Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.5K Microsoft Dynamics NAV
- 18.5K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 270 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 992 SQL General
- 384 SQL Performance
- 33 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Options
Navision Security
Navaudit
Member Posts: 4
Dear all,
The company that I am auditing now has set up its own security in Navision. They even declared a new "ALL" role, which means that all these permissions are attached to it. But I find something strange about the setup and cannot judge whether the setup contains a risk for the Company:
All / object (O, all rights)/ Table / Permissions: YES (read, insert, delete execute)
All / Object (O, all rights)/ Table data / Permissions: Indirect (read), YES (Execute)
Does this means that user are able to delete or modify tables if they wish? Ps: they recently switched from Native to SQL db
Could somebody provide me with an answer please, 8-[
Navaudit
The company that I am auditing now has set up its own security in Navision. They even declared a new "ALL" role, which means that all these permissions are attached to it. But I find something strange about the setup and cannot judge whether the setup contains a risk for the Company:
All / object (O, all rights)/ Table / Permissions: YES (read, insert, delete execute)
All / Object (O, all rights)/ Table data / Permissions: Indirect (read), YES (Execute)
Does this means that user are able to delete or modify tables if they wish? Ps: they recently switched from Native to SQL db
Could somebody provide me with an answer please, 8-[
Navaudit
0
Comments
TableData permissions give access to data in the tables.
Giving a Indirect access to all data in tables is a potential risk as it quite difficult to ensure, that all objects (forms, reports, codeunits, etc) what are giving "missing half" of the permission are used only by authorized persons. It is always possible that a developer has accidentally given a permission to a form what is usable by everybody.
In current situation, the indirect permission to read data is not a threat to compromise data but users can potentially have access to data they should not see.