Power User vs. Super User, Who Can Protect GP?
If you must have a Power User, create a Super User instead. We’ve written about minimizing the ‘sa’ user in the past, and about how to setup users without Being ‘sa’. That’s a great start for improving security. The next step is to address Power Users. In Dynamics GP, Power User isn’t a role in the traditional sense. The Power User role simply skips the security check.
Because the Power User role effectively ignores security, it doesn’t have any tasks explicitly assigned to it. This means that users with Power User access don’t show up on security reports. Because of this, handing an auditor a security report, and assuring them that the report contains the full breath of user security, could be a career limiting move.
A leading practice is to deny Power User access to anyone. Ideally administrator tasks should be explicitly assigned and split between a few users. But if a company absolutely, positively has to give someone Power User access, there is a better way. Create a Super User role.
In this context a Super User works like a Power User, they have access to everything, but the access is provided explicitly, not accidently. Essentially, every box is checked to provide access to all of the security elements in GP. That way, Super Users, and their access, will show on security reports.
Creating a Super User in GP isn’t hard, but there are a few quirks, and it does require SQL access and elevated GP privileges for the initial creation. No, you don’t have to actually check every security box.
How to create a Super User role with Power User-like properties:
1. Clear the SY09400 table.

f. Send the report to the screen, it should report back with ‘No errors found’
This repopulates the table with the current security resources. There is additional code that runs GP Power Tools is installed to add items beyond just forms and reports.

A Super User isn’t ideal. It still provides more access than even an administrator should have on a day to day basis, but at least the access is explicit and visible to reporting, not hidden in a Power User role. If this was helpful, you may want to check out our webinar, "HOW THE [EXPLETIVE DELETED] DO I CREATE GP USERS WITHOUT 'SA'?"