Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.5K Microsoft Dynamics NAV
- 18.5K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 267 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 992 SQL General
- 384 SQL Performance
- 33 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Options
Security Auditing - How to Enumerate User Access
rmalt
Member Posts: 2
Hi All,
I find this site very helpful so I thought I'd give back to the community. I wanted to write a script that would allow me to see which users had update permissions on any given table. I'm using Windows Security in NAV 6. The code below is not all original work. The section that creates the user table was found on this site.
I plan on creating a web form on our intranet that will prompt for the table name and possibly the access type (Read/Update/Insert) and plugs the values in the appropriate spots before executing the SQL code.
Anyways, thought this might be useful for some poor soul trying to perform SOX auditing.
I find this site very helpful so I thought I'd give back to the community. I wanted to write a script that would allow me to see which users had update permissions on any given table. I'm using Windows Security in NAV 6. The code below is not all original work. The section that creates the user table was found on this site.
I plan on creating a web form on our intranet that will prompt for the table name and possibly the access type (Read/Update/Insert) and plugs the values in the appropriate spots before executing the SQL code.
Anyways, thought this might be useful for some poor soul trying to perform SOX auditing.
Declare
@Tablename varchar(50),
@ObjectID int
-- This can be modified to see access for any given table
Select @Tablename = 'Item'
-- Get the object ID of the selected table
-- NAV company name can be changed below
Select @ObjectID = ID
From [Object]
Where Name = @Tablename
and [Company Name] = 'EPW - LIVE'
-- Start of Create User Table
-- The following section just creates a table containing
-- Windows user names and SIDs
Declare @Users table (Name varchar(30), NAVSID varchar(255))
Declare
@SID varchar(255),
@OrigSID varchar(255),
@A bigint,
@B bigint,
@C bigint,
@D bigint,
@Value varbinary(255)
Declare PrintUser INSENSITIVE CURSOR FOR
Select SID From [Windows Login]
Open PrintUser
Fetch Next From PrintUser Into @SID
While (@@fetch_status <> -1)
Begin
Select @OrigSID = @SID
SET @SID = REVERSE(@SID)
SET @D = REVERSE(SUBSTRING(@SID,1,CHARINDEX('-',@SID)-1))
SET @SID = SUBSTRING(@SID,CHARINDEX('-',@SID)+1,255)
SET @C = REVERSE(SUBSTRING(@SID,1,CHARINDEX('-',@SID)-1))
SET @SID = SUBSTRING(@SID,CHARINDEX('-',@SID)+1,255)
SET @B = REVERSE(SUBSTRING(@SID,1,CHARINDEX('-',@SID)-1))
SET @SID = SUBSTRING(@SID,CHARINDEX('-',@SID)+1,255)
SET @A = REVERSE(SUBSTRING(@SID,1,CHARINDEX('-',@SID)-1))
-- Prefix the binary value with S-1-5-21 and reverse the byte order for each group.
Select @Value =
0x010500000000000515000000
+ CONVERT(VARBINARY,REVERSE(CONVERT(BINARY(4),@A)))
+ CONVERT(VARBINARY,REVERSE(CONVERT(BINARY(4),@B)))
+ CONVERT(VARBINARY,REVERSE(CONVERT(BINARY(4),@C)))
+ CONVERT(VARBINARY,REVERSE(CONVERT(BINARY(4),@D)))
Insert into @Users
select Name, @OrigSID as 'NAV SID' from master..syslogins where SID = @Value
Fetch Next from PrintUser into @SID
End
Deallocate PrintUser
-- End of Create User Table
-- After we have the list of users, and the object ID,
-- it's pretty easy to find out who can modify it
Select Name From @Users Where NAVSID in (
Select Distinct [Login SID] from [Windows Access Control]
Where [Role ID] in (
Select [Role ID]
From [Permission]
Where [Object ID] = @ObjectID
and [Modify Permission] = 1
)
)
0