Microsoft Dynamics GP (Archived)

To minimize the use of SA account in GP

Posted on by Microsoft Employee

Hi,

The problem we are trying to solve is for Great Plains. We need to minimize the use of the SA account.

Auditor says: "Multiple individuals within the Accounting and Finance department have Power User access to Great Plains. Two individuals, Craig Zalinsky, Finance Controller, and Tom Beach, VP of Finance, have knowledge of the SA account within the SQL Server. Having knowledge of the sa password allows individuals to create new users as well as have full control over the SQL database. This creates a segregation of duties violation. The risk associated with this relates to the ability to add and create unauthorized user accounts within the Great Plains application."

We have told them that there are downstream finance controls which will make sure that no unauthorized users are created, and the auditors are fine with the response, but I still wanted to see if we can minimize the usage of the SA account. The problem is that when installing Microsoft Dynamics GP, the Microsoft SQL Server environment on which the databases are installed must use mixed mode authentication. In this environment, the 'sa' user is required and has full access to the entire SQL Server environment. This user has full privileges, including creating and dropping databases, users, and tables, and by you and Tom knowing the SA account password, you get all rights. I think we need to find a way to reduce 'SA' privileges and grant someone else the access required to perform provisioning and administrative tasks.

Please help me out on this.


  • Suggested answer
    Redbeard 12,931
    RE: To minimize the use of SA account in GP

    Fastpath has a white paper on limiting the use of the 'sa' user in concert with Dynamics GP. Their recommendations detail how to set up unique users with appropriate permissions to separate the duties of User Setup and User Access. Additionally, they make the point that while some administrative tasks, like new company creation, running utilities after installs, etc., do require System Admin access, they do not require the 'sa' user to be used. Again they recommend setting up specific users, with the appropriate security, to perform these tasks. It is definitely worth a read. These suggestions should be considered "best practices" where compliance is a necessity, and a solid approach to the problem outlined in this post in complex or sensitive environments.

    http://gofastpath.com/Portals/0/Documents/MinimizingTheUseOfSAInMicrosoftDynamicsGP.pdf

  • Jim Lines 2
    RE: To minimize the use of SA account in GP

    Harry,

    This is a great post and will help in my upcoming meeting with our data team. Thank you!

    Jim

  • Suggested answer
    Redbeard 12,931
    RE: To minimize the use of SA account in GP

    There is and always will be a struggle to balance usability and security. The core question you are asking above is a much discussed and contentious topic.

    In the realm of SOX compliance it comes up quite a bit. One of these days someone will write the definitive blog post on this topic and no one will agree with them.

    I am not a fan of Accounting folks controlling the SA and DYNSA user accounts, especially in large companies, where segregation of duties and compliance come into play. I believe technical folks in IT should control them. They should also track and audit their use, and a log should be maintained describing the explicit purpose of the use of the SA account in any instance it is used.

    Very few people need or should have this kind of power.

    Within the IT group, team members must train on Dynamics GP administration, and be ready to support tasks like backing up and restoring databases, creating test databases, provisioning and retiring databases and users, making changes using Professional Services Tools Library (PSTL), which require the use of administrator accounts.

    For instance, IT folks should know that GP does not support a SA password greater than 15 characters long. Only the SA account password can be changed using SQL and still function in GP because of password encryption inherent to GP... If these things are news to you, then you need to go to school on GP Administration, especially if you want to recommend or insist you be tasked to support it, which is what it sounds like you are recommending.

    Make no mistake, GP contains your corporation's financial, HR and Payroll data; SOX and PCI compliance are not the only concern here. Damage to the system, leaks about pay rates, disciplinary actions and medical conditions are just a few considerations outside the scope of SOX and PCI compliance.

    IT also needs to be able to provide the level of service expected by users - instant gratification is a must, within the scope of reasonable controls.

    It is also worth noting that there are third-party applications that absolutely require the SA password to perform administrative tasks.

    Finally, it is my professional opinion that the POWERUSER security role cannot be used when SOX compliance is necessary. The POWERUSER role is not the permission to do everything within Dynamics GP, it is literally the absence of any security control or reporting on users who have this Role assigned. It is best used in small companies with no segregation of duties when one or more users perform all tasks in GP.

    I agree with the premise: IT should control the sa and DYNSA users and manage the tasks these users are required to perform, especially in large companies, where compliance is a consideration. But be careful what you wish for; you just might get it.

    Hope this helps.
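As an added example that is not from this thread, from Fastpath's paper or from Microsoft: T-SQL (SQL Server 2012 or later) that puts the two suggestions above into practice, a named sysadmin login so that 'sa' itself is not shared around for administrative work, and a server audit that records everything done as 'sa' so the usage log the reply calls for is produced by the engine rather than by hand. The login name, password and audit path are placeholders, and the login is for SQL-side administration (SSMS, backups, PSTL prep), not a GP application user, since GP manages those itself.

```sql
-- Constructed example: replace GP_DBA_JSMITH, the password and the
-- audit path with your own values before running.
USE master;
GO

-- 1. A personal, named sysadmin login for the IT staffer who runs GP
--    Utilities, creates companies and provisions databases. Actions are
--    then attributable to a person instead of to the shared 'sa'.
CREATE LOGIN GP_DBA_JSMITH
    WITH PASSWORD = '<strong-placeholder-password>', CHECK_POLICY = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER GP_DBA_JSMITH;
GO

-- 2. Audit only the 'sa' principal. If the policy is working, this
--    audit stays nearly empty, and every entry should match a line in
--    the written log of why 'sa' was used.
CREATE SERVER AUDIT Audit_SA_Use
    TO FILE (FILEPATH = 'D:\SQLAudit\')      -- placeholder path
    WITH (ON_FAILURE = CONTINUE)
    WHERE server_principal_name = 'sa';
GO

CREATE SERVER AUDIT SPECIFICATION Audit_SA_Use_Spec
    FOR SERVER AUDIT Audit_SA_Use
    ADD (SUCCESSFUL_LOGIN_GROUP),           -- every 'sa' session
    ADD (FAILED_LOGIN_GROUP),               -- failed 'sa' attempts
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- logins created/dropped as 'sa'
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),  -- database users changed as 'sa'
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)   -- sysadmin membership changes
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_SA_Use WITH (STATE = ON);
GO

-- 3. Periodic review: who can act as sysadmin today? Every row should
--    map to a named person or a documented service account.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
ORDER BY sp.name;

-- 4. Reading the 'sa' audit back for the compliance reviewer.
SELECT event_time, action_id, server_principal_name, database_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

The 'sa' login itself is left enabled because, as the thread notes, GP and some third-party tools still require it; the point is that routine administration no longer needs it and any use of it is recorded.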
