Hi all,
I am experiencing an issue with permission sets. I am trying to apply a page exclusion to a user (to block them from accessing it).
Our structure for using permissions is to have layers:
Base permission
Role permission
Security filters
Page Exclusions
I have made sure that this Page (16) does not exist in the upstream permission sets and then applied it to the page exclusions permission set.
The result was no effect on the user experience. I then opened effective permissions on the user and I am being shown that the Page exists in the Base Permission.
I then open the Base permission set to find that it does not exist.
Has anyone experienced this, and could the problem stem from outside the permissions (licenses, feature management, extensions, etc.)?
Thanks
There is newer functionality in permissions that may help you. I don't see a reference to it in your example and I know of no other way to create a hierarchy in permissions. There is no "order" of process or reference when permission sets or user groups are assigned to a user. They are all on the same level.
To create a hierarchy you need to use the new permission set structure.
Create an all-inclusive permission set, add an exclusion for Page 16 in the top section. Exclusions and Inclusions only relate to permission sets assigned in the set. It is not a deny and does not apply if you assign another permission set to the user directly.
The first Exclude on this permission set meets your requirements.
I am also wondering if what you really want is a user that can select a GL Account in an entry and post, but not see the actual posted GL Entries or balances from the chart of accounts or in any other reporting. Do you want to exclude access to GL Entries, not the actual chart of accounts?
If this is what you want, do not exclude the chart of accounts page, as you will need to allow the user to select a GL account. Instead add an exclusion as I have here on the second line for the GL Entries. This second exclude should work for this requirement. Note the Security Filter you will need to add to be able to post.
Thank you Zhu,
So based on my organisation's permission structure:
Base
Role
Exclusion
Security filters
I would need to make sure that the Base and Role do not contain this page or All pages permission for the exclusion to apply.
To avoid further issues, would removal/non-inclusion of 'All objects of type Page' from all permission sets have an impact on the user experience? Meaning, is it a requirement for users to access Business Central, or is it used to give a user access to all, even if Page exclusions are applied?
Really what I am trying to say is that I want to avoid having to put all 3500ish pages into the Base Permission minus the pages I want to exclude.
Thanks again for your help on this matter.
Unfortunately, all pages in Set A will overwrite Exclusion in Set B.
When different Permission Sets are used, they are intersections, so the largest one is always taken. Just like my example above.
PS: If the system takes the minimum, there is also a risk that Super permissions cannot be used.
Hope this helps.
Thanks.
ZHU
Hi Zhu,
So to confirm: if a user has all Pages in Set A but I apply an Exclusion to Set B, Set A has the override?
I believed this to be the other way around, in that if I grant a user access to all pages but then want to exclude a subset, the exclusion will take precedence.
Thanks
Hi, is this in one permission set?
For example, if a user has permission sets A and B, A excludes Page 16, but B includes Page 16. The end user will have the permission of Page 16.
For example,
The following will work.
The following will not work.
Hope this can give you some hints.
Thanks.
ZHU
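The behaviour described in the replies above, as an added example that is not part of the original thread and is not Business Central code: a simplified model in which an exclusion only removes permissions inside the set that holds it, and directly assigned sets are combined. The set names (BASE, ROLE, PAGE-EXCL, USER-ALL), page 21 and the use of object ID 0 for "all objects of type Page" are assumptions made for the illustration.

```python
# Simplified model of the permission behaviour discussed in this thread.
PAGE = "Page"
ALL = 0  # assumption: object ID 0 stands for "all objects of this type"


class PermissionSet:
    def __init__(self, name, grants=(), includes=(), excludes=()):
        self.name = name
        self.grants = set(grants)       # (type, id) lines granted by this set
        self.includes = list(includes)  # permission sets nested in this set
        self.excludes = set(excludes)   # (type, id) excluded inside this set only

    def allows(self, obj):
        """True if this set, together with its nested sets, grants obj."""
        obj_type, _ = obj
        if obj in self.excludes or (obj_type, ALL) in self.excludes:
            return False  # the exclusion covers everything under this set
        if obj in self.grants or (obj_type, ALL) in self.grants:
            return True
        return any(child.allows(obj) for child in self.includes)


def granting_sets(assigned, obj):
    """Directly assigned sets that grant obj; an empty list means no access."""
    return [ps.name for ps in assigned if ps.allows(obj)]


def build_scenarios():
    page16 = (PAGE, 16)
    base = PermissionSet("BASE", grants={(PAGE, ALL)})
    role = PermissionSet("ROLE", grants={(PAGE, 21)})
    # Layout from the question: the exclusion lives in its own sibling set.
    excl_only = PermissionSet("PAGE-EXCL", excludes={page16})
    # Layout from the reply: one composite set that nests the others.
    composite = PermissionSet("USER-ALL", includes=[base, role], excludes={page16})
    return {
        "siblings": granting_sets([base, role, excl_only], page16),
        "composite": granting_sets([composite], page16),
        "composite_plus_base": granting_sets([composite, base], page16),
        "composite_other_page": granting_sets([composite], (PAGE, 21)),
    }


if __name__ == "__main__":
    for scenario, sets in build_scenarios().items():
        print(f"{scenario}: granted by {sets or 'nothing'}")
```

The `granting_sets` result doubles as an audit answer: it names the directly assigned set that still grants the page, which is the question the effective permissions view raised in the first post.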
Hi Jake,
First, if you are creating the permission sets for pages, make sure that you export all the page details and then manually apply them to the permission sets. For example, for a sales user you only want to give permission for Sales Quote and not others, so you have to disable the other pages for sales order and sales invoice. As you know, for all three the backend table ID is the same.
For exporting all the pages - please see below image:
For page no. 16, I checked this in my environment and found that it stands for the Chart of Accounts List page.
Because if you give access permission to the G/L Entry table, then by default the user is able to open the Chart of Accounts list page. This is the default working style of Business Central.
Please try this and let me know if this works for you.
Thank you