13 March 2007

GP 10: Role Based Security

As good as the keynotes were, there's still some confusion around role-based security. So I went to the session, and I have to say that I was a little disappointed. This is a sore area, and while version 10 makes some big strides, the Q&A afterwards left me with more questions than answers.

What I do know is:

It's Role Based
There are operations (the lowest level: a window, a report, etc.), for example an AP window, that are grouped into tasks, like processing AP, which are grouped into a role, like an AP clerk.

How is this different from classes? Well, the third level makes a huge difference. The task is essentially a function. So I can build security functions (enter AP, cut AP checks, post AP, etc.) that are pretty independent of the user, and then as the role changes, I can give and take away tasks without having to drill down to the operation level.

So if an AP clerk gets promoted to an AP supervisor, I just change the role. But if an AP clerk is now going to post their own AP, I simply add a task to the role. There's no delegation per se, but it should be easy to do for things like vacations. Simply add a task to a role during the vacation period, then remove it.

Roles can be different in different companies, and there are lots of copying functions to make your life easier.

It's Pessimistic Not Optimistic
GP 10 security assumes you can't do anything and requires explicit permission to an operation. This is a change from Optimistic security in previous versions that required specific removal of permission.

You will need to convert security during the upgrade (or rebuild all your users). Users get their own role during the upgrade that keeps all their existing security, allowing you to migrate users to new roles in a more leisurely manner.
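The role, task and operation levels and the pessimistic default described above, as an added Python example that is not GP 10 code. Every name in it (the `Company` class, `convert_user`, the users and windows) is a constructed assumption, and it models the upgrade by giving a user one personal role holding exactly what the old removal list left them.

```python
# Added illustration: names and data are constructed, not GP 10's schema or API.
ALL_OPERATIONS = {"AP Entry Window", "AP Check Window",
                  "AP Posting Window", "AP Aging Report"}

class Company:
    def __init__(self):
        self.tasks = {}       # task name -> set of operations
        self.roles = {}       # role name -> set of task names
        self.user_roles = {}  # user -> set of role names

    def can(self, user, operation):
        # Pessimistic: access exists only through an explicit
        # role -> task -> operation grant; anything else is denied.
        return any(operation in self.tasks.get(task, ())
                   for role in self.user_roles.get(user, ())
                   for task in self.roles.get(role, ()))

def optimistic_can(denied, user, operation):
    # Earlier model: allowed unless permission was specifically removed.
    return operation not in denied.get(user, set())

def convert_user(company, denied, user, operations):
    """Upgrade step: the user gets their own role holding exactly the
    operations they could reach under the old removal list."""
    name = f"{user} (converted)"
    company.tasks[name] = set(operations) - denied.get(user, set())
    company.roles[name] = {name}
    company.user_roles[user] = {name}
    return name

def demo():
    co = Company()
    co.tasks.update({"Enter AP": {"AP Entry Window"},
                     "Cut AP Checks": {"AP Check Window"},
                     "Post AP": {"AP Posting Window"}})
    co.roles["AP Clerk"] = {"Enter AP", "Cut AP Checks"}
    co.user_roles["pat"] = {"AP Clerk"}
    before = co.can("pat", "AP Posting Window")   # False: never granted
    co.roles["AP Clerk"].add("Post AP")           # vacation cover starts
    during = co.can("pat", "AP Posting Window")   # True
    co.roles["AP Clerk"].discard("Post AP")       # vacation cover ends
    after = co.can("pat", "AP Posting Window")    # False again

    denied = {"lee": {"AP Posting Window"}}       # legacy removal list
    convert_user(co, denied, "lee", ALL_OPERATIONS)
    new_op = "Vendor Bank Window"                 # operation added after the upgrade
    return (before, during, after,
            optimistic_can(denied, "lee", new_op), co.can("lee", new_op))
```

The last two values show the practical difference for an auditor: an operation added after the upgrade is open to everyone under the old model until someone removes it, and closed to everyone under the new one until someone grants it.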

Reporting is Better
Reporting appears to be better in GP 10. You may actually be able to give your auditor a security report. Then again, it was fun handing them a 500 page security printout. The looks were priceless!

What's Not in There
In the Q&A we learned that currently there is no import/export for security settings. As one user mentioned, they use this to set up security in a test environment and then migrate the settings via import/export to reduce security-related user calls. I'm guessing this will be back in by the final version.

I asked about speed. As much as I love the GUI for Advanced Security, it's slow. I know why it's slow. I completely understand, but it's still slow. There didn't seem to be a recognition from the GP team that speed was an issue, even though the rest of the crowd clearly thought so.

Bottom line: it looks much better. I still worry that the team doesn't quite get it, but it's closer to the right solution.