With security on the lips of every small business in recent months, a minor security vulnerability has been discovered in Dynamics GP in the last few days. It impacts all Dynamics GP users, no matter what version of GP a business is using.
So just what is the security vulnerability in Dynamics GP?
The security vulnerability highlighted in Dynamics GP is related to the Copy Settings functionality available within the User Setup.
Essentially, the Copy Settings functionality does not respect the permissions that have been set up via User Security. This means that any administrator who has permission to create a user can also grant company access and security rights by using the Copy Settings button, even if they don't have permission to assign security with User Security.
The security vulnerability in Dynamics GP becomes an issue when a business tries to segregate user creation from user security assignment. This segregation is still widely considered best practice, even if it is not common in businesses that are using a Dynamics GP solution.
Let's run through an example. Your senior management team decides that Steve should have permission to create new users, while Philip is only able to assign companies and security roles. This makes sure that Steve is not able to abuse his position by creating rogue users and providing inappropriate security rights. As it stands with Dynamics GP now, Steve is still able to create a user and also copy security and company assignments from an existing user, and Philip won't even be able to see it happening.
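Because Philip has no view of a Copy Settings assignment, a periodic reconciliation is one way to surface it. The sketch below is an added example, not Dynamics GP or Advantage code: it assumes you can export current user, company and role assignments as rows and that the security assigner keeps a record of the assignments they made. All names and sample data are constructed.

```python
from collections import defaultdict

# Constructed sample rows: (user, company, security role). The layout is an
# assumption for this example, not a Dynamics GP export format.
ASSIGNMENTS = [
    ("alice", "CO1", "AP CLERK"),
    ("alice", "CO2", "AP CLERK"),
    ("alice", "CO2", "POWERUSER"),
    ("bob", "CO1", "AR CLERK"),
    ("newuser1", "CO1", "AP CLERK"),
    ("newuser1", "CO2", "AP CLERK"),
    ("newuser1", "CO2", "POWERUSER"),
    ("newuser2", "CO1", "AR CLERK"),
]
# Users present in the last reviewed snapshot (constructed).
BASELINE_USERS = {"alice", "bob"}
# Assignments the security assigner (Philip in the article) recorded (constructed).
APPROVED = {("newuser2", "CO1", "AR CLERK")}


def access_by_user(rows):
    """Group rows into {user: {(company, role), ...}}."""
    access = defaultdict(set)
    for user, company, role in rows:
        access[user].add((company, role))
    return access


def review_new_users(rows, baseline_users, approved):
    """Flag users added since the baseline who hold access the assigner never
    recorded, and name existing users with an identical access set, which is
    the footprint a Copy Settings clone leaves behind."""
    access = access_by_user(rows)
    findings = []
    for user in sorted(set(access) - set(baseline_users)):
        unapproved = sorted(g for g in access[user] if (user, *g) not in approved)
        if not unapproved:
            continue  # every grant was recorded by the security assigner
        clones = sorted(u for u in baseline_users if access.get(u) == access[user])
        findings.append(
            {"user": user, "unapproved": unapproved, "identical_to": clones}
        )
    return findings


if __name__ == "__main__":
    for finding in review_new_users(ASSIGNMENTS, BASELINE_USERS, APPROVED):
        print(finding)
```

A new user with unrecorded access and a non-empty `identical_to` list is the case to review first; an empty list still means access was granted outside the assigner's record.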
Am I affected and how can I resolve this?
Yes – you're affected. It doesn't matter which version of Dynamics GP you are on; this security vulnerability affects all the current versions of Dynamics GP. There is no need to panic, though, as this is a relatively minor security vulnerability, but it will still need to be resolved.
If your Dynamics GP solution is supported by Advantage, we would recommend that you get in touch with your designated GP account manager who will be able to get this resolved for you.
For those of you that are not currently with Advantage and are unsure how to proceed with addressing this minor security vulnerability within Dynamics GP or require some additional GP support, we encourage you to get in touch with us today.