A small security hole in Microsoft Dynamics GP (and a fix)

by Mark Polino
Director of Client Services, Fastpath, Integrated Business Group

Recently a client of ours identified a security issue in Dynamics GP. The good news is that it's a relatively narrow issue and there is a simple mitigation process. The bad news is that it's prevalent in all current GP versions.

The hole relates to the Copy Settings functionality available in User Setup. In short, the Copy Settings functionality does not respect rights set via User Security. If an administrator has rights to create a user, they can then assign company access and security rights using the Copy Settings button, even if they don't have rights to assign security with User Security.

In most organizations running Dynamics GP, an administrator who can create users is also allowed to assign security to users. In a scenario like this, the security hole doesn't apply because the user has rights to both functions anyway. Where it becomes a problem is for companies trying to segregate user creation from user security assignment. This process is considered a best practice, even if it is not particularly common in companies running Dynamics GP. 

For example, management decides that John should be allowed to create users, but only Mary can assign companies and security roles. This helps ensure that John is not creating phantom users and assigning them inappropriate security rights. Unfortunately, as GP stands now, John can create a user and copy security and company assignments from an existing user, effectively cutting Mary out of the loop and bypassing the control.
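The John/Mary scenario as a small authorization model, added here as an illustration (it is not Dynamics GP code, and the right names, user ids and company ids are constructed): the vulnerable copy routine only checks the right that opens User Setup, while the hardened one re-checks the User Security right on every path that grants access.

```python
"""Illustrative model of the Copy Settings control gap (hypothetical names)."""
from dataclasses import dataclass, field

# Two separable rights: creating a login, and assigning companies/roles
# through the User Security window.
CREATE_USER = "CREATE_USER"
ASSIGN_SECURITY = "ASSIGN_SECURITY"


@dataclass
class GPUser:
    user_id: str
    companies: set = field(default_factory=set)
    roles: set = field(default_factory=set)


@dataclass
class Admin:
    name: str
    rights: set


def copy_settings_vulnerable(actor: Admin, src: GPUser, dst: GPUser) -> GPUser:
    """The gap: only the right that opened User Setup is checked, so company
    access and security roles travel with the copy."""
    if CREATE_USER not in actor.rights:
        raise PermissionError(f"{actor.name} cannot open User Setup")
    dst.companies |= src.companies
    dst.roles |= src.roles
    return dst


def copy_settings_hardened(actor: Admin, src: GPUser, dst: GPUser) -> GPUser:
    """A copy is just another way of assigning security, so it must pass the
    same check the User Security window enforces."""
    if CREATE_USER not in actor.rights:
        raise PermissionError(f"{actor.name} cannot open User Setup")
    if ASSIGN_SECURITY not in actor.rights:
        raise PermissionError(f"{actor.name} may create users but not assign security")
    dst.companies |= src.companies
    dst.roles |= src.roles
    return dst


def demo(copy_fn, actor: Admin) -> tuple[bool, int]:
    """Run one admin through one variant; returns whether the copy was allowed
    and how many roles the new login ended up with (constructed sample data)."""
    template = GPUser("TEMPLATE", {"COMPANY_A", "COMPANY_B"}, {"ROLE_AP", "ROLE_GL"})
    new_user = GPUser("NEWUSER1")
    try:
        copy_fn(actor, template, new_user)
        return True, len(new_user.roles)
    except PermissionError:
        return False, len(new_user.roles)
```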

[Figure: Microsoft Dynamics GP Copy User Settings]

There is a relatively easy, if imperfect fix for this. Field Level Security can ...

About Mark Polino

Mark Polino is a Certified Public Accountant (CPA) and a former Microsoft MVP (2007-2018) for Business Solutions. He is the author or coauthor of 5 books related to Microsoft Dynamics GP. Mark also maintains a Dynamics GP focused website. He speaks and writes regularly about ERP related topics. Mark has been a controller and CFO for a division of a publicly traded company and he has worked as a consultant implementing ERP solutions. Mark holds additional certifications including Certified Information Technology Professional (CITP), Certified in Financial Forensics (CFF), Chartered Global Management Accountant (CGMA), Dynamics Credentialed Professional for Dynamics GP 2015 (Core Install and Core Financials), and Xero Certified. He holds a bachelor's degree in accounting from the University of Central Florida and an MBA from Rollins College. Mark lives with his family in Florida.

