The sales role has #3 MODULE OPTIONS do you have "Allow Maintaining of Customer Data During Data Entry" checked and they have nodify and view access in A/R customer maintenance.  If I give them create access in A/R they can enter ship to addresses.  If not when you click on "Ship to add" and enter a new code number you get the following.

You do not have security rights to create the record.

I find myself with the exact same problem since upgraqding to 4.4.

I do not want our data entry clerks to be able to access customer maintenance.  However, they need to be able to create new ship to's for sales orders.

Has anyone found a way around this?  This seems like a major security gap otherwise.  This wasn't an issue in 4.3.

Check out Resolution ID 495707.  http://infosource.sagesoftwareonline.com/infasp/kdb.asp?isresolutionconceptid=495707

It looks like it was a problem in 4.2 but it was resolved with a service update.

Maybe they will release a service update to resolve it in 4.4?

I'm sorry for the trouble you are having in Sales Order Entry with Ship To locations. With the advent of framework sales order (starting in 4.10), the ability to add ship to codes (ship to locations) is controlled by Customer Maintenance security since ship to codes are added there.  Unfortunately, the aforementioned resolution in 4.20.0.21 incorrectly bypassed security and inadvertently allowed ship to codes to be added when the user had no rights to customer maintenance (Module Option Allow Maintaining & Customer Maintenance Tasks), but when this bypass was discovered during 4.40 development, it was corrected.

The  true correction for that 4.20 defect should have been the addition of a security event OR module option to allow ship to's to be added on-the-fly, in sales order data entry programs, regardless of whether Customer Maintenance rights are enabled. 

I hope you are able to take a moment and submit an enhancement request to add this security enhancement. You can do this by clicking on the Product Feedback link at the top of this page, or make this request verbally the next time you or your reseller calls into support.

I decided to opt for a couple of UDS to lock down customer maintenance and SO Entry.

Here they are in case any else is interested.  The role I was attempting to limit was "OUTSIDE".  I only need for these users to create new Ship To's from SO Entry.

Locks down certain, fields, buttons, and panels.  Table - Post-Read of AR Customer Master.

'does not allow this role to view the tabs in customer maintenance

if oSession.AsObject(oSession.Security).IsMember("OUTSIDE")=1 then
	retVal = oScript.SetUIControl("fldr.pAddl","DISABLE")
	retVal = oScript.SetUIControl("fldr.pStats","DISABLE")
	retVal = oScript.SetUIControl("fldr.pSummary","DISABLE")
	retVal = oScript.SetUIControl("fldr.pHistory","DISABLE")
	retVal = oScript.SetUIControl("fldr.pInvoice","DISABLE")
	retVal = oScript.SetUIControl("fldr.pTrans","DISABLE")
	retVal = oScript.SetUIControl("fldr.pOrders","DISABLE")
	retVal = oScript.SetUIControl("BT_TERMSCODE","DISABLE")
	retVal = oScript.SetUIControl("BT_CONTACTCODE","DISABLE")
	retVal = oScript.SetUIControl("BT_SHIPMETHOD","DISABLE")
	retVal = oScript.SetUIControl("BT_CONTACTCODE","DISABLE")
	retVal = oScript.SetUIControl("BT_TAXSCHEDULE","DISABLE")
	retVal = oScript.SetUIControl("BT_EXEMPTIONS","DISABLE")
	retVal = oScript.SetUIControl("BT_PAPERLESSDELOPTIONS","DISABLE")
	retVal = oScript.SetUIControl("BT_SALESPERSON","DISABLE")
	retVal = oScript.SetUIControl("BT_COPY","DISABLE")
	retVal = oScript.SetUIControl("BT_RENUMBER","DISABLE")
	retVal = oScript.SetUIControl("BT_OPTIONS","DISABLE")
	retVal = oScript.SetUIControl("BT_RMA_INQUIRY","DISABLE")
	retVal = oScript.SetUIControl("BT_CUSTOMER_CONTACTS","DISABLE")
	retVal = oScript.SetUIControl("BT_ITEMS","DISABLE")
	retVal = oScript.SetUIControl("BT_SHIP_TO_ADDRESS","DISABLE")
	retVal = oScript.SetUIControl("BT_IT_CUSTOMER","DISABLE")
	retVal = oScript.SetUIControl("BT_INVOICE_HISTORY_INQUIRY","DISABLE")	
	retVal = oScript.SetUIControl("CONTACTCODE","DISABLE")
	retVal = oScript.SetUIControl("BT_MEMO","DISABLE")
end if

Does not allow the user to modify or create new records.  Table - Pre-write of AR Customer Master

'does not allow this role to edit the data

if oSession.AsObject(oSession.Security).IsMember("OUTSIDE")=1 then
	retVal = oScript.SetError("Error - You are not authorized to edit customer data")
end if

Does not allow the customer to delete existing records.  Table - Pre-delete of AR Customer Master

'does not allow this role to delete the data

if oSession.AsObject(oSession.Security).IsMember("OUTSIDE")=1 then
	retVal = oScript.SetError("Error - You are not authorized to delete customer data")
end if

Does not allow the user to create on-the-fly customers in SO Entry.  Column - Post-validate CustomerNo of SO Header.

'does not allow this role to create new cusotmers

if oSession.AsObject(oSession.Security).IsMember("OUTSIDE")=1 then
	retVal = oScript.SetError("Error - You are not authorized to create new customers")
end if