domain admin defaults to POWERUSER in web client
Posted by DSC Communities on December 13, 2016 at 9:46 pm
Rob Klaproth
Member · December 13, 2016 at 9:46 PM
Is this by design? If I add the domain admin account as a “web client only” user it doesn’t seem to matter what I add to their security permissions it gives them access to everything. Also, the POWERUSER isn’t even listed as a security role for that user, but is for any other user..
——————————
Rob Klaproth
Sr. Dynamics GP Consultant
Armanino
San Diego CA
—————————— -
Beat Bucher
Member · December 14, 2016 at 8:34 AM
Hi Rob,
Something must be wrong with your security in GP… Adding an AD account to the GP user setup doesn’t provide any permissions other than linking the Windows Authentication to GP to provide single sign-on.. Everything else depends on GP security for the resource access (forms & reports)..
POWERUSER is available as a security role even to “Web Client Only” users.. no doubt about it. Now there might be some limitation on what a WCO user can do at the SQL level security roles, as there is _no_ SQL user created for such account.. Being a POWERUSER as a WCO and not having SQL account is a little absurd.. And in fact I just tested this and the essential fields to reset a user pwd when logged in as a WCO user, is just greyed out.. because of the lack of SQL security permissions.
I also tested the GP security with a brand new user as WCO, but with FULL license type and it behaves like any other regular GP user.. I can assign any security roles and it will stick to it, or I can give that user POWERUSER role and it will give me access to everything.. (except the tasks linked to specific SQL security permissions).
I’m doing all this in GP2016R2..
PS: I’ve not tested the case of a Full Domain Admin account, as I’m not in that group in AD, but I can check it out with one of my IT guys..
——————————
Beat Bucher
Business Analyst, Dynamics GP MVP
Ultra-Electronics Forensic Technology Inc.
Montreal QC/Canada
+1-514-489-4267
@GP_Beat http://dyngpbeat.wordpress.com/
Montreal QC GPUG Chapter Leader
GP2013R2 / MR2012 CU14
————————————————————————- -
Beat Bucher
Member · December 14, 2016 at 11:52 AM
Rob,
I did some additional tests with my IT guy.. I linked his GP account with his domain admin account and assigned him to the Fabrikam company.. When he logged in the first time, I was puzzled to see all the menu entries that he was having access to on the various pages.. and the most frightening was that he could open everything (from GL Trx Entries to HR Employee cards) with no issues or warnings..
I then switched him back to the regular domain account, but lo & behold, it was the same story.. And I checked twice that he had no POWERUSER role assigned, but only a limited IT Help Desk role that I created for our IT guys.
I then decided to assign him a regular company from our list and assigned the same security roles. Redid all the testing with the Domain Admin account and the regular account.. Surprise, everything is working as expected.. and he was not able to see anything from the other modules he was not supposed to see..
Conclusion: there seems to be a code setting somewhere in the DEMO company Fabrikam that bypasses all security for every type of users.. no matter which one.. when using the Web Client.. this doesn’t happen with the GP Full client, where the security behaves according to the roles.
Someone should report that bug to Microsoft (preferably a partner).
——————————
Beat Bucher
Business Analyst, Dynamics GP MVP
Ultra-Electronics Forensic Technology Inc.
Montreal QC/Canada
+1-514-489-4267
@GP_Beat http://dyngpbeat.wordpress.com/
Montreal QC GPUG Chapter Leader
GP2013R2 / MR2012 CU14
————————————————————————- -
Rob Klaproth
Member · December 14, 2016 at 2:31 PM
Beat,
That’s some great testing you did! Unfortunately, for me, they were not logged into Fabrikam, they were logged into one of the client’s regular GP companies. So, the domain admin account, in GP2016R2 at least, is automatically given access to everything in the web client if you give them access to one of the GP companies (besides Fabrikam). Note: this user was set up as a “web client only user” so I could not test logging into the regular GP client.