How are GP customers "disabling" users?

(0) Share

Report

Posted on by Devin

1,797

How are customers "disabling" users since there is no disable function within GP?

A user is established through the steps of 1) create a user, 2) grant access to a company(ies), and 3) assign a role(s). Disabling a user would involve undoing one and/or more of these steps. Deleting a user would involve undoing all three.

I would argue that a user should never be deleted in GP so that 1) audit can recall who created transactions under the “Jdoe” username and 2) IT doesn't assign the “Jdoe” username to another user and it become impossible to distinguish between the two individuals' transactions.

So, this leaves us with removing the user's assigned role(s) and/or access to company(ies). Is there a best practice out there amongst customers? Thanks!

*This post is locked for comments

All responses (13)

Answers (0)

Community Member Microsoft Employee on at

Like (0)

Report

Re: How are GP customers "disabling" users?

I realise this jas pretty much been covered to death now, but I thought I'd add my tuppence anyway...

My preferred solution is one that has already been mentioned - i.e. revoking access to the companies through Tools >> Setup >> System >> User Access. I also tend to recommend creating a user class called "INACTIVE" or something like that, and assigning the user to it, so as to provide a quick way of finding all inactive users.

One alternative approach that became possible in SQL 2005, is to simply prevent the user from logging on to SQL as follows:

ALTER LOGIN [andrew.cooper] DISABLE

This will leave all of the users company access and security access in place, but will prevent them from connecting to the SQL Server.

It's not the best, because it can't be done through the GP UI without mods, but it will give you what you want.

Cheers,

Andrew Cooper
L Vail 65,271 on at

Like (0)

Report

Re: Re: Re: Re: Re: Re: Re: Re: Re: How are GP customers "disabling" users?

If you want to keep the GP security trail alive (sort of), you could create a new empty company and then copy the user's security over to that company. Then, if you remove the user's access to the live company, you can still reference what his/her security was by looking at the empty company.

Or, as I think was suggested earlier, remove the access at the SQL level.
Mariano Gomez 26,225 on at

Like (0)

Report

Re: Re: Re: Re: Re: Re: Re: Re: How are GP customers "disabling" users?

Previous roles are not restored, so you would have to assign the user to such roles -- or new ones if they are back to doing new functions.
Devin 1,797 on at

Like (0)

Report

Re: Re: Re: Re: Re: Re: Re: How are GP customers "disabling" users?

Mariano, should removing company access from a user, then reinstating that same company access also restore their previous role(s)? In my experimentation I found that the user's previous roles are lost when the company access is reinstated.
L Vail 65,271 on at

Like (0)

Report

Re: Re: Re: Re: Re: Re: Re: How are GP customers "disabling" users?

Just thought I would add my vote.

I'm for disabling user access to the databases. Retains the user information and is easy. I like easy. Oh, and it requires no additional purchase.

Kind regards,

Leslie
Mariano Gomez 26,225 on at

Like (0)

Report

Re: Re: Re: Re: Re: Re: How are GP customers "disabling" users?

As I said before, if your users are assigned to specific roles, there is no need to copy a user security, even in 2010. The purpose of roles and tasks is to preserve security settings.
Imtiaz Ahmed - Axone 45 on at

Like (0)

Report

Re: Re: Re: Re: Re: How are GP customers "disabling" users?

If you set up a user with "no access rights", you can copy that user over to an existing user in GP 2010 using the new copy function.
Mariano Gomez 26,225 on at

Like (0)

Report

Re: Re: Re: Re: How are GP customers "disabling" users?

Richard has a good point, because removing a user's access from a company in V10 and V2010 just got a whole lot better since the security is now role based. So in theory, as long as a user belongs to a security role (security class in versions prior to v10) he/she should not loose the access to objects that they had access to prior to being removed access from the company.
Richard Whaley 25,195 on at

Like (0)

Report

Re: Re: Re: How are GP customers "disabling" users?

A "Disable" function, while it would be nice, is broad. It would disable the user from all companies. (Hey, why don't you just remove company access for the user?) OK, I'm having a wacky day, yes that was suggested and is the best option. Plus, it allows you to keep information for audits and potentially to reinstate the employee.

Be careful deleting the user. I have not tested this in 10 or 2010 but in prior versions if you deleted user FRED (even after wiping out access, etc) and re created a new user ID FRED for a different FRED, the new fred inherited all of the short cuts of the old Fred. Imagine the surprise if the old Fred was in accounting and the new Fred is in shipping!
Devin 1,797 on at

Like (0)

Report

Re: Re: How are GP customers "disabling" users?

Thank you for your replies! Ideally, GP would have an "inactive" status and would allow us to retain who the user was (beyond "Jdoe" transactions), what companies he had access to, and what roles were assigned to him within each company. There would also be a way to quickly determine whether a SQL level user corresponded to a GP user and whether the GP user tied to the SQL user is active or inactive. (In a perfect world we would also have a history of all changes to this security structure.)

@GoFast - thank you for the link. I'd never seen your products before.

@Sagi88 - it would be laborious to produce sufficient documentation to show that a password was changed after a user was terminated. I'd never thought of removing the DYNGRP role from the DYNAMICS database for the user. I experimented with it and it does appear to block a user from logging in. Unfortunately, the user still appears to be an active user in the application's security reports.

@Victoria - yes, it is correct that the user record is disconnected from the user transaction history and that the transaction history would be retained when the user record is deleted but there would be no descriptive record of who "Jdoe" was in the system. This would be especially bad if GP user ids were being reused on new individuals and another individual processed transactions under the same user id.

We went live with GP just a few months ago. We have based our GP user ids on our Windows network ids. I built a Help Desk security role and was writing a security manual for them when I was informed by our network admins that in the past they have recycled network ids of terminated users. (Hopefully, this will be discontinued in the future.)

In my previous postition as an IT auditor, GP was always interesting to audit because of all its caveats. Documentation had to be located describing how GP has SQL level users, the users cannot be logged into, their passwords are encrypted, and the password requirements are enforced by the domain/SQL Server. The GP SQL level users had to be separated from the non-GP SQL level users, the GP SQL level users had to be reconciled to the GP users, and all SQL level users and permissions had to be documented and approved by the client (who was generally oblivious to GP's technical workings). And that was just for ids/passwords in the database!

How are GP customers "disabling" users?

Helpful resources

Quick Links

December Spotlight Star - Muhammad Affan

Top 10 leaders for November!

Tips for Writing Effective Suggested Answers

Leaderboard

Featured topics

Product updates

How are GP customers "disabling" users?

Helpful resources

Quick Links

December Spotlight Star - Muhammad Affan

Top 10 leaders for November!

Tips for Writing Effective Suggested Answers

Subscribe to

Leaderboard

Featured topics

Product updates