Company Change Approaches on the Server


(Bart Elia) #21

Does this need to be for any user or only certain scenarios?

Why I am asking is there is the ‘On Behalf Of’ impersonation for delegated execution by a service account on behalf of other users. For example, the Task agent ‘user’ with impersonation rights. This allows for a service account running tasks to generate a report on behalf of any user. It’s also used by ECC and a few other server to server scenarios.


(Haso Keric) #22

Well the users executing this one would be regular Employees with no access to Corporate Company and If I could execute it as a Service Account (Fixed) that would be good, heck perhaps even use the Print Account since that one has access to all Co’s. It’s not On Behalf Of, but rather “As User” that I am looking for.

Similar to the BAQ Version:

**CallContext.TemporarySessionCreator.SetUserID("CyberBob").Create()**

Looking for a way to force a User OR have the Cross-Company BAQ ignore the User’s Company Access and force it to include a specific company, no matter what in its query. Perhaps a Temp Session in the UI?


(Bart Elia) #23

That level of full User spoofing is not something we have due to the security concerns - that’s a pretty quick slope if you can change users with a single line of code and have no rights delegation visible that an admin can control.


(Haso Keric) #24

I did get this.oTrans.Session.SetUser(“manager”, “manager”); to work, it works perfect - but acquiring the session takes 30 seconds and not sure what else I break in the process of switching users like this. Plus I have to revert back; unless I make a clone of the Session or my own Session Object with ILaunch

Perhaps I should be using Session.SetCredentials instead ?


(Bart Elia) #25

To be honest, I have not torn apart our Winforms security in a LONG time so you probably have fresher eyes on it than I.

I feel you are ‘architecting’ to the 99% here though trying to fight security. This really is one of those case you need a third party between the client and the db to control access to the data.

Of course the system is highly extensible and this community does a wonderful job of stretching limits and giving me (and Epicor) wonderful views into various options and needs. On this one, it’s pretty clear. You have a user with no rights to data trying to get data - full stop.

You need an intermediary (another account with rights) that will do limited work ideally on behalf of ?any user?. That’s nothing plumbed into the level you are discussing. I would almost look at standing up another service and calling into E10 as the user with rights. Kind of a poor mans azure function if you will. The alternate service would retrieve the data on behalf of this user. That other service account could even use impersonation granted through User Maintenance.


(Haso Keric) #26

USE Case: Sometimes you just want to Query something, mainly READ-ONLY from Corporate Company without giving the User Access to that Company - because If you do they also get the Menu Structure and configuring 10 Companies with Unique Menu Securities per Company is a pain.

I want the User to have Company Access to BOs, Data, etc… BUT not the Menu :slight_smile:

Typically it’s a BAQ Cross-Company that you want to include “controlled” data and present it to the user no matter what.

Usually we do Service Connect pass info down, but it just creates many dependencies.

Feature Request!: FIXED Company BAQ with DISCLAIMER as “Use at own Risk”. :slight_smile: I know there is External BAQ, perhaps use that. Run BAQ as User in BAQ Designer.


I’ll tinker around :slight_smile: As long as I clone the oTrans.Session i should be okay, don’t feel comfy messing with the original session User in Transaction.

E9 Reflection


(Pedro Marques) #27

Just trying to see a different way to go about this, but could you use external datasources with views?


(Haso Keric) #28

Might be the proper way… because hard-coding credentials in code is never good in plain-text. Plus what if the Service Account Password changes.

Thanks for the discussion and brainstorming @josecgomez @pmarques @Bart_Elia


(John Mitchell) #29

Why not create the view in SQL and just use an External BAQ?


(Josh Owings) #30

We do this with SSRS and side cart database with calls back to the Epicor database. Security is controlled in the SSRS folder access and security groups. You can also link the SSRS from a custom menu option in the application. Let the data source connection in SSRS have rights but the user can’t see or access the report unless they have proper permission.

**Josh Owings ** | JR Automation
ERP Applications Manager

O: +1 (864) 397-9193 | C: +1 (864) 884-6587


(Brandon Anderson) #31

Thinking outside the box, could you populate a UDtable using a user with the requisite access, with the applicable data that is populated in such a way that the users who need to see it can see it? Kind of like an external BAQ. You would just have to set up a refresh/populate process. Would this be something that executive cubes could be used for? (I haven’t been able to figure out how to use them yet)

All of that depends on what type of data you’re looking at and if a lag is acceptable or not.


(Mark Wonsil) #32

@hasokeric nails it here. What we want is a solution that works WITH the Framework and not in spite of it. Most of the proposed solutions won’t work in a SaaS environment which is antithetical to a growing portion to the market. A Cross-Company BAQ is the correct solution. The real problem here is getting finer control of the Menu and easier administration for the access.

There is already a way to provide a security ID on a BAQ. Now a little logic that says, “If no menu items are available under the company, hide the company” then you’re in business…

BTW, we have a use case where sales reps in one company want to know if others are quoting in their area. A cross-company BAQ would be quite useful here.

Mark W.


(John Mitchell) #33

I couldn’t agree more with working within the framework. What would prevent you from viewing or changing data for other companies (SAAS customers) since they all use shared resources?


(Mark Wonsil) #34

There are two flavors of SaaS: MT and DT. In Multi-Tenant, you’re not likely given access to other companies in the same database but you if you did, you still need to give access to each user a list of companies they have access to. A cross-company BAQ will not give access to a company if the company isn’t associated with the user. In Dedicated tenancy, this is still true but the database is not shared with other users.

External Queries require ODBC access to the database which: a.) SaaS users won’t have. b.) bypasses all Epicor security.

Mark W.


(Jose C Gomez) #35

Have you tried giving them access to the other company but completely restricting the menus so they don’t actually have access to anything? This would allow the cross company BAQ stuff to work while still keeping them out of there?


(Haso Keric) #36

Yes =) When you are SOX Compliant and have 100’s of Security Groups. It’s not a simple switch since certain Groups and Users can have Access by Role. Its like Spaghetti and Epicor’s Menu Maintenance is def not Multi-Company + SOX Compliance Friendly.

One thing we didn’t do; is name our Groups CompanyID_MtlHandlerAdmin and instead left it as MtlHandlerAdmin. But def not easy friendly, can be done but can also introduce headaches.


(Mark Wonsil) #37

Somebody on this group recommended that very practice. Our security groups lead with the company ID if company specific or a global prefix for all companies. Same with BAQ names with addition of DEV for BAQs in process.

Mark W.


(Bart Elia) #38

The discussion on Menu for ‘security’ (really for preferences) and real Security via the field/service restrictions being too complex are well heard. I don’t have anything to announce but UX around that domain are a hot topic.

If you look at where we are bringing password policy, account lockout, blank passwords being ‘banned’, Azure AD integration, https by default, REST not exposing exception details… that’s the reality of the tech world today. Security by default and then hopefully make the opt in as easy to administer as possible while maintaining security. It’s a tricky balance and something we treat seriously. Keep complaining and brainstorming and keep the discussion going. I or someone will have things announce as they become available. I appreciate the thoughts.


(Haso Keric) #39

@Bart_Elia and @josecgomez for years I was under the impression that despite a BPM being “Company Independent” I can only retrieve data from the companies where a “User” has access.

But running this BPM as a user that only has access to 1 company. I hard-coded our Corporate (Global) Company ID: 00300000 and it fetches data from it just fine.

var currentRow = ttABCCode.FirstOrDefault();

var x = (from global in Db.ABCCode where global.Company == "00300000" && global.ABCCode1 == currentRow.ABCCode select global).FirstOrDefault(); 

currentRow.StockValPcnt = x.StockValPcnt;

Mind Blown because I was trying to run Ice.Core.Session to authenticate as a Service Account. Next test, to see If I can update data in 0030000 despite not having access by using basic Db.Validate()

Can you confirm that this is acceptable to do and it isn’t just me being lucky in ABCCode :slight_smile:

Makes me wonder why we use Service Connect if we could just use LINQ Query and Db.Validate and possibly even TransactionScopes for the simple transfers.


(Chris Conn) #40

As I understand, that Db context is global.