NAV2013 Object Admin

Giving SQL Server permissions was not always secure in the past… When a user needed to be able to upload objects, they actually needed the db_owner role, which isn't something that you always want.

Since NAV2013 it has become possible to tighten the security a lot.

A colleague and I have played around with security until we created the SQL script below.

Run this on every database in which you wish to create the database role.

Then for each user that needs to upload objects in the environment, assign the public and the NAVObjectAdmin role. Do not forget to assign public rights to the master database as well!

This script works in both single-tenant and multitenant environments.
It only needs to run on the app database in a multitenant environment, and a few grants will fail, since that data will be in the tenant database (grants on $ndo$tenantproperty & object metadata snapshot will fail).
The user will only be able to access development environment and upload objects.

If database changes need to be performed, these should be executed by the NST and the service account which will have all necessary permissions on that environment.
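
As an added example (not the script referred to above, and not the author's code), the following T-SQL assigns one user to the role and then lists that user's role memberships so that a leftover db_owner membership stands out. The login name is a constructed placeholder, and the role is assumed to exist already under the name NAVObjectAdmin.

```sql
-- Added example. Run in the NAV (app) database after the role has been created.
-- The login below is a constructed placeholder, not a value from the post.
DECLARE @user sysname = N'CONTOSO\nav.developer';
DECLARE @sql  nvarchar(max);

-- Create the database user for the login if it does not exist yet.
-- Every database user is a member of public automatically.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @user)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@user)
             + N' FOR LOGIN ' + QUOTENAME(@user) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- Stop early if the role is missing instead of failing half-way.
IF DATABASE_PRINCIPAL_ID(N'NAVObjectAdmin') IS NULL
BEGIN
    RAISERROR(N'Role NAVObjectAdmin does not exist in this database.', 16, 1);
    RETURN;
END;

-- Add the user to the role only if the membership is not there yet.
IF IS_ROLEMEMBER(N'NAVObjectAdmin', @user) = 0
    EXEC sys.sp_addrolemember @rolename   = N'NAVObjectAdmin',
                              @membername = @user;

-- Audit: every database role the user is in. Membership in db_owner
-- would defeat the purpose of the restricted role, so it is flagged.
SELECT m.name AS member_name,
       r.name AS role_name,
       CASE WHEN r.name = N'db_owner'
            THEN N'REVIEW: db_owner still assigned'
            ELSE N'ok'
       END    AS finding
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = @user
ORDER BY r.name;
```

The public role does not appear in the result because membership in it is implicit and is not stored in sys.database_role_members.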

Enjoy! 🙂
