(For more resources on PHP & MySQL, see here.)
Securing the network is indispensible to any organization's IT security. Firewalls and implementing user security policies go a long way in securing the network. A few highlights of network/hardware security that we will not cover in detail in this article are as follows:
- Implementing Dynamics NAV on a secure internal company network.
- Following Microsoft recommendations for software and hardware requirements including operating system considerations and hardware considerations.
- Defining user access policies and windows network access policies; these may be extendible to the Dynamics NAV security system as well.
These topics can be found in detail in Microsoft operating system documentation and other network-related documentation.
Security with SQL Server installation
The SQL security system is very robust and comprises the following two main components:
- Access to the server: This is the layer of security that involves granting access to the server using logins to authenticate the users and provide them secure connection to the server.
- Access to the database: This refers to the security defined by roles and permissions for appropriate database access to the users.
Dynamics NAV security models
There are two distinctive but not-so-different security models that build the security system for Dynamics NAV. They are mainly differentiated by how they synchronize the Dynamics NAV security system with the SQL Server security system and Windows security system. In the following table, we highlight the key differences between the two security models—Standard and Enhanced.
Switching between Enhanced and Standard security models
To change the security model from Enhanced to Standard or vice versa, we will have to alter the database, change the Security Model option (Advanced tab). We need to make sure that the database is made as "single user only" (by checking on the Single User check mark on the Alter Database window). It is also required to synchronize all logins after the Security Model is changed.
Synchronization is the process for the Dynamics NAV security system to match the SQL Server security system. This does not happen automatically and must be done manually after performing the following options:
- Applying a change to the objects in the database
- Changing the security model
- Making changes to the users, roles, and permissions in Dynamics NAV
- Restoring a backup
- Upgrading or converting the database and/or the client executables
Synchronizing one or multiple users
To synchronize one or multiple users go to the Windows Login option under Tools | Security . Highlight the login(s) that need to be synchronized. Go to Tools | Security | Synchronize Single Login or Synchronize All Logins.
Users, logins, and passwords
Dynamics NAV application provides two types of authentication methods to log in to the database as explained next.
Creating database logins
These logins use database server (SQL or Classic) authentication to provide access to the application. We can create Database Logins as follows:
- To create a database login in a Dynamics NAV Classic database server go to Database Logins from Tools | Security | Database Logins.
- Press F3 to create a new User ID and Name for the Database Logins.
- If we are using the SQL Server as the database for Dynamics NAV installation, we have to make sure that the database logins' User ID that we are using here also exists as a user on the SQL Server.
- If we are using the Dynamics NAV Classic database server, we will have an additional column to specify the Password for the User ID.
The first user that we create should be the SUPER user (the user with super access to everything in the application). SUPER is one of the roles in Dynamics NAV that assigns all permissions (access to all forms, tables, reports, and other objects) to the user who has been assigned that role.
An Expiration Date can also be specified for the Database Logins in the last column on the right side of the Database Logins form. This Expiration Date, for example, can be used by subcontractors or short term employees who need access to Dynamics NAV application for only a given period of time.
Setting up user accounts
We can set up the users from the User Setup menu, in the Administration section, under Application Setup | Users.
Using the User Setup screen, there is an option to control some basic features of Dynamics NAV application.
We have the ability to restrict the date range of posts from Allow posting from and Allow posting to fields, these fields take precedence over the posting date range specified in the General Ledger Setup form.
Users entering the system can also be restricted to particular responsibility center(s) thus allowing them to view/do transactions in that responsibility center only. There is also an option to restrict a database login to a particular company, this will be discussed in the Roles section later in this article.
There is an option to register the time for the users logging on to the system. If we mark the Register Time column for a user, the system will log the User ID , Date of login, and Minutes spent on the application. This will be updated every time the user logs off from the Dynamics NAV application.
How is a USER ID used across application
The User ID is tagged to almost every transaction and ledger entry, and helps in providing an audit trail for transactions.
Specific reports can be printed on separate printers by different users. This can be set up in the Printer Selections menu in the Administration | IT Administration | General Setup | Printer Selections.
User ID(s) are also represented in the Change Log entries, if the Change Log option is enabled. For more information on Change Log option, refer to the Change Log section in this article.
The creation of database logins, appropriate permissions, and so on can be done by a SUPER user or by a user who has appropriate permissions to change security for Dynamics NAV.
Logging in using Windows Authentication
Microsoft Windows operating system provides a robust and secure computing platform. Dynamics NAV is designed to leverage the Windows security system. The administrators have the ability to set up Windows single sign-on feature with Dynamics NAV installation.
When a user opens Dynamics NAV, they have the option to select Windows Authentication. If that is selected, we don't have to key in the username and Password while logging into the application, as shown in the following screenshot:
(For more resources on PHP & MySQL, see here.)
SQL extended stored procedures
To use Windows Authentication with SQL Server option for Dynamics NAV, we need to add two extended stored procedures as follows:
These two stored procedures come with the xp_ndo.dll file that comes along with the Dynamics NAV installation. The program will automatically add these extended stored procedures automatically, the first time Dynamics NAV connects to the server.
If we have already connected to the server, we will have to add these extended stored procedures manually. To add these stored procedures manually, follow the next steps:
- From the Product CD folder ..\SQL_ESP, find xp_ndo.exe.
- Run the file and enter the path to the BINN folder of the SQL Server installation. Make sure that the xp_ndo.dll is copied to this path.
- Use Microsoft SQL Server Management Studio(2005) or Enterprise Manager (SQL 2000) to add extended stored procedures with the following names:
- Assign execute permissions for both the extended stored procedures to the public role in the SQL Server database.
Let's do a walkthrough of how to create Windows login(s) in the Dynamics NAV application as follows:
- While logged in to the database (as a SUPER user or user with permissions to create new users), go to Tools | Security | Windows Logins.
- Press F3 to create a new Windows login.
- We can press F6 or Assist Edit button on the ID field to lookup and select from among all the Windows Users and Groups available in the cluster of domains.
- If we are using SQL Server as a database, after we have assigned the appropriate roles we will have to synchronize this new login with the SQL Server. To synchronize the Windows login to the SQL Server go to Tools | Security |Synchronize Single Login or Synchronize All Logins. The synchronization will create the Windows login(s) in the SQL Server. More about synchronization is discussed earlier along with the Dynamics NAV security models section.
Why use Windows Logins?
Microsoft Dynamics security inherits all the extended security features of Active Directory, if Windows Authentication is used for accessing the Dynamics NAV application. It also makes the administration a lot easier and manageable.
Some of the biggest advantages of using Active Directory and Windows Authentication is that, everything is manageable from within NAV (for database administrators). One of our favorite and highly recommended approaches is to use Windows groups. Using Active Directory Windows groups makes the setup of users and management of existing users almost effortless. Network administrators can just add the new Windows login to the appropriate groups while creating new users for dynamics NAV application.
If we decide to use Database Authentication for our installation, we will have to specify passwords for all the database logins that we create.
To change the password for Dynamics NAV, go to Tools | Security | Password.
The following screenshot will prompt us to confirm our Current Password and then specify a New Password for Dynamics NAV program (followed by a re-enter).
Roles and permissions
Dynamics NAV security system provides extensive security and access control options to specify direct and indirect permissions for up to object level (table level) security and also record level security in the Dynamics NAV for SQL Server option. This layer of security, consisting of roles and permissions, is a very discreet layer of security on top of the SQL database security system and Windows security system.
There are no default users when we first start the database, either new database or the demo database. The first login that we create—Windows or database login—must be a SUPER user, with access to the SUPER role in Dynamics NAV. This role has all the permissions to the application. We can add the SUPER user by adding a new user and assigning the SUPER role by clicking the Roles button at the bottom of the screen.
The SUPER user defined earlier can now create other logins and assign them roles according to the functions that users perform.
A role in dynamics NAV is a set of permissions for various objects—tables, forms, Codeunits, reports or dataports, and so on.
It is highly recommended that before starting to assign and create new roles, we must take into account the standard Dynamics NAV roles that come along with the demo database. These are standard roles that provide a wide range of access control based on the business functions.
Roles can be accessed from Tools | Security | Roles.
A database or Windows login can have multiple roles assigned to it. Let's assign roles to Windows or database logins as follows:
- Open the Database Logins or Windows Logins window from Tools | Security.
- Highlight or make sure our cursor is on the login that we want to assign roles to.
- Click on the Roles button in the bottom.
- Assign one or multiple roles in the screen that appears next. We can create a role by using F3 and then looking up the list of roles by clicking Assist Edit (or press F6).
- There is also an option to specify the Company Name on the right most column, this is used if we want to restrict a user to a particular company only.
Every role is cluster of a set of permissions for various objects, which are as follows:
- Table Data
The previous screenshot shows the permissions assigned to the SUPER role in the Dynamics NAV demo database. The value 0 assigned to the Object ID field, indicates all objects of that object type will get included in the role, depending on the read, modify, execute, insert, and delete permissions.
While most of the earlier given access to the respective objects in the database, the system object type is used to define a set of functions, which are not executed by the objects in the database, for example, importing and exporting object files.
Each permission field has three different options as follows:
- Blank:No permissions are associated with this permission type (such as read, insert, modify, delete, or execute).
- Yes: The role has full permissions associated with this object.
- Indirect: This option gives access to the object through another object. For example, access to a table may be needed by a Codeunit that uses the table to either read from, write into, or modify the records. A lot of tables are modified by the Codeunit 12 Gen. Jnl.-Post Line and one of them is Table 81- Gen. Jnl line. Therefore, the user who has to perform posting, needs indirect access to the table.
(For more resources on PHP & MySQL, see here.)
Creating a new user from scratch
Let's do a walkthrough of the process of creating a new user that needs access to read G/L Accounts. We will create from scratch the role(s) and the associated permissions with the role as follows:
- Create a new database login (or could also be a Windows login) as shown in the next screen from Tools | Security | Database/Windows Login.
- Go to Tools | Security | Roles.
- Create a new role by using F3, named COA (Chart of Accounts) from General Ledger.
- Click on the Permissions button from the Role menu button in the bottom of the form.
- Assign appropriate permissions to the Table Data-15 G/L Accounts, in this case, we only need Read Permission.
- We also need permissions for G/L Entry table, as there are flow fields in the G/L Account table that read from G/L Entry table.
- Let's go back to our Database Logins window and assign the appropriate roles to our new user. In addition to the new role we previously created, we also need to add ALL role to the user's list of role. This role is kind of a prerequisite for any other roles (except SUPER). This contains access to basic tables, forms, and other objects that are needed for proper functioning and start up of Dynamics NAV application.
- The next process is to synchronize our new user (if we are using SQL database); we could either use Tools | Security | Synchronize one Login or Synchronize All Logins to synchronize the new user and associated role.
Security filter—record level security
Security filters—record level security/access control can be explained by extending the previously described example for accessing G/L Accounts. Let's take an example where we want the user to view only balance sheet G/L Accounts.
To accomplish the record level security, we use security filters from the Permissions window. Click on the Assist Edit button in the Security Filters field in the Permissions window and select the field on which we want to apply filters.
Record-level security is available only if we are using the SQL database.
Sarbanes Oxley compliance
The Sarbanes Oxley compliance or SOX compliance has been a huge concern for the corporations across North America over the last few years. We will discuss some of the features and practices in Dynamics NAV that help make the life of SOX compliance auditors a lot easier.
Security, backups, and authorization
Dynamics NAV provides an extensive range of tools to work with security, most of those have been discussed in this article. In addition, Dynamics NAV also provides integrated security structure with Windows Authentication and SQL Server security model. Dynamics NAV backup feature provides access to back up the database from within the application. Regular backups could also be scheduled to ensure effective database recovery procedures are in place.
Access control and audit trail
In addition to that, a user is restricted by Dynamics NAV roles and permissions to the level where the user is able to perform his daily activities on the system. This is further cemented with the new Role Centers in Dynamics NAV RoleTailored clients.
In SQL Server option for Dynamics NAV, it is possible to provide record-level security, which ensures that specific users view only specific areas of the application.
The User ID of the user, performing a transaction in Dynamics NAV is tagged along at every stage, including data entry in the documents and journals. The User ID can also be found in the ledger entries and on posted documents, thus enabling a smooth trail of transactions supported by dates and times.
Shown next is a screenshot of the G/L Entries, showing User ID and Source Code to identify the source of transaction:
A Change Log feature in Dynamics NAV, if set up, provides a log of all the changes done to the data including insert, modify, or delete.
To set up the Change Log in Dynamics NAV, let's follow the next steps:
- From the Administration menu in Dynamics NAV, scroll to the Application Setup and then expand further to General and open the Change Log Setup screen as shown next:
- To start using the Change Log, check the Change Log Activated checkbox.
- Click on the Setup menu button at the bottom of the screen and select Tables.
- This opens a list of all Dynamics NAV application tables with options to log insertions, deletion, or modification of those tables, as shown next:
- For each table, that needs to be change logged, there is an option to select all fields in the table, or select a collection of some fields (by selecting some fields and clicking Assist Edit button).
- Once the setup has been done, the application changes in the application tables start getting logged in the Change Log Entries screen as shown next:
Data validation and accuracy
Dynamics NAV application provides several checks and balances at every step throughout the various stages of application including data entry and postings. Language-specific error messages and prompts assist users with the data accuracy and ensuring the correct information enters the application. There are checks to ensure the debits and credits match, field level controls are established throughout the application to ensure the fields that are mandatory for the transaction are entered by the user before moving on.
Effective change management
Change management procedures are essential part of maintaining a SOX compliant application. A few aspects of change management to keep in mind while defining the organization's change management policy are as follows:
- Every change must be driven by a business case or an issue raised by a business process owner. This must be documented.
- The change done to the application must be tested in a separate test database before releasing the code to live database.
- The object files must be logged and so should be the objects changed to accomplish the change.
- Proper versioning of objects, ensures the previously defined measures are accomplished easily.
- Appropriate approvals must be taken to promote the object changes to the database and must be documented in the change management process.
There are several tools available across a wide range of partners to manage the code promoted to the database and report on it.
This article talks about the security, roles, permissions, and other related topics for Dynamics NAV application. Microsoft has ensured that Dynamics NAV is a very secure application for enterprises and the article outlines some features of the application that ensure the security across various application areas.
- Fine-tuning the SQL Server database for Dynamics NAV [Article]
- Microsoft Dynamics NAV 2009 Development Tools [Article]
- Microsoft Dynamics NAV 2009 SP1 Programming Cookbook [Book]
- NAV 2009: Reports [Article]
- Code Analysis and Debugging Tools in Microsoft Dynamics NAV 2009 [Article]