role(s) above 500 where the administrator adds or restricts rights to standard roles. Restriction is made by setting a negative value of the right in user role. It means that e.g. assignment of the right ‑2 Restrict read and write will cause that rights assigned in the standard role of such user will no longer be valid.

We assign the rights at tab "Práva k objektům" ("Rights to objects"). And here, on the tab "Objekt" ("Object") we set "Souhrnná hodnota přístupového práva" ("Access right summary value"). For forms double-level (0 no rights / 1 read / read and write), for reports and processes single-level (0 execution disabled / 1 execution enabled). Normally, this is sufficient. Please note that the "Summary value of access right" should contain a maximum of reights eventually assigned to child objects.

If necessary, some forms in section "Podřízené objekty – editace" ("Subordinate objects - edit") allow to set rights also for more detailed parts of a form (bookmark, data form, item). Here, the rights are set as a cascade in this order, i.e. from rough to fine. Evaluation then continues in this hierarchy as long as there's any right applicable ( > 0) up to the level "item". To distinguish code name of the form’s component admin can run command line parameter “-edit” (e.g. Opv01 -edit ). Form is then opened with component names.

This procedure is used to assign bulk change permissions also.

The default mode is that the user has accessible all sections of the form except that it revokes using either administrator rights (Adm03), or through configuration (Adm04)

However, the system also allows from e201303 version modes 1 and 2. Their choice is made in Adm03 item "Rights inside the form - mode" with values:

0 - Standard - by rights type (revoking mode)

1 - Adding mode (tabs, data forms), revoking mode (fields)

2 - Adding mode (tabs, data forms and fields)

Where 0 is the default value and indicate the standard mode.

Mode 1 means that the administrator enumerates open tabs and data forms, while data entry forms are available all resp. those not prohibited.

In mode 2 also items should be enumerated. Please note that if you want the user with write access, it is necessary to assign all required fields (indicated by an exclamation mark before the title) and items that are for internal logic and any checks necessary.

Please note that some of the forms may have mandatory controls, without which the form is not functional, eventually. it does not display data.

Setting is therefore sensitive thing. It can be helpful for admin to display the form (in the standard client) from the command line with the -edit parameter. Here he sees the names of internal parts of the form and then he can easier orient in the tab Child Objects.

For your convenience, we have made for the new mode automatic accessibility for panels, which are also is stored in the internal structure of the form.

The selected configuration is always necessary to test. We cannot guarantee that all preset rights configurations will be operational by your expectation.

The user may have the rights to form via multiple roles, including child objects:

From e201601 we modified the processing logic of the situation.

Before e201601 had explicitly specified rights on the child object precedence over the rights inherited from the parent element.

From e201601 are both equal. User has inherited rights when they are higher than explicitly specified rights.

In practice, it was usually on the evaluation of the rights to the item, when in one role were rights to read any specific items (whether it was in any of the modes ' Rights inside the form - mode:" see above) and in the second role was the right to write to whole tab.
Before e201601 evaluation result was user can reader only read.

Since e201601 evaluation result is user can write - inherited rights defined on the whole tab are used.

Since e201605 we handle situations Master table + multiple detail tabs, and one of them is the main via which user updates also the master table data.

The master-detail handles this main detail component rights. If the user has rights to it only for reading a Master-Detail will also be read-only. The rights does not inherit to any other detail tabs. These tabs inherits only rights from the entire Master-Detail.

Therefore, to set the user rights to write on Str01 / Hierarchical structure / Manager, you set write rights to MasterDetail (ZalStrHier), and reading rights to Detail (ZalStrHierDetail) and write rights to the Manager tab (cecstrmanaPan).

NB. MasterDetail (ZalStrHier), may also inherit rights from tab Hierarchical structure (ZalStrHierPanel).

7.2.3 Rights objects configuration

Previous chapter describes how to set rights for individual users. If however the administrator knows that the organization will not be using certain window, report of process at all, it is convenient to disable such objects by configuration. Object will thus disappear from the system at single click and will not "get in a way" in complicated forms for access rights assignment (Adm03).

Objects may be disabled in form Adm04 at tab "Konfigurace použití" ("Configuration of use") by item "Hodnota vyřazení" ("Disable value"). Here -1 and blank field means the same, 0 means completely disabled object from use. Values 1 and 2 then represent certain restriction of use: 1 object will always be available as read-only, 2 parts listed in lower part of the tab will be omitted. Again, cascade principle is applied here as described in assignment of rights to roles.

Items in the database or repository item EGJE marked as mandatory are now indicated with "!" displayed before the item title.

In Adm04 administrator can in the tab "Structure of the rights object" define other items as mandatory (column "Mandatory" = Yes). For other types than the value of the item is irrelevant. We recommend cautious switching duty!

In this way, an administrator can add some items obligation; however, mandatory status cannot be canceled for those items where it is set by "producer" at the database level.

7.2.4 Substituting user's profile

At the form Adm01 we set substitution by another user. Substitution takes place in the rights profile. Administrator enters substituting user profile, which is to substitute and select the user (item represented person). He adds dates also.

The substituting user then logged into the system will see one more line in a profiles. In the column Profile is the substituted user. If you select the profile the system sets the access rights as would be reported by the substituted user. However, all changes made during the substitution audit stamp of the logged is filled to the database.

Only exception from substitution is what is assigned as a structure manager on Str01, Str02 forms. I.e. user doesn't in standard receive email from this title. But in form Wflow user sees all the requests for approval.
Note: In many organizations, an email is forwarded to the substituted person by the mail server.

If the substitution does user himself, he can do it using the form Adm15 - Employee substitution with the same manner. There is also the option to specify the mode "Send WFL e-mails to substitute:" which allow deputies also to receive e-mail messages (see Adm_uzdoc / Adm15).

7.2.4.1 Setting the substitution profile

Profile for substitution is often other than the manager profile. It offers only any competencies.

In Adm02 administrator to manager profile (e.g. MANA) fills the "Substituted by profile" item (paragraph Permissions to assign). If not, profile is not offered to manager in Adm15.
In Adm15 manager sees profiles having the "Substituted by profile" item filled and these profiles are also in codetable offered to manager.

If organization doesn't use different profiles for substitution of the manager, administrator fills in Adm02 to profile the same profile to "Substituted by profile" item also.

7.2.5 Limited admin

There are two types of Adm12, Adm01p users:

Full rights admin

has access rights to one of the forms Adm02, Adm03, Adm10.

In contrast with limited admin.

Limited admin:

• Profile Adm12, Adm01p combo doesn't contains profiles with access rights to one of the forms Adm02, Adm03, Adm10.

• Limited admin can't edit persons having one of these profiles or own person.

Limited admin can't assign login under which is user logged now. In Adm10p, Adm12 limited admin can't see own person

Shrnutí: Dílčí správce nechť má zápisová práva na Adm12, Adm01p, zatímco na další správcovské formuláře práv nechť má pouze čtecí nebo žádná práva (Adm01, Adm02, Adm03, Adm10).

Summary: Limited admin should have write acces to Adm12, Adm01p while to other admin forms should have only read-only or no rights (Adm01, Adm02, Adm03, Adm10).

7.2.6 Attachment – model of EGJE access rights

7.2.7 Special object rights objects

Most of access rights objects are named with the forms, reports, batch reports, processes or menu objects name. Besides these, however, there is also a group of special objects:

For the area of DOCH and Approval deflection, a part of special objects is described in Doch_dopl_uzdoc.

Object	Description	Meaning
Adm11mazaniSpoc	Permission to delete person calculated a year ago or before	Generally, a user with write in Adm11 may delete person + employment, which has not yet entered into wages. When the user can also have this right, can erase a person whose most recent calculation period is a prelast year or older.
Cep01emp	Functionality employee	Group objects for typed roles used in Cep01 functionality - workflow Travel orders (see also WflowAdmin)
Cep01mana	Functionality manager
Cep01pokl	Functionality Treasury Department
Cep01ref	Functionality referent
Cep01jenObd	User can enter the travel order only into period with attendance open	Restriction for the Travel order input.
Cep01zal0	Right enforces advance = 0	User with this right can cancel Travel Order only if advance = 0
CepTypVT	Access to pay days for travel orders	Access to travel orders pay days set (10-39) E.g. for reports with parameter pay day. See also VypTypVT

Dan12email	Access to send report Dan12 to employee email	Access for other parameters on report Dan12
Dav01Admin	Access to records of all users	To overcome a time assignment of employee to the user inside the month
Dav01Kopie	Form Dav01	Access for button “Copy Inputs” on form Dav01/Inputs (Standard is this button invisible)
Dav01Protokol	Access to protocols of Time&attendance	Right to special tab Dav01 / Protocols
Dav01SadaZkrNazev	Access to field :Dav01 Short-text of Structures Set	Fill column Dav01, Structure Set, Short-text (10) from the Name item. It is not automatically assigned to any of the standard roles.
Dav01SmazatVse	Access to delete all records	Access to Delete all button - Dav01 / Inputs
Dav01Vratit	Access to function Dav01 Return to Dav01 user	Special button on tab Dav01 / Inputs / Return to Dav01 user
Dca02rezimAllSK	Dca02 in mode Allsk	Strict checks in form Dca02 - customer Allsk
Dca02ViceOdp	Dca02, more type of working time	Within the Dca02 form, it allows an alternative name for the basic buttons for the start and end of the working time and display the next set of buttons for start and end times. It does not belong to any of the standard roles.
Dcd01GenDDSLM	To set WgCode is mandatory - during daily attendance generation	Stricter rules for the tab Dcd01/Generate daily attendance
Dcd01specfunc	Special functions Dcd01	Permission to delete daily attendance and daily header
Dcd01HromZmenaSlm	Access to Mass change of WgCodes on Dcd01	Access to button "WgCode change" on Dcd01 / Transfer and closing / Mass change
Dcd01RekDniUkol	Dcd01, Days rekap, Task hours	Task column on Recap. on Dcd01
Dcd01VzorDenOblib	Dcd01, favorite sample days usage	Allow favorite sample day usage
Dcd01TypPrescas	Dcd01, Overtime/holiday benefit type	Allow dialog on Dcd01 to choose the Overtime/holiday benefit type
Dcd01UzavriDen	Closing the day for change	Allow button Close and transfer, Setting of Daily header.
Dcd21fppfSmazatVse	Permission to delete all daily records of the Timesheet	Used for accessing the [Delete all] and [Delete all for all Emp.in navigation list] to form Dcd21fppf. It is not in any standard role.
Dcd27fppfSmazatDen	Permission to delete all daily records of one day of the Timesheet - HQ	Allow the button
Dcd27fppfSmazatVse	Permission to delete all daily records of the Timesheet - HQ	Allow the buttons for Timesheets
Dcd27fppfEditZkrNazev	Dcd27fppf configuration	Allow to edit column Short name
Dcd51RekDniUkol	Dcd51, Days rekap, Task hours	Show column Task on Dcd51
DcgAdmin	Task payroll admin	Allow admin functions in task payroll area. It also closes forms to the level 2
DcgAdminEla	Task admin special functions	For ELANOR consulant only
Dcg01Parametry	Access to Dcd / Parameters tab	Allows also edit there.
Dcg02SmazatVse	Report mass deletion	Allow mass deletion of task reports in nav. list
Dcm01expert	Dcm01 expert	Recent setting for wage code list hardcoded in Dcm01 (user is allowed to insert) Replaced via Adm06 wagecode group rights. Other functionality: to see also data from Evidence (pd_zdroj=21) at Dca02, Dcm01 / tab Inputs detail.
Dcm01specfunc	Special functions Dcm01	Permission to delete monthly inputs and monthly header
Dcm01VstupySouhrnPrvni	Dcm01 – Display tab “Imputs” - first	Display tab “Imputs” on first place of the form.
Dcp01EditRezervaNeprit	Editing a Sheduled Leave Reserve	Edit for Scheduled Leave Reserve in Dcp01, Dcp02, Dov16
Dcs02objuzav	Meal ticket order after Dcs closure	User can run Dcs closure.
Dcs02ProtokolVse	Dcs02, show protocol of all users	Form Dcs02/Protocols, when set to " Permission to execute", displays the current user diet logs from all users for the current period. It is not automatically assigned to any of the standard roles.
Dcs02VyhodnoceniPrvni	Form Dcs02	Permission allows for the profile / user, when opening the Dcs02 form, to display the Evaluation tab first - current
Dcs02ZalTypNaroku	Form Dcs02	Permission to see tab “Typ of entitlement”
Dcs03specfunc	Special functions Dcs03	Permission to delete the evaluation of meals
Dcu06ctiDOCH	Dcu01 records from daily monthly inputs only for reading	User with this access right cannot edit records from Adm06 groups 22, 23, 24, 25, 26. User also can't close/open attendance.
Dcu06_inspektor	Dcu06 - dialog items extension (WgCode group, Origin, Status)	This right offer to see the group number from the Adm06 rights group in the dialog button text. And columns WgCode group, Source, Editation status while editing. The right is not a part of any standard role.
Dcu06pocitaj	Dcu06 - Permission of the hour calculation daily/monthly record	Standard mode (without this right) - Dcu06 after save of the record doesn't run calculation. Data are calculated usually via nightly calculation. Slower the response! It is not part of any standard role.
Dcu06editPlSmen	Dcu06 - is allowed to edit planned shift	User is allowed to edit planned shift on Dcu06. It is not included in any standard role.
Dcu06nesmiUzavrit	Dcu06 - User may not Close the record	For standard inputs (without approval) user with this right is not able to press Open / Close buttons
Dcu06nezobrazitZdroje	Dcu06 - Without button [Restrict data]	It is not included in any standard role.
Dcu06nezobrazitFunkce	Dcu06 - Without button [Function and Selections]	It is not included in any standard role.
Dcu06SmazatVse	Permission to delete all records of Dcu06	Used for accessing the [Delete month] button in form Dcu06. It is not part of any standard role.
Dcu06schvalit	Accessibility of the [Approve], [Disapprove]	Use the [Approve] and [Disapprove] buttons to access the Dcu06 form. When it was created, it was not embedded in any of the standard roles.
Dcu06ZobrazProtokol	Dcu06, Show protocol	When the Launch option is enabled, use the Protocol icon on the Dcu06 form. The right is not automatically assigned to any of the standard roles.
Dcu06HromZmenaSlm	Access to Mass changes of WgCodes in Dcu06	Access the [WgCode change] button in the Functions and Selections menu to run the mass overtime WgCode change function on Dcu06. The right is not automatically assigned to any of the standard roles.
Dcu06ZakazUzavrit	User right to buttons : Close / Open	With the "May start" setting, the user is not allowed to use the Close / Open buttons on the Dcu06 form. The right is not automatically assigned to any of the standard roles.
Dov056emp	Vacation approval - Functionality employee	Group objects for typed roles used in vacation approval functionality - workflow Vacation approval (see also WflowAdmin)
Dov056koor	Vacation approval - Functionality coordinator
Dov056ved	Vacation approval - Functionality manager
Dov056ved1	Vacation approval - Functionality manager 1
Dov056KalJenPlusDov	Request for vacation with positive balance only (IA 21)	It will not allow the user to send a request if the currently evaluated claim is exceeded (Dov_uzdoc / Dov05)
Dov056KalJenPlusPVol	Request for day off positive balance only (IA 26,5151)	ditto
Dov056KalJenPlusPlan	Request plan for time off/vacation with positive balance only (IA 21,26,5151)	ditto
Dov056KalNV	Request for compensatory time off, checking for balance	Activation of NV drawdown control on the current NV balance, when saving / sending the approved SLM from the form Dov05 / Dov06 / Dcu06. The deviation is saved / sent even if the condition is not met, after the message is displayed. The right is not automatically assigned to any of the standard roles.
Dov056KalNVJenPlus	Request for compensatory time off, checking only for positive balance	Activation of NV drawdown control on the current NV balance, when saving / sending the approved SLM from the form Dov05 / Dov06 / Dcu06. The deviation is saved / sent even if the condition is not met, after the message is displayed. The right is not automatically assigned to any of the standard roles.
Epr01Admin	Access to records of all users	Write access to records of all users
Epr01Insp	Read access to records of all users	Read access to records of all users (own eProposals remain for Write)
Epr01EprPosledniho	Access to records where user approves to status 30	Allow to "Transfer into the root personal data" for seeable eProposal for user approving the last step, even if he hasn't Epr01Admin
Epr01Protected	Read access to records of all users	Allow to fill "Protected workflow" item for new eProposal.
Epr01Kopie	Access to Copy this eProposal	Enables the "Copy this eProposal" functionality
fDokPrivat	Access to all documents of Employment	Access to documents not set as public.
fEditDochUzavDoch	Editing attendance in period closed for attendance (status 3)	Self-explaining
fEditDochUzavMzdy	Editing attendance in period closed for payroll (status 9)	Self-explaining
fexportXLS	Export to Excel	Enabling interactive feature Export to Excel spreadsheet (in local menu).
fGenKal	Generation of calendars	Permission to generate all calendars via Vyp02
fHodOdemkni	Unlock assessment	Permission to Unlock assessment on Hod01
fHodZamkni	Lock assessment	Permission to Lock assessment on Hod01
fKopCis	Monthly copy of wage code tables and structures	Permission to run Monthly copy of wage code tables and structures on Vyp02
fKopCisSlm	Monthly wage codes copy	Permission to run Monthly copy of wage code tables on Vyp02
fKopCisStr	Monthly structure copy	Permission to run Monthly copy of structures on Vyp02
fKopCisMulti	Monthly copy of code tables - permission for multiorg.	Permits: Run Monthly copy of code tables to multiorganizational db user limited by organization respectively Run it at one-organizational multiAU db to user limited by AU.
fKopPV	Emp. monthly copy on pay day	Permission to run Emp. monthly copy on pay day on Vyp02
fLang_cs, fLang_sk, fLang_en	User interface language	Language switch icon: The user is offered languages that are assigned by the profile assignment, and possibly the basic languages ("en", "en", "en") enabled by the fLang * object. If there are more than one, there is an icon for switching.
fonlyHTML	Only HTML report formats are available (web in tab)	User with this permission can choose only HTML report format. Valid only when report supports HTML format. Report is displayed in tab regardless of the setting in Adm21
fonlyPDFplug	Only PDF report formats are available (web in tab via plugin)	User with this permission can choose only PDF report format. Valid only when report supports PDF format. Report is displayed in tab regardless of the setting in Adm21
fPlanSmenZobrazNeprit	Shift plan, view absences	Absence display mode from attendance records in Dcp03. not assigned to any of the standard roles
fPvDochHist	Show in navigation list Attendance in history all employees accessible now.	User with this permission can see more people in history, also employees belonging in history out of his scope.
fReaPrijHrom	Onboarding - mass	Button Rea01 / Onboarding HR / Onboarding of all applicants from list
fReaPrijInd	Onboarding - individual	Button Rea01 / Onboarding HR / Onboarding
fSchvalSLMPoznamka	Obligation to fill field Note when sending request	Obligation to fill in the WFL note when sending the SLM from the eligibility Slm02.DOCH03.H-Offic from the form Dov05, Dov06 or Dcu06.
FtpAdmin	FIle exchange - admin	User with this permission doesn't need to be assigned in Ftp02 to activities with declared folders (reading, downloading, deleting)
fUrepImpDelAll	Permission to delete user imports of other users	Object is used for user import reports. It allows delete import batches made by concrete report by other users.
fUzavMes	Monthly settlement - calculation/cancelling	Permission to run Monthly settlement on Vyp02
fUzavRoc	Annual settlement - calculation/cancelling	Permission to run Annual settlement on Vyp02
fUziAdmin	Administration of user-defined reports	Permission to interactively create user reports (local menu on selected menu objects in left navigation menu - std. client) and permission to delete all user reports.
fUziCrea	Creation of user-defined reports	Permission to interactively create user reports (local menu on selected menu objects in left navigation menu - std. client) and permission to delete own user reports
fVsechnaRazitka	In payroll reports offer all stamps	It allows listed and is applicable to stamps covering the entire payroll office and not a specific person. The object is not in any standard role.
fVypBlok	Right to calculate / cancel calc. payroll even when blocked.	The Chief Payroll Officer (ie a user with this right) may block the calculation of wages on others by Vyp02 / Blocking, but may perform it himself.
fVypListHrom	Permission for mass wage slip print	Permission for outsourcing pay slips Vyp11fq (CZ) a Vyp31fq(SK) enabling their mass creation & emailing.
fVypStatusAdmin	Permission to set any pay day status value	Used on Vyp02 form.
fVypZrus6	Permission to restore pay day with released pay slips (status 6). Permission to delete pay day (Pay day should have status < 4)	Used on Vyp02 form.
fVypZrusHrom	Mass calculation and cancelling thereof	Permission to run Mass calculation and cancelling thereof on Vyp01, Vyp02, Vyp03 When combined only with the fVypStazeni object permission, it enables printing in the payroll period status for states 4–9.
fVypZrusInd	Individual calculation and cancelling thereof	Permission to run Individual calculation and cancelling thereof on Vyp01, Vyp03. Permission also enables print of pay day reports for Pay Day with status 5, When combined only with the fVypStazeni permission, it enables printing in payroll term status for states 4–9. When combined with the fVypZrusHrom permission, it enables printing for states 1–20.what is not accessible to end users. (working at standard pay slips, form Vyp25, Vyp26, reports Dan03, Das03, Vyp11, Vyp11fq, Vyp31, Vyp31fq and some customer pay slips)
fVypStazeni	Payslip download option available in states 4–9	The permission allows downloading employee payslips in calculation states 4–9.
Gen01expimp	Query generator - query export/import	Permission to Import and Export a query into and from file at form Gen01.
Jpc01locEditOnly	Edit Single-field Codetables from local menu only
Kal01GenTypDne11x12	Kal01 update for type of the day 11…,17	The generation function of calendar shift schedule (Kal01, Adm53/33, Kal09, …). Allowing re-generation shift records with replace of shift (the type of the day = 11 till 17) The mode is allowed to run. The right not assigned to any of the standard roles.
Kva06_noinsert	Forbidding inserting/deleting on Kva06/Basic data	Only permission what removes the functionality. Set Kva06 into regime, in which is not allowed to create new Educational (or other) action. To create this is a task for Kat01 only then.
MENU_Fav, MENU_All	Favorites Events, queries, navigation	Default menu items. User has them although not in profile. Admin can ban them via user role - right value -1 - Withdrawal
nav_Pv_seznam_datnar	Date of birth, IU, cat., from, until, Emp.type	Rights for the Employee navigational lists (Pv) – Osb02, Opv01...
nav_Pv_seznam_druh_od_do_pm	Emp. type, from, until, POS, Org.
nav_Pv_seznam_druh_prof	Emp. type, Job, Org.
nav_Pv_seznam_druh_rp	Emp. type, from, until, structure by row rights
nav_Pv_seznam_odruh_od_do_pred	Emp.type, from, until, exp.term.date
nav_Pv_seznam_pm_so	POS, IU
nav_PvD_seznam_5_str_rp	Standard + structure by row rights	Rights for the Employee attendance navigational lists (PvDOCH) – Dcd01, Dcm01...
nav_PvD_seznam_6_druh_so_prof	Emp.type, IU, Profession
Nav01bezMana	Nav01 - suppress adding managers to the str. name for str. from Adm21/2 and 8	Restrictive object - suppress showing of the manager in to line of organization center and project
Nav01vsechnyOsoby	Nav01 - all employees from org. regardless row rights	Right to list all employees from user's organization (attached on profile attachment)
Nav01spojeni	Nav01 - tree -1 with company e-mail and phone Nr.	Restrictive object - removes tree -1 - Communication
Opv05vlaICO	Opv05 shows in first page table only employees from the same organization ID (IČO)	Restrictive object. To protect data of other organizations. Use only if necessary.
Opv06fvseAdmin		Is allowed to edit all user's data on Opv06fvse
Opv07fvseAdmin		Is allowed to edit all user's data on Opv07fvse
Opv08fvseAdmin		Is allowed to edit all user's data on Opv08fvse
Opv08fvseInsp		Is allowed to read all user's data on Opv08fvse
Opv09fvseAdmin		Is allowed to edit all user's data on Opv08fvse
Opv09fvseInsp		Is allowed to read all user's data on Opv09fvse
Opv02zpet	Access to all historical tariffs	Opv02 shows with date restriction. Typical is transfer of employee between IU referents. When new referent should see old tariffs, this permission provides it.
Poj15email	Acces to send data of report Poj15 to employee email
Rtf10all	RTF templates administration	Permission to access all RTF templates in db evidence. Standard is that user see only templates, he inserted.
Str01CopyTree	Copy of org. structure tree - permission	Permission to copy a subtree to another node on Str01 / Hierarchical structure / Detail / Copy tree branch
Vst10Admin	Access to records of all users	Access in Vst10 also to the records where I am not in item User.
Vst13Admin	Access to records of all users	Access in Vst13 also to the records where I am not in item User.
Vyk62Admin	Access to all records on form Adm62	Access to all records for user of organization (Organization unit, Internal unit)
VypTypVT	Access to default pay day types	Access to basic payroll pay days set (<=10) E.g. for reports with parameter pay day. See also CepTypVT
WflowAdmin	Workflow administrator	User with this permission is allowed to set the workflow status directly (e.g. on Cep01 / Administration tab). Normally status is maintained via workflow. On form Wflow user can see All workflows and is allowed also to cancel them (button Cancel workflow)
WflowHrom	Workflow mass approval	Workflow mass approval allows mass approval of the workflow 2, 3, 4, 11-20 (for 11, 14 only approve the trip and advances only)

8 Mail merge

Mail merge apparatus is based on Rtf10 codetable and standard reports Rtf11, Rtf12, Rtf13. Customer clones are also often used. For well configured java client (office on windows) there is possible to read the Rtf10 template and together with data send to MS WORD and start mail merge there (chap. 8.3).

Previous form Rtf01 is also accessible. It also offer data export. Form is not changeable and can't be extended or can't use Rtf10 template directly.

Tab "Personální údaje" ("Personal data") offers data excluding sensitive data of payroll nature, these are on the contrary included at second tab "Personální a mzdové údaje" ("Personal and payroll data"). Tabs are subject to access rights. Therefore there's difference, from which tab the user calls the export.

Created file is subsequently used as data source for mail merge tool in office package, which supports its processing (typically MS Office, OpenOffice). Implementation of EGJE may also include modification of templates for mail merge.

8.1 Using MS Office

If you want to create form-based letters, address labels, envelopes, address books and distribute e-mails and faxes in groups, use sub-window of tasks for "Hromadná korespondence" ("Mail merge") tasks. Proceed according to the following basic steps:

Open or create master document.
As data source use the XLS file where you have exported data about persons.
Add or edit merge fields in master document:
Open the mail merge tools panel. It includes button "Vložit sloučená pole" ("Paste merged fields").
Merge data from data source into a new document and create a new merged document.

When the document is created and edited, follow this procedure:

Open form Rtf01 and relevant tabs.
Possibly execute or import selection above the PV axis.
Perform export to XLS file (it is listed in the document header, the form remembers its previous location) by pressing the button "Export do XLS osoba" ("Export to XLS person") or button "Export do XLS vše" ("Export to XLS all").
Note: At this moment no Word document, which uses it as data source may remain open (you will make no mistake when you close it).
Open MS Word and previously created document for mail merge with positive answer to query whether to run SQL select from Data$. Then select data source, in the item "název souboru" ("file name") by clicking on arrow Word remembers last used data source, it will therefore remember also yours, created in point 3.
Word will now import data and display the document related to a single person (PV). If you want to create document, which would include all persons from data source, call function (press button) "Sloučit do nového dokumentu" ("Merge to a new document"). Now you may print or save the created document.

Note: If the created Word document includes this message "Chyba! V záznamu záhlaví nebylo nalezeno pole SlučPole." ("Error! MergeField not found in header records."), most probably you exported the data file from the first tab, while the merging document uses fields included in the second tab.

Date display format in MS Word. Instead of the default American format which is often desirable to specify the continental date field format. Ex. { MERGEFIELD DAT_NAST \@ "d.M.yyyy"}
While switching to the format for displaying and editing the field codes, use Alt + F9.

Microsoft Word, Excel and Windows are trademarks or registered trademarks of Microsoft Corporation Inc.

8.2 Using OpenOffice

Merged letters in OpenOffice's application Writer are created by means of "Průvodce hromadnou korespondencí" ("Mail merge guide"). As data source select the XLS file where you exported the data about persons. Principle is identical as with MS Office.

8.3 Rtf reports and user reports - direct MS Office call

8.3.1 Technological requirement

Apparatus needs:

· OS MS Windows

· Installed MS Office (2016, 2019, 2021), Microsoft 365

· Changed template egje*.egje for starting EGJE

For 32-bit JVM you should add element

and you should have this library in egjelib directory (of the ews template).

· For 64-bit JVM you shouldn't use this arch limitation in starting *.egje file. So:

alternatively you can use arch="x86 amd64".

Note: egje with 64-bit Office is not tested

· Running from bat you should add parameter to the command line:

-Djava.library.path=./egjelib

and into egjelib directory you should copy file jacob-1.16.1-x86.dll

resp. jacob-1.16.1-x64.dll (for 64-bit JVM environment)

Ex.:

start javaw -splash:elanor.jpg -Xmx700m -Djava.library.path=./egjelib -cp egjelib/eman.jar;egjelib/egjelib.jar cz.elanor.eman.sgui.navig.RunGui -Cconfig_jar=egjelib/config_egje.jar

Note. Parameters before cz.elanor.eman.sgui.navig.RunGui are considered as parameters for the JVM. Parameters behind cz.elanor.eman.sgui.navig.RunGui are the application parameters. For proper functioning must be java.library.path set as a parameter for the JVM.

The parameter -ea makes sense only in a test environment in production should not be set.

8.3.2 Usage

Usage of RTF reports offers:

· to store the template into database

· encapsulation specific template and data source into EGJE customer report

· EGJE calls the Microsoft Word and start an action to connect master data and the template

Templates are stored into the db using the form Rtf10.
By default, the user can make their own templates, and if he has the right Rtf10all he can use all templates.
Template selection is a report parameter.
Report Rtf11 is the template provides the same data as the first tab Rtf01. Report offers templates identified as 1 - Personnel.
Report Rtf11 is the template provides the same data as the second tab Rtf01. Report offers templates identified as 2 - Personnel and payroll.
For user reports is the type 6 - Other.

Creating templates.

The best way to create a template is to edit other template or to use a template wizard (MS Word 2021, Microsoft 365)

To create a template the xls data file is needed.

You get the xls data file from the report (e.g. Rtf12) as "XLS format (only data)".

Standard "RTF format" file also creates this xls file, but only as a temporary in Temp, and then after the merge in MS Word is automatically erased.

8.4 Mail merge – Documents DOCX ELA

The disadvantage of traditional patterns of "RTF" for example. Rtf11, Rtf12 is:

- Less comfortable usage from EGJEWEB2,

- Is fully in MS Word, it is not possible to take the result and store somewhere,

- Java client - technological dependence on the proper configuration of EGJE starters and installing the correct version of MS Word (32/64) at the station,

- MS Word Mail Merge cannot work with bulk structures of the type of records, but only with linear data e.g. Struktura1, Struktura2.

Reports Rtf21, Rtf22 work differently:

DOCX templates are also used, but their treatment is purely in the EGJE application.

It performs processing even when calling from EGJEWEB2, and also enables to create (Employee "sliced") documents and store them into Opv31.

Documents do not use the "fields" within the meaning of MS Word, but purely textual substitution, so

e.g. instead of «PRIJMENI» resp. {MERGEFIELD „PRIJMENI“}

you write plain text {{SURNAME}} Thus, in the double braces.

Printing from multiple records is enabled using the macro {{REPEAT}}.

More described in Rtf_uzdoc chapter Rtf21, Rtf22.

9 User reports

9.1 Schema

User reports are stored in a database. The user prepares them in the user directory using JasperSoft Studio editor tool and a text editor.
The company Elanor also has apparatus that allows report created by Elanor to send to customers (administrators) outside the term release or patch.
The whole apparatus is accessible by the object rights element "fUziCrea" - “Creation of user-defined reports”.
It is appropriate that the user has among his profiles assigned a user role (> = 500, Adm03, Adm02). This role is used to assign rights to the newly created report.

9.2 Apparatus description

User can edit report files directly in folder or from the report parameters form (in edit regime - button “Edit report”).

In second case is necessary to set the user reports file and paths to editors used for editing the user reports.

Menu "Nastavení / Uživatelská nastavení / parametry" ("Preferences / User settings / Parameters"):

JasperSoft Studio - in version identical with version of jasperreports used by the system. Currently:

6.6.0

XML editor – for editing *.xml files. For example:

C\:\\Program Files\\PSPad editor\\PSPad.exe

To direct edit in folder user needs also these tools and also the editor to edit .properties files (e.g. PropertiesEditor.jar)

User also needs to have Java JDK installed (i.e. not only JRE, which otherwise would be sufficient for the module) and the system variable PATH must include path to it (to javac translator). For example: C:\Program Files\Java\ jdk1.7.0_67\bin

Note:

When report is being edited, files needed for the report are copied from the user reports file to folder %USER_HOME%/Dokumenty/Eman/userreports/ (In "Preferences / User settings / Parameters / Export folder" user can change this folder).

9.3 User report creation and distribution

User reports are created by means of a guide, which will display after selecting the item "Nová sestava" ("New report") in context menu in left navigation pane. In the first step we may select whether we want to create completely new report or whether we want to create a copy of existing report. In the second step we define name of the report, its code, menu, under which the new report will be listed and access rights for the new report. New report will be created by pressing the button "Dokončit" ("Finish"). If this button is inactive, it means that code of the report has wrong format or report or form with selected code already exists.

The rule is that report code should consist of 3 characters then 2 numbers then on 6-th position "u" (user).

We don't recommend change user (customer) reports made by Elanor (6-th position "f"). It is better to do a clone with "u".

If you even so decide to change the "f" report, please, send it back to Elanor via helpdesk with short change description.

User reports are edited using button "Uprav sestavu" ("Edit report") from report run window. This choice is also available in context menu in upper left navigation panel.

Table 1 – User reports editing

Action CZ	Action EN	Description
Uprav datový zdroj	Edit datasource	Opens data source of the report in text editor
Vytvoř Jasper soubory	Create Jasper files	Creates basic version of report with standard header, footer, etc. It overwrites only non-existing files
Spusť JasperSoft Studio	Run JasperSoft Studio	It calls report editor – program JasperSoft Studio – and opens the current report in it.
Kompiluj	Compile	Translates the report to compiled form (xml => jasper)
Zobraz složku	Show folder	Shows folder containing the report.
Uprav název sestavy	Edit report name	Allows to rename the report
Edituj texty	Edit tests	In text editor, opens the file with extension .properties, which contains localized texts used in the report.

Finally do not forget to save the report back to db by the "Save report" button!

9.3.1 Transfer the user report to another db

Custom reports can be exported by selecting Export from the context menu, the report called directly from this report in the navigation menu.

The new db upload it using Adm51 standard way (see next section)

9.4 The distribution of Elanor user report

User report made by Elanor is distributed as jar file Assemblies including report and change script.

Note: former way was 2 files, second with a change script.

Upload the file and run it in Adm51 / Db Change / "Make change in Db / install user report ".

The report will load into the system.

Report is ready to use after next login to EGJE.

9.5 The previous version of the report

If they are stored in the db previous versions of the report, they are available from the context menu at the bottom. The report is shown with the date of insertion or recent change.

Warning - not all reports identified as a user reports (i.e. the letter f on 6-th position) are technologically created as custom reports. Some of them are part of the standard solution and described user reports functionality is not available for them.

10 Release and Patch installation with SuperConfigurator utility

This utility offers:

Install (into installed EGJE system) patch and releases.
Monitor running AS and EGJEWEB servers
Run change script or install user reports against more db in one batch
Generate data change scripts from configuration codetables.

Utility doesn't offer first EGJE installation in new environment.

10.1 Patche - release installation:

inform users to logout
stop the servlet container Tomcat running the application(s) EGJEWEB2 to upgrade
stop the Application servers to upgrade
run SupoerConfigurator from release/patch directory (during the first launch the user can assemble the installations list - more in 10.2)

on tab Release, Patch installation with button "..." choose the release/patch directory (indicated by patch.properties file to choose)
in installation list choose an appropriate installation

Installation makes programs installation and runs the change script
From change script run is provided log file "patch_DB_date.html" - in case of error send it to elanor support
Whole installation in logged into file egje_patch_protocol.txt

Manual documentation installation - only when item Configurator / General / "Http resp.disk folder for help files" is filled
Manual installation egjews-embed.jar - customers using EGJEWeb2 services server
start Tomcat and EGJE application servers

As part of the installation, a WAR package of the web application is generated.

Depending on the installed Tomcat version (9.0.x or 10.1.x), it is necessary to use the Configurator utility to correctly specify which version the web application should be deployed to.

At the same time, the appropriate distribution package for the selected Tomcat version must be downloaded, as the WAR package will not be created otherwise.

Note: Please note that Tomcat Manager can not properly uninstall the EGJEWEB2 running application (because it cannot stop it completely). Tomcat manager can be used only for the first installation of the application, respectively you must restart tomcat after installation via tomcat manager.

10.2 Utility installation

SuperConfigurator utility installation is made by Elanor staff. Process consists of parts:

· Choose server and directories with file access to installed EGJE applications

Change of the SuperConfigurator batch in this directory, copy actual eman.jar, egjelib.jar files;

or change the interface language (parameter -DEGJELANG=en )

egje_instalace.txt file creation
It contains a list of the file path to the config_egje.jar files.
When we list a lint to AS client config file or web server, this installation is in SuperConfigurator listed in tab Servers monitor.
When we list a file path to std. client without AS or AS itself these ones are listed in tab Installation and offers to install patches/releases and run change script.

The prerequisite is the path to java program. In terms of OS Windows java.exe that standard Java JRE installation records in Windows \ System32 / SysWOW64 directory. From version java 8 into \ProgramData\Oracle\Java\javapath directory.

Resp. you need to have in the Environment Variables / Path setting the path to the directory javaJRE \ bin respectively. javaJDK \ bin.

Triggered version of java you will find from the OS command line via command java -version

10.2.1 SuperConfigurator - restriction to run using Adm51 form

Administrators can restrict/reduce the SuperConfigurator functionality via three items in Adm51 / Reverification of authentication:

Run change script from SuperConfigurator

Run Codetable export from SuperConfigurator

IP addresses to run SuperConfigurator

Is it because this utility is not subject of authentication EGJE administrator may want e.g. to restrict usage to specific IP addresses.

The first two parameters are Yes / No and allow you to set restriction on the specific activity, while the last parameter allows you to limit where the utility is allowed to be called.

In case of first two restrictions the function button is disabled (Install selected, Launch selected, or Export).

In case of restrictions on the IP address has an entire line (ie. the database) in the column Application version text "Invalid IP address."

By default, the SuperConfigurator functionality is allowed.

10.2.2 Run SuperConfigurator without parameter

SuperConfigurator is primary designed to run with parameter - text file with configurations list.

Running without parameter has following functionality.

Typical is to run SuperConfigurator batch from installation folder the EGJE release (not from patch, it hasn't egjelib.jar usually).

Utility leads the user to create the text configuration file (egje_instalace.txt) and also offers the update of the egjeweb war file.

Functionality:

Create text file with egje installations (egje_instalace.txt)
Choose the already existing configuration file and remember it for next utility usage (stores information in user home folder)
Update war file of the egjeweb - tab "Příprava EGJEWEB.war" "Preparation of EGJEWEB.war". Smart defaults are also used here.

10.3 Other functionality

Monitoring

AS monitoring

in egje_instalace.txt should be link to client config_egje.jar file (containts an AS connection)

EGJEWEB monitor

in egje_installation.txt should be a link to http(s)_address_of_web_appl.

Codetables export

The principle is that: the export creates a change script.

It is signed, so that it cannot be changed.

The script then the user can go on another database(s), typically using this utility – Launch change script.

Data areas:

Wage codes (Slm01)

Create script from whole codetable or selected wage codes (separated by comma and "-" for ranges)

Voluntarily the file can contain attendance wage code attributes.

Selecting "all" for Wage code codetable before inserting into target db ends the validity of current WgCodes to 2000-01 period and switch " Can be created in input" to No. So WgCodes that aren't in export remain ended.

Wage code groups (Slm02)

Also all or selected includabilities.

Then before insert to new db the old includabilities of the group are deleted.

At the end the "Includability actualization" is automatically run.

Transformation to accounting (Uct01)

Includability UCTO is inside.

Before processing old content of this includability, the old content is deleted (on the target db).

Wage tariff codetable (Cmt01)

Before processing old content of this includability, the old content of all tabs (except Tariff level and Archives) is deleted (on the target db).

But New Tariff levels are inserted and existing ones are updated.

Structures (Str01)

All or selected types.

On target db at first the valid structure of selected types are ended to date 1.1.2000. Bindings among selected types structure elements are deleted and then the now ones are inserted.

This export/import is more suitable for starting import or for customers having in Str01 current state and monthly history in Str05 in Payroll.

Transferred are also data from tabs: Structure usage, Name of structure and levels (from selected structure types).

Export works with identification of the organization. In mode of a unique code within the database (Adm31 / Other Conf.), It is possible, that export / import from one environment will report an error when changing the organization at the record in one of the environments. In this case, before importing in the target environment you should delete such record and run import again.

JPČ – single field codetables (Jpc01)

Also all or selected codetables.

Then before insert to new db the old codetable values are deleted.

Roles (user, with number over 500)

Content of transferred roles is deleted before inserting new content. Other not transferred roles are without any change.

Error messages

Export user messages importance preferences.

When all is checked the target former complete setup is deleted before install a new one.

Report batches

Always (regardless of the setting all) sends and updates only the batches from source database.

Calendars

Export template days, template sections, limit checks codetable, rounding type codetable and also the Calendars codetable itself.

Always (regardless of the setting all) sends new records and updates the record with the same code.

More about exporting structures

This export is primarily designed for the initial database filling

But can be used during operation of a system. Structures can be transferred to the test environment, edit and transfer back.

Export transmits links only between those structures that are included in the export.

Also, the assignments employees - structures are not transmitted.

There is a good idea to try it all out in direction from Operational to Test environment.

11 List of permitted formats for uploading to the system

For security reasons, these formats are the allowed list that can be uploaded to the system:

· docx, doc, rtf, pdf, txt, odt, xlsx, xls, xlsm, ods, xml, jpg, jpeg, png, gif, tif, tiff, pfx, cfd

Attachment A1. Installation of Oracle version

Installation of EGJE to the db is performed by Elanor employee according to internal methodology.

Installation includes roughly the following steps:

database version, patches
unicode code page for database instance (standard characters and NCHAR characters)
XML_DB component
block size (db_block_size) minimally 8192.
initializing parameter open_cursors set minimally to 1000
EMANOWNER role
real-use and testing database in a form of owner or independent instance
objects owner versus user for connection of applications
objects owner creates context
user for connection of applications owns trigger after logon
import

solution of LOB items during import to different tablespace

objects re-created after import

EMANUSER_xxx role
(db procedure CE_CREA_ROLE run by object owner)

setup of Oracle statistics update job (Adm51/Oracle statistics/Create/renew statistical update job)
we prefer this job than other statistics update on the db level

Attachment A2. Installation of MS SQL version

Installation includes roughly the following steps:

database version
codepage, sorting
SQL server authentication
nested triggers
creation of databases (real-use and testing)
creation of logins and users
structure and data

We recommend to switch the database into mode: read_committed_snapshot on

Database than uses row versions in TEMPDB and uses less locking. Locking is often problem of MS SQL. In standard mode when writing limits reading of other users.

In EGJE some users calculates and others do reports and exports.

From 8.10.2015 also our template database is set with it.

Customer older installations can set this mode with script:

use [master]

alter database <DB EGJE> set single_user with rollback immediate;

alter database <DB EGJE> set multi_user;

alter database <DB EGJE> set read_committed_snapshot on with no_wait

Script is made for SQL Server Management Studio for SQL administrator.

Replace <DB EGJE> with your real EGJE database name. Script cancels all other connection to this DB, so you should chose appropriate time to run it.

Attachment B. Installation of software equipment (java client)

Installation of software equipment EGJE is performed by Elanor employee according to internal methodology.

Basic points are as follows:

server selection

intranet web server (recommended)
file server

selection of layout for relationship application – database

standard layout is as follows:

Installation of template to run std. client via EWS

The EWS-EGJE Web Start is released as a standalone distribution, and its functionality is described in the document "EWS – Documentation" within the EWS distribution package.

1. Creating a directory structure from the internal Elanor installation media (spec/1inst version)

(usually in two sharp and test directories)

2. Configure the web server - access the egje directory in each version (under the name evoking a production and test version)

3. Editing all EGJE files for EGJEweb start

Create a boot .egje file for a production and test environment.

Copy and edit the EWS sample file EWS\egjevzor.egje

Usually just set the correct <jnlp codebase =

and consider max-heap-size = (approx. 550m - 1000m)

and decide if generate icons (desktop or Start menu).

4. Start the configuration program to fill the db connection

a) configurator_egje.bat

Http / file address for distribution folder - checking the parameter already set in codebase=,

parameter editing (connection to AS or db, authentication)

5. Editing links to the egje file in default.htm, resp. their location on the intranet - emphasize the production and test version (or file server representative)

This completes the template - then administrator runs the EWS EgjeWS-1.0.4.msi (current version) on the user's PC, to install the egje EWS runtime egje (registering the .egje extension and installing its own ews program that downloads, updates and runs the application).

Installation – standard EGJE client via batch files

EGJE can be started also directly via java/javaw or via batch file.

Target of this way is Citrix terminal installation.

Direct run:

e.g. shortcut or citrix exported application
"C:\WINDOWS\system32\javaw.exe" -splash:elanor.jpg –Xmx512m -Djava.library.path=./egjelib -cp egjelib/eman.jar;egjelib/egjelib.jar cz.elanor.eman.sgui.navig.RunGui
-Cconfig_jar=egjelib/config_egje.jar

where "Start in" directory is EGJE on shared disk.

Note: instead of C:\WINDOWS\system32\javaw.exe can be called javaw.exe from upacked java.zip (see below java11)

if you want to add parameters you can add them behind the end (behind config_egje.jar)

e.g. -CLaF="jGoodies Plastic3D font +2" -f Dca02

We support also to run EGJE via batch file. Example batch is configurator\sample_egjew.bat in installation directory.

start javaw -splash:elanor.jpg -Xmx800m -Djava.library.path=./egjelib -cp egjelib/eman.jar;egjelib/egjelib.jar cz.elanor.eman.sgui.navig.RunGui -Cconfig_jar=egjelib/config_egje.jar

exit

When you have more config files, it is necessary to edit batches so they call the appropriate config file (parameter -Cconfig).

Note. Parameters before cz.elanor.eman.sgui.navig.RunGui are considered parameters for the JVM. Parameters behind cz.elanor.eman.sgui.navig.RunGui are the application parameters. . For proper functioning must be java.library.path set as a parameter for the JVM.

The parameter -ea makes sense only in a test environment in production should not be set.

From e201611 subdirectory "launcher" is a part of the version installation directory. It is the third way how to run the EGJE java client in Windows. It is a starting batch file consisting of two phases - the first is to version check and download onto your local disk (user's home directory ".javacache"), the second is a custom boot from the local cache, a similar principle as uses Java Web Start, but usable only from a mapped drive. More in the launcher\launcher_popis.txt.

There was a problem with the JGoodies appearance when running with JAVA 17. Therefore, if the client wants to use these appearance, it is necessary to add a parameter to the startup file: --add-exports=java.desktop/com.sun.java.swing.plaf.windows=ALL-UNNAMED The same must be added to the batch file when launching through a batch file.

It may be important to set a proxy in the batch (for example, for Adm24 Courses), see Chap. 3.3

java 9, 11: When running with a batch command / launcher, some parameters must also be added (as parameters of java (javaw), before the current -D):

-XX:+IgnoreUnrecognizedVMOptions --add-modules=java.xml.bind --illegal-access=permit

where the first parameter is used in the case where a portion of the users runs through the java 8 and part through the java 9, 11.

java 11 and using html editors in EGJE:

Html editor is used by those who have set Yes in

Adm21 / Par.komun / HTML editors for Wflow, Mail :, resp. HTML Editors for Descriptions:

However, the HTML editor is not part of java 11, but java FX.

Instead of OpenJDK 11, the administrator unpacks java.zip on the server, which is a html editor from java FX, and runs javaw from that directory in the boot command.

Java 11.0.20 and 17.0.8 and higher:

For these JAVA versions it is necessary to increase size of expected MANIFEST.MF, which is part of eman.jar. The size increases by adding a JVM parameter to the batch file :

-Djdk.jar.maxSignatureFileSize=16000000

Installation - common programs for more databases

EGJE can be run also in this model.

Structure of this installation is in the internal installation medium Elanor - file vzorMultiDB.zip.

In this case one program installation is used for more EGJE db.

It is recommended to consult this installation with Elanor technical support.

Installation - standard client run parameters

look & feel (skin)

Administrator can set the appearance of the application for all users. This option may be used for example to distinguish the production and the test environment.

The set value takes precedence over the user settings in the Local setting.

It is implemented by setting the system variable LaF

Ex. -CLaF = " jGoodies Windows font +1" for the bat

respectively for JNLP (in application-desc element):

Options:

Parameter LaF values

Windows

Windows +1

Windows +2

Windows +3

Metal

Motif

jGoodies Windows

jGoodies Windows font +1

jGoodies Windows font +2

jGoodies Windows font +3

jGoodies Plastic3D

jGoodies Plastic3D font +1

jGoodies Plastic3D font +2

jGoodies Plastic3D font +3

jGoodies Plastic

jGoodies PlasticXP

Nimbus

Nimbus font +1

Nimbus font +2

Nimbus font +3

Nimbus font +4

Tiny Look&Feel - Golden

Tiny Look&Feel - Silver

Tiny Look&Feel - Plastic

Tiny Look&Feel - Forest

Tiny Look&Feel - Nightly

Tiny Look&Feel - Unicode

Tiny Look&Feel - Unicode font +1

Tiny Look&Feel - Unicode font +2

Tiny Look&Feel - Unicode font +3

Tiny Look&Feel - Golden - old ico

Tiny Look&Feel - Plastic - old ico

jGoodies Plastic3D - new ico

jGoodies Plastic3D font +1 - new ico

jGoodies Plastic3D font +2 - new ico

jGoodies Plastic3D font +3 - new ico

Other parameters

All parameters Settings / Local settings can be set using startup parameters. Even in this case, the administrator has the following parameter set precedence and the user cannot change. Only exception are parameters with directory/file path. In case when the path on user PC is not valid, user will be able to change them.

Parameters:

With value of the folder path:

-Cacrobat - PDF viewer

-CviewerRtf - RTF, DOCX, ODT viewer

-CviewerXls - XLS viewer

-CviewerTxt - TXT viewer

-CviewerHtml - HTML viewer

-Cireport - JasperSoft Studio editor

-Cxmleditor - XML editor

-CadresarProExport - Export folder

With list of values:

-CExpForm - Export format - list of values csv, xlsx, xls, (ignores capitalization, when set incorrectly, xls will be used)

With values true/false:

-CCloEgje - Exit EGJE application without dialog

-CSmDirCle - Smart output directory cleanup

-CCretSubDir - Output to subdirectories with org.code name

-CRelGrFr - Reload for data after activating different form

Note:

Local input parameters setting in the application are stored in a file

%USERPROFILE%\.eman\config_local_user.properties

The administrator should have in mind that when you change, rename or move the user account, the folder in parameter adresarProExport may not be valid.

Attachment C1. Installation of EGJEWeb2

Procedure:

java (OpenJDK, Oracle SE Subscription JDK) installation.

Installation of Tomcat 9.0.x and 10.1.x on server (Windows or Linux)

For version of Tomcat 9.0.x we recommend using the minimum version 9.0.102, for version 10.1.x then 10.1.40.

EGJEWeb2 you can install to tomcat 8. For EGJEWeb it is not recommended (tomcat 8 has problems with deploying applications with unpackWAR="false". It uses EGJEWeb, but not EGJEWeb2.

For linux installation we recommend to add run parameter

-Dfile.encoding=Cp1250

Best place is setenv.sh. When not set, there will be problems with protocols from server has wrong diacritics.

On Windows, the code page is often set in the OS. If not and Tomcat is installed as a service, you must set the CP1250 as its parameter (tomcat properties / Java / Java Options)

In the case of incorrect text encoding (eg, months in date editors), you need to (usually on Windows) set in the basic web.xml in the default of the servlet, ie in the

<servlet-name>default</servlet-name>

parameter

<init-param>

<param-name>fileEncoding</param-name>

<param-value>UTF-8</param-value>

</init-param>

Memory configuration for Tomcat

(parameters for maximum memory pool -Xmx and for PermSize -XX: MaxPermSize

on windows in Java panel e.g.:

java options -XX:MaxPermSize=768m

Initial memory pool 768 MB

Maximum memory pool 2560 MB)

Https configuration.

Max upload file size configuration (for Tomcat manager)

file /webapps/manager/WEB-INF/web.xml
parameter <max-file-size> to minimally 300 MB => 307200

<max-request-size> dtto

Application EGJEWeb2:

1 Creation of the Tomcat application:

Via configurator_egje(_en) utility (is on installation media in folder configurator) you prepare config_egje.jar for EGJEWeb2 application.

You also can use already created file for java klient (AS) and write into it only changes for EGJEWeb2.

For Tomcat 10.1.x, you need to set “Install on Tomcat 10: Yes” in the “Version/Patch Installation” tab of the Configurator.File config_egje.jar you should copy to the Tomcat server. Running tomcat should have access to it.

2 Run SuperConfigurator form installation folder.

You choose the last tab "Preparation EGJEWEB2(HR Portál).war" and there choose First installation, fill the path to config_egje.war (from the tomcat server view)

To the field "War file save to (without path - act.folder):" you fill the target application name (without spaces and underscore). It is usual to choose different name for production and test environment.

Button "Update EGJEWEB2*.war file" then creates the Tomcat application with link to the configuration file (WEB-INF/web.xml).

Note: The alternative to the graphical environment SuperConfigurator

is a batch file buildEGJEWeb2Example.bat (sh) poalternatively forTomcat 10.0.x buildEgjeweb2Example_tc10.bat(sh). You adjust in it:

the name of the created war file
path to config_egje.jar (from the Tomcat view)

2a When updating an already installed application, it may be necessary—depending on the version of Tomcat in use—to check the “Install for Tomcat 10” option.

3a If you have to the installation environment (where you are now running SuperConfigurator) connected the Tomcat server and filesystem, it is possible to "War file saved to" put the right the path to the Tomcat / webapps. If you do it so, tomcat must be unconditionally stopped when you perform the action button "Update EGJEWEB2*.war file"!

3b If the target tomcat filesystem is not accessible, you'll create a war file and install it to the Tomcat (Tomcat manager deploy).

When you install via copying, the Tomcat should be off and before copying you should delete war file and also subdirectory with a name of the warfile (also in webapps) and also subdirectories temp and work. If not, you'll run the mix of current and previous application!

Technical notes for manual configuration and installation:

o whole app. For Tomcat 9 is in egjeweb2.war

o whole app. For Tomcat 10 is in egjeweb2_tc10.war

o each package from ESP is downloaded separately

o WAR packages are not compatible with Tomcat versions other than the ones were built for.extraction web.xml z egjeweb2.war\WEB-INF\web.xml

o edit web.xml

· add/configuration parameters „config_jar“ - link to server configuration file of EGJE (maintained via Configurator)

· configuration of parameter „<display-name>“ - name of application for Tomcat

o return file web.xml to egjeweb2.war\WEB-INF\web.xml

o possible renaming of egjeweb2.war (especially if more egje web applications is on one server)

o deploy application to servlet container Tomcat (see 3b)

Important: Do not copy the web.xml file from the old to the newly installed application! Web.xml file can be different and the difference is quite difficult to discover, as typically only part of the application does not work.

Linux "headless" servers

There are problems with data exports from forms and with export reports to excel in this configuration.
In case of problems you can try to set java environment variable

java.awt.headless=true

Typically in tomcat script setenv.sh

11.1.1 Rozdíly v instalaci Tomcat 9 a Tomcat 10

As part of the EGJE distribution, specific WAR packages are released for Tomcat 9 and Tomcat 10 series.

This is due to the transition from Java EE to Jakarta EE.

For each Tomcat version, a separate ZIP file must be downloaded and extracted into the same folder as the EGJE distribution package. The distribution contains the following WAR files, egjeweb2.war for Tomcat 9 and egjeweb2_tc10.war for Tomcat 10. Each WAR package also includes a script for manual installation: buildEgjeweb2Example.bat (.sh) and buildEgjeweb2Example_tc10.bat (.sh)

Configuration in the Configurator Utility

If the application is to run on Tomcat 10, you must check the “Install on Tomcat 10: Yes” option in the “Version/Patch Installation” tab of the Configurator utility.

Installation Using the SuperConfigurator Utility

The behavior of the SuperConfigurator utility varies depending on how it is used:

· Launched without an installation list file:

o The tab “Prepare EGJEWEB2 (HR Portal).war” is available.

o For a “First Installation”, you must specify the path to the configuration file, which determines whether the WAR package for Tomcat 9 or 10 should be used.

o When choosing the option “EGJEWEB2 (HR Portal) application…”, the configuration file is not specified. In this case, if needed, you must check the “Install for Tomcat 10” checkbox manually.

· Launched with an installation list file and direct installation for selected environments:

o The Tomcat package selection is determined by the configuration file.

o In this window, you can also open the Configurator for the selected environment and make further configuration adjustments.

11.1.2 Tomcat and SSL/TLS

While someone is running an internal network of tomcat directly under the http protocol, it is common to place the certificate into Tomcat and use traffic over https.

The description is also on tomcat pages: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

The http protocol on any port can be disabled in server.xml or redirected to https. This can be done using either a tomcat or a reverse proxy.

Using tomcat, it is done by defining the redirect Connector (eg 8080 to 8443) in the server.xml, and then the paragraph is added to the global web.xml to redirect all servlet mappings.

Typical:

<security-constraint>

<web-resource-collection>

<web-resource-name>Restricted URLs</web-resource-name>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<user-data-constraint>

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

</user-data-constraint>

</security-constraint>

Note: We do not support adding this redirect to the application's web.xml.

11.1.3 Tomcat and cookie – attribute SameSite

For Tomcat, it is possible to configure it to set the SameSite attribute for all cookies. More information about the attribute values can be found at https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html

The setting itself is done in the Tomcat /conf folder and in the context.xml file by adding the following line between the <Context> and </Context> elements:

We recommend setting the value to lax.

The setting of the SameSite attribute is possible starting from Tomcat version 9.0.21.

Operation EGJEWeb2 via loadbalancer

Loadbalancer is not included in EGJE delivery. In principle is possible to run EGJEWeb2 with it and some customers do it.

In the loadbalancer configuration you should consider several requirements

1. Setting the correct path for a cookie JSESSIONID,

See directive ProxyPassReverseCookiePath

2. Setting the correct path for the header of X-GWT-Module-Base:

the simplest way of dealing with is the setting of the same relative URL on the loadbalancer as and on the individual web servers.

see discussions on https://groups.google.com/forum/#!topic/google-web-toolkit/y0W90PgoVns and https://groups.google.com/forum/?fromgroups#!searchin/google-web-toolkit/proxypass$20serialization/google-web-toolkit/3wE9yWLMJo4/Mebd0XgW1EIJ

3. Tying client with the web server on which its session is.

It can be implemented in several ways. We have tested a variant with cookie value ROUTEID

Internally, we tested loadbalancer Apache httpd 2.4

In the configuration, the following modules were permitted

LoadModule headers_module modules/mod_headers.so

LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so

LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so

LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so

LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

LoadModule proxy_http_module modules/mod_proxy_http.so

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so

Celá konfigurace loadbalancingu

BalancerMember "http://xxxsrv:8090/EGJEWeb2" route=xxxsrv

BalancerMember "http://xxxsrv2:8080/EGJEWeb2" route=xxxsrv2

ProxySet stickysession=ROUTEID

</Proxy>

Header always add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

ProxyPass balancer://mycluster

ProxyPassReverse balancer://mycluster

ProxyPassReverseCookiePath / /EGJEWeb2/

</Location>

Safety filter

The Tomcat HTTP Header Security Filter is integrated into the application.

Application web.xml includes, among other things, the following security features:

- banning HTTP methods OPTIONS and TRACE

- setting HSTS headers for SSL access (httpHeaderSecurity filter)

The HSTS filter has these configuration parameters (config_local.properties)

from the filter documentation we list:

egjeweb.httpHeaderSecurity.blockContentTypeSniffingEnabled

Should the header that blocks content type sniffing (X-Content-Type-Options) be set on every response. If already present, the header will be replaced. If not specified, the default value of false will be used.

egjeweb.httpHeaderSecurity.xssProtectionEnabled

Should the header that enables the browser's cross-site scripting filter protection (X-XSS-Protection: 1; mode=block) be set on every response. If already present, the header will be replaced. If not specified, the default value of true will be used.

egjeweb.httpHeaderSecurity.hstsEnabled

Will an HTTP Strict Transport Security (HSTS) header (Strict-Transport-Security) be set on the response for secure requests. Any HSTS header already present will be replaced. See RFC 6797 for further details of HSTS. If not specified, the default value of true will be used.

egjeweb.httpHeaderSecurity.hstsMaxAgeSeconds

The max age value that should be used in the HSTS header. Negative values will be treated as zero. If not specified, the default value of 0 will be used.

egjeweb.httpHeaderSecurity.hstsIncludeSubDomains

Should the includeSubDomains parameter be included in the HSTS header. If not specified, the default value of false will be used.

egjeweb.httpHeaderSecurity.hstsPreload

Should the preload parameter be included in the HSTS header. If not specified, the default value of false will be used. See https://hstspreload.org for important information about this parameter.

egjeweb.httpHeaderSecurity.antiClickJackingEnabled

Should the anti click-jacking header (X-Frame-Options) be set on the response. Any anti click-jacking header already present will be replaced. If not specified, the default value of true will be used.

Setting Apache httpd headers (Apache Hypertext Transfer Protocol Server)

The EGJE application does not work correctly in the Chrome and MS EDGE browsers for the following header settings in the Apache Server:

· Header set Feature-Policy with the parameter sync-xhr ‘none‘ – we recommend not filling this parameter in the header

· Header always set X-Frame-Options ’DENY‘ - we recommend setting the parameter value to SAMEORIGIN instead of DENY.

Attachment D. Installation of EGJE Application server

Procedure:

AS is installed as a service realized by wrapper on Windows or Linux/Unix based server.

Server is equipped by the same java environment as a client

(To monitor server via jvisualvm is necessary to install it from https://visualvm.github.io/).

Note: Since e201905, AS can also be started under Tomcat / EGJEWeb2 (see 6.1.2 Web server mode in the Configurator)

Starting, stopping, restarting AS is then common with the web application, ie. Tomcat manager Reload reloads EGJEWeb2 and AS.

Server is described in wrapper.conf file:

# Java Application

wrapper.java.command=java

#resp. je možná i konkrétní cesta k java do příslušného JRE

wrapper.java.classpath.1=../lib/wrapper.jar

wrapper.java.classpath.2=../lib/eman.jar

wrapper.java.classpath.3=../lib/egjelib.jar

wrapper.app.parameter.1=cz.elanor.eman.sgui.navig.RunServer

wrapper.app.parameter.2=-Cconfig_jar=../lib/config_egjeas.jar

wrapper.console.title=EGJEAS EMANEVMA

# Maximal Java Heap Size (in MB)

# except this memory you should consider also memory PermgenSpace

# and memory for operating system.

# In other case you can think that AS freezes.

wrapper.java.maxmemory=1024

#recommended log file limits

wrapper.logfile.maxsize=10m

wrapper.logfile.maxfiles=30

for windows

# Name of the service

wrapper.ntservice.name=EGJEAS_EMANEVMA

# Name of the service

wrapper.ntservice.name=EGJEAS_EMANEVMA

# Display name of the service

wrapper.ntservice.displayname=EgjeAS EMANEVMA

for linux add

wrapper.java.additional.1=-Dfile.encoding=Cp1250

add wrapper.app.parameter.2 =-Cconfig_jar =.. / lib / config_egjeas.jar

to this file, you need to have set configurator.bat and need it fill the necessary information, especially db connection and authentication.

If an administrator wants to create / use wrapper.conf without reference to the config jar *,

the possible key values he adds directly into wrapper.conf

E.g.

wrapper.app.parameter.1=cz.elanor.egjews.server.RunServerWithWS

wrapper.app.parameter.2=-CrmiPort=10089

wrapper.app.parameter.3=-CDBurl=jdbc:oracle:thin:@prgxxx:1521:egje8

wrapper.app.parameter.4=-CDBuser=eman

wrapper.app.parameter.5=-CDBpassword=lkajdfkjaoqezroqw

wrapper.app.parameter.6=-CDBOwnerPassword=eurzoqiuezroquw

wrapper.app.parameter.7=-CSQLAdapter=cz.elanor.eman.datasource.SQLOracle

wrapper.app.parameter.8=-CDBdriver=oracle.jdbc.driver.OracleDriver

wrapper.app.parameter.9=-Cauthentification=NTLogin2

wrapper.app.parameter.10=-Cdomain=XXXX

wrapper.app.parameter.11=-CdomainControllerIP=10.29.29.29

Details about installation wrapper are on http://wrapper.tanukisoftware.org/

For Windows service installation is made batch bin/InstallApp-NT.bat

(then is managed by services.msc, net start, net stop)

We recommend to run the service under special user, created for that purpose. Don't use Local System Account.

It is necessary to setup TEMP variable to free non-protected folder (with write permissions)

This can also be set only for java and AS. E.g.:

wrapper.conf:

wrapper.java.additional.1=-Djava.io.tmpdir=c:\tmp

Using authentication mswin* you should copy to wrapper\lib folder from the egjelib.jar library

\com\sun\jna\win32-amd64\jnidispatch.dll resp. \com\sun\jna\win32-x86\jnidispatch.dll

When system hasn't this library in the path, every time unpack this library into the TEMP folder (under the unique name) and initializes it.

Service can be deleted with sc delete service_name

E.g. sc delete EGJEAS_EMANEVMA

Linux service you can install as follows:

create user egjeas

edit bin/egjeas

# Application

APP_NAME="EGJEAS_EMANEVMA"

APP_LONG_NAME="EGJEAS EMANEVMA "

RUN_AS_USER=egjeas

in /etc/init.d create link as_emanevma to file in bin/egjeas
(ln -s ....resp. you can use service as_emanevma install)

set runlevel with chkconfig

chkconfig as_emanevma on

service as_emanevma start (stop, restart,status, install, remove)

The optional parameter

with parameter retrydb=true

it is possible to initiate the mode in which at startup if AS has not accessible databases, applications still will start up and every 10 minutes then will try again, if db is accessible.

When yes, it completes the initialization.

E.g. wrapper.app.parameter.nn=-Cretrydb=true

Linux "headless" servers

There are problems with data exports from forms and with export reports to excel in this configuration.
In case of problems you can try to set java environment variable

java.awt.headless=true

Set this variable in wrapper.conf

e.g. wrapper.java.additional.2=-Djava.awt.headless=true

Java 11.0.20 and 17.0.8 and higher:

· For these JAVA versions it is necessary to increase size of expected MANIFEST.MF, which is part of eman.jar. The size increases by adding a JVM parameter to the batch file:
wrapper.java.additional.x=-Djava.awt.headless=true

Attachment E. Logging - AS, EGJEWEB2

Logging EGJE can be divided into operational and data.

Application data logging is scattered in many places across aplication, according to data jurisdiction.

See Adm_uzdoc form Adm52, Adm54 and logging tabs on other forms Adm10, Adm11, Adm12, Adm53, Vyp01, Vyp12, Dcm01, Dcd01.

Data retention in these audit tables is adjustable in Adm21.

Here, however, we will focus on operational logging.

AS and EGJEWEB2 create a text file logs.

They have an operational character, capture operating and error states of the EGJE server.

Their shape and naming conventions are indebted to the environment - it is either a file created by Tanuki wrapper that uses AS, or it is a standard logging of the Tomcat container.

Location of logs for AS defined in wrapper.conf, Default is logs folder.

For EGJEWEB2 is the definition in Tomcat Logging tab. Default is logs folder.

If the administrator wants to redirect the logs to the other location:

AS - set wrapper.conf wrapper.logfile = .. /logs/egje.log

EGJEWEB2 – tomcat setting:

· Logging levels

Via parameter log4jConfigFile you could control logging with external configuration XML file log4j.

It is another way to redirect destination files or for any parts of SW set different logging level.

(config_egje.jar / config_local_properties / parameter "log4jConfigFile")

e.g. log4jConfigFile=/opt/egje/log4j.local.xml

<?xml version="1.0" encoding="UTF-8"?>
<Configuration xmlns:xi="http://www.w3.org/2001/XInclude" status="warn" >
    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <PatternLayout pattern="%-5p - %d{yyyy-MM-dd HH:mm:ss,SSS} - session:%X{sessionID} - wID:%X{wID} - lognameWithUid:%X{lognameWithUid} - prof: %X{kod_profilu} - db: %X{db_inst_name} - %-26.26c{1} - %m\n" />
        </Console>
       <File name="File" fileName="/=opt/logs/all.log" immediateFlush="true" append="true">
            <PatternLayout pattern="%d{yyy-MM-dd HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
        </File>
    </Appenders>
    <Loggers>
        <logger name="cz.elanor.eman">
            <level>info</level>
        </logger>
        <logger name="cz.elanor.eman.datasource">
            <level>debug</level>
        </logger>
        …. další loggery

Note: The setting too much logging information dramatically reduces an application performance!

· AS logging

Log AS contains also the user identification (logname:).

Standard row template is:

...conversionPattern= %-5p - logname:%X{logname} - %-26.26c{1} - %m\n

· EGJEWEB2 logging

In EGJEWEB2 log there is 10 characters from HTTP Session ID (session:), identification of the window in browser (wID:) and identification of the user logon (logname:).

Standard row template is:

...conversionPattern=%-5p - %d{yyyy/MM/dd HH:mm:ss,SSS} - session:%X{sessionID} - wID:%X{wID} - logname:%X{logname} - %-26.26c{1} - %m\n

· Client logging to AS

Using the senLog2AS parameter, it can be set so that logged events in the client part of the application are sent to the server and subsequently logged on the server as well. Messages have to have the same logging level for the given logger both on the client and on the server. It is important to set it only in Java client with a connection to the AS.

(config_egje.jar / config_local_properties / parametr "sendLog2AS")

e.g. sendLog2AS=true

Attachment F1. JRE settings for servers - AS, EGJEWEB2

We recommend for AS and EGJEWEB2 Tomcat to setup the virtual machine parametr

-XX:-OmitStackTraceInFastThrow

The reason is, that without this parameter the server stackTrace listing is not complete.

For AS the parameter is written into wrapper.conf to additional parameters

e.g. wrapper.java.additional.7=-XX:-OmitStackTraceInFastThrow

(where 7 current nr, use max + 1 to add new parameter)

For tomcat:

linux - into setenv.sh to the line export CATALINA_OPTS=

e.g. export CATALINA_OPTS="-Dfile.encoding=Cp1250 -Xmx3000m -XX:MaxPermSize=512m -XX:-OmitStackTraceInFastThrow"

windows - utility program tomcat7w with parameters //ES//jmenoServeru

tab java / Java Options - add -XX:-OmitStackTraceInFastThrow

Attachments G.-J1. about monitoring are available in Czech and Slovak language only.

Attachment K. EGJE and Web Services

is available in Czech and Slovak language only.

Attachment L. More messages in any logs

Some processes, which generate log during its running, can start debugging mode temporarily. Then the protocol contains some debugging messages. These messages are only in Czech and aren’t for permanent using, only for error finding in cooperation with helpdesk Elanor.

Included actions:

· Monthly settlement (Vyp02)

· Interface for Accounting (Uct02)

· Yearly settlement (Vyp02)

· Import Wage Codes (Vst06) – it is planning

· Registrations NP CZ (Poj18, Poj19) – it is planning

How to set it:

· Call forth (with link on this attachment of documentation) the script (via HelpDesk) /eman/z_cust/a_debug_ela/debug_ela.xml

· Execute this script (via Adm51 or SuperConfigurator)

· After new login – on Vyp02 – there is new flag Debug ELA

· For the right period check the actions, in which you want the detail log

· Start the action – the log is extended for the messages starting with DEBUG_

· These messages can explain process of some actions for you or for HelpDesk Elanor

Note: The report and possibility to start it is only for one day – for the day of starting because of the riks of overloaded databases or disk system. And also for unnotices in logs.

Attachment M. Basic description of databases’s locks

The source of description of database’s locks: https://www.sqlshack.com/locking-sql-server/

Exclusive lock (X) - This type of lock ensures that a page or row is reserved exclusively for the transaction that established the exclusive lock, for as long as the transaction holds the lock. An exclusive lock is enforced by a transaction when it intends to modify the data on a page or row, which occurs in the case of DML commands such as DELETE, INSERT, and UPDATE. An exclusive lock can only be placed on a page or row if there is no other shared or exclusive lock already placed on the target. This effectively means that only one exclusive lock can be applied to a page or row, and once it is in place, no additional locks can be placed on the locked resources.

Shared lock (S) -

This type of lock, once applied, reserves a page or row for read-only access, meaning that no other transaction can modify the locked record while the lock is active. However, a shared lock can be established by multiple transactions on the same page or row simultaneously, allowing several transactions to share read access to the data, as the reading process does not alter the current data on the page or row. Additionally, a shared lock permits write operations but disallows any DDL changes.

Update lock (U) - This lock is like an exclusive lock but is designed to be somewhat more flexible. An update lock can be placed on a record that already has a shared lock. In this case, the update lock adds another shared lock on the target row. Once the transaction holding the update lock is ready to modify the data, the update lock (U) is converted to an exclusive lock (X). It is important to note that the update lock is asymmetric in relation to shared locks. While an update lock can be applied to a record that has a shared lock, a shared lock cannot be applied to a record that already has an update lock.

Intent locks (I) - This lock is a mechanism that a transaction uses to signal its intention to acquire a lock to other transactions. The purpose of this lock is to ensure proper data modification by preventing another transaction from locking a higher-level object in the hierarchy. In practice, when a transaction wants to lock a row, it first acquires an intent lock on the table, which is the higher-level object. By acquiring an intent lock, the transaction prevents other transactions from obtaining an exclusive lock on that table (otherwise, an exclusive lock set by another transaction would override the row-level lock).

Příloha N. Další Security opatření

Configure parameter noshowserverinfo – used values true/false. Default false.

By setting the configuration parameter noshowserverinfo to true, you prevent certain potentially sensitive information from being displayed to the end user in EGJE. This typically includes details describing the network infrastructure, such as which server the database is running on, among others. In the "About application" window, the values of these configuration items are masked with asterisks, and in other parts of the application, their display is completely suppressed. This includes, for example, the profile selection window, the web application window title, and other locations.

The following are considered sensitive configuration items: dburl, domain, domaincontrollerip, domaincontrollername, ldapsslurl, proxyhost, proxyport, rmiservers.

Preventing the display of detailed error information for unauthenticated users in a web application.

The EGJE web application does not display detailed error information to the user in the event of a failed login attempt. Instead, a limited version of the error information is logged on to the web server. The user only receives a general notification indicating that an error has occurred.

Cookies of the EGJE web application

The EGJE web application sets cookies in the browser with the Secure and HttpOnly attributes enabled. It is recommended that web server administrators also configure the SameSite attribute. However, this attribute is not set by the application itself; it requires appropriate configuration at the web server level. See Appendix C1, section 10.3.2 for details.