System security, accounts and passwords can be a very broad and complex topic. I want to simplify it down a little as it relates specifically to the different kinds of Dynamics GP Application User Security Accounts and the SQL Server System Administrator account – and hopefully provide some understanding of the use, purpose and differences of these accounts.
There are 4 unique accounts described here:
- SQL Server System Administrator Account
- The DYNSA Account
- Dynamics GP User Accounts
- Dynamics GP ‘System’ password (not really an account)
SA – SQL Server System Administrator Account
Microsoft Dynamics GP uses application-based security. When the SQL Server Database Engine is installed for hosting the Dynamics GP SYSTEM and COMPANY databases – it’s internal Server Authentication mode is set to what is called ‘SQL Server and Windows Authentication mode’ (sometimes called ‘Mixed Mode’ security) – which allows NT Security for certain forms of SQL data access and application-based security for Dynamics GP user accounts. This is a prerequisite setting for hosting the Dynamics GP environment on your SQL Installation.
When the SQL Server Database Engine is installed –a System Administrator account called ‘SA’ is implemented with a password supplied by the installer. The SA account has the highest privileges for administering the SQL Server environment – and in general should only be used for that purpose.
The Dynamics GP application, however, can take advantage of the elevated privileges of the SA account (or the DYNSA account – described below) and allow you to log into Dynamics GP – and be able to administer some high-level security routines such as User Account adds/removes – or even make GP User Account password changes. The SA account will automatically be granted Power User privileges and access to all company databases while using the GP Application.
You may find it necessary on occasion to want to log into Dynamics GP with an account with elevated privileges like the SA or DYNSA account – to allow you to administer some security features that a regular GP Application User Account is unable to.
Changing the SA Account password is done through the SQL Server Management Studio interface and not from the Dynamics GP Graphical User Interface (GUI). This account password is case sensitive.
DYNSA – Dynamics GP Application Account with Elevated Privileges
It isn’t always best practice to provide the SA account to the Dynamics GP user community as it does provide the highest elevation of privileges. There is an alternate account which is implemented when the Dynamics GP application is first installed – it is called DYNSA.
The DYNSA account will provide just enough elevated privileges to the Dynamics GP user community for logging into the application and administering the User Accounts as required (without giving it any higher privileges as an SA account may have).
The DYNSA account is also automatically granted Power User privileges and access to all company databases while using the GP Application – but this can be managed using the GP Application Security Interface. The DYNSA account password is also managed from within the Dynamics GP Security interface. This account name and password is case sensitive.
GP Application User Accounts
When you install Dynamics GP, you add Application User accounts through the Microsoft Dynamics GP >> Tools >> Setup >> System >> User interface. You then grant those accounts access to specific Company Databases, as well as additional Security Roles and Tasks to permit them access to functions and screens depending on their individual responsibilities. These are the accounts that staff use when logging into Dynamics GP to process their day-to-day finance routines.
Remember when logging in with your Application User account – the account name and the password are both case sensitive.
You can define the User Accounts to take advantage of SQL Advanced Security options if the Enforce Password Policy check box is selected in the User Setup window – this will ensure certain domain password policies are enabled for this user’s Account security features if the policies are enabled in Active Directory.
Keep in Mind: The GP User Application accounts may in some cases resemble your Windows NT account (i.e. pceaser) – and you may even choose to use the same password as your Windows NT account – but they are not linked. There are Add-On products you can acquire that will provide an SSO (Single Sign On) experience for GP Users and those who administer the Active Directory and Windows NT Accounts.
The Dynamics GP System Area Password
The area of features/functions within the Microsoft Dynamics GP >> Tools >> Setup >> System menu is restricted by a <password>. A user would use this system area of features if they wanted to update some Registration Keys, or do some Application Security setup/changes – or set some system wide values such as Currency Values in use.
Anyone accessing this area is presented with a Password requirement – this is commonly called The System Password or sometimes The System Area Password. This password is set when Dynamics GP is initially setup – but it can be changed.
There are generally only a few individuals in any organization who should have access to this area of System Features so this password should not be widely distributed. The password is case sensitive and restricted to 15 characters long or less and should be set securely with a variety of upper/lower case characters, numbers and special characters. This System Password is not governed by the SQL Advanced Security functions or the Active Directory policies.
There is always a need to be more secure with passwords these days – and setting a password for SQL’s SA account is no exception. As this is a very important account which provides the highest level of access to the SQL environment, there is a tendency to want to make this password extremely long and complex – perhaps in excess of 25 characters long. Although this may make this password more secure – there is a 15-character restriction in the Application Account Password field on the log in screen for Dynamics GP – so if you wish to use the SA account to log into GP, you will need to provide its password to be 15 characters or less (there are still many secure combinations of characters you can use to make a fairly crack-proof SA password even using only 15 characters).
When initially setting regular GP User Application Passwords they should also be set to be somewhat complex, a mix of upper and lower-case characters, numbers and special keyboard symbols – but again ensuring these are 15 characters or less. GP Users can change their passwords to something else if they choose Dynamics GP >> User Preferences >> Password – but they should adhere to a certain minimum standard for password strength, length and complexity.
Additional resources to regarding SQL Server Security and Dynamics GP Security:
If you have any questions about Microsoft Dynamics GP, please contact us any time!
What is new in Dynamics GP 2016?
Get 9 premium pieces of content that will help you plan a Dynamics GP upgrade!Get The Upgrade Guide