Small and medium business | Business Central, N...

Create User Permission Sets

(0) Share

Report

Posted on by Feras

hello everyone

i am working on permission sets on D365 BC trying to set a security for each user. Standard permission set is not a good option in my case as its not suitable for what i looking for, therefore, i think the only option that i have is to set my own permission set from the scratch or look for the most suitable standard permission set and modify it, however, i find both options very difficult to work on it table by table, its a very long procedure and it takes a lot of time.

i have 2 questions, dose anyone have a better / easier way to deal with creating / modifying permission sets? if no, my second question is, is there any document or so that shows mapping between database tables and application screens, this can at least help me to know which tables that i need to work on based on the screens that i want to give users access to, this would save a lot of time.

thank you.

I have the same question (0)

All responses (6)

Answers (0)

Suggested answer

Mohana Yadav 60,999 Super User 2025 Season 2 on at

Like (0)

Report

We can record the permission sets.

Please check below blog

archerpoint.com/.../

Was this reply helpful? Yes No
Suggested answer

S.Kawamura 1,530 on at

Like (0)

Report

Hello,

Recording feature will help you to setup your permission set.

Operation is detailed here.
Dynamics 365 Business Central: How to create or modify permissions by recording your actions (Record Permissions) | Dynamics 365 Lab (yzhums.com)

BR,

S.Kawamura

Was this reply helpful? Yes No
Feras 43 on at

Like (0)

Report

Hi Mohana

thank you for your reply.

yes i am fully aware of recording option, but this is not the issue i am facing.

My main concern is not with the number of users that i need to create the permission for, my concern is creating the permission set itself for the first time, i am confused because there is a lot of database tables and i am not sure which one is related to the screens that i want to give permission to or not.

if i want to explain it in another way, lets take a hypothetical example, lets say that we have a user that we want to give access only to Purchase Journal, Purchase Order and Cash Receipt Journal, i dont want that use to be able to open any other screen especially from the search option.

going through each table separately in permission sets will be difficult as i am not fully aware of all these tables and which screens they are related to.

so the question is, what is the easiest and fastest way to complete that task mentioned above?

Was this reply helpful? Yes No
Suggested answer

YUN ZHU 95,548 Super User 2025 Season 2 on at

Like (1)

Report

Hi, unfortunately, I'm in agreement with the two above that the most appropriate feature for your needs is Record Permissions.

"lets take a hypothetical example, lets say that we have a user that we want to give access only to Purchase Journal, Purchase Order and Cash Receipt Journal"

You just need to open Role Center first and then open Purchase Journal, Purchase Order and Cash Receipt Journal respectively in the record permissions. This is the easiest and fastest way.

And please note that for each Major version, Microsoft will adjust the set of permissions required by the page. If you do not do recording, it is difficult to completely find the required permissions.

For example: In BC19, the Time Sheet page has been converted from a worksheet to a document page, so the page ID is changed.

More details: https://yzhums.com/18043/

And for Record Permissions: https://yzhums.com/10068/

Hope this will help.

Thanks

ZHU

Was this reply helpful? Yes No
Suggested answer

S.Kawamura 1,530 on at

Like (0)

Report

Hello,

>i dont want that use to be able to open any other screen especially from the search option.
"Indirect" option might help your reqirement.

I think there are roughly Two ways to create a permission set.

The first is to PILE UP the privileges you think you need. The second way is to CUT DOWN the privileges you don't want to give.

The first method "PILE UP" is to assign the Out-of-Box privilege set provided by Microsoft to the user, test the actual operation by the user assigned the permission set, and add any missing privileges. To find out which permissions need to be added, the permissions recording feature can be useful.

The advantage of this method is that Microsoft will adjust the Out-of-Box permission set in the update, and as Zhu mentioned, sometimes major features like Timesheets are changed in major updates. In such cases, the deleted table or page object will be removed from the Out-of-Box permission set. And also the added table or page object will be added to the Out-of-Box permission set.

This is very convenient, but in other words, you are trusting Microsoft's permission sets, or having a deep understanding of the content of the Out-of-Box permission sets. Unfortunately, I have not been able to find any Docs that fully explain the contents of the Out-of-Box permission set.

The second way "CUT DOWN" unnecessary permissions is to first create a Super-like permission set that specifies all the objects (tables, pages, codeunits, etc.) one by one, and then delete the permissions of the objects you don't want to grant. For example, if you don't want to grant the Modify permission to General Ledger Setup, you can remove the Modify permission of Table Data:98. You can use the permission recording feature to identify the objects you want to remove.

The advantage of this approach is that you can make all the decisions yourself, and you don't have to worry about not knowing the contents of the Out-of-Box permission set. On the other hand, the disadvantage of this method is that you may give users "dangerous" permissions that you should not give them. Can you list ALL the setup related tables?
You also need to keep track of the objects that have been added and changed in major and minor updates.

I think the practical solution is to give up on the exact identification and repeat testing and adjusting permissions. This is a similar idea to the first method.
Or " Accept giving users slightly risky permissions. Or "offer to give users slightly risky privileges. This is closer to the second approach.

I hope this will help you.

Thanks,
S.Kawamura

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report
Hello everyone

Identified issues

When the user attempts to access the Business Central system after having the new specially prepared permission set assigned, they receive the following message.

Should there be configuration that would automatically add any base permission to the newly created permission set or is there additional permission sets that contain only the missing base permissions which should also be applied to the user along with the recorded permission set?

Thank you in advance

Bill

Was this reply helpful? Yes No