NAV Easy Security

download report

Transcript NAV Easy Security


Complete solution for NAV Security
◦ RoleTailored and Classic Client

Field Level and Data Security
◦ Security beyond NAV’s standard abilities

Logins and Permissions
◦ Tools for standard NAV security

NAV Easy Security Light
◦ Tools for small NAV customers to simplify security
maintenance




Record permissions (TableData and objects)
Group permission sets and companies
Expiration date of access controls
Quick/Go-live security
◦ Setup security by only denying access to few objects

100+ Segregation of Duties permission sets
◦ Tasks based on recordings to add customizations


Restore points for rollback and history
Object level permissions

Pages and forms
◦ Edit, read only or hide

Fields
◦ Edit, read only or hide

Actions and buttons
◦ Normal, greyed-out or hide

Filter data per page or form to only show some
records
◦ User based filters or based on a calculation

Tools to maintain standard security
◦ Copy from other users
◦ Assign multiple permission sets in multiple companies
◦ Add related permissions to permission sets


Record TableData permissions
Snapshots can rollback individual users or
permission sets







Maintain logins
Quick Security
Record permission set
Easy Security demo data
Publish permissions
Field Level Security
Data Security

2.60 to 2016
◦ Released within 30 days of Microsoft



All NAV application versions
Only new objects (no merge required)
Application translated to 8 languages
◦ Danish, Dutch, English, French, German, Italian,
Portuguese and Spanish

Complete documentation and online help

NAV Easy Security
◦ Logins and Permissions ($2500)
 Record permission sets, segregation of duties, quick security,
grouping, restore points and a lot more
◦ Field level and data security ($2500)
◦ Complete solution ($4500)
◦ Fixed price training and support ($1250)

NAV Easy Security Light

No additional object cost for CfMD solutions
Volume discount and subscription pricing available

◦ Free for base features
◦ Unlimited TableData recording ($250)





Over 250 NAV partners sell our solutions
No partner fee or training requirement
34% partner margin
Free support and partner training
Free access to use NAV Easy Security Light for
customers security setup

900+ customers in 60+ countries are using NAV
Easy Security
◦ Case studies on our web-site

Mergetool.com website
◦ http://mergetool.com/easysecurity.html

Request demonstration version or other questions
◦ [email protected] or contact your NAV partner

Meet us at our booth in the expo, next to the good
coffee 
Per Mogensen
President
Per Mogensen

How does NAV Security work
◦ User access control
◦ Roles/Permission Sets

Best practices for NAV Security
◦ What does Microsoft deliver

NAV Easy Security Light






Hide data like payroll, recipes or sales data
Protect data from accidental changes
Ensure data integrity by protecting setup
Segregation of duties
External requirements (SOX)
Auditors

Combines Roles/Permission Sets with companies
◦ Access to single company or all companies


Permissions always add
Users can have access directly assigned or as
part of groups using Active Directory
◦ Best suited for a single company setup
◦ High level access to NAV should be avoided



Can be administered directly in Active Directory
Many Windows Groups required when more than
a single company
Work fine for low level access, but is a security
risk for SUPER or similar access


A set of permission data, objects and system
functions
Not related to companies only to permissions
◦ Access control under Users combine Roles and
Company


Data security possible with Security Filters
No Field Level control

Data (TableData)
◦ Read, insert, modify and delete access
◦ Direct or indirect
 indirect access need proper permissions in code
 Indirect read enough to calculate FlowFields

Objects (Forms/Pages, Reports, Codeunits…)
◦ Execute
◦ Design different object types (only in NAV 2009 and older)
 Read, insert, modify and delete

System
◦ Tools (Zoom, User administration…)
 Execute
◦ Design access (Importing fob, change report…)
 Execute
◦ NAV 2009 RTC and 2013 have limited functions that can be controlled. This is
improved in future builds/versions




ALL/BASIC access to login and more
Functional roles (S&R Q/O/I/C/B/R)
System Roles (new role TOOLS, ZOOM)
High level access (SUPER, SUPER (DATA))





“SUPER” can administer users
“SUPER” can design and change objects
“SUPER” can run tables from the designer
“SUPER (DATA)” still have full access to the
application
Consider creating other “SUPER” roles
◦ “SUPER (READ)” read-only access to the complete application
◦ “SUPER (TOOLS)” allow access to all tools except designers
and security management

Focus on a small task in NAV
◦ Make assigning permissions and testing simple
◦ Small chance of breaking all roles when upgrading or adding
new customizations

Do NOT make roles for each user
◦ Hard to maintain
◦ Very hard to know if everything is covered
◦ Cannot remove permissions easily without a lot of testing

Use NAV Easy Security Light to combine many small
task based roles if needed



Role Center give access to view and is improving
usability
Permissions give access to perform tasks
BASIC role in NAV 2013 has too many
permissions to view data
◦ Access to Login/Logout (OK)
◦ Access to execute objects (OK)
◦ Access to read all data for ORDER PROCESSOR
(wrong)

NAV 2009
◦
◦
◦
◦

NAV 2013
◦
◦
◦
◦
◦

User connect directly to SQL database
User needs access to data in SQL database
Complex setup to allow impersonation
NAV and SQL database verify user credentials
Service user connect to SQL Database
User need NO access to data in SQL database
No requirements to only use SQL database or windows login
NAV Service Tier verify user credentials
No Login/Logout required after security changes
NAV 2009 and 2013
◦ Design access (Classic Client) require access to SQL database
◦ DBO for many design and security functions (2009 only)


Apply filters directly to the data in SQL database
Many side-effect create un-intended errors
◦ Filter Items, Customer or Vendor and the user cannot post
orders or print invoices
◦ Filter Ledger Entries and the user cannot post orders
◦ Inventory valuation can be completely messed up


Very hard to configure since “blank” security filter
override a defined security filter
NAV 2013 can manually be coded to handle this better







Security is always checked by NAV client
Enhanced mimic NAV security in SQL database, BUT
is only used when NAV connects
Synchronize security is very slow with enhanced and
required for all security changes
Synchronize not required with standard
No benefits from enhanced (this is just the default
value)
Are you also using the default object cache value?
Enhanced has been removed by Microsoft in NAV
2013


User can never exceed the license permissions
Indirect license permissions are used to secure
important posting data
◦ Removed when buying 7300 Solution developer as a
customer (be careful, security setup is most harder)

MenuItems is removed based on license or user
permissions
◦ Classic: always removed from MenuSuite
◦ RTC: optional based on setup, different by version

Tools to maintain standard security

Record TableData permissions
Snapshots can rollback users or roles
Free including all tools with limited recording




◦ Copy from other users
◦ Assign multiple roles in multiple companies
◦ Add related permissions
◦ Partner must add module “14123010 NAV Easy Security Light”
to NAV license at no charge
$250 to unlock recording feature with registration key
Available in Navision 2.60 to NAV 2013 R2



Assign multiple roles in multiple companies
Copy from another user
Roll-back permissions from snapshots






Add related permissions
Combine multiple roles to a single role
Copy permission from one role to another
Export/Import roles like the FOB-worksheet
Roll-back roles using Snapshots
Record permissions with SQL profiler
◦ Limited in the free version

Training videos
◦ http://mergetool.com/addin_e/faq/FAQ_ESLTRAINING_WEB.htm

114 roles based on Segregation of Duties
Verified with FastPath with no Sarbanes-Oxley conflicts
Recorded and verified in NAV

Finance, Sales, Purchase and Inventory

All 21 Role Centers recorded with read access only
Technical Login only and many more
Source Code Analyzer handle many customizations




◦ NA 2009 R2 and 2013 (US, CA and MX)
◦ DE 2009 R2 and 2013 (DE, AT and CH)
◦ Banking (2) Budget (1) Customer (5) Finance (16) Item (8)
Purchase (17) Role Centers (22) Sales (17) Technical (15)
Transfer Order (6) Vendor (5)




An ISV (Independent Software Vendor) developing
products for NAV
Located in Atlanta, GA USA
More than 500 customers using or solutions
NAV training and classes




Based on input from our partners and over 100
customer trainings
Simple wizard to update data in existing
installations
Following Microsoft’s terminology in NAV 2013
and later
Revised translations (Danish, German, Spanish
and Dutch)








Quick Security
Publish single Login
Export/Import of Login Access Controls
Permissions from
Simple access to Change Log entries
Server information FactBox
Adding multiple Access Controls Wizard
And many more



Intermediate step between “SUPER (DATA)” and
“Segregation of Duties”
Implement and deploy in a few hours in production
Control with “Full Access”, “Read-Only” and “No
Access”
◦ Standard NAV tables already categorized
◦ TableData and Objects

First step when building precise security

Recorded Permission Sets tested for Segregation
of Duties (already exists in earlier versions)
◦ Recorded in NAV 2009 R2, 2013, 2013 R2 and 2015
◦ Worldwide, German and North American databases

New recordings released when future NAV
versions are released
◦ Simplify the upgrade by having the new NAV permissions
required in our recording

Danish database soon to be supported too

User Filters
◦ Remove need to customize dynamic filtering
◦ Link User ID to Salesperson Code and 30 other major
NAV tables

Adding multiple Fields and Actions



Available on our web-site
Updated documentation
Updating existing customers
◦ Import the new objects
◦ Run the “Update Data” process

Import and compile new Easy Security Objects
◦ Do NOT import ESACC objects




Open the Security Setup and Update Data
Open the Field Level and Data Security Setup and
Update Data
Optional: Import new Recordings to existing
Segregation of Duties Permissions Sets
Import Quick Security Permission Groups

Finish Initial Install in Production Database
◦ Logins and Permissions
◦ Field Level and Data Security
 Use the same Source Tables and in the Test Database

Export from Test Database
◦ “Permission Sets”, “Permission Groups”, “Login Access Controls”,
“Object Properties”, “Field Level Security Codes” and “Data Security
Codes”

Create “Logins” and “Company Groups” in Production Database
to match the Test Database
Import in the same order as exported above to Production

Publish Permission in the Production Database

◦ The Import and Overwrite can be used if needed






Import Objects
Create Easy Security company
Initial Source Code Analysis
Add Source Tables
Implement Changes in Code
Setup Copy Data in other Companies







Import objects
Initial Source Code export
Create Easy Security company
Run Complete Install
Import additional NAV Easy Security data
First publish
Recording only setup in other companies




Adding Tables to the Source Table Setup
Adding a Page with an existing Table
Working with multiple databases (Dev, UAT, Prod)
Reversing changes to objects

Typically 3 databases, Development (DEV), User
Acceptance Test (UAT) and Production (PROD)
Development database

User Acceptance Test (UAT)

Production (PROD)

◦ NAV Easy Security objects imported
◦ No changes to base code implemented
◦ Allow simple implementation of cumulative updates and upgrades
◦ New objects from DEV replace objects
◦ Run “Implement Changes in Code” for all objects
◦ Objects are moved from UAT compiled with code implemented
◦ Filter on Date and Time in UAT for all modified objects





Data Security for each Page
User Filters
Create new Data Security Code
Data Security for Reports
Data Security in Jet Reports





Control access by “Edit”, “View” or “Hide”
Object Level Security
Field Level Security
Action Security
Create New Field Level Security Code



Updating the Source Code Analysis
Permissions added automatically
Using Relations and Variables



Calculating Summary Permissions
Permission From
Segregation of Duties

Based on recordings
◦ NAV 2009 R2, 2013 2013 R2 and 2015
◦ Worldwide, German, North American and Danish




Certified for Segregation of Duties by FastPath
Made for the future (upgradeable)
Object Level Security
Future NAV versions maintained by
Mergetool.com





Setup simply by category, easy for
ISV/Customizations
Quick Security Permission Groups
Go-Live
Security based on a few tables
Good Security between SUPER (DATA) and
Segregation of Duties level access




Publish All
Publish single Login or Permission Set
Compare Restore Points
Reverse changes



Builder Permissions
Related Permissions
Override permissions





Recording Permissions
Correcting a Permission Set with a recording
Multiple Recordings in a Permission Set
Reducing recorded Permissions
Using a Minimum access Role Center and
restarting Service Tier






Grouping Permission Sets
Grouping Companies
Expiry Date
Summary Permissions
Adding a new User
Assigning permission to multiple users