Permissions for Web Service calls

trasheinz Member Posts: 5
edited 2010-08-25 in NAV Three Tier
Hi,
Currently a third-party application connects to an MS Dyn NAV Web Service with a Windows login which has the role SUPER. Now I am trying to specify the permissions more precisely.
My example Web Service is a published "Item" Page (30). I am trying to get it to work so that the Web Service user can only read data (read, readMultiple) and cannot create, update, etc.

I have already figured out that the Web Service user needs read access to:
  • Table "Item" (27) <-- clear!
  • Table "Web Service" (2000000076)
  • Page "Item Card" (30)
But that is still not enough. Does anyone have experience with that?

Thank you for any help

Comments

  • jlandeen Member Posts: 524
    Are there any error messages that are being displayed or trapped in an event log anywhere?

    Is the 3rd party application outside your network or is it run on your own network?
    Jeff Landeen - Sr. Consultant
    Epimatic Corp.

    http://www.epimatic.com
  • trasheinz Member Posts: 5
    Hi,
    Unfortunately, I only had a readable error message before I included the table "Web Service". That was a hint that I had to include the "Web Service" table. Now the interaction between the third-party application and MS Dyn NAV aborts during the "readMultiple" function call.

    I don't have any log events in the MS Windows Event Table.
    Are there other places to look for logs (in MS Dyn NAV, for example; I don't know of a logging function inside MS Dyn NAV)?

    My environment:
    They are in the same network, but not in the same Domain
    The third-party application is Java-based and it authenticates with NTLM
    The interaction between the application works great as long as the webservice user has the role "super"
  • kine Member Posts: 12,562
    You need to check the event log on the server and on the client too...
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • trasheinz Member Posts: 5
    The only entry I can see, is that the login to the database was successful.
    Message
    An account was successfully logged on.
    [...]
    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    NTLM V2
        Key Length:        0

    But I cannot see any access-denied events in the event log, neither on the client nor on the server.

    My second approach was to find out which tables are involved with SQL Server Profiler (tracert). But it hasn't been successful yet. I found a lot of other tables which are touched by the Web Service call. For example:
    • Dimension
    • Dimension Translation
    • User Metadata
    • General Ledger Setup
    • Item Ledger Entry
    • Purchase Line
    • ...
    I put them all in the permission table for the specific role. But as I already wrote, it wasn't successful.

    Any other ideas?
  • jlandeen Member Posts: 524
    Ok now that I'm re-reading this whole thread - it sounds like the web service call IS working if you are using a user who has the SUPER role, but once you change them off of that then it no longer works? Is that correct?

    I'm not 100% sure on the individual permissions, in the past I've worked with services that have SUPER permissions as those processes tend to need to go all over NAV. There may be more than just table permissions - there may be some other object or executable permissions that need to be set.
    Jeff Landeen - Sr. Consultant
    Epimatic Corp.

    http://www.epimatic.com
  • trasheinz Member Posts: 5
    "but once you change them off of that then it no longer works? Is that correct?"
    Yes, that is correct.
    "there may be some other object or executable permissions that need to be set"
    This is exactly what I want to know: which permissions does the webshop user need to interact with MS Dyn NAV?

    I don't want to give this webshop user SUPER rights. I have to publish the MS Dyn NAV Web Services user and password information, so everyone who can read the interface could log into MS Dyn NAV with SUPER permission.

    Does anyone have an idea how I can solve that, or know a workaround?
  • jlandeen Member Posts: 524
    That was something I've been asked about before but I haven't found any exact documentation yet that covers off the required permissions for either the Service Tier or NAV client.

    Have you searched around on MSDN's NAV section or Partnersource? Those are the best places that I can think to start looking. Also check out Freddy's blog or any of the other MSDN Blogs.
    Jeff Landeen - Sr. Consultant
    Epimatic Corp.

    http://www.epimatic.com