Seriously though, I agree. A security model should allow specific users to view or change a portion of complex business objects (Part, Customer, Supplier, etc.) at the server. The only way I can think of doing that is what @Banderson is proposing, which is having a security broker of some kind that restricts behavior and performs the work on behalf of the user. Smarter people than I may know a better way.
We have fields set to read only for everyone like Fed ID number. The idea was to set Finance Group to see these fields so they print on the 1099’s correctly.
Epicor told me today that only the Security Manager will be able to see these fields once they are masked.
Not giving Security Manager rights to a finance person… I put in an idea to fix the security on this.
Idea # KIN-I-4356
I hope they’ve fixed this… but I’ve run into issues with the masking (for SS numbers) that for the people that are masked, it properly shows it, BUT, Epicor then takes the masked value and saves in in the database over the actual value 
for example
real number
1236-45-1234
masked
***-**-****
user makes an unrelated change, and now the value in the database:
***-**-****
hmmm. 
that’s a problem.
Now I haven’t checked this in a while, so hopefully it’s fixed. But it’s another issue with field security.
After fighting with Support for a couple weeks about Data Masks should not be applied in BPMs on the server as it prevents any data validation, they have decided that it is working as intended and that I should create an Epicor Idea for it. So if you are interested in using data masking but still want to access the true value in your Method and Data Directives, please give my idea a vote:
Datamasks should not be applied on the | Epicor Kinetic Ideas Portal (aha.io)
Just a quick update. EpicCare have confirmed that it’s a defect, and will seek to address in a further update. No timescale though.
1 Like