Use Users, Groups, and Roles to manage authentication, application access, feature permissions, data visibility, and security contacts in Epicor FP&A. User administration includes creating users, assigning licenses, managing instance access, organizing users into groups, assigning roles, and configuring security contacts.
You can access Users from the Administration section of the Left Nav pane.
In this article, we will cover:
Users, Groups, and Roles Overview
The Users, Groups & Roles area provides administrative control over application access and permissions.
| Area | Purpose |
|---|---|
| Users | Create and maintain user accounts. |
| Groups | Organize users into groups for easier administration. |
| Roles | Control feature access, Excel access, and administrative permissions. |
Licensed and Unlicensed Users
Users can be:
Licensed users who can sign in to the application.
Unlicensed users who can use limited functionality such as report subscriptions.
Understanding Security Responsibilities
Roles, data access, and workflow security serve different purposes.
Administrators Role
The Administrators role controls what users can do in the application. It determines which administrative features and menu options are available.
Membership in the Administrators role does not grant access to application data.
FullAccess Role
The FullAccess role controls what data users can see. Users in this role have unrestricted access to system data.
FullAccess removes data access restrictions but does not grant administrative permissions.
Organization and Workflow Security
For most users, data access is controlled through Organization & Workflow assignments and hierarchy-based security.
Creating a User
From the Left Nav pane, select Users.
The Users & Groups page is displayed.
Select the Users tab.
Select New User.
Enter the required user information.
Select the appropriate License Type.
Optional: Select Send an invite email.
-
Select Create User.
The system creates the user account and applies the selected license type.
Managing Users
Disabling a User
Open the user record.
Clear Enabled User.
Select Save.
Deleting a User
Open the user record.
Select Delete.
Confirm the deletion.
-
Save the changes.
Deleting a user permanently removes the account.
Resetting a Password
Open the user record.
Select Reset Password.
Generate a new password.
Optional: Select Send invite email.
Select Save.
Password Requirements
Passwords must contain:
At least 8 characters
At least one digit
At least one special character
At least one uppercase letter
At least one lowercase letter
Assigning a User to Additional Instances
Users can be granted access to additional instances owned by the same customer.
Assigned Instances Tab Availability
The Assigned Instances tab appears only when:
The user belongs to a Home Instance.
The customer owns multiple instances.
The tab is not available for users who are already assigned to a non-home instance or when only one instance exists.
Assigning an Additional Instance
Open Users.
Double-click the user.
Open the Assigned Instances tab.
Select Assign to Instance.
Select the target instance.
-
Confirm the assignment.
The user can access the assigned instance through My Instances.
Renewing Expired Instance Assignments
Global Administrators can renew expired user assignments in bulk.
Renewing Expired Users
Open Users & Groups.
Select the Users tab.
Select Renew Expired Users.
Select the users to renew.
-
Confirm the action.
The system extends the assignment expiration date by one year from the current date.
Renewal Rules
Only users with Assigned License Type are eligible.
Only Global Administrators can perform bulk renewals.
Expired assignments remain unavailable until renewed.
Creating a Group
Groups provide an optional method for organizing users. In many implementations, groups are not required.
Creating a Group
Open Users.
Select the Groups tab.
Select New Group.
Enter the Group Name.
Enter the Display Name.
Select Save.
Adding Users to a Group
Select the group.
In Group Settings, select Add (+).
Select the users.
Save the changes.
Disabling or Deleting a Group
Disabling a Group
Open the group.
Clear Enabled Group.
Select Save.
Deleting a Group
Open the group.
Select Delete.
Confirm the deletion.
About Roles
Roles control feature access, Excel access, and administrative permissions. Both users and groups can be assigned to a role.
System Roles
The following system roles are created automatically and cannot be deleted.
| Role | Purpose |
|---|---|
| All Users | Automatically includes all active users and controls default functionality and Excel access. |
| FullAccess | Provides unrestricted access to application data. |
| Administrators | Provides administrative access to the application. |
Creating a Role
Open Users.
Select the Roles tab.
Select New Security Role.
Enter the role name.
Select Save.
Deleting a Role
Open the Roles tab.
Select the role.
Select Delete.
Confirm the deletion.
Adding Users or Groups to a Role
Open the Roles tab.
Select the role.
Open the Members tab.
Select Add Members.
Select the users or groups.
Select Apply.
Select Save.
Removing Users or Groups from a Role
Select the role.
Open the Members tab.
Select the users or groups to remove.
Select Remove.
Configuring Feature Access
Use the Features Access tab to grant or remove application functionality.
Grant Feature Access
Select a role.
Open Features Access.
Select the features to grant.
Select Save.
Removing Feature Access
- Open Features Access.
- Clear the features to remove.
- Select Save.
Configuring Excel Access
Excel access is managed similarly to Feature Access through the Excel Access tab.
Examples of Excel permissions include:
Excel Access
Mobile Access
Send Data
Send Status
Open Assignments
Open Shared Workbook Library
Open Shared Report Library
Report Editor
Configuring Report Access Permissions
Three feature permissions control report-related actions.
| Permission | Description |
|---|---|
| Report Editor | Open and edit existing reports. Cannot create reports. |
| Report Creation | Create new reports and copy reports. Cannot edit existing reports. |
| Personal Report Creation | Create personal report copies editable only by the current user. |
Configuring Security Contacts
Security Contacts identify the people responsible for security, privacy, and data access activities. These contacts are assigned through Organization & Workflow positions.
Data Access & Connection Administrator
Responsible for:
Data access requests
Source system connection issues
Data integrity issues
Availability issues
Source data access issues
This role is also referred to as a Data Subject Access Request (DSAR) Administrator.
Data Protection Officer
Responsible for:
Data protection compliance
Privacy incident notifications
Security Administrator
Responsible for responding to security incidents.
Optional Security Settings
Additional security settings can be enabled by contacting Support.
Available options include:
Account lockout after five failed sign-in attempts.
System-generated passwords sent directly to users.
Password history restrictions.
Password expiration after 90 days.
Password recovery through corporate email.
Idle session timeout after 15 minutes.
Deploying Users and Roles Changes
After making changes to users, groups, or roles, deploy the configuration.
Deploying Users and Roles
Select the user menu in the upper-right corner.
Select Deploy.
Select Users & Roles.
Select Start Deploy.
Switching User
Administrators can view the application as another user.
Switching User
Open the user menu.
Select Switch User.
Select the user to impersonate.
Best Practices
Use the Administrators role for application administration only.
Use the FullAccess role only for users who require unrestricted access to data.
Manage most data access through Organization & Workflow security.
Use groups to simplify role assignments when managing large numbers of users.
Deploy Users & Roles after making security changes.
Review report permissions carefully when granting report creation or editing rights.