A small security hole in Microsoft Dynamics GP (and a fix)

Recently a client of ours identified a security issue in Dynamics GP. The good news is that it's a relatively narrow issue and there is a simple mitigation process. The bad news is that it's prevalent in all current GP versions.

The hole relates to the Copy Settings functionality available in User Setup. In short, the Copy Settings functionality does not respect rights set via User Security. If an administrator has rights to create a user, they can then assign company access and security rights using the Copy Settings button, even if they don't have rights to assign security with User Security.

In most organizations running Dynamics GP, an administrator who can create users is also allowed to assign security to users. In a scenario like this, the security hole doesn't apply because the user has rights to both functions anyway. Where it becomes a problem is for companies trying to segregate user creation from user security assignment. This process is considered a best practice, even if it is not particularly common in companies running Dynamics GP. 

For example, management decides that John should be allowed to create users, but only Mary can assign companies and security roles. This helps ensure that John is not creating phantom users and assigning them inappropriate security rights. Unfortunately, as GP stands now, John can create a user and copy security and company assignments from an existing user,

effectively cutting Mary out of the loop and bypassing the control.

There is a relatively easy, if imperfect fix for this. Field Level Security can be ...