Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Advanced Security FAQ

Configuring Your System

Advanced Security FAQ

by  winthropdc  Posted    (Edited  )
Advanced Security FAQ
=====================

Where is the Advanced Security module located in Microsoft Great Plains or in Microsoft Dynamics GP?
----------------------------------------------------------------------------------------------------

To access the Advanced Security module, take one of the following actions:
* In Microsoft Dynamics GP 9.0 and in Microsoft Great Plains 8.0, click Tools, point to Setup, point to System, and then click Advanced Security.
* In Microsoft Great Plains 7.5 and in Microsoft Great Plains 7.0, click System on the Setup menu, and then click Advanced Security.


Does Advanced Security extend to the Great Plains Security model?
-----------------------------------------------------------------

No. Advanced Security is just a new interface for the existing security model. Advanced Security uses the same tables that Standard Security uses. It provides an Explorer interface to the resources which can have security applied to them and can work with multiple users or classes and multiple companies at the same time.


What are the differences between Advanced Security and Standard Security?
-------------------------------------------------------------------------

Standard Security uses seperate windows which allow you to control security for a single resource for a single user and company or for single class at a time. To set security to a window, you need to know the actual name of the window and to what series it belongs to. To set security for modified, alternate or modified alternate windows you need to change views. Setting access to Smartlist favourites uses a third window.

Advanced Security provides an explorer style interface which allows security to be set for multiple users, Companies and/or classes at the same time including Smartlist security. It provides multiple views, including the by menu view which security to be set using the navigation model and changes at higher levels of the tree are automatically rolled down to child resources. Access to Modified, Alternate or Alternate Modified resources can be selected by choose the dictionary to use without changing view.


What are some of the benefits of using Advanced Security?
---------------------------------------------------------

Among the benefits of using Advanced Security are the following:

* Changes to security at the class level are automatically rolled down to users of that class, without overwriting user level security changes.
* It has a By Alternate, Modified and Custom view which only displays security for customised resources to make it easier to control access to customisations. When granted security back to resources, it has the option to automatically select Alternate and/or Modified resources if they exist.
* It can hide external or missing resources from the security model and provides a number of options on whether unregistered resources can be seen or modified.
* It can quickly show what resources the selected user and company have access to and at the same time show what other users in the same company have access to the selected resource.
* It can Copy security settings to other companies or users.
* It can roll down class security settings down to selected users of a class with the option to overwrite user level changes (by using the revert first option).
* It can roll up a user's security settings to a class.
* It can Verify security settings to ensure that they are valid and that all customisations pointed to actually exist.
* It can Revert security settings back to their initial state, as per when the user was first created.
* It can export and import security settings between systems or for backup purposes using xml files.
* It can selectively print out the security settings for a user and company or class.
* It can use interactive dialogs to allow security settings to altered or temporarily overridden by the Administrator using the System Password.

Note: You must have a System Password configured as this password must be entered before the interactive dialogs will make any security changes. This allows the security to be altered by the System Administrator without having to change logins or use a different machine. In versions 8.0 and 9.0, this dialog can be controlled and is turned off by default.


What does the Advanced Security Accelerator do?
-----------------------------------------------

The accelerator table is a cache of the status of every node in the security tree for every user/company/class combination in your system. Without it Advanced Security would be so slow it would be unusable. It allows the status of a node to be obtained quickly without having to read all the levels of child nodes.


What Advanced Security Accelerator options should be checked or unchecked, and what do they mean?
-------------------------------------------------------------------------------------------------

It is preferred that you leave the accelerator on, but it is important to have the settings set for best performance. Open the Options window from Advanced Security to check your settings:

Run accelerator in background while Advanced Security is open should be checked. It is worthwhile leaving Advanced Security open for a while so it can complete the accelerator processing. Even though you can still use Advanced Security while it is processing it is faster once the background processing has completed.

Reset accelerator on window close (temporary cache) should be unchecked. If checked, the accelerator will be re-creating itself from scratch every time you open the window.

Keep accelerator synchronised at all times should be checked. This will ensure that any changes using the old windows will be updated into the accelerator. However, please note that using the old windows (in particular, the class setup window) will cause sections of the accelerator to be dropped. It was quicker to rebuild the sections next time you go into Advanced Security rather than try and update the records at the time. It is not recommended to use the old security or class windows to change security once Advanced Security is in use, hence the warnings.

v7.X only: Use external accelerator tables for better performance should be checked. The Default path should point to a shared location (UNC path) available to all workstations, however, it is best if that location is local to the machine doing most of the security settings (especially, the initial creation of the accelerator). The Local Path should be blank on all workstations, except for the one workstation where the Default path is actually local. Then you can put in the local path (non UNC path) and avoid the network subsystem.

Note: V8.0 of Advanced Security does not have the external accelerator option and is 10 to 20 times faster using a SQL based accelerator table.


What occurs if I turn off the Advanced Security Accelerator?
------------------------------------------------------------

If you turn the accelerator off, you will lose the ability to see or change security settings at all but the very lowest levels of the tree. You will not be able to roll down security from a menu to all the entries on that menu, nor see whether access is granted or denied without drilling right down.


How do I turn off the Advanced Security Accelerator?
----------------------------------------------------

To turn off the Advanced Security Accelerator, follow these steps:
1) Within Advanced Security, click Options.
2) Click Do not use accelerator and do not display status of parent objects.
3) When you are prompted whether you want to reset the accelerator, click Yes.
4) Click OK to close the Advanced Security Options dialog box.


Why does Advanced Security process the Accelerator every time I open the window?
--------------------------------------------------------------------------------

If background processing is on the accelerator will run when you open the Advanced Security window, it will refresh some high level information to check if you have added any customisations and will then continue processing users/company/class entities until it has processed all combinations. It will eventually stop and will be very fast when you open the window in future.


Why is Advanced Security faster when I turn the Accelerator off?
----------------------------------------------------------------

It may feel like turning off the accelerator increases performance, but it is also turning off functionality. If we turned off the accelerator and still tried to show the status of nodes on all levels of the tree, the user interface would be unusable.

When you turn the accelerator off, you are also turning off the ability to change or view security at all but the lowest level of the tree.

If you are happy to lose this functionality, you might find it better to run without the accelerator. Make sure you reset the accelerator when you turn it off.


Why does Advanced Security still update the Accelerator when I turned it off?
-----------------------------------------------------------------------------

Turning the accelerator off asks not to use it for the display. However, if accelerator records exist they will be maintained so that they will still be valid if the accelerator is turned back on.

To Fix: Turn the accelerator back on and then turn it off again. When asked say yes to reset the accelerator and clear the records.


What tables are used by the Accelerator?
----------------------------------------

The Accelerator is made up of three tables, two lookup tables to map information and the main accelerator table:

The WDC_Security_Children_Menu_REL (WDC51102) maps the three 16 bit integers which are a menu's unique identifier to an internal single 32 bit number. This is because Advanced Security could handle two 16 bit integers but not 3 as needed for the v8.0 (or later) menus.

The WDC_Security_Children_MSTR (WDC51100) maps a User/Company combination or a User Class to an Entity ID. This Entity ID is then used in the main cache table. The number of Entities in a system can be worked out with the following query:

SELECT (SELECT COUNT(*) FROM SY60100) + (SELECT COUNT(*) FROM SY40400)

The WDC_Security_Children_TEMP (WDC51101) table is the cache of the status of every node in the security tree for every Entity ID in the system. The Accelerator table also functions as a 3 way linked list with each node (record) in the table knowing what its parent node is in the 3 views (By Menu, By Dictionary, & By Custom). There are about 5000 records stored for each Entity ID. The exact number varies between systems depending on the products installed. You can use the query below to check how many records are stored for an Entity on your system.

SELECT COUNT(*) FROM WDC51101 WHERE WDC_Entity_ID = 1

To estimate the total records in the Accelerator, you can multiply the results on the two previous queries:

SELECT (SELECT COUNT(*) FROM WDC51101 WHERE WDC_Entity_ID = 1) * ((SELECT COUNT(*) FROM SY60100) + (SELECT COUNT(*) FROM SY40400))

The actual number of records contained in the Accelerator can be seen on the bottom left corner of the Advanced Security Options window.


What can I do when the Accelerator becomes too large?
-----------------------------------------------------

On large systems with many companies and users, the WDC_Security_Children_TEMP (WDC51101) table can grow to contain a very large number of records. In these situations there are 3 alternatives for how we can set up the Accelerator Options.

1) Check the Do not use accelerator and do not display status of parent objects option and say yes to Reset. This will stop using the Accelerator and delete the records from the tables. This will also decrease the functionality offered.

2) Uncheck Run accelerator in background while Advanced Security is open, uncheck Reset accelerator on window close (temporary cache) and check Keep accelerator synchronized at all times. This will stop Advanced Security from populating the Accelerator in the background and will only create records on demand for the Entities being edited. If the Accelerator starts to get too large you can click Reset Accelerator to delete the records. This is the recommended settings for larger systems.

3) Uncheck Run accelerator in background while Advanced Security is open and check Reset accelerator on window close (temporary cache). This will automatically reset the Accelerator when Advanced Security is closed. While this keeps the Accelerator from growing, it does mean that all Entities will have to be re-read on demand each time Advanced Security is used.


Why does Advanced Security stop me logging off or changing Company?
-------------------------------------------------------------------

While Advanced Security is open and the Accelerator is processing in the background, you are still able to work in the foreground, albeit a little slower. When you close the Advanced Security window, the Accelerator will complete the section it is working on and then stop. This may mean you will need to wait a short time after close Advanced Security before you can log off or change company. A small window is displayed while the processing completes to notify of this.


What is the difference between the views in Advanced Security?
--------------------------------------------------------------

The views in Advanced Security allow you to see the different areas of the system for which security can be controlled. The "By Menu", "By Dictionary" and "By Alternate, Custom and Modified" views are all looking at the same data. So a change in any one of those views will be reflected in the other views.

"By Menu" provides a view based on the navigation model of Great Plains and is the safest way to apply security. Using "By Menu" you will not deny access to hidden or system resources or lookups by accident.

"By Dictionary" provides a view of every resources in the system sorted by Dictionary, Type and Series. It can be used to fine tune security for resources not on the navigation model.

"By Alternate, Custom and Modified" shows just the resources which have been customised. The customisations can be by the end user; modified forms and reports or custom reports, or by a developer; alternate forms and reports. In this view an alternate window will show under the dictionary it exists in rather than under the original.


Where do I find my Alternate and Modified windows and reports?
--------------------------------------------------------------

Alternate and Modified windows are shown underneath the original window. Find the original window in the "By Menu" or "By Dictionary" view and click on the plus sign to display the dictionaries that window exists in. You can then select which version you would like used.

Another way to view alternate and modified windows and reports is to change the view by clicking the down arrow and then clicking By Alternate, Modified and Custom.

Note: If a product has no windows of its own and only has alternate windows or reports, it will not show in the "By Dictionary" view.


How do the Grant Security to Alternate and Modified windows and reports options work?
-------------------------------------------------------------------------------------

These options work when access is being granted back to a resources when it was previously denied. If there is a single alternate, it will be chosen rather than the original dictionary if the Alternate option is selected. If there are more than one alternate, Advanced Security cannot decide which to use and will stay with the original version. Once the dictionary is decided, if there is a modified version of the resource and the Modified option is selected, then it will be selected.


How can I select Classes in Advanced Security?
----------------------------------------------

By default, the list in the lower-right section of the Advanced Security dialog box shows users only. You can change the view by clicking View and then clicking Users and Classes or Classes Only. The default view can be changed on the Advaned Security Options window.


How can I Speed up changes by User Class?
-----------------------------------------

When making changes to security settings by User Class there is no requirement to select a company. The changes made on the Class will be automatically rolled down to all companies of all users assigned to that Class.

The performance can be improved while making the changes by unchecking the "Display class changes on affected users" checkbox in the Advanced Security Options window.

Unchecking this option means that you will not see the changes made on Classes as you make them, but they will still be rolled down when you click OK or Apply. The time to apply the changes will still be the same, but the rolldown to users will not happen while you are making changes to the Class.


How can I use Advanced Security to quickly give access to Customisations?
-------------------------------------------------------------------------

From the Advanced Security options window turn on the Grant Security to Alternate and Modified windows and report options. Then change the view to the "By Alternate, Custom and Modified" view. Then remove access to the resources shown in this view and grant access back. This will grant access to the customisations where they exist.

Note: You will need to check for situations where more than one alternate window or report exists and manually select which one you wish to use.


What does it mean when no dictionary radio button is selected for a window or report?
-------------------------------------------------------------------------------------

If none of the possible dictionaries are selected for a window or report, it means that the security record is pointing to a dictionary which is not currently loaded on this machine, or that a modified version does not exists on this machine. This can be caused either by removing dictionaries or modified versions of windows, or by not ensuring that all dictionaries and customisations are installed on all workstations.


Can I hide menu options to which a user does not have access?
-------------------------------------------------------------

In Microsoft Great Plains 8.0 and in Microsoft Dynamics GP 9.0, users do not see menu options to which they do not have access. In Microsoft Great Plains 7.5 and in Microsoft Great Plains 7.0, you must select the Hide windows on palettes when denied security option to hide palette choices to which users do not have access.

Note: Make sure that security is active for all companies within Microsoft Great Plains and Microsoft Dynamics GP. To verify this, click Tools, point to Setup, point to Company, and then click Company. Make sure that the Security option is selected.


Why do I lose access to my customisations when I use Revert?
------------------------------------------------------------

Revert is designed to restore the security to the state it was when a user is first created. It will grant access to the original versions of all resources, with the exception of the advanced lookups which are automatically selected from the Smartlist dictionary. This means that access to alternate or modified versions of forms and reports will be removed and access to the original granted again.


What does Revert Security First mean?
-------------------------------------

The Copy, Rollup and Rolldown features of Advanced Security have an option to revert security first. If this option is checked, the target entities will be reverted (access granted to original for all resources) before the copying takes place.

The copying only copies non-default security, ie. security for which records exist in the table.

So, if revert first is used, the target entity will have access granted back to all resources and then the denied and alternate/modified security copied in. This will give an exact duplicate of the source security.

If revert first not used, all the security on the target entity is kept and all the denied and alternate/modified security from the source entity is copied over the top. This will actually combine the security records for the target and the source. However, this is combining the non-default security, so if access to one entity is granted and but denied in the other, the result will be denied. For more information see the next question.

NOTE: Default security is for access to be granted to the original resource. Non-default security is when access has been denied or access has been granted to a modified, alternate or modified alternate version of a resource.


Can I merge security from two users or classes together?
--------------------------------------------------------

While it is possible to combine security for two users and/or classes together, it might not behave in the manner you wish. When copying, rolling down or rolling up security the Revert Security first checkbox controls whether you are making an exact duplicate or whether you are combining the security settings of the source entity (user/company or class) into the target entity (user/company or class).

If you have revert security first selected (default behaviour) it will make an exact copy of the source entity completely replacing the target entity's settings. This is because it will revert the target entity back to default before copying. Note: The default setting is access to all original forms (with exception of the Advanced Lookup alternate windows in the Smartlist dictionary).

If you do not use revert first, you will combine the entities but you are combining the non-default security with the source entity's settings overwriting the target entity's settings. Please see the chart below for details:

Source Target Result
--------------- --------------- ---------------
Original Original Original
Original Denied Denied
Original Alternate2 Alternate2
Original Modified2 Modified2

Denied Original Denied
Denied Denied Denied
Denied Alternate2 Denied
Denied Modified2 Denied
Alternate1 Original Alternate1
Alternate1 Denied Alternate1
Alternate1 Alternate2 Alternate1
Alternate1 Modified2 Alternate1
Modified1 Original Modified1
Modified1 Denied Modified1
Modified1 Alternate2 Modified1
Modified1 Modified2 Modified1

In summary, the Source entity's security settings will be applied, except where it has access granted to the original. In those cases the security settings will be left with the target entity's previous setting.


When using Import/Export, what does the Only import non-default security option do?
-----------------------------------------------------------------------------------

By default, with the Only import non-default security option unchecked, Advanced Security will import all settings from the xml file thus making an exact copy of the security in the xml file.

When the Only import non-default security option is checked, Advanced Security will only import the non-default security from the xml file. You can leave the Revert security first option checked to ensure an exact copy is imported, or uncheck the option to combine or merge the security settings as described in the previous question.

Having both the Only import non-default security option and the Revert security first option checked will produce the same result as having neither option checked but may have better performance.

NOTE: Default security is for access to be granted to the original resource. Non-default security is when access has been denied or access has been granted to a modified, alternate or modified alternate version of a resource.


Can I use regular security after Advanced Security has been used?
-----------------------------------------------------------------

Yes. You can use both regular security and Advanced Security. However, if you make a change to one security window, you must make sure that the other security window is not open.

When you use the old Class and Security dialog boxes, the accelerator must process every time that you change back to the Advanced Security dialog box. When you use the old Class and Security dialog boxes, sections of the accelerator are dropped. Therefore, these sections of the accelerator will be reread the next time that you use Advanced Security. It is faster to drop sections of the accelerator table and then reread the data when the data is next required than it is to try to keep the accelerator synchronized record by record.


What are some tips and tricks for setting up security within Advanced Security?
-------------------------------------------------------------------------------

Advanced Security allows security to be setup on multiple users, companies and classes at the same time. When class changes are made, it does not overwrite user level changes. But, the best part is that Advanced Security allows you to set security based on the navigation model (ie. menus).

So the steps to setup security would be to:

1) Revert the user to reset security to access to all resources.
2) Use the By Alternate, Custom and Modified view to give access to customised resources.
3) Use the By Menu (by Toolbar in v7.x) view to remove access to sections of the menu navigation.
4) Then use the By dictionary view to fine tune access to windows not directly on the menus.

In v8.0 and 9.0, Users automatically will not see menu choices that they do not have access to. In v7.x, use the "Hide windows on palettes when denied security" option to hide palette choices that users don't have access to.

Note you will need to ensure that Security is active for all companies in your system. Check Setup >> Company >> Company and ensure the Security checkbox is selected.


What is the best way to optimise performance for Advanced Security?
-------------------------------------------------------------------

Here are some ways to improve performance in Advanced Security.

1) Turn off the accelerator. However, doing this will mean that you can no longer view or change security settings at all but the lowest level of the tree.

or

2) Optimise the acccelerator settings (see below for more info on the Accelerator).
a) Use the external accelerator and store the tables on a share available to all machines. You can use an UNC pathname.
b) On the machine on which the external accelerator is hosted, set a local path for the accelerator. This bypasses the network subsystem for that workstation.
c) Perform the major security maintenance on the machine which the external accelerator is hosted.
d) Depending on number of users * companies + classes in your system: If we are talking less than say 300, use Background processing and allow the processing to complete. If we talking more than 500, turn Background processing off and let the system cache on demand. Note: you can continue to work with Advanced Security while the background processing is continuing.

3) Be aware that if you select multiple users and/or classes at one time, it will take longer to process changes.

4) If using classes, you can opt to turn off showing class changes on the users as they are made. This will improve performance and the changes will still be applied to the users when the Class changes are applied.


What does Advanced Security's Checklinks do?
--------------------------------------------

Advanced Security's Checklinks feature will remove data that is for missing companies or users, ie. orphan records. It will also suggest that Verify is used for situations where there are possible dictionary related errors.


What does the Yellow Question Mark mean in Advanced Security?
-------------------------------------------------------------

Advanced Security will display a yellow question mark in the By Menu (By Toolbar) view of the Security tree (left hand pane) when the menu option represented in the view is one of the following:

1) an external resource, such as a macro or an external application (for v7.X).
2) a script which can perform various actions including opening a form (for v8.0 onwards).
3) a form from a dictionary which is not installed on the current workstation.

Advanced Security is only is open able to correctly show a resource in the By Menu (By Toolbar) view when it refers directly to a Form which is available in the dictionaries loaded on the current workstation.

A yellow question mark can also be displayed in the Security tree when there are no users or user classes selected in the User list (lower right hand pane).

Finally, a yellow question mark can be displayed in the User List and the Company List when there is no company selected or when the selected resources in the Security tree is already a yellow question mark due to one of the reasons already given.

In summary, a yellow question mark is displayed when Advanced Security is unable to control the resources, either due to the resource type itself or because of the current selections.


What does the red circle with the line through it mean in Advanced Security?
----------------------------------------------------------------------------

Advanced Security will display a red circle with a line through it in the By Menu (By Toolbar) or By Dictionary views of the Security tree (left hand pane) when displaying a form which belongs to a module which is not registered and control of unregistered modules is not enabled.

Advanced Security has 3 options for how to handle forms from unregistered modules:

1) Advanced Security can hide forms from unregistered modules from the tree. To select this mode make sure the Advanced Security option "Do not display unregistered modules" is checked.

2) Advanced Security can display forms from unregistered modules on the tree, but not allow settings to be changed. To select this mode make sure the Advanced Security options "Do not display unregistered modules" and "Enable control of unregistered modules" are both unchecked. This is the mode which can show the red circle with the line through it.

3) Advanced Security can display forms from unregistered modules on the tree and allow settings to be changed. To select this mode make sure the Advanced Security option "Do not display unregistered modules" is unchecked and the option "Enable control of unregistered modules" is checked. In this mode a form from an unregistered module is not treated differently from any other form.



What does Advanced Security's Verify feature do?
------------------------------------------------

Verify can fix issues where security points to resources that don't exist. Such as Modified or custom reports which have been deleted without adjusting security back to the original report, or products which have been uninstalled.

You must ensure that the workstation used has all dictionaries and customisations installed. This does not happen automatically with Checklinks as we need the user to make decisions of which issues to fix and how to fix them.


How can I identify a form causing a security privileges error?
--------------------------------------------------------------

If you are receiving a "You don't have security privileges to open this window. contact your system administrator for assistance." or "Not privileged to open this form." error and do not know which form, report or table is causing the problem. You can use Advanced Security's interactive Dialogs to help identify the resource causing the problem and to fix the issue on-the-fly. Go to Advanced Security Options and tick the "Allow security override using the system password" checkbox. Then next time the error occurs, Advanced Security will identify the resource and provide options to change the security settings. You can disable the option after the security issue is fixed or leave it active if you so desire.

Note: You will only be allowed to change the security settings if there is a System Password and it is entered correctly.


Why are there Checkboxes on both the left and right hand panes of Advanced Security?
------------------------------------------------------------------------------------

The checkboxes on the resource tree (left pane) allow you to see and change the security settings for the currently selected users/companies and classes (right pane).

The checkboxes on the user list (right pane) allow you to see and change the security settings for the currently selected node in the resource tree (left pane).

This gives us two views into the same data, for example: "What access does this user have?" AND "Who else has access to this item?".


Why Does the By Menu view not work for some menu choices?
---------------------------------------------------------

Some choice on the menus run scripts which may in turn open a form. Because they are not directly linked to a form, Advanced Security cannot identify the form to control the security. For these forms, please use the By Dictionary view to change their Security settings.


David Musgrave [MSFT]
Senior Development Consultant
Escalation Engineer - Great Plains
Microsoft Dynamics Support - Asia Pacific

Microsoft Dynamics (formerly Microsoft Business Solutions)
http://www.microsoft.com/Dynamics

Any views contained within are my personal views and
not necessarily Microsoft Business Solutions policy.
This posting is provided "AS IS" with no warranties,
and confers no rights.

KB 894705
Register to rate this FAQ  : BAD 1 2 3 4 5 6 7 8 9 10 GOOD
Please Note: 1 is Bad, 10 is Good :-)

Part and Inventory Search

Back
Top