Creating special Permission Set (Role) in NAV2013

rsaritzky
Member Posts: 469
Hi all,
I'm sure a number of you have used a technique for locking down a certain page to even SUPER users by creating a special Permission Set (called a Role in NAV2009 and earlier), then writing a small amount of code into the page to check the USERID to see if that role exists for that user.
In NAV2009 and earlier, you had to check the "Windows Access Control" table if you were using Windows Authentication and the "Member Of" table if you were using Database Authentication.
I'm trying to do the same thing in NAV2013. I've created a Permission Set record "SPECIAL" and assigned that Permission Set to a User.
Now, in my page, I'm trying to see if that Permission record exists in the Access Control table (used to be Windows Access Control). My first code attempt was the following:
    _accessControl.SETFILTER("User Name",USERID);
    _accessControl.SETFILTER("Role ID",'SPECIAL');
    IF NOT _accessControl.FINDFIRST THEN
      ERROR('You do not have permissions to access the special pages');
The FINDFIRST command above fails. I've run the debugger and USERID returns the <DOMAIN>\<USERNAME> string that is stored in the Access Control table. I can also run the table and manually set the filter and see the record I am looking for.
So, since "User Name" is a flowfield, I thought that maybe that was the issue. So instead, I attempted to look up the "User Security ID" (the primary key to the Access Control Table) in the USER table first:
    _userRec.SETFILTER("User Name",USERID);
    IF _userRec.FINDFIRST THEN BEGIN //<------ THIS FIND ALWAYS FAILS
      _accessControl.SETFILTER("User Security ID", _userRec."User Security ID");
      _accessControl.SETFILTER("Role ID",'SPECIAL');
      IF NOT _accessControl.FINDFIRST THEN
        ERROR('You do not have permissions to access the special pages');
    END ELSE
      ERROR('Cannot find record in User table for user ' + FORMAT(_userRec.GETFILTERS));
Again, the FINDFIRST fails, this time on the User table.
I've even tried stripping out the domain and backslash, searching only for the username portion and doing a case-insensitive search, e.g.
    Namelookup := COPYSTR(USERID, STRPOS(USERID,'\') + 1);
    _userRec.SETFILTER("User Name",'%1','*@'+NameLookup);
    IF _userRec.FINDFIRST THEN BEGIN...
Has anyone tried searching on USERID in either the Access Control table or User table in NAV2013 with success?
Thx
Ron
P.S. I know there are other techniques for adding a special role, such as adding a field to the user table. At this point, I'm looking to understand why the code above is not working.
Comments
-
There is a new system function USERSECURITYID that returns the primary key; then you can easily do a filter that works.
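The check suggested above, sketched in C/AL as an added example that is not part of the original thread: it filters the Access Control table on the "User Security ID" GUID returned by USERSECURITYID instead of the "User Name" flowfield. The function name HasPermissionSet and the "Company Name" filter (blank means the assignment applies to all companies) are assumptions added for illustration.

```cal
// Added example (not from the thread). HasPermissionSet is a hypothetical helper name.
PROCEDURE HasPermissionSet(RoleID : Code[20]) : Boolean;
VAR
  AccessControl : Record 2000000053; // "Access Control" system table
BEGIN
  // Filter on the GUID key of the current user; no lookup by user name is needed.
  AccessControl.SETRANGE("User Security ID", USERSECURITYID);
  AccessControl.SETRANGE("Role ID", RoleID);
  // Assumption: accept assignments made for all companies (blank) or for the current company only.
  AccessControl.SETFILTER("Company Name", '%1|%2', '', COMPANYNAME);
  EXIT(NOT AccessControl.ISEMPTY);
END;

// Page trigger: block the page unless the permission set is assigned to the current user.
OnOpenPage()
BEGIN
  IF NOT HasPermissionSet('SPECIAL') THEN
    ERROR('You do not have permissions to access the special pages');
END;
```

This only sees permission sets assigned directly to the user record; the thread's later comments cover why group memberships are not visible this way.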
-
Hi Per:
Nice!
OK next question smart guy:
If the user is part of any groups, they will have multiple SIDs (one for themselves and one for each group they are in). Is there any easy way to get ALL of a user's SIDs? The virtual table "User SID" used to have this but I don't think it does in Nav2013.
-
Thanks, Per! I will try it - or maybe implement Easy Security <grin>
Ron
-
There used to be a Windows Group Member (2000000052) table, but Microsoft does not maintain that in NAV 2013. Your only option is to read the Active Directory with Automation/.NET or something like that.