We are doing an audit on user access. A test user is very restricted to only a handful of items in the menu tree (good), however when they log in and see the “Kinetic Home Page” in 10.2.700 they see links to a bunch of items like AR Invoice Entry and AP Invoice Entry, WHICH THEY CAN OPEN!
Re: AR Invoice Entry menu item
Financial Management: set to only selected groups
Accounts Receivable: set to only selected groups
General Operations: set to only selected groups
AR Invoice Entry menu item: set to “Allow All”
The test user in question is not part of any of the selected groups above. They are blocked from seeing the AR Invoice Entry in their menu tree, BUT it is on their “Kinetic Home Page” and they can open/use it.
Is this normal? Is there a setting to make the Kinetic Home Page read permissions the same as the menu tree?
Menu Security is not enough to secure people from doing transactions.
For what you are needing, you will have to also set the security at the individual menu items too.
However, that user may still have access to do things via REST. You will want to enable process security too.
On our test of 2023.1 a popup comes up and says Access Denied for the same user with the same permissions. I’m assuming at some point between 10.2.700 and 2023.1 Epicor changed the flow to cascade permissions down?
Is it best to then only assign security to actual programs in the menu tree, but leave the categories and subcategories wide open? Or to set security on every single item in the whole tree and ignore using the “allow all”?
