Plugging Dynamics NAV Security Holes
The default security roles that come out of the box allow certain users to access the Chart of Accounts, G/L detail and financial reports when they should not have access.
The technical reason behind this is specific permission sets give the user the ability to read G/L accounts and G/L Entries. These include sales/purchase order entry, posting of sales/purchase orders, and so forth. Further, the default permissions give users the ability to view all pages (screens). Therefore, these users have the ability to view the chart of accounts, see balances and drill down into the G/L entries.
The obvious question is, "Why do you not simply take away the ability to read the G/L account or entries?" Users may need to select a G/L account on the sales or purchase lines for misc. charges or to record an expense and the posting routines need to read the G/L entries. Therefore, these permissions cannot simply be taken away.
The next obvious question is, "Why not give users access only to specific pages (screens)?" This is a valid question and yes this can be done, but it will a mind-numbingly and time-intensive task which could take a hundred hours or more. There are third party tools which can help, but there are other possibilities without purchasing additional software.
A recommended approach is to set up roles for each department so that users only see the pages, reports and tools they will need. Then the key thing is to remove the Departments menu from the user's role. Users will not be able to access any page, report, etc. that they cannot see on their menu. They will not be able to search and find any feature that is not specifically on their role. Therefore, they will not have access to the Chart of Accounts, or financial reports. Setting up roles as described above accomplishes two goals:
- Simplifies the user-interface greatly and enhances the user experience.
- Enhances, but does not replace the security settings.
Still with the above done, there is still a few holes to be plugged. Users, while looking up a G/L account, could go to the G/L Account Card or Navigate and see the detail of posted entries. Navigation is an immensely useful feature, but the user could potentially drill down into the G/L entries, remove the filter and see any data in the G/L. This can be resolved with a few lines of code on the G/L Account Card and General Ledger Entries pages. It is recommended to add a field to the User Setup table which very few users will have access to. Call it, "G/L detail access". Then code the G/L Account Card and Entries page to error out unless the user has "G/L Detail Access". This should plug the final holes.
What if you don't have roles configured as above and you need to plug the holes right now? Then, you would take the coding approach above and apply it to all objects to be blocked. This would include minimally: G/L Account Card, G/L Entries page, G/L Registers Page and Report, Chart of Accounts and all reports on the General Ledger menu under Entries and Financial Statement. This sounds daunting, but is easily accomplished in a few hours.
Don Saito
All content provided on this blog is for informational purposes only. ERP Efficiency Experts, LLC makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. ERP Efficiency Experts, LLC will not be liable for any errors or omissions in this information nor for the availability of this information. ERP Efficiency Experts, LLC will not be liable for any losses, injuries, or damages from the display or use of this information.