使用 Navision 优雅地处理 sql-server 权限
背景
我正在创建一个应用程序(称为 MyApp),该应用程序必须从 Navision 处理的 SQL Server 数据库中读取数据。 Navision 用户应该能够使用我的应用程序,而无需修改数据库中的权限。
Navision对权限的处理似乎是在应用层。它执行权限检查,而不将它们存储在数据库中。
问题
Navision 在与数据库同步时会覆盖数据库中的用户、权限和其他相关对象,因此创建数据库用户并仅使用该用户的常规方法不起作用。
可能的解决方案
我认为最合适的解决方案是在 Active-Directory 中创建一个 MyApp
角色,该角色授予对数据库的必要权限,并将此角色添加到所有用户。
我不知道该怎么做,或者即使这是可能的。欢迎其他解决方案或建议,但请仅建议可从 ActiveDirectory 或 Navision 内管理的解决方案。
服务器是运行 Navison 5 的 SQL Server 2008 服务器,客户端是 Navision 6。我使用的是 Windows Server 2K8 的 Active Directory。
编辑:
我的应用程序是一个板条箱创建和设计应用程序。它需要读出客户的姓名和 ID,以及项目表中的一些项目,这就是我需要此功能的原因
Background
I am in the process of creating an application (referred to as MyApp) which must read data out from a SQL Server database handled by Navision. Navision users should to be able to use my application, without modifying permissions in the database.
Navision's handling of permissions seems to be on the application layer. It performs the checking of permissions without storing them in the database.
Problem
Navision overwrites users, permissions, and other related objects in the database when synchronizing with the database, so the normal approach of creating a DB user and just using that won't work.
Possible Solution
What I think would be the most appropriate solution is to create a MyApp
role in Active-Directory, which grants the necessary permissions on the DB, and add this role to all users.
I do not know how to do this, or even if it's possible. Other solutions, or proposals, are welcome, but please only suggest solutions with can be managed from within ActiveDirectory or Navision.
The server is an SQL Server 2008 server running Navison 5, and the client is Navision 6. I'm using Active Directory for Windows Server 2K8.
EDIT:
My app is a crate creating and designing application. It needs to read out the customers' names and IDs, and a few items in the items table, and that is why I need this functionality
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果您在 NAV 中使用增强的安全模型,用户权限将同步到 SQL Server。但是,这些 SQL 权限映射到 SQL Server 中的应用程序角色,而不是用户的登录名。如果您使用标准安全模型,所有用户都会映射到一个 SQL 应用程序角色,该角色是超级用户(安全性较低)。
如果要使用 NAV 安全模型(即通过 NAV 创建的 SQL 应用程序角色)访问 SQL Server 中的数据,则应使用 CFront API(通过 SDK 选项安装)。如果您使用 NAV 2009 Web 服务也是一种选择。
如果您想直接访问 SQL Server,那么您必须使用 SQL Server 自行管理权限。如果您创建 SQL 脚本来授予权限,则可以轻松恢复 NAV 在同步登录期间可能删除的任何内容。
您无法完全按照您的描述从 Active Directory 授予 SQL 权限。相反,您必须将 Active Directory 组映射到 SQL Server 登录名或 NAV Windows 登录名(取决于您决定直接访问 SQL 还是通过受支持的 NAV API)。注:与角色关联的权限分别在SQL或NAV中管理;不在公元。
从管理角度来看,您可以简单地在该 Active Directory 组中添加和删除用户。如果您使用 NAV 增强安全模型,AD 组中的每个用户还必须在 Windows 登录中拥有一个条目,并且每当您进行更改时,您都必须同步登录。这种轻微的不便是本机数据库的遗留问题。
If you use the enhanced security model in NAV, user permissions are synchronized to SQL Server. However, these SQL permissions are mapped to an app role in SQL Server, rather than the user's login. If you use the standard security model, all users map to a single SQL app role which is a super user (less secure).
If you want to access the data in SQL Server using the NAV security model (i.e. through the SQL App roles NAV creates), you should use the CFront API (installed via the SDK option). If you are using NAV 2009 web services are also an option.
If you want to access SQL Server directly, then you will have to manage the permissions yourself using SQL Server. If you create a SQL script to grant permission it is easy to restore anything which NAV might delete during Synchronize Logins.
You can't grant SQL permission from Active Directory exactly as you described. Instead you must map Active Directory groups to either SQL Server logins or NAV Windows Logins (depending on whether you decide to access SQL directly or go through a supported NAV API). Note: the permissions associated with the role are managed in SQL or NAV respectively; not in AD.
From an administration perspective, you can simply add and remove users from this Active Directory group. If you use the NAV enhanced security model each user in the AD group must also have an entry in Windows Logins, and whenever you make changes you must Synchronize Logins. This slight inconvenience is a hangover from the native database.
一般来说,完全不建议跳过 NAV 层并直接读取/写入数据库,因为您绕过了存储在 NAV 中的表和报告对象中的所有 NAV 业务逻辑。
您的应用程序打算做什么(如果您无法具体说明,则为大致范围)以及使用 NAV 插件或数据端口是否可行?
In general, skipping the NAV layer and reading/writing directly to the DB is not recommended at all as you're bypassing all of NAVs business logic which is stored in the table and report objects in NAV.
What does your app intend to do (broad strokes if you can't get specific) and would using a NAV add-in or dataport be feasible?