All of these are bad:
- sa is the SQL Server system administrator account and should only be used for the initial implementation of Dynamics GP, when Dynamics GP is moved between servers, or when configuring some ISV products.
When Dynamics GP is implemented, an account called DYNSA is created; this is the Dynamics System Administrator account which is intended for use by the people/team administering Microsoft Dynamics GP.
However, most of the admin is actually creating or maintaining users and this can be done with any user account, once it has been configured with the relevant permissions.
- The System Password should only be known to those people who have a need to know it. It protects access to some windows in the system which can cause problems if used incorrectly.
- POWERUSER* is a role which gives access to all windows in Microsoft Dynamics GP; combined with users knowing the System Password can be a recipe for disaster. New security roles should be created and assigned to users which give them access to the windows they need.
Even when users have security roles rather than POWERUSER*, I still recommend clients review the access rights to ensure that people have access they need; this is true for all users. I recommend everyone review their security every year or two to ensure that the changing needs of the business are being met.
We do a fair bit of work for clients assisting them in reviewing the security, but not everyone has a partner they can work with on this type of project. And not everyone has the budget for a full-scale security review with their partner.
One other option, to involving your partner, is to pick up a copy of the Microsoft Dynamics GP Security and Audit Field Manual: Dynamics GP 2016 book by MVP Mark Polino and Andy Snook. This book is for the 2016 version of Dynamics GP, but still fully applies to Microsoft Dynamics GP 2018 (as well as earlier versions).