<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=523033&amp;fmt=gif">
Request a Demo
Contact Us

Power User vs. Super User, Who Can Protect GP?

Mark Polino

power user.jpgIf you must have a Power User, create a Super User instead. We’ve written about minimizing the ‘sa’ user in the past, and about how to setup users without Being ‘sa’. That’s a great start for improving security. The next step is to address Power Users. In Dynamics GP, Power User isn’t a role in the traditional sense. The Power User role simply skips the security check.

 

Because the Power User role effectively ignores security, it doesn’t have any tasks explicitly assigned to it. This means that users with Power User access don’t show up on security reports. Because of this, handing an auditor a security report, and assuring them that the report contains the full breath of user security, could be a career limiting move.

 

A leading practice is to deny Power User access to anyone. Ideally administrator tasks should be explicitly assigned and split between a few users. But if a company absolutely, positively has to give someone Power User access, there is a better way. Create a Super User role.

 

In this context a Super User works like a Power User, they have access to everything, but the access is provided explicitly, not accidently. Essentially, every box is checked to provide access to all of the security elements in GP. That way, Super Users, and their access, will show on security reports.

 

Creating a Super User in GP isn’t hard, but there are a few quirks, and it does require SQL access and elevated GP privileges for the initial creation. No, you don’t have to actually check every security box.

 

how to create gp users without 'SA'How to create a Super User role with Power User-like properties:

 

1. Clear the SY09400 table.

a. Go to Microsoft Dynamics GP > Maintenance > Clear Data
b. Click Display on the toolbar and click Physical
c. Select System under Series
d. Click Security Resource Descriptions under Tables to highlight it and click Insert to add it to the Selected Tables list
security resource descriptions Dynamics gp
e. Click OK, then Yes to the pop up message asking you if you’re sure that you want to clear data from the table
f. Send the report to the screen, it should report back with ‘No errors found’

This repopulates the table with the current security resources. There is additional code that runs GP Power Tools is installed to add items beyond just forms and reports.
 
2. Run the SQL Script below.
This adds a Super User role and assigns security to all of the items, even if the description hasn’t been added to the SY09400 table. I still can’t swear that this catches absolutely everything, but it should and it has worked in testing. 
 
a. Create SUPERUSER Task
Insert into SY09000 (SECURITYTASKID,SECURITYTASKNAME,SECURITYTASKDESC,SECURITYTASKCATEGORY,DEFSECTASK,CRUSRID,CREATDDT,MDFUSRID,MODIFDT)
Values (‘SUPERUSER’,’SUPERUSER’,’Super User task to replace Power User role’,7,0,’sa’, cast(getdate() as date), ”, ‘1/1/1900’)
 
b. Assign all security items to SUPERUSER taskInsert Into SY10700 (SECURITYTASKID,DICTID,SECURITYID,SECRESTYPE)
Select distinct ‘SUPERUSER’,a.DICTID,a.SECURITYID,a.SECRESTYPE from
(select distinct DICTID,SECURITYID,SECRESTYPE from SY10700
union
select distinct DICTID,SECURITYID,SECRESTYPE from SY09400) a
 
c. Create SUPERUSER RoleInsert into SY09100 (SECURITYROLEID,SECURITYROLENAME,SECURITYROLEDESC,SECROLETYPE,CRUSRID,CREATDDT,MDFUSRID, MODIFDT)
Values (‘SUPERUSER’,’SUPERUSER’,’Super User Role to replace Power User role’,2,’sa’,cast(getdate() as date), ”, ‘1/1/1900’)
 
d. Assign SUPERUSER Task to SUPERUSER Role
Insert into SY10600 (SECURITYROLEID,SECURITYTASKID)
Values (‘SUPERUSER’,’SUPERUSER’)
 
3. Remove a user’s access to Power User and assign access to Super User.
a. In GP select Administration > System > User Security
b. Select a user and company
c. Uncheck Power User
d. Check Super User
security role id Dynamics GP
 

A Super User isn’t ideal. It still provides more access than even an administrator should have on a day to day basis, but at least the access is explicit and visible to reporting, not hidden in a Power User role. If this was helpful, you may want to check out our webinar, "HOW THE [EXPLETIVE DELETED] DO I CREATE GP USERS WITHOUT 'SA'?"
Mark Polino

Mark Polino

Mark Polino is an experienced Certified Public Accountant (CPA) with additional certifications in information technology (CITP) and financial forensics (CFF). He is also a Chartered Global Management Accountant (CGMA). Mark holds a Bachelor of Science degree in Accounting from the University of Central Florida and a Master of Business Administration from Rollins College. His work has focused on the intersection of accounting and technology for the last 20 years. Mark is the author or coauthor of fourteen ERP and security focused books and two novels. He maintains an online presence at DynamicAccounting.net and can be found on twitter as @mpolino.

You Might Also Like

Managing Security & Compliance In SAP: Single and Composite Roles

Frank Vukovits

Learn More

Managing Security & Compliance In SAP: Risks Between SAP ECC & SAP CRM

Frank Vukovits

Learn More

Managing Security & Compliance In SAP: Other Identity Management Solutions

Frank Vukovits

Learn More

Security. Audit. Compliance.  We're Here to Help

4093 NW Urbandale Drive / Des Moines, IA 50322 (515) 276-1779 Fax: (515) 864-0318
Read Our Blog

© 2019 Fastpath, Inc. All rights reserved. Privacy Statement | Terms of Use