Microsoft Dynamics GP (Archived)

To minimize the use of SA account in GP


Hi,

The problem we are trying to solve is for Great Plains. We need to minimize the use of the SA account.

Auditor Says “Multiple individuals within the Accounting and Finance department have Power User access to Great Plains. Two individuals Craig Zalinsky, Finance Controller and Tom Beach, VP of Finance have knowledge of the SA account within the SQL Server. Having knowledge of the sa password allows individuals to create new users as well as have full control over the SQL database.  This creates a segregation of duties violation. The risk associated with this relates to the ability to add and create unauthorized user accounts within the  Great Plains application.”

We have told them that there are downstream finance controls which will make sure that no unauthorized users are created, and the auditors are fine with the response, but I still wanted to see if we can minimize the usage of the SA account. The problem is that when installing Microsoft Dynamics GP, the Microsoft SQL Server environment on which the databases are installed must use mixed mode authentication. In this environment, the ‘sa’ user is required and has full access to the entire SQL Server environment. This user has full privileges including creating and dropping databases, users, and tables and by you and Tom knowing the SA account password, you get all rights. I think we need to find a way to reduce ‘SA’ privileges and grant someone else the access required to perform provisioning and administrative tasks.

 

Please help me out on this.

  • Suggested answer
    Redbeard

    There is and always will be a struggle to balance usability and security. This core question you are asking above is a much discussed and contentious topic.

    In the realm of SOX compliance it comes up quite a bit. One of these days someone will write the definitive blog post on this topic and no one will agree with them.

    I am not a fan of Accounting folks controlling the SA and DYNSA user accounts. Especially in large companies, where segregation of duties and compliance come into play. I believe technical folks in IT should control them. They should also track and audit their use and a log should be maintained describing the explicit purpose of the use of the SA account in any instance it is used.

    Very few people need or should have this kind of power.

    Within the IT group, team members must train on Dynamics GP administration, and be ready to support tasks like backing up and restoring databases, creating test databases, provisioning and retiring databases and users, making changes using Professional Services Tools Library (PSTL), which require the use of administrator accounts.

    For instance, IT folks should know that GP does not support an SA password greater than 15 characters long. Only the SA account password can be changed using SQL and still function in GP because of password encryption inherent to GP... If these things are news to you, then you need to go to school on GP Administration, especially if you want to recommend or insist you be tasked to support it, which is what it sounds like you are recommending.

    Make no mistake, GP contains your corporation's financial, HR and Payroll data, SOX and PCI compliance are not the only concern here. Damage to the system, leaks about pay rates, disciplinary actions and medical conditions are just a few considerations outside the scope of SOX and PCI compliance.

    IT also needs to be able to provide the level of service expected by users - instant gratification is a must, within the scope of reasonable controls.

    It is also worth noting there are 3rd party applications, which absolutely require the SA password to perform administrative tasks.

    Finally, it is my professional opinion that the POWERUSER security role cannot be used when SOX compliance is necessary. The POWERUSER role is not the permission to do everything within Dynamics GP, it is literally the absence of any security control or reporting on users who have this Role assigned. It is best used in small companies with no segregation of duties when one or more users perform all tasks in GP.

    I agree with the premise, IT should control the sa and DYNSA users and manage the tasks these users are required to perform. Especially in large companies, where compliance is a consideration. But be careful what you wish for, you just might get it.

    Hope this helps.

    Jim Lines

    Harry,

    This is a great post and will help in my upcoming meeting with our data team.  Thank you!

    Jim

  • Suggested answer
    Redbeard

    Fastpath has a white paper on limiting the use of the 'sa' user in concert with Dynamics GP. Their recommendations detail how to set up unique users with appropriate permissions to separate the duties of User Setup and User Access. Additionally, they make the point that while some administrative tasks, like new company creation, running utilities after installs, etc. do require System Admin access, they do not require the 'sa' user to be used. Again they recommend setting up specific users, with the appropriate security to perform these tasks. It is definitely worth a read. These suggestions should be considered "best practices" where compliance is a necessity, and a solid approach to the problem outlined in this post in complex or sensitive environments.

    http://gofastpath.com/Portals/0/Documents/MinimizingTheUseOfSAInMicrosoftDynamicsGP.pdf
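
The two controls discussed in the answers above (knowing exactly who holds System Admin rights, and tracking every use of 'sa'), sketched in T-SQL as an added example that is not from the thread or from the Fastpath paper. The audit name, specification name and file path are assumptions; the folder must already exist and be writable by the SQL Server service account.

```sql
-- 1. Inventory: every login that is a member of the sysadmin server role.
--    sid 0x01 identifies the built-in 'sa' login even if it has been renamed.
SELECT  p.name,
        p.type_desc,
        p.is_disabled,
        CASE WHEN p.sid = 0x01 THEN 1 ELSE 0 END AS is_builtin_sa
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY p.name;

-- 2. Tracking: a server audit that records only logins made as 'sa'.
USE master;
GO
CREATE SERVER AUDIT [sa_login_audit]                 -- assumed name
TO FILE (FILEPATH = N'D:\SQLAudit\')                 -- assumed path
WITH (ON_FAILURE = CONTINUE)
WHERE server_principal_name = 'sa';                  -- adjust if 'sa' was renamed
GO
CREATE SERVER AUDIT SPECIFICATION [sa_login_audit_spec]   -- assumed name
FOR SERVER AUDIT [sa_login_audit]
ADD (SUCCESSFUL_LOGIN_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT [sa_login_audit] WITH (STATE = ON);
GO

-- 3. Review: list recorded 'sa' logins (event_time is UTC) so each one can be
--    matched against the written log of why the account was used.
SELECT  event_time,
        action_id,
        succeeded,
        session_id,
        server_principal_name,
        additional_information
FROM    sys.fn_get_audit_file(N'D:\SQLAudit\sa_login_audit*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Any row in step 3 that has no matching entry in the maintained usage log is the exception to follow up on.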
