New Features for Dynamics 365 Business Central 2021 release wave 1 (BC18): Entitlement, PermissionSet, and PermissionSetExtension (New AL objects)


Hi, Readers.
Last week, the preview environment for Dynamics 365 Business Central 2021 release wave 1 (BC18) became available. Learn more: https://yzhums.com/10601/.

I will continue to test and share some new features that I hope will help.

New AL objects: Entitlement, PermissionSet, and PermissionSetExtension:

Business value:

The ability to manage user access to the functionality provided by a business application is a cornerstone of any successful solution or service. The Business Central application and service helps organizations across the world manage their most valuable and sensitive data.

Feature details:

Business Central uses two main concepts for defining access to the functionality:

・Entitlements
・Permissions

Entitlements describe which objects in Business Central a customer is entitled to use according to the license that they purchased from Microsoft or the Azure Active Directory role that they have assigned in the Microsoft 365 admin center (such as Global Administrator).

Permissions describe which objects an administrator or a partner has granted to the customer's users.

In the previous releases of Business Central, permissions and entitlements were defined as data in the application database. Keeping such sensitive information as data comes with additional security and audit risks. Changes applied to this data should ideally be well traceable. “Treat your critical data as you treat your code” is a mantra applied to this type of sensitive data in DevOps practices. With this release of Business Central we are turning this data into code.

Three new object types are introduced in the AL language:

・Entitlement
・PermissionSet
・PermissionSetExtension

This change will give you all of the advantages of using the AL Language extension in Visual Studio Code and source control systems (such as Visual Studio Online and GitHub) to design, get an overview of, and track changes to the objects that describe user access.

……

Let’s see more details.

PermissionSet

A permission set is a collection of permissions for specific database objects. All users must be assigned one or more permission sets before they can access Business Central.

For example, take the permission set “D365 FA, EDIT”.

In BC17 and earlier versions, it was defined as follows, in an XML file.

Starting from BC18, the same permission set becomes an AL object.

So now you can create a new PermissionSet in VS Code and publish it to BC.

permissionset 50100 " New D365 FA, EDIT"
{
    Assignable = true;

    Caption = 'Dyn. 365 Create Fixed Assets';
    Permissions = tabledata "Depreciation Book" = Rm,
                  tabledata "Depreciation Table Buffer" = RIMD,
                  tabledata "Depreciation Table Header" = R,
                  tabledata "Depreciation Table Line" = R,
                  tabledata "FA Allocation" = R,
                  tabledata "FA Buffer Projection" = RIMD,
                  tabledata "FA Class" = R,
                  tabledata "FA Date Type" = R,
                  tabledata "FA Depreciation Book" = Rim,
                  tabledata "FA G/L Posting Buffer" = RIMD,
                  tabledata "FA Journal Batch" = RIMD,
                  tabledata "FA Journal Line" = RIMD,
                  tabledata "FA Journal Setup" = R,
                  tabledata "FA Journal Template" = R,
                  tabledata "FA Ledger Entry" = Rimd,
                  tabledata "FA Location" = R,
                  tabledata "FA Matrix Posting Type" = R,
                  tabledata "FA Posting Group" = R,
                  tabledata "FA Posting Group Buffer" = RIMD,
                  tabledata "FA Posting Type" = R,
                  tabledata "FA Posting Type Setup" = R,
                  tabledata "FA Reclass. Journal Batch" = RIMD,
                  tabledata "FA Reclass. Journal Line" = RIMD,
                  tabledata "FA Reclass. Journal Template" = R,
                  tabledata "FA Register" = Rimd,
                  tabledata "FA Setup" = R,
                  tabledata "FA Subclass" = R,
                  tabledata "Fixed Asset" = RIMD,
                  tabledata "Ins. Coverage Ledger Entry" = Rimd,
                  tabledata Insurance = RIMD,
                  tabledata "Insurance Journal Batch" = RIMD,
                  tabledata "Insurance Journal Line" = RIMD,
                  tabledata "Insurance Journal Template" = R,
                  tabledata "Insurance Register" = Rimd,
                  tabledata "Insurance Type" = R,
                  tabledata "Main Asset Component" = RIMD,
                  tabledata Maintenance = R,
                  tabledata "Maintenance Ledger Entry" = Rimd,
                  tabledata "Maintenance Registration" = RIMD,
                  tabledata "Total Value Insured" = RIMD;
}

PS: If you execute the “AL: Generate permission set containing current extension objects” command in VS Code, it still generates the permission set as an XML file.

PermissionSetExtension

In previous versions, permission sets of type System and Extension could not be changed. Only permission sets of type User-Defined could be changed. So when you wanted to modify a system permission set, you first had to copy it to a new permission set and then modify the copy.

Now you can use the new object type, PermissionSetExtension.

For example, take D365 FA, EDIT.

Create a new permissionsetextension.

permissionsetextension 50100 "Mod D365 FA, EDIT" extends "D365 FA, EDIT"
{
    Permissions = tabledata "FA Setup" = RIMD,
                  tabledata "FA Posting Type Setup" = RIMD,
                  tabledata "FA Journal Setup" = RIMD;
}

Publish.

The system permission set has been updated.
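
Because permissions now live in source files, a reviewer can compute exactly what a permissionsetextension widens before it is published. The sketch below is an added example (not from the original post or from Microsoft's tooling); the function names are hypothetical, BASE is a constructed excerpt of the listing above, and it assumes that an extension's rights are added on top of the base set's and that lowercase letters mean indirect rights.

```python
import re

# One "Permissions" entry: <object type> <name> = <rights letters>
ENTRY = re.compile(
    r'\b(tabledata|table|page|report|codeunit|xmlport|query|system)\s+'
    r'("[^"]+"|\w+)\s*=\s*([RIMDXrimdx]+)\b', re.IGNORECASE)

# Constructed input: four entries copied from the listing above, standing in
# for the system set that the extension targets.
BASE = '''permissionset 50100 " New D365 FA, EDIT"
{
    Permissions = tabledata "FA Setup" = R,
                  tabledata "FA Posting Type Setup" = R,
                  tabledata "FA Journal Setup" = R,
                  tabledata Insurance = RIMD;
}'''
EXT = '''permissionsetextension 50100 "Mod D365 FA, EDIT" extends "D365 FA, EDIT"
{
    Permissions = tabledata "FA Setup" = RIMD,
                  tabledata "FA Posting Type Setup" = RIMD,
                  tabledata "FA Journal Setup" = RIMD;
}'''

def parse_permissions(al_source):
    """Return {(object_type, object_name): rights} for each entry found."""
    return {(m[1].lower(), m[2].strip('"')): m[3]
            for m in ENTRY.finditer(al_source)}

def level(rights, letter):
    """0 = not granted, 1 = indirect (lowercase), 2 = direct (uppercase)."""
    return 2 if letter in rights else 1 if letter.lower() in rights else 0

def widened(base_src, ext_src):
    """Map each object to the rights the extension adds or upgrades."""
    base = parse_permissions(base_src)
    report = {}
    for obj, rights in parse_permissions(ext_src).items():
        old = base.get(obj, "")
        gained = "".join(c if level(rights, c) == 2 else c.lower()
                         for c in "RIMDX" if level(rights, c) > level(old, c))
        if gained:
            report[obj] = gained
    return report

if __name__ == "__main__":
    for (kind, name), gained in widened(BASE, EXT).items():
        print(f"{kind} {name!r}: +{gained}")
```

Run in a pull-request check, a non-empty result for a setup or posting table is the cue for a second reviewer to confirm the wider access is intended.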

Entitlement

Entitlements describe which objects in Business Central a customer is entitled to use according to the license that they purchased from Microsoft or according to the Azure Active Directory role that they have assigned in Microsoft 365 Admin Center, for example, Global Administrator.

In Base Application, there is now a folder named Entitlement that holds all of the standard Entitlement objects.

For example:

Some properties of the Entitlement object:

(property) Type: Option PerUserServicePlan,FlatRateServicePlan,Role,ConcurrentUserServicePlan,Application,ApplicationScope,Implicit
The type of entitlement. When a user logs into Business Central, it is checked if the user is assigned the given AAD service plan, the given AAD role etc., and if that is the case, the user will be entitled to use the objects covered by this entitlement. The same applies if an application logs into Business Central.

(property) RoleType: Option Local,Delegated
If the entitlement type is Role, the RoleType is used to distinguish between local and delegated assignments of the role.

(property) ObjectEntitlements: List Of PermissionSet
Determines the object permissions that this entitlement object permits a user or application to use.

(property) GroupName: String
If the entitlement type is ConcurrentUserServicePlan, the GroupName determines which AAD group users with this entitlement should be members of.

Note: Entitlements are only used in the cloud version of Business Central (SaaS).

Update 2021/04/15: Information from Dynamics 365 Business Central Launch Event 2021 release wave 1

END

Hope this will help.

Thanks for reading.

ZHU
