Here is a snippet from a Security Course Guide from Epicor.
“… it is a good business practice to NOT give yourself Security Manager access on your normal user account. This ensures the menu choices you make on your normal login are appropriate for your typical daily routine. It also ensures that other employees do not grant security access to themselves when you are away from your computer. Instead, create a separate Security Manager account that you use for security tasks”.
The only place that we needed it for was to Enable Token Authentication. Being on 10.1.600, ours wasn’t enabled and needed Global Admin to enable it in order to run REST. Support had us enable it. For versions higher than 10.1.600, it may be possible to Enable Token Auth without Global Security Manager.
But I would certainly follow Olga’s and others’ sage advice and stick to least privilege.
There is a difference between Global Security Manager and Security Manager. There is absolutely NO need for an On-Prem user to have GSM anymore.
The best practice, which doesn’t yet exist, is to have a Security Manager security identity (not tied to a person) grant temporary Security Manager access to a user with approval from another user, and then remove it as soon as possible. When the user gets the access, any commands might require MFA. During the access time, all commands would be immutably logged outside of the Epicor database.