Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.5K Microsoft Dynamics NAV
- 18.5K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 269 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 992 SQL General
- 384 SQL Performance
- 33 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Options
Guest role
hvdhoeven
Member Posts: 99
I can remember that I've read that it is advised to use the SQL guest role for regular NAV users.
Now I read something completely different:
"The guest User Account
After a user has been authenticated and allowed to log in to an instance of SQL Server, a separate user account must exist in each database the user has to access. Requiring a user account in each database prevents users from connecting to an instance of SQL Server and accessing all the databases on a server. The existence of a guest user account in the database circumvents this requirement by allowing a login without a database user account to access a database.
The guest account is a built-in account in all versions of SQL Server. By default, it is disabled in new databases. If it is enabled, you can disable it by revoking its CONNECT permission by executing the Transact-SQL REVOKE CONNECT FROM GUEST statement. In SQL Server 2000 you can disable it by executing the Transact-SQL sp_dropuser or sp_revokedbaccess system stored procedures.
Security Note:
Avoid using the guest account; all logins without their own database permissions obtain the database permissions granted to this account. If you must use the guest account, grant it minimum permissions."
My organisation is an University of applied science and we would like our students to work with NAV to understand the concepts of ERP. We would like to give the students access to the SQL Server with a NAV SQL Client, that is installed on the students notebook. Our present idea is that the guest role is a safe solution: this user has very limited rights. In the text above you can read the opposite (or do I misunderstand this text? :? ).
We're planning to use SQL Server 2005 (not 2000).
Can you give me your opinion on this matter?
Now I read something completely different:
"The guest User Account
After a user has been authenticated and allowed to log in to an instance of SQL Server, a separate user account must exist in each database the user has to access. Requiring a user account in each database prevents users from connecting to an instance of SQL Server and accessing all the databases on a server. The existence of a guest user account in the database circumvents this requirement by allowing a login without a database user account to access a database.
The guest account is a built-in account in all versions of SQL Server. By default, it is disabled in new databases. If it is enabled, you can disable it by revoking its CONNECT permission by executing the Transact-SQL REVOKE CONNECT FROM GUEST statement. In SQL Server 2000 you can disable it by executing the Transact-SQL sp_dropuser or sp_revokedbaccess system stored procedures.
Security Note:
Avoid using the guest account; all logins without their own database permissions obtain the database permissions granted to this account. If you must use the guest account, grant it minimum permissions."
My organisation is an University of applied science and we would like our students to work with NAV to understand the concepts of ERP. We would like to give the students access to the SQL Server with a NAV SQL Client, that is installed on the students notebook. Our present idea is that the guest role is a safe solution: this user has very limited rights. In the text above you can read the opposite (or do I misunderstand this text? :? ).
We're planning to use SQL Server 2005 (not 2000).
Can you give me your opinion on this matter?
0
Comments
You can experiment what you want with roles and permissions, and use whatever you think is correct, but the recommended way to set up users in NAV on SQL Server (2005 or 2000, doesn't make a difference for NAV) is to assign the users on SQL Server to the public role, and take care of permissions within the NAV client. Set your NAV database up with 'standard' security model, and those users won't even be able to connect directly to SQL Server, unless you give them that right directly on SQL Server.
I don't know who told you that it is recommended to use the guest role for regular NAV users, but that is not correct. The guest role, as it states in BOL, comes with those security issues that you will want to avoid. The safest way to manage authentication and permissions is to assign each user with their own used ID. It takes more effort the more users there are, but it will be much easier to manage.
RIS Plus, LLC
MVP - Business Apps
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n