Epicor - Best Practices!

Hi. I need to know the best practice for accounts that may have Global Security Manager access. Currently, in my environment this is given to a few standard accounts as well as the Epicor Administrator only.

This could be a question to accumulate a few more best practices in Epicor. Anyone can add more thoughts.

Yasir

Here is a snippet from a Security Course Guide from Epicor.

“… it is a good business practice to NOT give yourself Security Manager access on your normal user account. This ensures the menu choices you make on your normal login are appropriate for your typical daily routine. It also ensures that other employees do not grant security access to themselves when you are away from your computer. Instead, create a separate Security Manager account that you use for security tasks”.

2 Likes

This is solely for multi-tenant hosted cloud, right? Like, I think no mortal can have this title.

1 Like

It certainly means more for the Cloud Team, but on-prem people still have it. You assign it in the Epicor Admin Console in the app server config.

1 Like

Even if you can, do not do it. It is for cloud.

The only place we needed it was to enable Token Authentication. Being on 10.1.600, ours wasn't enabled and we needed Global Admin to enable it in order to run REST. Support had us enable it. For versions higher than 10.1.600, it may be possible to enable Token Auth without Global Security Manager. :person_shrugging:

But I would certainly follow Olga’s and others’ sage advice and stick to least privilege.

That was fixed so long ago :grinning:

Usually the code checks for SaaS and then checks for GSM; otherwise it checks for SM.
So if you try to use GSM without SaaS, it does not make any sense.

2 Likes

2021.2 launch weekend is coming up!!! :slightly_smiling_face:

1 Like

I understand it; however, if there are two administrators, sharing the same GSM account between the two will not help to identify the actual person behind the respective activities. We are not on cloud - yet!

There is a difference between Global Security Manager and Security Manager. There is absolutely NO need for an On-Prem user to have GSM anymore.

The best practice, which doesn’t yet exist, is to have a Security Manager security identity (not tied to a person) grant temporary Security Manager access to a user with approval from another user, and then remove it as soon as possible. When the user gets the access, any commands might require MFA. During the access time, all commands would be immutably logged outside of the Epicor database.

1 Like
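A sketch of the temporary-access flow described in the post above (a non-personal Security Manager identity that lends its rights for a short window after a second person approves, an MFA check on each command, an append-only log kept outside the ERP database, and automatic revocation), as an added example that is not part of the original post and does not call any Epicor API. The broker class, the HOTP enrolment secrets, the 15-minute TTL, the event names and the sample users are all assumptions for illustration; the hash-chained log stands in for whatever write-once store (SIEM, WORM bucket) a real deployment would use.

```python
import hashlib
import hmac
import json
import struct
import time

GRANT_TTL = 15 * 60  # seconds; an assumed policy value, not an Epicor setting


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; stands in for the per-command MFA check."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class ImmutableLog:
    """Append-only, hash-chained event log, standing in for a write-once store
    outside the ERP database (e.g. a SIEM); editing any entry breaks the chain."""

    def __init__(self):
        self.entries = []  # (json_body, sha256 of body)
        self.last_hash = "0" * 64

    def append(self, event: dict) -> str:
        body = json.dumps({"prev": self.last_hash, **event}, sort_keys=True)
        self.last_hash = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append((body, self.last_hash))
        return self.last_hash

    def verify(self) -> bool:
        prev = "0" * 64
        for body, digest in self.entries:
            if json.loads(body)["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


class SecurityManagerBroker:
    """Non-personal identity that holds Security Manager rights and lends them
    to a named user for a short window once a second person has approved."""

    def __init__(self, log: ImmutableLog, mfa_secrets: dict, clock=time.time):
        self.log, self.clock = log, clock
        self.mfa_secrets = mfa_secrets  # user -> HOTP secret (assumed enrolment)
        self.requests = {}              # request id -> details
        self.grants = {}                # user -> expiry timestamp
        self.counters = {}              # user -> last accepted HOTP counter

    def _log(self, event: str, **fields) -> None:
        self.log.append({"t": self.clock(), "event": event, **fields})

    def request(self, user: str, reason: str) -> str:
        rid = hashlib.sha256(f"{user}|{reason}|{self.clock()}".encode()).hexdigest()[:12]
        self.requests[rid] = {"user": user, "reason": reason, "approved_by": None}
        self._log("request", id=rid, user=user, reason=reason)
        return rid

    def approve(self, rid: str, approver: str) -> float:
        req = self.requests[rid]
        if approver == req["user"]:  # two-person rule: no self-approval
            self._log("denied", id=rid, user=approver, why="self-approval")
            raise PermissionError("approver must be a different user")
        expiry = self.clock() + GRANT_TTL
        req["approved_by"] = approver
        self.grants[req["user"]] = expiry
        self._log("grant", id=rid, user=req["user"], approved_by=approver, expires=expiry)
        return expiry

    def revoke_expired(self) -> list:
        expired = [u for u, exp in self.grants.items() if exp <= self.clock()]
        for user in expired:
            del self.grants[user]
            self._log("revoke", user=user)
        return expired

    def run(self, user: str, command: str, otp: str) -> bool:
        """Run a Security Manager command as `user`: needs an unexpired grant and a
        fresh HOTP code (a replayed code fails); every outcome is logged."""
        self.revoke_expired()
        if user not in self.grants:
            self._log("denied", user=user, command=command, why="no active grant")
            return False
        next_counter = self.counters.get(user, 0) + 1
        if not hmac.compare_digest(hotp(self.mfa_secrets[user], next_counter), otp):
            self._log("denied", user=user, command=command, why="mfa failed")
            return False
        self.counters[user] = next_counter
        self._log("command", user=user, command=command)
        return True


if __name__ == "__main__":
    now = [1_700_000_000.0]  # constructed, controllable clock
    log = ImmutableLog()
    broker = SecurityManagerBroker(log, {"alice": b"alice-enrolment-secret"}, lambda: now[0])
    broker.approve(broker.request("alice", "add a user to the Production security group"), "bob")
    print(broker.run("alice", "grant SecurityManager", hotp(b"alice-enrolment-secret", 1)))
    now[0] += GRANT_TTL + 1
    print(broker.run("alice", "late command", hotp(b"alice-enrolment-secret", 2)), log.verify())
```

Two design points worth noting: the approver is checked against the requester rather than against a role, because the point of the post is that the same person must not be able to grant themselves the access; and the log entries chain to their predecessor, so an administrator with database rights can delete the ERP's own security log but cannot silently alter or drop entries from this one without the chain failing to verify.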

Agreed!