I am a newbie self-learning NAV. Some of my queries may be foolish ones, hoping to hear from you genius experts!
Really confused with licensing framework.
Queries,
I can identify two types of licenses - Customer license vs Partner license. Customer license is the license for ERP product and includes system functionality packages (starter/extended) and user access(full/limited user). Partner license is what a dev partner subscribes to. There is no relation among those two types, right?
Is a development partner able to make changes to any of the primitive objects (tables/codeunits) that come pre-installed with Starter/Extended pack. Is development partner allowed to modify/enhance the system functionality to any extent?
When a development partner registers with Microsoft, is it given a fixed set of object IDs that it will be using to create new objects? Would it be using same set of IDs for all the customers it would be implementing NAV? So, these IDs are globally unique - no two dev partners be having same IDs?
When I connect to RTC using my domain account, I act as a Full User under Customer License (I can see my user set as full user under Departments=>administration=>General=>Users). If I connect to NAV DEV ENVIRONMENT, I CAN design almost all the tables, but CAN'T any of the CODEUNITS. So, how does security work on DEV Environment???
License depending on context can refer to two different things:
- Application\Development License
- Client License Type
Application \ Development License
Microsoft Dynamics NAV's license model is built on defining Read, Insert, Modify, Delete and Execute on each object in the database (Table, TableData, Form, Report, Dataport, XMLDataport, Codeunit, MenuSuite, Page, Query); this is true for End Users, Partners and ISVs.
There are different well known ranges of objects that have different meaning, so depending on what the object numbers are you can assume different parties will have access, they are documented here
Your ability to modify objects will depend on the Object Design Granules you have purchased from Microsoft via your Microsoft Partner, a list of the ones relevant to design can be found at link
Depending on when you Purchased your Microsoft Dynamics License different ones would have been included in your starter pack, most commonly users have:
- 7110 Report and Dataport Designer
- 7120 Form and Page Designer
These provide you the ability to modify code within Reports and Forms, and themselves include objects for modification within the customer license range.
The ability to modify Codeunits is part of the Application Builder granule, which not a lot of customers have purchased; this would likely explain why you can design some object types and not others.
Microsoft Partners have what is equivalent to the Solution Developer License which allows them to modify protected tables (Ledger Tables for instance) in the Base Application range.
Granules
There are a couple of good resources within the system to get information about what permissions you can expect to have within your NAV Instance. In the Microsoft Dynamics IDE you can access your license file (or you can read it as a text file just ignore when it gets into ASCII at the bottom).
You can use the number and name to look up what each one is used for Example
There is also a report 10313 License Permissions that you can execute that will provide an overview of the ranges and what specific permissions (RIMDE) you have within your license to each one.
Your Microsoft Partner has access to generate a License Report (Detailed or Summary) this will provide a list of the objects you have purchased and where they have been assigned.
In previous licensing programs like Business Ready Licensing (BRL) you would have had to define and purchase each granule individually.
More recently Microsoft has moved to perpetual and subscription licensing which provides most of the application areas you are likely to use.
Object Assignment
The Design Granules come with access to specific objects, if you require additional access to objects in the database they must be purchased separately and then assigned by your Microsoft Partner.
For example, purchasing 10 Additional Tables grants you the right to 10 Tables, that then need to be assigned to your License by selecting the specific object IDs for tables in your database and adding the security.
Development
There are a couple of main types of parties that do development within a Dynamics NAV instance:
Microsoft Solution Partners
These tend to do customer specific development, this is modifications to existing forms and objects, bug fixes and other items that are likely to only apply to a specific customer.
Most of this type of development is done within the existing Microsoft Dynamics NAV object ranges, or if new objects are created it is done within the Customer Design Area (50,000 - 99,999).
Customers that have the in-house skills can typically also do development in this range, as the permissions are in the Client Range.
Independent Software Vendors (ISV)
These are also Microsoft Partners, but they focus on developing solutions for multiple customers that will be installed into an array of databases and work in the Certified Partner Design Area (100,000 - 999,999,999); the objects used will be the same for all customers.
A note is that Microsoft Solution Partners do not automatically have access to modify all ISV objects; they need to be provided access to the object ranges the same as an end user would, and in some cases may be unable to modify some objects due to the desires of the ISV (this is rare).
Client License Type
The Full User determines the client license type that is consumed when you connect to the database, and itself does not directly provide security; the Limited user does have a restriction of what it can access.
Your License and Security set-up work together to identify the maximum security that a user can have, as you can add permissions to a user to an object you're not licensed for, but as the runtime will not have permission they will still get a security error (this is true even for the SUPER role and MS partners that are not licensed for a specific ISV Solution Range).
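Added example, not part of the original answer and not NAV's own code: a small Python model of the rule described above, where a user's effective rights on an object are the intersection of what the license grants and what the assigned roles grant. The license and role contents, the `*` wildcard and all function names are constructed for illustration; only the RIMDE letters and the two design-area ranges come from the page.

```python
from dataclasses import dataclass

MAX_ID = 999_999_999


@dataclass(frozen=True)
class Grant:
    """One permission line: object type, inclusive ID range, RIMDE letters."""
    object_type: str          # e.g. "TableData", "Codeunit", or "*" for any type
    first_id: int
    last_id: int
    rights: frozenset

    def covers(self, object_type, object_id):
        type_ok = self.object_type in ("*", object_type)
        return type_ok and self.first_id <= object_id <= self.last_id


def rights_for(grants, object_type, object_id):
    """Union of the rights of every grant line that covers the object."""
    found = set()
    for grant in grants:
        if grant.covers(object_type, object_id):
            found |= grant.rights
    return frozenset(found)


def effective_rights(license_grants, role_grants, object_type, object_id):
    """A right is usable only if BOTH the license and the roles grant it."""
    return (rights_for(license_grants, object_type, object_id)
            & rights_for(role_grants, object_type, object_id))


def denied_by(license_grants, role_grants, object_type, object_id, right):
    """Name the layer that blocks a right, or None if it is allowed."""
    if right not in rights_for(license_grants, object_type, object_id):
        return "license"
    if right not in rights_for(role_grants, object_type, object_id):
        return "role"
    return None


def design_area(object_id):
    """Classify an object ID using the two ranges quoted on the page."""
    if 50_000 <= object_id <= 99_999:
        return "Customer Design Area"
    if 100_000 <= object_id <= MAX_ID:
        return "Certified Partner Design Area"
    return "other"


# Constructed sample data: a customer license with ten custom tables and
# execute-only rights on ten custom codeunits, and no ISV range at all.
LICENSE = [
    Grant("TableData", 50_000, 50_009, frozenset("RIMD")),
    Grant("Codeunit", 50_000, 50_009, frozenset("E")),
]
# Constructed roles: SUPER grants everything, CLERK is read-only on one table.
SUPER = [Grant("*", 0, MAX_ID, frozenset("RIMDE"))]
CLERK = [Grant("TableData", 50_005, 50_005, frozenset("R"))]

if __name__ == "__main__":
    # SUPER on an unlicensed ISV codeunit: the role allows it, the license does not.
    print(design_area(100_200), denied_by(LICENSE, SUPER, "Codeunit", 100_200, "E"))
    print(sorted(effective_rights(LICENSE, CLERK, "TableData", 50_005)))
```

When auditing a security error, `denied_by` shows whether the fix is a role change or a license purchase, which is the distinction the answer draws.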
I can identify two types of licenses - Customer license vs Partner license. Customer license is the license for ERP product and includes system functionality packages (starter/extended) and user access(full/limited user). Partner license is what a dev partner subscribes to. There is no relation among those two types, right?
Partner license in its nature is the same as customer license. It just grants you more abilities, like create objects, fields, modify code of objects. Those apply to objects included in partner license.
Customer license can also include some additional abilities like report designer which allows customers to modify reports (as from Nav 5, dunno if this was changed in latest versions).
Is a development partner able to make changes to any of the primitive objects (tables/codeunits) that come pre-installed with Starter/Extended pack.
Whether or not partner is permitted to modify certain objects is defined by its license. There may be limitations based on object number. Not sure if there are any but technically it is possible.
Is development partner allowed to modify/enhance the system functionality to any extent?
There are limitations like: you won't be able to delete/insert field from table if field number is in range from 1 to 49999 (so called standard range). But it's not critical since you always can create field in your partner range. Actually your partner/customer range is your main limitation, which could be leveraged by sending more money to MS ;)
Keep in mind that if you create an object in your range, 50010 for example, your customer must have this range included in his license to use the object. So you both must send more money to MS ;)
When a development partner registers with Microsoft, is it given a fixed set of object IDs that it will be using to create new objects? Would it be using same set of IDs for all the customers it would be implementing NAV? So, these IDs are globally unique - no two dev partners be having same IDs?
Well see this. In short: range 50,000 - 99,999 shared by partners, certified partner can buy a range of objects from 100,000 - 999,999,999 and have it reserved solely for him.
When I connect to RTC using my domain account, I act as a Full User under Customer License (I can see my user set as full user under Departments=>administration=>General=>Users). If I connect to NAV DEV ENVIRONMENT, I CAN design almost all the tables, but CAN'T any of the CODEUNITS. So, how does security work on DEV Environment???
Not sure what you mean by "security". Access to data is restricted by user rights setup. Access to objects is restricted by license.
In Nav before RTC there were special user rights to allow access to object designer (which is now all that is left in Dev Env). As for now I suppose you have to grant that user db_owner role on the database to access Dev Env.
Taking the following service description:
X is a platform matching buyers and sellers.
Buyers can join the platform by creating a buyer account and browse seller shops, buy, manage their account, ..., on the Buyers client application.
Sellers can join the platform by creating a seller account and manage their shops and orders, ..., on the Buyers client application.
I am still confused about the right approach to adopt.
Here I represented the organization X (the platform). I assume that a buyer is not considered as an organization but rather a user of X. So every time a buyer creates an account, I register a user under X, save email and password on an external database and link this entry to a user in X's wallet.
A seller can be considered as an organization (at least to me but happy to debate on that). So every time a seller creates an account, I have to create and add a new organization to the existing network. They will however share the same "Seller application", also using an email/password approach.
In most of the samples under the Hyperledger Fabric repo, there are like 3-4 organizations at the start of the network and it is quite painful to add one more to an existing network. In my case, I could end up with 1 million organizations or an infinite number if the service is a success. Can this scale?
Is it the correct approach for this kind of use case? Any feedback or resource related to this use case is welcome.
This doesn't look like a valid use of Hyperledger Fabric. The blockchain is optimized to store transactional information. It isn't a regular DB, if you try, for instance, to store "user profiles" you will have a hard time trying so. For instance, each member for the blockchain network (again, Hyperledger Fabric) is meant to keep a copy of the ledger. Thus, everyone would get access to all user profiles. You can play around with PDC (private data), or as you mention, having virtually infinite users created on a single organization, but that isn't really how it's supposed to be used.
So, again, Hyperledger Fabric is meant to store transactional information (ledger relates to transaction). I think whatever strategy you try to implement for your use case, you should keep buyer/seller profiles/information off chain, and use the ledger only for transactional information that members of the network can see. In this scenario Fabric would serve as an audit trail system, adding trust to each operation between buyers/sellers.
Consider the following micro services for an online store project:
Users Service keeps account data about the store's users (including first name, last name, email address, etc.)
Purchase Service keeps track of details about user's purchases.
Each service provides a UI for viewing and managing its relevant entities.
The Purchase Service index page lists purchases. Each purchase item should have the following fields:
id, full name of purchasing user, purchased item title and price.
Furthermore, as part of the index page, I'd like to have a search box to let the store manager search purchases by purchasing user name.
It is not clear to me how to get back data which the Purchase Service does not hold - for example: a user's full name.
The problem gets worse when trying to do more complicated things like search purchases by purchasing user name.
I figured that I can obviously solve this by syncing users between the two services by broadcasting some sort of event on user creation (and saving only the relevant user properties on the Purchase Service end). That's far from ideal in my perspective. How do you deal with this when you have millions of users? Would you create millions of records in each service which consumes users data?
Another obvious option is exposing an API at the Users Service end which brings back user details based on given ids. That means that every page load in the Purchase Service, I'll have to make a call to the Users Service in order to get the right user names. Not ideal, but I can live with it.
What about implementing a purchase search based on user name? Well I can always expose another API endpoint at the Users Service end which receives the query term, perform a text search over user names in the Users Service, and then return all user details which match the criteria. At the Purchase Service, map the relevant ids back to the right names and show them in the page. This approach is not ideal either.
Am I missing something? Is there another approach for implementing the above? Maybe the fact that I'm facing this issue is sort of a code smell? Would love to hear other solutions.
This seems to be a very common and central question when moving into microservices. I wish there was a good answer for that :-)
About the suggested pattern already mentioned here, I would use the term Data Denormalization rather than Polyglot Persistence, as it doesn't necessarily need to be in different persistence technologies. The point is that each service handles its own data. And yes, you have data duplication and you usually need some kind of event bus to share data across services.
There's another option, which is a sort of a take on the first - making the search itself as a separate service.
So in your example, you have the User service for managing users. The Purchases services manages purchases. Each handles its own data and only the data it needs (so, for instance, the Purchases service doesn't really need the user name, only the ID). And you have a third service - the Search Service - that consumes data produced by other services, and creates a search "view" from the combined data.
It's totally fine to keep appropriate data in different databases, it's called Polyglot Persistence. Yes, you would like to keep user data and data about purchases separately and use message queue for sync. Millions of users seems fine to me, it's scalability, not design issue ;-)
In case of search - you probably want to search more than just username, right? So, if you use message queue to update data between services you can also easily route this data to ElasticSearch, for example. And from ElasticSearch perspective it doesn't really matter what field to index - username or product title.
I usually use both approaches. Sometimes I have another service which is sitting on top of x other services and combines the data. I don't really like this approach because it is causing dependencies and coupling between services. So in general, within my last projects we tried to stick to polyglot persistence.
Also think about, if you need to have x sub http requests for combining data in some kind of middleware service, it will lead you to higher latency. We always try to cut down the amount of requests for one task and handle everything that is possible through asynchronous queues (especially data sync).
If you conceptualize modules as the owners and controllers of the data they work on, then your model must also communicate that data out of that module to others. In contrast, the modules in a manufacturing process have the access to change data without possessing and controlling it.
Microservices is an architecture for distributed processing, like most code, where modules pass the data around to work on it. From classic articles by Harvard Business Review and McKinsey on the subject of owning members of a supply chain, I identified complexities arising from this model and wrote an article teaching programmers what you need to know: http://www.powersemantics.com/p.html
Manufacturing is an architecture for integrated processing, where modules work on the data without passing it around from point to point. This can be accomplished by having modules configured to access the same memory, files or database tables. My architecture shows how to accomplish this on memory via reference properties.
When you consider "exposing an API at the Users Service end which brings back user details based on given ids", you need to be aware that creates what HBR calls "irreversible" complexity, which I've dubbed centralization complexity. Don't build A->B (distributed) systems, because you can't decentralize them later after failing to separate requirements. Requirements in production processes represent user instructions, and centralized modules only enable you to change the wrong users' processes. In other words, centralized modules don't document user groups or distinguish them from derived-product-users.
I am tasked with creating an API that would allow 3rd party customers the ability to send orders into our Microsoft Dynamics NAV 5.0 SP1.
I want to be able to create a SalesOrder in Dynamics NAV not with the client but via an API so I can allow a separate process to enter in orders automatically.
Any help is appreciated in leading me in the right direction.
Well, it depends on how complicated you want to make it. Do you need confirmation of the Sales Order creation in "real time"? If so, you'll need to use a Web Service and ensure that there is a network path from wherever customers will create orders (public internet, extranet) to your NAV Web Service - likely using a VPN tunnel, etc.
Alternatively, if you can live with a batch type process then you can have your customers create SOs via a web-based form, etc. and then import these orders into NAV on a regular basis using Dataports or XMLPorts.
For example, you may have a form online that your customer can create an Order on that places the Order in a staging table in SQL or even an XML or CSV file. Then you can run a process on a regular basis that imports these Orders into NAV and creates the appropriate SalesOrders.
Presumably, you also need a way to expose your Item database to the Ordering interface so customers can select which Items to order (and therefore create SalesLines from).
Which type of scenario are you interested in?
Web Services is the way to go; we have several applications that have a similar requirement. I'd recommend building an interface (ASP, to utilise the web service from NAV) and have it talk to NAV that way.
Editing the database directly is not recommended as it will cause locking and may result in deadlocks if not careful. Also NAV can be quite sensitive when it comes to the database, so best not write to it directly if possible :)
I'd recommend creating a codeunit that handles the sales order, in which you can create your functions, 'CreateOrder' and then expose that via Web Services. Even if you're not planning to use a web-based interface, NAV uses the SOAP protocol -- many libraries exist to enable you to connect and interface to Web Services from other languages, like Java, for instance.
I've been tasked with setting up a society's website. I'm a full time Django (et al) web developer so I was happy to take on the task.
Going through the specs, they want to control memberships so that all applications need a "second" (read: sponsor, referee, etc) and then they need to pay a subscription fee to be part of the club.
This club has a number of events with variable ticket prices for lunches and talks to name two. Only members are allowed to see the price per ticket and therefore only members are allowed to buy the tickets.
I had originally planned on farming the event management off to EventBrite and pulling the upcoming events back to the website through EB's API but this members-only constraint looks like something EventBrite can't do.
Then there's processing members subscriptions. I had hoped to allow anybody to register a django.contrib.auth account but leave subscription payment offline but the client would be happier if they could mark accounts as "members", store the subscription data in the database and let the members pay online.
Like with EventBrite, I was hoping I could store rough membership data (whether or not they're allowed to subscribe, a unique token for the user on the API service, their level of membership and their membership's expiry) and there'd be something I could post users off to to process their subscription payment.
I basically don't want to touch any payment systems. Even something as simple as Paypal+IPN is something I'd rather not do (I can and have in the past on other projects) but it's the layer of management that I'd have to build around it (messaging members, creating recurring events, etc) that I'd like to farm out to a third party... Even if they do want an additional percent of the payments processed.
Do any of you know any suitable APIs that cover membership or events or both?
Or is this so complex that I should give up hoping for external help and just knuckle down and do it myself?
I think the google search you are looking for is online membership management. I don't know if any of them play particularly nicely with Django/python, but some of them do include APIs. Almost all of these are companies that charge, either for the system, or on a per-user basis.
If you don't mind installing something yourself, CiviCRM is a free, open source solution that I found with a bit of googling. It integrates with either Joomla or Drupal (so probably PHP-based). You'd have to put the payment processing in yourself, but it does support payments using PayPal which would take handling payments mostly out of the equation. If you can, choose PayPal Express rather than PayPal Website Payments Pro since you may need to be PCI-DSS compliant to use the latter.
I am developing a Django web application with a suite of steel design tools for structural engineers. There will be a database table of inputs for each design tool, and each row of each table will correspond to a particular design condition to be "solved." The users may work solely or in groups. Each user needs to have ongoing access to his own work so that designs can be refined, copied and adapted, and so that reports can be created whenever convenient, usually at the end of a project when hard copy documentation will be needed. The database contents must then be available over any number of sessions occurring over periods measured in months or even years for a given design project.
When there is a group of users, typically all associated with a given design office, it will probably be acceptable for them all to have joint and mutual access to each other's work. The application supports routine engineering production activities, not innovative intellectual property work, and in-house privacy is not the norm in the industry anyway. However, the work absolutely must be shielded from prying eyes outside of the group. Ideally, each group would have one or more superusers authorized to police the membership of the group. Probably the main tool they would need would be the ability to remove a member from the group, discontinuing his access privileges. This would be a user group superuser and would not be the same as a superuser on the site side.
For convenient access, each row of each database table will be associated with a project number/project name pair that will be unique for a given company deploying a user or user group. A different company could easily choose to use a duplicate project number, and even could choose a duplicate project name, so discriminating exactly which database rows belong to a given user (or group) will probably have to be tracked in a separate related "ownership list" table for each user (or group).
It is anticipated (hoped) that, eventually, several hundred users (or user groups) associated with different (and often competing) companies will solve tens of thousands of design conditions for thousands of projects using these tools.
So, here are my questions:
First, is there any point in trying to salvage much of anything from the Django contrib.auth code? As I perceive it, contrib.auth is designed for authentication and access control that is suitable for the blogosphere and web journalism, but that doesn't support fine-grained control of access to "content."
Second, is there any available template, pattern, example, strategy or design advice I could apply to this problem?
django-authority: Documentation, code on GitHub