Power User vs. Super User, Who Can Protect GP?

03/09/2017

If you must have a Power User, create a Super User instead. We’ve written about minimizing the ‘sa’ user in the past, and about how to set up users without being ‘sa’. That’s a great start for improving security. The next step is to address Power Users. In Dynamics GP, Power User isn’t a role in the traditional sense. The Power User role simply skips the security check.

 

Because the Power User role effectively ignores security, it doesn’t have any tasks explicitly assigned to it. This means that users with Power User access don’t show up on security reports. Because of this, handing an auditor a security report, and assuring them that the report contains the full breadth of user security, could be a career-limiting move.

 

A leading practice is to deny Power User access to anyone. Ideally administrator tasks should be explicitly assigned and split between a few users. But if a company absolutely, positively has to give someone Power User access, there is a better way. Create a Super User role.

 

In this context, a Super User works like a Power User: they have access to everything, but the access is provided explicitly, not accidentally. Essentially, every box is checked to provide access to all of the security elements in GP. That way, Super Users, and their access, will show on security reports.

 

Creating a Super User in GP isn’t hard, but there are a few quirks, and it does require SQL access and elevated GP privileges for the initial creation. No, you don’t have to actually check every security box.

 

How to create a Super User role with Power User-like properties:

 

1. Clear the SY09400 table.

a. Go to Microsoft Dynamics GP > Maintenance > Clear Data
b. Click Display on the toolbar and click Physical
c. Select System under Series
d. Click Security Resource Descriptions under Tables to highlight it and click Insert to add it to the Selected Tables list
e. Click OK, then Yes to the pop up message asking you if you’re sure that you want to clear data from the table
f. Send the report to the screen; it should report back with ‘No errors found’

This repopulates the table with the current security resources. There is additional code that runs if GP Power Tools is installed to add items beyond just forms and reports.
 
2. Run the SQL Script below.
This adds a Super User role and assigns security to all of the items, even if the description hasn’t been added to the SY09400 table. I still can’t swear that this catches absolutely everything, but it should and it has worked in testing. 
 
a. Create SUPERUSER Task
Insert into SY09000 (SECURITYTASKID,SECURITYTASKNAME,SECURITYTASKDESC,SECURITYTASKCATEGORY,DEFSECTASK,CRUSRID,CREATDDT,MDFUSRID,MODIFDT)
Values ('SUPERUSER','SUPERUSER','Super User task to replace Power User role',7,0,'sa', cast(getdate() as date), '', '1/1/1900')

b. Assign all security items to SUPERUSER task
Insert Into SY10700 (SECURITYTASKID,DICTID,SECURITYID,SECRESTYPE)
Select distinct 'SUPERUSER',a.DICTID,a.SECURITYID,a.SECRESTYPE from
(select distinct DICTID,SECURITYID,SECRESTYPE from SY10700
union
select distinct DICTID,SECURITYID,SECRESTYPE from SY09400) a

c. Create SUPERUSER Role
Insert into SY09100 (SECURITYROLEID,SECURITYROLENAME,SECURITYROLEDESC,SECROLETYPE,CRUSRID,CREATDDT,MDFUSRID,MODIFDT)
Values ('SUPERUSER','SUPERUSER','Super User Role to replace Power User role',2,'sa',cast(getdate() as date), '', '1/1/1900')

d. Assign SUPERUSER Task to SUPERUSER Role
Insert into SY10600 (SECURITYROLEID,SECURITYTASKID)
Values ('SUPERUSER','SUPERUSER')
 
3. Remove a user’s access to Power User and assign access to Super User.
a. In GP select Administration > System > User Security
b. Select a user and company
c. Uncheck Power User
d. Check Super User
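
The queries below are an added example, not part of the original script: they check that the SUPERUSER task from step 2 covers every resource recorded in SY09400 and SY10700, that the role is linked to the task, and which users still hold Power User. The SY10500 table, its columns, and the 'POWERUSER' role ID do not appear on this page and are assumptions to verify against your own system.

```sql
-- Added example: post-change checks for the SUPERUSER role created in step 2.

-- 1. Coverage gaps: security resources known to GP (SY09400) or granted to
--    any task (SY10700) that the SUPERUSER task does not hold.
--    An empty result means SUPERUSER covers everything those tables contain.
SELECT r.DICTID, r.SECURITYID, r.SECRESTYPE
FROM (SELECT DICTID, SECURITYID, SECRESTYPE FROM SY09400
      UNION
      SELECT DICTID, SECURITYID, SECRESTYPE FROM SY10700) AS r
WHERE NOT EXISTS (SELECT 1
                  FROM SY10700 AS s
                  WHERE s.SECURITYTASKID = 'SUPERUSER'
                    AND s.DICTID = r.DICTID
                    AND s.SECURITYID = r.SECURITYID
                    AND s.SECRESTYPE = r.SECRESTYPE);

-- 2. Role wiring: expect exactly one row linking the SUPERUSER role
--    (SY09100) to the SUPERUSER task through SY10600.
SELECT ro.SECURITYROLEID, rt.SECURITYTASKID
FROM SY09100 AS ro
JOIN SY10600 AS rt ON rt.SECURITYROLEID = ro.SECURITYROLEID
WHERE ro.SECURITYROLEID = 'SUPERUSER';

-- 3. Who still bypasses the security check, and who holds the explicit role.
--    ASSUMPTION: user-to-role assignments per company are stored in
--    SY10500 (USERID, CMPANYID, SECURITYROLEID) and the Power User role ID
--    is 'POWERUSER'. Neither is stated on this page.
SELECT USERID, CMPANYID, SECURITYROLEID
FROM SY10500
WHERE SECURITYROLEID IN ('POWERUSER', 'SUPERUSER')
ORDER BY SECURITYROLEID, USERID, CMPANYID;
```

Because step 2b copies the resources that exist when it runs, query 1 is worth re-running after new products or customizations are installed; any rows it returns are resources the SUPERUSER task does not yet include.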
 

A Super User isn’t ideal. It still provides more access than even an administrator should have on a day-to-day basis, but at least the access is explicit and visible to reporting, not hidden in a Power User role. If this was helpful, you may want to check out our webinar, "HOW THE [EXPLETIVE DELETED] DO I CREATE GP USERS WITHOUT 'SA'?"