G’day all! I have a question about tuning of access rights. I’d like to reach following state: developer could be able to view source code of the object but he could not have permission neither to modify objects neither to insert or delete them. Suppose I have role named DEBUG_ONLY. I’m adding all permissions to all “Table Data” objects into this role. Then I’m changing modify, insert and delete permissions to NO (actually it’s an empty value) in the “Table Data 2000000001 Object” string. But it didn’t help, I still can modify objects. Any ideas? Is it theoretically real to have such permissions? Thanks in advance.
Hi Max, If you want your developer not being able to affect the live data (and/or objects), why don’t you give him access to a copy of your live database? He can do whatever he wants with the copy (view, create, modify, delete), but the changes will never be reflected in the live database. If you don’t want him to see the data in the tables, just import the objects in this dev database, with no table data…
David, thanks for your reply. Sorry, I should mention it in the first posting - all things should be done in the same database, this is one important restriction.
Create two companies and give him the right “super” or sth. more relevant to your restrictions on both companies - result being that he cannot change cross-db objects. He still can insert them if he’s good and bypass you 
Tõnu
You also need to remember, that when he would do debugging, he potentially locks all other users. Therefore a copy of the database would be ideal. Just my 2 cents
quote:
Originally posted by facade
Create two companies and give him the right “super” or sth. more relevant to your restrictions on both companies - result being that he cannot change cross-db objects. He still can insert them if he’s good and bypass youTõnu
If you change an object design, you change it in the entire database, and this will affect all companies in that database. Doing development in one company in the same database as your production company is a REALLY bad idea, unless you like being chased by your users of course [8D]. I don’t know if it is even possible to have rights to open objects in design mode but not to save them. If I were you I’d convince the customer that they need to have a development/test database separate from their production database.
quote:
Originally posted by DenSter
I don’t know if it is even possible to have rights to open objects in design mode but not to save them.
If you don’t know then read once again - then you shall know
quote:
Originally posted by facade
Create two companies and give him the right “super” on both companies - result being that he cannot change cross-db objects. Tõnu
And to clarify for Daniel - cross-db objects means any object in database except tabledata and system of course ie - all tables, forms, reports, dataports and codeunits that you can see through “Object designer”.
quote:
Originally posted by facade
If you don’t know then read once again - then you shall know
And to clarify for Daniel - cross-db objects means any object in database except tabledata and system of course ie - all tables, forms, reports, dataports and codeunits that you can see through “Object designer”.
mmm [V] I think someone is being a little sarcastic with me here.
quote:
Originally posted by facade
Create two companies and give him the right “super” on both companies - result being that he cannot change cross-db objects. Tõnu
The reason why this does not make sense is that by saying “cross-db”, you are implying that there are any other types of objects, which is simply not true. An object (table, form, report, dataport, codeunit) lives in the database, regardless of how many companies are in that database. If any object is changed in one company, the change will be made in all companies in that database, simply because all companies use the same physical objects. If you have super user rights in one company, then you can do everything a super user is allowed to do in that company, regardless of the security settings of that same user in another company. I am super user in countless databases with countless companies and I can do whatever I want with every single object in those databases. So please explain exactly how that works, I am curious.
quote:
Originally posted by DenSter
mmm [V] I think someone is being a little sarcastic with me here. Sry - please no offence.quote:
Originally posted by facade
Create two companies and give him the right “super” on both companies - result being that he cannot change cross-db objects. Tõnu
do whatever I want with every single object in those databases. So please explain exactly how that works, I am curious.
Explanation is in the lines up there - please read and follow - So here we go once again - From where we go - we have a db. We have two companies. We have a superuser. We have superseeonlyuser. We set up superuser with permission SUPER (no companies). We set up superseeonlyuser with permission SUPER on both companies ie. two records in table (if using winlogin) Windows Access Control. S-* SUPER CRONUS Ltd. DOMAIN\seeonlyuserid This user has. S-* SUPER CRONUS TEST DOMAIN\seeonlyuserid This user has. Result - user superseeonlyuser cannot modify anything. Helped?, worked? - feedback expected Tõnu
quote:
Result - user superseeonlyuser cannot modify anything. Helped?, worked? - feedback expected
It worked, thank you very much![:)]
quote:
Originally posted by facade
we have a db. We have two companies. We have a superuser. We have superseeonlyuser. We set up superuser with permission SUPER (no companies). We set up superseeonlyuser with permission SUPER on both companies ie. two records in table (if using winlogin) Windows Access Control. S-* SUPER CRONUS Ltd. DOMAIN\seeonlyuserid This user has. S-* SUPER CRONUS TEST DOMAIN\seeonlyuserid This user has.
Thank you for explaining Tõnu. I did not understand what you meant before (having more than one user always confuses me [8D]), but this cleared it up. That is an interesting ‘feature’… As soon as you assign a company to a super user, they can’t save objects anymore… you don’t even have to assign both companies to the user. So do you know how to allow a user access to only one company, but also allow him to change objects?
quote:
So do you know how to allow a user access to only one company, but also allow him to change objects?
In sql this is easy, but in native - when i figure it out i’ll tell. Heya till then.
Please note that Tonu’s solution is not restricting the programmer to import FOBs. This issue can be resolved by giving a “RESTRICTED SUPER” role to the programmer. This new role would be like SUPER, but wouldn’t have the permissions for: System 1310 - File, Import, Binary System 1320 - File, Import, Text