System Security

Some companies using proxy servers that restrict access to some sites may also block APS.

Exceptions should be created for APS URLs such as:

http://[server name]:[port]/ServerManager.soap
http://[server name]:[port]/PTBroadcaster.soap
http://[server name]:[port]/PTInterface.soap
http://[server name]:[port]/UpdateFileManager.soap

Additionally, the following measures should be taken to avoid security conflicts:

  • On the Server
    • Allow incoming and outgoing APS communication through the firewall. Ports 7991 and say 8001 through 8020 (for 4 instances). Note: Port 7991 is the most secure port to use. 
    • Administrator rights for installing ServerManager and Enterprise Client are required.
    • Administrator rights are also required for using the Enterprise Client.
  • On the Clients
    • Allow incoming and outgoing APS communication through the local firewall.
    • Note: The Clients are installed in the user's directory so no permission changes required.
  • General
    • Allow communication through any proxy servers.
    • Depending on settings, may need to be added to trusted zones.
    • Internet Options --> Internet Security --> .NET reliant component --> Run components signed with Authenticode should be enabled.

Note: Port 7990 is hosted if the "Enable Compatibility Connections" is checked in the instance manager. However, this port should not be used for new installations. Port 7991 is the most secure port. 

User-Related Security

Although the different user types automatically lock certain features based on their level of scenario access, the following options can be assigned to the users regardless of scenario access:

  • Control:
    • Administrator: This user can maintain users and permissions. 
    • Scenario Access Level: Master Scheduler, View All, ViewPublished, etc.
  • Scheduling:
    • Can Lock: This user is able to lock and un-lock jobs. 
    • Can Anchor: This user is able to anchor and un-anchor jobs.
    • Can Expedite: This user is able to expedite jobs. 
    • Can Change Job Status: Marks the user for future deletion.
    • Can Hold Jobs: This user is able to hold and un-hold jobs. 
    • Can reserve CTPs in Live Scenario: This user can create CTPs with reservations in the Live scenarios. All users with What-If access can create What-If CTOs and can reserve CTPs in What-If scenarios.
    • Can Reschedule Purchases: This user is able to reschedule purchases using the Dock Schedule Board.
    • Can Schedule Plant: This will affect UI actions and visibility.
    • Can View Jobs: If not enabled, this will hide jobs from this plant from the jobs grid and the activity grid.
    • Can View Inventory: If not enabled, this will hide inventory from the inventory plant and CTP. 
    • Can Set Priorities: Permits changing of priorities for jobs, manufacturing orders, and customers.
  • Data:
    • Can Undo ERP Actions: If true then ERP actions can be undone and redone by the user. 
    • Can Maintain Forecasts: Permits access to forecast functions. 
    • Can Maintain Jobs: Permits access to job maintenance functions. 
    • Can Maintain Resources: Permits access to maintenance functions for plants, resources, calendars, cells, and capabilities. 
    • Can Maintain Inventory: Allows access to purchase orders, sales orders, and the items grid.
    • Can Maintain Scenarios: Allows converting scenarios to the Live scenario, managing system-wide options, and viewing certain logs. 
    • Can Maintain Interface: Permits access to the Interface Wizard to modify interface settings. 
    • Can Maintain Customers: Permits access to customer maintenance functions. 
    • Can Run Interface: Permits execution of the interface to import data. 


Passwords can be set for users when they log into the client portal. These are case sensitive and only required if they have been entered for the specific user. Any number of failed login attempts is permitted.

Note: Password saving can be disabled for increased security. To do this:

  1. Open the instance manager settings. Go to the "Clients" tab.
  2. In the Active Directory section, uncheck the "Allow Password saving" checkbox.


  1. Set "AllowPasswordSaving" to "false" in the Client.exe.config file stored in the Program Data files on the Server. (Setting it locally will only work temporarily until the next client session when the Client Updater overwrites the local file.)
  2. Restart the Client Updater Service on the Server so that the updated config file is loaded into memory. Failing to do so will cause the old settings to continue to be used by clients. 

Connection String Security

In Instance Manager Versions 12.0.50 and later, connection strings are not shown in plain text to avoid displaying the database password.

The connection string can be created and edited, but will not be displayed.

Password Reset

Users can reset their own passwords by selecting "Reset My Password" from the user drop-down menu in the upper-right corner of the main screen. 


Administrators can also require the following regarding passwords:

  • Require Passwords To Be Changed Periodically: If enabled, users will be prompted and required to reset their passwords after the number of days specified. Repeating the current password is disallowed.
  • Require Strong Password: If enabled, all user passwords must conform to the strong password requirements of:
    • Eight (8) character minimum
    • At least one (1) upper case character
    • At least one (1) lower case character
    • At least one (1) number or special character

Note: These User Security settings can be found in Settings | System Options | User Security.

  • Require Password Reset at next login: When new users are created, an administrator can check this box in the user dialog to require that the user resets their password on their next login. 

User Windows Authentication 

Logging in with windows credentials can also increase the security of the system.


  • Select the "Use Active Directory" checkbox on the client login window. 
  • Specify the Active Directory Type:
    • Specify Credentials: This option allows you to log in with any valid user account.
    • Use Current Credentials: This option will use the account currently logged in. 

Note: To use the active directory, go to the Clients tab of the instance manager setting, and check the "Use Active Directory" checkbox. The default is set to deny (the box is unchecked).