Security Groups and Best Practices

Hi Everyone,

We’re initiating a cleanup of our security permissions and groups for the first time. This year we upgraded from Vantage 8 to Kinetic and during the install we didn’t have the time to do a cleanup of our users.

We’re looking to do a ground-up rebuild of everything security related to ensure compliance and to align user access with real-life need.

I’m coming into this project having never done a cleanup like this before. I’ve done some research and feel I have a handle on the basics of what we should be doing. However, I’m wondering if anyone who has gone through this process could share any best practices or potential roadblocks we may come across during this transition. In particular, I’m interested in whether Epicor has a way to audit which screens are being used and by whom, so we can ensure as few issues as possible with new access once we push this update.

Absolutely any help is much appreciated!

In Activity Tracking Detail, there is the Menu ID type. If you have the log detail enabled, you can see who is opening the screen. This is also very useful to see if the dashboards you spent a long time creating aren’t being used. This won’t be retroactive if you don’t have it currently enabled. It’s been very useful to determine which screens I can get rid of when we go full in the browser.


Hi Wesley, hope this message gives you some help.

There was recently a useful webinar about this that you can likely access through Epicweb that is worth a watch:
[Live Webinar] Back to Basics: Role-Based Use of Epicor Kinetic — User Setup & Responsibilities

I have gone through this process when I first started with Epicor and am going through it again before we upgrade from 2021.2 to 2025.2.

When I redesigned our security permissions, I went with a role-based setup, creating a new security group for each job title requiring Epicor access. I believe they recommend something similar and it works out fairly well, but I think that would depend heavily on the size of the company.

A few tips I’d look into:
- I found it easier to use “allow access” only, I removed any disallow permissions
- I kept sensitive menus like setup menus accessible by separate security groups so they can be assigned separately*
- I tried to get rid of any disconnected or company-specific menus, currently battling how to set multi-company permissions* for different scenarios now though

Most of our “reports” were also written with SQL queries. They could be done in BAQ now that I’m more familiar, but the way the tables for security permissions work took me a lot of time to understand. There is a particular thread on here I used that helped me separate security groups for users and menus; I’ll see if I can find it and post it, as it helped me a lot when I first started this project some years ago.

Hope this helps,
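
Added example (not part of any post above, and not Epicor code): one way to combine the two suggestions in this thread, comparing observed menu-open activity against proposed allow-only role groups before rollout. The CSV columns, menu IDs, group names and users are constructed placeholders, not real Epicor identifiers or table fields.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: an export of menu-open activity (column names are assumptions).
ACTIVITY_CSV = """user_id,menu_id
jsmith,MENU_SALES_ORDER
jsmith,MENU_CUSTOMER
jsmith,MENU_COMPANY_SETUP
mlee,MENU_PO_ENTRY
mlee,MENU_SALES_ORDER
"""

# Constructed proposal: one allow-only group per job title, with setup menus
# held in their own group so they can be assigned separately.
PROPOSED_GROUPS = {
    "SalesRep": {"MENU_SALES_ORDER", "MENU_CUSTOMER", "MENU_QUOTE"},
    "Buyer": {"MENU_PO_ENTRY", "MENU_SUPPLIER"},
    "SetupAdmin": {"MENU_COMPANY_SETUP"},
}
USER_GROUPS = {"jsmith": ["SalesRep"], "mlee": ["Buyer"]}


def observed_usage(csv_text):
    """Map each user to the set of menus they opened during the logging window."""
    usage = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        usage[row["user_id"].strip()].add(row["menu_id"].strip())
    return usage


def review_access(usage, user_groups, groups):
    """Per user: menus they use that the new groups drop, and grants never exercised."""
    report = {}
    for user in sorted(set(usage) | set(user_groups)):
        granted = set()
        for group in user_groups.get(user, []):
            granted |= groups[group]
        used = usage.get(user, set())
        report[user] = {
            "would_lose": sorted(used - granted),     # review before go-live
            "unused_grants": sorted(granted - used),  # least-privilege candidates
        }
    return report


if __name__ == "__main__":
    for user, r in review_access(observed_usage(ACTIVITY_CSV), USER_GROUPS, PROPOSED_GROUPS).items():
        print(user, r)
```

Because the activity log is not retroactive, an entry under `unused_grants` only means the menu was not opened while logging was enabled; an entry under `would_lose` is either a missing grant or access the user should not have had.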