Thursday, June 5, 2014

Dynamics GP 2013 - Web Client Only Users & Active Directory Integration (LDAP)

This morning I was thinking about the new security structure for Dynamics GP web client users who do not have SQL users, and how these users interact with SQL Server. I had to work through this because I have a client who runs a very strict policy on granting SQL permissions to domain users.

To work this out, I created a few users covering the scenarios below:

  1. The first user is linked to a domain account called “TEST1”, with “Web Client user only (no SQL Server Account)” left unchecked.
  2. The second user is linked to a domain account called “TEST2”, with the “Web Client user only (no SQL Server Account)” option checked.

I noticed that the first case created a SQL user account called “TEST1” and did not grant the domain user any access to the database, while the second did not create any user at all, which left me wondering which user would be used to access SQL Server!

To test this, I modified the GL00100 table and added a new column called “UserName” (this is for testing only; you cannot do this on GP tables!) and set the default value for this column to the SUSER_SNAME() function, which returns the user who is currently logged in. I then started testing by creating new accounts.

I logged in to the web client as TEST1 and created a new account. The result was somewhat weird: the user recorded was “DYNSA”.

I then logged in to the web client as TEST2 and created a new account. The result was the same: the user recorded was “DYNSA” as well.

Then I logged in again, but selected the “SQL Authentication” option on the login page. The result was as expected: the logged-in user was “TEST1”!

Now it is clear: all Windows authentication users use one account to access SQL Server, namely the login you specified during the installation of the web client. So if your customizations rely on the user who is currently logged in, you might need to review your code!
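The same check can be made without altering a GP table. The T-SQL below is an added example, not code from the original test: the scratch table `dbo.LoginProbe` and its column names are hypothetical, and it assumes a test database plus, for the session query, VIEW SERVER STATE permission.

```sql
-- Added example: dbo.LoginProbe is a hypothetical scratch table.
-- Run it in a test database, never against GP tables.

-- 1. A customization-style table whose audit columns are filled by defaults,
--    the same technique the post applied to GL00100.
CREATE TABLE dbo.LoginProbe (
    ProbeID       INT IDENTITY(1,1) PRIMARY KEY,
    Note          VARCHAR(50)   NOT NULL,
    CurrentLogin  SYSNAME       NOT NULL DEFAULT SUSER_SNAME(),    -- login of the current security context
    OriginalLogin SYSNAME       NOT NULL DEFAULT ORIGINAL_LOGIN(), -- login that opened the connection
    ClientHost    NVARCHAR(128) NULL     DEFAULT HOST_NAME(),      -- workstation name sent by the client
    ClientApp     NVARCHAR(128) NULL     DEFAULT APP_NAME(),       -- application name sent by the client
    CreatedAt     DATETIME      NOT NULL DEFAULT GETDATE()
);
GO

-- 2. Insert from the connection you want to examine (for example, from code
--    executed by a customization). Only Note is supplied; the rest are defaults.
INSERT INTO dbo.LoginProbe (Note) VALUES ('probe row');
GO

-- 3. Read back what was recorded. If CurrentLogin and OriginalLogin differ,
--    the session switched security context after connecting.
SELECT ProbeID, Note, CurrentLogin, OriginalLogin, ClientHost, ClientApp, CreatedAt,
       CASE WHEN CurrentLogin <> OriginalLogin
            THEN 'context switched' ELSE 'direct login' END AS ContextType
FROM dbo.LoginProbe
ORDER BY ProbeID;
GO

-- 4. Server-wide view: how many user sessions share each login.
--    Many application users behind one login_name means SUSER_SNAME()
--    cannot tell them apart in an audit column.
SELECT login_name, original_login_name, program_name, host_name,
       COUNT(*) AS session_count
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
GROUP BY login_name, original_login_name, program_name, host_name
ORDER BY session_count DESC;
GO

-- 5. Clean up the scratch table.
DROP TABLE dbo.LoginProbe;
GO
```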

I hope this gives you a good understanding of the new security process.


Regards,

--
Mohammad R. Daoud MVP - MCT
MCP, MCBMSP, MCTS, MCBMSS
+962 - 79 - 999 65 85
me@mohdaoud.com
http://www.di.jo

4 comments:

Unknown said...

I cannot get my "Web Client user only" userid to log in! I have it mapped to my Windows account and am able to get to the GP splash screen. When I choose "Windows Account", it just says "This login failed." Do you have any ideas why this is failing?

Unknown said...

Also, I can use the same Windows account to log in through "https://server/GP". It sounds like you do not have any problems... Any help with this would be great! Thank you!

Unknown said...

Never mind, I figured it out. Thanks!

Anonymous said...

I am running into the same issue. For auditing purposes, it's not clear how to assess who has added, updated or deleted a record when the GP session is opened from the Web Client. Any idea how to report for auditing purposes in this case?
