Is there a negative security tool, should I roll one?

Miklos_Hollender

I mean it is often impractical to assign roles of what can you do to people as you have no idea what exactly they do. But very often it so that the CEO comes and says OK these warehouse dudes should not be able to post invoices and G/L and then you should take away just that (say no insertion into the Sales Invoice Header and G/L Register, something like that) and leave all the other permissions.

Now I see two options.

One is a tool that generates permissions for every tabledata for a role, then you just take a few away. But then every time you create a new table you need to add it to every role and so on, it is confusing after a while.

Or could I for example do something along the lines hack something into the OnGlobalInsert etc. triggers in Codeunit 1 and then as a setup I figure I would assign SUPER to all, but also assign roles that have say like 1 table in it insert not allowed and suchlike and check that, something like that would be a goo idea?

What is your general experience with this?

Please don't try that stuff that a company should be well organized and define clear job responsibilities for everyone. Yeah, should, but often it is not the case, period. Often companies are understaffed and people need to represent and help out each other all the time.

einsTeIn.NET

I wouldn't bypass NAV's access rights logic. I know that it's sometimes a bit annoying when you can't get clear statements to responsibility of some employees and you need to change the user access right every two day. But I think you should train someone on customer side who should be responsible to setup access rights and leave it in their hands. If they get annoyed by this situation they will think about creating clear statements of responsibility.

Miklos_Hollender

I am the customer side. BTW my problem is not even having to change it daily but the general outrage it would create when former superusers feel like they were demoted when they get this you have no permission error message. I would rather avoid that. It is easier to go the safe route and take away only those rights that management wants to take away.

The question is, we 143 such tools, why nobody thought if this? This the entirely logical way off approach, you start with superusers and then you gradually narrow it down.

einsTeIn.NET

By customer side I mean someone who is responsible for defining roles and user rights (and set it up). I mean everybody has a certain role in his company, sometimes it just needs to be defined.

I think it's no good idea to give everyone full access and reduce it time by time. It should just work the other way round. I see your point that it is sometimes much work, but it basically depends on unclear job definitions in your company.

kriki

I don't think that is a good idea for security reasons.

For example, you add some new module (new tables and forms/pages/codeunits/...) to have sensitive employee-data (like salary-info). You test it and all is ok.
You put it in production and the people start working with it. If you forget to remove permissions to those objects, EVERYONE can see it!
For security, it is better to do like NAV does. You DON'T have access unless explicitly given access.

To make things easier to maintain, it is best to have a lot of small roles with limited functionality and give those to the users that need to have the role.

Marije_Brummel

What I asked Microsoft is to add a button on the errormessage that you get when you don't have access.

"Request Permission".

This should start a workflow allowing the sysadmin person to evaluate if the person should have rights, and if so, allow this with a single click without knowing about tables, pages etc.

It's IMHO rediculus, the 1980's way security is setup in the product today.

davmac1

Mark,
That sounds way too sensible for Microsoft to ever implement. 8)