Security related. Renaming / Removing the Super User Role
najja
Member Posts: 67
Hello All,
For security reasons we need to make some strict policies for the Navision users. I would like to know:
1. Is it possible to rename or remove the SUPER role? When I tried renaming it, it didn't allow me, telling me that at least one user should be there in 'SUPER'. So the name should be SUPER only and nothing else.
2. How do I create a user who has all the administrative privileges of SUPER but should not be able to perform any transactions? Usually the IT team manages the application and requires admin privileges like adding users, setting up roles, user setup, change log setup and privileges to configure other functionalities like Business Notifications, Employee Portal etc. But this user should not be able to do any posting or delete any transactions from any of the tables.
3. Likewise we would also need to set up a 'Functional Super User' who will be like a business head but will not have any admin-related privileges like adding users etc. But he should have privileges for User Setup to control the posting period, time register etc.
Please help me.
Regards
najja
You just need to create your own roles, but still, one user account must be a member of the SUPER role / you cannot change that...
If you need to have users able to set up the system but not post, you need to give them permissions to insert/modify/delete the correct tables (roles, user, windows user etc.) but not give them permissions for the transactional tables (posted documents, ledger entries etc.). And vice versa for the functional admins...
Thanks Kine. That's exactly what we have thought of. Needed expert confirmation on the same.
For the SUPER role, the workaround we have thought of is to create a new AD Admin User, make him the SUPER in NAV and not reveal that account to anyone including the admin (of course the AD admin will know).
Is there any better way of doing this?
Najja
Hello All,
There is a practical difficulty which we are not able to crack. Suppose I create a new role, which is SUPER (minus) transaction table rights, and name that role 'NAV-ADMINS'. I am giving them exclusive permissions explicitly for the following tables:
Company
Database Key Groups
Member Of
Object
Object Translation
Permission
Printer Selection
Property Store
Record Link
Report List Translation
sysdiagrams
User
User Default Style Sheet
User Menu Level
User Role
Windows Access Control
Windows Login
The problem is that users with this role can later log in and add the default 'SUPER' role to themselves, or to any other NAV users. Is there any way we can restrict that?
Regards
Najjaf
Record level security in SQL?
Yes! There is a way to restrict the same.
Access the Member Of table in design mode. Now, in the <on validate> of the Role ID field, add the following code:
IF "Role ID"='SUPER' THEN
  ERROR('Cannot Select This Role');
Hope this would solve your problem of selecting the default SUPER role by the users.
Diptish Naskar
For any queries you can also visit my blog site: http://msnavarena.blogspot.com/
There is a special role "SECURITY" which has one special function - if you are a member of this role, you can create users and assign them roles, but only roles you are a member of. It means you cannot assign the SUPER role to anyone if you are not a member of the SUPER role. But this has one CONS for you: the admin needs to have access to the transactional tables if he will assign roles to common users who need these permissions. But you can limit the user by assigning him non-existing Posting date limits and prevent him from changing the limit in the User Setup for his login... ;-)
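An added example, not part of the thread and not NAV's own code: an audit over exported role data that flags non-SUPER users whose roles can write the role-assignment tables named above, which is the self-assignment path described for 'NAV-ADMINS'. The rows are constructed, the Permission rows are simplified to table names, and the role names FUNC-SUPER and AUDITOR and all user IDs are hypothetical; a user who only holds SECURITY is not flagged, matching the behaviour described in the last reply.

```python
from collections import defaultdict

# Tables from the thread's list whose write access changes who holds a role
# ("assign") or what a role is allowed to do ("redefine").
ESCALATION_TABLES = {
    "Member Of": "assign",
    "Windows Access Control": "assign",
    "Permission": "redefine",
}

# Constructed sample data (not a real export). Permission rows are simplified
# to (role, table name, insert allowed, modify allowed).
PERMISSIONS = [
    ("NAV-ADMINS", "User", True, True),
    ("NAV-ADMINS", "Member Of", True, True),
    ("NAV-ADMINS", "Permission", True, True),
    ("FUNC-SUPER", "User Setup", True, True),
    ("AUDITOR", "Member Of", False, False),  # read-only access, no write
]
MEMBER_OF = [  # (user, role), all hypothetical
    ("BREAKGLASS", "SUPER"),
    ("ITADMIN1", "NAV-ADMINS"),
    ("ITADMIN2", "SECURITY"),
    ("BIZHEAD", "FUNC-SUPER"),
    ("REVIEWER", "AUDITOR"),
]


def escalation_paths(member_of, permissions):
    """Map each non-SUPER user to the (role, table, kind) rows that let them reach SUPER."""
    writable = defaultdict(list)
    for role, table, can_insert, can_modify in permissions:
        if table in ESCALATION_TABLES and (can_insert or can_modify):
            writable[role].append((table, ESCALATION_TABLES[table]))

    roles_of = defaultdict(set)
    for user, role in member_of:
        roles_of[user].add(role)

    findings = {}
    for user, roles in roles_of.items():
        if "SUPER" in roles:
            continue  # already SUPER: nothing to escalate to
        paths = sorted((r, t, k) for r in roles for t, k in writable.get(r, []))
        if paths:
            findings[user] = paths
    return findings


if __name__ == "__main__":
    for user, paths in escalation_paths(MEMBER_OF, PERMISSIONS).items():
        for role, table, kind in paths:
            print(f"{user}: role {role} can write '{table}' ({kind} path to SUPER)")
```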
