Hi,
I have a client who has Nav 4 sp2 and he wants to setup the security espacially because now he wants to implement Navision CRM . I know that implementing the securioty in Navision can be cumbersome . So my questions:
What is the best way and the fastest to implement that?
If I have users that are belong to specific group related to locations , how can I do that? All my users are linked to locations ( warehouses)
Any help will be appreciated.
Thanks
Hi Taty,
My suggestion is:
Use the standard roles. Creating new security roles is a mess in Navision.
Forget about using filtering on Location Code. It’s a night mare! Tried to do it with one of our subsidiaries before. We spend 3-4 times the estimated time on this before it worked. And we estimated it high already!
Navision and special security is cumbersome as you say, so try to do everything what you can to get around these requirements.
Original Roles Setup in NAV is clumsy, and sometimes it is difficult to gain results you need, especially creating new roles which differ from “preset” ones. (e.g. allow user to create PO/SO and Ship/Recieve, but NOT Invoice).
MS made a tool called “User Rights Setup”, it was included in Installation Disc, don’t know is it there up to now. The one I have got is from old 3.7 version, but if you have access, check PartnerSource - there might exist newer versions. This tool isn’t a panacea, but it’s still more friendly than standart. (You will need Partner license - Object numbers are from range not accessible to Client)
Hi Modris,
Yes the “User Rights Setup” tool is an ok help. But it only works on the native database!
And yes the roles are not great, but creating all new roles is a night mare. Yes of course go ahead create 1-2 new groups like the one you mention.
Hey Taty,
I agree with Erik on location specific setups… do not do that. You will be in a world of hurt. Additionally, if you start doing roles like “WHSE_SPR_MI (MICHIGAN), WHSE_SPR_CA (CALIFORNIA), WHSE_SPR_CHINA (OBVIOUS)” etc etc, where you are naming them location specific…your just asking for trouble, especially if you have to spread out your roles and make lots of them. Keep it simple.
If you want to name the roles you wish to create based on “Department” or “function” like “WHSE-SUPER” vs “WHSE-RESTR (RESTRICTED)” that might be ok. It allows you to keep some logic in how you create your roles so its easy to understand, while still allowing you to maintain some diversity in how you create and follow them.
Also, I would wait until your implementation of the CRM is complete before you start doing security… your probably going to have new FOB’s put in, and sometimes people forget security related information when doing that anyway. Might as well not do twice the work.
Thanks all for your reply. Very helpful.
For Torh, We have finish the CRM implemetation and the Go live should take place in 3 weeks BUT we need to add permissions to several users ( new and old NAV users).
So we want to create some groups of users that share same permisions; groups such as Finance; Purchase; Sales; Sales New Yoork; Sales Boston; Shipping etc… Users in each group should have acess to only their contacts ( CRM) meaning contacts that are related to their location/Warehouse.
So that is the type of security that I want to put in place.
Thanks
Taty,
There is supposed to be a way to filter security on roles. I think you could filter on Read rights where Salesperson = “” on the customer card but I don’t recall how to do it or if that is exactly how it works. I’m still pretty new to NAV but I’m eating it up like Candy as I go… I just have not really touched on Security yet.
I recommend you look into that, it may be what you are looking for. Also LANHAM field security is nice to have too, so something else to review.
Thanks Torch.
I really dont know how to handle that as My client already uses NAVa nd they want to revise all the security.
I need to find the best way and the efficient way to do that: They really need people to wok and SEE ONLT things belonging to their location ( they dont use multiple companies).
Thanks
You might consider another approach - filters set in code. Its of course NOT security, and smart guys can remove these, but as you reopen/refresh form, filter kicks back in. If that is enough for you, it is MUCH easier to implement.
Example - Sales Order List & Card filtered in code by Salesperson, so every salesman sees only his own ones, very common solution if there are many of them.
BUT ! Don’t forget to fill in these filter values in code on CreateNew, too!
Othervwise newly created SO will momentarily be out of filter scope - as common mistake as usage of this approach [:D]
Hey Modris,
That works but can’t they just hit the Un-filter button at the top? I wouldn’t necessarily use that as a solution … you never know what the situation is with sales rep’s, (especially sales reps because in my experience they are sneaky pre-madonna’s).
Taty - you might want to contact a company called LANHAM. I don’t know how others feel about them because I’ve heard mixed reviews, and I’ve been working with them for a while. They seem alright and their “Field Level Security” mod is pretty nice. In fact it’s a lot more robust than some give it credit for, but you have to implement it after you do your other customizations. Otherwise everytime you need to add new fields to the security you have to do some development work that may or may not go smoothly.
Again… it’s worth looking into.
I’ve done this with a project I’ve worked on. But I will not recommend anyone to repeat it. It was really a mess. Navision security is really not very good here!
Expect it to cost 2-3 times more than what you or any developer (who haven’t don’t exactly this before) would estimate up front.
Not if you set the filters in FILTERGROUP(2)
e.g.
MyRec.SETFILTER(MyField1,‘%1’,MyValue1);
FILTERGROUP(2);
MyRec.SETFILTER(MyField2,‘%1’,MyValue2);
FILTERGROUP(0);
If you write code like that, the user will be able to remove the filter on MyField1, but not the one on MyField2
Yes but to archive this system-wide, you still have to do a major development work.
Totally agree…
Only posted my comment to point out the possibility to set filters in other filtergroups, and thereby disabling the possibility to have the user remove them.
And FilterGroups are a great option, that I know most Navision developers don’t even know how to use. Thanks for reminding me!