Application security flaws

[Luvsql]

I just created a new user class and went through every single window and menu option with advanced security on Dyn 9 and removed everything but a few windows.

Good thing I logged in as a test user with this account. There are setup window and reports that they should NOT have access to: All the report lists per module: THey can basically print a report for all the financials, AR, AP etc. If they have no access to these reports, where is this security coming from and why is it turned on by default?

Why remove a user's access from going to Report > Financial, if they can just view the company's financial reports with this view?

How can we remove these?

THe other windows that they had access to was setup > purchaing > control account management, extender > maintenance > refresh cache, Tools > setup > setup checklist.

 

[winthropdc]

Advanced Security can only control windows in the "By menu" view if the menu command directly opens a window. If the menu command runs a script which in turn opens the window, then Advanced Security cannot stop it using the "By menu" view.

Open the window, find the window title and use the "By Dictionary" view to deny access.

Access to reports can be control by using By Dictionary >> [Dictionary] >> Reports or by denying access to tables used on the reports.


See my Advanced Security FAQ KB for more info:

https://mbs.microsoft.com/knowledgebase/KBDisplay.aspx?scid=kb;en-us;894705

David Musgrave [MSFT]
Escalation Engineer - Microsoft Dynamics GP
Microsoft Dynamics Support - Asia Pacific

Microsoft Dynamics (formerly Microsoft Business Solutions)

http://www.microsoft.com/Dynamics

Any views contained within are my personal views and
not necessarily Microsoft Business Solutions policy.
This posting is provided "AS IS" with no warranties,
and confers no rights.