Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.6K Microsoft Dynamics NAV
- 18.6K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 298 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 993 SQL General
- 384 SQL Performance
- 34 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
NAS Job Queue and Windows Logins
matthiasclaes
Member Posts: 18
Dynamics NAV 5.0sp1 on SQL Server 2008 on Windows Server 2008.
NAS is installed with JOBQUEUE startup parameter on a separate server.
NAS is running under MYDOMAIN\NAS user account.
MYDOMAIN\NAS user account is a Navision Windows Login with full access to all tabledata + execute permission on specific reports.
Our Dynamics NAV partner uses database logins, we use Windows logins.
Alle database logins are SUPER user, Windows logins have restricted permissions.
The NAS is able to execute job queue items where the User ID is a database login, but not those where the User ID is a windows login. I have only tested executing reports.
Job Queue Response reports the following error:
User Matthias Claes has not been set up to be allowed to run Report 50049 - TEST - MAG GEWIST WORDEN - MC.
The user Matthias Claes is a Windows Login (MYDOMAIN\Matthias Claes) with following roles:
ALL -> Absolute minimal permissions to open a NAV database.
SUPER (DATA) -> RIMD on all TableData (Tabledata, ID = 0)
_NAS -> Execute on report 50049 (and others).
Enhanced Security is enabled.
Even assigning the SUPER role does not solve the problem.
I find it strange the User ID field in the Job Queue entry only show 'Matthias Claes', and not 'MYDOMAIN\Matthias Claes'. How does NAV differentiate between a database login and a windows login?
What piece of the puzzle is missing to execute my Job Queue items?
NAS is installed with JOBQUEUE startup parameter on a separate server.
NAS is running under MYDOMAIN\NAS user account.
MYDOMAIN\NAS user account is a Navision Windows Login with full access to all tabledata + execute permission on specific reports.
Our Dynamics NAV partner uses database logins, we use Windows logins.
Alle database logins are SUPER user, Windows logins have restricted permissions.
The NAS is able to execute job queue items where the User ID is a database login, but not those where the User ID is a windows login. I have only tested executing reports.
Job Queue Response reports the following error:
User Matthias Claes has not been set up to be allowed to run Report 50049 - TEST - MAG GEWIST WORDEN - MC.
The user Matthias Claes is a Windows Login (MYDOMAIN\Matthias Claes) with following roles:
ALL -> Absolute minimal permissions to open a NAV database.
SUPER (DATA) -> RIMD on all TableData (Tabledata, ID = 0)
_NAS -> Execute on report 50049 (and others).
Enhanced Security is enabled.
Even assigning the SUPER role does not solve the problem.
I find it strange the User ID field in the Job Queue entry only show 'Matthias Claes', and not 'MYDOMAIN\Matthias Claes'. How does NAV differentiate between a database login and a windows login?
What piece of the puzzle is missing to execute my Job Queue items?
0
Answers
When you (or your partner) tried it with DB login, it means it has been launched using the client and not the NAS (the NAS cannot use DB-logins) and probably the partners license was loaded for trying it.
No PM,please use the forum. || May the <SOLVED>-attribute be in your title!
Closed NAV, reopenend (using my Windows credentials) and verified our license. It is our company's license, so I do not think that's the problem. With my Windows login (MYDOMAIN\Matthias Claes) I can run the report and even modify it (I have the SUPER role). Report 50094 is within the 100 reports that come with the package, as far as I understand. So, as a user, I have no problem running the report.
The NAS may not be able to use DB-logins, but it does check the User ID field of the Job Queue records. (using CU 449 Job Queue Start Codeunit). Something fails in there when the User ID is a windows login, but works when the User ID is a DB-login. The result is the error in the Job Queue Response record that I mentioned above. I cannot check CU 499 because that's outside the scope of our license.
[url]HasWinPermission(UserId2 : Text[65];ObjectType : Integer;ObjectID : Integer) : Boolean
IF WinLogin2.FINDSET THEN
REPEAT
WinLogin2.CALCFIELDS(ID);
Found := UPPERCASE(LoginManagement.ShortUserID(WinLogin2.ID)) = UPPERCASE(UserId2);
IF Found THEN
WinLogin := WinLogin2;
UNTIL Found OR (WinLogin2.NEXT = 0);
IF NOT Found THEN
EXIT(FALSE);
HasPermission := WinAccessControl.GET(WinLogin.SID,'SUPER',COMPANYNAME);
IF NOT HasPermission THEN
HasPermission := WinAccessControl.GET(WinLogin.SID,'SUPER','');
IF HasPermission THEN
EXIT(TRUE);
Permission.SETRANGE("Object Type",ObjectType);
Permission.SETRANGE("Object ID",ObjectID);
Permission.SETRANGE("Execute Permission",Permission."Execute Permission"::Yes);
IF Permission.FINDSET THEN
REPEAT
HasPermission := WinAccessControl.GET(WinLogin.SID,Permission."Role ID",COMPANYNAME);
IF NOT HasPermission THEN
HasPermission := WinAccessControl.GET(WinLogin.SID,Permission."Role ID",'');
UNTIL HasPermission OR (Permission.NEXT = 0);
EXIT(HasPermission);[/url]
Does your windows user has some special characters in his name or has a name longer than 20 characters?
No PM,please use the forum. || May the <SOLVED>-attribute be in your title!
No special characters, but the total length of the username (MYDOMAIN\User Name) is 25 characters.
Try with a username of max 20 chars.
No PM,please use the forum. || May the <SOLVED>-attribute be in your title!
I checked with our NAV Partner, and your code is different from ours. Our function is defined als follows:
IF WinLogin.FINDSET THEN REPEAT WinLogin.CALCFIELDS(ID); Found := UPPERCASE(COPYSTR(WinLogin.ID,STRLEN(WinLogin.ID) - STRLEN(UserId2))) = UPPERCASE(STRSUBSTNO('\%1',UserId2)); UNTIL Found OR (WinLogin.NEXT = 0);And ours is clearly wrong. After finding a matching WinLogin record, another .NEXT is executed in the UNTIL clause, thus shifting the Winlogin record to the next record in the table.
It seems your NAV installation is more up-to-date than ours. I will get this fixed by our NAV Partner.
Thank your for your assistance with this problem.