We received a request from our Auditors to separate Power user role into two different roles
1. First role will have access to only User Security
2. Second Role will have access to all other modules.
We tried to creating new role to give access to only user security, for some reason we are having issues in making it work. What security tasks needs to be assigned for the role that will be able to create new user, assign roles to new user. (SQL level will have access to create new user and allow to give access to the database)
Please let us know how we can accomplish this task.
GP Security can be complicated but once you get the hang of it, it's not so bad, it just can take a long time to get it right. With that said, I always use GP Power Tools for this type of situation - it's easy (and low price) to use - you basically turn on a 'recorder' and go to the areas you want access granted to, then turn it off and BAM! It creates a role for those areas.
There are some tricks to allowing a user to add new users - my friend Mark wrote a great article on this: https://www.gofastpath.com/blog/add-gp-users-without-sa
The idea of dropping power user is 100% the best path, putting the time in to get things set up will be worth it in the long run.
In general, many of these tasks are in the Product: Dynamics GP Type: Windows Series: Full
Also, there is a script I refer to on this blog post for creating a super user - this helps mitigate power user as well:
I welcome others to add additional color to this discussion but hopefully this is a decent start.
Microsoft MVP | Twitter | LifeHacks365.com