Account Security Settings are Controlling Employee Access in MES

The main problem I want to fix is employees with boxes checked for their MES security groups (below) aren’t able to use all apps for their corresponding tabs.

For example, an employee is marked as a Material Handler but not all apps under the Material tab are available. Many apps are grayed out (see second and third pictures).

image

In the new version of MES (Kinetic MES?), the user logs into an account and then logs/clocks in with their employee ID. If the person logs into different accounts but with the same employee ID, the access is different. This wasn’t expected.

Example:

Test employee has these security groups checked: Material Handler, Shop Supervisor, Shipping/Receiving, Production Worker, Warehouse Manager.

Logged-in account is in the Inventory and Logistics security groups.

Logged-in account is in the All Plant Workers security group.

Honestly, I think I messed up menu permissions when I imported them. I set a bunch of things to disallow all because I didn’t realize menu security maintenance contained anything other than access to menus.

I’ve set all menu security codes that start with “SECPR” to allow all (the pictures above are post-setting procedures to allow all), but that wasn’t enough. Is there a way to see which MES menu items are associated with which menu security codes?

The easiest fix is to give the logged-in account Security Manager access in order to see all the apps for their respective tabs, but giving everyone full access isn’t a long-term solution.

Doesn’t Handheld/MES Security menu item play a part in this as well as the employee record?

Definitely. All the apps in the MES and MES Mobile trees have one or more security roles assigned to them in MES Security. I’m honestly not sure what EMWW is.

The test user has everything but Service Technician selected (we don’t use the service tab at this time), so we expected the employee would have access to all the apps granted to them by MES Menu Security.

I noticed this change too. I am thinking that the Classic MES did not look at the user who signed into MES and was just hard coded to open the screens. Now it appears that the user who signs into MES is what controls the security.

As an example, our users could no longer use the Job and Part trackers in MES. They got some error about invalid access or something. I checked what screen was being called on click and checked to see if the user had access to that screen. They did not, but they did have access to the same tracker in a different place, so I changed the click to open that one instead and all was good.

This is another place that I believe Epicor could do a better job communicating the changes. They actually changed the Menu IDs in one of the releases. I only figured it out because Open With and buttons were no longer working. Once I figured it out, I changed the Context to point to the new ID. Then, with another release they changed it all back! I had to re-change them all again because they were not working again. Very frustrating!! I have wasted too much time working on these security issues that could have been avoided with some communication.

2 Likes

Oh my, that might explain some peculiarities here… Thanks @jkane for pointing that out.

Has anyone encountered this issue before and how have they solved it?

You have to update your security to allow the account that is logging in to MES to have access to those screens.

Do you use a generic account to have the workers log in?

We use a couple generic accounts for employees to log into.

Is there a way to make the generic accounts work for us?

Yes, you need to give those accounts access to the screens that are being called from MES. If you go into Application Studio, you can see what Menu ID is being called for the button clicks and then check to see if the account they are signing into MES with has access.

I would love to hear something from Epicor on these security changes and what their direction is going to be, but I am not holding my breath.

1 Like

Understood. Thank you for helping, especially the Application Studio/Menu ID tip.

For anyone else reading this:
I was having trouble finding it in Application Studio before. I was trying to look at the data binding for the answer, but I clicked on the On Clicked trigger and saw the program name and searched for that in Menu Maintenance. I made that column come up in the Kinetic view with the Personalize Columns option.

I’m pretty sure this issue is related to the same one where Epicor broke the Kinetic home pages, because they are now enforcing security down to the menu level. The same fix was applied there: re-adding the shortcuts to ones the user had access to.

1 Like

We’re in our first week of using Epicor company-wide. We went live on Monday morning. Security permissions have been a headache for sure.

I did notice yesterday that users couldn’t access apps unless they had access to the folders those apps were in. Same thing with folders in folders.

Correct, that is the security model. The user account must have access to all folders above what you want them to have access to.

We are currently on 10.1.600 in Production but are preparing to go live on Kinetic 2023.1. In 10.1.600, I never figured out how MES menu security worked beyond the check boxes on the Employee record.

I have now figured out that Epicor added the MESMenu and MESMenuSecurity tables in the Erp schema. I also now understand that the MES Security is actually applied at two levels: using the User Menu security for the user that logs into MES, as well as the MES Menu Security applied through the Employee Role checkboxes using the permissions applied in the HandHeld/MES Security Maintenance. The MES Menu Security determines what buttons the Clocked In Employee can click on (which ones are enabled). Beyond that, the user that logged into MES needs to have access to the MenuID that is associated with the MES Menu Item.

I wrote the SQL query below to display the resultant security from both Ice.Security as well as Erp.MESMenuSecurity:

-- Company to report on; set this once instead of editing every subquery.
DECLARE @Company NVARCHAR(8) = N'AGR'; -- replace with your company ID

SELECT DISTINCT S.[SecCode]
      ,M.MenuID
      ,M.MenuDesc
      -- Level 1: menu security for the account that logs into MES (Ice.Security)
      ,IIF(S.[SecurityMgr] = 1, 'TRUE', 'FALSE') AS [SecurityMgr]
      ,IIF(S.[EntryList] = '*', 'TRUE', 'FALSE') AS [AllowAll]
      ,REPLACE(S.[EntryList], ',', '~') AS [AllowAccess]
      -- Level 2: employee roles that enable the MES button ('X' = role has it)
      ,COALESCE(MESProdSec.ProdWorker, '') AS ProdWorker
      ,COALESCE(MESMHSec.MHWorker, '') AS MtlHandler
      ,COALESCE(MESSvcSec.SvcWorker, '') AS SvcWorker
      ,COALESCE(MESShipSec.ShipWorker, '') AS ShipRecv
      ,COALESCE(MESSupvSec.SupvWorker, '') AS Supervisor
      ,'FALSE' AS [DisAllowAll]
      ,'TRUE' AS [AllCompanies]
  FROM [Ice].[Security] AS S
  LEFT JOIN Ice.Menu AS M ON S.Company = M.Company AND M.SecCode = S.SecCode
  -- Keep only menu items that are called from an MES menu entry
  INNER JOIN Erp.MESMenu AS MESMenu ON MESMenu.MenuID = M.MenuID AND MESMenu.MenuType = 'M'

  LEFT JOIN (SELECT MM.MenuID, 'X' AS ProdWorker FROM Erp.MESMenuSecurity INNER JOIN Erp.MESMenu AS MM ON MM.MESMenuID = MESMenuSecurity.MESMenuID
  WHERE MESMenuSecurity.Role = 'PRODUCTION' AND MESMenuSecurity.Company = @Company) AS MESProdSec ON MESProdSec.MenuID = M.MenuID

  LEFT JOIN (SELECT MM.MenuID, 'X' AS MHWorker FROM Erp.MESMenuSecurity INNER JOIN Erp.MESMenu AS MM ON MM.MESMenuID = MESMenuSecurity.MESMenuID
  WHERE MESMenuSecurity.Role = 'MATERIAL_HANDLER' AND MESMenuSecurity.Company = @Company) AS MESMHSec ON MESMHSec.MenuID = M.MenuID

  LEFT JOIN (SELECT MM.MenuID, 'X' AS SvcWorker FROM Erp.MESMenuSecurity INNER JOIN Erp.MESMenu AS MM ON MM.MESMenuID = MESMenuSecurity.MESMenuID
  WHERE MESMenuSecurity.Role = 'SERVICE' AND MESMenuSecurity.Company = @Company) AS MESSvcSec ON MESSvcSec.MenuID = M.MenuID

  LEFT JOIN (SELECT MM.MenuID, 'X' AS ShipWorker FROM Erp.MESMenuSecurity INNER JOIN Erp.MESMenu AS MM ON MM.MESMenuID = MESMenuSecurity.MESMenuID
  WHERE MESMenuSecurity.Role = 'SHIPPING_RECEIVING' AND MESMenuSecurity.Company = @Company) AS MESShipSec ON MESShipSec.MenuID = M.MenuID

  LEFT JOIN (SELECT MM.MenuID, 'X' AS SupvWorker FROM Erp.MESMenuSecurity INNER JOIN Erp.MESMenu AS MM ON MM.MESMenuID = MESMenuSecurity.MESMenuID
  WHERE MESMenuSecurity.Role = 'SUPERVISOR' AND MESMenuSecurity.Company = @Company) AS MESSupvSec ON MESSupvSec.MenuID = M.MenuID

  ORDER BY M.MenuID

2 Likes
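
The two-level check described in the post above, combined with the folder rule mentioned earlier in the thread, as an added example that is not part of the original posts and is not Epicor code. It is a small Python model that reports which layer denies a given MES button, which helps when auditing generic login accounts. The menu IDs, security codes and account names are constructed; disallow lists are not modeled.

```python
# Constructed sample data: menu IDs, security codes and account names are
# hypothetical; role and group names are the ones quoted in the thread.
MENUS = {  # MenuID -> (parent folder MenuID, SecCode)
    "MES_ROOT":   (None, "SEC_ROOT"),
    "MTL_FOLDER": ("MES_ROOT", "SEC_MTL"),
    "ISSUE_MTL":  ("MTL_FOLDER", "SEC_ISSUE"),
    "JOB_TRACK":  ("MES_ROOT", "SEC_TRACK"),
}
ENTRY_LIST = {  # SecCode -> allowed users/groups; "*" is allow-all
    "SEC_ROOT": {"*"},
    "SEC_MTL": {"Inventory"},
    "SEC_ISSUE": {"*"},
    "SEC_TRACK": {"Logistics"},
}
MES_BUTTONS = {  # MES button -> (MenuID it opens, employee roles that enable it)
    "Issue Material": ("ISSUE_MTL", {"MATERIAL_HANDLER"}),
    "Job Tracker": ("JOB_TRACK", {"PRODUCTION", "SUPERVISOR"}),
}

def first_denied_menu(menu_id, principals, security_manager=False):
    """Walk root -> target; return the first MenuID the account cannot open."""
    path = []
    while menu_id is not None:
        path.append(menu_id)
        menu_id = MENUS[menu_id][0]
    for mid in reversed(path):
        allowed = ENTRY_LIST[MENUS[mid][1]]
        if not (security_manager or "*" in allowed or allowed & principals):
            return mid
    return None

def explain(button, employee_roles, principals, security_manager=False):
    """Return (verdict, detail) for one MES button."""
    menu_id, enabling_roles = MES_BUTTONS[button]
    # Level 2: role checkboxes on the employee record enable the button.
    if not enabling_roles & employee_roles:
        return ("denied-by-employee-role", sorted(enabling_roles))
    # Level 1: the logged-in account needs the MenuID and every folder above it.
    blocked_at = first_denied_menu(menu_id, principals, security_manager)
    if blocked_at is not None:
        return ("denied-by-account-menu-security", blocked_at)
    return ("allowed", menu_id)

if __name__ == "__main__":
    roles = {"MATERIAL_HANDLER", "PRODUCTION"}
    for account in ({"mes_floor", "All Plant Workers"}, {"mes_whse", "Inventory", "Logistics"}):
        for button in MES_BUTTONS:
            print(sorted(account), button, explain(button, roles, account))
```

The same employee roles give different verdicts under the two accounts, and the detail field names the menu or folder whose security code needs the account added.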

Thanks John!