Forum Discussion
Hello The_Doc
From a software point of view, setting them up as a user with a role and the permissions that they need should work just as well as adding them as an administrator.
However, I can't confirm how this 3rd party software operates, so while I can agree with you that setting up their own role restricting them to what they need to operate should work, I can't specifically confirm if this will work.
Hi ChrisMYOB
Thanks Chris - it worked the way I thought it would/should and as you have alluded to.
However, I will write this post for others, as there is an inherent security problem here if this process is not fully understood: allowing a generic 3rd party connection through the API to your file.
We are implementing a 3rd party wage system and, though I have no criticism of their process of implementation (it has been very good), the person tasked to do the "integration" of their internet-based software to our MYOB file, very polite and very professional, had 'ABSOLUTELY NO IDEA WHAT THEY WERE TALKING ABOUT WITH REGARD TO SECURITY, CONNECTION' and actually understanding what they were asking me to let them do!
That is the problem - the person (neutral gender - very 'woke am I') said
"To connect to your file we 'JUST NEED YOUR ADMINISTRATION LOGON'!" (I didn't say this, but I thought it: wow, nope you don't, mate.)
My reply: "Hmm, let me review your request. I am loath to give you the keys to the crown jewels, as I think this is unnecessary just to look at them!"
I was right, and 'the person' in retrospect admitted he went and talked with his software guys, and they agreed the 'admin' logon is unnecessary.
And when we did the connection process he 'screenconnected' to my server and I showed him the permissions area of MYOB and how to tighten down Roles and limit access.
Get this - HE HAD NEVER SEEN THIS BEFORE AND DIDN'T KNOW IT EXISTED - oops!
Be careful about just handing out the keys to your crown jewels.
How did I tighten down their access so they can only get the information I want them to have?
1. Set up a new email account just for this permission. Let's just say your email account is @bigtractors.com.au and you are using this 3rd party wage system called 'WagesOnTheNet'; create a new email account called
wagesonthenet@bigtractors.com.au and have this email account directed to your main email account.
2. Set up a new user in MYOB called 'wagesonthenet@bigtractors.com.au' but do not make them administrator - this is for payroll - so just tick the payroll 'ROLE' for the moment, and tick the box 'this user will sign on with a my.myob account'.
3. The invite will come to you as the new email is a redirect to your main account.
4. Accept the invite - set up and create a password for the account and select 2FA to your email - and register the account 2FA to your 2FA on your phone - this account now belongs to you and cannot be hijacked.
5. In MYOB go into ROLES - right-click the ROLE 'PAYROLL' and select 'Create a copy of the role' - a new role is created called 'copy of payroll' - rename it to 'Payroll - WagesOnTheNET', assign this to the new user, and deselect the generic payroll role.
6. Go into the new ROLE and severely lock it down to allow 'only the information you want them to have' - which this permissions tick box now gives you control over, without changing the generic payroll ROLE.
7. Connection day - you actually don't need the 2FA, as the permission token is obtained via the HTTP API call - but when they connect - YOU DO THE LOGON DETAILS - type in as the user 'wagesonthenet@bigtractors.com.au',
password - [DO NOT HAND THIS OUT] - type it in yourself, as it cannot be seen unless someone can see your keyboard.
The 3rd party is now connected to your online file fully under your control and with only the permissions of access you want them to have. You cannot terminate this at anytime by deactivating this user.
That is it - secure but controlled 3rd party connection to view (only) your crown jewels.
The software wage company integrator person had absolutely no idea this degree of control was possible!
Know your security.
The Doc
The_Doc, 3 years ago, Ultimate Cover User
Hi ChrisMYOB
Correction to my statement - "fully under your control and with only the permissions of access you want them to have. You cannot terminate this at anytime by deactivating this user."
Should read
"You 'can' terminate this connection to 'your' file at anytime by deactivating this user in MYOB."
The Doc
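The seven-step procedure above, and the correction that deactivating the user terminates the connection, as an added example that is not part of the original posts and is not MYOB's code or the MYOB API. It is a small role/user model in Python: a dedicated integration user gets a copy of the payroll role that is then locked down to read-only, the generic payroll role is left untouched by that lock-down, and deactivating the user revokes every permission. All names, permissions and the 'Ledger' class are hypothetical stand-ins for the tick boxes in the MYOB roles screen.

```python
"""Least-privilege service account for a third-party integration.

Added example; not MYOB's code and not the MYOB API. The permission
names, roles, logins and the Ledger class are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed permission sets standing in for the tick boxes in a role.
PAYROLL_PERMISSIONS = frozenset({
    "payroll.read_employees", "payroll.read_pay_runs",
    "payroll.create_pay_run", "payroll.edit_employees",
})
ADMIN_PERMISSIONS = PAYROLL_PERMISSIONS | frozenset({
    "admin.manage_users", "admin.manage_roles",
    "banking.read", "banking.create_payment",
})

@dataclass
class Role:
    name: str
    permissions: set

    def copy(self, new_name: str) -> "Role":
        # Like 'Create a copy of the role': the copy owns its own permission
        # set, so locking it down never changes the generic role.
        return Role(new_name, set(self.permissions))

    def restrict_to(self, allowed) -> "Role":
        # Keep only the ticks you want the third party to have.
        self.permissions &= set(allowed)
        return self

@dataclass
class User:
    login: str
    roles: list = field(default_factory=list)
    active: bool = True

class Ledger:
    """The company file: decides whether a login may perform an action."""

    def __init__(self, users):
        self.users = {u.login: u for u in users}

    def authorise(self, login: str, permission: str) -> bool:
        user = self.users.get(login)
        if user is None or not user.active:
            return False  # unknown or deactivated user: nothing is allowed
        return any(permission in r.permissions for r in user.roles)

    def deactivate(self, login: str) -> None:
        # Step from the correction post: deactivating the user terminates access.
        self.users[login].active = False

def build_file():
    """Set up the admin, the generic payroll role and the integration user."""
    payroll = Role("Payroll", set(PAYROLL_PERMISSIONS))
    integration_role = payroll.copy("Payroll - WagesOnTheNET").restrict_to(
        {"payroll.read_employees", "payroll.read_pay_runs"})
    admin = User("owner@bigtractors.com.au",
                 roles=[Role("Administrator", set(ADMIN_PERMISSIONS))])
    integration = User("wagesonthenet@bigtractors.com.au",
                       roles=[integration_role])  # generic Payroll role NOT assigned
    return Ledger([admin, integration]), payroll, integration_role

def access_report(ledger: Ledger, login: str) -> dict:
    """Which of the constructed permissions a login currently holds."""
    return {p: ledger.authorise(login, p) for p in sorted(ADMIN_PERMISSIONS)}

if __name__ == "__main__":
    ledger, payroll, integration_role = build_file()
    login = "wagesonthenet@bigtractors.com.au"
    for perm, ok in access_report(ledger, login).items():
        print(f"{perm:28} {'allowed' if ok else 'denied'}")
    ledger.deactivate(login)
    print("after deactivation:", any(access_report(ledger, login).values()))
```

The point of the separate role copy is visible in `build_file`: `restrict_to` shrinks only the copy, so the generic 'Payroll' role keeps all four of its permissions for your own staff, while the integration login can read but never create a pay run or touch banking or user management. Had the admin logon been handed over instead, every entry in the report would read 'allowed'.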