Should you need any additional support, please send an email to support@2-controlware.com
In your mail, please mention
- the version of your NAV/Microsoft Dynamics 365 Business Central environment
- if possible any screenshot and/or error message you received
- if you have multiple databases, the connection in which the problem/error occurred.
We strive to answer within 48 hours after receipt of your request.
Here we will mention the latest news that could affect the general use of the Authorization Box.
The Permission Sets are now being cached for performance reasons.
For more information, see “Caching of the Permission Sets” and our troubleshooting paragraphs below.
Latest changes can still be found in our Release Notes.
When you are using OAuth OnPrem authentication, it is necessary to set the ADOpenIdMetadataLocation parameter in the server instance for version 22 and later (see https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/authenticating-users-with-azure-ad-openid-connect?tabs=singletenant%2Cadmintool).
Error message was : “Fout bij verbinden met Dynamics - De inloggegevens zijn onjuist of de gekozen authenticatiemethode komt niet overeen met die van uw servicetier (Windows, NAVUserPassword of Microsoft Entra Application). Probeer de url van de webservice te openen in een andere browser of pas de instelling aan naar de juiste authenticatiemethode en probeer het nogmaals. Bij gebruik van de Microsoft Entra Application authenticatie: Maak gebruik van de toegangssleutel voor webservice als wachtwoord voor de ingestelde gebruiker. Deze kan aangemaakt worden vanaf de gebruikerskaart in Dynamics 365 Business Central.”
("Error connecting to Dynamics - The credentials are incorrect or the chosen authentication method does not match that of your service tier (Windows, NAVUserPassword, or Microsoft Entra Application). Try opening the URL of the web service in a different browser or adjust the setting to the correct authentication method and try again. When using the Microsoft Entra Application authentication: Use the web service access key as the password for the set user. This can be created from the user card in Dynamics 365 Business Central.")
The things that have to be checked are:
Every once in a while the token for the connection between the Authorization Box and Microsoft Dynamics 365 Business Central needs to be refreshed.
A small error message mentioning this will then be shown in red on top of your screen when checking your database connection.
In this case, you can refresh this token by going to the database connection in Setup => General.
Usually this means that the OAuth refresh token has expired (this token is required for the connection).
This can be restored by going to the Settings => General => Databases. There you choose the database connection regarding this message.
Go through the OAuth setup process again: https://wiki.2-control.nl/AB-Getting_Started#authentication-with-oauth.
Make sure that the person that is going through this process is a user with SUPER permissions in Business Central.
To troubleshoot the connection to the Authorization Box, the following steps can be followed.
These steps have to be performed on the server where the Authorization Box Multi Connector is installed. The basis for this troubleshooting is the Microsoft manual: Troubleshooting guide for Azure Service Bus - Azure Service Bus | Microsoft Docs
All tests should run successfully. If not, a firewall setup is blocking the necessary traffic (e.g. outbound HTTPS traffic through port 443, see point 6).
3. Is the Windows service for the Authorization Box Multi Connector started on the server?
4. Is the Windows service for the Authorization Box Multi Connector updater started on the server?
5. Does the configuration file of the Authorization Box Multi Connector have the correct security code/key? You can check this by going to the folder where the Multi Connector has been installed (standard is C:\Program Files (x86)\2-Control B.V\Authorization Box Multi Connector) and checking the value of the field CustomerSecurityCode in the file AuthorizationBox.MultiConnector.exe.config. This value should be the same as the Security Key you use in the connection of the Authorization Box.
6. Check the outbound requirements. You need to open the Azure Relay port settings as described in the following article: https://docs.microsoft.com/en-us/azure/azure-relay/relay-port-settings#wcf-relays. This article includes a table that describes the required configuration for port values for Azure Relay.
7. Check if the connection has not been changed (e.g. into proxy)
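The local checks from steps 3 to 6, as an added PowerShell example (not 2-Controlware's own script). The service display-name pattern, the way CustomerSecurityCode is stored inside the config file, and the relay host name are assumptions; the key is compared without being printed.

```powershell
param(
    # Default install folder as stated on this page.
    [string]$InstallDir = 'C:\Program Files (x86)\2-Control B.V\Authorization Box Multi Connector',
    # Assumption: placeholder host; use the Azure Relay host that applies to your connection.
    [string]$RelayHost = 'RELAY-NAMESPACE.servicebus.windows.net'
)

# Steps 3 and 4: match services on display name (assumed pattern). Both the
# Multi Connector and its updater should be listed with Status 'Running'.
$services = Get-Service -DisplayName '*Authorization Box*' -ErrorAction SilentlyContinue
if (-not $services) { Write-Warning 'No service with "Authorization Box" in its display name was found.' }
$services | Select-Object DisplayName, Status | Format-Table -AutoSize

# Step 5: read CustomerSecurityCode from the configuration file.
$configPath = Join-Path $InstallDir 'AuthorizationBox.MultiConnector.exe.config'
[xml]$config = Get-Content -LiteralPath $configPath -Raw
# Assumption: the field is stored either as <add key="CustomerSecurityCode" value="..."/>
# or as <setting name="CustomerSecurityCode"><value>...</value></setting>.
$node = $config.SelectSingleNode("//*[@key='CustomerSecurityCode' or @name='CustomerSecurityCode']")
if (-not $node) { throw "CustomerSecurityCode not found in $configPath" }
$configured = if ($node.HasAttribute('value')) { $node.GetAttribute('value') } else { $node.InnerText }

# Ask for the Security Key of the Authorization Box connection without echoing it,
# so the key does not end up on screen or in a transcript.
$secure  = Read-Host -AsSecureString 'Security Key used in the Authorization Box connection'
$entered = [System.Net.NetworkCredential]::new('', $secure).Password
if ($configured.Trim() -ceq $entered.Trim()) {
    'CustomerSecurityCode matches the Security Key.'
} else {
    Write-Warning 'CustomerSecurityCode differs from the Security Key.'
}

# Step 6: outbound HTTPS (TCP 443) only; the other ports listed in the
# Azure Relay article are not tested here.
$tcp = Test-NetConnection -ComputerName $RelayHost -Port 443 -WarningAction SilentlyContinue
"Outbound TCP 443 to ${RelayHost}: $($tcp.TcpTestSucceeded)"
```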
Go to the database connection in Setup => General.
Click on the database of which the connection was lost.
Click on the button “Database” at the bottom of the page.
Click on “Test Connection”
When the connection has been re-established successfully, this message will show up in green on the top of the page and a green check mark will appear on the checkbox “Dynamics connection available”
Business Central users can be activated in the Authorization Box by making an Authorization request for that user (by clicking on the + sign of that user or through User management=>Authorization request), or when you use Import Userdata through the Organization Chart.
When you use Import Userdata through the Organization Chart, you have to make sure you have removed the users you do not (yet) want to activate in the Authorization Box from the Excel document you use to import the data.
By omitting the removal of those users from the import file, you will inadvertently activate those users in the Authorization Box too.
When a synchronization task has gone into error because of a query, you can find out what went wrong with which query.
In the User card to which this error message applies, you can find the fasttab Processed Actions. Under this fasttab you can go to the time the synchronization task went into error and find the query which went wrong. The column Error Text contains a short description of why the query wasn't executed. Clicking on the magnifying glass will show a pop-up of that query with the fields and the values found for those fields.
When an error message arises in the Permission Sets which are User-Defined, you can manually add the missing permission to a Permission Set.
It is important that you know which table (Object Name) is mentioned in the error message and which permissions you want to add/edit (Read, Insert, Modify, Delete or Execute).
Go to Business Central and search for Permission Sets. Open the Permission Set which is missing a permission.
Click on the pencil on the top of the page to edit the set. In Objecttype choose Table Data. In Object-id choose the required table to which you want to give permissions.
Modify the permission(s) in the permissions columns.
As Business Central saves automatically you can now leave that screen and the Permission Set has been amended.
Note that this can only be performed on User-Defined Permission Sets and not on System Permission Sets.
During the implementation of the Authorization Box, several environments are used. Building Permission Sets and testing is normally done in a test environment, acceptance in the acceptance environment, and go-live in the production environment. It is possible to migrate the Authorizations and setup to a different environment. This involves Business Central and the Authorization Box database connection.
To migrate the authorizations and the setup you can follow the steps below. The steps describe a migration from a test environment to the production environment.
Create a RapidStart package for the Permission Sets and Permissions in Business Central (with Configuration Packages) and export this package.
Use this standard RapidStart package for the Field Validation and Field Security setup.
Backup the test environment through Setup => Backups => Export and select what you want to export.
Go to Authorization Framework => Organization Chart and Export the structure for the Permission Sets per Organization Role and Users per Organization Role. All users should have the correct permissions in the test environment.
Import the RapidStart packages and check the number series. If they do not exist yet, you will have to make them.
Import the backup made from the test environment through Setup => Backups => Import.
Import the Organization Role and Users per Organization Role through the export/import button on the Organization Structure.
When your scheduled synchronization task doesn't run, one of the reasons could be that an error occurred during the synchronization (e.g. time out, connection lost).
To manually start a synchronization task, click on the Execute button behind the task.
When you have imported a Back-up because you want to set up a new environment which is a (perhaps amended) copy of an older version, you also need to import the (perhaps also amended) data on the users with the import options through the Organization Chart (Import Permission Sets per Organization Role, Import Users per Organization Role) after you made an Export Structure of the older version.
This usually means that, when your Authorization Box user has been added, the Function Profile has not been assigned to your user.
When changes which were made in an Approval template are not visible in Business Central, you should manually sync the users who have been assigned the role(s) with that approval template.
After the (successful) synchronization, the changes made in the Approval template should also be visible in Business Central.
You can make an export of the Organization Structure (Authorization Framework => Organization Chart) in which the Organization roles with their Permission sets can be found and the users with the Organization roles assigned to them.
Should you want to know which objects and their rights are assigned to the Permission Sets, you can go to the Permission Sets in Business Central, select the set(s) you want this overview of and choose Export permission sets. Save the XML file and open it with Excel to get a simple overview of the objects per permission set.
The webservice required to setup a database connection in the Authorization Box can be found in Business Central. When you have logged in to the database, you have to search for Web service. In the overview you can find the Objecttype “Codeunit”, Object-id “70077770” with Object name “2C ES ABWebService” and Servicename “AB”. This line will also mention the requested SOAP URL.
It is possible that no Permission Sets are shown in the Analysis results of a Critical permission, but you will see Permission Sets when you want to review a User or Organization Role.
A possible reason is that in the setup of the Critical Permission, the “Has to comply to” is set to “All objects”, or that in the Objects assigned to that Critical Permission the “and/or RIMDX” is set to “and” instead of “or”.
You can copy the data from a connection into a new connection, but the history (analysis results) from the “old” connection will not (and cannot) be copied.
The steps to follow to copy the data are as follows:
Sequence of importing the data through the Organization structure:
The number of linked users on the Permission Sets page can be incorrect if there have been permission set (role) assignments or revokes after the last cache refresh. To fix this, you can manually refresh the cache with the Refresh button in the top right corner of the Permission Sets page.
When you want to add a permission set to an organization role, but that set is not visible, it could be that you changed something in that permission set, or that it is a brand new one. In this case you should renew the cache for the permission sets.
Go to Authorization Framework => Permission Management => Permission Sets and click there on the Refresh button in the top right corner.
Every 90 days an Authorization Box user is required to change the password.
When a user has tried to log on with an invalid password 5 times, the user will be locked out. A new password has to be requested from the Application manager. An email with a temporary password, which has to be changed on first login, will be sent to the locked out user.
No, logging cannot be changed by 2-Controlware employees.
You can find the changes made to the Authorization Box in the release notes.
2-Controlware can deliver a SOC2 report where an overview of the type of data is mentioned and here you can find more information about the databases we maintain.
Members of the 2-Controlware support team can access the Authorization Box environment of a customer and will only do so if necessary for support or training purposes. If a 2-Controlware user is active in your environment you can see this in user management under general setup. 2-Controlware access to a customer environment is automatically removed within 24 hours.
The password has to be at least 12 characters long and consist of at least one number, capital letter and a punctuation mark.
The Authorization Box is a generic SaaS application. It is not a specific customer application environment. In the processed authorization requests and the synchronization log, it is visible which changes have been made by the Authorization Box in the database environment (Business Central). More authorization changes can be consulted in the change log entries of Business Central.
It is possible that the synchronization task for the Management data keeps going in error.
This task is meant to be able to choose a user from the Active Directory when you want to make an authorization request for this user and this user does not exist yet in the Authorization Box. When this task is not / can not be performed, the alternative would be to create this Active Directory user in Business Central, after which this user will be visible in the Authorization Box and can be picked from a list when creating an authorization request for that particular user.