Challenge to the EpiUsers Pros (Hackers)!

I have a challenge to all of the code-slinging techno-wizards of Epicor!! You know who you are.

I’m wondering if you are able to code around Field Security. :thinking:

It is pretty well documented that you can get around BO security through code, but have any of you ever tried getting around Field security? Consider yourself challenged.


And maybe reply via messaging…


… man, a one sentence emotional roller coaster!

Sorry @dcamlin , I thought the Title would have clued people in. To be fair, you won’t see me accepting this challenge.

Just use the Db Object to bypass field security, vs. writing with the BO.

That’s a good idea.

Will that work? @GabeFranco , there is a reason why I put a challenge out instead of taking it on myself. :rofl:

It’s been a while since I needed to do it, but the last time I did this, if I recall correctly, I set up a pre/post on Update and/or MasterUpdate.

In the pre, I overrode the RowMod = “U”/“A” line with the default, so that it wasn’t attempting to write that column, then I stuffed the value in callContext.

Then in the post, I did a manual LINQ query using the Db object and .SaveChanges(). This bypasses field security (it is applied at the business object layer).

If you wanted to keep the BO safety/logic, perhaps a function with user impersonation could be a way to go.

Yes, I can.

Can the average user? Probably not.

That is all I will say.


Now that you’ve been given a gun, wanna let us know who you plan to shoot? :laughing:

Provide “safe harbor” policy regarding vulnerability reporting

Acknowledging exploits about a company that makes no effort to hear about security oversights can be risky depending on which way they decide to respond in the moment. Proceed with caution.

When a company deletes exploit reporting, stop until they’ve demonstrated a compelling commitment away from adversarial escalation and towards ethical response.


Not planning on shooting anything. Just trying to see if doing Field security in Epicor would get you close to Least Privilege.

Field Security works at the Business Logic Layer. Db.Context bypasses it (but you’d have to be a BPM / Function admin to use Db.Context).

You can also do so with UBAQs, but again… UBAQ privileges required.

Wow, turns out you don’t even need to be a hacker to bypass field security. I made all of the shipping tables read-only and was still able to create a pack with a user that did not have write access. I just used all of the buttons in Customer Shipment Entry and was able to get everything filled in and saved. The only thing I could not actually do was mark the pack as Shipped. But that is frightening that I was able to get as far as I did.

I don’t think it works the way you think it does.

Sadly, I don’t understand it enough to enlighten you. :people_hugging: