D365 Finance & Operations and Dynamics AX Forum

New to AX 2012 and trying to lock down security. I noted that there are 4 generic users with the Sys Admin role: Admin, BCProxyU, Dynamic1 and wfexc. Are these built-in users to support future enhancements/hot fixes, etc?

I don't want to remove anything, but need to confirm security.

------------------------------
Margaret Trissel
Rogers Memorial Hospital
Oconomowoc WI
------------------------------

The Admin is a built-in roll.  The BCProxyU account is most likely running your AOS Service.
I suspect the wfexc is from a third party app that you're running, possibly used on some server.  The Dynamics1 may be left over from a previous upgrade.

Check the login history for to see if the accounts are being used to access AX via the client. I would disable the Dynamics1 & wfexc and see what happens.

I use the following T-SQL query to monitor who is a Sys Admin and if they are enabled or not. 

SELECT
UI.ENABLE as Enabled, ' ' as ' ', UI.name as 'System Admin'
FROM
IIMAK_AX2012_R2_Prod.dbo.SECURITYUSERROLe SUR
join IIMAK_AX2012_R2_Prod_model.dbo.SECURITYROLE SR on SUR.SECURITYROLE = SR.RECID
join IIMAK_AX2012_R2_Prod.dbo.userinfo UI on SUR.USER_ = UI.id
WHERE
AOTNAMe = '-SYSADMIN-' order by ui.name

Regards,

Mike

New to AX 2012 and trying to lock down security. I noted that there are 4 generic users with the Sys Admin role: Admin, BCProxyU, Dynamic1 and wfexc. Are these built-in users to support future enhancements/hot fixes, etc?

I don't want to remove anything, but need to confirm security.

Hi Mike,

Thanks for sharing the SQL . I ran the query in our environment and the results did not match with what I see through client. what could be the reason?

The Admin is a built-in roll.  The BCProxyU account is most likely running your AOS Service.
I suspect the wfexc is from a third party app that you're running, possibly used on some server.  The Dynamics1 may be left over from a previous upgrade.

Check the login history for to see if the accounts are being used to access AX via the client. I would disable the Dynamics1 & wfexc and see what happens.

I use the following T-SQL query to monitor who is a Sys Admin and if they are enabled or not. 

SELECT
UI.ENABLE as Enabled, ' ' as ' ', UI.name as 'System Admin'
FROM
IIMAK_AX2012_R2_Prod.dbo.SECURITYUSERROLe SUR
join IIMAK_AX2012_R2_Prod_model.dbo.SECURITYROLE SR on SUR.SECURITYROLE = SR.RECID
join IIMAK_AX2012_R2_Prod.dbo.userinfo UI on SUR.USER_ = UI.id
WHERE
AOTNAMe = '-SYSADMIN-' order by ui.name

Regards,

Mike

New to AX 2012 and trying to lock down security. I noted that there are 4 generic users with the Sys Admin role: Admin, BCProxyU, Dynamic1 and wfexc. Are these built-in users to support future enhancements/hot fixes, etc?

I don't want to remove anything, but need to confirm security.

New to AX 2012 and trying to lock down security. I noted that there are 4 generic users with the Sys Admin role: Admin, BCProxyU, Dynamic1 and wfexc. Are these built-in users to support future enhancements/hot fixes, etc?

I don't want to remove anything, but need to confirm security.

New to AX 2012 and trying to lock down security. I noted that there are 4 generic users with the Sys Admin role: Admin, BCProxyU, Dynamic1 and wfexc. Are these built-in users to support future enhancements/hot fixes, etc?

I don't want to remove anything, but need to confirm security.

You might want to differentiate between roles (users are assigned to roles) and users. From a admin perspective there are at least two roles with admin functions - system administrator and security administrator. I have not toyed with the security administrator function and am not sure what it provides above and beyond the system admin role. I do know we had to use that role for some users and the management reporter functionality. I am thinking a sys admin does not need security admin.

New to AX 2012 and trying to lock down security. I noted that there are 4 generic users with the Sys Admin role: Admin, BCProxyU, Dynamic1 and wfexc. Are these built-in users to support future enhancements/hot fixes, etc?

I don't want to remove anything, but need to confirm security.

Security Administer is the admin role for management reporter and enables that user to maintain security settings in MR.

Before you disable any of those accounts you should check your batch jobs to find out if any jobs were set up under those accounts. In the past batch jobs set up under a user account have stopped working when the user is inactivated. This is a good reason to set up organization wide jobs to execute under a sysadmin account that will never be disabled.

You might want to differentiate between roles (users are assigned to roles) and users. From a admin perspective there are at least two roles with admin functions - system administrator and security administrator. I have not toyed with the security administrator function and am not sure what it provides above and beyond the system admin role. I do know we had to use that role for some users and the management reporter functionality. I am thinking a sys admin does not need security admin.

New to AX 2012 and trying to lock down security. I noted that there are 4 generic users with the Sys Admin role: Admin, BCProxyU, Dynamic1 and wfexc. Are these built-in users to support future enhancements/hot fixes, etc?

I don't want to remove anything, but need to confirm security.

Thanks everyone...Scott, you had that one right. Our consultants were directed to back out of their Admin access and change their roles, resulting in some batch jobs suddenly not running any longer!

Security Administer is the admin role for management reporter and enables that user to maintain security settings in MR.

Before you disable any of those accounts you should check your batch jobs to find out if any jobs were set up under those accounts. In the past batch jobs set up under a user account have stopped working when the user is inactivated. This is a good reason to set up organization wide jobs to execute under a sysadmin account that will never be disabled.

You might want to differentiate between roles (users are assigned to roles) and users. From a admin perspective there are at least two roles with admin functions - system administrator and security administrator. I have not toyed with the security administrator function and am not sure what it provides above and beyond the system admin role. I do know we had to use that role for some users and the management reporter functionality. I am thinking a sys admin does not need security admin.

New to AX 2012 and trying to lock down security. I noted that there are 4 generic users with the Sys Admin role: Admin, BCProxyU, Dynamic1 and wfexc. Are these built-in users to support future enhancements/hot fixes, etc?

I don't want to remove anything, but need to confirm security.