Stephen Smith's Blog

Musings on Machine Learning…

User Roles and Security in Sage 300 ERP



Role-based security and user roles are terms that are in vogue right now in many ERP systems. Although Sage 300 ERP doesn’t use this terminology, it essentially gives you the same thing. This blog looks at how you set up Sage 300 ERP application security and how it matches role-based security.


First you create your Sage 300 ERP users. This is a fairly straightforward process using the Administrative Services Users function.


Here you create your users and set their language, initial password and a few other security-related items.

Security Groups

Security Groups are your roles. For each application, you define one of these for each role. For instance, below we show a security group for the A/R Invoice Entry Clerk role. In this definition we define exactly which functions are required for this role.


Some roles might involve functions from several applications. In this case you would need a security group for each application, but they can all be assigned together for the role.

User Authorizations

User Authorizations is where you assign the various roles to your users. Below I’ve assigned myself to the A/R Clerk role.


If multiple applications are involved, then you would need to add a group ID for each application that makes up the role.

Thus we can create our users, create our roles (which are security groups in Sage 300 ERP terminology) and then assign the roles to users in User Authorizations. As you can see below, signing on as STEVE now results in a much less cluttered desktop with just the appropriate tasks for my role.


Further Security

As you can see above in the Users screen, there are quite a few security options to choose from depending on your needs. One thing not to forget is that there are a number of system-wide security options that are configured from the Security… button in Database Setup.


Also remember to enable application security for the system database for your companies. For many small customers, perhaps application security isn’t an issue. I’ve also seen sites where everyone just logs in as ADMIN. But if you have several users and separation of duties is important, then you should be running with security turned on.


Where is Security Implemented?

In the example above we see how security has affected what the user sees on their desktop. Generally, from a visual point of view, we hide anything a user does not have access to. This means setting up security is a great way of uncluttering people’s workspaces. However, this is a visual usability issue: we don’t want people clicking on things and getting errors saying that they aren’t allowed. It is much better to just provide a cleaner slate.

But this isn’t really security; perhaps at most it’s a thin first layer. The real security is in the business logic layers. All access to Sage 300 functions goes through the business logic layer, and this is where security is enforced. This way, even if you run macros, run UIs from outside the desktop, or find a way to run an import into something you don’t have access to, it will all fail if you don’t have permission.
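A small model of this layering, added here as an illustration: it is not Sage 300 code or its API, and the group IDs, function names and company IDs are constructed. The desktop only filters what is shown, while every caller passes through the same check in the business logic layer, and authorizations are looked up per company.

```python
# Conceptual model only: not Sage 300 code or its API.
# All group IDs, function names and company IDs are constructed for illustration.

# Security groups (roles): defined per application, listing the permitted functions.
SECURITY_GROUPS = {
    ("AR", "ARCLERK"): {"AR_INVOICE_ENTRY", "AR_INVOICE_INQUIRY"},
    ("AP", "APCLERK"): {"AP_INVOICE_ENTRY"},
}

# User authorizations: per company and user, one group ID per application.
USER_AUTHORIZATIONS = {
    ("SAMLTD", "STEVE"): {"AR": "ARCLERK"},
}

ALL_TASKS = [("AR", "AR_INVOICE_ENTRY"), ("AR", "AR_POST_BATCHES"),
             ("AP", "AP_INVOICE_ENTRY")]


class AccessDenied(Exception):
    pass


def is_permitted(company, user, app, function):
    """Single authorization decision shared by every entry point."""
    group_id = USER_AUTHORIZATIONS.get((company, user), {}).get(app)
    return function in SECURITY_GROUPS.get((app, group_id), set())


def desktop_tasks(company, user):
    """UI layer: hide what the user cannot run (usability, not enforcement)."""
    return [f for app, f in ALL_TASKS if is_permitted(company, user, app, f)]


def business_logic_call(company, user, app, function, caller="desktop"):
    """Business logic layer: desktop, macro and import callers are all checked here."""
    if not is_permitted(company, user, app, function):
        raise AccessDenied(f"{user} may not run {function} in {company} (via {caller})")
    return f"{function} executed for {user} in {company}"


if __name__ == "__main__":
    print(desktop_tasks("SAMLTD", "STEVE"))
    for caller in ("desktop", "macro", "import"):
        try:
            print(business_logic_call("SAMLTD", "STEVE", "AR", "AR_POST_BATCHES", caller))
        except AccessDenied as exc:
            print("DENIED:", exc)
```
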


Sage 300 ERP security is a good mechanism for assigning users to their appropriate roles and, as a result, simplifying their workspace. This is important in accounting, where separation of duties is necessary to prevent fraud.

9 Responses


  2. If you delete a user under one company, do you need to reallocate rights to the user in the other companies the user has rights to, or does it only affect the company that they are currently logged in to?


    July 23, 2015 at 9:49 pm

    • A user spans all the companies. If you delete the user he will be deleted from accessing Sage 300 for all companies.


      July 23, 2015 at 10:29 pm

      • OK, I recreated that user in the test company that he didn’t have rights to and checked if his rights were affected in the other companies he had access to, but I did not try to process anything; I just checked if he could view transactions like the history. But I had to assign new rights to him in the test company. My question is: do I have to assign rights to him in the other companies he had rights to, or will they be allocated automatically?


        July 24, 2015 at 3:48 am

      • Yes, you need to assign the rights for each company. The security groups are shared across the companies but individual rights are by company.


        July 24, 2015 at 3:13 pm

  3. Where are user authorizations stored? They are not in the dump.


    March 1, 2017 at 4:16 pm

    • It’s in one of the files in the site folder, but it’s encrypted. There isn’t a way to get this from the API due to security concerns.


      March 1, 2017 at 4:49 pm

  4. Is there a maximum number of security groups that we can create in Sage 300?


    October 19, 2018 at 9:16 am

    • Only based on having unique keys, which is a pretty big list. Keep in mind that the list attached to the security authorization for a user has to be loaded into memory when a database link is opened. Usually this isn’t a problem.


      October 19, 2018 at 10:58 pm
