Creating a user who can add users and roles but cannot be a superuser

Hi, I want to create a user who can create other users, reset their passwords, add roles to users but he cannot add himself as a superuser nor can he make others superusers as well. I don’t want him to access the object designer as well. How best can this be done?

Hi,

I was in the exact same situation in my previous job.

I tried many different things to achieve this, but the only way I found was actually to build an alternative permission setup system. This also allowed us to set up a permission change log (required by many IT auditors). Remember to set correct permissions on the SQL Server also.

As Erik stated below, this is hard. You give someone permission to add “Roles” to other users. A Super user is a role and not an entity in its own right, so by allowing a user to give another user roles, they inherit the ability to make someone (including themselves) a super user.

Also note, again as Erik stated, that to add users and change roles that user needs special permissions in SQL if you are not running native,


I am using Native server, not SQL… So this is not possible using Native server??

I have never tried this in a production environment with the native database. But I think I must have tested it using native, but it’s 3 years ago, so I don’t remember anymore.

You referring to setting up the log change?

The problem you will run into is that a user can only assign permissions to another user that he has himself. If a user could assign any permissions to any person then that user can just make himself a super user.

This sounds wrong. I thought that you could only assign rights that you already have rights to, so if you are not a super user you can not give someone else super permissions.

I have not done this for a while, but we did do this for one client, where for example the head of Accounting could give permissions to new employees to do AR or post checks etc, but couldn’t give inventory permission etc.

It’s not wrong. If you assign someone permissions to the “User” and “Member Of” tables (or the equivalent SQL tables) then you can let them assign permissions indirectly to other users without giving them SUPER permission.

I haven’t tried it in NAV 2009, but there is a role called “Security” that looks as if that would work. You might have to add a security filter to filter out the SUPER role. Of course this would probably only work for 2009.

That’s my 2 cents… [;)]
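To make the two models in this thread concrete, here is an added example (not code from the thread and not Dynamics NAV code) that models them in Python. The role catalogue, user names and table names are constructed for illustration. The first path follows the SECURITY-role rule the thread describes (a delegator may only grant permissions they already hold); the second path models delegation through the “User” / “Member Of” (access-control) tables, guarded by a filter that refuses the SUPER role so the delegate cannot escalate themselves or anyone else. Every grant attempt, allowed or denied, is written to a change log of the kind auditors ask for.

```python
"""Model of delegated role assignment with a SUPER-exclusion filter.

Added example, not code from the original thread or from Dynamics NAV.
All role names, permissions and users below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SUPER = "SUPER"
ALL = ("*", "*")  # wildcard permission held only by SUPER

# Constructed role catalogue: role -> set of (table, permission) pairs.
ROLES: dict[str, set[tuple[str, str]]] = {
    SUPER: {ALL},
    "AR-READ": {("Cust. Ledger Entry", "Read")},
    "AR-POST": {("Cust. Ledger Entry", "Read"), ("Cust. Ledger Entry", "Insert")},
    "INV-POST": {("Item Ledger Entry", "Insert")},
    # Hypothetical SECURITY role: may edit the user and access-control tables.
    "SECURITY": {("User", "Modify"), ("Access Control", "Modify")},
}


def covers(held: set[tuple[str, str]], needed: set[tuple[str, str]]) -> bool:
    """True if 'held' includes every permission in 'needed' (SUPER covers all)."""
    return ALL in held or needed <= held


@dataclass
class Directory:
    members: dict[str, set[str]] = field(default_factory=dict)   # user -> roles
    log: list[tuple[str, str, str, str]] = field(default_factory=list)

    def roles_of(self, user: str) -> set[str]:
        return self.members.setdefault(user, set())

    def permissions_of(self, user: str) -> set[tuple[str, str]]:
        perms: set[tuple[str, str]] = set()
        for role in self.roles_of(user):
            perms |= ROLES[role]
        return perms

    def _deny(self, actor: str, target: str, role: str, reason: str) -> None:
        self.log.append((actor, target, role, "denied: " + reason))
        raise PermissionError(f"{actor} -> {target} {role}: {reason}")

    def grant_security_style(self, actor: str, target: str, role: str) -> bool:
        """SECURITY-role rule: actor must already hold everything the role grants."""
        if not covers(self.permissions_of(actor), ROLES[role]):
            self._deny(actor, target, role, "actor lacks permissions in role")
        self.roles_of(target).add(role)
        self.log.append((actor, target, role, "granted"))
        return True

    def grant_via_access_control(self, actor: str, target: str, role: str) -> bool:
        """Access-control-table path: needs Modify on that table; filter rejects SUPER."""
        if not covers(self.permissions_of(actor), {("Access Control", "Modify")}):
            self._deny(actor, target, role, "no Modify on Access Control")
        if role == SUPER:
            # The "security filter" from the thread: SUPER is never assignable here.
            self._deny(actor, target, role, "SUPER excluded by security filter")
        self.roles_of(target).add(role)
        self.log.append((actor, target, role, "granted"))
        return True


def build_demo() -> Directory:
    """Constructed directory: one SUPER admin and one SECURITY-only auditor."""
    d = Directory()
    d.roles_of("admin").add(SUPER)
    d.roles_of("auditor").add("SECURITY")
    return d


def denied(fn, *args) -> bool:
    """Helper: True if the grant attempt raised PermissionError."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    d = build_demo()
    d.grant_security_style("admin", "alice", "AR-POST")            # admin holds all
    print(denied(d.grant_security_style, "auditor", "bob", "AR-POST"))  # True
    d.grant_via_access_control("auditor", "bob", "AR-POST")        # indirect path works
    print(denied(d.grant_via_access_control, "auditor", "auditor", SUPER))  # True
    for entry in d.log:
        print(entry)
```

The point the thread keeps returning to is visible in the last two calls: the access-control path lets a non-SUPER auditor hand out ordinary roles, but only because the SUPER filter sits in front of the table; remove that check and the auditor can assign SUPER to themselves. The same filter must also exist on the SQL side (or in whatever form enforces the table), since a delegate who can write the table directly bypasses the application check entirely.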

Hi all!

Guess I’m digging out a very old post; still, I am getting some problems with a similar situation:

Audit user must have permission to:

  • Read All

  • Attrib Roles to User (Windows Access Control)

If the user has ‘SECURITY’ only, she needs all permissions she wants to assign, each time she does the job. That can’t happen and she CAN NOT be SUPER.

Have you found a solution for this already?

I’m working on NAV2009 SP1, SQL Server 2008.

Thanks in advance,

Miguel

Why not? If they have permission to assign any role to any user, they can just assign SUPER to themselves. I mean, I know what you’re going for, but that wouldn’t make sense from a security standpoint either.

My honest opinion: get someone to handle security that you trust. I’m sure there is a way to build a solution on top of standard security. Maybe Erik is correct; if you give permission to Windows Login and Windows Access Control that will be enough. You could have a custom form on top of those two tables. But still, it seems silly, as again they would just be able to assign SUPER to themselves.