NAV User Groups and Permissions Provisioning

Working with User Groups

A User Group is a named group to which you add permission sets and users.

Create User Groups

Click Departments/Administration/IT Administration/General/Users.

Click User Groups and create user groups according to your business requirements. For example, here we have created three groups: Finance Administrator, Finance User and Finance Viewer.

Add Members to the User Groups

You can use the User by User Group window to add users to user groups or remove them. The window shows a matrix of User Group versus User Name in which you select or clear users for each User Group.

Permission Set by User Group

With Microsoft Dynamics NAV 2016, there is an easy way to assign or remove permissions. From the User Group window, select User Group Permission Sets and select the permissions you want to assign to all users of the group.

Export and Import User Group

You can set permissions up in a test environment. Once all setup and testing is complete, you can move them to the production environment using Export User Group and Import User Group.

If you are planning to create a new User Group that will be a subset or superset of an existing group, you can use Copy User Group.

The following picture shows the XML file that is generated when you export the user group, which contains the user group details and the permissions assigned to that group.

You can import it into your production environment and assign users in the group.

NOTE:

  • User Groups are stackable, so you can associate and disassociate them with a user to create the necessary permission structure.
  • Try to identify the base access requirements for users across all levels of your organization as a starting point. Having a “foundational” User Group will simplify your task tenfold by leaving only the areas that require some lock-down / control to manage.
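
How stacking works out for a single user, as an added example that is not part of the original article or of NAV itself: a simplified model in which a user's effective rights are the union of every permission set in every group they belong to. All set, group and user names and the sample data are constructed, and the model assumes that the highest of blank, Indirect and Yes wins per right.

```python
from collections import defaultdict

RANK = {"": 0, "Indirect": 1, "Yes": 2}  # blank < Indirect < Yes

# Constructed sample data: set, group and user names are hypothetical.
# Table numbers: 17 G/L Entry, 18 Customer, 36 Sales Header.
PERMISSION_SETS = {
    "FIN-READ": {("TableData", 17): {"Read": "Yes"},
                 ("TableData", 18): {"Read": "Yes"}},
    "POSTING": {("TableData", 17): {"Read": "Yes", "Insert": "Indirect"},
                ("TableData", 36): {"Read": "Yes", "Modify": "Yes",
                                    "Delete": "Yes"}},
    "CUST-EDIT": {("TableData", 18): {"Read": "Yes", "Insert": "Yes",
                                      "Modify": "Yes", "Delete": "Yes"}},
}
USER_GROUPS = {  # user group -> permission sets assigned to the group
    "FIN-VIEWER": ["FIN-READ"],
    "FIN-USER": ["FIN-READ", "POSTING"],
    "FIN-ADMIN": ["FIN-READ", "POSTING", "CUST-EDIT"],
}
MEMBERSHIP = {"ALICE": ["FIN-VIEWER", "FIN-USER"], "BOB": ["FIN-VIEWER"]}


def effective_permissions(user):
    """Return {object: {right: (level, ['group/set', ...])}} for one user."""
    result = defaultdict(dict)
    for group in MEMBERSHIP.get(user, []):
        for set_name in USER_GROUPS[group]:
            for obj, rights in PERMISSION_SETS[set_name].items():
                for right, level in rights.items():
                    best, sources = result[obj].get(right, ("", []))
                    if RANK[level] > RANK[best]:
                        best, sources = level, []  # stronger grant replaces
                    if level and level == best:
                        sources = sources + [f"{group}/{set_name}"]
                    result[obj][right] = (best, sources)
    return dict(result)


def write_access(user):
    """Objects the user can Insert, Modify or Delete directly ('Yes')."""
    eff = effective_permissions(user)
    return sorted(obj for obj, rights in eff.items()
                  if any(rights.get(r, ("",))[0] == "Yes"
                         for r in ("Insert", "Modify", "Delete")))
```

The source list attached to each right shows which group and permission set grant it, which is the trail to follow when a user turns out to have more access than their foundational group was meant to give.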

Working with Permissions

Permission Recording

Let’s say you would like to give a certain user access to post payables. This was quite complex in previous versions of NAV, because when you click the “Post” button, a lot happens in the background to get that document posted, touching all sorts of tables and codeunits. Typically, if you had no point of reference for which permissions were involved in an action like posting, you’d have to trial-and-error your way through the endless error message pop-ups, which was both tedious and inefficient.

Microsoft Dynamics NAV 2016 has its own version of a database profiler: a little script that temporarily runs in the background and watches what you do, making note of all the tables and areas of NAV that you’re touching. This means that you can click the “Start” button, go post an invoice, press “Stop” and then confirm the prompt asking to add the recorded permissions. The routine adds in all the relevant recorded permissions.

Example:

  1. Click Departments/Administration/IT Administration/General/Permission Sets.
  2. Create a new permission set POSTING for posting invoices.
  3. Click Permissions.
  4. Click Start on the Permissions window and confirm the prompt that appears.
  5. Post a Sales Order (ship and invoice).
  6. Come back to the Permissions window and click Stop. You will notice that all the relevant permissions are added automatically.

Relate Permissions

Apart from recording the permissions, you can also have Microsoft Dynamics NAV automatically figure out what related tables you’d need READ access to.

For example, you might have someone who has the ability to read, create, modify, and delete customers, but you realize that there might be related tables that a customer-manager might need to be able to read and have access to. All you need to do is highlight that permission line and click on the “Add Read Permission to Related Tables” button.

Upon doing that you instantly see the application populate the page with the most common base NAV tables that relate to it, adding in the READ permission.

Include or Exclude Permission Sets

On the Permissions window, you can use the Include/Exclude Permission Set action to point Microsoft Dynamics NAV to another Permission Set and tell it to either include all the permissions from that set or exclude all the permissions from that set.

NOTE:

Provisioning smaller, discrete tasks as Permission Sets, such as “Posting Purchase Invoice” or “Deleting a Customer”, might take some time to configure. However, it will ultimately maximize visibility and ease of provisioning permissions in Microsoft Dynamics NAV. It will pay off in the long run and will also be an easy way to demonstrate to your auditors (internal or otherwise) what application controls you have set up in your system.

Show All Permissions

On the Permissions window, click the little drop-down beside the Show field to see not only the permissions in the current set you’re editing, but all permissions. This will enable you to provision them for the set you’re working on accordingly.

One very relevant use case would be a client who wants to restrict Page access (maybe they want to lock down access to the Chart of Accounts). In that case, you would simply remove the “All Pages” allowance in the BASIC Permission Set and then quickly pull in all the other pages using this drop-down.

NOTE: If read access to data is not a concern in your organization, consider provisioning the “SUPER (READER)” permission set to mitigate any of the nuisance “Read” permission errors. Then you need only control permissions on Insert, Modify, and Delete, infinitely simplifying your task.