To keep a company ITAR complant, a group of users cannot have access or view a predefined list of Parts in Epicor. Company is integrating foreign users that must not have access to a list of Parts. About 20 Parts in Total.
So far, added a UD field to Part table to identify these Parts. Created BPMs which remove rows on Post Directive for GetByID and GetList if User belongs to ITAR group and record is ITAR flagged.
This works for Part Mtc., but am finding that not all forms use these to fill data on a form which shows Part… Sales Order Line for example…
Any ideas on how this can be achieved ? Just identifying all areas that Part can be seen is incredibly daunting… Your Input is much appreciated. Epicor field level security blocks access to all Parts, ITAR users need to interact with non ITAR Parts.
I would offer that ITAR is more strict than that. I could easily be wrong, but I thought the user who have access need to comply with ITAR regulation. If I am wrong, then you have a large job ahead of you.
There are so many places you will need to secure (think Part Transaction History, SO Entry, PO Entry, Job Entry, etc)
I’m not sure you can separate this simply. First off, ensure the users do not have any menu access that they should not.
interesting
what access is required? view stock? purchase / receive ? order / ship?
and is it just the parts - what about the vendors and customers?
if it’s simple inquiry, then custom dashboards and menu security is the way i would do this. if it is more than that - maybe you ought to consider separation using one of the multi-plant/multi-company features.
Initially, all of epicor was requested for access. Come to find this is a enormous task as
epicor has no built in function to separate part access by user / group. Trying to push a defined
set of functions per ITAR user. Then in combination with Form customization and BPM I have
a chance. The multi plant solution would face the same limitations as single, given that they would need to see the same data, I think…
Thanks for your input. Anyone else with a breakthrough solution ?
Not in E9, but in 10.2.400, Epicor introduced something called Access Scope which really let’s you lock down a user login to a subset of services/methods/BAQs. It’s an explicit list of things a user can do.
fyi
have also considered a mirror like solution via sql, stripping out the ITAR parts nightly.
BUT, am sure this would break transaction using that part …
The tricky part will be by part access still but this prevents you from blocking every other object. But if you could restrict the ITAR uses to just updatable BAQs for the basic functions they need then I think you could do it.