Security Scope: GP client (v18.6.1728), SQL Server 2019, integrations (SmartConnect, eConnect, PanatrackerGP, Docuphase, etc.), custom forms/reports, and access via Citrix/RDC. Excluded: HR/Payroll (ReadyPay HR3) and non-GP systems.

Access Flow

Source: Aidacare ERP MS-GP Infrastructure Details.docx

All users access Microsoft GP exclusively through the Citrix and Remote Desktop pathway. Direct server access is restricted.

  1. User Workstation: Any corporate endpoint
  2. Citrix VA&D: AIDADC02V — 2203 LTSR
  3. Remote Desktop (RDC): Citrix-brokered session
  4. AIDAGPDEV01V: GP App Server
  5. GP Client 18.6.1728: Microsoft Dynamics GP
  6. SQL Server 2019: AIDASQL01P — 27 DBs

Access Principles

  • Rule: Access GP via Citrix and RDC only — direct server access is restricted for all users.
  • Rule: No direct SQL writes to GP databases — use eConnect for all programmatic integration.
  • Integrations: Service accounts are used for integrations: SmartConnect, eConnect, ODBC connections.
  • Databases: 27 GP databases on AIDASQL01P, including DYNAMICS, HANDR, TWO and company databases.

Key Infrastructure Components

  • GP Client Version: 18.6.1728
  • Citrix Server: AIDADC02V — Citrix Virtual Apps & Desktops 2203 LTSR
  • GP App Server: AIDAGPDEV01V (10.26.21.43)
  • SQL Server: AIDASQL01P — SQL Server 2019
  • Database Count: 27 GP databases (DYNAMICS, HANDR, TWO + others)
  • Access Method: Citrix VA&D → Remote Desktop Connection (RDC)
  • Direct Server Access: Restricted. No direct server access for end users
  • Integration Access: SmartConnect, eConnect, ODBC via dedicated service accounts

Full user and roles list: Available in Aidacare ERP MS-GP Users and Roles List.xlsx (TechCodebase root). This file is a source document and has not been copied into the portal assets — access via the TechCodebase directly or request from Aidacare IT. See also: AidaCare Role Task Mapping.xlsx available separately.

Known Role Categories

Detail requires Aidacare validation
| Role Category | Modules / Access | Notes | Status |
|---|---|---|---|
| Finance Users | AP, AR, GL, Management Reporter, SmartView reporting access | Period-close and posting permissions included | TBD — exact roles require Aidacare confirmation |
| Warehouse / Inventory Users | PanatrackerGP, Inventory module — receiving, picking, stocktake, transfers | Barcode scanner access via Panatracker app on AIDABCODE01V | TBD — exact roles require Aidacare confirmation |
| Sales / SOP Users | Order entry, quote management, SOP module access | CRM integration users may have additional external system access | TBD — exact roles require Aidacare confirmation |
| Admin / IT | Full GP admin access — all modules, system settings, user management | GP SA account and system administrator profiles | TBD — exact roles require Aidacare confirmation |
| Read-Only / Reporting | Management Reporter, SmartView, SmartList, Popdock — enquiry and export only | No posting or transactional write access | TBD — exact roles require Aidacare confirmation |

Integration Service Accounts

  • SmartConnect: Dedicated service account for SmartConnect (eOne v21.1.0.10) integration jobs
  • eConnect: Service account for eConnect GP posting API — no direct DB writes
  • ODBC: ODBC service accounts for read-only reporting tools (SmartView, Popdock)
  • PanatrackerGP: Service account on AIDABCODE01V (10.26.21.85) for barcode scanning integration

Policy documents are stored in TechCodebase/Policy Docs/. Download links point to the portal's local copies in assets/docs/Policy Docs/.

Identity & Access Management Policy

IAM

Governs user provisioning, deprovisioning, role assignments, access reviews and authentication standards for Aidacare systems including GP.

Incident Management Policy

Security Incidents

Defines the process for identifying, reporting, escalating and resolving IT security incidents across Aidacare systems.

Change Management Policy

Change Control

Change control procedures for GP modifications, infrastructure changes, integrations and configuration updates.

Backup Policy

Data Protection

Backup schedules, retention periods, storage requirements and recovery validation for GP databases and application servers.

Disaster Recovery Policy

DR / BCP

Disaster recovery procedures, RTO/RPO targets, and business continuity planning for GP and supporting infrastructure.

Vulnerability & Patch Management Policy

Patching

Patch management schedules, vulnerability scanning requirements and remediation timelines for GP servers, SQL Server, and OS.

Consolidated RACI Matrix

For Discussion

Responsibility, Accountability, Consultation and Information matrix covering IT and ERP roles across Aidacare. Marked "For Discussion" — confirm final version with Aidacare IT governance team.

Document References

  • GP Security Doc Ref: QR-IT-ERP-001 V0.1
  • Infrastructure Doc Ref: QR-IT-INF-001 V0.1
  • RACI Matrix: Aidacare - Consolidated RACI Matrix (For Discussion).xlsx — available for review in Policy Docs
  • Users & Roles Register: Aidacare ERP MS-GP Users and Roles List.xlsx (TechCodebase root)
  • Role Task Mapping: AidaCare Role Task Mapping.xlsx (available separately)

Compliance Items

Validation Required
  • Segregation of Duties: TBD — Requires Aidacare validation. SoD controls not documented in TechCodebase.
  • Audit Logging: TBD — GP SQL audit logging configuration not documented. Confirm with Aidacare IT.
  • Access Review Cycle: TBD — Periodic access review schedule not documented. Refer to IAM Policy for guidance.
  • Password Policy: TBD — GP and Windows AD password policy details not documented in TechCodebase.

These risks and open items are sourced from the TechCodebase review. See the full Risks & Gaps Register for all items.

Security Risks & Open Items

| ID | Risk / Item | Severity | Description | Recommendation |
|---|---|---|---|---|
| RISK-001 | SQL Server Developer Edition in Production | High | Infrastructure doc notes SQL Server 2019 Developer Edition — not licensed for production use. | Validate SQL Server licence type; confirm Standard or Enterprise is in use. |
| RISK-008 | POS direct SQL access to HANDLR bypasses GP logic | High | POS (Envisage) connects directly to HANDLR SQL DB — GP business rules not enforced for these writes. | Review what data POS reads/writes directly; ensure GP data integrity is maintained. |
| RISK-010 | PayWay API credentials not documented | High | PayWay integration credentials (AIDACARE.DIC) not documented in TechCodebase. | Ensure credentials are stored in secure vault; document recovery procedure. |
| RISK-009 | POS source code held by Envisage | Medium | Aidacare has no access to POS source code — full dependency on Envisage for all changes. | Negotiate source code escrow or documented interfaces. |
| TBD-001 | MobileTech access controls | Medium | MobileTech (WennSoft field service app) access controls not documented in TechCodebase. | Confirm MobileTech user authentication and access control configuration with Aidacare IT. |
| TBD-002 | ECHIA AWS-hosted — limited direct access | Medium | ECHIA is hosted on AWS by Envisage. Limited direct access for security audit by Aidacare IT. | Confirm SLA with Envisage; document escalation path and security controls. |
| GAP-002 | User roles and permissions detail incomplete | Medium | Users and Roles List.xlsx exists but role-by-role permission detail is not documented in TechCodebase. | Extract role permissions from GP and document per role. |