db_owner in Navision database too much?

As part of an issue I was working on earlier today I had to have my customer add db_owner to all Navision database users, to enable some SQL views that we created. Naturally, they are a little worried if that’s not overdoing it. My worry is that anybody with MS Access on their computer could connect to the database and wreak havoc (sp) in there. Is granting db_owner to every user a security risk?

Yep, it basically gives every user permission to do whatever they like. Insert, delete or even drop the database so I don’t think this is a situation you want to stick with. Normally you just want to give them the pulic role and the Navision permissions take care of the rest. Also, somebody with a later Navsion client could connect and accidentally convert your database, making it inaccessible to users with older clients. I would recommend finding a different way of doing this as this is very insecure. Meint

Hi Daniel We had the same issue; views to external db’s that must be accessed by non-db_owner users. Our feeling is on par with that of Meint, db_owner is too much of a security risk. To go a bit further: our solution was to create standard Navision tables (obejct that would have been used by the views in any case) and then use DTS tasks to populate the tables. Depending on the kind of information required we either scheduled the DTS task to run at pre-determined time intervals or we call the DTS task with some code behind a button on a form. In this instance the DTS task takes care of the security. Although this is not first prize this has enabled us to get the information into Navision. Regards Marius