Wednesday, June 1, 2011

Account Level Security and Advanced Search, Uh-Oh

It still amazes me that although I have been training for over 10 years, I still have students "discover" new "features" in Dynamics GP.  I just had a case pop up in class last month, regarding account level security and the advanced search feature in the account lookup window.

But, first, a little background for those of you not familiar with account level security (also referred to as organizational structures).  This feature of Microsoft Dynamics GP allows you to assign users and GL accounts to branches of your organization structure, thereby restricting the accounts that a user can access.  Companies use this for a variety of reasons including:
  • Ensuring that users don't post to incorrect accounts
  • Securing accounts that users shouldn't be able to view (e.g., balances or other information)
  • Simplifying the interface for a user so that they only see the accounts they use
So, let's assume in my example that I have configured account level security to display a restricted list of accounts for my payables clerks.

Note that when they use the Accounts lookup to select an account number, the first account listed is 000-6170-04 (the first account in their restricted list, NOT the first account in the complete chart of accounts).  This is working as designed, as we only want the payables clerks to see their expense accounts.  But... what happens if a user uses the Advanced Search feature to locate an account?

So, in this example, I clicked the Advanced Search icon (the binoculars called out in the above screenshot) and chose to search by Account Number begins with 000-1.  And, surprisingly, I get back a list of accounts that meet those criteria but are NOT part of the restricted list that I am able to use due to account security.  If I try to pick one of these accounts, I get the following error:

So, although you can SEE the accounts, you still can't USE them if you don't have access to them.  I know you are probably wondering, well, what's the problem then?  Well, it is a minor one, but what this means is that users need to know that although the list is secure for posting, reporting, etc., it is NOT secure from viewing the account descriptions.  Account descriptions may contain sensitive information, like names, that you may assume can't be seen by a user who doesn't have access to the account.  But it can be seen.  So plan accordingly.

There is a problem report for this, but it is a bit old and doesn't seem to be a popular one, so definitely contact your Partner or Microsoft support if you want to be added to the list of customers experiencing this issue.  Here are the details:

MBS Great Plains 4799 - ‘Search Accounts’ returns all accounts, not just enabled

Have a great Thursday!

Christina Phillips is a Microsoft Certified Trainer and Dynamics GP Certified Professional. She is a supervising consultant with BKD Technologies, providing training, support, and project management services to new and existing Microsoft Dynamics customers. This blog represents her views only, not those of her employer.
