Permissions for Webserice calls

trasheinz

Hi,
Currently a third party application connect to a MS Dyn NAV Web Service with a windowslogin which has the role SUPER. Know I try to specify more precise the permissions.
My example Web Service is a published "Item" Page (30). I try to get work, that the Web Service user can only read data (read, readMultiple) and can not create, update, etc.

I already figure it out, that the Webservice User need read access to:

• Table "Item" (27) <-- clear!
• Table "Web Service" (2000000076)
• Page "Item Card" (30)

But it still not enought. Have someone experience with that?

Thank you for any help

jlandeen

Are there any error messages that are being displayed or trapped in an event log anywhere?

Is the 3rd party application outside your network or is it run on your own network?

trasheinz

Hi,
Unfortunately, I had only a readable error-message befor i include the table "Web Service". That was a hint, that I have to include the "Web Service" Table. Now, the interaction between the third party application and MS Dyn NAV abort while the "readMultiple" function call.

I don't have any Log Events in the MS Windows Event Table
Are they other place to look after displayed logs (in MS Dyn NAV f.e. - I don't know about logging function inside MS Dyn NAV)?

My environment:
They are in the same network, but not in the same Domain
The third party application is java based and it does authenticate with NTLM
The interaction between the application works great as long as the webservice user has the role "super"

kine

You need to check the event log on server and on the client too...

trasheinz

The only entry I can see, is that the login to the database was successful.

Message
An account was successfully logged on.
[...]
Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    NTLM V2
    Key Length:        0

But I can no see any access denied events in the event log, neither on the client nor on the server.

My second approach was to find out which table are involved with SQL Server Profiler (tracert). But it wasn't successful yet. I found a lot of other tables which are touched by the Webserice call. For example

• Dimension
• Dimension Translation
• User Metadata
• General Ledger Setup
• Item Ledger Entry
• Purchase Line
• ...

I put them all in the permission table for the specific role. But as I already wrote, it wasn't successful.

Any other ideas?

jlandeen

Ok now that I'm re-reading this whole thread - it sounds like the web service call IS working if you are using a user who has the SUPER role, but once you change them off of that then it no longer works? Is that correct?

I'm not 100% sure on the individual permissions, in the past I've worked with services that have SUPER permissions as those processes tend to need to go all over NAV. There may be more than just table permissions - there may be some other object or executable permissions that need to be set.

trasheinz

but once you change them off of that then it no longer works? Is that correct?

Yes, that is correct.

there may be some other object or executable permissions that need to be set

This is exactly that, what I wont to know. Which permissions need the Webshopuser to interact with MS Dyn NAV.

I don't want to give this webshopuser SUPER - rights. I have to publish the MS Dyn NAV Webservices user and password informationen. So everyone who can read the Interface, could log into MS Dyn NAV with SUPER permission.

Has someone an idea how I can solve that or know a workaround

jlandeen

That was something I've been asked about before but I haven't found any exact documentation yet that covers off the required permissions for either the Service Tier or NAV client.

Have you searched around on MSDN's NAV section or Partnersource? Those are the best places that I can think to start looking. Also check out Freddy's blog or any of the other MSDN Blogs.