Problem setting security permissions

Hello!

I’ve developed some custom objects concerning job management and now I need to specify appropriate roles and permissions for the users (Windows Logins, btw). I’m using NAV 5.0 SP1 IT.

Specifically, among other objects, I implemented a table “Job User Type”, which has to be available (Read,Insert,Modify,Delete) just to “Job admins”. Other users (“job managers”), must have the “Job” table available (R,I,M,D). Form “Job Card” reads, among others, table “Job User Type” to apply some logic to the displayed jobs.

So, after reading all the docs I found on the issue, I tried to set the appropriate permission. I did not find any predefined roles for job management, so I started from scratch with the “Job managers”, who must not see table “Job User Type”. I set all “Table Data” permissions to Yes for all the objects managers need to use directly, then set all “Table Data” permissions to “Indirect” for Table “Job User Type”. An error occurred, specifying I don’t have the permission to read from table “Job User Type”. But the role I’m defining must indeed not read that table, so I cannot set the Read permission to true, hence I tried to specify the R,I,M,D permissions to true for “Table” “Job User Type” (rather than “Table Data”). No change!

I tried several combinations, but I didn’t achieve my goal: it looks like I need to make “Job User Type” available to “Job managers”, whereas they should not be able to even know its existence… Am I missing some basic concept, or is it really so?

I always assigned also role “ALL” to the users I’m testing with…

Thank you very much in advance!

PS: I also used the Client Monitor, but I did not find further information.

Hi,

If you set a given permission to ‘Indirect’, then some other object has to have the full permission, in order for the user to gain that permission.

You could have a look at the ALL-role…
It grants indirect rights to TableData 405 (Change Log Entry).
Also it grants execute-rights to all codeunits.
Then Codeunit 423 - Change Log Management has the full permission to read and insert records in Change Log Entry.

So my guess is that you have to assign some permissions to other objects, that the “Job Manager”-role has to run.

Btw…
I think it is the best way to create brand new roles for your new function, rather than modifying the existing ones, just like you do [;)].
That’s the way I always do it.

Thanks for the reply, but actually I do create roles from scratch, that’s not my problem: thing is, how would you solve my situation? I have a table TA which X can see and update, but this table can’t be seen by Y. Y needs to see another table, TB, through a form, which needs to read TA to apply some logic.

What permission should I (would you) set to TB and TA for Y?

Thanks again!

You need to assign direct permission to TB, and indirect permissions to TA.
AND also assign permissions to TA to the form that Y uses to read data from TB.

Thanks again, I tried to apply what you suggested, but it doesn’t work. Here’s what I’ve done:

Table Data TB R=Yes I=Yes M=Yes D=Yes E=Yes

Table Data TA R=Indirect I=Indirect M=Indirect D=Indirect E=Yes

Form FormWhichReadsTB R=Yes I=Yes M=Yes D=Yes E=Yes

I also gave user Y role ALL, but the displayed message is, as usual, “You do not have the permission to read the TA table”.

I guess you meant to let Table TA acquire (indirectly) the permission to be read through direct permission of the form, but maybe it’s just that I don’t know how to let the form acquire direct permission to a determined object (TA in this case). I know I’m becoming a nuisance, but could you please help me a bit further?

Thank you in advance!

This one is where you have misunderstood me. (or I failed to explain properly [:D])

In the ALL-role (in default setup) the users already gain permission to each and every form in the database, through the permission: FormID=0

What you need to do, is to add the permission to the form itself.
This is done by going to the form in object-designer, go into design, and open the form-properties.
There is a form-property called Permission, and this is where you can assign some permissions to the form itself.
This is what you have to do, in order to make the indirect-thing work.
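
A simplified model of the behaviour described above, added here as an illustration and not part of the original posts or NAV's own implementation: an Indirect table-data permission only takes effect when the object being run carries a matching entry in its Permissions property. The object IDs, role contents and function names are constructed for the example.

```python
# Simplified model of the check discussed in this thread; not NAV's real code.
YES, INDIRECT = "Yes", "Indirect"
TA, TB, JOB_FORM = 50001, 50002, 50010  # hypothetical object IDs

def role_level(roles, obj_type, obj_id, right):
    """Strongest level the user's roles grant; object ID 0 means 'all objects'."""
    levels = {role.get((obj_type, oid), {}).get(right)
              for role in roles for oid in (obj_id, 0)}
    return YES if YES in levels else INDIRECT if INDIRECT in levels else None

def can_access(roles, table_id, right, via=None):
    """via = (obj_type, obj_id, permissions) of the running object, if any.
    permissions mirrors the object's Permissions property: {table_id: "rimd"}."""
    level = role_level(roles, "TableData", table_id, right)
    if level == YES:
        return True
    if level != INDIRECT or via is None:
        return False
    obj_type, obj_id, permissions = via
    # The user must be allowed to run the object, and the object itself
    # must hold the right on the table through its Permissions property.
    may_run = role_level(roles, obj_type, obj_id, "E") == YES
    return may_run and right.lower() in permissions.get(table_id, "")

# Constructed roles for user Y, following the settings posted above.
ROLE_ALL = {("Form", 0): {"E": YES}}
ROLE_JOB_MANAGER = {
    ("TableData", TB): dict.fromkeys("RIMD", YES),
    ("TableData", TA): dict.fromkeys("RIMD", INDIRECT),
}
Y_ROLES = [ROLE_ALL, ROLE_JOB_MANAGER]

FORM_BEFORE = ("Form", JOB_FORM, {})          # Permissions property empty
FORM_AFTER = ("Form", JOB_FORM, {TA: "r"})    # Permissions property grants read on TA

if __name__ == "__main__":
    print("TB direct read:      ", can_access(Y_ROLES, TB, "R"))
    print("TA direct read:      ", can_access(Y_ROLES, TA, "R"))
    print("TA via form (before):", can_access(Y_ROLES, TA, "R", FORM_BEFORE))
    print("TA via form (after): ", can_access(Y_ROLES, TA, "R", FORM_AFTER))
    print("TA modify via form:  ", can_access(Y_ROLES, TA, "M", FORM_AFTER))
```

Granting the form only read on TA keeps Y from modifying TA even through that form, which is the narrowest setting that satisfies the requirement in the question.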

WOW! I haven’t tried it yet, I’ll do it tomorrow, but I can already tell you opened a whole new world with this revelation!!!

Thanks again, I’ll let you know!!!

Thank you very much! It did work!!!

I hadn’t even noticed property “Permissions”, now I have a clearer vision of the NAV security model!!! [<:o)]

Thanks again!