We are in the process of upgrading our Epicor installation to 10.2.300 from 10.1.500.
We started playing around with the new Active Homepage to see if it’s something we should consider training our end-users on.
While playing around with it, we noticed that ANYONE (no matter how limited their permissions are) has the ability to add ANY BAQ to their homepage. This includes sensitive financial information like labor rates.
Has anyone else noticed this? Are we doing something wrong? Can we turn off the BAQ grid for specific permissions groups?
While they may be able to add them, when they try to view them, do they get information in the grid? Some tables have security where the BAQ will be visible, but it won’t return any rows.
But like @josecgomez said, I would set the security on the BAQ level as well, because not everything has this security.
Reminder - Hiding things in the UI is not security - that’s ease of use.
If you care about data, you need to secure it. Learn the data and method security areas. It’s easy to use REST to URL at data and 2 lines of code to access via integration approaches going back to V8.
SOOOO many people think doing something to a menu or now AHP is security. Not sure how many times that has come up.
I think a big part of this is just how big a PITA security setup was in Vantage and E9.
When you have to take the time to set security rights across not only the menu tree itself, but the applications in there (and there are hundreds), very rarely can you get the time needed to do that.
Especially when different business units control different areas of the menu. Program X shows up in 3 places, and Manager Y says “Only my team gets Program X!” so you remove it from everyone else, only to find out it’s integral to a business process that Manager Z and their team have done for decades.
Yes, I am a Security Manager.
I see it in our 10.2.200.14 testing database - we’re still in the testing phase but hope to go live on it soon!
Thanks again for your reply!
Sorry to bring up this old post. We’re in the process of adding security to all our BAQs to prevent any user from seeing sensitive data in their active homepage (which is not an easy task since we have tons of BAQs to go through).
Seems that Epicor’s built-in BAQs have the Security ID field greyed out. How can someone set security on those?
Suggestion: Would be nice if one could decide if a BAQ can be on the homepage or not. Would have saved us lots of work, I think.