When you integrate Microsoft Dynamics NAV with Microsoft Dynamics® Mobile, users can submit XML documents called request documents from mobile devices. To help secure your data, Microsoft Dynamics NAV provides security roles that you can apply to Windows logins to assign users access to mobile functionality. For more information, see Predefined Mobile Security Roles.

Note

The integration with Microsoft Dynamics Mobile requires that the Microsoft Dynamics NAV database runs the enhanced security model. For more information, see the Microsoft Dynamics NAV 2009 Developer and IT Pro Documentation.

Security Considerations

The Security Hardening Guide for Microsoft Dynamics NAV provides best practices for making your Microsoft Dynamics NAV installation more secure. The following list highlights some of the key issues when integrating Microsoft Dynamics NAV with Microsoft Dynamics Mobile:

  • Run the SQL Server service as the NT Authority\Network Service account.

  • Protect your network with firewalls.

  • Set up an Application Server instance for each Microsoft Dynamics NAV role that submits documents from mobile devices, so that Application Server only has the access that the role defines. For example, if you assign a group of mobile users a role, such as S&R-Q/O/I/R/C, you can create an Application Server instance and assign this instance the S&R-Q/O/I/R/C role.

    In the configuration of the Microsoft Dynamics Mobile - Server Components document service, you must then define endpoints that are specific for each of the relevant roles, and these endpoints must point to the correct Application Server instance. For more information, see Microsoft Dynamics Mobile Installation and Configuration Guide online.

  • Assign security roles to mobile users that restrict their access to only what is absolutely needed. For more information, see Predefined Mobile Security Roles.

  • Ensure that the document handlers that process incoming request documents verify that the mobile user has the appropriate permissions to execute the request. For example, if the incoming request document is for creating a sales order, the user who submits the request document must have been assigned security roles that grant access to the relevant tables. For more information, see Defining Document Handlers in Microsoft Dynamics NAV.

The following list describes tips for defining secure mobile users in Microsoft Dynamics NAV:

  • The salespeople who are mobile users are added to an Active Directory group.

    Caution

    The integration with Microsoft Dynamics Mobile requires that the Microsoft Dynamics NAV database runs the enhanced security model. This means that users can only be members of security groups in their own domain. For example, if your company has defined two Active Directory domains, Domain A and Domain B, a user who is in Domain A cannot be added to a security group in Domain B.

  • The Active Directory group is a Windows login in Microsoft Dynamics NAV, and the login has the appropriate security roles that allow members to submit request documents from mobile devices.

  • The individual members of the Active Directory group are also added as Windows logins in Microsoft Dynamics NAV and assigned basic individual permissions, such as the ALL role.

    The group members will inherit the permissions from the Windows login for the Active Directory group, so do not assign individual users the same security roles.

  • The individual Windows logins are set up as mobile users.

  • A mobile group exists, and the mobile users are members of it.

  • A document type is set up, and the mobile group is assigned to it.
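The checks that the two lists above describe can be modeled as follows. This is an added example, not Microsoft Dynamics NAV code: the request document layout, the CONTOSO logins, the SALES mobile group, the CreateSalesOrder document type and the table permissions attached to each role are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# All data below is constructed for illustration; it is not NAV's real schema
# or the real table permissions of any role.
ROLE_PERMS = {
    "ALL": set(),
    "S&R-Q/O/I/R/C": {("Sales Header", "insert"), ("Sales Line", "insert")},
}
LOGIN_ROLES = {                       # Windows login -> roles assigned directly
    r"CONTOSO\MobileSales": {"S&R-Q/O/I/R/C"},  # login for the AD group
    r"CONTOSO\anna": {"ALL"},
    r"CONTOSO\bob": {"ALL"},
}
AD_GROUP_MEMBERS = {r"CONTOSO\MobileSales": {r"CONTOSO\anna"}}
MOBILE_GROUPS = {"SALES": {r"CONTOSO\anna", r"CONTOSO\bob"}}
DOC_TYPES = {"CreateSalesOrder": {
    "mobile_group": "SALES",
    "needs": {("Sales Header", "insert"), ("Sales Line", "insert")},
}}

def effective_permissions(login):
    """Union of the login's own roles and roles inherited from AD group logins."""
    roles = set(LOGIN_ROLES.get(login, ()))
    for group, members in AD_GROUP_MEMBERS.items():
        if login in members:
            roles |= LOGIN_ROLES.get(group, set())
    return set().union(*(ROLE_PERMS.get(r, set()) for r in roles))

def authorize(request_xml, login):
    """Return (allowed, reason). `login` must be the authenticated identity,
    never a value read from the request document itself."""
    if "<!DOCTYPE" in request_xml:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return False, "malformed request document"
    doc_type = DOC_TYPES.get(root.get("type"))
    if doc_type is None:
        return False, "unknown document type"
    if login not in MOBILE_GROUPS.get(doc_type["mobile_group"], ()):
        return False, "login is not in the mobile group for this document type"
    missing = doc_type["needs"] - effective_permissions(login)
    if missing:
        return False, "missing permissions: " + ", ".join(
            f"{op} on {table}" for table, op in sorted(missing))
    return True, "ok"

SAMPLE = '<request type="CreateSalesOrder"><customer>10000</customer></request>'
```

In this model, bob is a mobile user in the right mobile group but is not a member of the Active Directory group, so he holds only the ALL role and the request is rejected before any table is touched.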

For more information, see the following topics:

| Microsoft Dynamics NAV | Microsoft Dynamics NAV Classic |
| --- | --- |
| How to: Set Up Mobile Users in Microsoft Dynamics NAV | How to: Set Up Mobile Users in Microsoft Dynamics NAV Classic |
| How to: Set Up Mobile Groups in Microsoft Dynamics NAV | How to: Set Up Mobile Groups in Microsoft Dynamics Classic |
| How to: Set Up Mobile Document Types in Microsoft Dynamics NAV | How to: Set Up Mobile Document Types in Microsoft Dynamics NAV Classic |

Defining Document Handlers in Microsoft Dynamics NAV

Predefined Mobile Security Roles

Microsoft Dynamics NAV comes with the following predefined security roles. All roles provide object level security by assigning access to tables.

| Role | Description | Assign to |
| --- | --- | --- |
| MOB-SERVER-NAS | Provides the user with permission to validate incoming requests and to add requests to the document queue. | The user account under which Application Server runs. |
| MOB-SERVER-SETUP | Provides the user with permission to set up and maintain mobile functionality in Microsoft Dynamics NAV, including setting up mobile users, document types, and document schemas. | Users who set up and maintain mobile functionality on the server. |
| MOB-SERVER-USER | Provides the user with read permission to access mobile tables. It also gives permissions to modify and delete requests in the document queue. | Users who process and maintain the document queue. |
| MOB-SALES-CUST-PRICE | Provides the user with permission to update customer prices in Mobile Sales. | Users who run the Mobile Create Customer Price report to add unit price per item per customer for the mobile application. |
| MOB-SALES-SETUP | Provides the user with permission to set up and maintain Mobile Sales functionality, including defining if Mobile Sales activities must be updated automatically when to-dos are updated. | Users who set up and maintain mobile functionality on the server. |
| MOB-SALES-SYNC-TODO | Provides the user with permission to modify the Mobile Sales Activity Table table through the To-do table. | Users who run the Mobile Sync. To-do/Activity report to synchronize to-dos with Mobile Sales activities. |

For more information about viewing the list of tables that a role provides access to, see Modifying Permissions for Roles. For more information about security roles and security, see the Microsoft Dynamics NAV 2009 Developer and IT Pro Documentation.
