26 November 2010

Weekly Review: Managing GP Security Without SA

Many firms don't want to distribute the SA password used with Dynamics GP and for good reason. Sometimes there are other applications on the same server. Sometimes its simply the exercise of a best practice or the desire to monitor who is doing what. Yet, SA is still important in administering Dynamics GP. So what are the alternatives to allow SA type access without using SA?
  • Make any user a member of the SYSADMIN fixed role in SQL Server and ensure that they are a member of the DYNGRP in the Dynamics DB
  • Assign the built in DYNSA user to the SECURITYADMIN fixed server role and use DYNSA instead of SA.
  • Make any user part of the SECURITYADMIN fixed server role and also put it in the DB_Owner database role for the DYNAMICS DB. In this scenario, DYNSA must be the DB owner of all Dynamics GP databases
  • Make any user part of the SECURITYADMIN fixed role and add them to the DB_AccessAdmin and DB_SecurityAdmin roles in Dynamics DB. In this case again, DYNSA must be the DB owner of all Dynamics GP databases.
More detail is available in the Planning for Security guide for Dynamics GP. This section starts on page 37.

Originally posted by Mark at 9/15/2008 10:00:00 AM