One of the more groan-inducing topics of NAV has always been the subject of user permissions and – more specifically – defining, provisioning, and maintaining what users can do in the system. However, the process of governing what users can or cannot see or do is not only accomplished with permissions, but also with profiles.
NAV 2016 brings a variety of functionality improvements to help improve application security and access cause. This blog will outline a number of these functionality improvements and explain how to use them.
User Groups in NAV 2016
The first major improvement is found when you take a peek at the User card and stumble upon a new FastTab called “User Groups.”
User Groups are groups that have Permission Sets associated with them. You can now create discrete groups of permissions and then associate your users with a role. This means that you no longer have to set up and maintain the long list of Permissions Sets on a user-by-user basis.
To give you a very simple example of how this function can help you, imagine your A/P clerk, Amy, goes on vacation for a month and needs someone to cover for her. Thankfully your data entry intern, Bob, is fully-trained in all things payables and is able to perform the duties for coverage.
However, in order to perform the A/P functions Bob needs to have access to the same NAV functions as Amy. Traditionally, NAV administrators would copy the permissions on Amy’s user card and paste them in Bob’s and then delete those out of Bob when Amy comes back. Where it gets messy is if Bob already had some Permission Sets in common with Amy. Now as an administrator, you’d need to make a note of the Permission Sets they have in common so as not to delete those when reverting Bob back to his old state as plain ol’ intern.
Now with NAV 2016 and User Groups your new process would simply be:
- Add Bob to the A/P clerk User Group when Amy leaves;
- Remove Bob from the A/P clerk User Group when Amy (reluctantly) returns;
Just like Permission Sets, User Groups are stackable, so you can associate and disassociate them with a user to create the necessary permission structure that you have always dreamed of.
Try to identify the base access requirements for users across all levels of your organization and use these as a starting point. Having a “foundational” User Group will simplify your task tenfold by leaving only the areas that require some lock-down / control to manage.
Permissions Recording in NAV 2016
Ever caught yourself saying “give him/her access to post payables”, only to be met with a “it’s not that simple” response from the person provisioning the permissions? That’s because when you click on the unassuming “Post” button in NAV, a bunch of stuff happens in the background to make that document get posted, hitting all sorts of tables and code units. Typically if you had no point of reference as to what permissions were involved in an “action” like posting, you’d have to trial-and-error your way through the endless error message pop-ups which is both tedious and inefficient.
Well, Microsoft heard the complaints and have put in its own version of a database profiler – a little script that lurks in the background and watches what you do temporarily, making note of all the tables and areas of NAV that you’re touching.
What this means is that you can click the “Start” button, go post an invoice, press “Stop” and when prompted…
And then magically the routine adds in all the relevant recorded permissions:
Just. Like. Magic!
Relate Permissions in NAV 2016
Beyond recording the process of what you just did, you can also have NAV magically figure out what related tables you’d need read access to. For example, you might have someone who has the ability to read, create, modify, and delete customers:
But you realize that there might be related or peripheral tables that a customer-manager might need to be able to read/access. All you need to do is highlight that permission line and click on the “Add Read Permission to Related Tables” button (shown below):
Upon doing that you instantly see the application populate the page with the most common base NAV tables that relate to it, adding in the “read” permission (see below):
…seriously, where has this been all my life?
NAV 2016 Time Savers
As if we weren’t already blown away with all the major functionality that Microsoft added to the permissions-side of the application, they’ve actually added in some time-saving elements as well! I cannot emphasize how much time was wasted in the past to populate the Permission Sets by either copy-pasting from other Permission Sets or by making my own in Excel and then pasting it back into the list page.
Gone are those days, for NAV 2016 has some killer new time-saving functions:
Inclusion/Exclusion from Other Permission Sets
That little button next to the “Add Read Permission to Related Tables” button called “Include/Exclude Permission Set” packs one mighty punch. By clicking it, you can point NAV to another Permission Set and tell it to either include all the permissions from that Set or Exclude all the permissions from that set.
So now if you’re developing a new Permission Set that crosses functionality, you need only select “Include” and point to each of the relevant Permission Sets and there you have an aggregate Set. This is a lot quicker than copying both sets into Excel, combining them into one line manually (usually copying over least restrictive permissions) and then pasting it back into NAV. It now does it for you!
Provisioning smaller, discrete “tasks” as Permission Sets, such as “Posting Purchase Invoice”, “Deleting a Customer”, etc. might take some time to flesh out, but will ultimately maximize visibility and ease of provisioning permissions in NAV! It pays off in the long run and will also be an easy way to demonstrate to your auditors (internal or otherwise) what application controls you have set up in your system!
Showing All Permissions
With this little drop-down you can now opt to not only see the permissions in the current set you’re editing, but also see them all and then be able to provision them for the Set you’re currently working on:
One very relevant use case would be for a client who might want to restrict Page access (maybe they want to lock down access to the Chart of Accounts). As such, you would simply remove the “All Pages” allowance in the BASIC Permission Set and then just pull in all the other pages fast and quickly using this drop-down!
Very cool and very, very powerful added functionality.
If read access to data is not a concern in your organization, consider provisioning the “SUPER (READER)” permission set to mitigate any of the nuisance “Read” permission errors. Then you need only control permissions on Insert, Modify, and Delete, infinitely simplifying your task!
Permission management in NAV has historically been more evolutionary than revolutionary, with crawls of functionality wiggling into each release. However with NAV 2016 Microsoft has really listened to the pain-points that clients and consultants faced in managing permissions. They’ve made this area of NAV much more robust, yet still simple enough for end-user usage.
If you’ve ever had to deal with permissions in prior versions you will probably be as excited as I am about this. And if you’re implementing NAV for the first time with 2016, you’ll never have to deal with the tension-headaches that usually come with NAV permission provisioning!
About this Series
Catapult’s Microsoft Dynamics NAV 2016 blog series is designed to give you a better understanding of the new features in NAV 2016. Our NAV team has combined their expertise to walk you through different scenarios for these new features. So you can decide if an upgrade is a good idea now or later. Here are the features we cover: