System security, accounts and passwords can be a very broad and complex topic. I want to simplify it down a little as it relates specifically to the different kinds of Dynamics GP Application User Security Accounts and the SQL Server System Administrator account – and hopefully provide some understanding of the use, purpose and differences of these accounts as well as offer insight into account password policies.
Table of Contents
- SQL Server System Administrator Account
- The DYNSA Account
- Dynamics GP User Accounts
- Dynamics GP ‘System’ Password
- Account Password Policies
SA – SQL Server System Administrator Account
Microsoft Dynamics GP uses application-based security. When the SQL Server Database Engine is installed for hosting the Dynamics GP SYSTEM and COMPANY databases – its internal Server Authentication mode is set to what is called ‘SQL Server and Windows Authentication mode’ (sometimes called ‘Mixed Mode’ security) – which allows NT Security for certain forms of SQL data access and application-based security for Dynamics GP user accounts. This is a prerequisite setting for hosting the Dynamics GP environment on your SQL Installation.
When the SQL Server Database Engine is installed – a System Administrator account called ‘SA’ is implemented with a password supplied by the installer. The SA account has the highest privileges for administering the SQL Server environment – and in general should only be used for that purpose.
The Dynamics GP application, however, can take advantage of the elevated privileges of the SA account (or the DYNSA account – described below) and allow you to log into Dynamics GP – and be able to administer some high-level security routines such as User Account adds/removes – or even make GP User Account password changes. The SA account will automatically be granted Power User privileges and access to all company databases while using the GP Application.
On occasion you may need to log into Dynamics GP with an account that has elevated privileges, like the SA or DYNSA account, to administer security features that a regular GP Application User Account cannot.
Changing the SA Account password is done through the SQL Server Management Studio interface and not from the Dynamics GP Graphical User Interface (GUI). This account password is case-sensitive.
Note: It is not recommended to change the password on the SA Account unless absolutely necessary.
DYNSA – Dynamics GP Application Account with Elevated Privileges
It isn’t always best practice to provide the SA account to the Dynamics GP user community as it does provide the highest elevation of privileges. There is an alternate account which is implemented when the Dynamics GP application is first installed – it is called DYNSA.
The DYNSA account provides just enough elevated privileges to the Dynamics GP user community for logging into the application and administering the User Accounts as required (without giving it the higher privileges that an SA account may have). The DYNSA account usually has the ‘Security Admin’ SQL Role applied to it.
The DYNSA account is also automatically granted Power User privileges and access to all company databases while using the GP Application – but this can be managed using the GP Application Security Interface. The DYNSA account password is also managed from within the Dynamics GP Security interface. This account name and password are case-sensitive.
GP Application User Accounts
When you install Dynamics GP, you add Application User accounts through the Microsoft Dynamics GP >> Tools >> Setup >> System >> User interface. You then grant those accounts access to specific Company Databases, as well as additional Security Roles and Tasks to permit them access to functions and screens depending on their individual responsibilities. These are the accounts that staff use when logging into Dynamics GP to process their day-to-day finance routines.
Note that current versions of Dynamics GP use a “role” based security paradigm.
Remember, when logging in with your Application User account – the account name and the password are both case-sensitive.
You can define the User Accounts to take advantage of SQL Advanced Security options if the Enforce Password Policy check box is selected in the User Setup window – this will ensure certain domain password policies are enabled for this user’s Account security features if the policies are enabled in Active Directory.
Keep in Mind: The GP User Application accounts may in some cases resemble your Windows NT account (e.g. pceaser) – and you may even choose to use the same password as your Windows NT account – but they are not linked. There are Add-On products you can acquire that will provide an SSO (Single Sign On) experience for GP Users and those who administer the Active Directory and Windows NT Accounts.
Further Resources Regarding User Application Accounts:
- Difference Between Full, Limited, and Self Service User Types
- Microsoft Dynamics GP Application Level Security Blog Series
The Dynamics GP System Area Password
This area of features/functions within the Microsoft Dynamics GP >> Tools >> Setup >> System menu is restricted by a password. A user would use this System area of features if they wanted to update some Registration Keys, or do some Application Security setup/changes – or set some system-wide values such as Currency Values in use.
Anyone attempting to access this area is presented with a password requirement – this is commonly called the System Password or sometimes the System Area Password. This password is set when Dynamics GP is initially set up – but it can be changed.
There are generally only a few individuals in any organization who should have access to this area of System Features, so this password should not be widely distributed. The password is case-sensitive, restricted to 15 characters or less, and should be set securely with a variety of upper/lower case characters, numbers and special characters.
Note: This System Password is not governed by the SQL Advanced Security functions or the Active Directory policies.
There is always a need to be more secure with passwords these days – and following best practices for setting passwords for SQL’s SA account or Dynamics GP Application Accounts is no exception.
Dynamics GP application account passwords should be set to a mix of upper and lower-case characters, numbers and special keyboard symbols – while ensuring the overall password length is 21 characters or less. GP Users can change their passwords to something else if they choose Dynamics GP >> User Preferences >> Password – but they should adhere to their specific company’s policy regarding standards for password strength, length, and complexity.
As SQL’s SA account provides the highest level of access to the SQL environment, there is a tendency to want to make this password extremely long and complex – perhaps in excess of 32 characters long. Although this may make this password more secure, there is a 21-character restriction in the Application Account Password field on the login screen for Dynamics GP, so if you wish to use the SA account to log into GP, you will need to make its password 21 characters or less (there are still many secure combinations of characters you can use to make a fairly crack-proof SA password even using only 21 characters).
Account Password Policies
Certain Active Directory (AD) domain password policies can apply to Microsoft Dynamics GP User Application Accounts if you take advantage of the Advanced SQL Server Options in the User Setup window. These options integrate the Active Directory service domain password policies with Microsoft Dynamics GP, so that the domain password policies apply to Microsoft Dynamics GP users.
When the Enforce Password Policy check box is selected in the User Setup window, the following domain password policies are enabled if the policies are enabled in your network’s Active Directory:
Enforce Password Policy
Mark this option to force users to adhere to the same password policies that have been established on the Windows Server domain.
Change Password Next Login
Mark this option to force users to change their passwords the next time they log in to Microsoft Dynamics GP.
Enforce Password Expiration
Mark this option to force users to change their passwords after the number of days that is defined by the Windows Server domain password policies. The Dynamics GP Application includes a notification feature to let you know when your password is about to expire – so you have 7 days to think of a new password.
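The following read-only T-SQL audit is an added example, not part of the original article; it shows how the authentication mode and the three options above can be checked on the SQL Server side. It assumes that GP application users exist as SQL logins on the instance, that the User Setup check boxes correspond to the login flags shown, and that the ‘Security Admin’ role mentioned for DYNSA is the securityadmin fixed server role.

```sql
-- Added example: read-only audit of the instance hosting Dynamics GP.
-- Assumption: GP application users exist as SQL Server logins here.

-- 1) Server authentication mode.
--    0 = SQL Server and Windows Authentication (Mixed Mode), 1 = Windows only.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2) Password policy flags and elevated server roles for every SQL login.
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,      -- assumed to reflect Enforce Password Policy
    l.is_expiration_checked,  -- assumed to reflect Enforce Password Expiration
    LOGINPROPERTY(l.name, 'IsMustChange')        AS must_change_next_login,
    LOGINPROPERTY(l.name, 'DaysUntilExpiration') AS days_until_expiration,
    IS_SRVROLEMEMBER('sysadmin', l.name)         AS is_sysadmin,
    IS_SRVROLEMEMBER('securityadmin', l.name)    AS is_securityadmin
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'   -- skip internal certificate-based logins
ORDER BY is_sysadmin DESC, is_securityadmin DESC, l.name;

-- 3) Logins that warrant review: elevated server role, or enabled
--    without the domain password policy being enforced.
SELECT
    l.name,
    l.is_policy_checked,
    l.is_expiration_checked,
    IS_SRVROLEMEMBER('sysadmin', l.name)      AS is_sysadmin,
    IS_SRVROLEMEMBER('securityadmin', l.name) AS is_securityadmin
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'
  AND l.is_disabled = 0
  AND (   l.is_policy_checked = 0
       OR IS_SRVROLEMEMBER('sysadmin', l.name) = 1
       OR IS_SRVROLEMEMBER('securityadmin', l.name) = 1)
ORDER BY l.name;
```

Run it from SQL Server Management Studio with a login that can view server-level metadata; the queries change nothing, and any policy changes for GP users are still made in the User Setup window.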
Additional resources regarding SQL Server Security and Dynamics GP Security:
- Microsoft Password Guidance
- The Scoop on Dynamics GP’s Application Password System
- Advanced SQL Server Options
- Security Planning
If you have any questions about Microsoft Dynamics GP, please contact us any time!