Acumatica Security
Practical Steps to Help Protect Your Acumatica ERP System

Acumatica includes security tools designed to help protect your company’s financial, customer, vendor, inventory, and operational data. However, these tools are most effective when they are reviewed and maintained as part of your normal business process.

This page highlights practical security areas Acumatica customers should review, including password settings, multi-factor authentication, user roles, consultant access, integrations, and recurring security reviews.

The goal is not to make your team security experts. The goal is to help you identify common areas that may need attention before they become a problem, because apparently waiting until something breaks is still the most popular business strategy.

Key Areas to Review

Password Settings

Acumatica customers should review company-wide password settings to confirm they meet current security expectations.

Recommended areas to review include:

• Minimum password length
• Password complexity requirements
• Password expiration timing
• Password history
• Account lockout after failed login attempts
• Password reset procedures

A practical starting point is to require longer passwords, prevent repeated reuse of old passwords, and lock accounts temporarily after several failed login attempts.

Multi-Factor Authentication

Multi-factor authentication, commonly called MFA, adds another layer of protection beyond a password.

MFA should be strongly considered for:

• All users
• Administrators
• Finance and accounting users
• Remote users
• Consultants and outside support users
• Users with access to sensitive data

MFA is one of the most practical ways to reduce the risk of unauthorized access.

User Roles and Permissions

Acumatica uses role-based security, which means users should receive access based on their job responsibilities.

Examples may include:

• Accounts Payable Clerk
• Sales Manager
• Warehouse User
• Controller
• System Administrator
• Read-Only Executive User
• Outside Consultant

Users should only have access to the screens, reports, and functions needed to perform their job. This is often called the principle of least privilege, which is a fancy way of saying “do not give everyone the keys to the whole building.”

Administrator Access

Administrator access should be limited to a small number of trusted users.

Companies should regularly review:

• Who has administrator rights
• Whether administrator accounts require MFA
• Whether admin access is still needed
• Whether shared administrator accounts are being used
• Whether former employees or consultants still have access

Administrator rights should not be assigned casually or used for daily activity unless necessary.

Consultant and Partner Access

Outside consultants and partners may need access to your Acumatica system for implementation, support, upgrades, or project work. That access should be reviewed and controlled.

Best practices include:

• Use named consultant accounts
• Avoid shared logins
• Assign only the access needed
• Disable temporary accounts when work is complete
• Review consultant access regularly
• Remove access when a consultant is no longer supporting your account

Consultant and temporary project accounts should also be reviewed during project closeout.

Integration and Service Accounts

Integrations should use dedicated service accounts instead of regular employee logins.

This may apply to:

• eCommerce integrations
• EDI platforms
• Shipping systems
• Reporting tools
• Warehouse systems
• API connections

Using service accounts helps avoid problems when an employee leaves and makes it easier to understand which systems are connected to Acumatica.

Quarterly Security Reviews

Security should not be reviewed only when there is a problem. A quarterly review can help keep access clean and current.

A good quarterly review should include:

• Active users
• Former employees
• Administrator accounts
• Consultant accounts
• Security roles
• MFA settings
• Integration and service accounts
• Inactive users
• Login activity

This does not need to be complicated. A simple recurring review is often enough to catch issues before they turn into expensive little disasters with invoices attached.

Quick Acumatica Security Checklist

Use this as a starting point:

• Review all active users
• Disable former employee accounts
• Confirm MFA settings
• Review administrator access
• Review consultant access
• Review security roles
• Confirm integration/service accounts are documented
• Review login activity
• Schedule quarterly security reviews
• Include Acumatica in employee offboarding procedures

How ACC Can Help

ACC Software Solutions can help Acumatica customers review their current security setup and identify areas that may need attention.

ACC can assist with:

• Reviewing active users and inactive accounts
• Reviewing administrator access
• Reviewing consultant and partner access
• Reviewing security roles and permissions
• Discussing MFA and single sign-on options
• Reviewing integration and service accounts
• Helping document offboarding procedures
• Creating a recurring security review process

Our focus is to help customers improve security in a practical way without making the system harder to use.

Need Help Reviewing Your Acumatica Security Settings?

ACC Software Solutions can help your team review user access, MFA options, security roles, consultant accounts, integration users, and other Acumatica security best practices.

Contact ACC Support
Email: support@4acc.com
Website: www.4acc.com/support