Epicor Mobile CRM Security Maintenance

Epicor support keeps referencing CRM Security Maintenance but I don’t see that as a program in E10. Anyone have experience with Epicor Mobile CRM security? We want to restrict what a sales rep can see.

What we have set up is each Customer is linked to a Sales Territory, each Sales Territory is assigned to a Salesperson, the Salespersons these are setup using Work Force and are linked to an Authorized User. When the Sales Rep uses Mobile CRM they only see their Customer Accounts.


That’s exactly how we have our environment setup. But when a rep uses the Mobile CRM they can see only their customers but can see all orders and quotes. We want the rep to only see their customers, orders, and quotes.

I will have a check why but our Reps only see their Customers Orders.
Another option is that Mobile CRM connects using Rest APIs to BAQs, you can create custom versions of these BAQs and add extra rules and restrictions as you require. The BAQs all start zCRM and if you create a version with the same name and then _custom on the end, then the custom version of the BAQ is used. It is also worth noting that the most of the BAQs are updatable type so you can also control fields that you want to prevent users from changing.

Did you have to customize anything to have Mobile CRM only show the reps own customer, quotes, etc.?

I was looking at our setup and noticed one thing that may be different. We have two types of work force We have our outside reps and then our internal sales team setup as reps. We then have our territories setup and have the outside reps assigned to the territory as the primary sales rep. On the work force record the user account for the outside rep is set as the primary authorized user. We then have all the internal sales team setup as authorized users on the outside reps.

Looking at a quote, the territory is set correctly based off location. The one thing i noticed is that the primary sales person on the quote is not the outside sales rep assigned to that territory. It’s an inside sales rep that’s an authorized user of the outside sales rep. Could this be the issue? Does the outside sales rep need to be listed as the primary sales rep?

Do you have View all Territories checked in Workforce? What do your customers have for the Salesperson? I am assuming this might be the internal based off your last post.

1 Like

The View all Territories is only checked for our internal sales reps. On the customer record the outside sales rep is listed as the primary sales person.

Looks like the standard BAQ does not follow the Workforce security model. We have created a customer version and changed the Join type between OrderHed and Customer to a Matching rows type and also removed all the references to Company in the Joins from OrderHed and now the Orders list only shows the Salespersons orders.

1 Like

My experience is that standard BAQs do follow the Workforce security model. External BAQs or direct access views to the database have to add that capability manually.

That’s gotta be a bug. Why would anyone want it to default that way?

I tested running the standard BAQ zCRM-OrderHed in Epicor logged as the Salesperson and it shows all orders for all Salepersons, but hides Customer names, addresses etc for Orders that are not the Saleperson you are signed in as. You can also apply the standard filter “My Orders” which hides all the orders for other Salespersons completly
Our custom version with the joins modified as described earlier only shows orders for the logged in Salesperson, this is the same in the Mobile CRM app.
Depends what you want the Salespersons to be able to see.

1 Like

@mark.yates - I just took a look and agree that the query joins are ‘incorrect’ and technically should be ‘rows matching’ but I would have left the company link in there… But I also agree with @Mark_Wonsil in that the underlying security structure of Territory+Workforce should have prevented your salesperson from seeing any sales order that wasn’t in his territory, or a territory for which he is an authorized user (even by proxy via another sales rep’s authorized user setting).

I personally have battled epicor a handful of times and come up against the Dev’s who say this ‘territory security’ will never change (at least not like I wanted it).

I am going to guess that you may have one more thing in your setup that is causing that behavior as we had the same problem (almost) when we started using the mobile app (our guys do not log into the client really, so we never saw it there). I would venture that it is a checkbox or authorized user setting that causes this behavior and you should take another look.

You mean like this :slight_smile:

We have that on but it doesn’t work. The reps using Mobile CRM can still see everything.


I did not test this in .300 but I know in .400 and .500 it works correctly with a base setup - meaning base BAQs. I can test it in .300 and see what happens.

We are on 10.2.400. No customs around sales reps.

Are you using the most up-to-date CRM BAQs? I know you’re new at 10.2.500 but they did change at .300 and there was a solution we had to import. You can grab it on EpicWeb under downloads/Epicor Mobil CRM/Version 10.x


Being SaaS users, Epicor does this stuff for us but maybe you need to as well. :man_shrugging:

Try it out in your Test/Pilot before Live…etc.

We are actually on 10.2.400. I contact Epicor support about the BAQs when we first setup Mobile CRM and they said they were all included. I’ll take a look at these in a test environment and see if they match what we have.

We did upgrade from 10.2.200. I wonder if those BAQs didn’t get updated. I just thought about that.