
BEST PRACTICES FOR DYNAMICS NAV ADMINISTRATION AND SECURITY


Per Mogensen
DESCRIPTION

We will take a relaxed approach and walk through our experts' best practices for proper administration, and security setup and maintenance, in and around Dynamics NAV. Draw on the collective experience as we share "what I would have done differently," and gain insight on the additional tools and resources available in the community.
#NAVUGCongress16
AGENDA

What is the difference between security and usability
Adding Access Controls to a User
Defining new Permission Sets (Roles)
How to design your security

WHY IS SECURITY NECESSARY?

Hide data like payroll, recipes, G/L or sales data
Protect data from accidental changes
Ensure data integrity by protecting setup
Segregation of duties
External requirements (SOX)
Auditors
ADDING ACCESS CONTROLS TO A USER

USER ACCESS CONTROL
Combines Roles/Permission Sets with companies
Access to single company or all companies
Permissions always add
Users can have access directly assigned or as part of groups using Active Directory
Best suited for a single company setup
High level access to NAV should be avoided
NAV 2013 or later requires users to be created in NAV
NAV 2016 supports groups in NAV
Still create data in the regular tables

LOGIN WITH WINDOWS GROUP

Can be administered directly in Active Directory
Many Windows Groups required when more than a single company
Works fine for low level access, but is a security risk for SUPER or similar access

DEMONSTRATION

Add new User
Add Access Controls to the user
Testing on a single computer
Run as a different User
Create Windows Group

DEFINING NEW PERMISSION SETS (ROLES)

PERMISSION SETS (ROLES)

A set of permissions for data, objects and system functions
Not related to companies, only to data and code
Access control under Users combines Permission Sets and Company
Data security possible with Security Filters
No Field Level control

WHAT CAN BE SECURED IN NAV
Data (TableData)
Read, insert, modify and delete access
Direct or indirect
Indirect access needs proper permissions in code
Indirect read is enough to calculate FlowFields

Objects (Forms/Pages, Reports, Codeunits…)
Execute
Design different object types (only in NAV 2009 and older)
Read, insert, modify and delete

System
Tools (Zoom, User administration…)
Execute
Design access (Importing fob, change report…)
Execute
NAV 2009 RTC, 2013 and later have limited functions that can be controlled. Only Zoom is currently controlled

INDIRECT PERMISSION TO TABLEDATA

Allow users to perform tasks by using the right process
Post documents, apply entries
Permissions added in code
License permissions use Indirect to control editing posted data

STANDARD PERMISSION SETS (ROLES)

Access to login and more
ALL/BASIC/FOUNDATION
Functional permission sets
S&R Q/O/I/C/B/R
System permission sets
TOOLS, ZOOM
High level access
SUPER, SUPER (DATA)

“SUPER” VERSUS “SUPER (DATA)”

“SUPER” can administer users
“SUPER” can design and change objects
“SUPER” can run tables from the designer
“SUPER (DATA)” and “BASIC” still have full access to the application
Consider creating other “SUPER” roles
“SUPER (READ)” read-only access to the complete application
“SUPER (TOOLS)” allow access to all tools

DEMONSTRATION

Correct Permission Errors
Edit Permissions based on existing Permission Sets
Record Permissions in NAV 2016
Create new Permission Sets
TOOLS, ZOOM, SUPER READ

HOW TO DESIGN YOUR SECURITY

BEST PRACTICES FOR DESIGNING ROLES

Focus on a small task in NAV
Make assigning permissions and testing simple
Small chance of breaking all roles when upgrading or adding new customizations
Do NOT make a single role for each user
Hard to maintain
Very hard to know if everything is covered
Cannot remove permissions easily without a lot of testing

ROLE CENTER VERSUS PERMISSIONS

Role Center gives access to view and improves usability
Permissions give access to perform tasks
BASIC role in NAV 2013 and later has too many permissions to view data
Access to Login/Logout (OK)
Access to execute objects (OK)
Access to read all data for ORDER PROCESSOR (wrong)
NAV 2009 VERSUS 2013+ SECURITY
NAV 2009
User connects directly to SQL database
User needs access to data in SQL database
Complex setup to allow impersonation for RoleTailored client
NAV and SQL database verify user credentials
NAV 2013 and later
Service user connects to SQL database
User needs NO access to data in SQL database
No requirement to use only SQL database or Windows login
NAV Service Tier verifies user credentials
No Login/Logout required after security changes
NAV 2009 and 2013 and later
Design access (Classic Client) requires access to SQL database
DBOwner for many design and security functions (2009 only)

LICENSE AND USER PERMISSIONS

User can never exceed the license permissions
Indirect license permissions are used to secure important posting data
Removed when buying 7300 Solution developer as a customer (be careful, security setup is much harder)
MenuSuite removes MenuItems based on license or user permissions
Classic: always removed from MenuSuite
RTC: optional based on setup, different by version; 2015 also includes removal of fields and actions on pages
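
Added example, not part of the original slides: a simplified Python model of how the rules on the USER ACCESS CONTROL and LICENSE AND USER PERMISSIONS slides combine (permission sets add up per company, a blank company means all companies, and the license is a ceiling). The user, companies, permission set names and license table are constructed sample data, and the three-level ordering blank < Indirect < Yes is the assumption the model rests on.

```python
# Levels ordered so max() merges grants and min() applies the license ceiling.
NONE, INDIRECT, DIRECT = 0, 1, 2  # blank < Indirect < Yes

# Constructed permission sets: (object type, id) -> {right: level}.
# TableData 17 = G/L Entry, 18 = Customer in the standard application.
PERMISSION_SETS = {
    "GL-READ": {("TableData", 17): {"R": DIRECT}},
    "GL-POST": {("TableData", 17): {"R": DIRECT, "I": INDIRECT}},
    "GL-FIX": {("TableData", 17): {"M": DIRECT, "D": DIRECT}},
    "CUST-EDIT": {("TableData", 18): {"R": DIRECT, "I": DIRECT, "M": DIRECT}},
}

# Constructed Access Control rows: (user, permission set, company).
# An empty company means the permission set applies in all companies.
ACCESS_CONTROL = [
    ("ANNA", "GL-READ", ""),
    ("ANNA", "GL-POST", "CRONUS US"),
    ("ANNA", "GL-FIX", "CRONUS US"),
    ("ANNA", "CUST-EDIT", "CRONUS US"),
]

# Constructed license ceiling; posted G/L entries are Indirect at most.
LICENSE = {
    ("TableData", 17): {"R": DIRECT, "I": INDIRECT, "M": INDIRECT, "D": NONE},
    ("TableData", 18): {"R": DIRECT, "I": DIRECT, "M": DIRECT, "D": DIRECT},
}

def effective_permissions(user, company):
    """Return {object: {right: level}} for one user in one company."""
    granted = {}
    for row_user, set_id, row_company in ACCESS_CONTROL:
        if row_user != user or row_company not in ("", company):
            continue
        for obj, rights in PERMISSION_SETS[set_id].items():
            merged = granted.setdefault(obj, {})
            for right, level in rights.items():
                # Permissions always add: the highest grant wins.
                merged[right] = max(merged.get(right, NONE), level)
    result = {}
    for obj, rights in granted.items():
        ceiling = LICENSE.get(obj, {})
        capped = {r: min(lvl, ceiling.get(r, NONE)) for r, lvl in rights.items()}
        result[obj] = {r: lvl for r, lvl in capped.items() if lvl != NONE}
    return result

if __name__ == "__main__":
    print(effective_permissions("ANNA", "CRONUS US"))
    print(effective_permissions("ANNA", "CRONUS DK"))
```

In the sample, the GL-FIX set asks for direct Modify and Delete on posted G/L entries, but the license ceiling reduces Modify to Indirect and drops Delete entirely.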

COMMON CONFUSION ABOUT SECURITY

TableData versus Table
Security data and companies
Objects and Read/Insert/Modify/Delete
TableData and Execute

SUMMARY

REFERENCES

Permission Set (Role) spreadsheet
http://www.mergetool.com/data/es/Roles%20Demo%20Data%20ES
1.40.27.zip

THANK YOU FOR ATTENDING
Reminders:
Please download the session slides from the NAVUG Congress Community or through the Congress App
Please visit our Dynamics NAV help desk Monday evening in the Expo
Please complete your session survey in the Congress App