Menu Security Bug?

Has anyone ever had this before?

I tried to change a security group called “production” to “allow” on a menu security for production management and then all of a sudden anyone in the “Customer Service” security group couldn’t see production management anymore…

Then I said okay, that’s weird, I’ll just go and add the person in question directly to that menu and see what happens. So I went to that user and changed their access to “allow”. All of a sudden the same CSRs called me back and said they couldn’t see production management anymore… Anyone ever seen this? And these customer service people did not have anything but the one security group assigned to them… a security group I wasn’t changing anything on.

1 Like

I’m sure I read something on this recently elsewhere, allowing and disallowing security groups and strange activities thereafter. I will see if I can find it again.

1 Like

What is the default action for the Menu Security ID? I feel like I’ve seen similar awesomeness in Kinetic Menu Security like this and it had to do with the default and then the group ‘override’.

2 Likes

We had a similar issue to this right after the 2025.1 update and the issue seemed to stem from the “Default Access” setting in Menu Security.

We had to change the “Default Access” setting to “None”, and then specifically change the User Group access to “Allow” or “Disallow” to fix it.

5 Likes

I would argue the entire Epicor concept of menu security was a bug, but that’s just me.

16 Likes

Yeah, that’s the thing. I feel like the default, which is set to allow, is what throws this whole thing off.

Yep, that’s what I was telling the company we had to do too, because I’ve seen that work 100% of the time, no oddness, no questions.

1 Like

I won’t argue this.


So, for anyone who doesn’t know this, the way Menu Security works is by following a set of precedents.

IIRC, they are as follows, with items to the right overriding or taking precedence over those further on the left, e.g., company-specific records taking precedence over global records.

Global (10), Tenant (5), Company (0)
None, Default, entry (allow), noentry (disallow)

Inherited (implied), explicit.

Allow and Disallow permissions are included in the entrylist and noentrylist table columns for menu security.

Setting the default to Allow or Disallow adds ‘*’ to the appropriate column.

So when you have ‘Default’ instead of ‘None’ in Tenant or Company records, it is pulling ‘*’, by default, from the next higher permission, and adding it to the current record during parsing, which likely results in something like ‘,,*,production’ (simplified) somewhere in the back end.

Should Epicor be able to handle this? Sure, but you are essentially explicitly telling Epicor to ‘Allow all, Allow All, Allow Production,’ and it’s applying a complex set of overlapping hierarchies.

I imagine that the challenge is that Epicor struggles with processing the defined AllowAll (10) explicit-default, AllowAll (5) inferred-inherited, AllowAll (0) inherited, Allow Production (explicit).

Now that I’ve rambled and possibly over-explained, I hope you all have a great day.

Best regards,
Kevin

2 Likes
