A way to manage user accounts without security manager

(Derek Drozdzak) #1

We would like to give our level 1 service desk the ability to reset Epicor passwords and create user accounts without giving their Epicor User the Security Manager access checkbox permissions. Is there a way to do this? It seems silly that just resetting passwords for other users requires Security Manager, which essentially gives permissions to everything in the system. Anyone have easy solutions?

(Jeff Gehling) #2

There is no way as far as I know using internal Epicor security.

However, if you are able to, you could implement AD authenticated SSO. Epicor will then use AD credentials and auto login the user. Your level 1 staff will then only need to reset Windows login passwords as normal.

(Bart Elia) #3

Correct. If you do not have security access, you are hard coded blocked in code by design (Or my SaaS Ops folks would be chewing all over me).

If you need external control, Azure AD or Windows AD on premises is the better model for you.

(Bruce Larson) #4

First Customize the User Account Process where you disable the Security Manager Check box.
Save the customization
Open up Menu Maintenance and copy the menu item to somewhere else on the menu by changing the parent Menu ID
Last - either create a new security ID or select another and put it on the menu.
Make sure to uncheck the security manager required on the new security ID.

(Simon Hall) #5

Have you looked at users in the admin console? I had often thought that that’s a great place, just manage the basics of user management, particularly where the people you need to do the task only know MMC, but then again they have to have access to the appserver to do this, which could be another world of pain.

Failing that perhaps PowerShell?

(Calvin Krusen) #6

Just spitballing, but a script to call DMT might work.

(Calvin Krusen) #7

Here’s a PowerShell script file (untested) that might work (after you make the appropriate changes):

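Param([string]$UserID)

$DMTPath = "C:\Epicor\ERP10\LocalClients\app_server\DMT.exe"
$User = "_glbl_epicor"
$Pass = "password_for_above"

$Source = "temp.csv"

# Write the header and the data row as single CSV lines.
# (echo "a","b" emits each string on its own line, and ">" writes UTF-16 in Windows PowerShell.)
'"Company","UserID","ClearPassword"' | Set-Content -Path $Source -Encoding ASCII
"`"mc`",`"$UserID`",1" | Add-Content -Path $Source -Encoding ASCII

#Load Data
Start-Process -Wait -FilePath $DMTPath -ArgumentList "-NoUI -User $User -Pass $Pass -Update -Import User -Source $Source "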

You’ll need to change the values for: $DMTPath, $User, $Pass, and the company value in that second data line ("mc").

I’m no PowerShell expert so use that more as guidance than gospel.
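
A hardened variant of the DMT approach in the post above, as an added example that is not part of the original post or of Epicor's tooling: it validates the target user ID, refuses a list of protected accounts, loads the DMT credential from a DPAPI-protected file instead of the script text, and writes an audit line. The DMT switches are the ones shown in the post; the protected-account list, the file paths and the parameter defaults are assumptions.

```powershell
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9_.-]{1,32}$')]  # keeps quotes, commas and spaces out of the CSV and arguments
    [string]$UserID,
    [string]$Company  = 'mc',
    [string]$DMTPath  = 'C:\Epicor\ERP10\LocalClients\app_server\DMT.exe',
    [string]$CredFile = 'C:\ProgramData\EpicorReset\dmt-cred.xml',    # assumed path
    [string]$AuditLog = 'C:\ProgramData\EpicorReset\reset-audit.log'  # assumed path
)

# Accounts the service desk must never reset (assumed list; adjust locally).
$ProtectedAccounts = @('epicor', 'manager', '_glbl_epicor')
if ($ProtectedAccounts -contains $UserID) {
    throw "Refusing to reset protected account '$UserID'."
}

# Saved once with: Get-Credential | Export-Clixml $CredFile
# On Windows the password is DPAPI-encrypted for the account that saved it on
# that machine. That account can still decrypt it, so this protects the file
# at rest, not the password from the operator.
$cred = Import-Clixml -Path $CredFile

# Build the import file with a CSV writer, in a per-run temp file.
$source = Join-Path $env:TEMP ("dmt-reset-{0}.csv" -f [guid]::NewGuid())
[pscustomobject]@{ Company = $Company; UserID = $UserID; ClearPassword = 1 } |
    Export-Csv -Path $source -NoTypeInformation -Encoding ASCII

try {
    # DMT takes the password as an argument, so it is visible in the process
    # command line while DMT runs.
    $dmtArgs = @('-NoUI', '-User', $cred.UserName,
                 '-Pass', $cred.GetNetworkCredential().Password,
                 '-Update', '-Import', 'User', '-Source', "`"$source`"")
    $proc = Start-Process -Wait -PassThru -FilePath $DMTPath -ArgumentList $dmtArgs
}
finally {
    Remove-Item -Path $source -ErrorAction SilentlyContinue
}

# Record which Windows account reset which Epicor user, with DMT's exit code.
'{0:o} operator={1}\{2} target={3} exit={4}' -f (Get-Date), $env:USERDOMAIN,
    $env:USERNAME, $UserID, $proc.ExitCode | Add-Content -Path $AuditLog
```

The exit code is logged as reported by the process; the page does not say how DMT signals a failed import, so check DMT's own log output before treating a run as successful.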

(Dan Edwards) #8

This is only an example of how you could do it using a simple customization and a BPM.
You can create a customization that displays the User IDs and then a button to reset the password. Use the button click to initiate a method directive that performs the following. You will need to change the SetUserID("epicor") to an account that is a security manager. You can pass the User ID using the BPM context.

// Run the block below in a temporary session as a security manager account
using (CallContext.Current.TemporarySessionCreator.SetUserID("epicor").Create())
using (Ice.Contracts.UserFileSvcContract userFileSvc = Ice.Assemblies.ServiceRenderer.GetService<Ice.Contracts.UserFileSvcContract>(Db))
{
    // Load the target user's record so the update applies to an existing row
    Ice.Tablesets.UserFileTableset userFile = userFileSvc.GetByID("manager"); // Pass in user ID
    Ice.Tablesets.UserFileRow userFileRow = userFile.UserFile[0];
    userFileRow.ClearPassword = true;
    userFileRow.PasswordEmail = "test@test.com"; // Set to user email
    userFileRow.RowMod = "U"; // Mark the row as updated
    userFileSvc.Update(ref userFile);
}