Implementing Security, a basic approach

Mauddib Member Posts: 269
Security isn't easy to implement, is it? It's hard to predict sometimes what tables a user will need access to. For example, doing stock transfers in item reclass, they need access to the payment terms table. Didn't see THAT coming.

Considering that users here have very basic computer knowledge, I am not locking them out totally from everything. The approach I'm taking is this. Tell me what you think:

Giving users indirect access to ALL tables and table data.
Giving users read and execute access to ALL codeunits
Full Access to the System - Edit, View, Find functions.

I am then implementing security by only giving users access to the table data and forms and reports they need to do their own tasks.

Gavin

Comments

  • bbrown Member Posts: 3,268
    Granting a user indirect access requires that the objects accessing those tables be granted permission to them.
    There are no bugs - only undocumented features.
  • kine Member Posts: 12,562
    There are more "how to":

    1) If you can use client monitor, you can use the collected data to generate role with needed access to used table (you run the monitor, do what the user will do, stop monitor, through some batch you create the role, because you know which table was read etc.)

    2) Use standard role for main skeleton of roles for the user. Then do what the user need to do, if there is some permission missing, look for role which include it, if there is some but it is something what the user do not need, create own role for this "user role" and extend it with needed permissions (this procedure does not include new created tables, you need to add them to standard role or into some extra roles).
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
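
The first procedure kine describes (record a session, then turn the objects it touched into a role) can be sketched as follows. This is an added example, not code from the thread or from any of the tools mentioned; the trace tuple layout, the object ids and all function names are assumptions made for illustration.

```python
from collections import defaultdict

OPS = ("read", "insert", "modify", "delete", "execute")

# Constructed sample of one recorded session: (object type, object id, operation).
# The tuple layout and the ids are assumptions for this example; a real
# Client Monitor or Code Coverage export has to be mapped into this shape.
RECLASS_TRACE = [
    ("TableData", 27, "read"),
    ("TableData", 83, "read"),
    ("TableData", 83, "insert"),
    ("TableData", 83, "modify"),
    ("TableData", 3, "read"),   # a lookup the tester did not expect
    ("Codeunit", 22, "execute"),
    ("Form", 393, "execute"),
]

def build_role(trace):
    """Collapse recorded operations into one permission set per object."""
    role = defaultdict(set)
    for obj_type, obj_id, op in trace:
        if op not in OPS:
            raise ValueError(f"unknown operation: {op}")
        role[(obj_type, obj_id)].add(op)
    return dict(role)

def missing_permissions(role, trace):
    """Operations seen in a later test run that the role does not grant yet."""
    return sorted({(t, i, op) for t, i, op in trace
                   if op not in role.get((t, i), set())})

def format_role(role):
    """One line per object with R/I/M/D/E flags, '-' where not granted."""
    rows = []
    for (obj_type, obj_id), ops in sorted(role.items()):
        flags = "".join(op[0].upper() if op in ops else "-" for op in OPS)
        rows.append(f"{obj_type:<10}{obj_id:>6}  {flags}")
    return rows

if __name__ == "__main__":
    role = build_role(RECLASS_TRACE)
    print("\n".join(format_role(role)))
    # Re-running the task later with one extra step shows what to add.
    retest = RECLASS_TRACE + [("TableData", 83, "delete")]
    print("still missing:", missing_permissions(role, retest))
```

The role contains only what the recorded task touched, so the re-test step is what catches operations the first recording did not exercise.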
  • itspeter Member Posts: 105
    Our NSC ask us to use Code Coverage, which has similar steps to client monitor.

    But it is tedious, and it requires lots of patience, by looking at a long list of objects, in the Code Coverage form. :(
    Regards,
    Peter Ng
  • kine Member Posts: 12,562
    You can do it by batch... it is not hard, and I think that there is some download for it on MIBUSO... some about security, and there is wizard for it...
  • ovicash Member Posts: 141
    I found somewhere that batch job Kine was talking about. I can't find a link now but if you want I can send it to you by mail.
    ovidiu

    Best Regards
  • vgvozdev Member Posts: 29
    Hi,

    Actually it is quite easy. You just need to reverse your thinking. Think what users have to be restricted to do, not what they have to be able to do:

    Step 1: Create group ALL that will include all objects (not table 0, form 0 … All objects one by one) and assign this group to everyone;

    Step 2: Ask your client what they want to restrict. Let's say they do not want to allow some people to see Chart of Accounts – delete form Chart of Account from group ALL and create new Group CHGL that will have only form Chart of Accounts. Assign this group to all users who need to see Chart of Accounts… (you can combine objects here so you can add G/L related reports to CHGL group and delete them from ALL group)

    Repeat step 2 for all other restrictions…


    But the whole idea is to remove functionality from people, not to give them ability to do something. Based on this method you can constantly refine your security without having problems that people cannot do something.
    Valentin Gvozdev
    Adaptive Business Solutions
    http://justjewelrysoftware.com
  • Shenpen Member Posts: 386
    I've always been doing what vgvozdev suggests, but the problem is that you need to restrict access to 50+ configuration/setup tables like Item Category, Product Group etc.

    I've always been writing programs that take away access from settings tables but it needs constant tweaking. No real solution I think.

    In 4.0 custom menus can be a big help.

    The only real solution I have managed to find is to transfer the task of configuring user rights to the sysadmin or whatever of the customer :)

    Do It Yourself is the key. Standard code might work - your code surely works.
  • DenSter Member Posts: 8,307
    I have heard about some functionality that kind of works like the client monitor, but that creates the permissions while doing a task. So instead of stepping through the client monitor and setting permissions, this program does that for you. Is that what you are talking about Kine?
  • kine Member Posts: 12,562
    Yes, exactly, I have one which I make for our company, and another from downloads... and I think it was some MBS tool for free use (you need only the nos. in license)...
  • Shenpen Member Posts: 386
    DenSter: it is on the Tools CD. But you need an NSC licence or the objects in your one.

    I was always thinking on how to make this damn process simpler. My new idea is a new table where we copy the AllObj table, and it has a new code field with restriction codes. F.e. we enter ST code for all settings tables, and then I write a program that first gives access to all table data and takes away the ones that are restricted for the user based on this. The basic idea is that we have to configure it only once and then import it to all projects and just make minor modifications.

    Should I make a download of it?

  • DenSter Member Posts: 8,307
    You can make a download of anything you want. I for one will not hack the object table though.
  • sharks Member Posts: 22
    usually split them in categories and assigning active directory groups to each i.e.
    Active Directory Group
    NAV_RE : Only Read Permission.
    NAV_BA : Only Basic, Read, Edit, Delete and Post Permissions but no access to vital Company Info.
    NAV_DE : Same as Basic with ability to design
    NAV_SU : SUPER

    Also I create a role for each one for specific needs i.e.
    ALL_RE
    ALL_BA
    ALL_DE

    This way they can simply add a user to a specific group and there is no overhead. Also most companies require the same groups so you can easily copy-paste from one db to another with these some dataports like:
    http://www.kassinosdevelopers.com/donotdelete/permissions.zip
  • sharks Member Posts: 22
    I forgot to mention that there is a nice little utility that works quite well in creating the ALL_* roles or even create the whole permission range for a user or group. It's called Navision Permission Role Wizard and it's in the download section http://www.mibuso.com/dlinfo.asp?FileID=357.
  • DenSter Member Posts: 8,307
    Thank you sharks, that's the one I was talking about.