Section §4
User roles and permissions
6–8 roles, RACI-shape matrix, permission boundaries.
4.1 Named roles
MES-Plus distinguishes seven user roles in the running configuration. Five are vendor-shipped; two are customer-defined.
| Role | Headcount | Vendor / customer | Database object |
|---|---|---|---|
| Production planner | 2 | Vendor | role_planning |
| Shop-floor operator | 30 (terminal logins; 42 distinct named users on rotation) | Vendor | role_shopfloor |
| Procurement | 2 | Vendor | role_procurement |
| Accounting | 3 | Vendor | role_accounting |
| Quality / inspection | 1 | Vendor | role_quality |
| Period-close lead | 1 (the head of accounting wears this hat) | Customer-defined 2014 | role_close_lead |
| System administrator | 1 (internal IT) | Customer-defined 2014 | role_sysadmin |
In addition, three service accounts exist:
svc_broker— used by the integration broker to read and write transactional tablessvc_ssis— used by SSIS packages for batch ETLsvc_reporting— used by the BI export and the Crystal Reports runtime
4.2 Permission boundaries
Permissions in MES-Plus are organised as screen access plus field-level edit rights plus, separately, database-level grants on the underlying tables. The two layers are not perfectly aligned. The auditor verified inline that the application-layer rules and the database-layer grants agree for the seven application roles. They do not always agree for the three service accounts. [DB, OBS]
The matrix below summarises application-layer permission shape. R = read, W = write, A = approve, ✓ = full, — = no access.
| Module | Planner | Operator | Procure | Accounting | Quality | Close lead | Sysadmin |
|---|---|---|---|---|---|---|---|
| Customer orders | R/W | R | R | R | — | R | ✓ |
| Production orders | R/W | R/W (own only) | — | R | R | R | ✓ |
| Inventory transactions | R/W | R/W (issue/receive) | R/W | R | R/W (quality holds) | R | ✓ |
| Item master | R | R | R/W | R | R/W (quality data) | R | ✓ |
| Bills of material | R/W | R | — | R | R | R | ✓ |
| Routings | R/W | R | — | — | R | R | ✓ |
| Purchase orders | R | — | R/W/A | R | — | R | ✓ |
| Supplier master | R | — | R/W | R/W | — | R | ✓ |
| Goods receipt | R | R/W (warehouse) | R/W | R | R/W (quality) | R | ✓ |
| Sales invoicing | — | — | — | R/W | — | R | ✓ |
| Supplier invoicing | — | — | R | R/W/A | — | R | ✓ |
| GL postings | — | — | — | R/W (own period) | — | R/W/A (all periods) | ✓ |
| Period close | — | — | — | R | — | R/W/A | ✓ |
| Cost rollup | — | — | — | R | — | R/W | ✓ |
| Master data: cost centres | — | — | — | R | — | R/W | ✓ |
| Master data: chart of accounts | — | — | — | R | — | R/W | ✓ |
| Reports | All standard | Production only | Procurement | Accounting | Quality | All | All |
4.3 Approval chains
Three workflows include formal approval steps:
- Purchase order release. Threshold-based: under €5 000, Procurement self-approves. Over €5 000, Period-close lead countersigns. Over €25 000, the managing director (who does not have a MES-Plus account; approval is captured on a printed PO that Procurement scans back into a notes field). [OBS, INT]
- Supplier invoice approval. Three-way match (PO + GR + invoice) is performed in MES-Plus. If the match is clean, Accounting approves. If there is variance > €500 or > 5 %, Period-close lead reviews.
- Period close. Period-close lead is the only role that can transition a period from
open→closed. The system enforces this at the database level via a stored procedure check. [DB]
4.4 Notable permission anomalies
Three findings worth recording:
-
role_shopfloorcan updatecustomer_order_lines.delivery_datethrough one screen (the production-confirmation form, when a confirmation is registered against an order with a missing or future-dated planned-completion). This is almost certainly an unintended consequence of a 2015 form modification by the consultant who is no longer engaged. Operators are not aware they have this right and have not exercised it as far as the change log shows. [DB, change log scan] Severity-2 risk, see §11. -
svc_brokerhasdb_owneron the MES-Plus database. This was granted in 2014 during integration setup as the path of least resistance and never narrowed. The integration broker therefore has unrestricted access including DDL. Severity-2 risk, see §11. -
The
sysadminrole retains the original 2008-deployment default password on therole_sysadmin_legacySQL login which still exists in the database. The application no longer uses this login (it was deprecated in the 2017 upgrade to a Windows-authentication scheme) but the SQL login remains enabled withdb_owner. Severity-1 risk, see §11.
4.5 Identity and authentication
MES-Plus authenticates users via Windows Authentication (since the 2017 upgrade). Each user is a member of one of seven Active Directory groups, which map 1:1 to the seven application roles.
Password policy is inherited from Active Directory: 8 characters, complexity required, 90-day rotation, 5-attempt lockout. Service accounts use long random passwords stored in a customer-internal password vault (KeePass shared file on the IT share). [CFG]
There is no multi-factor authentication on MES-Plus access. The customer’s AD does not enforce MFA generally; only the VPN to the customer LAN enforces MFA. Once on-LAN, MES-Plus auth is single-factor. [CFG, INF]
4.6 Audit trail of permission use
A user_activity_log table records login events and a subset of high-value actions (period-close transitions, supplier-master changes, PO approvals). Retention is 24 months and is enforced by a nightly purge job. [DB]
The table does not record:
- Read access to financial reports
- Inventory transaction reversals (only the original transaction is logged)
- Master-data deletes (the row is soft-deleted but the deleting user is not captured)
- Service-account activity (the broker and SSIS accounts run “as service”; their actions are logged with
user = svc_*but the originating action is not always reconstructable)
A reader using the user_activity_log for a forensic question about “who changed this supplier’s bank account last Tuesday” would, in the auditor’s tracing, succeed in approximately 70 % of plausible questions. The remaining 30 % require database-level transaction-log forensics, for which the customer has no current capability. Severity-2 risk, see §11.