How to Deal with the Dangers Posed By the "sa" Account for Microsoft Dynamics GP
Microsoft Dynamics GP has long required the 'sa' (system administrator) account to perform several tasks, including user management, maintenance and installation of third-party products. It is also widely used as a "do everything" User ID by companies and consultants.
Use of the 'sa' account creates audit risk in both the IT department and the Finance department. A user with access to this account may make changes to financial data and eradicate any trace of the change that was made. Additionally, users without appropriate SQL training may modify SQL objects or settings that impact data and performance.
Auditors are keenly aware of the widespread use of 'sa' in Dynamics GP environments and want to put systems and processes in place that monitor its use. Failure to demonstrate control of this account will often lead to a negative opinion on the audit review.
Here are some actions that can be taken to monitor the permissions and usage of the 'sa' account:
1. To better monitor and control direct access to the database, do not allow any users to connect to a Dynamics database with the 'sa' account. Grant appropriate administrative rights to Windows logins and require users to log into SQL Server Management Studio using Windows Authentication. This will help lock down the 'sa' password and provide better audit trails.
2. Eliminate 'sa' from user management by granting another user DB access to create Dynamics GP users. Instructions for doing this are listed in the Microsoft GP Planning for Security white paper that can be found here.
3. There ...
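T-SQL for the monitoring side of steps 1 and 2, added here as an example and not taken from the article or from Microsoft's white paper: it shows who is connected as 'sa', which logins hold server-wide administrative rights, and how to record every 'sa' login attempt. The audit names GP_sa_Logins and GP_sa_Logins_Spec are hypothetical; the script assumes it is run by a server administrator on the instance that hosts the Dynamics GP databases.

```sql
USE master;
GO

-- 1. Sessions currently authenticated as 'sa': when they logged in,
--    from which workstation, with which program, from which address.
SELECT s.session_id,
       s.login_time,
       s.host_name,
       s.program_name,
       c.client_net_address
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c
       ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND s.original_login_name = N'sa'
ORDER BY s.login_time;

-- 2. Every login that holds sysadmin, so administrative rights granted
--    to Windows logins can be reviewed next to the SQL logins.
SELECT m.name, m.type_desc, m.is_disabled, m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;
GO

-- 3. Record successful and failed logins for 'sa' only.
--    Events go to the Windows Application log, outside the database.
CREATE SERVER AUDIT [GP_sa_Logins]            -- hypothetical name
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
    WHERE server_principal_name = 'sa';
GO
CREATE SERVER AUDIT SPECIFICATION [GP_sa_Logins_Spec]  -- hypothetical name
    FOR SERVER AUDIT [GP_sa_Logins]
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT [GP_sa_Logins] WITH (STATE = ON);
GO
```

Once administrators work through Windows logins, any row from query 1 or any event from the audit is an exception to explain, which is the evidence of control an auditor asks for.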