I know it should provide a better security model for the client, but is it worth the complications? Does everyone just by default ignore 4.00sp2, and go immediately to Simple model? Or do some people prefer the Enhanced model?
[Poll]
Thanks
Can anyone give some small bullet points to what the actual benefits are in using Enhanced?
I try to stay clear of it where ever possible, as I just don’t see that there are any really??
Cheers
With enhanced security model, Navision uses security implemented natively in SQL. So you can use external applications to read Navision tables and use the same user that you have in Navision.
With standard Navision uses a proxy to read tables, meaning that security is done in proxy and not directly in SQL. That why enhanced takes so long to apply security. It has to apply permissions to all tables and objects for each user and some ties it fails because of deadlocks in tables.
Thanks for the response, would you say that if you are not using an external application to read NAV data, then the standard option is the best way to go, due to speed issues locking etc?
Thanks
The locking problem only arises in synchronising. I always prefer to use standard security model, but it’s just a personnel opinion. When you have many users some times can problematic to synchronize all users in Enhanced security model.
I use simple almost exclusively now. A few months ago I sent the following question to Microasoft:
Is there a document available that explains the reasons for choosing one method over the other? I’m finding little reason to use the enhanced method. I plan to move another site to standard
And received this answer…
“…No, I am not aware of any document that explains the reasons. The Enhanced came about because of Microsoft’s Trustworthy Computing initiative…”
It really gives me a warm and fuzzy feeling when Microsoft can’t explain the reasons for one of their “Enhancements” [:P]
Sort of what motivated me to write this post. Thanks for the feedback, much appreciated.
The way it was explained to me is that when Microsoft purchased Navision, they went through a security audit, and the way that Navision’s security model was implemented was not deemed ‘secure enough’, or not consistent with current guidelines or something. The security people at Microsoft then forced the Navision team to implement the ‘enhanced’ model, by pushing all permissions down to SQL Server. As far as I know, this has only caused problems, I do not know of any implementation where the enhanced model has added any value. If you have an external app reading into a NAV database, you can always manually add permissions directly on SQL Server, even when you’re on the standard security model.
The only thing with simple security is that if you are a developer then you need have the database owner or sys admin rights to be able to make changes to tables. When you don’t have these permissions you get a great SQL error message.
You get the same message on the enhanced security model.
This is normal SQL behavior and not a “Navision” issue. Only DB_Owner is allowed to modify objects owned by another user.
They probably re-introduced the standard security model when they noticed most users were dbowners in SQL to avoid the loss-of-time when synchronizing and thus a lot LESS secure.
It’s a good question and I’d like to add my bit and hopefully clear a few things up, without too much detail. All of what I write can be deduced using the SQL Profiler, albeit not easily.
The Enhanced security model was indeed made to put up more security barriers as part of the security initiative for Navision 4.0. This is not to say at all that Standard is not secure – but certainly Enhanced is more secure, at the cost of the performance of administration (i.e. Synchronization).
As many know, NAV uses an application role to enforce security for regular (non-dbo) users of it’s SQL databases. The primary difference between Standard and Enhanced is that for the Standard model a single application role is used and all users access tables using this role, and for the Enhanced model separate application roles are used for and owned by each user.
For Standard, whenever a table is created in the database (by a dbo), all permissions to it are added to the application role. Any user can now access this table as far as SQL is concerned, provided the application role is activated. NAV alone knows how to activate it.
For Enhanced, t he Synchronization process that everyone is fond of, looks at each user’s effective NAV permissions using the security tables and applies them as SQL permissions to that user’s particular application role, for the tables involved (nothing is done at table creation time). So if user A can read only the Customer table and user B has all permissions to hundreds of tables then their personal application role’s permissions will reflect this (1 permission for A, versus hundreds for B). Activation of their respective application roles by NAV will yield SQL permissions specific to each user. You could say that the SQL permission set is sandboxed more strictly for the Enhanced model than the Standard. Further to this, more security is also achieved by the actual activation mechanism of the application roles, and this is more complicated for the Enhanced model than Standard – I will not go into that.
There is no difference in terms of integration from other systems; for both models the actual database user has no permissions at all within the database and activation of any application role is not possible.
The option of choosing Standard again, was made (in 4.0 SP1?) because of the Synchronization performance for a database with many users, being un-workable. You should feel super-confident with the security offered by the Standard model, which has been in place since 1999 with no reported security issues at all. No matter what level of security exists in a system though, there will always be a more secure possibility – with NAV that is the Enhanced model.
I made my above post with many paragraphs but they seem to have been removed when I posted. Sorry for the single long text.
Did you create this in an external editor? If so what? It has inserted: .<o:p></o:p> instead of
or
as a paragraph breakThat’s it of course - I had forgotten that I composed it in Word first then copied it over. Won’t do that again then [:)]
Sure you can. Just copy the text from word, and then use the “PASTE FROM WORD BUTTON” this should get the formatting correct.
Thanks for the bit Dean, that does clear it up. I kind of knew why but not exactly the what. I have always thought that on enhanced, table permissions were pushed down to SQL Server, which in my opinion was the only reason to even use that model. Since all of my customers chose standard I have never been in a position to actually test that though. Thanks again for the clarification.
I’ve read through the posts on this topic, and have one question.
Can we move from enhanced security back to standard just by changing the option through the File, Database, Alter dialog box, or is there more to it?
cheers, Mark
That’s all there is to it, but since you must also enable the “Single User” option to do this, you cannot have any other users connected to the database.
Going in this direction, Enhanced → Standard, is also of course the fastest because all that happens is a bunch of objects are deleted so this change will not take long.