How to efectively set up the permission for the users!!!

JTPro

Hello all!!

Now, this is the time for me to set up the permissions for the users of Navisio system. I've never done this before. My client has got two types of users. First group is built with employees of warehouse (selling, buying, posting orders etc.). The second type of users are strictly responsible for financial part of company.

I will be really grateful if you share with me yours ways of setting up roles for the users.

Best regards

themave

I take two tracks to do this,

Use windows authentication, and setup your two types of users into windows security groups. You then can set the group permissions in Navision. this way you do not have to set the individual permissions for each user, just the whole group. And when a new employee starts, he gets put in the windows group and has all the permissions he needs for Navision.

To set the group permission from inside Navision, go to Tools --> Security --> Windows login

from there click on the lookup button and select your group, all the individual logon names are there, but you are picking the group instead of individuals.

Next and easiest is assign the same groups to only the menus they need. Open the Navigation Pane Designer (Alt+F12), right click on menu and assign the groups to their menus.

I also setup special group menus for each, so they only have the most used functions on them, Many menus have a lot of stuff the user never needs to see. By making a group menu you eliminate a lot of that, and you do not have to edit the standard Navision menu panes.

Select it and then assign roles.

chen_wan

First, you must know what are the screens / objects that you want the 2 groups of users to access. Once you have identified the screens that they can access, you can run the Client Monitor (Tools--> client Monitor) to find out the permissions need to be given to the objects.

Go to Tools-->Secutiry-->Roles to create a role for each group of user. Give permission to the Roles created according to the list genereated by Client Monitor.

Assign the Role to the respective user.

themave

First, you must know what are the screens / objects that you want the 2 groups of users to access. Once you have identified the screens that they can access, you can run the Client Monitor (Tools--> client Monitor) to find out the permissions need to be given to the objects.

That is how a developer finds out what premissions a client will need, but an end user, doesn't have access to client monitor, to find out what permissions you need, it is trial and error for the most part.

two tacks to try:

1. Give user access to most everything and then take away the items you can identify that you don't want him/her to access.

or

2. Use the built in roles and assign those, then add the remaining items individualy as your user tries to access things. The error message will tell you which tables they need to access

kine

One thing to add: If you will use the security groups to assign roles, you still need to add each user into Navision to be able to login as the user. But this is only simple thing and you do not need assigning some role to this user. Roles will be taken from the security group.

And yes, use the standard role for setting the permissions, and you can create roles for your customizations (new tables) as needed. And one warning, standard roles sometime miss permissions for some standard tables. Do not be surprised with this... If you get error about permissions, look into Permission table to see in which role is the table included and assign the role which is describing the process the user want to do. If there is no such a role, you can extend some other role or create your own...

Shenpen

Sadly, there is no really powerful way to configure permissions. I think the best approach is to take not the add, but the take away role: ask the customer what is the most important things for a given group of users they should NOT be able to do or see. Write a program that allows access for all objects one by one, an then turn of the critical ones. For example, to not allow invoiceing, take away either direct or indirect rights to insert sales invoice header and sales cr. memo header. And for everything else just hope there won't be any big trouble.

It sounds damn unprofessional, but once when we took the standard "add rights they need" approach instead of this "add everything, and take away the ones that can cause the biggest trouble" way, it took a full 4 months for a guy to finally get 80 users right. You know he kept spending his days like "I can't print Shipment!" "Why the hell do you want to print Shipment anyway, when in your department Joe should do it?" "Because Joe is ill!" "OK, then, here it is." And finally, of course, almost everybody got almost everything It's just a too big mess. Better just take aways the really dangerous stuff (settings, item, customer master data, invoicing).

DenSter

You could start out with the standard roles/permissions that come with the demo database and expand on that. If it took someone's customer 8 months to get security settings right, that is because someone didn't explain it well enough.

Shenpen

I found the standard ones are quite bad - might depend on locale, maybe the USA localization takes local objects into account correctly etc. As for the 4 months, it was the typical situation when the managements daydream of an ultra-secure system just does not work in reality, you know...

DenSter

And it is your job to prepare them for it.

Of course standard roles/permissions do not have custom objects in them, the US version is no different in that respect. All you'd need to do is create a role with permission to the custom objects and add that role to the users who need to use it, or add access to the custom objects to the right existing roles.

Shenpen

*Sigh* haven't we just went tru this a couple of times?... Yeah, the waiter preparing you in a restaurant, that the food tastes not perfect and might not be easy to digest. Yeah. Sounds quiet likely. Sure.

sharks

http://www.mibuso.com/forum/viewtopic.p ... highlight=

themave

a note of caution also.

if you add a new user, he/she automatically is added to all menus, so if you restrict user menus you must go into the Navigation pane designer and un-assign the new user to any menus you don't want him/her to have.

In our case I made a few new menus for each user type so we don't use the standard payables, sales, warehouse menus ect. but everytime I add a new user all these show up for them by default. would be much easier if default was no assigned menu and then I could just add to the one menu they would need.

gri

there is this thing called user rights setup which you could find somewhere in the 4.0 cd's or in that awfull mess called partnersource.
basicly it uses client monitor to create a role.
it's almost good, but you have to make sure that you have the client monitor granule in your licence (of course, if your working in a NSC)
and merry cristmas to you and, boy, that campari orange hasn't to much orange in it, hasn't it?

sharks

it's in the tools cd. to download click here