I’m new to Epicor Kinetic Cloud and we’re currently planning to restructure our security groups and roles.
Coming from an SAP background, I’m used to having standardized, role-based security models aligned to business functions (e.g., Procure-to-Pay, Order-to-Cash, Finance, Manufacturing, etc.).
I wanted to check with the community:
Are there any Epicor best practices for designing role-based security in manufacturing environments?
Do you typically structure roles by business function, module, or user persona?
Are there any standard role templates or frameworks that organizations commonly follow?
Any documentation, guides, or real-world examples you can share would be extremely helpful.
Also, for those who have gone through this exercise:
There are a lot of posts here on the topic as well as several spreadsheets and BAQs to assist.
Most important, I guess, is the fact that security IDs are tied to multiple menus, so you can affect the access to menus in unexpected ways if you are not careful.
In a nutshell,
Arrange user security groups as roles, then apply the groups to the Menu security Ids.
Probably not much help with the above information.
Just for a bit of confusion, roles on workforce records have no relationship to menu security; however, authorised users on Buyer and Workforce records can affect access to data.
I believe there are some topics in the ELC on the topic also.
We base it around business function, with a policy of least required access and paying attention to segregation of duties.
We have these groups:
AP Administrator
AR Administrator
Management Accountant
Finance Accountant
Finance Controller
Buyer
Senior buyer
Sales Administrator
Sales Supervisor
Production Manager
Production Engineer
Production Operative
Design Engineer
Engineering Manager
Stores Operative
Stores Manager
Once you have your groups, you need to determine what functions each role should have and grant the security for the menu item to the security group.
Custom items like dashboards should follow Epicor’s approach: create a dedicated security code for each custom item.
I don’t recommend changing the Epicor base menus, as I don’t think it matters what menu branch a user accesses a function via, and longer term it keeps things vanilla in terms of upgrades.
We set the ‘Disallow Access to All Users’ for any menu functions that we don’t use.
We document access via some outputs from BAQs around menus, menu security, security groups and user-assigned security groups. These outputs are run through a Python script that determines what menu items a security group can access.
It is reasonably straightforward to define segregation of duties conflicts via modules. For example, we have a defined SOD conflict of ‘Vendor Management + Authorization + Payment’; this requires Supplier Entry and AP Payment. Using the output detailed above, you can check and demonstrate that no single security group has access to both modules.
We synchronize our Microsoft Entra ID groups and user membership with Kinetic every 2 hours. All menu security is assigned to one or many of these Entra groups.
The benefit to this is when a new employee is hired or changes position in the company, they automatically get the correct security. There is one source of the truth.
I don’t know how many employees you have, so this may be overkill.
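The segregation-of-duties check described earlier in the thread, sketched as an added example (not any poster's script and not Epicor code). The CSV column names, security IDs and user names are constructed stand-ins for BAQ exports; the per-user check goes one step beyond the group-level check in the thread, since a user holding two individually clean groups can still end up with both sides of a conflict.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows standing in for BAQ exports; column names are hypothetical.
MENU_CSV = """menu_item,security_id
Supplier Entry,SEC_SUPPLIER
Supplier Tracker,SEC_SUPPLIER
AP Payment,SEC_APPAY
"""
SECURITY_CSV = """security_id,group
SEC_SUPPLIER,Buyer
SEC_APPAY,AP Administrator
SEC_APPAY,Finance Controller
SEC_SUPPLIER,Finance Controller
"""
USER_GROUPS_CSV = """user,group
alice,Buyer
carol,Buyer
carol,AP Administrator
"""
# Rule name and the two menu items are the ones quoted in the thread.
SOD_RULES = {"Vendor Management + Authorization + Payment": {"Supplier Entry", "AP Payment"}}

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def group_access(menu_csv, security_csv):
    """Map each security group to the menu items it can open via security IDs."""
    menus_by_id = defaultdict(set)
    for r in rows(menu_csv):  # one security ID can gate several menus
        menus_by_id[r["security_id"]].add(r["menu_item"])
    access = defaultdict(set)
    for r in rows(security_csv):
        access[r["group"]] |= menus_by_id[r["security_id"]]
    return dict(access)

def user_access(access, user_groups_csv):
    """Union the access of every group assigned to each user."""
    result = defaultdict(set)
    for r in rows(user_groups_csv):
        result[r["user"]] |= access.get(r["group"], set())
    return dict(result)

def sod_violations(access, rules=SOD_RULES):
    """Return sorted (principal, rule) pairs whose access covers a whole rule."""
    return sorted((who, name) for who, items in access.items()
                  for name, needed in rules.items() if needed <= items)
```

Run `sod_violations` once on the group map and once on the user map; the second pass is where a combination such as Buyer plus AP Administrator shows up.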