We received a request from our auditors to separate the Power User role into two different roles:
1. First role will have access to only User Security
2. Second Role will have access to all other modules.
We tried creating a new role to give access to only user security, but for some reason we are having issues making it work. What security tasks need to be assigned to the role so that it will be able to create new users and assign roles to new users? (SQL level will have access to create new user and allow to give access to the database)
Please let us know how we can accomplish this task.
GP_Geek_ - any chance this is something you can help with?
GP Security can be complicated but once you get the hang of it, it's not so bad, it just can take a long time to get it right. With that said, I always use GP Power Tools for this type of situation - it's easy (and low price) to use - you basically turn on a 'recorder' and go to the areas you want access granted to, then turn it off and BAM! It creates a role for those areas.
There are some tricks to allowing a user to add new users - my friend Mark wrote a great article on this: https://www.gofastpath.com/blog/add-gp-users-without-sa
The idea of dropping power user is 100% the best path, putting the time in to get things set up will be worth it in the long run.
In general, many of these tasks are in the Product: Dynamics GP Type: Windows Series: Full
Also, there is a script I refer to on this blog post for creating a super user - this helps mitigate power user as well:
I welcome others to add additional color to this discussion but hopefully this is a decent start.
Microsoft MVP | Twitter | LifeHacks365.com
You would have to create 2 new Security roles: one to just handle security objects and processes, and another with everything checked except the user security objects.
You would need to narrow your focus to determine what is needed to work exclusively with users, user access, and user security and possibly the Admin module setup screen. The other would need everything except what you set to build the other.
Get together with your VAR partner and have them help you; you probably want to create the roles and then test them in a test company.
Shawn is right with his recommendation, and I can even add that if you download and install GPPT for a 30-day trial, you're going to make your life much easier when analysing all the pitfalls of GP Security. Right during installation, GPPT asks you if you want to create the SUPERUSER role in GP, which is not identical to POWERUSER, as it is a regular GP role, but provides access to everything.
GPPT does also have a nice function that allows you to build Security Roles & Tasks on the fly by just recording the resources a user goes thru during their activities. This way you can create really tight & custom security for GP.
In general, the default role IT_MANAGER* already provides a decent role to start with and allows management of user security in GP. Remember to also assign those SQL users the specific SQL Security role 'SecurityAdmin' so that they are granted permissions to create users and reset passwords in GP.
The most recent build of GP also added a Security Workflow, which prevents users from creating / granting access without being supervised and approved first by an upper authority in the company. That is a welcome safeguard that was missing in GP for years, as any sys admin could just go ahead and grant themselves or other users full access, without being detected much for a while (and this implies there are some external controls taking place on a regular basis).
Feel free to reach out if you need more help.