Dilemma with permissions

Bitwise
Member Posts: 20
Hi all.
I hope somebody can help me.
I have a small customer on 2.60, who just hired a new employee. This will be the first user, who isn't a superuser. The new user must be able to perform a number of tasks, but he must be restricted from seeing G/L Accounts, which is TableData 15.
If I try to remove read rights for TableData 15 from his roles, then he isn't able to post invoices and other tasks. But if he has read rights for G/L Accounts, then he can freely look at Chart of Accounts.
My thought is, that then I must restrict him on form level by granting him Execute rights to all forms EXCEPT Chart of Accounts. However, I can't find an easy way to do this without having to manually set 1200+ form rights to yes.
My question is twofold:
A) Am I taking the right approach to this? (by restricting on form level)
and
B) Is there an easier way to set up rights for a large number of objects at the same time?
Thanks in advance
and Happy holidays.

Answers
-
You can set indirect read access to the table and allow all form access.
-
Yes, but that doesn't seem to work the way I expected. The user can still open the Chart of Accounts form, even if he's only got indirect read rights to TableData 15. :?
-
Bitwise wrote: Yes, but that doesn't seem to work the way I expected. The user can still open the Chart of Accounts form, even if he's only got indirect read rights to TableData 15. :?
Sorry, my memory failed me. What happens when I set indirect read rights to TableData 15 is:
The user can NOT open Chart of Accounts (good),
but the user can not post invoices either (very bad).
During the posting operation, it gives an error message saying that you need read rights for Table 15.
-
Where does the error occur? You can set the rights to the object. Every object has permissions, separate from the user permissions.
Just add the read rights to the object.
-
Objects have permissions too? That sounds interesting. How do I use that?
The error occurs in codeunit 12, if that's any help.
-
Just open the codeunit and hit the properties button. Permissions are there.
Good luck.
-
Great, that seems to do the trick. Cheers Mark =D>
And I even learned something new today.
-
Darn. It still doesn't work as it's supposed to.
The user (who only has indirect read rights to table 15) opens an invoice (which has read rights to table 15 and so does the subform of the invoice).
Next the user stands on a line on the invoice, where the type of the line is Finance. He does a lookup on the number field and voila, the Chart of Accounts overview opens as it is supposed to.
Next the user creates a new line on the invoice. Type is finance, but when the user tries a lookup from the empty number field, he gets an error about missing read rights to table 15. ](*,)
Am I missing additional read rights on other objects, e.g. an underlying code unit? Are the read rights on the invoice form inherited by other objects instantiated by the invoice? Why can't I get anything to work today? (don't answer that last question 8-[ )
-
Maybe you can try the following:
Add the debugger to the role you want to change
Start the debugger before you test (only active, not on breakpoints)
The debugger should point out the object that needs the permissions.
Good luck.
-
That was my first thought too, but unfortunately that doesn't work. The debugger isn't activated when the error message comes from the permission system.
-
And what about code coverage or the client monitor?
-
As far as I can see, it occurs somewhere in the "No. - OnValidate()" trigger on table 37 Sales Line.
Is there a way to give a table read rights to another table? I can't find the Permissions property on Tables.
-
Found out how to give table 37 read rights to table 15, but that didn't fix the problem.
It's like the permissions on the objects aren't taken into consideration in this special case :-k
I'm still clueless.
-
When I'm standing on the empty No. field, and I activate the debugger WITH break on triggers, I don't get into any code before I get the error message, when I press lookup.
So the error must be from the system itself. That's kinda hard to fix, right?
-
Yes, it is hard to find the object. You can use the debugger with the triggers active to browse through the code.
You can also put in messages in the code to see what code is executed.
Or try the client monitor or code coverage.
-
Yes, I guess I'll have to raise this as a support incident for MBS.
But I just can't believe that nobody has solved this before. Surely there must be other companies with users who aren't allowed to see the full chart of accounts with balances and everything, but who still can create finance lines on an invoice using the Chart of Accounts list.
-
Ah, finally found the answer.
I needed to add read rights to table 15 on the following objects:
Table 37
Forms 18, 43, 44, 47 and 96
Code units 12, 80 and 378
Why must security be so difficult in Navision? #-o
-
Security is probably one of Navision's weakest points; it's fairly flexible, but it's a bitch to maintain.
Julian Harper
IT Manager
Laytons Wine Merchants Ltd
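
Added example, not part of the original thread: every object whose Permissions property grants read on TableData 15 is a path by which a user with only indirect read rights can reach G/L account data, so it is worth auditing that set against the list in the final answer above. The sketch below does this in Python over a text export of the objects; the export layout, the object names and Form 50000 are constructed assumptions.

```python
import re

# Objects the thread's final answer lists as needing read rights on table 15.
EXPECTED = {("Table", 37), ("Codeunit", 12), ("Codeunit", 80), ("Codeunit", 378),
            ("Form", 18), ("Form", 43), ("Form", 44), ("Form", 47), ("Form", 96)}

# Constructed sample; the export layout is assumed, Form 50000 is hypothetical.
SAMPLE_EXPORT = """\
OBJECT Codeunit 12 Gen. Jnl.-Post Line
{
  PROPERTIES
  {
    Permissions=TableData 15=r,
                TableData 17=imd;
  }
}
OBJECT Form 43 Sales Invoice
{ PROPERTIES { Permissions=TableData 15=r; } }
OBJECT Codeunit 80 Sales-Post
{ PROPERTIES { Permissions=TableData 36=imd; } }
OBJECT Form 50000 Hypothetical Account Viewer
{ PROPERTIES { Permissions=TableData 15=r; } }
"""

OBJECT_RE = re.compile(r"^OBJECT (\w+) (\d+) ?(.*)$", re.M)
PERM_RE = re.compile(r"Permissions=(.*?);", re.S)   # whole property, may span lines
ENTRY_RE = re.compile(r"TableData (\d+)=([rimd]+)")  # one "TableData N=rights" entry

def objects_granting(export_text, table_id, right="r"):
    """Return {(type, id)} of objects whose Permissions property grants `right`."""
    granting = set()
    parts = OBJECT_RE.split(export_text)  # [pre, type, id, name, body, ...]
    for i in range(1, len(parts), 4):
        obj_type, obj_id, body = parts[i], int(parts[i + 1]), parts[i + 3]
        prop = PERM_RE.search(body)
        for tid, rights in ENTRY_RE.findall(prop.group(1) if prop else ""):
            if int(tid) == table_id and right in rights:
                granting.add((obj_type, obj_id))
    return granting

def audit(export_text, table_id=15):
    """Compare the objects granting read on `table_id` with the expected set."""
    granting = objects_granting(export_text, table_id)
    return {"missing": sorted(EXPECTED - granting),
            "unexpected": sorted(granting - EXPECTED)}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

An "unexpected" entry is an object that exposes table 15 to indirect-read users without being on the intended list; a "missing" entry is one where posting or lookup would still fail with the permission error.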