SQL: Assigning Microsoft Dynamics GP Users to SSRS Database Roles

As I begin to wrap up a Microsoft Dynamics GP 2010 R2 production upgrade from Microsoft Dynamics GP 9.0, I ran into a small issue at my client. After deploying the new SSRS reports, and as users were getting ready to try them out, we realized that some 15 logins needed to be assigned to a number of the 24 default database security roles created for the SSRS reports.

User Mappings (some information blurred to protect the client's identity)

This would be a bit cumbersome giving the share number of clicks required to accomplish this feat. In addition, we had just setup Microsoft Dynamics GP security, and given that the SSRS database roles were similar to those in GP, something needed to be done to automate the assignment of these roles based on Microsoft Dynamics GP security roles.

As a result, I created the following script:

-- Created by Mariano Gomez, MVP
--  This code is licensed under the Creative Commons 
--  Attribution-NonCommercial-ShareAlike 2.5 Generic license.
use DYNAMICS;
go

DECLARE @userid varchar(50), @companyid varchar(5), @securityroleid varchar(200), @ssrsRole varchar(200);
DECLARE @sqlStmt varchar(255);

DECLARE c_reportsecurity CURSOR FOR 
	SELECT a.USERID, b.INTERID, a.SECURITYROLEID FROM SY10500 a
		LEFT OUTER JOIN SY01500 b ON (A.CMPANYID = b.CMPANYID)
	WHERE a.USERID not in ('sa', 'DYNSA', 'LESSONUSER1', 'LESSONUSER2') and a.SECURITYROLEID NOT LIKE ('MBS%')
	ORDER BY a.USERID;

OPEN c_reportsecurity;
FETCH NEXT FROM c_reportsecurity INTO @userid, @companyid, @securityroleid;

WHILE @@FETCH_STATUS = 0
BEGIN
	SELECT @ssrsrole = 
		CASE 
			WHEN @securityroleid = 'ACCOUNTING MANAGER*      ' THEN 'rpt_accounting manager'
			WHEN @securityroleid = 'AP CLERK*                ' THEN 'rpt_accounts payable coordinator'
			WHEN @securityroleid = 'AR CLERK*                ' THEN 'rpt_accounts receivable coordinator'
			WHEN @securityroleid = 'BOOKKEEPER*              ' THEN 'rpt_bookkeeper'
			WHEN @securityroleid = 'CA AGENT*                ' THEN ''
			WHEN @securityroleid = 'CA MANAGER*              ' THEN ''
			WHEN @securityroleid = 'CA STAKEHOLDER*          ' THEN ''
			WHEN @securityroleid = 'CERTIFIED ACCOUNTANT*    ' THEN 'rpt_certified accountant'
			WHEN @securityroleid = 'CL AGENT*                ' THEN ''
			WHEN @securityroleid = 'CL DISPATCHER*           ' THEN 'rpt_dispatcher'
			WHEN @securityroleid = 'CL MANAGER*              ' THEN ''
			WHEN @securityroleid = 'CL STAKEHOLDER*          ' THEN ''
			WHEN @securityroleid = 'CUSTOMER SERVICE REP*    ' THEN 'rpt_customer service rep'
			WHEN @securityroleid = 'DP MANAGER*              ' THEN ''
			WHEN @securityroleid = 'DP STAKEHOLDER*          ' THEN ''
			WHEN @securityroleid = 'DP TECHNICIAN*           ' THEN ''
			WHEN @securityroleid = 'FA MANAGER*              ' THEN 'rpt_accounting manager'
			WHEN @securityroleid = 'FA STAKEHOLDER*          ' THEN 'rpt_certified accountant'
			WHEN @securityroleid = 'IT OPERATIONS MANAGER*   ' THEN ''
			WHEN @securityroleid = 'MBS DEBUGGER ADMIN       ' THEN ''
			WHEN @securityroleid = 'MBS DEBUGGER USER        ' THEN ''
			WHEN @securityroleid = 'OPERATIONS MANAGER*      ' THEN 'rpt_operations manager'
			WHEN @securityroleid = 'ORDER PROCESSOR*         ' THEN 'rpt_order processor'
			WHEN @securityroleid = 'PAYROLL CLERK*           ' THEN 'rpt_payroll'
			WHEN @securityroleid = 'PM AGENT*                ' THEN ''
			WHEN @securityroleid = 'PM MANAGER*              ' THEN ''
			WHEN @securityroleid = 'PM STAKEHOLDER*          ' THEN ''
			WHEN @securityroleid = 'POWERUSER                ' THEN 'rpt_power user'
			WHEN @securityroleid = 'PURCHASING AGENT*        ' THEN 'rpt_purchasing agent'
			WHEN @securityroleid = 'PURCHASING MANAGER*      ' THEN 'rpt_purchasing manager'
			WHEN @securityroleid = 'RT AGENT*                ' THEN ''
			WHEN @securityroleid = 'RT MANAGER*              ' THEN ''
			WHEN @securityroleid = 'RT STAKEHOLDER*          ' THEN ''
			WHEN @securityroleid = 'SHIPPING AND RECEIVING*  ' THEN 'rpt_shipping and receiving'
			WHEN @securityroleid = 'WAREHOUSE MANAGER*       ' THEN 'rpt_warehouse manager'
			WHEN @securityroleid = 'WENNSOFT SMS CONTRACTS*  ' THEN ''
			WHEN @securityroleid = 'WENNSOFT SMS DISPATCHER* ' THEN ''
			WHEN @securityroleid = 'WENNSOFT SMS POWER USER* ' THEN ''
			WHEN @securityroleid = 'WENNSOFT SMS SETUP*      ' THEN ''
			WHEN @securityroleid = 'WSJC ACCOUNTANT*         ' THEN ''
			WHEN @securityroleid = 'WSJC ACCOUNTING MANAGER* ' THEN ''
			WHEN @securityroleid = 'WSJC ADMIN*              ' THEN ''
			WHEN @securityroleid = 'WSJC BILLING CLERK*      ' THEN ''
			WHEN @securityroleid = 'WSJC POWERUSER*          ' THEN ''
			WHEN @securityroleid = 'WSJC PROJECT MANAGER*    ' THEN ''
			WHEN @securityroleid = 'WSTT PAYROLL CLERK*      ' THEN ''
			WHEN @securityroleid = 'WSTT POWERUSER*          ' THEN ''
		END
	
	IF (@ssrsRole <> '') 
	BEGIN
		SET @sqlStmt = 'USE ' + rtrim(@companyid) + '; EXEC sp_addrolemember ' + QUOTENAME(@ssrsRole, '''') + ',' + QUOTENAME(rtrim(@userid), '''');
		EXEC(@sqlStmt);
	END
	FETCH NEXT FROM c_reportsecurity INTO @userid, @companyid, @securityroleid;
END

CLOSE c_reportsecurity;
DEALLOCATE c_reportsecurity;

The script looks at the Security Assignment User Role table (SY10500) and retrieves the physical company database from the Company Master table (SY01500), then assign an SSRS database security role to each of the Microsoft Dynamics GP default roles. If a role does not exist, you can choose to leave the assignment blank.

The script then proceeds to evaluate the database security role obtained, then creates a SQL string that can be executed. The SQL string uses the sp_addrolemember system stored procedure to add the corresponding SQL login to the role. A cursor is used to loop through each user, company, and security role combination to obtain and assign the proper SSRS database role.

You can choose to add custom security roles or roles for third party applications that deploy their own SSRS reports to the above script.

This definitely helped saving some time... phew!

Until next post!

MG.-
Mariano Gomez, MVP
IntellPartners, LLC

Comments

Beat BUCHER said…
Hi Mariano,
That was exactly the response that I never got from MS when asked in Fargo during the GP Tech Conference... It seems that there is a gap that MS forgot to fill between the GP security and the SSRS report security... Yes they create all those SQL roles when the wizard installs the GP reports, but the security does not get assigned at all... Thanks for that script that I'll use to adjust accordingly to my GP security roles :-).
Have a great time.
Beat
August 8, 2011 at 10:32 PM
Anonymous said…
There is something I do not understand. The script assigns the sql user associated to the GP Userid to the role but GP SSRS reports are set up to work with windows authentication as the default. So, assigning the role to the GP sql user doesn't have any effect with the GP user lunches the report. am I missing something?
September 16, 2011 at 12:03 PM
Mariano Gomez said…
Maybe I should have clarified. My customer's GP users match their domain users and I guess what I meant to indicate was that you would have to go through that same process of matching the user IDs too if they were different. But that's a lot easier if you create a simple table that correlates the domain user with the GP user ID.

MG.-
September 16, 2011 at 1:44 PM
ron.mcvicar said…
Mariano,
What a great post (as usual) and thanks. Now that it has been a while any update or future thoughts since the post?
I want to start migrating my company's SSRS reports for Dynamics GP to GP Security so certain user can only access certain reports / data based upon their Dynamics GP 2010 Role.
December 21, 2012 at 12:09 PM
Post a Comment

Popular posts from this blog

DBMS: 12 Microsoft Dynamics GP: 0 error when updating to Microsoft Dynamics GP 2013 R2

Image
Hello all! It's been quite a while since I've actually written anything of remote interest to anyone who follows my blog, but at the same time, you will be pleased to know that I've been quite busy in the consulting front, with upgrades, server migrations, complex multi-instance postings involving 10's of thousands of transactions, wrapping up some Field Service Automation projects, and the list goes on and on. This time around I want to bring to the forefront, an issue I encountered updating  from Microsoft Dynamics GP 2013 SP2 to Microsoft Dynamics GP 2013 R2 plus the latest service pack. Background My client requested a server migration to a new environment where they wanted to deploy Dynamics GP 2013 R2 web client (plus the latest service pack) and upgrade their relational database management system to Microsoft SQL Server 2014. This is something I'm absolutely comfortable with (for the most part) given also that my client was sitting at Microsoft Dynamics
Read more

Cannot insert the value NULL into column 'CONTACT' error when clicking on Items List in Navigation Pane

Image
Moving on from my previous article on a similar subject - see Cannot insert the value NULL into column 'BASEUOFM' error when clicking on Items List in Navigation Pane , I recently came across this error,  Cannot insert the value NULL into column 'CONTACT' when clicking on the All Purchasing Transactions list under the Purchasing Navigation Pane option, after performing an upgrade from Microsoft Dynamics GP 9.0 to Microsoft Dynamics GP 2010 R2. All Purchasing Transactions list error - Purchasing Navigation List The name of the global temp table - in this case, tempdb.dbo.##2093338- varies in almost all cases, but the end result of the error is the same. The issue has been identified running Microsoft Dynamics GP 2010 RTM, SP1 or SP2. Upon further review, the issue is due to bad data in the Vendor ID (VENDORID) column in the Purchasing Receipt History table (POP30300). In summary, if you have a purchasing receipt with a blank vendor ID or a vendor ID that doe
Read more

How to uninstall Microsoft Dynamics GP 10.0 if you cannot uninstall it by using the "Add or Remove Programs" feature

INTRODUCTION This article describes how to uninstall an existing Microsoft Dynamics GP v10 system if you cannot uninstall it by using the Add or Remove Programs feature (or Programs and Features in Windows Vista) in Control Panel. It is recommended that you verify that you cannot uninstall by using Add or Remove Programs first. MORE INFORMATION First, verify that you cannot uninstall Microsoft Dynamics GP by using Add or Remove Programs (or Programs and Features) To verify that you cannot uninstall Microsoft Dynamics GP by using Add or Remove Programs (or Programs and Features in Windows Vista), follow these steps. For Windows XP or Windows Server 2003: 1. Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER. 2. Click to select Microsoft Dynamics GP 10.0 product from the application list, and then click Remove. For Windows Vista: 1. Click Start, type Programs and Features in the Search box, and then press ENTER. 2. Click to select the product to be un
Read more