So, after working with Canadian payroll from before it was purchased by Microsoft until today, I thought I had seen it all. This module is weak in so many ways, and report poor in so many others. I have spent countless hours defending this application and still to this day, will defend it as a 'solution that will work, if you "Mr Customer" will bend and change your process to meet the application short comings.
I have been asked by a client if 'we can restrict access for certain groups of employees in canadian payroll, so that executive payroll can not been seen by other payroll entry staff, other than expressly granted'
Oh, I was so happy to say that "Yes, that is a feature we can do"
So, after spending the better part of an hour, finding the Menu options that, well are really not menu options, in the "Add Window" security (not really security) section, and then having to add two of these - one to create the rules for the employee filter and one window to assign the GP user to that filter.
Now, the filtering is pretty robust - I can choose by department, I can choose only hourly in a department I can choose a lot of different options and get it down to a very fine set of rules. Then I apply that rule set to my Department One, Hourly Only Payroll clerk - cause we all have that fine a need for security - and we say, go for it. You can not find the CEO pay - haha and good luck if you do.
We left this person, who had been using payroll for all of 2 hours prior to this, and within 10 minutes she showed me a report that lists ALL OF THE EMPLOYEES details, what they make, what they made last year and well I craped a brick and we went balistic.
We figured no way she cheated, she learned SQL and or SSRS and in 10 minutes broke out and busted the report - no that is not possible.
We figureed she got the Controller to give her access and No, wait the Controller was with me.
So we asked her to show us the CEO Employee Card - she could not do that, the CEO was not in the list of possible employee ID's to choose from. She went onto show us that all she did was run a report - in this case a Summary Range Report for the prior year - no filters on the report but the Year - and ran the RevGen Employee report. There in all the glory that is data, was the CEO and all other employees in the company, laid bare for all to see.
Well we figured we did something wrong, we figured we had a bad set of code. It is 3:00 am and I am not sure how many times I have tried this, but, it still lets me see the data no matter what I do.
The controller sent me an email at 11:00 pm saying to open it only after I was sure it was not code. So, I did, and WOW am I pleased to report that Microsoft Tech site states - Employee Level Security does not extend to reports.
Pardon me, but what are we doing - that is the most rediculous feature / lack there of / that I have ever seen in my entire professional life. What part of that is not good does no one understand. If you sell a feature is security, it has to extend past the simple list filter.
Now that I have ranted for so long, I wonder how many others have wasted so much time on this option only to get smashed down in the end and admitted that this is not a feature that they would recommend to anyone under any circumstances.
If someone asks you, after reading this, can you do Employee Level Security, the only possible answer is NO - unless you would consider creating a whole other database and only lettting certain people into that database. BUT WE KNOW THAT IS NOT PRACTICAL
Any one from Microsoft care to comment, prove me wrong, show me the errors of my way?
