Microsoft Dynamics GP User? Then Review Your Security

In recent times we have taken over a few clients from other partners and one common theme we are running into is poor security practices. For a lot of these new clients, we find that a lot of people know the sa password, the vast majority know the System Password and all users have the POWERUSER* role assigned.

All of these are bad:

  1. sa is the SQL Server system administrator account and should only be used for the initial implementation of Dynamics GP, when Dynamics GP is moved between servers, or when configuring some ISV products.

    When Dynamics GP is implemented, an account called DYNSA is created; this is the Dynamics System Administrator account which is intended for use by the people/team administering Microsoft Dynamics GP.

    However, most of the admin is actually creating or maintaining users and this can be done with any user account, once it has been configured with the relevant permissions.

  2. The System Password should only be known to those people who have a need to know it. It protects access to some windows in the system which can cause problems if used incorrectly.
  3. POWERUSER* is a role which gives access to all windows in Microsoft Dynamics GP; combined with users knowing the System Password, this can be a recipe for disaster. New security roles should be created and assigned to users which give them access to the windows they need.

Even when users have security roles rather than POWERUSER*, I still recommend clients review the access rights to ensure that people have the access they need; this is true for all users. I recommend everyone review their security every year or two to ensure that the changing needs of the business are being met.
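As a starting point for that review, the query below lists every POWERUSER assignment per company and shows how many other roles the user already holds in that company. It is an added example, not a script from the original post, and it assumes the system database has the default name DYNAMICS and that the standard security tables SY10500 (user role assignments), SY01400 (users) and SY01500 (companies) are in use.

```sql
USE DYNAMICS;  -- assumption: default name of the Dynamics GP system database
GO
SELECT
	RTRIM(pu.USERID) AS UserID
	,RTRIM(u.USERNAME) AS UserName
	,RTRIM(c.INTERID) AS INTERID
	,RTRIM(c.CMPNYNAM) AS CompanyName
	,RTRIM(pu.SECURITYROLEID) AS RoleID
	-- Roles other than POWERUSER the user holds in the same company.
	-- Zero means a replacement role must be assigned before POWERUSER
	-- is removed, otherwise the user loses all access to that company.
	,(
		SELECT COUNT(*)
		FROM SY10500 AS other
		WHERE other.USERID = pu.USERID
			AND other.CMPANYID = pu.CMPANYID
			AND other.SECURITYROLEID NOT LIKE 'POWERUSER%'
	) AS OtherRolesInCompany
FROM
	SY10500 AS pu                 -- one row per user, company and role
LEFT JOIN
	SY01400 AS u                  -- user master
		ON u.USERID = pu.USERID
LEFT JOIN
	SY01500 AS c                  -- company master
		ON c.CMPANYID = pu.CMPANYID
WHERE
	-- LIKE matches the role ID with or without a trailing asterisk
	pu.SECURITYROLEID LIKE 'POWERUSER%'
ORDER BY
	UserID, INTERID;
```

Rows where UserName or CompanyName is NULL point at assignments left behind for users or companies that no longer exist and are worth cleaning up as part of the same review.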

We do a fair bit of work for clients assisting them in reviewing the security, but not everyone has a partner they can work with on this type of project. And not everyone has the budget for a full-scale security review with their partner.

One other option, instead of involving your partner, is to pick up a copy of the Microsoft Dynamics GP Security and Audit Field Manual: Dynamics GP 2016 book by MVP Mark Polino and Andy Snook. This book is for the 2016 version of Dynamics GP, but still fully applies to Microsoft Dynamics GP 2018 (as well as earlier versions).

Microsoft Dynamics GP 2018 RTM Web Client Prerequisites: Bind SSL Certificate to IIS Web Site

Microsoft Dynamics GP 2018 RTM has now been released. In a series of posts, I am stepping through the installation of Microsoft Dynamics GP and additional products; the series index for this series of posts is here and will automatically update as posts go live.

I am taking a small break (sort of) from that post, to cover the installation/configuration of the prerequisites for the installation of the Microsoft Dynamics GP 2018 RTM web client (the installation of which is part of the Hands On series).

This is the first of the posts on installing and configuring the web client prerequisites; in this post I am going to cover the binding of the self-signed security certificate (created in the last post).

To bind the certificate, launch Internet Information Services (IIS) Manager, expand the server node, the Sites node and click on Default Web Site (I am just using the default website in IIS for the web client) and then click Bindings in the Action pane:


Microsoft Dynamics GP 2018 RTM Web Client Prerequisites: Create Self Signed SSL Certificate

Microsoft Dynamics GP 2018 RTM has now been released. In a series of posts, I am stepping through the installation of Microsoft Dynamics GP and additional products; the series index for this series of posts is here and will automatically update as posts go live.

I am taking a small break (sort of) from that post, to cover the installation/configuration of the prerequisites for the installation of the Microsoft Dynamics GP 2018 RTM web client (the installation of which is part of the Hands On series).

This is the first of the posts on installing and configuring the web client prerequisites; in this post I am going to cover the creation of a self-signed security certificate.

The web client is a web based service, which requires a security certificate to be created and bound to the web site. Once IIS has been installed, it is a simple process to create a self-signed security certificate.

To do so, launch Internet Information Services (IIS) Manager and click on the server name in the navigation pane. In the detail pane, double click on Server Certificates:


eConnect 18 Prerequisites: Set Service Account as Local Administrator

Microsoft Dynamics GP 2018 RTM has now been released and I am in the middle of a series of Hands On posts. As part of that series, I am about to cover the installation of the eConnect additional product on a server configured for receiving messages via the MSMQ. However, there are two prerequisites which need to be dealt with before eConnect can be installed on the server.

Usually, when doing Hands On posts, I only cover the core installs and only mention prerequisites such as this, referring back to old posts where necessary, but it appears I’ve only made references previously to what you have to do, without actually blogging about it. So, this series on the eConnect prerequisites is going to be a brief diversion from the Hands On series, which will resume tomorrow.

The eConnect 18 Prerequisites series index can be found here.

Before installing eConnect, the service account it will run under needs to be configured as a local administrator. Do this by launching the Computer Management Control Panel applet.

Expand the following nodes in the navigation tree:

  1. System Tools
  2. Local Users and Groups
  3. Groups

Double click on the Administrators group in the central list of groups:


MDGP 2018 RTM Feature of the Day: Copy User Access Across AA Dimensions

The Inside Microsoft Dynamics GP blog has started a series of Feature of the Day posts for Microsoft Dynamics GP 2018 RTM; as the most recent versions have been, these posts are in the form of PowerPoint slides; I am reposting them here so they can be read more easily as well as adding my own commentary.

The series index for this series of posts is here.

The fifteenth Feature of the Day is Copy User Access Across AA Dimensions. A new button has been introduced to the User Access to Trx Dimensions window which allows setup to be copied between users:

All alphanumeric dimensions in AA need to have access configured on a per user basis; this can mean a lot of work to both set up and maintain. This new functionality should at least make it a little easier by allowing you to copy settings between users.

MDGP 2018 RTM Feature of the Day: System Password Remembered

The Inside Microsoft Dynamics GP blog has started a series of Feature of the Day posts for Microsoft Dynamics GP 2018 RTM; as the most recent versions have been, these posts are in the form of PowerPoint slides; I am reposting them here so they can be read more easily as well as adding my own commentary.

The series index for this series of posts is here.

The thirteenth Feature of the Day is System Password Remembered.

One of the big frustrations for people who maintain security in Microsoft Dynamics GP is having to type the System Password every single time a password protected window is opened.

This feature sees a change whereby the System Password, once entered, is remembered for the rest of the session.

This feature is well overdue and is going to save so much frustration from having to enter the system password so many times when creating security roles and tasks.


Missing Security Roles In Microsoft Dynamics GP 2018 RTM

The Dynamics GP Support and Services Blog has a post on the missing security in Microsoft Dynamics GP 2018 RTM; these are the new security roles and tasks created for the new functionality.

For features which are being enhanced, the new security tasks may be added to roles which already exist and are assigned to users. The security is not automatically updated with the upgrade; instead, scripts are made available to add the missing security. This places the onus on the client to determine if the roles should be updated or not.

I have updated my original post with the new script, but you can also download it here.

Security Views For Use In SmartList Designer: Group Based Company Access In Management Reporter

A while ago, I did a series of views on the Microsoft Dynamics GP security model. Well, a little after that I wrote a couple of scripts to allow the security configuration of Management Reporter to easily be enquired upon.

This, the second Management Reporter security script, shows security for users as granted by their Group membership. The previous post, on Friday, showed the user based company access.

The view is configured to read the security from a database called ManagementReporter and assumes the user who runs the report has select permissions on this database and relevant tables.

IF OBJECT_ID (N'uv_AZRCRV_GetManagementReporterGroupBasedSecurity', N'V') IS NOT NULL
	DROP VIEW uv_AZRCRV_GetManagementReporterGroupBasedSecurity
GO
CREATE VIEW uv_AZRCRV_GetManagementReporterGroupBasedSecurity AS
/*
Created by Ian Grieve of azurecurve|Ramblings of a Dynamics GP Consultant (http://www.azurecurve.co.uk)
This code is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0 Int).
*/
SELECT
	['Security User'].UserName AS 'Username'
	,['Security User Principal'].Name AS 'Domain Name'
	,['Security User'].LastLoginAttempt AS 'Last Login Attempt'
	,CASE ['Security User'].RoleType
		 WHEN 2 THEN
			'Viewer'
		 WHEN 3 THEN
			'Generator'
		 WHEN 4 THEN
			'Designer'
		 WHEN 5 THEN
			'Administrator'
		ELSE
			'None'
		END AS 'Role'
	,['Security Group Principal'].Name AS 'Group Name'
	,['Security Group Principal'].Description AS 'Group Description'
	,['Control Company'].Code AS 'INTERID'
	,['Control Company'].Name AS 'Company Name'
-- Source tables are qualified with the ManagementReporter database name, as in the user based view
FROM 
	ManagementReporter.Reporting.SecurityUser AS ['Security User'] WITH (NOLOCK)
INNER JOIN
	ManagementReporter.Reporting.SecurityPrincipal AS ['Security User Principal'] WITH (NOLOCK)
		ON
			['Security User'].UserID = ['Security User Principal'].ID
LEFT JOIN
	ManagementReporter.Reporting.SecurityGroupUser AS ['Security Group User'] WITH (NOLOCK)
		ON
			['Security User'].UserID = ['Security Group User'].UserID
LEFT JOIN
	ManagementReporter.Reporting.SecurityPrincipal AS ['Security Group Principal'] WITH (NOLOCK)
		ON
			['Security Group User'].GroupID = ['Security Group Principal'].ID
LEFT JOIN
	ManagementReporter.Reporting.SecurityCompanyPermission AS ['Security Company Group Permission'] WITH (NOLOCK)
		ON
			['Security Group Principal'].ID = ['Security Company Group Permission'].PrincipalID
LEFT JOIN
	ManagementReporter.Reporting.ControlCompany AS ['Control Company'] WITH (NOLOCK)
		ON
			['Security Company Group Permission'].CompanyID = ['Control Company'].ID
GO
GRANT SELECT ON uv_AZRCRV_GetManagementReporterGroupBasedSecurity TO DYNGRP
GO


Security Views For Use In SmartList Designer: User Based Company Access In Management Reporter

A while ago, I did a series of views on the Microsoft Dynamics GP security model. Well, a little after that I wrote a couple of scripts to allow the security configuration of Management Reporter to easily be enquired upon.

This first script returns the security based on how the user is configured; the view I will post on Monday shows Group based security.

The view is configured to read the security from a database called ManagementReporter and assumes the user who runs the report has select permissions on this database and relevant tables.

IF OBJECT_ID (N'uv_AZRCRV_GetManagementReporterUserBasedSecurity', N'V') IS NOT NULL
	DROP VIEW uv_AZRCRV_GetManagementReporterUserBasedSecurity 
GO
CREATE VIEW uv_AZRCRV_GetManagementReporterUserBasedSecurity AS
/*
Created by Ian Grieve of azurecurve|Ramblings of a Dynamics GP Consultant (http://www.azurecurve.co.uk)
This code is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0 Int).
*/
SELECT
	['Security User'].UserName AS 'Username'
	,['Security User Principal'].Name AS 'Domain Name'
	,['Security User'].LastLoginAttempt AS 'Last Login Attempt'
	,CASE ['Security User'].RoleType
		 WHEN 2 THEN
			'Viewer'
		 WHEN 3 THEN
			'Generator'
		 WHEN 4 THEN
			'Designer'
		 WHEN 5 THEN
			'Administrator'
		ELSE
			'None'
		END AS 'Role'
	,['Control Company'].Code AS 'INTERID'
	,['Control Company'].Name AS 'Company Name'
FROM 
	ManagementReporter.Reporting.SecurityUser AS ['Security User'] WITH (NOLOCK)
INNER JOIN
	ManagementReporter.Reporting.SecurityPrincipal AS ['Security User Principal'] WITH (NOLOCK)
		ON
			['Security User'].UserID = ['Security User Principal'].ID
LEFT JOIN
	ManagementReporter.Reporting.SecurityCompanyPermission AS ['Security Company Permission'] WITH (NOLOCK)
		ON
			['Security User Principal'].ID = ['Security Company Permission'].PrincipalID
LEFT JOIN
	ManagementReporter.Reporting.ControlCompany AS ['Control Company'] WITH (NOLOCK)
		ON
			['Security Company Permission'].CompanyID = ['Control Company'].ID
GO
GRANT SELECT ON uv_AZRCRV_GetManagementReporterUserBasedSecurity TO DYNGRP
GO
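A user's effective company access in Management Reporter is the combination of what is granted directly and what is granted through groups, so a review needs both views side by side. The query below is an added example, not one of the original scripts; it assumes both views on this page have been created in the same database, and the Granted Via and Elevated Role columns are names introduced here.

```sql
-- Added example: effective company access per user, from both views.
WITH EffectiveAccess AS (
	-- Access granted directly to the user
	SELECT
		Username, [Domain Name], [Role], INTERID, [Company Name]
		,[Last Login Attempt]
		,'User' AS [Granted Via]
	FROM uv_AZRCRV_GetManagementReporterUserBasedSecurity
	WHERE INTERID IS NOT NULL      -- LEFT JOINs return NULL when no company is granted
	UNION ALL
	-- Access inherited from group membership
	SELECT
		Username, [Domain Name], [Role], INTERID, [Company Name]
		,[Last Login Attempt]
		,'Group: ' + [Group Name]
	FROM uv_AZRCRV_GetManagementReporterGroupBasedSecurity
	WHERE INTERID IS NOT NULL
)
SELECT
	Username
	,[Domain Name]
	,[Role]
	,INTERID
	,[Company Name]
	,[Granted Via]
	,[Last Login Attempt]
	-- Designer and Administrator are the two highest role types in the views' CASE
	,CASE
		WHEN [Role] IN ('Designer', 'Administrator') THEN 'Yes'
		ELSE 'No'
	END AS [Elevated Role]
FROM EffectiveAccess
ORDER BY
	Username, INTERID, [Granted Via];
```

A user and company pair that appears more than once has access through several paths, so removing a single grant will not remove the access.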


Dynamics GP Tech Conference 2017: New User Experience Features

This post is part of the series I am doing on the Dynamics GP Tech Conference 2017.

One of the areas being focused on in the 2018 version of Microsoft Dynamics GP is the user experience. The announced enhancements are:

  • Add sort to Receivables Transaction Inquiry – by Customer
  • Add sort to Receivables Transaction Inquiry – by Document
  • Add sort to Payables Transaction Inquiry – by Vendor
  • Add sort to Payables Transaction Inquiry – by Document
  • System password is remembered for the duration of the user session – the only downside is if you need to grant access to a window such as the VAT Return to a user, but then need to monitor them to make sure they then close Dynamics GP before continuing with other work.
  • Rename of Payables windows to say Payments instead of Checks – I can't find the post, but this was a request from Mariano Gomez and is well overdue. Pretty much all payments in the UK are by EFT, so it was getting seriously embarrassing having all the windows with Cheque in the name (UK language pack changes it from Check).
  • Autocomplete added to the web client
  • SmartList Favourites – unique password protection – this is by popular request after the password for SmartList Favourites globally was added in GP 2016 R2.
  • SmartList shortcut on toolbar in web client
  • Bank Reconciliation maximise window in web client
  • Adding additional sorting in Bank Reconciliation window
  • Update help icons to link to tagged online support documents

The enhancements to the user experience listed above should be of benefit to users of Dynamics GP, and follow Microsoft’s ethos of evolution, not revolution in the improvements they are making.