Classifying Data in Dynamics NAV


At Microsoft Dynamics NAV, we are committed to data protection, information security, and privacy. Part of this commitment is helping our partners to ensure that the applications they develop are compliant with the latest legislative requirements for collecting, storing, and using user personal information. The latest cumulative updates for Dynamics NAV 2015 (CU 41), Dynamics NAV 2016 (CU 29), Dynamics NAV 2017 (CU 16), and Dynamics NAV 2018 (CU 03) introduce the DataClassification property on tables and fields.
This property lets you tag table and field data with one of the classifications described in the next section.

Treat the DataClassification property as the first layer of classification, applied by developers (Dynamics NAV partners) to customizations, add-ons, and extensions. The second layer is the users and how they handle the data that they provide and that is made available to them.

Classifications of the DataClassification property

The DataClassification property can be set on table objects and field controls.

CustomerContent
  Description: Content directly provided/created by admins and users. This is the default when no value has been specified.
  Examples:
  • Customer-generated BLOB or structured storage data
  • Customer-owned/provided secrets (passwords, certificates, encryption keys, storage keys)

EndUserIdentificationInformation (EUII)
  Description: Data that identifies or could be used to identify the user of a Microsoft service. EUII does not contain Customer content.
  Examples:
  • User name or display name (DOMAIN\UserName)
  • User principal name (name@company.com)
  • User-specific IP address

AccountData
  Description: Customer billing information and payment instrument information, including administrator contact information, such as tenant administrator’s name, address, or phone number.
  Examples:
  • Tenant administrator contact information (for example, tenant administrator’s name, address, e-mail address, phone number)
  • Customer’s provisioning information

EndUserPseudonymousIdentifiers (EUPI)
  Description: An identifier created by Microsoft tied to the user of a Microsoft service. When EUPI is combined with other information, such as a mapping table, it identifies the end user. EUPI does not contain information uploaded or created by the customer (Customer content or EUII).
  Examples:
  • User GUIDs, PUIDs, or SIDs
  • Session IDs

OrganizationIdentifiableInformation (OII)
  Description: Data that can be used to identify a tenant, generally config or usage data. This data is not linkable to a user and does not contain Customer content.
  Examples:
  • Tenant ID (non-GUID)
  • Domain name in e-mail address (xxx@contoso.com) or other tenant-specific domain information

SystemMetadata
  Description: Data generated while running the service or program that is not linkable to a user or tenant.
  Examples:
  • Database table names, database column names, entity names

ToBeClassified
  Description: Content that has not yet been given a classification. This is the initial value when a table or field is created.
  Examples:
  • New tables or columns added by developers while developing extensions or customizations

Data classification on upgrade

When you upgrade an application to the new platform, existing tables and fields (except for FlowFields and FlowFilters) will automatically be assigned the CustomerContent classification. You can then access the DataClassification property on tables and fields, and change the classification as needed. FlowFields and FlowFilters are assigned the SystemMetadata classification.

Viewing data classification

You can view the data classification of tables and fields in the Table Metadata Virtual table (ID 2000000136) and Field virtual table (ID 2000000041), respectively.
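
An added example, not part of the original post or the attached module: a PowerShell check over field metadata exported from the Field virtual table. It flags fields still at ToBeClassified and FlowFields/FlowFilters whose classification differs from the SystemMetadata value the upgrade assigns. The CSV layout, column names, sample rows, and the function name Get-ClassificationFinding are assumptions constructed for illustration.

```powershell
# Constructed sample: rows as they might be exported from the Field virtual
# table (ID 2000000041). The CSV layout and column names are assumptions.
$fieldExport = @'
TableNo,TableName,FieldNo,FieldName,Class,DataClassification
18,Customer,1,No.,Normal,CustomerContent
18,Customer,2,Name,Normal,CustomerContent
18,Customer,55,Date Filter,FlowFilter,SystemMetadata
18,Customer,58,Balance,FlowField,SystemMetadata
50000,Tenant Billing,1,Admin E-Mail,Normal,ToBeClassified
50000,Tenant Billing,2,Admin Phone No.,Normal,AccountData
50000,Tenant Billing,3,Open Amount,FlowField,CustomerContent
'@ | ConvertFrom-Csv

# Hypothetical helper: returns one finding per field that needs attention.
function Get-ClassificationFinding {
    param([Parameter(Mandatory)] [object[]] $Field)

    foreach ($f in $Field) {
        $issue = $null
        if ($f.DataClassification -eq 'ToBeClassified') {
            # New fields start here and must be given a real classification.
            $issue = 'Still ToBeClassified'
        }
        elseif ($f.Class -in 'FlowField', 'FlowFilter' -and
                $f.DataClassification -ne 'SystemMetadata') {
            # The upgrade assigns SystemMetadata to FlowFields and FlowFilters.
            $issue = 'FlowField/FlowFilter is not SystemMetadata'
        }
        if ($issue) {
            [pscustomobject]@{
                Table          = "$($f.TableNo) $($f.TableName)"
                Field          = "$($f.FieldNo) $($f.FieldName)"
                Classification = $f.DataClassification
                Issue          = $issue
            }
        }
    }
}

# Fields that need a decision before the customization ships.
Get-ClassificationFinding -Field $fieldExport | Format-Table -AutoSize

# How many fields sit in each classification. A large CustomerContent count
# right after an upgrade is the automatic default, not a reviewed decision.
$fieldExport | Group-Object DataClassification | Select-Object Name, Count
```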

More information

To read more about these development features, see the following articles in the Developer and IT-Pro Help for Microsoft Dynamics NAV:

Classifying Data
DataClassification Property
Table Metadata Virtual Table
Field Virtual Table

For information about General Data Protection Regulation compliance and Dynamics NAV, see Get GDPR compliant with Dynamics NAV.

 

Updated on March 13, 2018, with an updated version of the Windows PowerShell module attached:

DataClassification

Comments (6)

  1. MartonNagy says:

    Dear DevTeam,

    thank you for this but unfortunately the Set-FieldDataClassificationFromExcelFile cmdlet is not working at all due to many bugs:

    – Line 91 : the $TableFilter is wrong. I’ve exported Table 18 and Table 23 but the script was filtered for Table 18..23
    – Line 92 : there’s a rogue “git status” in there
    – Line 284 : the paths in $import are not enclosed between quotes so the cmd /c fails straight away
    – Line 284 : in $import $FinSQLPath should be used instead of $FinSQLFolder\finsql.exe
    – Line 302 : ditto but with $export
    – Line 276 – Function ZipFiles : the files are being created in “C:\WINDOWS\system32\”

    Can you please fix these issues and release a working version with the next CU?

    Cheers,
    Marto

    1. navteam says:

      Hi Marto,

      Oops, thanks for finding those bugs! The team is fixing the script right now (and they are also having a retrospective to find out why the script shipped in its current state to begin with). We hope to publish the corrected script here on the blog already this week as well as in the April cumulative updates.

  2. navteam says:

    Updated module attached – download the file, and then rename it to DataClassification.psm1.

    1. MartonNagy says:

      Hi,

      many thanks for the swift reply and the fix?

      Marton

  3. Hello,

    could you please give me an example of field from NAV 2018 that is going to be classified as AccountData?

    Thanks,
    Jiri

    1. ikoletic says:

      Hi Jiri
      Sorry for late reply. AccountData classification would be used for data relating to tenant contact and billing information. Let’s say you build your own data center and decide to host NAV in multitenant mode. Any information you have on who the tenant is, how his tenant is provisioned with anything that’s related to this tenant admin would be classified as AccountData.
      Standard NAV application objects do not contain such data. However if you, as data processor, were to keep track of for example billing information for tenant admin and his contact information in NAV tenant database, you as processor of such data, would classify such data as AccountData.
      This classification does not apply to Customer or Contact table records in NAV, as data in these tables is directly provided/created by admins and users or created by system on user’s behalf and would be classified as CustomerContent.
      If you / your company are in data processor role, I’d recommend seeking legal guidance from your legal advisors.
      Regards
      Ivan
