mibuso.com
Home NAV/Navision Classic Client

behavior of standard/enhanced security mode

clockworktoyclockworktoy Member Posts: 5
edited 2008-09-01 in NAV/Navision Classic Client
I spent some time to read some previous posts (not all , so sorry about this, :oops: ) and also the w1w1isql.pdf about the security mode, but I still a bit confused about it. Hope someone could kindly help me in the below questions:


1. The document(w1w1isql.pdf) wrote the below :
With the Standard Security model, every time you create, modify or delete a Windows login or a database login, the security system is automatically synchronized. However, if you add, alter or delete a role in the Dynamics NAV security system, you must manually
synchronize the security system.

So I suppose for standard security model, if I create an new user in NAV, the system will automatically synchronized the security system , and it sounds like I should manually sychronize if I change the permission of a role .

But I did a test in 50SP1 (SQL db) , if I modify the role ,e.g. in standard "All" role , I added "table data" customer with R/W/E/I/D permission . Then I re-login with a SQL user (with just the role "ALL") , I found I already able to read customer data (customer list) (without sychronzied the security system)

So I am confused here ,so it seems like I don't need to synchronize manually anyway in standard mode. Anyone can kindly explain this behavior to me?

And then under which situation , I really need to sychronize manually with Standard Security mode ?

2. it seems like Standard Security is more user-friendly and less trouble for synchronization
But any advantage or situation I must choose "Enhanced mode" ?


3. And I found that if I modify some key fields in table like Item ledger entry(e.g. Item no), and then I login with SQL user(just with public right),
then I open Sales Order or Item card , SQL permission error will be encountered due to the flow fields based on the item ledger entry. I need to manually sychronize the security system (if I use Enhanced mode)
But I don't need to manually sychonize the security system if I do the same (but with standard mode)
Anyone can kindly explain this behavior to me ? (it seems like with standard mode, even I modified objects , it will also auto sychronize
the security system ? is this true ? )


Thanks and best regards,

Comments

  • kinekine Member Posts: 12,562
    The base is that Standard model is using one application role for all users, and this application role have all permissions on the MS SQL. It means, that there is no "synchronization" needed (the role have still all rights regardless you modify/add some table). But the process is automatically run each time you add user or do some change to the users. It set the permissions on the app. role again to be sure, that the role has correct permissions.

    Extended mode is creating one application role per user, and the role has only permissions to tables which have the user access to. It means no more permissions than user is really allowed. It is why it take so long time to sync them.

    And when to use extended security? Difference will be mainly in case when some intruder (hacker) will hack NAV client and will try to read data from tables which NAV user have no permissions for. Under standard model, because NAV client is connected through application role with all permissions to the tables, the hacker will be able to read all data from NAV DB, because on SQL server there are no restrictions for the account. Under extended mode, the hacker will have still access only to tables which are allowed by the roles of the user, under which the hacker is connected. The security will be still checked by SQL server itself.

    Some simple chart to describe the difference:

    Standard model: 
    User Account1 - NAV Roles 1 - SQL App role - Tables 1
User Account2 - NAV Roles 2 -/             \-Tables 2
User Account3 - NAV Roles 3 /               \Tables 3
    Regardless user account, all users have access through one SQL App role, which covers access for SUPER user or user with access only to one table... it means possible access to permitted tables if NAV client is hacked, because only NAV client drive which table can user read and which can't.

    Extended model 
    User Account1 - NAV Roles 1 - SQL App role 1 - Tables 1
User Account2 - NAV Roles 2 - SQL App role 2 - Tables 2
User Account3 - NAV Roles 3 - SQL App role 3 - Tables 3

    As you can see, all accounts are isolated from other, thus hacker can still access only tables which is allowed to read in NAV client and nothing more.


    But, how many NAV hackers you know? ;-)
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • David_SingletonDavid_Singleton Member Posts: 5,479
    kine wrote:
    But, how many NAV hackers you know? ;-)

    Come on Kamil, aren't we all Navision hackers at heart. :mrgreen:
    David Singleton
  • krikikriki Member, Moderator Posts: 9,110
    David Singleton wrote:
    kine wrote:
    But, how many NAV hackers you know? ;-)

    Come on Kamil, aren't we all Navision hackers at heart. :mrgreen:
    Let's rephrase Kamil's statement : "how many NAV hackers with bad intentions do you know? :D
    Regards,Alain Krikilion
    No PM,please use the forum. || May the <SOLVED>-attribute be in your title!

  • kinekine Member Posts: 12,562
    Problem is, that NAV "hackers" have full admin access to the server by default because their are working as IT Admin in the company... ;-)
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
Sign In or Register to comment.