
Effective Permissions advising a permission exists when it is not present in the permission set


Hi all,

I am experiencing an issue with permission sets. I am trying to apply a page exclusion to a user (to block them from accessing it).

Our structure for using permissions is to have layers: 

Base permission

Role permission

Security filters

Page Exclusions

I have made sure that this Page (16) does not exist in the upstream permission sets and then applied it to the page exclusions permission set.

The result was no effect on the user experience. I then opened effective permissions on the user and I am being shown that the Page exists in the Base Permission.

I then open the Base permission set to find that it does not exist.

Has anyone experienced this, and could the problem stem from outside the permissions (licenses, feature management, extensions, etc.)?

[Screenshots]

Thanks

  • Suggested answer
    RE: Effective Permissions advising a permission exists when it is not present in the permission set

    There is newer functionality in permissions that may help you. I don't see a reference to it in your example and I know of no other way to create a hierarchy in permissions. There is no "order" of process or reference when permission sets or user groups are assigned to a user. They are all on the same level.

    To create a hierarchy you need to use the new permission set structure. 

    Create an all-inclusive permission set and add an exclusion for Page 16 in the top section. Exclusions and Inclusions only relate to permission sets assigned in the set. It is not a deny and does not apply if you assign another permission set to the user directly.

    [Screenshot]

    The first Exclude on this permission set meets your requirements.

    I am also wondering if what you really want is a user that can select a GL Account in an entry and post, but not see the actual posted GL Entries or balances from the chart of accounts or in any other reporting. Do you want to exclude access to GL Entries, not the actual chart of accounts?

    If this is what you want, do not exclude the chart of accounts page, as you will need to allow the user to select a GL account. Instead add an exclusion as I have here on the second line for the GL Entries. This second exclude should work for this requirement. Note the Security Filter you will need to add to be able to post. 

    [Screenshot]

  • Jake2023
    RE: Effective Permissions advising a permission exists when it is not present in the permission set

    Thank you Zhu,

    So based on my organisation's permission structure:

    Base

    Role

    Exclusion

    Security filters

    I would need to make sure that the Base and Role do not contain this page or All pages permission for the exclusion to apply.

    To avoid further issues, would removal/non-inclusion of 'All objects of type Page' from all permission sets have an impact on the user experience? Meaning, is it a requirement for users to access Business Central, or is it used to give a user access to all, even if Page exclusions are applied?

    Really what I am trying to say is that I want to avoid having to put all 3500ish pages into the Base Permission minus the pages I want to exclude.

    Thanks again for your help on this matter.

  • Suggested answer
    YUN ZHU
    RE: Effective Permissions advising a permission exists when it is not present in the permission set

    Unfortunately, all pages in Set A will overwrite Exclusion in Set B.

    When different Permission Sets are used, they are intersections, so the largest one is always taken. Just like my example above.

    PS: If the system takes the minimum, there is also a risk that Super permissions cannot be used.

    Hope this helps.

    Thanks.

    ZHU

  • Jake2023
    RE: Effective Permissions advising a permission exists when it is not present in the permission set

    Hi Zhu,

    So to confirm: if a user has all Pages in Set A but I apply an Exclusion to Set B, Set A has the override?

    I believed this to be the other way around, in that if I grant a user access to all pages but then want to exclude a subset, the exclusion will take precedence.

    Thanks

  • Suggested answer
    YUN ZHU
    RE: Effective Permissions advising a permission exists when it is not present in the permission set

    Hi, is this in one permission set?
    For example, if a user has permission sets A and B, A excludes Page 16, but B includes Page 16. The end user will have the permission of Page 16.

    For example,

    The following will work.

    [Screenshots]

    The following will not work.

    [Screenshots]

    Hope this can give you some hints.

    Thanks.

    ZHU
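
The behaviour described in the answers above, as an added example that is not part of any post in this thread and is not Business Central code: a simplified Python model in which directly assigned permission sets are combined by union, while an exclusion only subtracts inside the set that declares it. The set names, the `ALL = 0` wildcard convention and the sample objects are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

ALL = 0  # assumption: object ID 0 models "All objects of type ..."


@dataclass
class PermissionSet:
    name: str
    grants: set = field(default_factory=set)      # {(object_type, object_id)}
    includes: list = field(default_factory=list)  # nested PermissionSet objects
    excludes: set = field(default_factory=set)    # {(object_type, object_id)}

    def allows(self, obj):
        """True if this set, taken alone, grants obj after its own exclusions."""
        if obj in self.excludes:
            return False  # the exclusion is scoped to this set only
        kind, _ = obj
        if obj in self.grants or (kind, ALL) in self.grants:
            return True
        return any(child.allows(obj) for child in self.includes)


def granting_sets(assigned, obj):
    """Names of the directly assigned sets that grant obj (union semantics)."""
    return [ps.name for ps in assigned if ps.allows(obj)]


def effective(assigned, obj):
    """A user has obj if any directly assigned set grants it."""
    return bool(granting_sets(assigned, obj))


# Constructed sample data mirroring the layers discussed in the thread.
PAGE_16 = ("Page", 16)
base = PermissionSet("BASE", grants={("Page", ALL)})
role = PermissionSet("ROLE", grants={("Table", 17)})
exclusions = PermissionSet("PAGE EXCLUSIONS", excludes={PAGE_16})

# Layout that does not work: the sets are assigned to the user side by side.
flat = [base, role, exclusions]

# Layout that works: one composed set includes the others and carries the exclusion.
composed = PermissionSet("ALL MINUS P16", includes=[base, role], excludes={PAGE_16})

if __name__ == "__main__":
    print(effective(flat, PAGE_16), granting_sets(flat, PAGE_16))
    print(effective([composed], PAGE_16))
    print(effective([composed, base], PAGE_16))
```

`granting_sets` is the audit helper here: when an exclusion appears to have no effect, it names the directly assigned set that still grants the object.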

  • Suggested answer
    Akash Shukla
    RE: Effective Permissions advising a permission exists when it is not present in the permission set

    Hi Jake,

    First, if you are creating the permission sets for pages, make sure that you export all the page details and then manually apply them to the permission sets. For example, if for a sales user you only want to give permission for Sales Quote and not the others, then you have to disable the other pages, Sales Order and Sales Invoice. As you know, for all three the backend table ID is the same.

    For exporting all the pages, please see the image below:

    [Screenshot]

    Check your Business Central URL and, after the question mark, add page=9174.

    For page no. 16, I checked this in my environment and found that it stands for the Chart of Accounts list page.

    [Screenshot]

    Because if you give access permission to the G/L Entry table, then by default the user is able to open the Chart of Accounts list page. This is the default working style of Business Central.

    Please try this and let me know if this works for you.

    Thank you
