DB access in Nav only possible with db_owner role in SQL2005
AndreasD
Member Posts: 34
Hello,
I realized that a user can only open the database with the Nav40SP3-Client if he/she is given the role db_owner for this database in SQL Server 2005 (in db in SQL Server 2005: right click the user name under security, users, => Properties)
How can that be?
Why does not db_accessadmin or db_datareader suffice? Why is any role necessary if Public has been given access thru which the user should gain access?
Could someone shed some light on this?
Thank you
Andreas
I realized that a user can only open the database with the Nav40SP3-Client if he/she is given the role db_owner for this database in SQL Server 2005 (in db in SQL Server 2005: right click the user name under security, users, => Properties)
How can that be?
Why does not db_accessadmin or db_datareader suffice? Why is any role necessary if Public has been given access thru which the user should gain access?
Could someone shed some light on this?
Thank you
Andreas
Andreas
0
Comments
-
DB_Owner is NOT required for access to NAV. In fact no other role membership beyond Public is required for normal users. Security is handled thru application role(s) which are built by the security syncronization process in NAV
NOTE: DB_Owner is required for users doing development and selected Admin taskThere are no bugs - only undocumented features.0 -
Additional note: the only development task that requires db_owner is for table changes, as that is the only type of change that affects SQL Server.0
-
There is a database option in Navision (NAV) that db owners only can use the database.
I think you see it on one of the tabs in Alter Database.0 -
Karenh wrote:There is a database option in Navision (NAV) that db owners only can use the database.
I think you see it on one of the tabs in Alter Database.
The purpose of that setting is to disable access for normal users. There may be a time when you want to run a maintenance process and don't want users logging into the database.There are no bugs - only undocumented features.0 -
Hello,
thank you.
However, this does not seem to be true.
First: The option for "db owner only" is NOT checked.
In SQL Server 2005 Management Studio I go to the database in question.
Then: Security, Users, The user in question
Rightclick, Properties
This opens the window database User for the user in question.
The upper part is owned schemas, the lower part is database role membership.
If I take out the checkmark before db_owner in the lower part of the window then – when the user tries to open the database thru the Navision client – he gets the message
The combination of user ID and password entered is invalid. Try again.
As soon as I set the check mark before db_owner he can access without any changes in the passwords.
If this checkmark is not necessary, what then is wrong here?
What permissions have to be set for public?
Thank you
AndreasAndreas0 -
You do not need to assign any permissions to public. The defaults are all that is required.
Have you setup the security in NAV and sycronized? See section 4.1 of the w1w1isql.pdf document that is in the DOC folder of the CD.There are no bugs - only undocumented features.0 -
Hello,
the issue was indeed the synchronization.
First I created a new db in sql server. Then I imported a backup thru the Nav client. Of course the db had many users that did not exist in sql server so that synchonization failed. It is too bad that the only option for synchronization from Navision is for all users. They should have an option to synchronize a single user!
The error message The combination of user ID and password entered is invalid. Try again. was due to the fact that the synchronization from Navision is to the user name in sql server not to the login in sql server. So to be on the safe side it is best to have user and login named the same.
Also the user does get the default schema dbo although he does not become member of the role db_owner.
Is it normal that a new user gets the dbo as default schema? Shouldn't a new schema be created under the users name?
Then it is interesting to note that obviously you can get around the need of Synchronize all by giving the user the role db_owner in sql server 2005. The rights in Navision will still be restricted thru the configuration in Navision (at least it seems to me to be that way).
Finally the synchronization creates many funny named schemas and application roles in SQL Server although I deleted the non-existing users in Navision beforehand. The names go s.th. like
$ndo$ar$01B6C6194E6C56440971CDA47AD26F0F
I assume these are application roles which get their own like named schema in sql server?
It looks kind of strange, doesn't it?
RegardsAndreas0 -
AndreasD wrote:... They should have an option to synchronize a single user!
...
Enhanced Security gives you this option. Don't consider using it. Losing the ability to sync single users is a small trade-off compared to the other issues it will create.There are no bugs - only undocumented features.0 -
[Topic moved from Navision forum to SQL General forum]Regards,Alain Krikilion
No PM,please use the forum. || May the <SOLVED>-attribute be in your title!0
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.6K Microsoft Dynamics NAV
- 18.7K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 116 Navision DOS
- 851 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 617 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 320 Dynamics CRM
- 111 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 990 SQL General
- 383 SQL Performance
- 34 SQL Tips & Tricks
- 35 Design Patterns (General & Best Practices)
- 1 Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.6K General
- 1.1K General Chat
- 1.6K Website
- 83 Testing
- 1.2K Download section
- 23 How Tos section
- 252 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions