Security Flaw in Active Home Page

Is anyone aware of a security flaw in Active Home Page?

Since we converted from Vantage in mid 2020, classic view is typically used by many employees who have been with the company for a while. Recently we have had users complaining that they don’t have the same ‘access’ in the active home page as they do in the classic view. As it turns out the Quick Launch page icons are greyed out for the standard user. An Epicor tech encouraged us to correct the situation by ‘adding’ icons and removing those that are greyed out. When testing this solution we randomly selected an app link, in this case BANK ADJUSTMENT, for a shop employee who has mostly tracker access.

This test shop employee was able to add a bank adjustment although he doesn’t have access to Accounts Payable or General Operations. But Bank Adjustment has the "Allow Access to All Groups/Users" box checked in menu maintenance.

The tech said: “We can disable Active homepage for a user by editing the sysconfig file on their machine.”

This doesn’t make sense for us. 1. Is there some security feature that I am missing, that perhaps this tech doesn’t know about? 2. Is there a way to disable the Active homepage for ALL users instead of each user?

I appreciate any advice. Thank you, Jill Pleau

I think that is your issue… Why would all users have access to the Bank Adjustment menu??? We created Financial groups of users who are the only ones having access…

Just remove the check and add the appropriate group of users to access.

And maybe verify all your menu access at the same time… maybe other such errors such as this one exist elsewhere…

Pierre

3 Likes

yes, if you have allow access to all groups and users then all groups and users will have access…

Understood, however, if the user doesn’t have access to Accounts Payable, then surely, Epicor should have reasoning programmed that he also does not have access to Anything within AP?

These “allow access to all groups/users” settings are prevalent throughout the software. I guess I’d prefer everything to have NO security if this is how some of the security works. hmmmmmm.

Thanks for your response.

Ahhh… you have made the same assumption that many have made. Security is not based on whether you can see an option in a menu. It is based on the actual menu items themselves and not the menu they exist in…
SOLUTION: you MUST secure EVERY menu option… not just the menu groupings.
EXAMPLE, you can HIDE the entire Sales Menu, but this does not restrict the user from running the Order Entry program. You then ask: “How would they run order entry?”… Answer: Have you tried right-clicking on an order number? If order entry program is not secured, then the user will be able to run it.
You are not the first person to make this assumption (and not the last).
I have done security audits with people who THINK that they have security applied correctly… I asked them to give me a user that only has Customer Tracker or Part Tracker… from there, I can right-click into Order Entry, Part Entry… from there, I can right-click into Product Groups, which gives me right-click into GL Structures. The door is wide open if you have not secured every menu option.
To do this yourself… go to any low-security person, pull up any tracker, and start right-clicking to see what you can run. Then go back and actually secure the actual end menu items and try again.

10 Likes
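To make the distinction in the post above concrete (menu visibility is not access control; each end item carries its own ACL and can be launched directly), here is an added Python model that is not part of the thread and is not Epicor's data model or API. It assumes a toy tree where every entry has either "allow all" (`ALL`) or an explicit set of groups, where direct launch (right-click from a tracker, a favourite, or a non-menu client) checks only the entry's own ACL, and where walking the menu requires every level of the path to allow the user. `audit_hidden_but_launchable` is the right-click audit from the post done programmatically, and `tighten` is one way to propagate the upper-level restrictions down to each end item so that a program is never broader than the menu path leading to it (the inherited restriction is an intersection of allowed sets in this model). The menu entries, group names and user memberships are constructed for the example.

```python
"""Toy model of menu-level security.  Each entry (grouping or program) has its own
access list, and a program can be launched directly without walking the menu tree.
Constructed example; names and structure are assumptions, not Epicor's tables."""
from dataclasses import dataclass
from typing import Optional

ALL = None  # sentinel for "Allow Access to All Groups/Users" (no group restriction)


@dataclass
class MenuEntry:
    parent: Optional[str]        # id of the containing menu, None for the root
    groups: Optional[frozenset]  # ALL, or the set of security groups allowed
    program: bool = False        # True for a launchable program, False for a grouping


def entry_allows(groups, user_groups):
    """Own-ACL check: 'allow all', or at least one of the user's groups is listed."""
    return groups is ALL or bool(groups & user_groups)


def can_launch(tree, entry_id, user_groups):
    """Direct launch (right-click from a tracker, favourite, etc.) consults only the entry's ACL."""
    return entry_allows(tree[entry_id].groups, user_groups)


def reachable_via_menu(tree, entry_id, user_groups):
    """Navigating the menu requires every level from the root down to allow the user."""
    cur = entry_id
    while cur is not None:
        if not entry_allows(tree[cur].groups, user_groups):
            return False
        cur = tree[cur].parent
    return True


def audit_hidden_but_launchable(tree, user_groups):
    """Programs the user cannot see in the menu but could still run directly."""
    return sorted(
        eid for eid, e in tree.items()
        if e.program
        and can_launch(tree, eid, user_groups)
        and not reachable_via_menu(tree, eid, user_groups)
    )


def tighten(tree):
    """Copy of the tree where each entry's ACL is intersected with all of its ancestors'."""
    cache = {}

    def effective(eid):
        if eid in cache:
            return cache[eid]
        e = tree[eid]
        parent_eff = ALL if e.parent is None else effective(e.parent)
        if e.groups is ALL:
            eff = parent_eff            # inherit whatever the path allows
        elif parent_eff is ALL:
            eff = e.groups              # path is unrestricted, keep own list
        else:
            eff = e.groups & parent_eff  # both own list and path must allow
        cache[eid] = eff
        return eff

    return {eid: MenuEntry(e.parent, effective(eid), e.program) for eid, e in tree.items()}


# Constructed menu tree loosely following the thread's example
MENU = {
    "Main": MenuEntry(None, ALL),
    "Financial": MenuEntry("Main", frozenset({"Finance"})),
    "AccountsPayable": MenuEntry("Financial", frozenset({"Finance"})),
    "BankAdjustment": MenuEntry("AccountsPayable", ALL, program=True),  # allow-all leaf under a restricted menu
    "Sales": MenuEntry("Main", frozenset({"Sales"})),
    "OrderEntry": MenuEntry("Sales", ALL, program=True),                # hidden menu, unsecured program
    "Trackers": MenuEntry("Main", ALL),
    "CustomerTracker": MenuEntry("Trackers", ALL, program=True),
}

SHOP_USER = frozenset({"Shop"})        # tracker-only user from the thread
FINANCE_USER = frozenset({"Finance"})

if __name__ == "__main__":
    print("exposed before tighten:", audit_hidden_but_launchable(MENU, SHOP_USER))
    print("exposed after tighten: ", audit_hidden_but_launchable(tighten(MENU), SHOP_USER))
```

Running it lists Bank Adjustment and Order Entry as launchable-but-hidden for the shop user before tightening and nothing afterwards, while the Finance user keeps Bank Adjustment. The same audit idea applies to non-menu entry points (DMT, REST), which is why the tightened ACL has to live on the end item rather than on the grouping.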

And this becomes even more important when people are not accessing resources through Menus at all. We need to think about access through DMT, Service Connect, and REST as well.

4 Likes

Yes, api level security!

1 Like

I've had issues with getting DMT to be secure using menu securities. I went back and forth with Epicor support trying to get it to work and they acknowledged the same issue.
This was when we were on 10.2.200. I haven't tried since upgrading to 10.2.700.

1 Like

I think we need to start looking at Service Security and Access Scopes to properly lock capabilities down.

1 Like

That’s what I did to lock down DMT: added method security.

2 Likes

Never assume; make sure it is right, as you want it. If you originally installed Epicor via a CAM… or consultant, well, he/they did miss this important task of menu security setup…

Even for us, we have created new menus for some dashboards, but had to create a new sub-menu in order to place them, because assigning them the group security for where the new dashboard was originally placed was giving access to more menus than we wanted them to have…

So creating a specific sub menu allowed us to limit access…

Pierre

2 Likes

Thank you all for your comments.

Epicor has informed me that this flaw is corrected in 10.2.500.40 and above, I guess that equates to all versions in sustaining status. Unfortunately, not us.

Jill

1 Like

Did they mention how it was “corrected”?
I’m manually applying the union of upper-level securities to each lower item, which I feel is quite a mess.

2 Likes