19. February 2018
Quickly grant access to a user group when starting a NAV container
As we use Docker containers internally to quickly spin up environments for reproducing bugs, delivering fixes on older releases or quickly test our application, we needed a way to easily grant access to a specific Active Directory user group. When starting a container, we want the following actions to be taken:
- Create NAV user and permission set for each user within the given domain user group
- Create SQL user for the given user group to allow access via development environment
Luckily, the official Docker image for NAV makes customization very easy and we can just override the AdditionalSetup.ps1-script and run our custom scripts. You can find these scripts in Tobias’ GitHub repository.
The setupDevDbAccess.ps1-script just adds a SQL user for the domain user group to the local database if it not already exists. The domain and group name are taken from the environment variables DevDomain and DevGroup.
The script setupDevNavUsers.ps1 uses the ActiveDirectory PowerShell module and therefore installs the corresponding Windows feature. Afterwards it retrieves every single user of the group specified in DevGroup, checks if it already has a NAV user and if not, creates it.
Note that the container needs access to the Active Directory domain for this to work. This can be achieved with the use of gMSAs. Jakub Vanak provided a script in his repository, which shows how to easily create a gMSA.
With the gMSA set up and the use of the folders feature we can start a container with the custom scripts:
docker run --rm -e accept_eula=y -e auth=Windows --network MyTransparentNetwork --security-opt "credentialspec=file://releaseX.json" --name releaseX --hostname releaseX -e folders="c:\run\my=https://github.com/tfenster/nav-docker-samples/archive/grant-user-access.zip\nav-docker-samples-grant-user-access" -e DevDomain=SUPER-COMPANY -e DevGroup=ALL_DEVS microsoft/dynamics-nav:2017-cu14
Docker uses the CredentialSpec to run the container with the specified gMSA. To access the domain, the container connects via a transparent network. While the container starts, the custom scripts are downloaded from the GitHub repository and the users are created.
This way, we can easily grant access to a user group in a couple of seconds while starting the NAV container. Awesome!