Enterprise Search vs Security

Hi everyone,

One life mystery to me is Enterprise Search security. By example, this user doesn’t have access to Financial Management.

image853×620 38.4 KB

image856×618 46.4 KB

Thank you

@Alexandre_Pothier I thought the user could see the data but wouldn’t be able to launch the form without the menu security? Does it ignore menu security when launching the form?

Is that the standard epicor context menu in ES?
Where have you set your menu security? On the folder or on the menu item(s) or both?

If only on the folder then context menu item can circumvent what isnt seen in the menu or menu search
Same goes for menu favourites.

I confirm, the form is launched.

Let’s say I don’t use the context menu. If I click on the invoice number it opens the form.

About the security, it’s on the folder. It’s not viable to go through each single menu item.

The Invoice Tracker is in various places on the menu. You need to confirm that the correct form has security access for the user. So in this example when you right click on the ES record and open up Invoice Entry. Click on Help > About > System Info. In the Software Environment tab scroll down to ProcessID. The value is what needs security access.
So in this example its OMGO3010. This is called from the Order Management > General Operations > Invoice Tracker.
So in Menu Maintenance make sure that the user doesn’t have access to this menu item.

I tested in Menu Maintenance and gave my user disallow access to OMGO3010 in the security. When I login I don’t get the option for Invoice Tracker.

@afabian Do you guys have a list of all of the Menu ID’s that are used?

It sounds like it’s using the default Context Menu record but when I look for those I’m not finding anything in our ICE.ContextMenuItem table. Even though that’s where the field help claims it is.

Its in Context Menu Maintenance (System Setup / System Maintenance) for InvcHead.InvoiceNum.

image704×364 14.1 KB

I mislead everyone with the context menu. Sorry about that. My main concern is how can I prevent the user from opening the invoice tracker screen by clicking on the invoice number from the Enterprise Search result, since he doesn’t even have access to the whole financial management module, including invoice tracker?

image1327×477 81.3 KB

@Alexandre_Pothier It’s using the context menu. So in this case the Invoice Tracker is launching from the Order Management (OMMN0000) - General Operations (OMMN3000) - Invoice Tracker (OMGO3010)

I’m assuming it would block access if they didn’t have access to Order Management though.

@afabian I’m just trying to get a list of all of the default context menu items.

image760×399 19 KB

@Alexandre_Pothier. You need to add security to the particular menu item item that Invoice Tracker is calling. It is not calling the Invoice Tracker under Financial menus but from Order Management.

image1018×680 45.8 KB

@John_Mitchell I don’t understand what you mean by a list of all default context menu items. These are all in the Context Menu Maintenance by the key field. So for example it its a part, then it would be Part.PartNum, if a Sales Order, it would be OrdeHed.OrderNum, etc.

@afabian That should be saved in the DB somewhere. We should be able to query that table and return all Conext menu’s and which MenuID they are pointing to. When I look at the Field Help it is referencing the ContextMenuItem table but when I look at that table in my DB it’s empty.

@Alexandre_Pothier You should be able to change all of the Default Context Menu Process ID’s to the ones that you want and have it respect the security that you expect.

Epicor’s menu security doesn’t work that way (more’s the pity). If you remove Order Management from someone’s menu, they will still be able to use Context Menu access to open things you wish they couldn’t. To prevent that, you need to use the Disallow List on each program.

This can of worms has been open for quite some time, but Enterprise Search has brought it to a whole 'nother level.

It looks like you all have most of it all lined up. Let me try to help with some of the confusing points:

1. ES does use the context menu - so if you made a Dashboard that showed that record they could right click there and do the exact same thing. Important point - the concern is not enterprise search it is the context menu
2. Those tables in the ICE db… OK so before I was involved the gist of it is someone started to clean this area up unofficially and got as far as creating the tables but their stand alone project died there and has not be renewed - they are currently orphaned tables.
3. Context menu. The base context menu ships in a file called ContextMenu.xml yes it is an xml file. You can locate in the Client\Res directory on your box.

• now when you customize the context menu it copies that files contexts into a DB record and applies your modifications to that copy.
• This is a very old pattern that has served Epicor well for decades. And is not how we would do it if we wrote it today in a cloud environment.

If it is tied to a menu item in the normal menu I could see submitting an enhancement request to have it honor the parent menu security. However we would need to be careful because it has worked this way for a very long time and it could spawn a series of - why did I suddenly loose my context menu item from support - that is why I suggest enhancement not bug.

hope this helps with some of the confusion.