User Security Access for audit

Year end IT/Finance audit is in full swing. The auditors want a report of all the access all users have.

Every year I fight with this and every year it’s such a time suck and a mess. I’m currently printing out the Menu Security Report for all the screens that I’ve noted as high risk (master data screens & transactional data screens). But it’s a pain because sometimes it just shows the group that has access to that screen. So now I need to export out all the users and all the groups they have on their profile.

To make matters worse, we use a combination of security groups, but also give some users specific menu item access.

Has anyone found a better/easier way to do this?



Hi Mach,

We also wrestle with this yearly.
We have not found Epicor’s security reports useful at all.
So far the best we have is a BAQ that we download to Excel and do a pivot (color-coded to note access, see screenshot) and ask managers to review modules that are under their management area. This is the check on whether the security group has appropriate program assignments. After that, we run a list of user assignments to security groups and ask managers to review whether their people are assigned to appropriate security groups and any additional access (e.g. BAQ designer etc.).

Be careful to eliminate data rows for modules not in use. I currently do this after taking data to Excel.


That looks super complicated (the pivot table part), but I’ll give it a try.

Also, do you guys use the disallow security feature?

We do not use the disallow. We use either allow all or only selected groups. The asterisk in the Allow list in the data is the “allow all”.
If you’d like a copy of the xl workbook w sample data let me know how to email you. It’s not as nasty as it looks. I think the nasty is the sheer number of programs/security assignments really 🙂



If you could email that to me, that would be amazing!


I was curious, could you send me more information on how you created this BAQ? I am able to follow along with the screenshot you provided; however, I was hoping to see if you could send screenshots of the table criteria and display fields. More specifically, I am not finding the allow list field. I went through all the tables and still couldn’t find it.

Hi Robert,

Here’s the column list and the BAQ phrase build. Does this help?




This is great! THANK you very much for the extra documentation and quick response. Have a great week!


How do you get the individual user names that have access? Say if I wanted to find all users that have access to the part entry or order entry? Can anyone share the links between Menu, Groups, User and program in question? I did see some variants but none parsed the user names. I see that the user groups are separated by , and ~ in the tables.


Hi Chet,

We do not do our security review on the user to menu item basis. It would be a very large blown up dataset… and then there’s the tilde delimited problem. We review all security groups for appropriate menu functional assignments and then review each user for appropriate security group assignment. I think some folks in this group have successfully used subqueries to extract the tilde delimited values and then join them to top level.

I wondered if the E10 Menu Security report might help you get what you want. I input a user id on the filter. It’s still running a half hour later, I think it’s broken.
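The user-to-menu expansion asked about above can also be done outside the BAQ, on the exported data. The sketch below is an added example, not code from any poster or from Epicor: it joins a menu export (comma-delimited allow/disallow lists, `*` meaning allow all) to a user export (tilde-delimited group list) and records why each user has access. The column names and sample rows are constructed, and it assumes a disallow entry overrides an allow entry.

```python
import csv
import io

# Constructed sample exports; column names are hypothetical, not Epicor's schema.
MENU_CSV = """MenuID,MenuDesc,AllowList,DisallowList
PARTENT,Part Entry,"ENG,PURCH,jdoe",
ORDENT,Order Entry,*,temp1
GLJRN,Journal Entry,FIN,asmith
"""
USER_CSV = """UserID,GroupList
jdoe,SALES
asmith,FIN~PURCH
temp1,SALES
bwong,ENG~FIN
"""

def split_list(value, sep):
    """Split a delimited field, dropping blanks and surrounding spaces."""
    return {item.strip() for item in (value or "").split(sep) if item.strip()}

def load_users(text):
    """Return {user_id: set of security groups} from tilde-delimited group lists."""
    return {r["UserID"]: split_list(r["GroupList"], "~")
            for r in csv.DictReader(io.StringIO(text))}

def expand_access(menu_text, user_text):
    """Return sorted (menu_id, user_id, reason) rows for every effective grant."""
    users = load_users(user_text)
    rows = []
    for m in csv.DictReader(io.StringIO(menu_text)):
        allow = split_list(m["AllowList"], ",")
        deny = split_list(m["DisallowList"], ",")
        for user, groups in users.items():
            # Assumption: a disallow entry (user or group) overrides any allow.
            if user in deny or deny & groups:
                continue
            if "*" in allow:
                reason = "allow all"
            elif user in allow:
                reason = "direct user entry"
            elif allow & groups:
                reason = "group " + ",".join(sorted(allow & groups))
            else:
                continue
            rows.append((m["MenuID"], user, reason))
    return sorted(rows)

if __name__ == "__main__":
    for row in expand_access(MENU_CSV, USER_CSV):
        print(*row, sep="\t")
```

The reason column separates grants that come through a security group from direct per-user menu entries and from allow-all menus, which are the rows an auditor usually wants listed separately.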


If you could email that XL Workbook I’d appreciate it! We are reviewing and changing security here and that will help.


Thanks Nancy, Yes we tried running some out of the box reports but the information was not what we wanted. I would like to assume this is a fairly regular audit request and would like to hear how others have achieved this.
Generic comments -
Anyone at Epicor can shed light on whether this aspect will be changed in the future releases? It could be as simple as Read/Update/All/Delete based on groups, menus or individual programs. So is it safe to assume that if the user has Menu access he has all access to that program?

From my experience, as an Epicor guy, the only way to get the information to review security is a time consuming process. Nancy is right! A BAQ is needed to loop in each level of security, level 1 main folders, level 2 sub folders and so on. This is not an easy BAQ and it will give you what security groups have access to what menus.

Once you have this information you are then able to do another BAQ to put up any security on service and/or field security. This will give you the data needed to see what security groups have access to what area of the program. Keep in mind that you may bring up more modules / folders than what you have licenses to. At least I did when I ran this.

I then ran another BAQ for what each user has access to what groups. From these 4 spreadsheets I had to go line by line to review each menu, service or field security and what groups had access to what. I then reviewed each user for what access they had and if it was warranted.

As you can see it is not easy to do an in depth review of security. For that reason the recommendation is to always keep it simple as process when setting security. Not only for upkeep in the long run but also for these purposes here.

From what I know, this is not something that is being looked into changing.

I hope this helps.

Also, side note: if a user has access to the top level folder then they have access to all the levels below it also. You have to lock down each module or menu item. This is also why you are not able to just hide the menu item. If you do not lock it down then the user is able to, in some instances, still get access through right click and using the quick menu items.

Robert is spot on, you have to do more than just Menu security. Epicor gives you the ability to control:

  • Services (Method Security on Business Objects)
  • Field Security
  • BAQ Security
  • Authorized users (Buyer, Work Force, …)
  • User Options (SSRS Designer, Advanced BAQ, …)
  • REST Security through API Keys/Scope (10.2.400+)
  • Conditional Security via BPMs

Understand, but all we are trying to get to is who has access to what programs and it looks like that does not exist in a simple form of Read, Write, All etc. Perhaps Security was an afterthought from Epicor’s perspective 🙄

I’m finding that security is just not easy. The world is complex and simple reports for security just don’t exist. I think Epicor has done a good job adding security as needed - especially around REST but I think only BAQ security wasn’t there from the beginning.

Like you, I wish there was an easier way to manage this complex topic!


I use the attached, I then export to Excel and then pivot in Excel.

CobraUser1_0.baq (23.8 KB)