Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.6K Microsoft Dynamics NAV
- 18.7K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 305 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 993 SQL General
- 384 SQL Performance
- 34 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 260 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
NAV 5 - SQL2005 (Windows Logins) Issue
Tomas
Member Posts: 420
Working on SQL2005/NAV5 [Security Model: Enhanced]
I have noticed strange issue.
If we create a Windows Login in Navision, and synchronize all security, username in sql will be created (with its own schema attached to it).
Let's say we do not give super role to the new user, just some roles to read customer table, etc. After synchronization, when new users logs into navision he is getting error message:
And let's say we try to open Budgets with same user (for which we do not have permissions). We will get error (instead of - you do not have to read... ):
Furthermore, if I would go to SQL and there would add db_owner role, I would get error message (which is actually what i expect to get):
Had anyone else noticed similar issues? Any ideas and discussions would be helpful.
I have noticed strange issue.
If we create a Windows Login in Navision, and synchronize all security, username in sql will be created (with its own schema attached to it).
Let's say we do not give super role to the new user, just some roles to read customer table, etc. After synchronization, when new users logs into navision he is getting error message:
--------------------------- Microsoft Dynamics NAV --------------------------- The following SQL Server error(s) occurred while accessing the License Agreement table: 229,"42000",[Microsoft][ODBC SQL Server Driver][SQL Server]The SELECT permission was denied on the object 'CRONUS UK Ltd_$License Agreement', database 'Test', schema 'dbo'. --------------------------- OK ---------------------------
And let's say we try to open Budgets with same user (for which we do not have permissions). We will get error (instead of - you do not have to read... ):
--------------------------- Microsoft Dynamics NAV --------------------------- The following SQL Server error(s) occurred while accessing the G/L Budget Name table: 229,"42000",[Microsoft][ODBC SQL Server Driver][SQL Server]The SELECT permission was denied on the object 'CRONUS UK Ltd_$G_L Budget Name', database 'Test', schema 'dbo'. --------------------------- OK ---------------------------
Furthermore, if I would go to SQL and there would add db_owner role, I would get error message (which is actually what i expect to get):
--------------------------- Microsoft Dynamics NAV --------------------------- You do not have permission to read the G/L Budget Name table. --------------------------- OK ---------------------------
Had anyone else noticed similar issues? Any ideas and discussions would be helpful.
Tomas,
Dynamics NAV Enthusiast
Dynamics NAV Enthusiast
0
Answers
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
Yes, I did.
What I am trying to say is, that instead of normal Navision error that you do not have permissions, I am actually getting SQL error (which is strange).
........
Let's say, if you create a login in SQL first, it will have default schema defined as DBO by default.
If user is created at the moment you synchronize all security, the user will have a default schema named by the user itself.
Dynamics NAV Enthusiast
It is wierd that you are seeing SQL Errors instead of Navision. My guess synchronization didn't finish or is screwed up.
Personally I've given up on enhanced security model.
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
Security was synchronized with user 'sa'. I did not get any error messages while synchronizing. And keeping in mind, that new user was actually created when synchronizing, I am assuming that synchronization was successful.
In SQL2005 probably public role is not good enough with NAV Enhanced security model.
As for synchronization being screwed up - problem is that I was able to replicate same issue on two different machines. ](*,)
Dynamics NAV Enthusiast
Why not use Standard Security model? It makes life a lot easier.
No PM,please use the forum. || May the <SOLVED>-attribute be in your title!
It wouldn't be so interesting then... :?
Dynamics NAV Enthusiast
To make it even more interesting, you should open a help ticket with MS.
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
RIS Plus, LLC
1. Add db_owner role to the user (yeah, right - not possible)
2. In the database, find user. Check it's schema. Go find that schema. Change default owner of the schema to dbo (works like a charm, just if there are a lot of users, then there are a lot of clicking in order to solve this issue). And in the future, you will firstly need to create a user in SQL before adding that user into Navision (even if you are creating Windows logins).
3. Change Security model to Standard (which usually everyone goes for). And by everyone I mean myself included.
Thanks for everyone's input, anyways.
Dynamics NAV Enthusiast
No it's not weird....this is the difference between enhanced and standard security...
Enhanced: SQL wil be in charge of permission to a table. For each user a role will be created and in that role all tables will be present with the correct permissions. Nav clients sends selects etc.. directly to sql who will allow or dissallow according to the role settings.
Standard: One role exists in sql, and that role is used by every users and in that role all permissions on all tables are allowed...
The nav client will check prior to giving the select statement (or alter or delete or whatever) to sql if the user has rights into this table , and if not navision client will block and give the error message....
Stay with the suggestion of everyone here, use always standard security....never enhanced (not seen one example of a client who really needs enhanced security, but seen a lot of problems with it....)
Benny Giebens
I don't remember exactly which version it was, but that is when the 'enhanced' security option was the only option for SQL Server. When that caused problems in just about every single NAV implementation they decided to give back the old security system, and give NAV users the option to select the basic system, and thereby giving the users the responsibility of selecting a "less secure" security system.
RIS Plus, LLC
The use of roles on the standard system, is only there to be able to access the database via a navision client and not directly via a sql login...
So once you have access the security per table is taken over by navision...
I think it's only how you put it, but imho when using standard, it's the navision client that enforces the real security....
Benny Giebens
This makes sense, as when you are using Enhanced security model, you are actually getting SQL errors (that you do not have SELECT permissions/etc) instead of (before) getting Navision license permission errors.
Dynamics NAV Enthusiast
Yes if you are using enhanced security, NO if you are using standard security.
If you have a database with standard security, you will notice you only have ONE application role (public) and in that application role all tables of the db are defined with read,write,alter... access allowed!!! Every navision user then uses the same role, and to make the security compliant with the roles you defined in navision logins, it's the navision client that checks the security.....
Benny Giebens
By the way, application roles is a SQL Server option, but individual permissions are not pushed down to SQL Server, that's why synchronizing is so fast on the standard model. All PERMISSIONS are managed within the app, not on SQL Server.
RIS Plus, LLC
Then other guy (let's call him NAV adminsitrator) could define navision permissions accordingly. And he would not be able to give more permissions than SQL DBA has already given in SQL.
Dynamics NAV Enthusiast
I don't think this is workable, role names are not readable (its not userArole, but something with guid...so how to find out the role of a specific user.... but main reason is that if you do a syncronize in advanced security, role is first deleted and recreated from scratch...(and you need to syncronize a lot...)
Benny Giebens
When working in SQL - I actually means user created roles (basically, schemas with permissions to tables/etc) and not the roles from Navision.
Dynamics NAV Enthusiast
Thats also what i mean...Navision roles are translated to application roles in sql. You can change the application role in sql to add or remove permissions, but when you do a syncronize from navision, these sql application roles will be deleted (and for this also youre modifications) and recreated based on the navision role...
Benny Giebens
My main issue with the $ar$.... as well as the $ndo$shadow roles is that if you're not DBO you cannot create a company. A couple of investment banks whose NAV:s we're managing see this as a humongous flaw as handing out CONTROL permissions on a SQL Server database is a NoNo when you're working in a datacenter environment, and they keep adding companies to NAV on a daily basis, so having the SQLDBA do it for them is unfeasable,
This has nothing to do with whether the DBA is a "security freak". There's nothing wrong with making sure the app is secure, it is just unfortunate that it appears as though 'enhanced' security is more secure than 'standard', and in my opinion that is not the case.
RIS Plus, LLC
I must say that this is probably the best explanation of Enhanced Security I have seen.
Ability to do post-mortem traces on who-did-what-and-when!
When using standard security, the Navision client assumes the identity of the application role $ndo$shadow when talking to SQL Server. When a transaction is made, the identity stored in the transaction log is $ndo$shadow, thus not possible to trace who did this or erased this list of customers before leaving the company...
On the other hand, using Enhanced Security will create one application role per user. Navision does not grant permissions to users but to application roles. So, whenever a user performs a transaction in Navision with Enhanced Security model active, this users application role will be saved in the transaction log. Using this id, you can trace back to the "who-did-what-and-when".
Then of course, there are issues with Enhanced Security as mentioned in this thread... but if the customer absolutely need the ability to do post-mortem analysis, the options are either Enhanced Security or C2-Audit.
Regards
Stefan
Doubles as MSDBA and Navision Developer (in that order)
And also SQL server 2008 has good logging possibilities that are not so slow as the NAV solution.
If the customer really needs that, you can best invest a little instead of getting headaches caused by the Enhanced Security Model.
No PM,please use the forum. || May the <SOLVED>-attribute be in your title!