A way to manage user accounts without security manager


(Derek Drozdzak) #1

We would like to give our level 1 service desk the ability to reset Epicor passwords and create user accounts without giving their Epicor User the Security Manager access checkbox permissions. Is there a way to do this? It seems silly that just to reset passwords for other users that it requires Security Manager that essentially gives permissions to everything in the system. Anyone have easy solutions?


Can assign a user other than a Security Manager to reset passwords for other users?
(Jeff Gehling) #2

There is no way as far as I know using internal Epicor security.

However, if you are able to you could implement AD authenticated SSO. Therefore Epicor will use AD credentials and auto login the user. Your level 1 staff will then only need to reset windows login passwords as normal.


(Bart Elia) #3

Correct. If you do not have security access, you are hard coded blocked in code by design (Or my SaaS Ops folks would be chewing all over me).

If you need external control, Azure AD or Windows AD on premises is the better model for you.


(Bruce Larson) #4

First Customize the User Account Process where you disable the Security Manager Check box.
Save the customization
Open up Menu Maintenance and copy the menu item to somewhere else on the menu by changing the parent Menu ID
Last - either create a new security ID or select another and put it on the menu.
Make sure to uncheck the security manager required on the new security ID.


(Simon Hall) #5

Have you looked at users in the admin console? I had often thought that that’s a great place, just manage the basics of user management, particularly where the people you need to do the task only know MMC, but then again they have to have access to the appserver to do this, which could be another world of pain.

Failing that perhaps PowerShell?


(Calvin Krusen) #6

Just spitballing, but a script to cal DMT might work.


(Calvin Krusen) #7

Here’s a power shell script file (untested) that might work (after you make the appropriate changes)

Param(  [string]$UserID)

$DMTPath = "C:\Epicor\ERP10\LocalClients\app_server\DMT.exe"
$User = "_glbl_epicor"
$Pass = "pasword_for_above"

$Source = "temp.csv"

echo "Company","UserID","ClearPassowrd" > $Source
echo "mc","$UserID",1  >> $Source

#Load Data
Start-Process -Wait -FilePath $DMTPath -ArgumentList "-NoUI -User $User -Pass $Pass -Update -Import User -Source $Source "

You’ll need to change the values for:$DMTPath, $User, $Pass, and the company value in that 2nd “echo” line

I’m no PowerShell expert so use that more as guidance than gospel.


(Dan Edwards) #8

This is only an example of how you could do it using a simple customization and a BPM.
You can create a customization that displays the User IDs and then a button to reset the password. Use the button click to initiate a method directive that performs the following. You will to change the SetUserID(“epicor” to an account that is a security manager. You can pass the User ID using the BPM context.

using (CallContext.Current.TemporarySessionCreator.SetUserID("epicor").Create()) 
{
  using (Ice.Contracts.UserFileSvcContract userFileSvc = Ice.Assemblies.ServiceRenderer.GetService<Ice.Contracts.UserFileSvcContract>(Db))
  {
      userFileSvc.GetByID("manager"); // Pass in user ID
      Ice.Tablesets.UserFileTableset userFile = new Ice.Tablesets.UserFileTableset(); 
      Ice.Tablesets.UserFileRow userFileRow = new Ice.Tablesets.UserFileRow();       
      userFileRow.ClearPassword = true;
      userFileRow.PasswordEmail = "test@test.com"; // Set to user email
      userFileRow.RowMod = "U";
      userFileSvc.Update(ref userFile);
  }
}

(Derek Drozdzak) #9

I appreciate these responses. Keep in mind its not just the resetting the password we need. We also need to have them be able to create new user ids, add groups, add company access. All without their own ids having the security manager checkbox enabled. I think Active Directory single sign on is where our internal discussions ended up. But that still only resolves the password reset part of the problem. That doesn’t provide creating new user ids in Epicor. I wish Epicor would just have another function similar to Security Manger that would only allow the creation of User IDs and pw resets capabilities.


(Calvin Krusen) #10

You can create - even by copying an existing user - in the Epicor Admin Console(EAC) on the App Server.

Since 99% of requests for a new user account seem to include, “With the same rights as ________ …”, using the copy user function in EAC, kills several birds with one stone.

BTW - Using AD to create the users can have issues if the AD data is bigger than the Epicor User data’s field. We couldn’t use AD to create users, because the telephone number in AD was bigger than the telephone user in the Epicor User table.


(Derek Drozdzak) #11

Giving Level 1 Service Desk associates access to the Admin Console will not work in our environment. That is too much risk for us to assume. But I never knew you could do that. I got some error that the client application is not defined in the settings when attempting to see the properties of a user account.