Technical Desk - Setting Up Selective Synchronisation

One of the most powerful capabilities of the Commence Workgroup is Selective Synchronisation, however, configuring this facility is not always easy. We are often asked to provide assistance in making the correct settings for Selective Synchronisation. 

This article looks at what is meant by "Selective Synchronisation" and the scenarios where it is appropriate or indicated to use this feature. We provide a couple of examples, and work through all the steps to configure the Commence Server for a Selectively Synchronised Workgroup.

Defining Selective Permissions for a shared category allows control over exactly what items a user can view and change. For example, if a user should not be able to view all items in a category, the Commence Administrator may set the Read permission to Selective for the specific category. The user will then receive only those shared items to which they are authorised to see.  This allows confidential data to be shared only with those users who are authorised to view it.

Using selective permissions is a powerful way of giving users access to items in a shared category on a per-item basis. Simply put:

• If a shared item is assigned to synchronise to a user, that user can view, modify, or delete the item (provided they have the appropriate Read, Write and Delete permissions). 

• If the shared item is not assigned to synchronise to a user, then no access is granted. 

The Server Database contains all shared data, even though Clients may receive only a subset of the shared data. 

It may be easier to understand usage of Selective Synchronisation by considering two examples.

Account Manager Example

In this example you have category called Contacts, that contains sales contact information, and a group of Sales Reps.  You want to allow each Sales Rep access to only those contacts related to him.  

Contacts Category

Sales Rep Category

The company has two Sales Rep's, John and Tom. Each Rep operates independently of the other, so is only allowed to see the information for their own contacts. John sees the information for Fred Smith and Jane Hughes. Tom sees the information for Angela Bloggs and Greg Clark.

By using Selective Synchronisation, Commence can be configured to only synchronise the contact items to the appropriate Sales Rep.

Note: This way of setting up the Selective Synchronisation,  tends to be the scenario described in Commence Server manual.

[For more info - refer to the technical note http://www.commence.com/support/files/tn4311.exe]

Business Unit Example

The other typical Selective Synchronisation scenario, is where you have a subset of employees who need access to information on a departmental or business unit basis. 

You might want to separate the sensitive information based on the business unit that the users belong to. So the way you could achieve this is to create a Business Unit category, which specifies which Business Unit/s the user is a part of. Each Business Unit can maintain control and access to data they "own". Selective Synchronisation is then used to control data access based on the connection to the Business Unit.

Contacts Category

Business Unit Category

Staff Category

Each Business unit can have multiple staff that are part of that Business Unit. By using Selective Synchronisation, we ensure that only Staff within the Business Unit have access to Contact information "owned" by that Business Unit. So any Acme Computers staff (John & Tom) have access to Acme Computers'  contacts; Mick Jones, Tony Foo & Jane Hughes. Any Acme Software staff (Alex) have access to Acme Software Contacts; Ann Smith.

In a real situation, there would of course be several categories of information, like Contacts, that are Selectively Synchronised. There would potentially be thousands or tens of thousands of items in each category, with Commence providing full control over access to the contacts and other information in this way.

The remainder of this article will continue to use this scenario, in listing the steps to set up Selective Synchronisation.

Selective Synchronisation is an extension of category permissions, so before continuing with the discussion on Selective Synchronisation, we need to understand how the Commence Server controls the permissions.

The Commence Server can control what information each user is able to view and modify within a Shared Database. There are two levels of permissions that can be configured.

• User Level - defines whether users can modify the underlying database architecture (we always recommend setting to "User").

• Permissions - define whether users can access data in each shared category or desktop. 

In this discussion, we are mainly concerned with the "Permissions" settings.

Category Permissions: Category Permissions determine whether shared items in each category can be viewed, modified, or deleted. The following permissions can be specified:

• Read Permission - determines whether items can be viewed.

• Write Permission - determines whether items can be added or modified.

• Delete Permission - determines whether items can be deleted. 

The following choices for each of the Read, Write and Delete Permission, determine how items in the selected categories are handled:

• All - All items in the category are synchronised to the user (no Selective Synchronisation).

• Selective - A subset of items in the category are synchronised to the user (Selective Synchronisation).

• None - No items in the category are synchronised to the user. The user receives an empty category.

In general, you should set the Permission to either All or None - this will usually be all you need to control your workgroup (in other words you are not Selectively Synchronising). The permissions control all items in a category, and the user will have the same access to all items in a category.

However, if you need to control access to specific items for specific users, then you will need to use Selective Synchronisation. In other words Selective Synchronisation adds control at the item level. To configure the selected category for Selective Synchronisation, you will need to set the Permission to either Selective or None.

Desktop Permissions: Desktop Permissions allow you to control which desktops will synchronise to each user. 

Only the Read Permissions can be controlled; Write and Delete permissions do not apply to desktops. Selective Synchronisation does not apply to desktops.

All users are assigned the default category and desktop permissions, however the default permissions can be overridden on a per-user basis.

Guide To Configuring Selective Synchronisation

The recommended technique for setting up Selective Synchronisation is to make these settings the default permissions for all users. Then when some users should receive all items (i.e. no Selective Synchronisation for that user), the default permissions can be overridden on a per user basis.  

Data Considerations

Selective Synchronisation does require certain categories and connections to exist. You need to have a category which is defined as the control over which items selectively synchronise. Then by making or removing a connection to items in that category, user permissions on that item are defined. 

In our business unit example, we set up the Business Unit category to control the Selective Synchronisation. We have two business units defined; "ACME Computers" and "ACME Software". The company policy is that each business unit should only see and edit their own contacts. So by connecting a particular contact to say "ACME Computers", all ACME Computers users will  have access to that contact. Likewise "ACME Software" contacts are connected to the ACME Software business unit, and those contacts will synchronise to all ACME Software users.

1. Create the shared Business Unit category, which will become the basis for selective synchronisation

2. Add the items "ACME Computers" and "ACME Software" to the Business Unit category

3. Make a connection between the Business Unit category and all other categories which are going to selectively synchronised (eg Contact). Call the connection "sync" - so for example you will have a paired connection to the Contact category:
   Contact sync Business Unit
   Business Unit sync Contact

For every item which is Selectively Synchronised, the connection between the item and business unit needs to be made. In this example it is assumed that this connection is made manually. At the end of this article, we provide a technique to make the connection between categories automatically (see Advanced Selective Synchronisation).

Commence Server Configuration

Make a backup of the Commence Server (including Workgroup settings) and disable syncing before making any changes. (If you are not sure how to backup the workgroup settings, you can follow the steps described in the section "Steps for moving a Commence server database from one PC to another", in the article http://crmtimes.aus.com.au/1203/technical.htm).

1. Server Administration
   On the Commence Server, go to Customise > Workgroup and the Customize Workgroup - Server Administration welcome screen will appear as follows: 

Click on the Next button. 

2. Database Options 
   The Customize Workgroup - Database Options screen appears. 

3. Default Permissions
   Click on the Default Permissions... button. The Authorization Defaults screen appears as follows:

   

   Set the Default User Level to User if it is not already. Then for each category to be Selectively Synchronised, set the Read, Write and Delete to either Selective or None. 

   In general, we recommend setting Read Permission and Write Permission to Selective and Delete Permission to None. This means that users that are granted access to items by virtue of connecting that item to their business unit, will be able to read and edit those items, but they will not be able to delete the item (i.e. they cannot inadvertently delete an item - that must be done at the server or by an administrator).

   When you are done, click on the Save button and this screen will close.

4. Assign Users to Commence Items 
   Back in the "Customise Workgroup - Database Options" screen, click on the Assign Users.. button, and the Assign Users to Commence Items screen appears: 

Note: In the left hand pane of this form, "Users" means the user names (or more correctly, Commence client names) as defined in Comadmin. The Users in this list are not the same as users that may be defined in the database, for example in a category called Staff, Sales Rep, Employees, Users, etc.

Set the "Person Category:" = Business Unit. You will see the Business Unit's that have been set up, now appear in the Person Items list in the right hand pane. You need to assign each User to one of the Business Unit's from the list on the right. 

When you are done, click on the OK button and this screen will close.

5. Select Connections
   Back in the "Customise Workgroup - Database Options" screen, click on the Select Connections.. button. The Select Connections for Selective Permissions screen appears:

For each category which is selectively synchronised (for example Items category), select it from the Category combo box, and then set the connections for Read, Write and Delete to be "sync Business Unit". 

When you are done, click on the OK button and this screen will close.

Back in the "Customise Workgroup - Database Options" screen, click on Next button.

6. Permissions. (Overriding the default permissions)
   The Customize Workgroup - Permissions screen will appear:

You can omit this step if all users will be Selectively Synchronised.

So far, we have set the default permissions that will apply. Now we can override those defaults for selected users. This is useful, for example, where some managers or perhaps administrators should have access to all items and not be subject to selective synchronisation.

In the "Set Permissions for" list, go through all the users in the list and select those that will not use the default permissions. Then click on the Edit Permissions.. button, and the Edit Authorizations screen will appear as follows:

Go through all of the categories, and set the Read, Write and Delete permissions, to the required non-default settings. Typically this will mean setting Read and Write to All, and setting Delete to None.

When you are done, click on the Save button and this screen will close.

7. You have now completed all the configuration necessary for Selective Synchronisation, and you do not need to modify any of the remaining Customise Workgroup settings. Back in the "Customise Workgroup - Permissions" screen, Click on the Finish button to save your new settings. 

Now when you enrol a new Commence client, it will become a Selectively Synchronised client by default. 

To test the configuration, you should have at least one client set up as an "Acme Software" Business Unit, and another set up as an "Acme Computers" Business Unit. On the server, add some items (say contacts), with some connected to  "Acme Software", and others connected to "Acme Computers". Verify that those items only synchronise to the required clients.

You should also be able to add items on a client, and make the connection to the required Business Unit, then observe that the items always synchronise to the server, but only to the specified clients in the connected Business Unit.

Alternate Scenario

In the previous guideline, we made Selective Synchronisation the default for all workgroup clients. In some workgroups where the majority of users are not subject to Selective Synchronisation, this approach may not be appropriate, and it may be better to make Selective Synchronisation the exception to the default (i.e. override the default settings for Selectively Synchronised clients).

To achieve this, follow the steps above with the following exceptions:

1. Default Permissions
   The Customize Workgroup - Database Options screen appears:

Click on the Default Permissions... button. The Authorization Defaults screen appears as follows:

Set the Default User Level = User if it is not already. Then set the Read, Write and Delete permissions to either All or None (not to Selective). Typically you will want to set Read and Write to All, and set Delete to None.

When you are done, click on the Save button and this screen will close

2. Edit Authorisations. (Overriding the default permissions)
   Back in the "Customise Workgroup - Database Options" screen, click on Next button and the "Customize Workgroup - Permissions" screen will appear.

In the "Set Permissions for" list, go through all the users in the list and select those that are to Selectively Synchronise. Then click on the Edit Permissions.. button, and the Edit Authorizations screen will appear as follows:

Go through all of the categories that are to be Selectively Synchronised, and set the Read, Write and Delete permissions, for Selective Synchronisation. Typically you will set Read Permission and Write Permission to Selective and Delete Permission to None.  These permissions will override the default settings, and will ensure that only the users in a particular Business Unit can access the items for that Business Unit. 

When you are done, click on the Save button and this screen will close.

3. Back in the "Customise Workgroup - Permissions" screen, Click on the Finish button to save your new settings. 

Selective Synchronisation considerations

Selective Synchronisation is a powerful tool and is essential to the correct workgroup operation for many organisations. However, it is important to understand the implications for development of your database and maintenance of the workgroup, if you decide to use Selective Synchronisation.

• Consider the significant System Administrator overhead required to set-up and maintain a selectively syncing workgroup:

  • There is another layer of architecture that must be set up in the database, to provide the connection that will control Selective Synchronisation

  • Configuration of the Commence Server is significantly more complex, and the Administrator needs to understand all the issues presented in this article, before proceeding with configuration

  • Troubleshooting synchronisation problems will be more difficult

  • You need to create two sets of permissions for every category; one for selective syncing users and one for normal users. 

• Every item that is added to a Selectively Synchronised category, must be correctly connected the category that controls Selective Synchronisation (Business Unit in our example). Alternatively, scripting must be developed to automate this process, as described below.

• Selective Synchronisation does not extend to the field level. You cannot control the permissions for access to selected fields, for certain users. Selectively Synchronisation only extends to the record level. (There are various solutions we can offer in scripting to provide control to the field level.)

• The existence of duplicate names may cause problems. You might have a contact called "Fred Bloggs" in the contact category (which is Selectively Synchronised), for more than one Business Unit, for example in both Acme Software and Acme Computers. In general, your category should not allow duplicates, and this will be fine for each of the clients in Acme Software and Acme Computers. However at the Commence Server, this will cause a problem, as duplicates are not allowed: one of these contacts will be automatically renamed, typically to Fred Bloggs2. It may be necessary to develop a unique naming scheme to address this.

Advanced Selective Synchronisation

So far in this article, we have talked about manually making the connection between the Selectively Synchronised item, and the category that controls Selective Synchronisation. In practise of course, this is unlikely to be workable. It would be too easy to forget to make the connection, or perhaps have an unauthorised person make or remove the connection. Thankfully this process can be fairly easily automated through Form scripting.

Setting Personal Information at the Client

In step 4 above ("Assign Users to Commence Item"), we had to make the Commence users map to the Business Unit on the Commence Server. This is the way it must be setup on the server for the Selective Synchronisation to work. The next step is to enrol the user in the workgroup, and as part of this process, the server uses the "Assign Users to Commence Item" to set up the information under Customise > Preferences Personal Information on the client. So the category is set to be the Business Unit category, and the user name is set to the Business Unit item (e.g. "Acme Software"). The problem with this is that any automated operations which need to get the users details, such as connecting items (e.g. a note or phone log) automatically to the user, will now be getting the Business Unit name instead of the user's actual name. This is not what you will usually want to happen. So to ensure these automated operations work correctly, you need to set the Personal Information correctly on each client after enrolling.

Assume all user names are in a category called Employee. To make the Personal Information setting, at each client, go to Customise > Preferences, and click on the Personal Information tab. In our example, the category will be set to Business Unit; change the category to be Employee (or whatever category lists your user names). Then select the correct  user name from the Employee category. Finally, select all the connections to Employee that should be automatically set in an Add Item operation (typically all of them).

You have now associated the user with the Business Unit.

GetBusinessUnit() Function

This function uses the User name set under Customise > Preferences > Personal Information to determine the current user and the Business Unit they belong to.

Function GetBusinessUnit 
'Uses -Me- to find out the correct business unit to connect to 
'Must examine existing value of Business Unit, and only set 
'the connection if there is not already a connection.

If Connection("sync", "Business Unit").ConnectedItemCount() = 0 Then

Dim sBusUnit 
sBusUnit = GetMe("part of Business Unit") 
' MsgBox(sBusUnit) 
Connection("sync", "Business Unit").SetConnection _
   sBusUnit, "" 
GetBusinessUnit = sBusUnit

End If
End Function 'GetBusinessUnit

Function GetMe(ByVal FieldName)
'--- Function to return current user details

Dim lDB, lCursor, lQRowSet, lIndex, lResult
Set lDB = Application.Database
Set lCursor = lDB.GetCursor(0, "Employee", 0)
lResult = lCursor.SetFilter("[ViewFilter(1, F, , Name, _
   Equal to, ""(-Me-)"")]", 0)
Set lQRowSet = lCursor.GetQueryRowSet(1, 0)
lIndex = lQRowSet.GetColumnIndex(FieldName, 0)
GetMe = lQRowSet.GetRowValue(0, lIndex, 0)

End Function 'GetMe

Calling GetBusinessUnit()

All that remains now, is to call GetBusinessUnit(). Typically it would be called when the form is first opened, to ensure the Business Unit is always set. So if the tab order specified that the Date field was the first field entered in the form, your code may look like

You may also want to have some code that prohibits the user from entering the "sync Business Unit" field, so the value in this field cannot be changed.

Summary

Selective Synchronisation is a powerful tool to ensure the security of your Commence data. This article has covered many of the issues that an Administrator needs to be aware of in developing a Selectively Synchronised workgroup, as well as presenting a set of practical guidelines for Server Configuration.

Advanced User Systems provides support and consulting to set up Selectively Synchronised workgroups. Please refer to our web site, www.aus.com.au or our feedback page for more information or assistance.