Configuring Microsoft Dynamics NAV 2009 Role Tailored Security


Microsoft Dynamics NAV 2009 offers a Role Tailored Client, which gives its users a simpler, cleaner interface that helps them prioritise their tasks whilst keeping their workplace clean and simple.

The Role Tailored Client communicates with a NAV SQL database through the Microsoft Dynamics NAV Server service. For this service to work, specific SQL permissions need to be allocated; otherwise any attempt at connecting through the Role Tailored Client to the specified server will fail (e.g. with a Change Listener permission error).

Some things to take note of when installing the Role Tailored NAV Server are:

1.    Take note of which User/System account is being used to run the Role Tailored NAV Server. By default it is 'NT AUTHORITY\NETWORK SERVICE'. Alternatively, a new dedicated Domain User Account can be created and used, set up with only the minimum permissions required to run the service and with limited access elsewhere.

2.    Ensure that the User/System account being used is allocated either the db_owner or db_securityadmin permission on the required NAV database.

3.    Log into the NAV Database through the Classic Client and ensure you add the User/System account to Windows Logins, give SUPER access, and Synchronise the security settings.

4.    Open SQL Server Management Studio, connect to the SQL Server instance where your relevant NAV database is sitting, and create a new query that points to the NAV database that your NAV Server is using. The query should be as follows:

-- Run this part in the context of the NAV database

EXEC sp_grantlogin 'WindowsAccount';

GRANT CREATE PROCEDURE TO [WindowsAccount];

GRANT CREATE QUEUE TO [WindowsAccount];

GRANT CREATE SERVICE TO [WindowsAccount];

GRANT VIEW DEFINITION TO [WindowsAccount];

GRANT SUBSCRIBE QUERY NOTIFICATIONS TO [WindowsAccount];

GRANT RECEIVE ON QueryNotificationErrorsQueue TO [WindowsAccount];

GRANT REFERENCES ON CONTRACT::[http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification] TO [WindowsAccount];

-- Enable Service Broker; WITH ROLLBACK IMMEDIATE rolls back any open transactions in the database

USE master;

ALTER DATABASE [NavDB] SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE;

-- Returns 1 once Service Broker is enabled

SELECT is_broker_enabled FROM sys.databases WHERE name = 'NavDB';



Please note:

i)    In the above query, replace all instances of the keyword WindowsAccount with the actual account you are using to run the Role Tailored NAV Server (e.g. NT AUTHORITY\NETWORK SERVICE).

ii)    Replace all instances of the keyword NavDB with the name of the actual database the service is connecting to (e.g. Demo Database NAV (6-0)).

Look at the following example of how the finished query may look:

-- Run this part in the context of the NAV database

EXEC sp_grantlogin 'NT AUTHORITY\NETWORK SERVICE';

GRANT CREATE PROCEDURE TO [NT AUTHORITY\NETWORK SERVICE];

GRANT CREATE QUEUE TO [NT AUTHORITY\NETWORK SERVICE];

GRANT CREATE SERVICE TO [NT AUTHORITY\NETWORK SERVICE];

GRANT VIEW DEFINITION TO [NT AUTHORITY\NETWORK SERVICE];

GRANT SUBSCRIBE QUERY NOTIFICATIONS TO [NT AUTHORITY\NETWORK SERVICE];

GRANT RECEIVE ON QueryNotificationErrorsQueue TO [NT AUTHORITY\NETWORK SERVICE];

GRANT REFERENCES ON CONTRACT::[http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification] TO [NT AUTHORITY\NETWORK SERVICE];

-- Enable Service Broker; WITH ROLLBACK IMMEDIATE rolls back any open transactions in the database

USE master;

ALTER DATABASE [Demo Database NAV (6-0)] SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE;

-- Returns 1 once Service Broker is enabled

SELECT is_broker_enabled FROM sys.databases WHERE name = 'Demo Database NAV (6-0)';
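
A read-only check that the grants took effect, added here as an example and not part of the original post: it lists each explicit grant the script above should leave for the service account and marks any that are absent. The @account value is a placeholder, and because the query reads only explicit permission rows, rights the account holds solely through a role such as db_owner do not appear.

```sql
-- Added example, not from the original post. Run it in the NAV database.
-- @account is a placeholder: set it to the account that runs the NAV Server service.
DECLARE @account sysname;
SET @account = N'NT AUTHORITY\NETWORK SERVICE';

-- The explicit grants the script on this page should leave behind.
DECLARE @expected TABLE (permission_name nvarchar(128), class_desc nvarchar(60),
                         target nvarchar(128) NULL);  -- queue or contract name
INSERT INTO @expected (permission_name, class_desc, target)
SELECT N'CREATE PROCEDURE', N'DATABASE', CAST(NULL AS nvarchar(128)) UNION ALL
SELECT N'CREATE QUEUE', N'DATABASE', NULL UNION ALL
SELECT N'CREATE SERVICE', N'DATABASE', NULL UNION ALL
SELECT N'VIEW DEFINITION', N'DATABASE', NULL UNION ALL
SELECT N'SUBSCRIBE QUERY NOTIFICATIONS', N'DATABASE', NULL UNION ALL
SELECT N'RECEIVE', N'OBJECT_OR_COLUMN', N'QueryNotificationErrorsQueue' UNION ALL
SELECT N'REFERENCES', N'SERVICE_CONTRACT',
       N'http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification';

-- One row per expected grant. state is MISSING when no matching row exists;
-- a DENY is reported as DENY so it is not mistaken for a grant.
SELECT e.permission_name, e.class_desc, e.target,
       COALESCE(p.state_desc, N'MISSING') AS state
FROM @expected AS e
LEFT JOIN (
    -- COLLATE avoids collation conflicts between catalog views and the NAV database
    SELECT dp.permission_name COLLATE DATABASE_DEFAULT AS permission_name,
           dp.class_desc      COLLATE DATABASE_DEFAULT AS class_desc,
           dp.state_desc      COLLATE DATABASE_DEFAULT AS state_desc,
           COALESCE(q.name COLLATE DATABASE_DEFAULT,
                    c.name COLLATE DATABASE_DEFAULT)   AS target
    FROM sys.database_permissions AS dp
    JOIN sys.database_principals AS u
         ON u.principal_id = dp.grantee_principal_id
    LEFT JOIN sys.service_queues AS q          -- class 1 = object or column
         ON dp.class = 1 AND q.object_id = dp.major_id
    LEFT JOIN sys.service_contracts AS c       -- class 16 = service contract
         ON dp.class = 16 AND c.service_contract_id = dp.major_id
    WHERE u.name = @account
) AS p
  ON  p.permission_name = e.permission_name
  AND p.class_desc = e.class_desc
  AND (e.target IS NULL OR p.target = e.target)
ORDER BY e.class_desc, e.permission_name;

-- Service Broker must be enabled on this database (expect is_broker_enabled = 1).
SELECT name, is_broker_enabled FROM sys.databases WHERE name = DB_NAME();
```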

This should hopefully cover most (if not all) of the security hurdles that you may encounter when installing the Role Tailored Service.

Good luck!

by Simon Kuldin [2009/11/09 14:42]