Creating a super user with access to certain modules only

Well the title says it all. I need to know if there is a way to - for example - exclude financial modules and only give access to the rest while being a super user with security manager checked?

Thanks,

I was under the impression (someone correct me if I’m wrong), that being a Sec Manager overrides all other security settings (menus, fields, processes, etc…)

Yep, sec. manager overrides all restrictions.

You could make BPMs that check for that user, and throw exceptions.

It’s not true security, because that user would be able to alter the BPM. But that BPM could include an email widget to notify someone else that the initial attempt to access it occurred.
The real question is, does that user really need to be a Sec Manager?

I need to create a user that can have access to menu forms, update them, write customizations and so on but except for financial module.

Those are all settings on the user’s security. The only thing that would be time consuming would be updating all the menu securities. But don’t just add this user to the disallow of each menu security. Create a Sec Group for “Power Users w/o Financial access”.

Now if you let them make BAQs they are going to be able to see financial data. Unless you use field security too.

Your suggestion is the closest solution for us, on the other hand this is a big flaw on Epicor’s side where you cannot create super users per department and so on from the security level in one action.

Thanks for your suggestion, I think I will go with it.

It does.

Super user status is for Epicor admins… it is really so that the IT Staff can have access to all menu items without adding them to security groups.
Typically I recommend that you create a superuser security group for each department, and then assign those to the dept users that you want to give that access to… then go to the menu options and apply that group to the menu. This also allows you to create BPM security using the groups which would also override the standard superuser setting… the superuser flag does NOT override any BPM security that you setup.

@ckrusen - I think there is DMT for this. You even gave detailed steps to someone on updating the IDs IIRC.

Just FYI, I believe as of 10.2.400, there is now available something called Access Scope which “groups one or more ERP Services, specific Service Methods, Function Libraries, Functions, and/or Business Activity Queries (BAQs) under an Access Scope ID.” You can then apply this Access Scope to a user and only allow them access to those items above that you’ve added to that group.

I’m sure it would be too much work to build one for someone that you want to give access to everything except Finance Modules. But this has been pretty nice to use on Integration Accounts for external applications that use REST to connect to our Epicor DB.

Maybe it would be nice if Access Scopes not only allowed access but could also deny access for whatever was added to them too…

Have to give credit to @Chris_Conn for introducing us to this feature.

:open_mouth: Didn’t know that was a thing… thanks for sharing. Not sure if it’s something we will use. But definitely going to look into it.

You could set up a separate environment for the developer that does not contain the sensitive financial data (i.e., Education database or a stripped down database with only relevant data) and use the solution workbench to export the customizations. Then have someone with financial access load the solutions. Unfortunately, there are a couple of things that the solution workbench cannot do, so those actions would need to be manually taken. I would not advise taking this path, just a thought of one way to accomplish this.
