I’m new to Epicor and I’m trying to better understand this Security Manager feature. So based on what I’ve read and tested, there is no possible way to perform Menu Maintenance unless the user is flagged as a Security Manager, is that correct? I have copied all menu items under Security Maintenance into a new menu and it seems that most menu items (User Security, Security Group, Process Security) work without the user being flagged as a Security Manager with the exception of Menu Maintenance (the user can only see the menu items assigned to them and not the entire tree in order to maintain the security for every menu item). While I don’t expect us to be performing Menu Maintenance on a regular basis, I would really like to find a way to not have individuals flagged as a Security Manager since that gives full system access to every aspect of the system, including entering invoices, supplier/customer maintenance, entering journal entries, etc. This seems like it would be quite a violation of SOX and segregation of duties. Can anyone provide insight into what I may be missing and how other companies might be managing this? Does it get better in newer versions of Epicor?
Security Manager means you can access all menus.
If your staff can see menus you don’t want them to, you need to use security groups.
I built a structure with the “you don’t have access to anything until provided” mindset. Out of the box Epicor menus & groups allow way too much access from my point of view.
Edit: Create a new security group and assign only one user to that group, making sure that is the only group on that menu.
Yes, the plan is to create Security Groups and assign them the applicable menu items based on each functional role and then it’s much easier to assign/maintain appropriate user access. But that Security Manager “feature” seems to be in conflict with SOX/SOD.
For a user to be able to assign permission to things (menu maintenance), they have to see all the things. Telling a user that they don’t have access, but still giving him the keys, doesn’t really do anything.
Seeing all the things and being able to perform all things are two very different functions. I should be able to add the menu item Journal Entry to the GL User Security Group but I shouldn’t be able to enter a Journal Entry which is what the Security Manager access is allowing.
But the security manager can add the access because he’s the security manager. So that’s not really security. Other than a 2 key system, it’s not really possible.
You could get away with a couple of “admin” accounts that are not used by anyone on a day-to-day basis and only they have the security manager feature.
Epicor is an ERP system, so really designed to meet inventory management, not compliance based on an industry standard.
For your compliance requirements, instead of trying to prevent access you could set up monitoring reports that show any activity in screens by non-authorized users.
Having at least one person with Security Manager is an inherent part of Epicor. Not sure you will be able to get away from that.
I could be wrong, but can’t you just modify the security group used to access menu maintenance menu item by unchecking the security manager only checkbox and assigning whatever security groups you want to have access to the menu item?