Are there some helpful hints for speeding up the 'synchronize security' process?
Even on a development server with not many users (<10), this process takes a long time (minutes). It's not clear WHY it would take so long, but what we hear from the consultants is it's not unusual for this to take a long time. Is this the case, or are we getting bad info?
Thanks.
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
That's what I'm seeing, in the neighborhood of 10 minutes.
SharePoint Implementation and Development
Network Administration
Mirifex Systems
The sync takes 4 ½ hours to complete, and if there's a lock from another client and it's not released so that the sync can continue, it halts and has to start from the beginning again. So we have a job that closes all external access to the database and starts the sync every Sunday. We're just lucky that we can close Navision down for 6 hours. Otherwise we had no chance of syncing the users.
And the best part is that if you add a new user, that user needs to be synchronised before he can access the data. And the synchronize takes all users every time. It drops the access token and then creates it from scratch.
I've tried to trace the changes when I do a sync and it ends up in more than 1.8 mill. statements for the whole sync on the system.
There is not to my knowledge a way to make a partial sync. It's all or nothing.
It's a "feature" that, according to MBS, may be changed in the second service release for 4.0, 12-18 months from now.
Hopefully MBS will see that this is not the optimal solution and send an update where it does partial sync for only the involved tables/users.
Regards Bo Heltborg
On a practical note, what are you using to implement that job? Is there a good tool you can recommend? I have heard some people on these forums referring to a tool from ExpandIT, I believe. Are you using that or something else.
Thanks,
Steve
Afterwards we manually start the Sync job, because with the tools we have available we can't start the Sync job.
Afterwards we open the database again.
I know the utility you are referring to but we are not using it.
Regards Bo
Where did you get this release schedule information (that in the second service release in about 12 - 18 months this problem will be fixed)? We've opened a support ticket and have tried to get a precise and valuable statement without any success so far.
Our workaround is to assign to all SQL Server users the db_owner role, which overrules the app_role concept in SQL Server, i.e. then synchronization is not necessary anymore. We have chosen this workaround because we don't have a time slot for a batch job of one hour per night. But of course, therefore we have a security problem now.
Best regards
Jochen Anderko
Our customer database contains 1000 named users and security synchronization takes 10 hours. When I post this problem to www.partnersource.com I get this answer from Microsoft developers:
***
In SP1 there are changes in xp_ndo.dll and system goes faster, but not so much as customer expects.
We have looked at alternative ways of handling the 'Security Sync' --> online, differential etc.
BUT we got stuck every time trying to handle 'indirect' permissions. If Navision only had 'standard' permissions we would be able to port this one to one on the SQL Server. The indirect permission is not a group and not a per-user permission and needs to be handled using the 'app-role' functionality of SQL Server.
At this point in time (not in any close future...) we are not able to change this behaviour. I can only recommend large installations to use 'sync security' outside office hours to prevent these locking timeouts.
***
This gives you no control over the actions the users are doing to the database.
In my opinion this is a hazardous solution that can lead to even worse problems than the downtime during synchronization. Problems like rogue users and data inconsistency.
Unfortunately I cannot give you any other solution to the sync problem. I just wanted to point out some of the risks involved in adding users to the DB_OWNER role.
Regards Bo Heltborg
"There is a review of the SQL Security going on right now and they are looking to allow the synch to be run for just one user at a time and to also see if we can get better performance out of it."
If they can make it work with one user at a time I think it would make everyone's life easier.
I have been working with Microsoft regarding this issue since the beginning of the year. The code that they are probably reviewing is a concept that I created for one of our customer sites that was having issues (they are a 100 user site, and cannot re-sync throughout the day).
I am in the final stages of testing the functionality, and I will post it in this thread as soon as the basic functionality works. I'm hoping that someone else in the Navision community can take it and modify it as needed, since I am not what I classify as a "hard-core" developer. I just get to a solution that works 99% of the time and leave the theoretical stuff to the pros.
I will post it within the next couple days.
- Scott
Vice President, Deployment Operations
Symbiant Technologies, Inc.
http://www.symbiantsolutions.com
Here are the objects and code that I promised. This is a work in process (it works with the basic Navision system, but linked tables do not currently work within the design, along with database users).
Please test thoroughly before introducing this into a Production environment! You have been warned!
Navision Objects:
SQL Object:
Also, there has been some great news from Microsoft regarding this topic. Currently, the US team is evaluating a new executable that contains the capability to do user-specific synchronization. This is implemented in the core .exe code. From what I have heard, there are some enhancements for timeout times, but there have not been any drastic performance increases (other than the capability to do user-specific synchronization).
Hopefully, it will be introduced sooner rather than later!
Enjoy, and please give any feedback that you can!
- Scott
Vice President, Deployment Operations
Symbiant Technologies, Inc.
http://www.symbiantsolutions.com
Thanks for the update. We'll check this out in our development environment and see what happens.
Also, let us know if you hear anymore from Microsoft re: the new executable with user-specific synchronization. I can't be the only one who can't wait to get a hold of that...
Thanks again
Steve
Thanks again for posting this. It answered some questions that until now I wasn't getting answers to!
I had a couple questions. I am looking primarily at the SQL piece (testing that, then once that's good, I'll look at the UI).
First off I notice this works for most roles but not for SUPER, since SUPER doesn't have entries for all items in the Permissions table. I'm thinking what you do in this case is grant permissions on all non-company specific tables and either all company specific tables, or just the company specific tables for the company you want to grant permissions for. It was not too hard to make changes for this, just wanted to verify this approach was OK.
The other big question is about this chunk of code:
Actually in our database I don't see those. We are running 4.0 with presumably a different license so maybe that's the reason for the difference.
We have some tables in the 20..... block, but with different names.
One other thing: In my case some of the machineID input parameters didn't fit into the Integer type. I had to use BIGINT for those. The functionality mapping the SID to the Navision security role still works after those changes on the tiny test database where I'm testing this.
Aside from those issues, the code does appear to work and it does its work QUICKLY. I will test it further of course.
Thanks,
Steve
From what I can tell, the technique currently used drops all permissions to all objects and then runs statements to re-grant permissions according to what is configured in Navision (the other post on this group works similarly). This is an utterly inefficient technique, particularly when there are many users in the system. I decided to take the approach of ascertaining the differences in permissions configured in Navision versus what is actually granted in SQL. Then knowing the differences, run only the statements necessary to bring the SQL permissions into synchronization. The results are dramatic. In a database of 100 users, I am able to synchronize permissions in about 1 minute compared to 45-60 minutes for the Navision synchronization.
I've validated my technique by comparing the permissions set by my script compared to the Navision sync and confirmed that it results in setting the exact same permissions. I've tested this with a number of different roles/permissions on a database with 8 companies in it. My implementation uses a Navision form to call SQL stored procedures which are supplied. You can either sync a specific user or all users although there is not a lot of difference in execution time.
Why MBS couldn't come up with this is beyond me. My company has approached MBS with this solution but have not yet actually been asked for the implementation. So in the interest of helping those living with this nightmare, I'm making the solution available. Since the script is rather large, we've decided to make it available for download from our website. Currently the script only synchronizes Windows logins but it should be easily adaptable to Database logins if an algorithm for matching the logins to the corresponding application roles can be derived.
Download from here (http://www.choicesolutions.com/navision.cfm?PN=Support)
http://www.BiloBeauty.com
http://www.autismspeaks.org
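The differential approach described in the post above, as an added example that is not part of the original thread and is not the poster's script: it compares the permissions configured in the application with those actually granted in SQL Server and emits only the `GRANT`/`REVOKE` statements needed to close the gap. The role names, table names and the `(role, object, permission)` tuple layout are constructed assumptions.

```python
# Added example: differential permission sync on constructed data.
# Role names, table names and the (role, object, permission) tuple layout
# are assumptions for illustration, not taken from the poster's script.

ALLOWED_PERMS = {"SELECT", "INSERT", "UPDATE", "DELETE"}


def quote_ident(name):
    """Bracket-quote a T-SQL identifier; ']' is escaped by doubling."""
    return "[" + name.replace("]", "]]") + "]"


def diff_permissions(desired, actual):
    """Return (to_grant, to_revoke) as sorted lists of tuples."""
    desired, actual = set(desired), set(actual)
    # Reject anything outside the allowlist before it reaches generated SQL.
    for _, _, perm in desired | actual:
        if perm not in ALLOWED_PERMS:
            raise ValueError("unexpected permission: %r" % (perm,))
    return sorted(desired - actual), sorted(actual - desired)


def sync_statements(desired, actual, schema="dbo"):
    """Emit only the statements needed to make `actual` match `desired`."""
    to_grant, to_revoke = diff_permissions(desired, actual)
    stmts = []
    # Revokes go first so excess rights are removed before anything is added.
    for role, obj, perm in to_revoke:
        stmts.append("REVOKE %s ON %s.%s FROM %s;" % (
            perm, quote_ident(schema), quote_ident(obj), quote_ident(role)))
    for role, obj, perm in to_grant:
        stmts.append("GRANT %s ON %s.%s TO %s;" % (
            perm, quote_ident(schema), quote_ident(obj), quote_ident(role)))
    return stmts


# Constructed sample: what the application configures ...
DESIRED = {
    ("role_alice", "CRONUS$Customer", "SELECT"),
    ("role_alice", "CRONUS$Customer", "UPDATE"),
    ("role_bob", "CRONUS$Customer", "SELECT"),
}
# ... versus what is currently granted in the database.
ACTUAL = {
    ("role_alice", "CRONUS$Customer", "SELECT"),
    ("role_bob", "CRONUS$Customer", "SELECT"),
    ("role_bob", "CRONUS$Customer", "DELETE"),
}

if __name__ == "__main__":
    for line in sync_statements(DESIRED, ACTUAL):
        print(line)
```

When the two sets already match, no statements are produced, so the work scales with the number of changed permissions rather than with the number of users.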
Thanks for making this available. It is odd that there's secrecy around mapping database logins to app roles. It wasn't until the earlier post that I was able to obtain info about the relationship between windows logins and app roles. Fortunately we made a point of using the Windows Integrated authentication, so this solution will work for us.
Steve
I know the thread is old but we still have this problem!
Does anybody have the script? I tried to download it with no success...
br,
Mathias