Who is $ndo$shadow

skiddoo

Hello,

I created a new SQL-Trigger for a table to log deletion actions on that table. This trigger works very well but sometimes it logs the user $ndo$shadow.
I searched for that user and I found a lot of guys which are struggling with permissions. But I can't find any information about that user and what is his job.

Can somebody explain it to me?

Thanks!

Regards
skiddoo

krzychub83

It is Application Role (In SQL Server: Database Name->Security->Roles->Application Roles). This application role is created and managed by the NAV. So each time you add a table to the database NAV creates this table in SQL, and then grants permissions to it for $ndo$shadow app role.

Basically NAV is using this application role to contact SQL server for data manipulation, if your user has insufficient permissions from SQL Side. This way your users require only SQL Public role to access the database from SQL side. In the same time they are able to fully work with the data in NAV. Any permission limitations is resolved by NAV (by NAV's roles) on NAV's side. This was very handful, because normal users should never have db_owner role.

So I would guess that anybody who is not a db_owner will be logged as $ndo$shadow, where db_owners will be logged normally with their ids.

This role was in use before NAV 2013. I don't remember seeing it in NAV 2013 though...

May I ask why you use SQL Trigger to log it? If you do not delete data from SQL side, I would advise to add code into the OnDelete trigger of the table in NAV, or to use the Change Log functionality inside the NAV. Although please note that Change Log functionality was resulting in some dodgy issues on the Web Services with some build versions. So please test it before Go Live with it.

PS: I might be wrong, as this subject is not well described, as you already noticed it.