Have you ever ran into the error message "You don't have security privileges to this window. Contact your system administrator for assistance" and stumbled upon KB 857086 but you weren't sure on the best way to use it?  Below I have instructions that I have used to resolve this message on countless occasions.  All you have to do is run a dexsql.log of the security error message popping up and go through the steps below. This will tell you every role and task in SQL that contains that window. The Steps below are based on Resolution 4 of this KB:  http://support.microsoft.com/kb/857086/EN-US

1.  Populate the Security Resource Description table (SY09400) to translate the Security ID value to a window name or to a report name. To do this, follow these steps:

  • Log on to Microsoft Dynamics GP as the 'sa' when no other users are logged on.
  • Click Microsoft Dynamics GP, point to Maintenance, and then click Clear Data.
  • On the Display menu on the menu bar, click Physical.
  • In the Series field, click System in the drop-down list.
  • Click the Security Resources Description table, click Insert, and then click OK to process.
  • Print the report to screen, and then check for errors.

2. Get a DEXSQL.log of the error.  KB 850996 has instructions on this if needed.

https://support.microsoft.com/en-us/help/850996/how-to-create-a-dexsql-log-file-to-troubleshoot-error-messages-in-micr

a. Open the Dexsql.log file in Notepad, scroll to the bottom, and then look for the last call to the User Security table (SY10000).  If you are at the bottom you can do a Find Previous on the SY10000.  For example, the last call would appear as follows:

{ CALL DYNAMICS.dbo.zDP_SY10000SS_1 ( 'sa', -1, 0, 390, 2 ) }

b. The parameters of this call are as follows:

'sa' is the ID of the user whose security is being checked.

-1 is the Company ID where the security is being checked.

0 = (DICTID) is the Product ID of the window or the report that is opened.

390 = (SECURITYID) is the Unique ID for the window or the report that is opened.

2 = (SECRESTYPE) is the Resource type. A value of 2 = Window, and a value of 23 = Report.

3.  Using the information from step 2, run the following SQL statement replacing my values with yours:

SELECT * FROM DYNAMICS..SY09400
WHERE DICTID = 0
AND SECURITYID = 390
AND SECRESTYPE = 2

4.  Take the ‘Display Name’ that you find in the SY09400 from step 2 and put it into the query below to see all roles and tasks that have security to this window or report in them already.

SELECT ISNULL(A.SECURITYROLEID,'') AS SECURITYROLEID, ISNULL(M.SECURITYROLENAME,'') AS SECURITYROLENAME, ISNULL(M.SECURITYROLEDESC,'') AS SECURITYROLEDESC, ISNULL(O.SECURITYTASKID,'') AS SECURITYTASKID, ISNULL(T.SECURITYTASKNAME,'') AS SECURITYTASKNAME, ISNULL(T.SECURITYTASKDESC,'') AS SECURITYTASKDESC, R.PRODNAME, R.TYPESTR, R.DSPLNAME, R.RESTECHNAME, R.DICTID, R.SECRESTYPE, R.SECURITYID FROM DYNAMICS.dbo.SY09400 R FULL JOIN DYNAMICS.dbo.SY10700 O ON R.DICTID = O.DICTID AND O.SECRESTYPE = R.SECRESTYPE AND O.SECURITYID = R.SECURITYID FULL JOIN DYNAMICS.dbo.SY09000 T ON T.SECURITYTASKID = O.SECURITYTASKID FULL JOIN DYNAMICS.dbo.SY10600 A ON A.SECURITYTASKID = T.SECURITYTASKID FULL JOIN DYNAMICS.dbo.SY09100 M ON M.SECURITYROLEID = A.SECURITYROLEID WHERE R.DSPLNAME = 'Display_Name'

 

5.  Assign the user to tasks or roles as desired.

If the Display Name in step 3 doesn't sound like the window or report that you are looking for, then go back to step 2a, and do a find on the SY10000 and run through the steps on the second to last occurrence you see.

One other thing to remember is if are missing security roles or tasks on new features after you upgrade, to see the following blog, which is referenced in the upgrade documentation as well.

https://community.dynamics.com/gp/b/dynamicsgp/archive/2016/06/17/new-security-roles-and-tasks-are-missing-when-upgrading-to-microsoft-dynamics-gp-2016-rtm