You can declare Windows Accounts or Windows Groups in the system and give them access to your applications.

You can create groups and organize them in a hierarchy. Each group can contain sub-groups, username/password accounts or Windows accounts. You can grant a role to a group. In this case all the users in this group and in its sub-groups will have this role.

In production, the user starts a Windows session as usual. When he opens an application, Visual Guard uses the current Windows account to authenticate the user against Active Directory. As a result, the user does not provide his credentials to enter the application. This process is called Single Sign-On.

With this Visual Guard feature, you can provide several types of accounts to the users of your application(s). For instance, you may authenticate internal users with their Windows Accounts, and external users with username/password accounts.

For better security, you can declare rules that Visual Guard will enforce when the user defines his password.

You can federate several websites that may be placed in several independent networks or companies. The user logs in once when entering the first website. Then, he can jump to another website without entering his credentials again.

You can federate several Active Directory repositories belonging to distinct networks or companies. Administrators declare Windows accounts or Windows groups from these Active Directories in a central Visual Guard Repository. Then, the corresponding users can access the applications secured by the system. As a result, you get one central security system, although users are spread over several independent Windows domains.

If a Windows application (Winform or WPF) is executed from a remote post (for example, a PC connected to the internet that does not belong to the same domain as the user’s Windows account), the user will enter their Windows credentials and Visual Guard will authenticate them.

If using a Winform or WPF application, the user can always enter the application, even if it cannot access the Visual Guard Repository: Visual Guard includes an offline store that contains the user permissions on the client-side and logs the user's operations in the application. When the application regains access to the Server, the offline store is automatically synchronized with the Visual Guard Repository.

You can manage permissions to define how a user can access and use each application.
Permissions are grouped into Permission Sets. Permission Sets are granted to Roles. Roles are granted to users or groups.

Each permission corresponds to one or several actions that will activate deactivate or modify the application's functionalities.
With static permissions, these actions are coded into the application: the application calls Visual Guard to receive the user's permissions and then executes the appropriate actions to adapt the application to the user's privileges.

Each permission corresponds to one or several actions that will activate deactivate or modify the application's functionalities.
With dynamic permissions, these actions are defined in Visual Guard only. They will then be dynamically applied by the Visual guard run-time. This means that the application code is unchanged and does not contain any instructions for the definition of permissions.

Visual Guard permissions (static or dynamic) may hide or deactivate components of your applications’ user interface. More generally, permissions can modify any property of a .NET or PowerBuilder component. For dynamic permissions, these modifications are dynamically performed by Visual Guard, without any need to modify the application code.

You can restrict user access to a subset of the application data.
For example, you can filter a list or table according to the user profile.

You can define a role that groups together all a user's permissions for one application

You can define a role that groups together all a user's permissions for multiple applications.

You can assign a role to a user with either a username/password account or a Windows account.

You can assign a role to a Visual Guard group. All the accounts contained in this group and sub-groups will have this role. You can also give a role to a Windows group. In this case, all the Windows accounts in this Active Directory group will have this role.

Visual Guard administrators and auditors can generate reports based on the current security data (users, groups, roles, permissions...)

You can save all sensitive operations users have performed in applications secured by Visual Guard. You can then generate reports on these operations (who has done what, when, etc...)

You can save all operations Visual Guard administrators have performed (create accounts, give permissions, etc...)
You can then generate reports on these operations (who has done what, when, etc...)