Limited Usage Permission field in License Permission system table - licensing

I've created a new page of type List from the wizard to show all the fields of the License Permission (2000000043) system table in NAV 2015.
This field is populated only in the records where Object Type is LimitedUsageTableData and it's an option with the following
Option Strings = , Included, Excluded, Optional
I haven't found any official documentation that explains the meaning of the different values and how to change them (the License Permission table is read-only).
I think this might be related to the limits a user with Limited User license can have.
Just for an example, the table Service Order Allocation 5950 has Limited Usage Permission = Optional. What does it mean?

Limited users licensing is explained in detail in the document named "Microsoft Dynamics NAV Licensing Guide". You can download the latest version from here:
https://www.microsoft.com/en-us/download/details.aspx?id=54248
In short, limited users are allowed to read any table and write to any 3 tables only. You do not need to specify which 3 tables those would be; NAV just counts database writes until there is an attempt to write to a 4th table.
In addition to this rule, there are granted tables which are not counted when you write to them, and there are restricted tables you can never write to.
Limited Usage Permission = Included - means that table is granted and does not count towards maximum of 3.
Limited Usage Permission = Excluded - means that table is restricted to write (e.g. G/L Entry)
Limited Usage Permission = Optional - means all the rest
You are not able to change these values as they are changed by Microsoft only and are part of a license. But partners are able to elect some of the tables in their ranges to be "Included" (which has to be approved by Microsoft).

Related

DB tables technical info in SAP Data Dictionary

I was given a task to develop a report that would present the following details (as separate columns in ALV):
1) Name of the DB table (like MSEG, EKPO etc.)
2) Size of the DB table in megabytes
3) Number of records
4) Number of read requests performed on the table
5) Number of write requests performed on the table
There are DB* tables that contain such kind of info. Specifically I am referring to DB6PMHST and DB6HISTBS. When I try to view them via SE11 or SE16, system reports that these tables do not hold any records. I tried all three development, testing and production landscapes.
Could you please provide guidance on what I am doing wrong? Maybe there are some other system tables that would contain the necessary info?
P.S. I tried to debug ST04 transaction in order to see the tables from which the report selects data, but wasn't able to find those lines of the source code.
I would deeply appreciate your kind assistance.
P.S.S. Checked the table MSSDBSTATT - it is empty as well (our enterprise uses MS SQL Database)
Go to SE38 and run this report RSTABLESIZE, enter table ID and see the magic.
The number of reads and writes on a table is a subject specific to the type of database (MSSQL) -> please tag your question accordingly.
If you get an answer by an MSSQL expert, which says that the data is stored in some MSSQL tables, then you cannot query those tables using "Open SQL" but you may query them using "native SQL" (i.e. EXEC SQL or ADBC for instance).

How to know which user has write access to Clearcase database?

How to know which user has write access to Clearcase database? It mainly means authorization to perform check-in but not only, for example modify a Clearcase value of a defined attribute...
How to have a list of all the user identifiers who modify something in a given VOB? In any of the VOBs?
Do specific roles and profiles exist in ClearCase? Or just the Unix root?
For information:
- ClearCase 8.0.1.4 (AIX 1 7)
- BASE CLEARCASE only is used, not UCM.
Start with "VOB and view access control"; the main access criteria is user and groups:
A user's name and group memberships are the principal credentials evaluated by Rational® ClearCase® when access is requested.
So any user who has, as a primary group (first group when typing id -a), the same group as the one of a VOB can access that VOB. See for example "ClearCase won't allow Check-In" (note: the view itself must be correctly protected as well).
On AIX, you can use lsuser to list users of a given group.
See more with "Access control for elements".
But since ClearCase 9, you also have ACL authorization:
You can use ACLs to protect the VOB object, policies, rolemaps, and elements (other object types, such as branch types and label types, must be secured by the protection mechanisms of the operating system).
You can setup policies (see cleartool lspolicy), and rolemaps
You use a rolemap to specify the principals that take on roles listed in a policy, and to apply the access controls to one or more VOB objects.
The intention is that you can define a small number of policies that determine ‘how' you apply permissions to objects. You then define a number of rolemaps for each policy describing ‘who' takes on the roles in the policy.
By listing rolemaps (cleartool lsrolemap), you can get back a list of groups, from which you can deduce the list of users:
Role:Reader --> Group:DOMAIN/developers
Role:Manager --> Group:DOMAIN/mgrs
Role:Developer --> User:DOMAIN/danny
Role:Integrator --> Group:DOMAIN/integs
Role:Developer --> Group:DOMAIN/devs
Role:Administrator --> User:DOMAIN/vobadmin

Attribute-based access control with database

I work for a software house and I'm looking for a way to authenticate database access as follows:
Someone whose personal data are stored in a table needs to read his
personal row and he has the right to access the table.
Once the requested row has been retrieved, I need an external check
which ensures he has the right to read that specific row, checking
some table's fields which are contained in the same row.
It seems to me that the attribute-based access control is what I'm looking for, but I'm not sure. Can you confirm if it's able to do what I need?
Yes, ABAC (the model) can do that. However, the check would typically happen before you get access to the data - and that's better actually (it avoids retrieving data).
ABAC gives you two things:
- a policy language to express what can and cannot happen. For instance: "A user can view a record they own but not the credit card field"
- a request / response scheme or how to enforce the policies.
In the case of data-centric access control, policies are transformed into SQL filters. For instance, you would go from:
SELECT * FROM transactions;
to
SELECT amount, owner, CASE WHEN (0=1) THEN CREDITCARD ELSE 'xxxx' END AS CREDITCARD FROM transactions WHERE owner = 'Alice';
This is called dynamic data filtering and dynamic data masking. Some database vendors have had that capability e.g. Oracle and VPD or MySQL and FGAC. Lately the trend is to outsource this type of behavior to tools like Informatica DDM or Axiomatics ADAF MD (which is where I work).
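An added example, not part of the original answer and not any vendor's implementation: a minimal rewrite of `SELECT * FROM transactions` into the filtered and masked form shown above, with the subject's attributes passed as bound parameters instead of being inlined into the SQL text. The policy format, the `role`/`auditor` attribute and the sample rows are assumptions made for the illustration.

```python
import sqlite3

# Hypothetical policy format; table and column names follow the answer's query.
POLICY = {
    "table": "transactions",
    "columns": ["amount", "owner", "creditcard"],
    "row_filter": ("owner", "user"),  # row visible only if owner == subject["user"]
    # column shown only if subject["role"] == "auditor", else the placeholder
    "masks": {"creditcard": ("role", "auditor", "xxxx")},
}

def build_query(policy, subject):
    """Rewrite 'SELECT * FROM table' into a filtered, masked, parameterized query."""
    select, params = [], []
    for col in policy["columns"]:
        mask = policy["masks"].get(col)
        if mask is None:
            select.append(col)
            continue
        attr, required, placeholder = mask
        allowed = 1 if subject.get(attr) == required else 0
        select.append(f"CASE WHEN ? = 1 THEN {col} ELSE ? END AS {col}")
        params += [allowed, placeholder]
    filter_col, attr = policy["row_filter"]
    # Identifiers come from the trusted policy; subject values are only ever bound.
    sql = f"SELECT {', '.join(select)} FROM {policy['table']} WHERE {filter_col} = ?"
    params.append(subject[attr])  # KeyError if the attribute is missing: fail closed
    return sql, params

def fetch(conn, policy, subject):
    sql, params = build_query(policy, subject)
    return conn.execute(sql, params).fetchall()

def demo_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (amount REAL, owner TEXT, creditcard TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", [
        (10.0, "Alice", "0000-0000-0000-0001"),
        (25.5, "Bob", "0000-0000-0000-0002"),
    ])
    return conn
```

Because the owner value is bound and never concatenated, a subject name containing quote characters matches no row instead of altering the filter.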

Get audit history records of any entity record as per CRM view

I want to display all audit history data as per MS CRM format.
I have imported all records from AuditBase table from CRM to another Database server table.
I want this table records using SQL query in Dynamics CRM format (as per above image).
I have done so far
select
AB.CreatedOn as [Created On],SUB.FullName [Changed By],
Value as Event,ab.AttributeMask [Changed Field],
AB.changeData [Old Value],'' [New Value] from Auditbase AB
inner join StringMap SM on SM.AttributeValue=AB.Action and SM.AttributeName='action'
inner join SystemUserBase SUB on SUB.SystemUserId=AB.UserId
--inner join MetadataSchema.Attribute ar on ab.AttributeMask = ar.ColumnNumber
--INNER JOIN MetadataSchema.Entity en ON ar.EntityId = en.EntityId and en.ObjectTypeCode=AB.ObjectTypeCode
--inner join Contact C on C.ContactId=AB.ObjectId
where objectid='00000000-0000-0000-000-000000000000'
Order by AB.CreatedOn desc
My problem is AttributeMask is a comma separated value that I need to compare with MetadataSchema.Attribute table's columnnumber field. And how to get New value from that entity.
I have already checked this link : Sql query to get data from audit history for opportunity entity, but it's not giving me the [New Value].
NOTE : I can not use "RetrieveRecordChangeHistoryResponse", because I need to show these data in external webpage from sql table(Not CRM database).
Well, basically Dynamics CRM does not create this Audit View (the way you see it in CRM) using SQL query, so if you succeed in doing it, Microsoft will probably buy it from you as it would be much faster than the way it's currently handled :)
But really - the way it works currently, SQL is used only for obtaining all relevant Audit view records (without any matching with attributes metadata or whatever) and then, all the parsing and matching with metadata is done in .NET application. The logic is quite complex and there are so many different cases to handle, that I believe that recreating this in SQL would require not just some simple "select" query, but in fact some really complex procedure (and still that might be not enough, because not everything in CRM is kept in database, some things are simply compiled into the libraries of application) and weeks or maybe even months for one person to accomplish (of course that's my opinion, maybe some T-SQL guru will prove me wrong).
So, I would do it differently - use RetrieveRecordChangeHistoryRequest (which was already mentioned in some answers) to get all the Audit Details (already parsed and ready to use) using some kind of .NET application (probably running periodically, or maybe triggered by a plugin in CRM etc.) and put them in some Database in user-friendly format. You can then consume this database with whatever external application you want.
Also I don't understand your comment:
I can not use "RetrieveRecordChangeHistoryResponse", because i need to
show these data in external webpage from sql table(Not CRM database)
What kind of application cannot call external service (you can create a custom service, don't have to use CRM service) to get some data, but can access external database? You should not read from the db directly, better approach would be to prepare a web service returning the audit you want (using CRM SDK under the hood) and calling this service by external application. Unless of course your external app is only capable of reading databases, not running any custom web services...
It is not possible to reconstruct a complete audit history from the AuditBase tables alone. For the current values you still need the tables that are being audited.
The queries you would need to construct are complex and writing them may be avoided in case the RetrieveRecordChangeHistoryRequest is a suitable option as well.
(See also How to get audit record details using FetchXML on SO.)
NOTE
This answer was submitted before the original question was extended stating that the RetrieveRecordChangeHistoryRequest cannot be used.
As I said in comments, Audit table will have old value & new value, but not current value. Current value will be pushed as new value when next update happens.
In your OP query, ab.AttributeMask will return comma "," separated values and AB.changeData will return tilde "~" separated values. Read more
I assume you are fine with "~" separated values as Old Value column, want to show current values of fields in New Value column. This is not going to work when multiple fields are enabled for audit. You have to split the Attribute mask field value into CRM fields from AttributeView using ColumnNumber & get the required result.
I would recommend the below reference blog to start with, once you get the expected result, you can pull the current field value using extra query either in SQL or using C# in front end. But you should concatenate again with "~" for values to maintain the format.
https://marcuscrast.wordpress.com/2012/01/14/dynamics-crm-2011-audit-report-in-ssrs/
Update:
From the above blog, you can tweak the SP query with your fields, then convert the last select statement to 'select into' to create a new table for your storage.
Modify the Stored procedure to fetch the delta based on last run. Configure the sql job & schedule to run every day or so, to populate the table.
Then select & display the data as the way you want. I did the same in PowerBI under 3 days.
Pros/Cons: Obviously this requirement is for reporting purpose. Globally reporting requirements will be mirroring database by replication or other means and won't be interrupting Prod users & Async server by injecting plugins or any On demand Adhoc service calls. Moreover you have access to database & not CRM online. Better not to reinvent the wheel & take forward the available solution. This is my humble opinion & based on a Microsoft internal project implementation.

DB2 row level access control: how to pass a user Id

In our web application we want to use DB2 row level access control to control who can view what. Each table would contain a column named userId which contains the user id. We want logged-in users to be able to see only rows whose userId column contains their id. I have seen DB2 permission examples using DB2 session_id or user, for example taking the DB2-given Banking example:
CREATE PERMISSION EXAMPLEBANKING.IN_TELLER_ROW_ACCESS
ON EXAMPLEBANKING.CUSTOMER FOR ROWS WHERE BRANCH in (
SELECT HOME_BRANCH FROM EXAMPLEBANKING.INTERNAL_INFO WHERE EMP_ID = SESSION_USER
)
ENFORCED FOR ALL ACCESS
ENABLE;
Our table gets updated dynamically, hence we don't know which rows get added or deleted, hence we don't know all the user IDs in the table.
At any given time, different users would log on to the web to view information retrieved from the tables. The permission declaration above only takes SESSION_USER as the input; can I change it to something like a Java function parameter where one can pass an arbitrary id to the permission? If not, then how do I handle different logged-in users at arbitrary times? Or do I just keep changing SESSION_USER dynamically as a new user logs in (using "db2 set" ??)? If so, then is this the best practice for this kind of use case?
Thanks in advance.
Since the user ID in question is application-provided, not originating from the database, using SESSION_USER, which equals the DB2 authorization ID, would not be appropriate. Instead you might use the CLIENT_USERID variable, as described here.
This might become a little tricky if you use connection pooling in your application, as the variable must be set each time after obtaining a connection from the pool and reset before returning it to the pool.
Check out Trusted Contexts, this is exactly why they exist. The linked article is fairly old (you can use trusted contexts with PHP, ruby, etc. now).
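An added example, not from either answer: the set-on-checkout, reset-before-return pattern for CLIENT_USERID on a pooled connection, written so the reset still happens when the request fails. It assumes a DB-API driver that accepts `?` markers in a CALL statement; the MYAPP.ORDERS table, the permission name and the recording connection are hypothetical and only there so the block runs offline.

```python
from contextlib import contextmanager

# DB2 DDL the wrapper relies on (MYAPP.ORDERS and OWN_ROWS are hypothetical names).
PERMISSION_DDL = """
CREATE PERMISSION MYAPP.OWN_ROWS ON MYAPP.ORDERS
  FOR ROWS WHERE USERID = CURRENT CLIENT_USERID
  ENFORCED FOR ALL ACCESS ENABLE;
ALTER TABLE MYAPP.ORDERS ACTIVATE ROW ACCESS CONTROL;
"""

# First argument of WLM_SET_CLIENT_INFO is the client user ID; the rest stay unchanged.
SET_CLIENT_INFO = "CALL SYSPROC.WLM_SET_CLIENT_INFO(?, NULL, NULL, NULL, NULL)"

@contextmanager
def as_client_user(conn, user_id):
    """Tag a pooled connection with the web user and always clear the tag afterwards."""
    if not user_id:
        raise ValueError("refusing to run with an empty client user id")
    cur = conn.cursor()
    cur.execute(SET_CLIENT_INFO, (user_id,))
    try:
        yield conn
    finally:
        # An empty string resets the register; NULL would leave the old value in place.
        cur.execute(SET_CLIENT_INFO, ("",))

class RecordingConnection:
    """Constructed stand-in for a DB-API connection; it only records statements."""
    def __init__(self):
        self.calls = []
    def cursor(self):
        return self
    def execute(self, sql, params=()):
        self.calls.append((sql, tuple(params)))

def demo():
    """Simulate a request that fails midway and return the client-info calls made."""
    conn = RecordingConnection()
    try:
        with as_client_user(conn, "alice") as c:
            c.cursor().execute("SELECT * FROM MYAPP.ORDERS")
            raise RuntimeError("request handler failed")
    except RuntimeError:
        pass
    return [params for sql, params in conn.calls if sql == SET_CLIENT_INFO]
```

The client user ID is asserted by the application and not authenticated by DB2, so the permission is only as strong as the control over who can connect with the pool's credentials.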
