NAV Table access outside of Role permissions

brownfc

Hi,

we run NAV 5 SP1 on a SQL 2005 Database with Enhanced Security. Everything seems ok but I've come across a strange issue that I hope someone can help with. Our users have a Windows AD Login account to access NAV and the NAV Roles are assigned to Windows Groups instead of the individual user accounts. I've noticed that a user can access a table within NAV even though the NAV role assigned to that user doesn't include access to this table. I thought that the SQL Public Role might have been used to assign more permissions than the default settings but it doesn't seem so.
Can anyone explain how a user can access a table even though they haven't been assigned permission via a NAV Role? I think this points to SQL permissions.

Thanks.

stryk

Hi!

Maybe this could help you: http://dynamicsuser.net/blogs/stryk/archive/2010/02/16/extended-database-hardening-nav-sql.aspx

brownfc

I think I might know what is allowing a user to access tables even though their NAV roles should prevent it - there is a Active Directory Group on the SQL Server (in both Logins and Users) that has been assigned db-owner rights but this AD Group must have been deleted from AD as it doesn't exisit anymore. I assume this user was a member of this Group as the name of the group implies that included all NAV users. When you delete a Group from AD it still remains in SQL Logins and Users unless you delete it. I came across a posting that mentions the same thing. The user is a member of other NAV realted AD Groups but it looks like it still retains the DB_Owner permissions even though the AD Group has been deleted.
http://ask.sqlservercentral.com/questio ... issio.html