Dynamics 365 Business Central: Special Permission Sets

Dynamics 365 Business Central

Hi, Readers.
In the last two months we have discussed the new special permission set added in this major release, LOGIN Permission Set (Minimal permission set for log-in). Today I would like to briefly share all the special permission sets currently in the Business Central.

The following permission sets have special definitions that you should be aware of as you implement permissions and security for Business Central users.

SUPER: Can read, use, update, and delete all data and all application objects in the scope of your license. Business Central requires that at least one user is assigned this permission set in each database.

The first user created in Business Central is automatically assigned the SUPER Permission Set.

You can’t modify permissions for the SUPER permission set.

But you can use permissionsetextension to extend it. (Although it doesn’t make much sense)

SUPER (DATA): Can read, use, update, and delete all data in the scope of your license. You typically assign this permission set to an accounting manager who needs to work with all data but doesn’t need to change Business Central.

PS: Difference between Table Data and Table in Permissions

SECURITY: Manage the permission sets that are assigned to your account. When assigned this permission set, you can:

  • Create new users and assign them any permission set that is also assigned to your account.
  • Remove a permission set from a user as long as the permission set is also assigned to your account.
  • Modify individual permission granted by a permission set as long as the permission set is also assigned to your account.

The idea behind this permission set is to prohibit you from granting users more permissions than you have. The permission set is useful for SUPER users or global administrators who want to delegate permission management to team administrators. For example, a sales manager can assign permissions in sales area to sales people, sales assistant, sales coordinator, and so on.

BASIC: Grants Read access to almost all application tables and all system tables.

Note: This permission set is available only for Business Central on-premises.

The main purpose of this permission set is to enable the service to open and show all pages.

D365 BASIC: Grants Read access to almost all application tables and all system tables.

The main purpose of this permission set is to enable the service to open and show all pages.

FOUNDATION: A prerequisite for all other permission sets. The FOUNDATION permission set grants access to system tables and application setup tables that are required for most application features to work. 

Note:
1. This permission set is recommended when using the UI Elements Removal feature to automatically remove UI elements according to user permissions. For more information, see Removing Elements from the User Interface According to Permissions.

2. This permission set is available only for Business Central on-premises.

SYSTEM APP – BASIC: Grants access to most features of the system application and is required for login to Business Central.

SYSTEM APP – ADMIN: Grants full permissions to all features of the System Application.

LOGIN: Grants the minimum permissions to application and system objects that needed to sign in to Business Central. Use the permission set to allow users to sign in to Business Central without accidentally granting them permissions beyond those required by their tasks. By granting this permission set, the user will always be able to sign in.

Note: This permission set does not grant access to a Role Center. It only allows the user to log in to Business Central.

You can find more about Special Permission Sets in MS Docs.

PS: EXTEN. MGT. – ADMIN is not classified by Microsoft in the special permission sets.
But to install or uninstall extensions from AppSource or add per-tenant extensions, you must either be a member of the D365 Extension Mgt. user group, or you must have the EXTEN. MGT. – ADMIN permission set explicitly. (For older versions, you need to have D365 EXTENSION MGT permission set)

END

Hope this will help.

Thanks for reading.

ZHU

コメント

タイトルとURLをコピーしました