problem with USERID when used domain accounts

Robik · 2004-11-21

Hello everyone,
i am using navision roles for my own rights to some objects (i want to have some buttons to be visible only for account with SUPER role, for example...) and with database accounts it is not problem (just use of 1 navision table - Member Of and command USERID, which return current user) but when i use the domain accont, the command USERID returns only second part of domain name (returns only Tom for account DOMAIN/Tom) and beside i have to use different table Windows Access Control, instead of Member Of - i cannot get the correct record, if i dont want use wrong method like SETFILTER('Login ID', '@*/TOM') which is correct for atleast some settings (not same names in different domains)...

any workarounds here?

Robik

g_dreyer · 2004-11-22

Hi Robik,

Query the Session table where MySession = True.
This would give you Domain\User, and also the Login Type (Windows,Database).

This should be enough information to query the correct table, in order to find out whether the user belongs to SUPER or not.

Regards,
Gus

Robik · 2004-11-22

Thanks Gus
Works great

g_dreyer · 2004-11-23

You're welcome!!

afarr · 2004-12-23

Gus,
I've been messing around for hours with the "Windows Login" table, and the virtual table "SID - Account ID", trying to match the USERID (uppercase, no domain name) with the "User ID" (mixed-case, with domain name, that is a FlowField). Your post was very helpful.

Thanks,
Alastair

Urmas · 2005-02-21

Just a hint.

You should use the Sessions table only to query the type of authentication. It normally makes no sense to use the username from this table. It is better to use user sid virtual table what contains all sids of a current user. You should in fact check them all, as user may have permissions also granted due to belonging in some activedirectory group.

afarr · 2005-02-22

I am using both the Sessions table and the SID table. Here is the relevant code.

CLEAR(SessionRec);
SessionRec.SETRANGE("My Session",TRUE);

IF SessionRec.FIND('-') THEN
BEGIN
UserLogName := SessionRec."User ID";

tblSIDConversion.SETCURRENTKEY(ID);
tblSIDConversion.SETRANGE(ID,SessionRec."User ID");

IF tblSIDConversion.FIND('-') THEN
BEGIN
tblWinAccess.SETFILTER("Login SID",tblSIDConversion.SID);

tblWinAccess.SETFILTER("Role ID",PurchPayablesSetup."PO Release Role ID");
Bool_ReleaseAllowed := tblWinAccess.FIND('-');
END;

Urmas · 2005-02-22

The problem there is that you get the existance of the permission only for user actual login ID. User may have inherited permissions also by belonging to group (for example Domain Admins may have be granted a SUPER role). In fact there is no sense of having the user ID itself as the windows permissions table is definyning relations between roles and windows SID-s AND User Sid table contains all SIDs what the user has (all groups and personal ones). So by connecting those two tables, you'll get the actual permission "matrix"

the relevant code would be:

// Check the logon type
recSession.SETRANGE("My Session",TRUE);
recSession.FIND('-');
CASE recSession."Login Type" OF
  // Database auth - do as in old good days
  recSession."Login Type"::Database :
      IF NOT recUserRole.GET(USERID,'SAM_MANAGER') THEN
        ERROR(txtSecurityError);
  // Windows auth - check all sids - user may have role tied to NT group
  recSession."Login Type"::Windows :
    BEGIN
      blnFound := FALSE;
      IF recUserSID.FIND('-') THEN
      REPEAT
        blnFound := recWindowsRole.GET(recUserSID.SID,'SAM_MANAGER');
      UNTIL (recUserSID.NEXT = 0) OR (blnFound);
      IF NOT blnFound THEN
        ERROR(txtSecurityError);
    END;
END;

afarr · 2005-02-22

"User Sid table contains all SIDs that the user has"
But surely it contains many other SIDs as well. How are you going to filter them out?

Urmas · 2005-02-22

No. The User SID table contains ONLY these SID-s what are granted to currently logged in user (ie the results will be different for each user). So, if you query the table on runtime you will get the sids of the actual user and therefore also you can get the permissions for all the sids what the actual user is having.

For example the SID table for me contains following rows:

ID
Everyone
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NETWORK
RLK\URMAS
RLK\Arvutuskeskus
RLK\KONTROLLERID
RLK\IT OSAKOND
RLK\kmp-admin
RLK\METAFRAME1
RLK\Domain Admins
RLK\Domain Users
RLK\Domain Guests
RLK\Enterprise Admins
BUILTIN\Administrators
BUILTIN\Users

(sorry - I will not publish actual SID-s for understandable reasons).
This list is specific to me only. Naturally someone else can have also SID of RLK/Users and also permissions tied to this group.

afarr · 2005-02-24

Urmas,
thanks, the code worked, with one small change - I used something like

blnFound :=
recWindowsRole.GET(recUserSID.SID,'My Role',COMPANYNAME) OR
recWindowsRole.GET(recUserSID.SID,'My Role','');

By the way, I just learnt from a Navision.net posting that in Navision 4.0 the individual users' Windows Accounts must be added to the Windows login table (see quote below).

Alastair

Security and Permissions

In previous versions of the SQL Server Option for Navision, you can enter a Windows group in the Windows Login table and assign Navision roles to this group. Any user who is member of this group is assigned these permissions when they log on to the system and open this database.

In Navision 4.0 you must enter the Windows group in the Windows Login table and enter the Windows account for each individual user that is a member of that group. You do not need to assign any Navision roles to the individual users as long as the roles that the Windows group is assigned contain all the permissions that the users need. The users Windows account must be entered in the Windows Login table before any SQL permissions can be assigned to that user in the SQL database.

From "Update for Microsoft Business Solutions-Navision 4 0.pdf"

problem with USERID when used domain accounts

Comments

Categories