- How to: Manage Users and Permissions
- To assign permissions to a user
- To group users in user groups
- To create or modify permission sets
- To create or modify permission sets manually
- To create or modify permission sets by recording your actions
- Example — Indirect Permission
- To set up user time constraints
- Delegate Permissions for Group Policy
- Introduction
- How to delegate permissions for a group or user on a Group Policy Object
- To delegate permissions for a group or user on a Group Policy Object
- Additional considerations
- How to delegate permissions to link Group Policy Objects
- To delegate permissions to link Group Policy Objects
- Additional considerations
- How to delegate permissions for generating Group Policy Modeling data
- To delegate permissions for generating Group Policy Modeling data
- Additional considerations
- How to delegate permissions to generate Group Policy Results
- To delegate permissions to generate Group Policy Results
- Additional considerations
- How to delegate permissions for a group or user on a WMI filter
- To delegate permissions for a group or user on a WMI filter
- Additional considerations
- How to delegate permissions for a Group or User on a Starter GPO
- Delegating permissions for a Group or User on a Starter GPO
How to: Manage Users and Permissions
When a new employee joins, your company’s system administrator or IT pro has to add them to Dynamics NAV. You can then give them access to the relevant parts of the product, based on their work area, by assigning user groups and permissions.
Permission sets define which database objects, and thereby which UI elements, users have access to, and in which companies.
A permission set is a collection of permissions for specific objects in the database. All users must be assigned one or more permission sets before they can access Dynamics NAV. A number of predefined permission sets are provided by default. You can use these permission sets as already defined, modify the default permission sets, or create additional permission sets.
You can add users to user groups. This makes it easier to assign the same permission sets to multiple users.
Administrators can use the User Setup window to define periods of time during which specified users are able to post, and also specify if the system logs the amount of time users are logged on.
To assign permissions to a user
- Choose the icon, enter Users, and then choose the related link.
- Select the user that you want to assign permission to. Any permission sets that are already assigned to the user are displayed in the Permission Sets FactBox.
- Choose the Edit action to open the User Card window.
- On the User Permission Sets FastTab, on a new line, fill in the fields as necessary. Choose a field to read a short description of the field or link to more information.
To group users in user groups
You can set up user groups to help you manage permission sets for groups of users in your company. You can use a function to copy all permission sets from an existing user group to your new user group. User group members are not copied.
Choose the icon, enter User Groups, and then choose the related link.
Alternatively, in the Users window, choose the User Groups action.
In the User Groups window, select an existing user group that you want to copy, and then choose the Copy User Group action.
In the New User Group Code field, specify the name of the new user group, and then choose the OK button.
As an alternative to copying, you can choose the New action to create a new line for an empty user group, which you then fill in manually.
To add new or additional users, in the User Group window, choose the User Group Members action.
In the User Group Members window, on a new line, fill in the fields as necessary by selecting from existing users.
To add new or additional permission sets, in the User Group window, choose the User Group Permission Sets action.
In the User Group Permission Sets window, on a new line, fill in the fields as necessary by selecting from existing permission sets.
To create or modify permission sets
If the default permission sets that are provided with Dynamics NAV are not sufficient or not appropriate for your organization, you can create new permission sets. And if the individual object permissions that define a permission set are not adequate, you can modify a permission set. You can create a permission set manually, or you can use a recording function that records your actions as you navigate through a scenario and then generates the required permission set.
To create or modify permission sets manually
1. Choose the icon, enter Users, and then choose the related link.
2. In the Users window, choose the Permission Sets action.
3. In the Permission Sets window, choose the New action.
4. On a new line, fill in the fields as necessary.
5. Choose the Permissions action.
6. In the Permissions window, fill in the fields on the header as necessary.
7. On a new line, fill in the five fields for the different permission types as described in the following table.

Option | Description |
---|---|
Blank | Specifies that the permission type is not granted for the object. |
Yes | Specifies that the permission type is granted with direct access to the object. |
Indirect | Specifies that the permission type is granted with indirect access to the object. |

Indirect permission to a table means that you cannot open the table and read from it, but you can view the data in the table through another object, such as a page, that you have direct permission to access. For more information, see the “Example — Indirect Permission” section in this topic.

8. In the Security Filter field, enter a filter that you want to apply to the permission by selecting the field on which you want to limit a user’s access.
For example, if you want to create a security filter so that a user can view only sales with a specific salesperson code, you choose the field number for the Salesperson Code field. Then, in the Field Filter field, you enter the value that you want to use to limit access. For example, to limit a user’s access to only Annette Hill’s sales, enter AH.
9. Repeat steps 7 and 8 to add permissions for additional objects to the permission set.
To create or modify permission sets by recording your actions
Choose the icon, enter Users, and then choose the related link.
In the Users window, choose the Permission Sets action.
In the Permission Sets window, choose the New action.
On a new line, fill in the fields as necessary.
Choose the Permissions action.
In the Permissions window, choose the Start action.
A recording process starts to capture all your actions in the user interface.
Go to the various windows and activities in Dynamics NAV that you want users with this permission set to access. You must carry out the tasks that you want to record permissions for.
When you want to finish the recording, return to the Permissions window, and then choose the Stop action.
Choose the Yes button to add the recorded permissions to the new permission set.
For each object in the recorded list, specify if users are able to insert, modify, or delete records in the recorded tables. See step 7 in the “To create or modify permission sets manually” section.
Example — Indirect Permission
You can assign an indirect permission to use an object only through another object. For example, a user can have permission to run codeunit 80, Sales-Post. The Sales-Post codeunit performs many tasks, including modifying table 37, Sales Line. When the user posts a sales document with the Sales-Post codeunit, Dynamics NAV checks whether the user has permission to modify the Sales Line table. If not, the codeunit cannot complete its tasks, and the user receives an error message. If so, the codeunit runs successfully.
However, the user does not need to have full access to the Sales Line table to run the codeunit. If the user has indirect permission to the Sales Line table, then the Sales-Post codeunit runs successfully. When a user has indirect permission, that user can only modify the Sales Line table by running the Sales-Post codeunit or another object that has permission to modify the Sales Line table. The user can only modify the Sales Line table when doing so from supported application areas. The user cannot run the feature inadvertently or maliciously by other methods.
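The direct and indirect cases described above can be expressed as a small access check. This is an added illustration, not Dynamics NAV code: the `Test-NavAccess` function, the row layout, the `$objectGrants` map and codeunit 99 are assumptions made for the example, and the model is a simplification of the rule stated in this section.

```powershell
# Constructed permission-set rows; each permission type is '' (blank), 'Yes' or 'Indirect'.
$permissionSet = @(
    [pscustomobject]@{ Object = 'Codeunit:80';  Execute = 'Yes'; Modify = '' }          # Sales-Post
    [pscustomobject]@{ Object = 'TableData:37'; Execute = '';    Modify = 'Indirect' }  # Sales Line
    [pscustomobject]@{ Object = 'Codeunit:99';  Execute = 'Yes'; Modify = '' }          # hypothetical codeunit
)

# Constructed: tables that each object is itself permitted to modify.
$objectGrants = @{ 'Codeunit:80' = @('TableData:37') }

function Test-NavAccess {
    param(
        [object[]]$Rows,
        [hashtable]$ObjectGrants,
        [string]$Target,   # object being accessed, e.g. 'TableData:37'
        [string]$Type,     # permission type: Read, Insert, Modify, Delete or Execute
        [string]$Via = ''  # object the user is running; empty means direct access
    )
    $row = $Rows | Where-Object { $_.Object -eq $Target } | Select-Object -First 1
    if (-not $row) { return $false }                 # no row: not granted
    $level = [string]$row.$Type
    if ($level -eq 'Yes') { return $true }           # direct permission
    if ($level -ne 'Indirect') { return $false }     # blank: not granted
    # Indirect: only through an object the user may run and that may modify the target.
    if ($Via -eq '') { return $false }
    $canRun = Test-NavAccess -Rows $Rows -ObjectGrants $ObjectGrants -Target $Via -Type Execute
    return $canRun -and ($ObjectGrants[$Via] -contains $Target)
}

# Three attempts to modify Sales Line: directly, through Sales-Post, and through
# a codeunit that has no permission of its own on the table.
$common = @{ Rows = $permissionSet; ObjectGrants = $objectGrants; Target = 'TableData:37'; Type = 'Modify' }
[pscustomobject]@{
    DirectModify     = Test-NavAccess @common
    ViaSalesPost     = Test-NavAccess @common -Via 'Codeunit:80'
    ViaOtherCodeunit = Test-NavAccess @common -Via 'Codeunit:99'
}
```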
To set up user time constraints
Administrators can define periods of time during which specified users are able to post, and also specify if the system logs the amount of time users are logged on. Administrators can also assign responsibility centers to users.
- Choose the icon, enter User Setup, and then choose the related link.
- In the User Setup window, choose the New action.
- In the User ID field, enter the ID of a user, or choose the field to see all current Windows users in the system.
- Fill in the fields as necessary.
Delegate Permissions for Group Policy
This topic describes procedures for an administrator to delegate permissions to others using the GPMC so that they can perform some Group Policy administrative tasks.
Introduction
With GPMC, the following tasks can be delegated:
Create GPOs in a domain.
Set permissions on a GPO.
Set policy-related permissions on site, domain or organizational unit.
Link GPOs to a given site, domain or organizational unit.
Perform Group Policy Modeling analyses on a given domain or organizational unit (but not on a site).
Read Group Policy Results data for objects in a given domain or organizational unit (but not on a site).
Create WMI filters in a domain.
Set permissions on a WMI filter.
GPMC simplifies delegation by managing the various ACEs required for a task as a single bundle of permissions for the task. If you want to see the ACL in detail, you can click the Advanced button on the Delegation tab. The underlying mechanism for achieving delegation is the application of the appropriate DACLs to GPOs and other objects in Active Directory. This mechanism is identical to using security groups to filter the application of GPOs to various users.
You can also specify Group Policy to control the behavior of MMC and MMC snap-ins. For example, you can use Group Policy to manage the rights to create, configure, and use MMC consoles, and to control access to individual snap-ins.
How to delegate permissions for a group or user on a Group Policy Object
To delegate permissions for a group or user on a Group Policy Object
In the Group Policy Management Console (GPMC) console tree, expand the Group Policy Objects node in the forest and domain containing the Group Policy object (GPO) for which you want to add or remove permissions.
In the results pane, click the Delegation tab.
Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects for which you want to add GPO permissions, and then click OK.
Click Locations, select either Entire Directory or the domain or organizational unit containing the object for which you want to add GPO permissions, and then click OK.
In the Enter the object name to select box, type the name of the object for which you want to add GPO permissions by performing one of the following actions:
If you know the name, type it and then click OK.
To search for the name, click Advanced, type the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Permissions box of the Add Group or User dialog box, select the appropriate permissions from the drop-down list, and then click OK.
Additional considerations
To perform this procedure, you must have Edit settings, delete, and modify security permissions on the GPO.
Groups and users that have Custom in the Allowed Permissions column in the Groups and users list box on the Delegation tab have permissions that do not match one of the three standard levels of permissions. To view the permissions for groups with custom permissions or to set custom permissions, click Advanced.
You can also click the Delegation tab to change or remove permissions for a group or user on a GPO.
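Delegations granted through the Delegation tab can be reviewed in bulk with the GroupPolicy PowerShell module that ships with GPMC. The following is an added example, not part of the original topic: it lists trustees that hold edit-level or Custom permissions on a GPO and are not on an expected list. The function names, the `$expectedEditors` list and the sample rows are assumptions for illustration.

```powershell
# Trustees expected to hold edit rights on GPOs (assumed list; adjust for your domain).
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Flags entries whose permission allows changing the GPO, or is Custom
# (does not match a standard level), for trustees outside the expected list.
function Find-UnexpectedGpoDelegation {
    param(
        [Parameter(ValueFromPipeline)] $Entry,   # object with GpoName, Trustee, Permission, Inherited
        [string[]]$Expected = $expectedEditors
    )
    process {
        $canChange = $Entry.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
        if ($canChange -and $Entry.Trustee -notin $Expected) { $Entry }
    }
}

# Live collection: one flat row per trustee per GPO in the current domain.
# Requires the GroupPolicy module and read access to the GPOs.
function Get-GpoDelegationEntry {
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All) {
            [pscustomobject]@{
                GpoName    = $gpo.DisplayName
                Trustee    = $p.Trustee.Name
                Permission = [string]$p.Permission
                Inherited  = $p.Inherited
            }
        }
    }
}

# Constructed sample rows so the filter can be tried without a domain.
$sample = @(
    [pscustomobject]@{ GpoName = 'Workstation Baseline'; Trustee = 'Domain Admins';       Permission = 'GpoEditDeleteModifySecurity'; Inherited = $false }
    [pscustomobject]@{ GpoName = 'Workstation Baseline'; Trustee = 'Authenticated Users'; Permission = 'GpoApply';                    Inherited = $false }
    [pscustomobject]@{ GpoName = 'Workstation Baseline'; Trustee = 'Helpdesk Tier 1';     Permission = 'GpoEdit';                     Inherited = $false }
    [pscustomobject]@{ GpoName = 'Server Hardening';     Trustee = 'svc-deploy';          Permission = 'GpoCustom';                   Inherited = $false }
)
$sample | Find-UnexpectedGpoDelegation | Format-Table GpoName, Trustee, Permission

# Against a real domain:
# Get-GpoDelegationEntry | Find-UnexpectedGpoDelegation | Format-Table GpoName, Trustee, Permission
```

Entries reported as `GpoCustom` correspond to the Custom level described above and need the Advanced view to see the individual ACEs.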
How to delegate permissions to link Group Policy Objects
To delegate permissions to link Group Policy Objects
In the Group Policy Management Console (GPMC) console tree, do one of the following:
To delegate permission to link Group Policy objects (GPOs) to either the domain or an organizational unit (OU), click the domain or the OU.
To delegate permission to link GPOs to a site, click the site.
In the results pane, click the Delegation tab.
In the Permission drop-down list box, select Link GPOs. Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or OU, and then click OK.
Click Locations, select either Entire Directory or the domain or OU containing the object to which you want to delegate permissions, and then click OK.
In the Enter the object name to select box, enter the name of the object to which you want to delegate permissions by doing one of the following:
If you know the name, type it and then click OK.
To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Add Group or User dialog box, in the Permissions drop-down list, select the level to which you want permissions to apply for this group or user, and then click OK.
Additional considerations
To delegate permissions to link GPOs to a site, domain, or OU, you must have Modify Permissions on that site, domain, or OU. By default, only Domain Administrators and Enterprise Administrators have this permission.
Users and groups with permission to link GPOs to a specific site, domain, or OU can link GPOs, change link order, and set block inheritance on that site, domain, or OU.
You cannot remove groups and users that inherit permissions from a parent container.
Some entries in the Groups and users drop-down list, such as System, do not have an associated property dialog box, so Properties is unavailable for these entries.
How to delegate permissions for generating Group Policy Modeling data
To delegate permissions for generating Group Policy Modeling data
In the Group Policy Management Console (GPMC) console tree, click the domain or organizational unit (OU) for which you want to delegate Group Policy Modeling permissions.
In the results pane, click the Delegation tab.
In the Permission box, select Perform Group Policy Modeling analyses to add a new group or user to the permissions list.
On the Delegation tab, click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or OU, and then click OK.
Click Locations, select either Entire Directory or the domain or OU containing the object to which you want to delegate permissions, and then click OK.
In the Enter the object name to select box, find the name of the object to which you want to delegate permissions by doing one of the following:
If you know the name, type it, and then click OK again.
To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the drop-down list, click OK, and then click OK.
In the Add Group or User dialog box, in the Permissions drop-down list, select the level to which you want permissions to apply for this group or user, and then click OK.
Additional considerations
To delegate permissions to perform Group Policy Modeling analyses for objects in a domain or organizational unit, you must have Modify Permissions on that domain or organizational unit. By default, only domain administrators and enterprise administrators have this permission.
You cannot delegate permission to perform Group Policy Modeling analyses for sites.
You can also use the Delegation tab to change or remove permissions for a group or user for Group Policy Modeling data.
How to delegate permissions to generate Group Policy Results
To delegate permissions to generate Group Policy Results
In the Group Policy Management Console (GPMC) console tree, click the domain or organizational unit (OU) for which you want to delegate permission to generate Group Policy Results.
In the results pane, click the Delegation tab.
In the Permissions drop-down list, select Read Group Policy Results data to add a new group or user to the permissions list.
On the Delegation tab, click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or OU, and then click OK.
Select the user or group to which permission should be delegated.
In the Add Group or User dialog box, in the Permissions drop-down list, select the level to which you want permissions to apply for this group or user, and then click OK.
Additional considerations
To delegate permissions to generate Group Policy Results for objects in a domain or OU, you must have Modify Permissions on that domain or OU. By default, only domain administrators and enterprise administrators have this permission.
You cannot delegate permission to generate Group Policy Results for sites.
You can also use the Delegation tab to change or remove permissions for a group or user for Group Policy Results data.
How to delegate permissions for a group or user on a WMI filter
To delegate permissions for a group or user on a WMI filter
In the Group Policy Management Console (GPMC) console tree, click the WMI filter for which you want to delegate permissions.
In the results pane, click the Delegation tab.
Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions on the WMI filter, and then click OK.
Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate permissions, and then click OK.
In the Enter the object name to select box, type the name of the object to which you want to delegate permissions by doing one of the following:
If you know the name, type it and then click OK.
To search for the name, click Advanced, type the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Add Group or User dialog box, in the Permissions box, select the permissions level you want to assign to the group or user, and then click OK.
Additional considerations
You must have Full Control permissions on a WMI filter to change its permissions.
You cannot remove or change inherited permissions for WMI filters.
All users must have Read access to all WMI filters. Otherwise, Group Policy stops processing when it encounters a WMI filter that cannot be read.
You cannot use the GPMC to remove Read permissions from WMI filters.
WMI Filters are available if at least one domain controller in the domain is running Microsoft Windows Server 2003 or later.
You can also use the Delegation tab to change or remove permissions for a group or user for WMI filters.
How to delegate permissions for a Group or User on a Starter GPO
Delegating permissions for a Group or User on a Starter GPO
Open the Group Policy Management Console. Expand the Starter GPOs node.
Click the Starter GPO you want to delegate.
In the results pane, click the Delegation tab.
Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects for which you want to add Starter GPO permissions, and then click OK.
Click Locations, select either Entire Directory or the domain or organizational unit containing the object for which you want to add Starter GPO permissions, and then click OK.
In the Enter the object name to select box, type the name of the object for which you want to add Starter GPO permissions by performing one of the following actions:
If you know the name, type it and then click OK.
To search for the name, click Advanced, type the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Permissions box of the Add Group or User dialog box, select the appropriate permissions from the drop-down list, and then click OK.