We received a request from our auditors to separate the Power User role into two different roles:
1. First role will have access to only User Security
2. Second Role will have access to all other modules.
We tried creating a new role to give access to only User Security, but for some reason we are having issues making it work. What security tasks need to be assigned to the role so that it will be able to create new users and assign roles to new users? (The SQL level will have access to create new users and allow giving access to the database.)
Please let us know how we can accomplish this task.
Shawn is right with his recommendation, and I can even add that if you download and install the GPPT for a 30-day trial, you're going to make your life much easier when analysing all the pitfalls of GP Security. Right during installation, GPPT asks you if you want to create the SUPERUSER role in GP, which is not identical to POWERUSER, as it is a regular GP role, but provides access to everything.
GPPT also has a nice function that allows you to build Security Roles & Tasks on the fly by just recording the resources a user goes through during their activities. This way you can create really tight & custom security for GP.
In general, the default role IT_MANAGER* already provides a decent role to start with and allows management of user security in GP. Remember to also assign those SQL users the specific SQL security role 'SecurityAdmin' so that they are granted permissions to create users and reset passwords in GP.
The most recent build of GP also added a Security Workflow, which prevents users from creating / granting access without being supervised and approved first by an upper authority in the company. That is a welcome safeguard that was missing in GP for years, as any sys admin could just go ahead and grant themselves or other users full access, without much detection for a while (and this implies there are some external controls taking place on a regular basis).
Feel free to reach out if you need more help.
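
The SQL Server side of the 'SecurityAdmin' step mentioned in the reply, as an added example that is not part of the original posts: it grants the server role to one login and then lists everyone holding `securityadmin` or `sysadmin` so the auditors can review the split. The login name `gp_secadmin` is a placeholder (an assumption) for the existing SQL login of the GP user who will manage user security.

```sql
-- Added example. [gp_secadmin] is a placeholder for an existing SQL login;
-- replace it with the login of the GP user who will manage user security.

-- 1. Grant the server role named in the reply (ALTER SERVER ROLE syntax, SQL Server 2012 and later).
ALTER SERVER ROLE [securityadmin] ADD MEMBER [gp_secadmin];

-- 2. List every login that holds securityadmin or sysadmin, so the
--    separation between "user security" and "everything else" can be reviewed.
SELECT r.name        AS server_role,
       m.name        AS member_login,
       m.type_desc   AS login_type,
       m.is_disabled,
       m.create_date,
       m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'securityadmin', N'sysadmin')
ORDER BY r.name, m.name;
```

Microsoft's documentation states that `securityadmin` should be treated as equivalent to `sysadmin`, because its members can grant server-level permissions, so the membership list from step 2 belongs in the periodic access review.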