Secure Report

Ewan

Hi

Currently users have permission to run all reports.

What is the best way of securing specific action reports without having to go through the pain of securing each report individually in order to remove the default permission giving access to all reports.

One idea I had was to add an object to the report global parameters that users do not have permission to access in the hope that this will enable me to grant specific permissions to the given report?

Is there a better way?

Andwian

I have the same pain too.

Anyway, could you please explain your workaround? I think it is a nice trick!

Sam_Morris

Could you use the NAV security Roles to control who can access which reports?

The ALL role (or BASIC in NAV 2013) gives permissions to all reports, but this can be changed. You could delete the entry in ALL role that gives permissions to all reports (it's the one with Object Type::Report, ObjectID 0). You can then create new roles with the permission sets you require for your reports. These can then be applied to users as required.

The only other thing I can think of it to look at codeunit 1. Every time you run a report, one of the first things NAV does is run the FindPrinter function on codeunit 1. It always sends the ID of the report that is being run to the function.

I'm not sure exactly how/where you want to set permissions for your reports, but you could put some code in here to error if user does not have permission for that report?

Andwian

Sam Morris wrote:

You can then create new roles with the permission sets you require for your reports. These can then be applied to users as required.

But you should add the permission per tabledata, right? instead of the, which report ID you could access.

Sam Morris wrote:

The only other thing I can think of it to look at codeunit 1. Every time you run a report, one of the first things NAV does is run the FindPrinter function on codeunit 1. It always sends the ID of the report that is being run to the function.

I'm not sure exactly how/where you want to set permissions for your reports, but you could put some code in here to error if user does not have permission for that report?

I am sorry, I am still could not get it.

Sam_Morris

Hi,

Yes, you are right that it is more usual to just setup permissions against table data, but you could also use the permissions to restrict which reports users can run. This might be a complicated way of doing it though, as there are hundreds of reports that you might want to allow or deny permissions for.

The second, probably simpler way I could think of, was to add some code in codeunit 1 to control who can use specific reports. Say, for example, you wanted to only allow certain users to run the report 296 Batch Post Sales Orders. You could add a field to the User Setup table. Something like "Allow Batch Post Sales Ord.".

Then, in codeunit 1, in the function FindPrinter, add something like the following:

IF ReportID = 296 THEN BEGIN
  IF UserSetup.GET(USERID) THEN BEGIN
    IF NOT UserSetup."Allow Batch Post Sales Ord." THEN
      ERROR('You are not permitted to run this report.');
  END;
END;

Andwian

Thanks, Sam.

I got it. But I can imagine that, if we want to apply it in many reports, that would be so hurting.

Thanks for the insight, anyway

Ewan

We use Active directory group membership to secure users in nav

So you can use the User SID table see http://msdn.microsoft.com/en-us/library/dd301176.aspx

if you put the following in the OnPreDataItem the report will exit without processing data

OK:=FALSE;
IF UserSID.FINDFIRST THEN
REPEAT
UserSID.CALCFIELDS(UserSID.ID);
IF (UserSID.ID = 'Domain\SecurityGroupA') OR
(UserSID.ID = 'Domain\SecurityGroupB') THEN OK:=TRUE;
UNTIL (UserSID.NEXT=0) OR (OK = TRUE);
IF (OK = FALSE) THEN
BEGIN
MESSAGE('You do not have permission to run this report');
CurrReport.QUIT;
END;