Thanks to some comments by a Fastpath user we identified A small security hole in Microsoft Dynamics GP (and a fix).
Follow the link for details on MSDynamicsWorld.
Why is this a “small” hole?
Primarily because it affects existing users, and only users with access to create GP users. Essentially the Copy Settings functionality available when creating users doesn’t respect security access rights to modify user permissions. If someone is allowed to create GP users, but NOT change permissions, this bug gives them a workaround. They could elevate a user or grant access to other companies by copying access from an existing user.
Be sure to check out the article for a fix.
Is Microsoft going to fix this?
I ran the problem and a recommended workaround as a fix by the GP team. They agreed that GP works as I’ve described and that the fix described will work. My sense is that they don’t plan to fix this…unless of course there is significant interest from the community on getting it fixed.