NAV2013 Object Admin

Giving SQL Server permissions was not always secure in the past… When a user needed to be able to upload objects, they actually needed the db owner role. Which isn’t actually something that you always want.

Since NAV2013 it has become possible to tighten the security a lot.

A colleague and myself have played around with security until we created the SQL Script below.

Run this for every database you wish to create the database role.

Then for each user that needs to upload objects in the environment, assign the public and the NAVObjectAdmin role. Do not forget to assign public rights to the master database as well!

This script works both on single tenant and multitenant environment.
It only needs to run on the app database in a multitenant environment, and a few grants might will fail, since that data will be in the tenant database. (Grants on $ndo$tenantproperty & object metadata snapshot will fail).
The user will only be able to access development environment and upload objects.

If database changes need to be performed, these should be executed by the NST and the service account which will have all necessary permissions on that environment.

/****** Object:  DatabaseRole [NavObjectAdmin] ******/
CREATE ROLE [NavObjectAdmin]
GO

GRANT VIEW DEFINITION ON [dbo].[Object] TO [NavObjectAdmin] AS [dbo]
GRANT SHOWPLAN TO [NavObjectAdmin]

GRANT DELETE ON [dbo].[$ndo$tenantproperty] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[$ndo$tenantproperty] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[$ndo$tenantproperty] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[$ndo$tenantproperty] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[$ndo$dbproperty] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[$ndo$dbproperty] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[$ndo$dbproperty] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[$ndo$dbproperty] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[$ndo$cachesync] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[$ndo$cachesync] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[$ndo$cachesync] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[$ndo$cachesync] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[Object] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[Object] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[Object] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[Object] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[Object Metadata] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[Object Metadata] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[Object Metadata] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[Object Metadata] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[Object Metadata Snapshot] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[Object Metadata Snapshot] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[Object Metadata Snapshot] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[Object Metadata Snapshot] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[Object Tracking] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[Object Tracking] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[Object Tracking] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[Object Tracking] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[Permission Set] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[Permission Set] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[Permission Set] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[Permission Set] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[Server Instance] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[Server Instance] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[Server Instance] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[Server Instance] TO [NavObjectAdmin] AS [dbo]

GRANT DELETE ON [dbo].[Debugger Breakpoint] TO [NavObjectAdmin] AS [dbo]
GRANT INSERT ON [dbo].[Debugger Breakpoint] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[Debugger Breakpoint] TO [NavObjectAdmin] AS [dbo]
GRANT UPDATE ON [dbo].[Debugger Breakpoint] TO [NavObjectAdmin] AS [dbo]

GRANT SELECT ON [dbo].[Web Service] TO [NavObjectAdmin] AS [dbo]
GRANT SELECT ON [dbo].[Client Add-in] TO [NavObjectAdmin] AS [dbo]

Enjoy! 🙂

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.