Today I would like to talk about Permission Exclusion in Business Central.
This was originally a new feature of Business Central 2022 wave 1 (BC20).
More details from Business Central Launch Event 2022 Release wave 1 (BC20):
But on June 28, Microsoft announced that it was moving the feature to the next release wave (Business Central 2022 wave 2 (BC21)).
More details: Features removed from release plan
Business Central 2022 wave 2 (BC21) is generally available this week. More details: Generally available: Dynamics 365 Business Central 2022 wave 2 (BC21)
We can also finally see the full image of this feature. The following information is extracted from the MS Learn/Document.
To create a permission set:
In 2022 release wave 2 we made it easier to add permissions to permission sets. Rather than adding permissions individually, you can add entire permission sets. If needed, you can then exclude individual permissions in them. For more information, see To add other permission sets. To make that possible, we replaced the Permission Set page with a new one. The key differences are the new Permission Sets and Results panes, and the Included permissions FactBox. To continue using the replaced Permissions page, on the Permission Sets page, choose the Permissions (legacy) action.
New Permission Set page:
Similar to Include, to exclude the permissions, or one or more access levels, choose Exclude, and then choose the level of access to give. The following table describes the options.
|Use the access level based on the hierarchy of permissions in the set.
|Remove the specific access level for the object.
|Reduce to indirect
|Change the access level to Indirect if any permission sets give Direct access to the object. For example, choose this option if the permission set gives Direct access to G/L entries but you don’t want users to have full access to the entries.
The highest permission set in the hierarchy determines whether the permission is included or excluded. If two sets are at the same level in the hierarchy, and a permission is included in one set but excluded in the other, the permission will be excluded.
You can also exclude a permission set in Permission Sets pane.
And to fully exclude a permission set you’ve added, on the Result pane, select the line, choose Show more options, and then choose Exclude. When you exclude a permission set, a line is created on the Permission Sets pane of the type Excluded. If you’ve excluded a permission set, but want to include it again, delete the line on the Permission Sets pane.
For an overall view of permissions in the permission set, choose the View all permissions action. The Expanded Permissions page shows all permissions that were already assigned to the permission set and the permissions in the added permission sets.
Expanded Permissions page:
This is a great feature that makes permission management much easier and free. Let’s look at a simple example: Prevent users from viewing the Chart of Account.
Copy D365 BUS FULL ACCESS to create a new permission set. And set G/L Account (15) to Exclude.
Assign to user.
The user does not have permission to open Chart of Account.
Very convenient, isn’t it?😁 Give it a try!!!
PS: If a permission is in a permission set that is included, and is also in a permission set that is excluded, the permission will be excluded. More details: To create a permission set
Hope this will help.
Thanks for reading.