Microsoft Dynamics NAV (Archived)

Database Security - Best Practices


Hello,

We've a Microsoft Dynamics 2009 NAV R2, based on a Role tailored environment.

I've a question concerning SQL Server access rights assignment.

The external consultant who did the installation insists that in order to grant a specific user the necessary rights to create a user within NAV, the operator must have at least SecurityAdmin rights at server level and db_owner + db_accessadmin for the NAV_DB and master db_accessadmin.

This kind of procedure seems rather odd and dangerous, especially if we consider that the SecurityAdmin role applies as well to all other DBs in the server.

Personally I would have expected the Classic Client to be able to impersonate a user (i.e.: the user that runs the NAV service) to create/delete/modify users.

I found this document that seems to confirm the database level access rights: http://msdn.microsoft.com/en-us/library/dd568727

although it doesn't mention anything for SecurityAdmin.

Do you have a final answer on this topic? Any official document?

 

Thanks,

Roberto.


  • Roberto Santoro
    Re: Database Security - Best Practices

    Thanks... Frankly, I am a bit disappointed with such poor user rights management, and it doesn't seem very scalable to big enterprise level to me.

    Thanks a lot for your answer anyhow, it reassured me very much.

    Have a nice day,

    Roberto.

  • Verified answer
    Nick Haman
    Re: Database Security - Best Practices

    The link you reference is correct; there is no impersonate user option. So to recap, here is what is needed to create/sync users:

    1. Security admin at the server level. This is because we create logins at the server level. When a login is a member of security admin at the server level, they don't need to be securityadmin at the database level.

    2. db_accessadmin on the NAV database and master. This is in order to create database users in both.

    3. db_owner of the NAV database.

    4. Granted “select on sysprocesses with grant option”

    5. Granted “view server state with grant option”

    NAV 2013 will be different, but this is how NAV 2009 works.

    Nick
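
An added example, not part of the original thread or of Microsoft's documentation: T-SQL a SQL Server administrator could run to review which principals currently hold the five rights listed in the answer above, so that they stay limited to the accounts that administer NAV users. The database name NAV_DB is taken from the question and is an assumption about your installation.

```sql
-- Added example: audit who holds the rights NAV 2009 needs for user creation.
-- Assumption: the NAV database is named NAV_DB (the name used in the question).

-- Item 1: logins that are members of the server-level securityadmin role
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'securityadmin';

-- Item 5: logins granted VIEW SERVER STATE
-- state G = GRANT, W = GRANT WITH GRANT OPTION
SELECT p.name AS login_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'VIEW SERVER STATE'
  AND sp.state IN ('G', 'W');

-- Items 2 and 3: db_owner and db_accessadmin members in the NAV database
USE [NAV_DB];
SELECT r.name AS role_name, m.name AS user_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_accessadmin');

-- Item 2: db_accessadmin members in master
USE [master];
SELECT r.name AS role_name, m.name AS user_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_accessadmin';

-- Item 4: principals granted SELECT on sysprocesses (recorded in master)
SELECT p.name AS user_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                       -- object-level permission
  AND dp.permission_name = N'SELECT'
  AND dp.major_id = OBJECT_ID(N'sys.sysprocesses');
```

Because securityadmin is a server-level role, the first result set covers every database on the instance, which is the concern raised in the question.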
