Active Homepage - Any user can add any BAQ to their homepage? (10.2.300.6)

Hello! First time posting here, long time lurker.

We are in the process of upgrading our Epicor installation to 10.2.300 from 10.1.500.

We started playing around with the new Active Homepage to see if it’s something we should consider training our end-users on.

While playing around with it, we noticed that ANYONE (no matter how limited their permissions are) has the ability to add ANY BAQ to their homepage. This includes sensitive financial information like labor rates.

Has anyone else noticed this? Are we doing something wrong? Can we turn off the BAQ grid for specific permissions groups?

Thanks!

-Jon

You should put security on your sensitive BAQs. There’s a security ID field in the BAQ; make sure that is getting set properly.

2 Likes

While they may be able to add them, when they try to view them, do they get information in the grid? Some tables have security where the BAQ will be visible, but it won’t return any rows.

But like @josecgomez said, I would set the security on the BAQ level as well, because not everything has this security.

1 Like

Ah good point, we will have to do that.

We’ve just been setting permissions to dashboards that pull the BAQs, and only IT can create/edit BAQs.

Thanks Jose! and Thanks Brandon!

1 Like

Basically, if it showed up in the list of BAQs to pick, it was pulling all the data that BAQ could pull. I didn’t notice any columns missing.

We weren’t setting any permissions at the BAQ level though. So at least we have the ability to hide the REALLY sensitive BAQs.

Reminder - Hiding things in the UI is not security - that’s ease of use.

If you care about data, you need to secure it. Learn the data and method security areas. It’s easy to use REST to URL at data and 2 lines of code to access via integration approaches going back to V8.

SOOOO many people think doing something to a menu or now AHP is security. Not sure how many times that has come up.

2 Likes

I think a big part of this is just how big a PITA security setup was in Vantage and E9.

When you have to take the time to set security rights across not only the menu tree itself, but the applications in there (and there are hundreds), very rarely can you get the time needed to do that.

Especially when different business units control different areas of the menu. Program X shows up in 3 places, and Manager Y says “Only my team gets Program X!” so you remove it from everyone else, only to find out it’s integral to a business process that Manager Z and their team have done for decades.

3 Likes

Dumb question, how do you set security on the BAQ level?

1 Like

In the BAQ editor.

Thanks, Brandon. Mine doesn’t look like that. Is that in a newer version? We are on 10.1.400

1 Like

I am on 10.2.200.13. I guess I’m not sure when it was added :thinking:

1 Like

No worries at all. I’ll figure it out. Thanks for the reply!

Are you set up as a security manager? I wonder if that has something to do with it?

Yes I am a Security Manager.
I see it in our 10.2.200.14 testing database - we’re still in the testing phase but hope to go live on it soon!
Thanks again for your reply!

Sorry to bring up this old post. We’re in the process of adding security to all our BAQs to prevent any user from seeing sensitive data in their active homepage (which is not an easy task since we have tons of BAQs to go through).

Seems that Epicor’s built-in BAQs have the Security ID field greyed out. How can someone set security on those?

Suggestion: Would be nice if one could decide if a BAQ can be on the homepage or not. Would have saved us lots of work, I think.

thanks,