Creating A Security administrator

    Posted by adam-jacobson on July 5, 2017 at 12:32 pm
    • Adam Jacobson

      Member

      July 5, 2017 at 12:32 PM

      Happy Summer,
      We have a security driven by an audit situation.
      Now, before I start, I know that once a person can set up security they can theoretically give themselves anything. Still, I’m wondering if someone can just have the security permission set (in addition to the foundation). We’ve tried this and right now we believe that won’t work – the security admin needs more rights.
      Thoughts?
      NAV 2016.
      Adam

      ——————————
      Adam Jacobson
      President
      Red Three Consulting, Inc.
      Bronx NY
      ——————————

    • Franz Kalchmair

      Member

      July 5, 2017 at 3:35 PM

      If you mean security permissions in NAV, role super, then that is the role with max. permission NAV level. The levels behind that are the database/SQL level and the AD/Windows rights.

      ——————————
      Franz Kalchmair
      Dynamics NAV Consultant
      Cegeka Business Solutions
      Vienna
      ——————————
      ——————————————-

    • Adam Jacobson

      Member

      July 6, 2017 at 9:03 AM

      No, I don’t want them to have a role called Super or anything like it. There is a permission set called Security. That’s the one I want to assign.
      I am focused entirely here on the minimum one needs in NAV. This person won’t be doing database level work.

      ——————————
      Adam Jacobson
      President
      Red Three Consulting, Inc.
      Bronx NY
      ——————————
      ——————————————-

    • Meenakshi Singh

      Member

      July 7, 2017 at 11:34 AM

      You definitely need to have one “Super” role and one user assigned to that role to manage the database. However, after that, you can certainly control who gets what permission and give the minimum required.

      For example, I have created a “Super – READ ONLY” that gave permission to the leadership team to only read/review data in NAV without making any accidental changes. Then, some teams only have read only for Sales orders/invoices/posted shipments and invoices, as all they need is to review the revenue for the day/month or year.

      So that’s one way of controlling permissions and managing security. Is that what you are looking for?

      ——————————
      Meenakshi Singh
      Manager of Business Applications
      Home Market Foods, Inc.
      Norwood MA
      ——————————
      ——————————————-

    • Ian Ray

      Member

      July 6, 2017 at 10:23 AM

      “Security” role can only grant permissions that they have.

      By the way the role is designed, you could have a user allowed to do certain things in a certain area grant permissions to people they work with. As an example, you could have a user able to post invoices with security role grant permission to another user to post invoices.

      In order to do what you describe, the minimum permission set for a security role user would be every permission set that they can grant other users.

      ——————————
      Ian Ray
      Cypress Grove
      Arcata CA
      ——————————
      ——————————————-
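The rule described in the post above, as an added example that is not part of the original thread and is not NAV's own code: a simplified model in which a security administrator can hand out a permission set only when their own effective rights cover every right in it. The set names other than SECURITY, the rights letters, and the rights-level comparison are assumptions of this model.

```python
# Simplified model of "can only grant permissions that they have".
# Constructed sample data: every set except SECURITY is hypothetical.
from collections import defaultdict

# permission set -> {object: rights}; rights are R, I, M, D (tables) or X (execute)
PERMISSION_SETS = {
    "SECURITY":   {"Table:User": "RIMD", "Table:Access Control": "RIMD",
                   "Table:Permission Set": "RIMD", "Table:Permission": "RIMD"},
    "AP-INVOICE": {"Table:Purchase Header": "RIMD", "Codeunit:Purch.-Post": "X"},
    "AP-PAYMENT": {"Table:Gen. Journal Line": "RIMD", "Codeunit:Gen. Jnl.-Post": "X"},
    "AP-REVIEW":  {"Table:Purchase Header": "R", "Table:Gen. Journal Line": "R"},
    "SALES-READ": {"Table:Sales Header": "R"},
}

def effective(assigned):
    """Union of rights per object across all permission sets a user holds."""
    rights = defaultdict(set)
    for name in assigned:
        for obj, letters in PERMISSION_SETS[name].items():
            rights[obj] |= set(letters)
    return rights

def missing_for_grant(admin_sets, target):
    """Rights in `target` the admin lacks; an empty dict means grantable."""
    held = effective(admin_sets)
    gaps = {}
    for obj, letters in PERMISSION_SETS[target].items():
        lacking = set(letters) - held.get(obj, set())
        if lacking:
            gaps[obj] = "".join(sorted(lacking))
    return gaps

def grantable(admin_sets):
    """Names of all permission sets this admin could assign to others."""
    return sorted(n for n in PERMISSION_SETS
                  if not missing_for_grant(admin_sets, n))

if __name__ == "__main__":
    for held in (["SECURITY"],
                 ["SECURITY", "AP-INVOICE"],
                 ["SECURITY", "AP-INVOICE", "AP-PAYMENT"]):
        print(held, "->", grantable(held))
    print(missing_for_grant(["SECURITY", "AP-INVOICE"], "AP-REVIEW"))
```

In this model an administrator holding only SECURITY can assign nothing but SECURITY, which matches the original poster's observation that the security admin "needs more rights".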

    • Andrea Wasley

      Member

      July 6, 2017 at 4:43 PM

      Will this person ONLY be doing securities or will they have other tasks in NAV (like order entry, general ledger, etc.)?

      I was wondering if they had a role that was “SUPER – READ ONLY” (which would be the same as ‘super’ but read only) if that would give them enough permission to do securities without too much?

      I have a role set up so that developers cannot do securities, but not the reverse.  Interesting idea though.

      ——————————
      Andrea Wasley
      Project Manager
      NOCO Energy Corp.
      Tonawanda NY
      ——————————
      ——————————————-

    • Adam Jacobson

      Member

      July 7, 2017 at 3:14 PM

      Ian’s answer clarifies this for me.
      Thanks all for the assistance.


    • Wanda Roldan

      Member

      July 7, 2017 at 12:49 PM

      Adam,

       

      There are many variables that will allow for methods to access the database. You have your SQL access rights that could have SysAdmin and DBO access level to manage the database and also to extract data from the NAV database without logging into NAV. You also have the opposite, where a user is set up with generic public access rights in SQL but has SUPER or SUPER (DATA) in NAV. The login can be within a “Windows Group” that also inherits Active Directory permissions or it can be a Database Login with additional permission sets from SQL Server.

       

      If your Security Admin is going to only set up NAV Security, then the NAV role for SECURITY with a BASIC or ALL Role should work. Make sure that your BASIC / ALL (depending on NAV Version) is not customized to give out more than just access to open the client application to perform the SECURITY functions needed. If it is, then someone with the SUPER role should set up the access for your SECURITY admin and log in as that individual into NAV to confirm access is restricted as needed by the auditors.

       

      Most likely you are aware that setting up NAV permissions is a cumbersome process (setup, synchronize login (depending on NAV version), test, correct, re-sync, retest, etc.). There is an add-on tool called Easy Security that can help you with this process.

       

       

      ——————————
      Wanda Roldan
      Technology & Management Consulting
      RSM US LLP
      New York, NY
      ——————————
      ——————————————-

    • Henrik Helgesen

      Member

      July 7, 2017 at 12:52 PM

      Have You looked at EasySecurity from mergetool.com?

      One of the features they have, is for that specific purpose. You set up a separate company (Security Management) and the person(s) that manage security only have permissions to that company.

      Then You update permissions and such in THAT company, and You are able to publish the permissions to the other companies, once You are done.

      From their Best Practices Section:

      What Company to use for Easy Security data

      Data in Easy Security should be maintained in a company that can be controlled with specific permissions, meaning a company that is not used for other purposes than security setup. This can allow a person in the IT department working on security to have full permissions to the NAV Easy Security application in that company. By using a NAS (NAV Application Server), it is possible to have a person without SUPER rights maintain and publish permissions. They cannot even change their own permissions by using the Login Setup to lock down the user. A blank company without any data is the best to use for the data in Easy Security. By using a separate company the NAV Easy Security setup wizard can also be run at a later point if the initial data needs to be re-initialized. Other companies can be setup for recording only. This is easily done with the setup wizard in Easy Security. Recordings done in one company with the SQL Profiler is only a list of required permissions and is imported in the NAV Easy Security company. The Launch Objects feature used for recording especially of Role Centers can also be used from any company. The data in the Easy Security company is used to calculate the needed information. Although Restore Points and Recordings can be exported and imported, a lot of other data is being used when publishing permissions. Without maintaining all the data in the company, Object Level Security, Permission Groups, Company Groups and features in the Permission Set Builder will not work the same way if reinstalled in a new company. All Data from the original company can be exported and imported to the new company. This is also the approach to move an Easy Security setup from a test to a production environment. A CRONUS company should not be used for maintaining security. Based on the special permissions in a company starting with the word “CRONUS”, recordings may not always be correct. The message from Easy Security will also warn the user about this when running processes in Easy Security.

      ——————————
      Henrik Helgesen
      President | Helgesen Consulting, Inc. | Burbank | CA
      ::blog: http://eshipguy.com ::
      ——————————
      ——————————————-

    • Eduardo Diaz

      Member

      July 7, 2017 at 3:11 PM

      I will need to concur with Henrik. The best way to deal with security rights is to use Easy Security. Check some of the recorded webinars for more details.

      ——————————
      Eduardo Diaz
      IT Director
      Minequip Corp.
      Miami FL
      ——————————
      ——————————————-

    • Robert Cook

      Member

      July 7, 2017 at 12:52 PM

      Each of our Super Users is also a regular user, generally with Controller-type access.  These users have two separate logins, a Super User account that they use only for security and other high-level settings and an account with their ongoing, day-to-day privileges that they use for their regular work.  

      Any time they log in to the Super User account, they log the date, time and action taken in a spreadsheet.  Auditors can then cross-reference any activities in the system with that login to the documentation in the spreadsheet.

      ——————————
      Robert Cook
      Senior Director of Finance
      Washington State Housing Finance Commission
      Seattle WA
      ——————————
      ——————————————-

    • Amanda Mayer

      Member

      July 7, 2017 at 1:32 PM

      The best way to accomplish this would be to use some sort of identity management tool because unfortunately any user that has permissions to grant security roles/permissions to other users in NAV can ostensibly change their own permissions as well. I know there are a couple available, the one I am most familiar with is Identity Manager from Fastpath – http://www.gofastpath.com/products/identity-manager.

      ——————————
      Amanda Mayer
      New View Strategies
      Milwaukee WI
      ——————————
      ——————————————-

    • Greg Sizemore

      Member

      July 10, 2017 at 8:38 AM

      This is always an issue for database security. This is also a major reason that the audit tables were created, to track activity. You can view the audit report on a regular basis to see what each user has done.

      For example, we have users set-up that can create purchase invoices and we have users set-up that can create payment journals and that can approve payments.  However, because of segregation of duties, users should not be able to do both.  How do I ensure that a user does not create the bill and pay the bill?  Take a look at the audit logs.

      From an audit perspective, you must assume the worst and review with the expectation that your employees are always looking for ways to get the best of you.  I once had a teacher that said to run a report for all your vendor payments and check the addresses against your employees.  You may be very surprised.

      ——————————
      Greg Sizemore
      Cost Accountant
      Kureha PGA LLC
      Belle WV
      ——————————
      ——————————————-
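The audit-log review described in the post above, as an added example that is not part of the original thread: a segregation-of-duties check that flags a user who both created a bill and paid it. The entry layout, action names, users and document numbers are constructed for illustration and are not real NAV audit output.

```python
# Constructed audit entries: (user, action, document).
from collections import defaultdict

AUDIT = [
    ("ALICE", "CREATE_PURCH_INVOICE", "PI-001"),
    ("BOB",   "CREATE_PAYMENT",       "PI-001"),
    ("CAROL", "APPROVE_PAYMENT",      "PI-001"),
    ("DAVE",  "CREATE_PURCH_INVOICE", "PI-002"),
    ("DAVE",  "CREATE_PAYMENT",       "PI-002"),   # same user bills and pays
    ("ERIN",  "APPROVE_PAYMENT",      "PI-002"),
    ("FRANK", "CREATE_PURCH_INVOICE", "PI-003"),
    ("ALICE", "CREATE_PAYMENT",       "PI-003"),   # ALICE also billed PI-001
    ("GINA",  "APPROVE_PAYMENT",      "PI-003"),
    ("GINA",  "LOGIN",                ""),         # irrelevant action, ignored
]
BILLING = {"CREATE_PURCH_INVOICE"}
PAYING = {"CREATE_PAYMENT", "APPROVE_PAYMENT"}

def sod_findings(entries):
    """Return users who billed and paid the same document, and users who
    acted on both sides of the process across different documents."""
    by_doc = defaultdict(lambda: {"bill": set(), "pay": set()})
    by_user = defaultdict(lambda: {"bill": set(), "pay": set()})
    for user, action, doc in entries:
        if action in BILLING:
            side = "bill"
        elif action in PAYING:
            side = "pay"
        else:
            continue
        by_doc[doc][side].add(user)
        by_user[user][side].add(doc)
    # Strongest finding: one person created the bill and paid that same bill.
    same_doc = sorted((doc, user) for doc, s in by_doc.items()
                      for user in s["bill"] & s["pay"])
    flagged = {user for _, user in same_doc}
    # Weaker finding: the user holds both duties, even if never on one document.
    both_roles = sorted(u for u, s in by_user.items()
                        if s["bill"] and s["pay"] and u not in flagged)
    return {"same_document": same_doc, "both_roles": both_roles}

if __name__ == "__main__":
    print(sod_findings(AUDIT))
```

The `both_roles` list is worth reviewing alongside the permission setup, because it shows accounts that were able to perform both duties even though no single document was handled end to end by one person.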

    • Adam Jacobson

      Member

      July 10, 2017 at 11:00 AM

      Thanks for all your answers.
      The fundamental answer is that this can’t be done with base NAV.
      We’re not going to invest in new software to solve the problem unless the auditors make an issue of it.
      (I had actually recommended that we check out easy security. But our partner said that it was unnecessary. I’m sure we’ve spent more doing the setup ourselves. But such is life).
      Thanks again.

      ——————————
      Adam Jacobson
      President
      Red Three Consulting, Inc.
      Bronx NY
      ——————————
      ——————————————-
