Tuesday, 20 February 2007

Security Filter (Record Level Security)

Navision allows you to limit the user access to certain records based on the security filter setting. For example, the table may have 1000 records, but your user may only see 100 records in the table that meet the security filter. Users will see 100 records no matter how they access the table through forms or reports. Even when the user run the table from object designer, he/she will still see 100 records. The remaining 900 records that cannot be seen are totally invisible to the user. This is how powerful the security filter can be. It can only be used in SQL Option. Security filter will not work in native database.

Setting of security filter is fairly easy. Just set it at the Security Filter column in the Permission table. The screenshot below shows the security filter set to only users to see records with Global Dimension 1 Code = SALES.

Theoritically, security filter is very easy to use. You just set it in the Permission table and the Navision will apply the filter in the whole system. But in actual fact, once you set the security filter, the nightmare will begin. You will receveive a lot of complaints from users saying cannot access to this and that, and when you check the permission setting, you have granted them with the necessary permission. All the problems arises because:
  1. Security filter does not work when you use code to open a form, report or dataport. You must use the command button or menu button properties to open form, report or dataport.
  2. Security filter does not applies to Global and Local variables automatically. You need to use SETPERMISSIONFILTER function to apply security filter to record variables. SETPERMISSIONFILTER has to be set in all record variables in all objects that are affected by the security filter. For example, if you have set a permission filter in the customer table, you have to add this line of code to all record variable that access customer tables in all objects. Customer.SETPERMISSIONTABLE;This is a tedious job to do.
  3. Your complex CAL function try to access all records in a table to perform calculation but your security filter limit access to certain records only. This may cause conflict that will throw an error message. For example, a form needs to access the last record in a table before it can insert a new record but the last record is not within your permitted range. To overcome this problem, you have to create a new role with indirect access to the table and assign this new role to your user.


Anonymous said...

Interesting and usefull post! Although rather old. ;-)
Thank you!

Anonymous said...


i will trying blocking Business unit. how can i writing that filter.
i'm trying "Dimension: Business Unit Filter=<>BU2100"
But error occuring A '=' is missing in TableFilter.
Dimension Business Unit Filter=<>BU2100.

Would give me some advice?
Thank you.

Anonymous said...

I have created two Role

1. One for Read the Item Master ( Form ID. 30) (also considered the required objects in this role)

2. Two for Indirect Read permission to the Tabledata Item Ledger Entry table (Table ID. 32)

And assign these two roles to a user1. Now User1 can able to Open the Form ID 30.

If I remove the Role no. 2 then User1 can not able to open the Form ID 30.

Now I have created the same scenario again....for creation of Sales Order (SO)

I have created two Roles
1. One for Creation of Sales Order. Here I have considered the required object level permission.
2. two for Indirect Read Permission for the Sales & Receivables Setup Tabledata (ID 311).

Now I have assigned these two role to user2. But user2 can not able to create the Sales Order. He is facing the below error message...
" You do not have the Read permission for the Sales & Receivables Setup table"

What this reason behind this error message ? kindly explain if possible...

Thank you.