User Security Setup

[GPSKid]

We are having a problem with User Security Setup.

We generally assigned a user a single Security Role ID such as AP Clerk or AR Clerk. However, no matter what ID they are assigned, they almost always wind up with access to the Financial Groups and Financial Transaction Matching by Account Inquiry Windows. Working our way through all the operations in Security Task Setup to fix this is an endless job so we are looking for a better solution. We are running Ver. 10.

Anyone else had this problem or knows of a solution?

Gene

 

[jazgeek]

you could deny them access to that window

-----------
and they wonder why they call it Great Pains!

jaz

 

[GPSKid]

Jaz, thanks for your help, but I am confused. As I understand Security in Ver. 10, users are denied access to a window or report unless access is checked. So yes I can deny access, but the system is allowing access by default. I do not know of a good way to seek out all of the places where access has been improperly allowed without looking through every task and role security screen for a particular security role. This is a very long process.

Am I missing something? Perhaps there a file that can be dumped that will show the windows and reports a user has access to and I can thus find all the places where access needs to be denied?

Gene

 

[jazgeek]

if you deny access to the screen, then they can't get to it from anywhere. ie I accidentally denied access to items lookup once and no one was able to access it from any module...sales,purchasing,inventory, bom.



-----------
and they wonder why they call it Great Pains!

jaz

 

[winthropdc]

This KB Draft I wrote should help you.... it will be published in a new v10 Security KB eventually.


How to identify the Security Tasks and Security Roles associated with a specific window or report
=================================================================================================

Summary
-------

Microsoft Dynamics GP Version 10 introduces a new Role based security model. This model is defined in the following way:

1) Access to all windows, tables, reports and miscellaneous permissions are classed as Security Operations.
2) A set of Security Operations required to perform a specific task are assigned to a Security Task.
3) Multiple Security Tasks required to perform a specific role are assigned to a Security Role.
4) Each User and Company combination can then have multiple Security Roles assigned to it.

Note: Operations may be assigned to multiple Security Tasks and Security Tasks may be assigned to multiple Security Roles.


In the situation when a system administrator knows which window (or report) they wish to grant access to a user, but does not know what Security Tasks or Security Roles are associated with the window, there is no simple method to obtain this information from within the application. It would be possible to scroll through each Security Task on the Security Task Setup window (Microsoft Dynamics GP >> Tools >> Setup >> System >> Security Tasks and check if the window is selected, but this is time consuming. The Print Operation Access report which can be printed after selecting the window will show which users have access to the window, but not how that access was obtained based on the Security Roles and Security Tasks.

To obtain the data we will use a new Security Resource Descriptions table (Technical Name: syCurrentResources (SY09400) table) which was added to v10.0 to create a SQL Query to obtain the information. This table is initially empty, but can be populated by running the Clear Data File Maintenance process on it. The system will then rebuild the contents based on the current installed dictionaries.


More Information
----------------

Below are the steps to populate the Security Resource Descriptions table:

1) Click Microsoft Dynamics GP.

2) Click Tools.

3) Click Maintenance.

4) Click Clear Data to open the Clear Data window.

5) From the Menu click Display, Click Physical.

6) Select System Series and insert the "Security Resource Descriptions" table.

7) Click OK and Yes to the confirmation.

8) When requested select to send the report to the screen.

9) Close the report.


Now that the Security Resource Descriptions table has been populated we can use it in a SQL Query from SQL Query Analyser (SQL Server 2000) or SQL Server Management (SQL Server 2005). The Query below will display the Security Roles and Security Tasks associated with a specific window or report as selected by changing the Display Name on the last line of the query.


SELECT ISNULL(A.SECURITYROLEID,'') AS SECURITYROLEID, ISNULL(M.SECURITYROLENAME,'') AS SECURITYROLENAME, --ISNULL(M.SECURITYROLEDESC,'') AS SECURITYROLEDESC,
ISNULL(O.SECURITYTASKID,'') AS SECURITYTASKID, ISNULL(T.SECURITYTASKNAME,'') AS SECURITYTASKNAME, --ISNULL(T.SECURITYTASKDESC,'') AS SECURITYTASKDESC,
R.PRODNAME, R.TYPESTR, R.DSPLNAME, R.RESTECHNAME, R.DICTID, R.SECRESTYPE, R.SECURITYID
FROM DYNAMICS.dbo.SY09400 R
FULL JOIN DYNAMICS.dbo.SY10700 O ON R.DICTID = O.DICTID AND O.SECRESTYPE = R.SECRESTYPE AND O.SECURITYID = R.SECURITYID
FULL JOIN DYNAMICS.dbo.SY09000 T ON T.SECURITYTASKID = O.SECURITYTASKID
FULL JOIN DYNAMICS.dbo.SY10600 A ON A.SECURITYTASKID = T.SECURITYTASKID
FULL JOIN DYNAMICS.dbo.SY09100 M ON M.SECURITYROLEID = A.SECURITYROLEID
WHERE R.DSPLNAME = 'Sales Transaction Entry'


Below are the example results based on a default installation for 'Sales Transaction Entry':


SECURITYROLEID SECURITYROLENAME SECURITYTASKID SECURITYTASKNAME PRODNAME TYPESTR DSPLNAME RESTECHNAME DICTID SECRESTYPE SECURITYID
----------------------- ------------------------------- ----------------------- ----------------------- ----------------------- --------------- ------------------------------- --------------- ------- --------------- ----------
BOOKKEEPER* Bookkeeper TRX_SALES_001* Enter SOP transactions Microsoft Dynamics GP Windows Sales Transaction Entry SOP_Entry 0 2 619
CUSTOMER SERVICE REP* Customer Service Representative TRX_SALES_001* Enter SOP transactions Microsoft Dynamics GP Windows Sales Transaction Entry SOP_Entry 0 2 619
OPERATIONS MANAGER* Operations Manager TRX_SALES_001* Enter SOP transactions Microsoft Dynamics GP Windows Sales Transaction Entry SOP_Entry 0 2 619
SHIPPING AND RECEIVING* Shipping and Receiving TRX_SALES_001* Enter SOP transactions Microsoft Dynamics GP Windows Sales Transaction Entry SOP_Entry 0 2 619


If there are no Security Roles assigned to the Security Tasks, they will show as blank. If there are no Security Tasks assigned to the Operation, they will also show as blank.


References
----------

Security Operations for a Security Task are stored in table sySecurityAssignTaskOperations (SY10700).
Security Tasks are defined in table sySecurityMSTRTask (SY09000).

Security Tasks for a Security Role are stored in table sySecurityAssignTaskRole (SY10600).
Security Roles are defined in table sySecurityMSTRRole (SY09100).

Security Roles for a User and Company combination are stored in table sySecurityAssignUserRole (SY10500).


David Musgrave [MSFT]
Escalation Engineer - Microsoft Dynamics GP
Microsoft Dynamics Support - Asia Pacific

Microsoft Dynamics (formerly Microsoft Business Solutions)

http://www.microsoft.com/Dynamics

Any views contained within are my personal views and
not necessarily Microsoft Business Solutions policy.
This posting is provided "AS IS" with no warranties,
and confers no rights.