QBO3 supports the ability to run ad-hoc queries against the QBO database. Ad-hoc queries can be dangerous; just ask little Bobby Tables. In order to minimize the risks associated with ad-hoc queries, the following security constraints are in place:
The user must be part of a role that has RoleAdHoc permissions
There must be a dedicated connection string that ad-hoc queries will be run under
by default, this connection string must be named 'qbo.AdHoc'
this may be overridden at a Role or Person level by defining a SystemDefault called AdHocConnection
The dedicated connection string should be configured to use a SQL account with minimal privileges, specifically
GRANT SELECT ON {user tables}
Do not GRANT SELECT ON ConfigurationEntry
Do not GRANT CREATE, GRANT DROP, or GRANT ALTER
Do not GRANT DELETE, GRANT UPDATE, or GRANT INSERT