Explanation on BAQ Security in relation to Active Home Page

Hi! Hoping someone can help me understand BAQ security. We’ve never set security on any BAQs because it is just me and one other admin that has access to the Business Activity Query menu.

We are about to upgrade to 2021.2. While setting up some default home page layouts, I noticed that any user could figure out how to add a BAQ widget and see financials, etc. I need to fix this quickly!!!

Is there a way to mass update security on all BAQs? I don’t see an option in DMT.

I’m surprised we would have this kind of gap…am I just behind the times on BAQ security?? :sweat_smile: Or is there a different approach you’re taking to managing home page layouts?

1 Like

If the BAQ is used in a report or dashboard, I would set it to the same menu security group the report or dashboard has.

1 Like

Okay thanks, that makes sense. Do you know a way to do a mass update? All BAQs, even the standard Epicor ones, are showing up.

I did mine one by one, started with accounting, costing baq’s first, then the rest at my leisure.
I created a BAQ on the Ice.QueryHdr table, to list BAQs in the “Business Activity Query Designer” search that also display the security code field for the baq. This is how I monitor / manage the security codes assigned to baq’s.

Very nice, thank you so much!!

Hi Patrick - if you don’t mind me asking one more question, what did you do for the system BAQs? I am going through this exercise of adding the security IDs and realized there’s no way to edit/save the system ones. Can your users still see those from Active Home Page?

Just got off the phone with Epicor support about this and don’t have an answer yet but hoping they’ll come up with something.

wow yeah this should be changed for BAQs to be explicit grant to homepage instead of implicit grant… @Mark_Wonsil gonna have a cow thinking about this one I’m sure… I don’t like it one bit , never occurred to me but yeah we have zillions of BAQs that we would NEVER want to hand out to everyone… and we don’t via Menu security etc, but we don’t think about putting BAQ explicit menu security on every “supportive” BAQ we write…

EEK

There needs to be a CheckBox on the BAQ itself saying “Allow in Active Home Page” besides the BAQ security ID

CC: @Patrick.Ferrington

3 Likes

The only thing that can save us beside Obi Wan, is maybe a UD field on QueryHed and a BPM to block on the execute method. :person_shrugging:

But yes, Epicor might (or should!) have a way to do this out of the box.

1 Like

I like the “Allow in Active Home Page” checkbox idea. We ended up putting a BPM in place to assign our dev security ID by default so we don’t forget.

1 Like

Holly heck I just logged in with a very low level account and I was even able to add an External BAQ that has among other things zero built in territory / plant security and it right away returned data no questions asked.

I feel like this should be treated as a BUG… Or in the very least BAQs need to default to a very strict security manager Security ID…

The Tyranny of the Default

Still need a solution for System BAQs but I love the default idea you’re doing.

1 Like

It’s a security incident waiting to happen, which is higher than a :beetle:

The Jacqster got me to add a slide to my talk! Owe her a :beer: (root or otherwise)

3 Likes

Kinetic Idea already there
https://epicor-manufacturing.ideas.aha.io/ideas/KNTC-I-2397

#Vote!!

Though I honestly think this needs to be fixed now and not in the future consideration.

Epicor “It’s working as designed, and you can’t tell me any different.”

+3 votes from me. I updated my support case too with this feedback. While on the phone earlier, he said he was going to escalate to dev. Not sure what they can do quickly, but I’ll keep the everyone posted!

We are upgrading to 2021.2 this weekend. Thinking we’ll have to disable Active Home Page because of this.

2 Likes

I was wondering why my email was blowing up from comments on this Idea. I’m thinking, EpiUsers must be having a field day.

Sweet, we got the big guns on this one.

1 Like

You can even put them on classic using BAQ gadgets, so it’s not just the active homepage that has that problem.

Hello everyone. I see some concerns being expressed. I’m going to provide some details and in another reply some thoughts. I am also sensing some high emotions so I’m going to avoid a back and forth conversation for now.

First security as it exists today for BAQS:

  1. You CAN add a security code to a system BAQ - that need was recognized with the security code feature was added to the BAQ. It is one of the few properties that can be adjusted.
  2. BAQs enforce: Sales Territory Security, payroll security. Field level Security, company level security and I think plant level security by default. If the issue is a user having access to data you do not want them to see, enabling some of these security levels should help - that is what they are there for.
  3. External BAQs are by definition not DESIGNED to be run against the Kinetic database. Some customers have, when you expose it that way you are taking ownership of security using the capabilities in the DataSourceType, DataSource, and DataSource metadata forms. Additionally you can lock down the External BAQ designer to deny access to it as needed.
4 Likes

The original discussion here is around the ability to deny people the ability to select a BAQ to use with a personalization or even a customization widget. Some logic that would allow them to still run the BAQ on provided dashboards or other elements. That is a reasonable request though we’d need clear scope of areas everyone wants it applied.

But you should also keep in mind this is ‘selection’ criteria not server runtime criteria. If this was applied at the server level it would be too restrictive for what you are asking for, so it is more ‘where can I choose to consume’ a BAQ rather than restrictions on the ability to run the BAQ and see results.

2 Likes

Thanks Patrick

I’m more concerned with the “default” behavior where any new BAQ defaults to no security. I’m sure I’m not alone in never once remember to set that (I will from now on)

But we are 4+ years into an implementation and I know for a fact we have hundreds of BAQs very few BAQs with security IDs on them

2 Likes