Odd Permissions Error with record level security

MikeDalziel Member Posts: 10
Hi,

I'm about to go mad, I've been ](*,) for hours on this and can't see what the problem is. I've set up 2 roles;
    CREATE-PI CREATE-PC

The first to allow access for a user to create purchase Invoices, the second to allow creation of purchase credits - not posting, on both.

The roles are exactly the same apart from the "Security Filter" which are: "Purchase Header: Document Type=Invoice" and
"Purchase Header: Document Type=Credit Memo".

When I test the PI role it works fine, when I test the PC role, it shows me the Purchase credits but won't let me create a new record as I get this error.

Microsoft Dynamics NAV Classic
You do not have permission to insert into the Purchase Header table.
OK

The PC Create role DOES have permission to insert; if I remove the security filter then it works fine.

Client: NAV2009 R2
Database: NAVW16.00,NAVGB6.00 with "Partner customisations"
Permissions Sync Login: I've all power roles on SQL, all other permissions synchronisations working fine
Permissions Sync Login NAV Roles: SUPER etc
Debugger Results?: With the debugger active no errors appear, I've fixed missing codeunit and table permissions on other roles no problem, this scenario presents no debugger screen, just straight to the error message.
Customisations? There are some but nothing that is obviously 'wrong'.
Testing Login: I've tried this with both database and windows logins.
What about your NAV partner?: I've been training them on how to set up securities to allow access to only certain System commands so I have little faith.

As I mention, I'm at a loss. Any suggestions? Anyone a securities expert/knows a securities expert who is willing/able to assist?

I could modify the ALL role to not show the forms as standard and then add the forms into each appropriate role, but I'd really like to get to the bottom of this if I can.

Yours ](*,) -ily,

Mike

Answers

  • vremeni4 Member Posts: 323
    Hi,

    Is it possible to open the table 2000000005 "Permission" from object designer and to set the filter on the CREATE-PC role?
    There should be an entry with object ID 38 and insert permission set to YES.

    Role ID       Object Type  Object ID  Read Permission  Insert Permission  Modify Permission  Delete Permission
    ACH-PA/C/F/A  Table Data   38         Yes              Yes                Yes                Yes                etc.  Purchase Header

    If I am not mistaken, if the security filter is set then insert won't work as the record does not exist in the table yet.
    So probably you may need to find a way around without using the security filter for insert.

    I hope this helps.
  • MikeDalziel Member Posts: 10
    Hi vremeni4, if the security filter is set for "Document Type= Invoice" then it works fine.

    The only thing I can conclude is that "On Insert" the document type is initially "Invoice" for some reason, then it is immediately changed to quote or order etc.

    But that doesn't make any sense to me. Then again, who said it needs to make sense...

    I've tried it in a Cronus database as well with similar results, so I'm guessing it is a :bug:
  • matthiasclaes Member Posts: 18
    I believe you need to give Indirect Read access to the full table for users that have restricted insert access on a table.
    (see pages 547-553 of the Application Designer’s Guide w1w1adg.pdf)
    The reasoning is that in order to make an insert, NAV might have to do a check on the last record of the table.
    If that last record is filtered out, you'll get a read permission error.
    There are some web pages and blogs that explain it in full detail, but I can't remember one off the top of my head.

    So, if you have to set Record Level Security on a table where the user has insert permission, you need to create a second role where the user has Indirect Read without RLS.
  • MikeDalziel Member Posts: 10
    When I read your post yesterday I got very excited, I followed it up and read the pages you suggested in the application designers guide and started this morning full of hope. Hope that got dashed to bits when it didn't work. :(

    Fortunately, I thought, well an Indirect insert won't hurt either so I added that to the 2nd role and it works! :D:D:D