Work with Permission Sets

Follow these steps to create a new permission set (formerly user role):

1. Open the window Permission Sets by selecting Departments - Compliance - Security - Authorization Management - Permission Sets. User roles can be managed in this window (insert, modify or delete).

1. Insert a new permission set by using the standard Dynamics NAV method Ctrl+N.

2. Fill the field User role ID with a recognizable code.

3. Fill the field Name with a description of the permission set.

1. Select Related Information, Permission Set, Permissions to modify the permissions of a role.

In this window the permissions to various objects can be managed: Table Data, Table, Form, Report, Dataport, Codeunit, XMLport, MenuSuite, Page, System. We advise authorizing only objects of type Table Data, Form, Report and Page. The permissions that can be set up are Read, Insert, Modify, Delete and Execute. The first four are relevant for object type “Table Data”; the last is relevant for all the other object types.

2. Select per object the appropriate permissions for Read, Insert, Modify, Delete and Execute by selecting “Yes”, “Indirect” or “Empty”.

  • Yes: Gives users with this role direct access to read or modify records of the table.
  • Indirect: Gives users with this role indirect access. Records can only be modified through Dynamics NAV functions (e.g. Codeunits).
  • Empty: The user has no permission for the object.

By using “Object ID” 0 the permission is valid for all objects of that type. Select Actions, All objects to open the window Permissions (All objects).

The window simplifies searching for objects and assigning permissions to multiple objects to a permission set at once.

3. Administering multiple permissions at once for the objects selected can be done through the button Permission Sets on the ribbon.
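The guidance above on object types, on which permissions are relevant for which type, and on Object ID 0 can be checked mechanically when reviewing a permission set before release. The following is an added example, not part of 2-Controlware or Dynamics NAV; the row layout, the sample rows and the rule that flags direct write access on an Object ID 0 line are assumptions made for illustration.

```python
from dataclasses import dataclass

ADVISED_TYPES = {"Table Data", "Form", "Report", "Page"}   # advice on this page
TABLE_DATA_PERMS = ("read", "insert", "modify", "delete")


@dataclass
class PermissionLine:
    object_type: str
    object_id: int      # 0 = all objects of this type
    read: str = ""      # "Yes", "Indirect" or "" (Empty)
    insert: str = ""
    modify: str = ""
    delete: str = ""
    execute: str = ""


def review(lines):
    """Return (line_index, finding) tuples for lines that need a second look."""
    findings = []
    for i, ln in enumerate(lines):
        if ln.object_type not in ADVISED_TYPES:
            findings.append((i, f"object type {ln.object_type} is outside the advised types"))
        if ln.object_type == "Table Data":
            if ln.execute:
                findings.append((i, "Execute is not relevant for Table Data"))
            # Review rule assumed for this example: wildcard plus direct write access.
            direct = [p for p in TABLE_DATA_PERMS[1:] if getattr(ln, p) == "Yes"]
            if ln.object_id == 0 and direct:
                findings.append((i, "Object ID 0 gives direct " + "/".join(direct) + " on every table"))
        elif any(getattr(ln, p) for p in TABLE_DATA_PERMS):
            findings.append((i, "Read/Insert/Modify/Delete are only relevant for Table Data"))
    return findings


# Constructed sample rows; only table 38 is taken from the page.
SAMPLE = [
    PermissionLine("Table Data", 38, read="Yes", insert="Indirect", modify="Indirect"),
    PermissionLine("Table Data", 0, read="Yes", modify="Yes"),
    PermissionLine("Page", 0, execute="Yes"),
    PermissionLine("Codeunit", 80, execute="Yes"),
    PermissionLine("Report", 405, read="Yes", execute="Yes"),
]

if __name__ == "__main__":
    for idx, finding in review(SAMPLE):
        print(f"line {idx}: {finding}")
```
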

After acceptance of new permission sets, the authorization administrator can release and implement the new permission sets in the production environment. Only released permission sets can be linked to organizational roles (formerly user profiles). The status of the roles can be managed in the window Permission Sets.

User roles can be released one by one by manually changing the field Permission Set status from ‘Open’ to ‘Released’. The status of a permission set can be managed by users with the permission set that is set up as Super Permission Set ID in Authorization Management Setup.

To release all permission sets select Actions, Functions, Release all Permission Sets.

An extra security filter can be set per object. A security filter gives the permission only in certain circumstances, namely for the records that match the filter. Security filters can only be used in combination with Microsoft SQL Server.


Table 38 Purchase Header is used for all purchase documents. If a user is only allowed to use purchase orders, we advise enabling a security filter that only gives permissions to table data if the field Document Type is Purchase Order.

1. Click on “…”.

2. Click on the arrow down button of the field and select the desired field filter and click on “OK”.

3. Enter a filter according to the chosen field by selecting the lookup button and selecting a value.

4. Click on “OK” and the filter will be added.

If the module Field and Dataset Security and/or the granule Change Log Management is part of your license, you can use functions in the windows Permission and All Objects to directly create field or dataset security or to activate the change log.

With 2-Controlware you can add permissions for all objects of a certain type in the system to a role. This is useful for creating roles that contain, for example, most pages or reports in the system.

1. Create a new role and open its permissions. We advise mentioning the object type in the role name.

2. Modify the object type of the first line to the type for which the role is meant.

3. Fill in a permission for Object ID 0, usually Execute.

4. Click Actions, Functions, All Objects. Filter the objects on the type for which the role is meant. The initially entered permission is present on every line now.

5. Remove the permission of at least one line. This creates a difference with the Object ID 0 line initially entered.

6. Click OK. 2-Controlware detects the difference and extends the role with a line for each object that was not removed, containing the given permission.

7. Optionally, you can add the object initially removed to the role for a complete set of permissions for every object in the system of the given type.

  • Last modified: 2020/09/25 13:45
  • by luukvm