NAV Menu assignment when authenticating via Windows Groups

Kishragu

Hi,

We are using AD groups to authenticate users for Navision and only want specific menu items to be visible for specific groups in the Navigation Pane. For eg., people in the "Finance" group will only have access to "Financial Management" menu item. I have set the relevant menu items for various AD groups by using "Assign Users" function by editing the Navigation Pane.

Now when a user within the Finance AD group logs on to Navision, he is able to see all the menu items regardless of what permission is set for that AD group. It appears Navision doesn't look at the AD group permissions but records against individual users in the "User Menu Level" table.

I can overcome this issue by
a) Ditch AD group and create individual users in Windows Login and assign the permissions (or)
b) Stick with AD group, but manually create records via backend in User Menu Level table based on the permissions of the AD group

Just wondering if anyone has experienced this issue before and come up with any creative solutions?

Cheers,
Kishore

kriki

Can this be your problem: http://mibuso.com/blogs/kriki/2012/02/13/nav-security-using-windows-groups/?

Kishragu

Hi Kriki,

Thanks for that link..something to bear in mind for sure!

In my instance the only ones added to "Windows Logins" are the the AD groups and no individual logins has been added. I am 100% certain of that.

The name of the AD group is <domainname>\NAV-Finance and my individual login is <domainname>\kishore (part of NAV-Finance group ofcourse!!). I can log on to NAV without any issues and can only access tables which is set within my roles etc., But the navigation pane will display all the menu items regardless of what permissions are set against my AD group. I think this is because even though the authentication is set at AD level, when NAV logs you on it logs you on as an individual user ie <domainname>\kishore and is looking for the relevant record in the "User Menu Level" table and since nothing is found, it just shows all the menu items. Probably one of the undocumented features of NAV

Hope that helps.

Cheers,
Kishore

kriki

Probably it is more that somewhere (probably a group to which they belong to) they have a permission to run all forms/pages/reports/.... And so NAV displays all menuitems.

Kishragu

I understand your thought process...but shouldnt the behaviour be the same if the users are added individually. For eg., I add 10 users as individual windows logins all with "Super" permission, but has different menus allocated to them and it works fine. Each user only gets to see the menus allocated to them and nothing else. Based on your theory they should be able to see all the menus isnt it or am I missing something?

matttrax

You cannot assign menu items using groups.

Kishragu

Figured that Matttrax...sort of defeats the purpose of being able to use AD groups for authentication isnt it!! Any suggestions apart from the 2 options I had mentioned in my original post?

matttrax

You can still assign permissions via the group. That makes that part easier. But you will have to add the individual logins to NAV, with or without roles, to assign them individual menus.

I have seen some companies just do a single menu, letting the permissions automatically drive what is visible or not.

vanrofi

](*,)

Just finsihed the setup with AD Groups for 120 users by working with 3 security group types :

1. different Comp groups allows user to login to one or more companies, usefull in a 10 company environment
2. different Business Unit groups so the data is filtered by using the security filtering
3. different function groups allow the user to use objects he needs to do his job, usefull in a 10+ functions environment, thank god there is a permission tool that semi-automatically creates roles

Last part was setting up new menu-structure, so that every function has a specific menu...so based on AD function group, NOT the 120 individuals...

last phase was testing this, and guess what, it doesn't work, again ](*,)

Why does nav allow using groups in the setup, while it doesn't work? Ok, I should have tested it Pilotwise agree on that.

is there any script I can use to fill this automatically? 2 steps to take :

1. auto-create individual users by groups in the window login table?
2. Auto-flag the menu's for the corresponding individual users based on the flags of the groups?

thx for any tips

vanrofi

\:D/

I went a little deeper and created a workaround :

The user setup table was the only place that I planned to create individuals instead of groups. I created an extra field there, related to new table : profile (a bit similar to the profile table used in the RTC environment). there I add the different profiles corresponding to the usergroups I created on AD, and link it to the window login table, so I can link a profile to a Windows login (read : AD group).

The menus are assigned to the Group logins, standard this fills the User menu level table.

On validate of the field Profile in the user setup, I go and find the user menu level of the windows login of the group, and copy this but for the single user.

This works fine! So no single user in the windows login table, only groups in the Menu assignment, all this by filling 1 extra field in the standard user setup.
good enough for me, and my security project is finished.

Here my draft code behind the field, just need some cleanup now, but it might help :


//first delete existing rights of this user, in case he changes from function it is better to start from scratch
Lrec_menulevel.SETFILTER(ID,'=%1','domain\' + FORMAT("User ID")); //replaced our domain in default 'domain'
IF Lrec_menulevel.FINDFIRST THEN BEGIN
REPEAT
Lrec_menulevel.DELETE(FALSE);
UNTIL Lrec_menulevel.NEXT =0;
END;

//through new Profile group table (data per company is set on NO!) pickup the group's menu level
//2 fields : 1 is code to give unique name of profile, 1 is linked to Windows login

IF Lrec_profilegroup.GET(Profiel) THEN BEGIN
Lrec_winlogin.GET(Lrec_profilegroup."User group ID");
Lrec_winlogin.CALCFIELDS(Lrec_winlogin.ID);
Lrec_menulevel2.SETRANGE(ID,Lrec_winlogin.ID);
IF Lrec_menulevel2.FINDFIRST THEN BEGIN
REPEAT
Lrec_menulevel3 := Lrec_menulevel2;
Lrec_menulevel2.CALCFIELDS(Object); //don't forget the blob!
Lrec_menulevel3.Object := Lrec_menulevel2.Object;
Lrec_menulevel3.ID := 'domain\' + FORMAT("User ID");
Lrec_menulevel3.INSERT;
UNTIL Lrec_menulevel2.NEXT = 0;
END;