NAV Easy Security



Complete solution for NAV Security
◦ RoleTailored and Classic Client

Field Level and Data Security
◦ Security beyond NAV’s standard abilities

Logins and Permissions
◦ Tools for standard NAV security

NAV Easy Security Light
◦ Tools for small NAV customers to simplify security
maintenance




Record permissions (TableData and objects)
Group permission sets and companies
Expiration date of access controls
Quick/Go-live security
◦ Setup security by only denying access to few objects

100+ Segregation of Duties permission sets
◦ Tasks based on recordings to add customizations


Restore points for rollback and history
Object level permissions

Pages and forms
◦ Edit, read only or hide

Fields
◦ Edit, read only or hide

Actions and buttons
◦ Normal, greyed-out or hide

Filter data per page or form to only show some
records
◦ User based filters or based on a calculation

Tools to maintain standard security
◦ Copy from other users
◦ Assign multiple permission sets in multiple companies
◦ Add related permissions to permission sets


Record TableData permissions
Snapshots can rollback individual users or
permission sets







Maintain logins
Quick Security
Record permission set
Easy Security demo data
Publish permissions
Field Level Security
Data Security

2.60 to 2016
◦ Released within 30 days of Microsoft



All NAV application versions
Only new objects (no merge required)
Application translated to 8 languages
◦ Danish, Dutch, English, French, German, Italian,
Portuguese and Spanish

Complete documentation and online help

NAV Easy Security
◦ Logins and Permissions ($2500)
  ▪ Record permission sets, segregation of duties, quick security,
grouping, restore points and a lot more
◦ Field level and data security ($2500)
◦ Complete solution ($4500)
◦ Fixed price training and support ($1250)

NAV Easy Security Light
◦ Free for base features
◦ Unlimited TableData recording ($250)

No additional object cost for CfMD solutions
Volume discount and subscription pricing available





Over 250 NAV partners sell our solutions
No partner fee or training requirement
34% partner margin
Free support and partner training
Free access to use NAV Easy Security Light for
customers security setup

900+ customers in 60+ countries are using NAV
Easy Security
◦ Case studies on our web-site

Mergetool.com website
◦ http://mergetool.com/easysecurity.html

Request demonstration version or other questions
◦ [email protected] or contact your NAV partner

Meet us at our booth in the expo, next to the good
coffee :)
Per Mogensen
President
Per Mogensen

How does NAV Security work
◦ User access control
◦ Roles/Permission Sets

Best practices for NAV Security
◦ What does Microsoft deliver

NAV Easy Security Light






Hide data like payroll, recipes or sales data
Protect data from accidental changes
Ensure data integrity by protecting setup
Segregation of duties
External requirements (SOX)
Auditors

Combines Roles/Permission Sets with companies
◦ Access to single company or all companies


Permissions always add
Users can have access directly assigned or as
part of groups using Active Directory
◦ Best suited for a single company setup
◦ High level access to NAV should be avoided



Can be administered directly in Active Directory
Many Windows Groups required when more than
a single company
Works fine for low-level access, but is a security
risk for SUPER or similar access


A set of permission data, objects and system
functions
Not related to companies, only to permissions
◦ Access control under Users combine Roles and
Company


Data security possible with Security Filters
No Field Level control

Data (TableData)
◦ Read, insert, modify and delete access
◦ Direct or indirect
  ▪ Indirect access needs proper permissions in code
  ▪ Indirect read is enough to calculate FlowFields

Objects (Forms/Pages, Reports, Codeunits…)
◦ Execute
◦ Design different object types (only in NAV 2009 and older)
  ▪ Read, insert, modify and delete

System
◦ Tools (Zoom, User administration…)
  ▪ Execute
◦ Design access (Importing fob, change report…)
  ▪ Execute
◦ NAV 2009 RTC and 2013 have limited functions that can be controlled. This is
improved in future builds/versions




ALL/BASIC access to login and more
Functional roles (S&R Q/O/I/C/B/R)
System Roles (new role TOOLS, ZOOM)
High level access (SUPER, SUPER (DATA))





“SUPER” can administer users
“SUPER” can design and change objects
“SUPER” can run tables from the designer
“SUPER (DATA)” still has full access to the
application
Consider creating other “SUPER” roles
◦ “SUPER (READ)” read-only access to the complete application
◦ “SUPER (TOOLS)” allow access to all tools except designers
and security management

Focus on a small task in NAV
◦ Make assigning permissions and testing simple
◦ Small chance of breaking all roles when upgrading or adding
new customizations

Do NOT make roles for each user
◦ Hard to maintain
◦ Very hard to know if everything is covered
◦ Cannot remove permissions easily without a lot of testing

Use NAV Easy Security Light to combine many small
task based roles if needed



Role Center gives access to view and improves
usability
Permissions give access to perform tasks
BASIC role in NAV 2013 has too many
permissions to view data
◦ Access to Login/Logout (OK)
◦ Access to execute objects (OK)
◦ Access to read all data for ORDER PROCESSOR
(wrong)

NAV 2009
◦ User connects directly to SQL database
◦ User needs access to data in SQL database
◦ Complex setup to allow impersonation
◦ NAV and SQL database verify user credentials

NAV 2013
◦ Service user connects to SQL database
◦ User needs NO access to data in SQL database
◦ No requirement to only use SQL database or Windows login
◦ NAV Service Tier verifies user credentials
◦ No Login/Logout required after security changes

NAV 2009 and 2013
◦ Design access (Classic Client) requires access to SQL database
◦ DBO for many design and security functions (2009 only)


Apply filters directly to the data in SQL database
Many side effects create unintended errors
◦ Filter Items, Customer or Vendor and the user cannot post
orders or print invoices
◦ Filter Ledger Entries and the user cannot post orders
◦ Inventory valuation can be completely messed up


Very hard to configure since a “blank” security filter
overrides a defined security filter
NAV 2013 can manually be coded to handle this better







Security is always checked by NAV client
Enhanced mimics NAV security in the SQL database, BUT
is only used when NAV connects
Synchronizing security is very slow with enhanced and
is required for all security changes
Synchronizing is not required with standard
No benefits from enhanced (this is just the default
value)
Are you also using the default object cache value?
Enhanced has been removed by Microsoft in NAV
2013


User can never exceed the license permissions
Indirect license permissions are used to secure
important posting data
◦ Removed when buying 7300 Solution developer as a
customer (be careful, security setup is much harder)

MenuItems are removed based on license or user
permissions
◦ Classic: always removed from MenuSuite
◦ RTC: optional based on setup, different by version

Tools to maintain standard security
◦ Copy from other users
◦ Assign multiple roles in multiple companies
◦ Add related permissions

Record TableData permissions
Snapshots can rollback users or roles
Free including all tools with limited recording
◦ Partner must add module “14123010 NAV Easy Security Light”
to NAV license at no charge
$250 to unlock recording feature with registration key
Available in Navision 2.60 to NAV 2013 R2



Assign multiple roles in multiple companies
Copy from another user
Roll-back permissions from snapshots






Add related permissions
Combine multiple roles to a single role
Copy permission from one role to another
Export/Import roles like the FOB-worksheet
Roll-back roles using Snapshots
Record permissions with SQL profiler
◦ Limited in the free version

Training videos
◦ http://mergetool.com/addin_e/faq/FAQ_ESLTRAINING_WEB.htm

114 roles based on Segregation of Duties
Verified with FastPath with no Sarbanes-Oxley conflicts
Recorded and verified in NAV

Finance, Sales, Purchase and Inventory

All 21 Role Centers recorded with read access only
Technical Login only and many more
Source Code Analyzer handles many customizations




◦ NA 2009 R2 and 2013 (US, CA and MX)
◦ DE 2009 R2 and 2013 (DE, AT and CH)
◦ Banking (2) Budget (1) Customer (5) Finance (16) Item (8)
Purchase (17) Role Centers (22) Sales (17) Technical (15)
Transfer Order (6) Vendor (5)




An ISV (Independent Software Vendor) developing
products for NAV
Located in Atlanta, GA USA
More than 500 customers using our solutions
NAV training and classes




Based on input from our partners and over 100
customer trainings
Simple wizard to update data in existing
installations
Following Microsoft’s terminology in NAV 2013
and later
Revised translations (Danish, German, Spanish
and Dutch)








Quick Security
Publish single Login
Export/Import of Login Access Controls
Permissions from
Simple access to Change Log entries
Server information FactBox
Adding multiple Access Controls Wizard
And many more



Intermediate step between “SUPER (DATA)” and
“Segregation of Duties”
Implement and deploy in a few hours in production
Control with “Full Access”, “Read-Only” and “No
Access”
◦ Standard NAV tables already categorized
◦ TableData and Objects

First step when building precise security

Recorded Permission Sets tested for Segregation
of Duties (already exists in earlier versions)
◦ Recorded in NAV 2009 R2, 2013, 2013 R2 and 2015
◦ Worldwide, German and North American databases

New recordings released when future NAV
versions are released
◦ Simplify the upgrade by having the new NAV permissions
required in our recording

Danish database soon to be supported too

User Filters
◦ Remove need to customize dynamic filtering
◦ Link User ID to Salesperson Code and 30 other major
NAV tables

Adding multiple Fields and Actions



Available on our web-site
Updated documentation
Updating existing customers
◦ Import the new objects
◦ Run the “Update Data” process

Import and compile new Easy Security Objects
◦ Do NOT import ESACC objects




Open the Security Setup and Update Data
Open the Field Level and Data Security Setup and
Update Data
Optional: Import new Recordings to existing
Segregation of Duties Permissions Sets
Import Quick Security Permission Groups

Finish Initial Install in Production Database
◦ Logins and Permissions
◦ Field Level and Data Security
  ▪ Use the same Source Tables as in the Test Database

Export from Test Database
◦ “Permission Sets”, “Permission Groups”, “Login Access Controls”,
“Object Properties”, “Field Level Security Codes” and “Data Security
Codes”

Create “Logins” and “Company Groups” in Production Database
to match the Test Database
Import in the same order as exported above to Production

Publish Permission in the Production Database

◦ The Import and Overwrite can be used if needed






Import Objects
Create Easy Security company
Initial Source Code Analysis
Add Source Tables
Implement Changes in Code
Setup Copy Data in other Companies







Import objects
Initial Source Code export
Create Easy Security company
Run Complete Install
Import additional NAV Easy Security data
First publish
Recording only setup in other companies




Adding Tables to the Source Table Setup
Adding a Page with an existing Table
Working with multiple databases (Dev, UAT, Prod)
Reversing changes to objects

Typically 3 databases, Development (DEV), User
Acceptance Test (UAT) and Production (PROD)
Development database

User Acceptance Test (UAT)

Production (PROD)

◦ NAV Easy Security objects imported
◦ No changes to base code implemented
◦ Allow simple implementation of cumulative updates and upgrades
◦ New objects from DEV replace objects
◦ Run “Implement Changes in Code” for all objects
◦ Objects are moved from UAT compiled with code implemented
◦ Filter on Date and Time in UAT for all modified objects





Data Security for each Page
User Filters
Create new Data Security Code
Data Security for Reports
Data Security in Jet Reports





Control access by “Edit”, “View” or “Hide”
Object Level Security
Field Level Security
Action Security
Create New Field Level Security Code



Updating the Source Code Analysis
Permissions added automatically
Using Relations and Variables



Calculating Summary Permissions
Permission From
Segregation of Duties

Based on recordings
◦ NAV 2009 R2, 2013, 2013 R2 and 2015
◦ Worldwide, German, North American and Danish




Certified for Segregation of Duties by FastPath
Made for the future (upgradeable)
Object Level Security
Future NAV versions maintained by
Mergetool.com





Setup simply by category, easy for
ISV/Customizations
Quick Security Permission Groups
Go-Live
Security based on a few tables
Good Security between SUPER (DATA) and
Segregation of Duties level access




Publish All
Publish single Login or Permission Set
Compare Restore Points
Reverse changes



Builder Permissions
Related Permissions
Override permissions





Recording Permissions
Correcting a Permission Set with a recording
Multiple Recordings in a Permission Set
Reducing recorded Permissions
Using a Minimum access Role Center and
restarting Service Tier






Grouping Permission Sets
Grouping Companies
Expiry Date
Summary Permissions
Adding a new User
Assigning permission to multiple users