We have installed and configured NAV 2016 web client. Works fine.
However, it appears to be possible to simply change the company name element of the url and this by-passes NAV security.
Example:
Two NAV companies, Company A and Company B
User only has access to Company A as per NAV security permissions
URL for web client is https://xxxxxxx/yyy/WebClient/?company=Company A but if user changes URL to https://xxxxxxx/DEV/WebClient/?company=Company B then they can access Company B, overriding security.
If they try to change company via 'My Settings' they (correctly) get an error.