Sage 100

MAS_Reports gets datareader role for each database.

MAS_User get dbowner from being assigned as the owner - no need to add it under each database.

Thanks Phil - I went though this and recreating and adjusting these two accounts within the SQL server was able to be scripted ( used Google Gemini AI )  and appears to have worked. I'm now back into. Sage 100 2025.

The condensed steps included your recommendation and the final step was running Sage 100 2025 SQL Settings Utility (Start Menu > Sage 100 2025 > SQL Settings). Then I provided new passwords for each account and used the SA credentials to reset and synchronize the passwords between Sage and SQL. 

Sage 100 2025 then started right up

Here's the initial Gemini AI response when I asked it about recreating accounts.

Here is the breakdown of the required SQL permissions for the MAS_USER and MAS_REPORTS accounts.

Quick Comparison Table

1. MAS_USER (The Application Login)

This account is the workhorse. It processes all transactions, writes to the General Ledger, and handles schema changes during updates.

• Server Roles: It strictly requires public. It does not need sysadmin (and for security, should not have it).

• User Mapping: You must map this login to:

  • The MAS_System database.

  • Every individual company database (e.g., MAS_ABC, MAS_XYZ).

• Database Role Membership:

  • Requirement: db_owner.

  • Technician Note: While you can technically run day-to-day operations with db_datareader + db_datawriter, Sage 100 Premium frequently requires the ability to create temporary tables, truncate tables, and modify schema during module upgrades or install updates. Leaving it as db_owner prevents obscure permission errors during Period End Processing.

2. MAS_REPORTS (The Reporting Login)

This account is used by the ODBC connection for Reports. It is designed to be a "Read Only" user to prevent a malicious (or poorly written) report from altering your accounting data.

• Server Roles: public.

• User Mapping: Map this login to:

  • The MAS_System database.

  • Every individual company database.

• Database Role Membership:

  • Requirement: db_datareader.

  • Technician Note: Do not give this account db_owner or db_datawriter. If a user creates a custom Crystal Report with a command object, you want to ensure the SQL Server rejects any UPDATE or DELETE statements.

Critical "Sage Wisdom" for Manual Setup

If you are adding these manually in SQL Server Management Studio (SSMS) rather than using the Sage configuration utility, keep these three things in mind:

1. The Password Synchronization Trap

Creating the user in SQL does not update Sage 100's internal configuration files. Sage 100 stores the encrypted SQL password in the MASSQL.settings file (or MAS_System config tables, depending on the version).

• The Fix: Ensure the password you set in SSMS matches exactly what Sage expects. If you don't know the original password, you will need to reset it in SSMS and then run the Sage 100 Premium SQL Connection utility on the server to update the application's encrypted strings.

2. Orphaned Users (After Restore)

If you restored the databases from a backup (e.g., moving from Server A to Server B) and then created the SQL Logins, the "User" inside the database is likely not linked to the "Login" on the server.

• The Fix: Run the following query for each database to link them back up:

  <response-element class="" ng-version="0.0.0-PLACEHOLDER"></response-element>
  SQL

  <mat-icon _ngcontent-ng-c2451299390="" role="img" fonticon="content_copy" class="mat-icon notranslate google-symbols mat-ligature-font mat-icon-no-color" aria-hidden="true" data-mat-icon-type="font" data-mat-icon-name="content_copy"></mat-icon>

  USE MAS_XXX; -- Repeat for MAS_System and all company DBsEXEC sp_change_users_login 'Auto_Fix', 'MAS_USER';EXEC sp_change_users_login 'Auto_Fix', 'MAS_REPORTS';

  <response-element class="" ng-version="0.0.0-PLACEHOLDER"></response-element>

3. Default Schema

Ensure the "Default Schema" for both users in the User Mapping section is set to dbo.

MAS_Reports gets datareader role for each database.

MAS_User get dbowner from being assigned as the owner - no need to add it under each database.

I was surprised ( happy ) that Google Gemini was able to generate this without me having to supply a user guide to point it to the Sage KB. I'm not sure the info is every step that needs to be taken. In my case there were some minor errors that came up and in every case I asked Gemini about the error and it gave me a script to fix it.

Thanks Phil - I went though this and recreating and adjusting these two accounts within the SQL server was able to be scripted ( used Google Gemini AI )  and appears to have worked. I'm now back into. Sage 100 2025.

The condensed steps included your recommendation and the final step was running Sage 100 2025 SQL Settings Utility (Start Menu > Sage 100 2025 > SQL Settings). Then I provided new passwords for each account and used the SA credentials to reset and synchronize the passwords between Sage and SQL. 

Sage 100 2025 then started right up

Here's the initial Gemini AI response when I asked it about recreating accounts.

Here is the breakdown of the required SQL permissions for the MAS_USER and MAS_REPORTS accounts.

Quick Comparison Table

1. MAS_USER (The Application Login)

This account is the workhorse. It processes all transactions, writes to the General Ledger, and handles schema changes during updates.

• Server Roles: It strictly requires public. It does not need sysadmin (and for security, should not have it).

• User Mapping: You must map this login to:

  • The MAS_System database.

  • Every individual company database (e.g., MAS_ABC, MAS_XYZ).

• Database Role Membership:

  • Requirement: db_owner.

  • Technician Note: While you can technically run day-to-day operations with db_datareader + db_datawriter, Sage 100 Premium frequently requires the ability to create temporary tables, truncate tables, and modify schema during module upgrades or install updates. Leaving it as db_owner prevents obscure permission errors during Period End Processing.

2. MAS_REPORTS (The Reporting Login)

This account is used by the ODBC connection for Reports. It is designed to be a "Read Only" user to prevent a malicious (or poorly written) report from altering your accounting data.

• Server Roles: public.

• User Mapping: Map this login to:

  • The MAS_System database.

  • Every individual company database.

• Database Role Membership:

  • Requirement: db_datareader.

  • Technician Note: Do not give this account db_owner or db_datawriter. If a user creates a custom Crystal Report with a command object, you want to ensure the SQL Server rejects any UPDATE or DELETE statements.

Critical "Sage Wisdom" for Manual Setup

If you are adding these manually in SQL Server Management Studio (SSMS) rather than using the Sage configuration utility, keep these three things in mind:

1. The Password Synchronization Trap

Creating the user in SQL does not update Sage 100's internal configuration files. Sage 100 stores the encrypted SQL password in the MASSQL.settings file (or MAS_System config tables, depending on the version).

• The Fix: Ensure the password you set in SSMS matches exactly what Sage expects. If you don't know the original password, you will need to reset it in SSMS and then run the Sage 100 Premium SQL Connection utility on the server to update the application's encrypted strings.

2. Orphaned Users (After Restore)

If you restored the databases from a backup (e.g., moving from Server A to Server B) and then created the SQL Logins, the "User" inside the database is likely not linked to the "Login" on the server.

• The Fix: Run the following query for each database to link them back up:

  <response-element class="" ng-version="0.0.0-PLACEHOLDER"></response-element>
  SQL

  <mat-icon _ngcontent-ng-c2451299390="" role="img" fonticon="content_copy" class="mat-icon notranslate google-symbols mat-ligature-font mat-icon-no-color" aria-hidden="true" data-mat-icon-type="font" data-mat-icon-name="content_copy"></mat-icon>

  USE MAS_XXX; -- Repeat for MAS_System and all company DBsEXEC sp_change_users_login 'Auto_Fix', 'MAS_USER';EXEC sp_change_users_login 'Auto_Fix', 'MAS_REPORTS';

  <response-element class="" ng-version="0.0.0-PLACEHOLDER"></response-element>

3. Default Schema

Ensure the "Default Schema" for both users in the User Mapping section is set to dbo.

MAS_Reports gets datareader role for each database.

MAS_User get dbowner from being assigned as the owner - no need to add it under each database.

I was surprised ( happy ) that Google Gemini was able to generate this without me having to supply a user guide to point it to the Sage KB. I'm not sure the info is every step that needs to be taken. In my case there were some minor errors that came up and in every case I asked Gemini about the error and it gave me a script to fix it.

Thanks Phil - I went though this and recreating and adjusting these two accounts within the SQL server was able to be scripted ( used Google Gemini AI )  and appears to have worked. I'm now back into. Sage 100 2025.

The condensed steps included your recommendation and the final step was running Sage 100 2025 SQL Settings Utility (Start Menu > Sage 100 2025 > SQL Settings). Then I provided new passwords for each account and used the SA credentials to reset and synchronize the passwords between Sage and SQL. 

Sage 100 2025 then started right up

Here's the initial Gemini AI response when I asked it about recreating accounts.

Here is the breakdown of the required SQL permissions for the MAS_USER and MAS_REPORTS accounts.

Quick Comparison Table

1. MAS_USER (The Application Login)

This account is the workhorse. It processes all transactions, writes to the General Ledger, and handles schema changes during updates.

• Server Roles: It strictly requires public. It does not need sysadmin (and for security, should not have it).

• User Mapping: You must map this login to:

  • The MAS_System database.

  • Every individual company database (e.g., MAS_ABC, MAS_XYZ).

• Database Role Membership:

  • Requirement: db_owner.

  • Technician Note: While you can technically run day-to-day operations with db_datareader + db_datawriter, Sage 100 Premium frequently requires the ability to create temporary tables, truncate tables, and modify schema during module upgrades or install updates. Leaving it as db_owner prevents obscure permission errors during Period End Processing.

2. MAS_REPORTS (The Reporting Login)

This account is used by the ODBC connection for Reports. It is designed to be a "Read Only" user to prevent a malicious (or poorly written) report from altering your accounting data.

• Server Roles: public.

• User Mapping: Map this login to:

  • The MAS_System database.

  • Every individual company database.

• Database Role Membership:

  • Requirement: db_datareader.

  • Technician Note: Do not give this account db_owner or db_datawriter. If a user creates a custom Crystal Report with a command object, you want to ensure the SQL Server rejects any UPDATE or DELETE statements.

Critical "Sage Wisdom" for Manual Setup

If you are adding these manually in SQL Server Management Studio (SSMS) rather than using the Sage configuration utility, keep these three things in mind:

1. The Password Synchronization Trap

Creating the user in SQL does not update Sage 100's internal configuration files. Sage 100 stores the encrypted SQL password in the MASSQL.settings file (or MAS_System config tables, depending on the version).

• The Fix: Ensure the password you set in SSMS matches exactly what Sage expects. If you don't know the original password, you will need to reset it in SSMS and then run the Sage 100 Premium SQL Connection utility on the server to update the application's encrypted strings.

2. Orphaned Users (After Restore)

If you restored the databases from a backup (e.g., moving from Server A to Server B) and then created the SQL Logins, the "User" inside the database is likely not linked to the "Login" on the server.

• The Fix: Run the following query for each database to link them back up:

  <response-element class="" ng-version="0.0.0-PLACEHOLDER"></response-element>
  SQL

  <mat-icon _ngcontent-ng-c2451299390="" role="img" fonticon="content_copy" class="mat-icon notranslate google-symbols mat-ligature-font mat-icon-no-color" aria-hidden="true" data-mat-icon-type="font" data-mat-icon-name="content_copy"></mat-icon>

  USE MAS_XXX; -- Repeat for MAS_System and all company DBsEXEC sp_change_users_login 'Auto_Fix', 'MAS_USER';EXEC sp_change_users_login 'Auto_Fix', 'MAS_REPORTS';

  <response-element class="" ng-version="0.0.0-PLACEHOLDER"></response-element>

3. Default Schema

Ensure the "Default Schema" for both users in the User Mapping section is set to dbo.

MAS_Reports gets datareader role for each database.

MAS_User get dbowner from being assigned as the owner - no need to add it under each database.