For those who don’t want to read that: it’s an MES customization. We are using the client computer name to determine appropriate access to workstations on the shop floor; that is, employees should only be logging into workstations in their department.
The problem in Kinetic: client information doesn’t exist.
If I’m understanding this correctly, how much control do you have of the device sign-on? If you have dedicated accounts on these stations, you could then assign a user per station and then, based on the login, perform checks in the server BPM. Whether that be hardcoded checks, UD table, UD column, JSON, etc., you can fail the ClockIn call.
Station1 → ClockIn
Grab Employee context on server, validate their dept against your source, fail with exception if invalid. The client is immediately notified with the error, which also prevents the clock in.
You can ensure this further by making sure the BPM is only called from the DC module based on the callContext.
Future maintenance depends on how you store/retrieve this list, but essentially just a new list. No client changes required.
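A stand-alone model of the server-side check outlined above, written for this thread and not Epicor or BPM code; the station account list, the employee department table, and the `module` field on the call context are constructed stand-ins for whatever source the BPM would actually query:

```python
"""Model of a ClockIn guard: station account -> department, validated per call."""
from dataclasses import dataclass

# Constructed sample data: each dedicated station login maps to one department.
STATION_ACCOUNTS = {"mes-weld-01": "WELD", "mes-paint-01": "PAINT"}
# Constructed sample data: employee id -> department (the Employee context on the server).
EMPLOYEE_DEPT = {"E100": "WELD", "E200": "PAINT"}
# Denied attempts are kept so supervisors can review who tried to clock in where.
DENIAL_LOG = []


@dataclass(frozen=True)
class CallContext:
    user_id: str      # the dedicated station account the browser logged in with
    module: str       # hypothetical: which module issued the call, "DC" for Data Collection
    employee_id: str  # employee badge/id being clocked in


class ClockInRejected(Exception):
    """Raised to fail the ClockIn call; the client sees this message."""


def validate_clock_in(ctx, station_accounts=STATION_ACCOUNTS, employee_dept=EMPLOYEE_DEPT):
    """Return the department the clock-in is accepted for, or raise ClockInRejected."""
    # Only honour calls that came through the DC module, as suggested above.
    if ctx.module != "DC":
        raise ClockInRejected(f"ClockIn from module {ctx.module!r} is not permitted")
    station_dept = station_accounts.get(ctx.user_id)
    if station_dept is None:
        raise ClockInRejected(f"login {ctx.user_id!r} is not a registered station account")
    emp_dept = employee_dept.get(ctx.employee_id)
    if emp_dept is None:
        raise ClockInRejected(f"employee {ctx.employee_id!r} has no department on file")
    if emp_dept != station_dept:
        raise ClockInRejected(
            f"employee {ctx.employee_id} ({emp_dept}) may not clock in at "
            f"{ctx.user_id} ({station_dept})"
        )
    return station_dept


def try_clock_in(ctx):
    """Wrapper that records denials and reports (allowed, reason) to the caller."""
    try:
        dept = validate_clock_in(ctx)
    except ClockInRejected as err:
        DENIAL_LOG.append((ctx.user_id, ctx.employee_id, str(err)))
        return False, str(err)
    return True, f"clocked in to {dept}"
```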
@zachg - our current classic Kinetic solution is almost that, linking station/hostname/client name to the employee and validating from there. But Kinetic Web does not have a station/client/hostname for web clients, so we don’t know “where” the connection is from. We don’t have unique MES logins, but it’s on the list of possible solutions. It has its own complications. We tried something like that before, and because our employees need to know the login (we can’t kiosk the stations b/c they are used for other apps), and they move around in the plant, they’ll learn the login for the station they can use and ‘cheat the clock’ at some other station. In general, the solution needs to be sneaky-human-proof.
@aosemwengie1 - we have a large, long facility and the employees are ‘cheating the clock’ by clocking in at the station closest to the employee entrance and not getting to their department for quite some time. Over a year’s time, it really adds up the non-productive payroll expense. So Mgmt doesn’t want to do the ‘timeclock at the entrance’ thing.
The browser has to see the Epicor UserID, so you essentially re-map the “where” to be based on a user, rather than a machine itself. This isn’t an easy change per-se, but there’s no reason not to use SSO org-wide. It doesn’t require any licenses which means service accounts / frontline are still easily supported.
Then you can’t be sneaky and switch the browser from SSO to user/pass - In our case, most of our users don’t even know the login page has a dropdown and just click the SSO button instinctively.
The craziest but not impossible thing you can do is deploy a local agent (like Epicor’s Edge Agent) and force the browser to communicate with this service, which can grab the local IP / info of the device. You just then have to maintain an entire new application.
It’s probably just a few REST calls to clock in. You could make your own app for clocking in, and leave the MES for all other operations, but disable clocking in through it.
In general though, after you have cleaned up all the ways people can circumvent the process by accident or by laziness, management needs to do their job. Managers should know if their employees are attaining the expected level of productivity; Epicor admins shouldn’t be building a digital police state. My 2 cents.
Yep - that was a direction on our list as well - but like you said - something else to keep up with.
And we totally agree - management AND the employees should just follow some simple rules 100% of the time. But when they refuse to, then limitations on the loss they create must be put in place.
No idea if this would work or is even possible, just spitballing here.
Can you turn each MES computer into a Workstation and then somehow assign each employee to a Workstation? I know the Workstation is for printing and stuff, but did not know if you could leverage the functionality.
@jkane - Yep - we worked that angle every which way, but the browser/OS security “wall” prevents any way to associate the login with the host/client/PC.
More spitballing. Don’t know if this is possible, but can’t you create custom urls that all resolve to the same place? So, you could have Kinetic1, Kinetic2, etc that all resolve to whatever the main address is. Then you could maintain something that says if George is logging in at Kinetic1, error as he should only log in at Kinetic5.
Add another employee entrance with a workstation at the far end of the building.
This sounds more like a management/supervision issue than an Epicor one. Can understand the “wasted time” aspect if they’re clocking in at one end of the building and slowrolling their way to their department 1000-2000 feet further into the facility. Not sure how many users we’re talking about here so hard to say what is/isn’t manageable. Add an MFA element to the workstation use… limit user access to the machine entirely. Or just tell the users to log in at their correct/local departmental workstation on time, then use video surveillance to enforce the policy if needed.
Not sure if labor law would come into play, or if you clock in and out of operations, but I wonder if you could consider hours worked to be from clocking into the first op of the day and clocking out to be the last op they worked on for the day.
@MikeGross if you could find some conveyor somewhere you could build moving sidewalks to reduce the walking time and keep people moving to their correct workstation! lol
Trust me guys - I’ve been around the world with management (HR, Production, Executive) on this and all the reasonings they have for doing this.
Personally - this is against my beliefs: (1) we don’t code for stupid or lazy, and (2) people agreeing to a standard of behavior as part of the job should adhere to it, or lose the job. Honestly - do these things ever ring 100% true anywhere?
I lost the argument, no reason to rehash it all here.
@jkane We’re trying to figure out a way to identify the login location - that’s the key - but the browser keeps getting in the way. We’re looking at URL handlers, browser extensions, custom app on the MES station - all of which have been mentioned above - just trying to do something that doesn’t increase the IT load or violate the security rules.
That’s kinda what I was getting at with the non-Epicor suggestions like MFA at the workstation level. Sounds like managers don’t want to manage their people so it’s now an IT problem.