Minimizing the use of sa in Microsoft Dynamics GP. Copyright Fastpath, Inc. 2011



Similar documents
How To Create A Microsoft.Com/Sql Server 2000 Instance For Act! (For A Powerpoint) For A Powerline.Com (For Microsoft) Or A Microscientific.Com Or A Windows


These notes are for upgrading the Linko Version 9.3 MS Access database to a SQL Express 2008 R2, 64 bit installations:

1 of 10 1/31/2014 4:08 PM

In this topic we will cover the security functionality provided with SAP Business One.

for Networks Installation Guide for the application on the server August 2014 (GUIDE 2) Lucid Exact Version 1.7-N and later

for Networks Installation Guide for the application on the server July 2014 (GUIDE 2) Lucid Rapid Version 6.05-N and later

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

MS SQL Express installation and usage with PHMI projects

MICROSTRATEGY 9.3 Supplement Files Setup Transaction Services for Dashboard and App Developers

MAGIC THipPro - SQL Server Installation - using the example of

QUANTIFY INSTALLATION GUIDE

SQL Server Hardening

Print Audit 6 - SQL Server 2005 Express Edition

Larger, active workgroups (or workgroups with large databases) must use one of the full editions of SQL Server.

Microsoft SQL Server Staging

User Setup for SQL Security

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

Microsoft SQL Server 2005 How to Create and Restore Database (GRANTH3) Manually

Setting Up ALERE with Client/Server Data

Dell InTrust Preparing for Auditing Microsoft SQL Server

Setting up an MS SQL Server for IGSS

Update and Installation Guide for Microsoft Management Reporter 2.0 Feature Pack 1

May 17, 2011 SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS. Mike Fal -

SpectraPro. SLQ Server databases

4cast Server Specification and Installation

0651 Installing PointCentral 8.0 For the First Time

INSTALLATION GUIDE. Snow License Manager Version 7.0 Release date Document date

Installing Cobra 4.7

General DBA Best Practices

Microsoft Corporation. Project Server 2010 Installation Guide

Microsoft SQL Server 2005 How to Create and Restore Database (GRANTH3) Manually

Notes Transfer instructions INTRODUCTION More information

BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008

Immotec Systems, Inc. SQL Server 2005 Installation Document

Installation Manual Version 8.5 (w/sql Server 2005)

SQL EXPRESS INSTALLATION...

for Networks Installation Guide for the application on a server September 2015 (GUIDE 2) Memory Booster version 1.3-N and later

SQL Server 2008 R2 Express Edition Installation Guide

The manual contains complete instructions on 'converting' your data to version 4.21.

ADO and SQL Server Security

Installation & Configuration Guide

Microsoft SQL Server Security & Auditing. March 23, 2011 ISACA Chapter Meeting

Sync your schedule and work orders with SME & Microsoft Outlook

Upgrading from MSDE to SQL Server 2005 Express Edition with Advanced Services SP2

Support Debugging Tool for Microsoft Dynamics GP. Training Workbook

Training module 2 Installing VMware View

Setup and configuration for Intelicode. SQL Server Express

IMPORTANT: The person who installs and sets up the PCS Axis database on the central database server

Migrating helpdesk to a new server

SolarWinds Migrating SolarWinds NPM Technical Reference

Moving/Restoring the StarShip SQL database

How To Upgrade Your Microsoft SQL Server for Accounting CS Version

Management Reporter Integration Guide for Microsoft Dynamics GP

PLEASE NOTE: The client data used in these manuals is purely fictional.

Installation Instruction STATISTICA Enterprise Small Business

Automated backup. of the LumaSoft Gas database

SQL Server Hardening

TROUBLESHOOTING GUIDE

PRIME Installation Guide

GFI White Paper PCI-DSS compliance and GFI Software products

ControlPoint. Advanced Installation Guide. Publication Date: January 12, Metalogix International GmbH., All Rights Reserved.

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Workflow Conductor for SharePoint 2010

STATISTICA VERSION 12 STATISTICA ENTERPRISE SMALL BUSINESS INSTALLATION INSTRUCTIONS

Burst Technology bt-loganalyzer SE

Installing SQL Express. For CribMaster 9.2 and Later

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Eylean server deployment guide

NNT CIS Microsoft SQL Server 2008R2 Database Engine Level 1 Benchmark Report 0514a

INTRODUCTION: SQL SERVER ACCESS / LOGIN ACCOUNT INFO:

Enterprise Server Setup Guide

Moving Components of an Amicus Premium Installation

TROUBLESHOOTING GUIDE

System Area Management Software Tool Tip: Integrating into NetIQ AppManager

Installing Autodesk Vault Server 2012 on Small Business Server 2008

Dream Report Version 4.5

SEER Enterprise Shared Database Administrator s Guide

WhatsUp Gold v16.3 Installation and Configuration Guide

Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2

Microsoft Dynamics GP Audit Trails

Installation and Upgrade Guide

Installing Lumension Endpoint Management and Security Suite (L.E.M.S.S.) Using a Remote SQL Server

Preparing to Install SQL Server 2005

Technical Note: How to Move AccountMate for SQL/Express to a Different Server

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Define ODBC Database Library using Management Console

SQL Server Hardening

Installing LearningBay Enterprise Part 2

Xcalibur Global Version 1.2 Installation Guide Document Version 3.0

Installation Instructions for Hospital ERP System (AP) Installation Instructions for Hospital ERP System (AP)

3. On the Accounts wizard window, select Add a new account, and then click Next.

Auditor With E-Sign For Dynamics GP 2013 Documentation dated August 29, 2014

Backing Up CNG SAFE Version 6.0

STEP BY STEP IIS, DotNET and SQL-Server Installation for an ARAS Innovator9x Test System

Verbatim Secure Data USB Drive. User Guide. User Guide Version 2.0 All rights reserved

Appendix L: Running Hazus-MH with SQL Server 2005

Transcription:

Minimizing the use of sa in Microsoft Dynamics GP Jeff Soelberg, CRISC 11/1/2011

Synopsis: Out of the box, Microsoft Dynamics GP creates the sa user with full privileges to create, modify and delete any and all data within the SQL database and the GP application. There is a common misconception that this approach is the best and/only way to manage administrative level security. This document is designed to explain the access rights and risks of the sa user as well as the best practice approach for setting up administrative rights to create a more secure environment. The Problem: When installing Microsoft Dynamics GP, the Microsoft SQL Server environment on which the databases are installed must use mixed mode authentication. In this environment, the sa user is required and has full access to the entire SQL Server environment. This user has full privileges including creating and dropping databases, users, and tables. In addition, the out of the box sa user is assigned to the SQL fixed server role of sysadmin. This assignment makes the sa user the only GP user who is able to create users and assign them to GP companies as well as create new companies and assign users to those new GP companies. The dependence on the sa account creates significant financial, system and organizational risk. First, sa is a generic account name and not a named account. This makes it difficult to isolate who used the sa account to make critical changes and verify if those changes were authorized. Second, the sa account can view, update and delete data from within Dynamics GP, SQL Server Management Studio and any other tools that provide database connectivity including Microsoft Excel. Finally, sa access enables the user to make sweeping and powerful changes to critical data. This increases the risk of malicious or unintentional database catastrophes. There is a common conception that the sa account is required to create users, create companies and perform various maintenance processes within Microsoft Dynamics GP. This is false and the remainder of this document is designed as a guide to minimizing the use of, access to and reliance on the sa account. The Solution: Before reducing sa privileges from the Dynamics GP environment, it is necessary to grant a Dynamics GP named user the access required to perform provisioning and administrative tasks. Ideally, to achieve segregation of duties, the GP user provisioning would be divided amongst 3 users: one to create the user and add that user to a company database, one to assign security roles to a user and one to maintain role and task definitions. Using additional controls such as activity tracking or audit trails, the provisioning may divided between 2 users. The remainder of this document will describe the 2 user scenario using a GP Security Administrator and a GP Access Administrator. 1

The GP Security Administrator is a named GP user responsible for: a. Assigning Users to Roles, as well as their Mod-Alt profile b. Assigning Tasks to Roles and creating or deleting Roles c. Assigning Windows and Reports to Tasks and creating or deleting Tasks d. Managing Mod-Alt profile setups e. This user should NOT have the ability to create GP Users, or assign them to GP Companies f. Activity of this user should be tracked by Audit Trails, or Activity Tracking. The GP Access Administrator is a named GP user responsible for: a. Creating and deleting all Dynamics GP users b. Assigning users to companies in your Dynamics GP environment c. Resetting forgotten user passwords d. This user should NOT have access to assign security rights from within Dynamics GP. Setup GP Security Administrator Required Dynamics GP Application Access The GP Security Administrator is a Dynamics GP user with limited GP access. Create a named user in Dynamics GP with access to all Dynamics companies. Assign this user access to the following Dynamics GP forms: a. User Security b. Security Tasks c. Security Roles d. Alternate/Modified Forms and Reports Ensure that this user does not have access to the following Dynamics GP forms: a. User Setup b. User Access The user may be assigned other access outside of the forms listed above. 2

Setup GP Access Administrator Required Dynamics GP Application Access The GP Access Administrator is a Dynamics GP user with limited GP access. Create a named user in Dynamics GP with access to all Dynamics companies. Assign this user access to the following Dynamics GP forms: a. User Setup b. User Access Ensure that this user does not have access to the following Dynamics GP forms: a. User Security b. Security Tasks c. Security Roles d. Alternate/Modified Forms and Reports e. Any access that would allow maintenance of GP data through the GP client. Examples include: VBA, Modifier, Smartlist Builder The user may be assigned other access outside of the forms listed above. Required Microsoft SQL Server Access This user will require elevated SQL Server permissions. Because GP encrypts the SQL passwords for all GP application users except sa the GP Access Administrator user will not have access to financial data via applications like SQL Server Management Studio, Microsoft Access, Microsoft Excel, or any other connection via ODBC. Grant the SQL Login associated to the GP Access Administrator user the securityadmin SQL fixed server role. In addition, the SQL User needs to have db_securityadmin, db_accessadmin, and the DYNGRP roles assigned in the DYNAMICS database and All GP company database. The DYNGRP role is automatically assigned when the user is created in Dynamics GP. 3

To assign the user s login to the securityadmin role in SQL Server, open Microsoft SQL Server Management Studio, maximize the Security folder and the Logins subfolder. Double-click on the user login to open the Login Properties window. Select the Server Roles page and mark the securityadmin role. 4

To assign the user s login to the db_securityadmin and the db_accessadmin role in SQL Server, open Microsoft SQL Server Management Studio, maximize the database, Security folder, and the Users subfolder. Double-click on the user to open the Database User window. Mark the db_securityadmin and db_accessadmin roles. Since the SQL user you are granting the SQL fixed sever roles is a Dynamics GP user with an encrypted password, this user cannot gain direct access to the SQL environment or the SQL tables. The only way for this user to access the SQL data is via the Dynamics GP application. 5

Setup sa access to Dynamics GP By default, the sa user is assigned the Dynamics GP application role Poweruser. Poweruser is a programmatic role meaning that it provides access to all areas of Dynamics GP and is not subject to application security. Users assigned Poweruser will not appear in the standard GP security reports. Because of this risk, it is recommended that no user be assigned the Poweruser role. A new role titled Administrator should be created and all tasks should be assigned to this role as required. It is not required to assign the sa account Poweruser role or an Administrator role. The sa account is only required in and should be limited to the following places in Dynamics GP: a. Performing 3 rd party upgrades (Not all 3 rd parties require sa ) b. Using Professional Services Tools Library The following are functions that do not require the sa account: a. Creating an ODBC connection b. Creating reports using Smartlist Builder c. Creating new GP companies d. Upgrading GP, or apply service packs Any member of the SysAdmin fixed server role can upgrade from a previous release or install Microsoft Dynamics GP. The SysAdmin fixed server role should be granted by the SQL Server administrator to a GP user on an as needed basis, and should be revoked after the task is complete. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information