When NAV was set-up for our company numerous people were setup with super user accts. (It was told to me that the company that set us up was lazy and didnt want to figure out specific roles for users) I have been given the task to remove all the super user roles and give the users only permissions in NAV to the tables required for their job. The Sr. programmer suggested that I use the SQL profiler to monitor users activities, and write a VB prog to output tables accessed ect… and use this to assign roles. This does not seem to be the best way to go-about this project. Any suggestions would be greatly appreciated. I have “Implementing Microsoft Dynamics NAV 2009” by David Roys and Vjekoslav Babic. The chapter on Roles and the customer model is pretty self explanatory. I just need to make sure when i start migrating users out of the super user role the experience is seamless.
Setting up user credentials is something that the NAV reseller can help with, but it is ultimately up to the client to determine which users need what permissions. Without that input from the client, the reseller really doesn’t have much to go on.
I agree with your impression of the VB approach - not very clean or effective. I think that using the standard Navision functionality is your best bet.
When you take away Super credentials, users will invariably bump into features that they can’t any longer access, and you’ll have to adjust. You could spend a year tracking user behavior and still not avoid that effect. I think you’re best off to keep doing what you’re doing. Read all of the available documentation, and plan ahead. You will need to make adjustments after the change, plan for it.
The biggest part of the plan was alluded to earlier – you’ve got to know what permissions each user needs, separated from what they want or are just curious about. You may also want to group users based on the effect a security issue may have on their work, and cut them over at different times to minimize your support workload. You know your users better than anyone else. Plan accordingly.
In the end, you shouldn’t have more than a few users with Super credentials. And, you may want to separate responsibility for NAV security from SQL security, just to distribute the risk.
I have a feeling it was more your company didn’t want to pay the consulting rates associated with this task. It takes a long time to setup NAV roles properly.
It totally depends on how much work you want to put into it (and how much work you want to put in to maintain it). I prefer to start with the major tasks and / or master records and whittle down from there. Can a user post sales orders? If the answer is no then don’t give them Insert into the Customer Ledger Entry. Can they create or modify vendors? If the answer is No then don’t give them Insert or Modify for the Vendor table.
If you do this for the main tables you can have a decent structure. Users will be able to find a way around it if they really want to, but it’s a start. From there you can begin to take away more permissions.
It will never be seamless, though. There’s always a task that the user forgets they need to do, or does a different way. Data could even be filled out differently even though the process is the same, which could cause code from another table to be executed / inserted. It’s really just trial and error for the most part.