Cannot "Copy User" - Error related to Allow Session Impersonation

I’m creating new users and when trying to use the “Copy User” functionality, I’m getting an error. It’s the super unhelpful generic “Correlation ID” error. I went and downloaded the log and found the guid, and now I’m even more confused.

Here’s the error (company ID redacted):

<Op Utc="2026-02-25T15:30:11.1224354Z" act="Ice:BO:UserFile/UserFileSvcContract/CopyUser" correlationId="f8235454-2d19-4750-b675-52b554015aba" dur="544.0551" cli="10.13.1.4:50732" usr="manager" machine="REDACTED" pid="28852" tid="162">
  <BpmCustomization Source="BO" BpMethodCode="Ice.BO.UserFile.Update" Type="BO Customization" Duration="0" />
  <Exception><![CDATA[Epicor.Exceptions.EpicorFrameworkException: Only users with the GSM role are allowed to modify the 'Allow Session Impersonation' setting.

Two very weird things jumping out at me on this:

First is that I am logged in as Manager, so I assume the “GSM role” mentioned in the exception shouldn’t be a problem. Assuming that means “Global Security Manager”, being logged in as manager should mean I have that permission.

Second is that this appears to be a BPM, based on the BpmCustomization Source="BO" BpMethodCode="Ice.BO.UserFile.Update" Type="BO Customization" line. I definitely have not created any BPMs related to this BO. I double checked and no Data Directives or Method Directives exist (in BPM designer) in any companies.

Any ideas on this?

Edit: Also, I can’t seem to change the Allow Session Impersonation field on any users, whether from Manager or my own (security manager) user:

1 Like
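The lookup described in the first post (download the server log, then find the entry whose correlationId matches the GUID in the error dialog) can be scripted so the relevant act, user, fired BPM methods and exception message come out in one step. The code below is an added example, not code from the original thread or from Epicor; it assumes the log follows the `<Op ...>` element structure quoted above, and the sample log it parses is constructed (the second correlation ID and the stack frame line are made up).

```python
import re
from typing import Optional

# Constructed sample log, modelled on the <Op> element quoted in the post.
# Not a real Epicor log: the first entry and the stack frame are invented.
SAMPLE_LOG = """<Op Utc="2026-02-25T15:29:58.0000000Z" act="Ice:BO:UserFile/UserFileSvcContract/GetByID" correlationId="11111111-2222-4333-8444-555555555555" dur="12.3" cli="10.13.1.4:50732" usr="manager" machine="REDACTED" pid="28852" tid="162">
</Op>
<Op Utc="2026-02-25T15:30:11.1224354Z" act="Ice:BO:UserFile/UserFileSvcContract/CopyUser" correlationId="f8235454-2d19-4750-b675-52b554015aba" dur="544.0551" cli="10.13.1.4:50732" usr="manager" machine="REDACTED" pid="28852" tid="162">
  <BpmCustomization Source="BO" BpMethodCode="Ice.BO.UserFile.Update" Type="BO Customization" Duration="0" />
  <Exception><![CDATA[Epicor.Exceptions.EpicorFrameworkException: Only users with the GSM role are allowed to modify the 'Allow Session Impersonation' setting.
   at Hypothetical.Stack.Frame()]]></Exception>
</Op>
"""

# One <Op ...> ... </Op> entry; DOTALL so the body may span lines.
OP_RE = re.compile(r"<Op\b([^>]*)>(.*?)</Op>", re.DOTALL)
# key="value" attribute pairs as they appear in the log.
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Self-closing BpmCustomization elements inside an Op body.
BPM_RE = re.compile(r"<BpmCustomization\b([^>]*)/>")
# CDATA exception text; the alternative \Z tolerates a truncated CDATA block,
# which is what the excerpt in the post looks like.
EXC_RE = re.compile(r"<Exception><!\[CDATA\[(.*?)(?:\]\]></Exception>|\Z)", re.DOTALL)


def parse_attrs(attr_text: str) -> dict:
    """Turn 'a="1" b="2"' into {'a': '1', 'b': '2'}."""
    return dict(ATTR_RE.findall(attr_text))


def find_op(log: str, correlation_id: str) -> Optional[dict]:
    """Return a summary of the Op entry with the given correlationId, or None."""
    for match in OP_RE.finditer(log):
        attrs = parse_attrs(match.group(1))
        if attrs.get("correlationId") != correlation_id:
            continue
        body = match.group(2)
        # Which BPM method directives fired during this call (BO customizations).
        bpm_methods = [parse_attrs(b).get("BpMethodCode") for b in BPM_RE.findall(body)]
        exc = EXC_RE.search(body)
        exception_text = exc.group(1).strip() if exc else None
        # First line of the CDATA is the exception type and message; the rest is stack.
        message = exception_text.splitlines()[0] if exception_text else None
        return {
            "utc": attrs.get("Utc"),
            "act": attrs.get("act"),
            "usr": attrs.get("usr"),
            "dur_ms": float(attrs["dur"]) if "dur" in attrs else None,
            "bpm_methods": bpm_methods,
            "exception": message,
        }
    return None


if __name__ == "__main__":
    # Usage: paste the GUID from the error dialog as the second argument.
    entry = find_op(SAMPLE_LOG, "f8235454-2d19-4750-b675-52b554015aba")
    for key, value in (entry or {}).items():
        print(f"{key}: {value}")
```

The parser is deliberately regex based rather than an XML parser because a downloaded log excerpt is often not a well-formed document (the post's own snippet ends inside an open CDATA section); the `\Z` alternative in the exception pattern keeps the first line of the message recoverable in that case.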

It's a new restriction. You can't control the Allow Session Impersonation setting anymore. Instead you have to put in a support case to turn it on or off.

4 Likes

Well that’s pretty obnoxious, since it blocks the “Copy User” functionality if it’s enabled.

And because it increases friction without any security benefit whatsoever. Security theater at the expense of our efficiency.

1 Like

I saw a story about it in 2026.1: Copy User will just copy without this flag, to prevent this error.

3 Likes

Yep that’s working for now, thank you.

I thought only the cloud admins (i.e. their email ends in @epicor.com) were GSMs. But my knowledge is based on 8 years ago…

Also, wow.

These BPMs run in Company 000000 (Master Cloud Tenant) and are not accessible to you/us in typical ways. They are typically data directives and check for things like Global Security Manager (which is not a setting exposed to us in the UI, so we cannot ourselves make any user a GSM)

There is a similar BPM on SysTasks to prevent you from scheduling an MRP Run with full logging now too, for example.

3 Likes

I see… well to be fair full logging probably isn’t necessary for 95% of the MRP runs we are doing… I imagine you can create a ticket to turn it on to troubleshoot?

GSMs are set in the Epicor Admin Console, which cloud users do not have access to.

3 Likes

…maybe? I’m quite sure that they decided to block it to reduce resource load on their end, hence why it’s a thing/locked down in Cloud/SaaS. So it’s probably more a policy thing that they won’t schedule a full logging run than anything. I can imagine their response would be to set your alarm and fire it off manually…