Dynamics 365 Business Central: How to check if a user is Delegated Admin via AL

Dynamics 365 Business Central

Hi, Readers.
Today I would like to share a mini development tip: how to check whether the current user is a Delegated Admin via AL.

As you might know, Microsoft partners use the delegated admin role to set up and manage certain aspects of Business Central on behalf of their customers. More details: Delegated Administrator Access to Business Central Online

When you sign in to your customers’ Business Central as the delegated administrator from the Business Central administration center, you have access to all areas of their Business Central. However, because you aren’t registered as a regular user, there are certain tasks that you can’t do. More details: Restricted access to Business Central as delegated administrator

The following tasks aren’t available to the delegated administrator:

  • Run scheduled tasks in the job queue. However, delegated administrators can test that the job queue can run without issues, before asking their customer to start it, by using the Run once (foreground) action on the Job Queue Entry card. This action creates a temporary non-recurrent copy of the job and runs it once in the foreground. You can call it as many times as you need before you hand it over to your customer so that they can start it as a recurrent job. After the job queue completes, it is put in the On Hold status and can’t be rescheduled.
  • Trigger a webhook or any other application action that relies on the job queue functionality, except by using the Run once (foreground) action.
  • Use the Invite External Accountant assisted setup guide. Instead, you can add the external user in the Azure portal and assign this user the External Accountant license.
  • Access a web service by using a Web Service Access key. Usage of the Web Service Access key was deprecated in 2022 release wave 1. Find out more here.

Of course, similar restrictions can also be added in our own customizations. In this post, I will briefly describe one method for OnPrem and three methods for SaaS, together with where each one comes from in the base application.

1. First, we can find some clues in the Job Queue related functions, because the job queue is exactly where the standard application restricts delegated administrators.
For example, in page 673 “Job Queue Entry Card”:

PS: There are two security groups in the partner’s Azure AD tenant that are used for delegated administration: Admin Agents and Helpdesk Agents.
When a customer grants a delegated administration privilege to a partner:

  • The Admin Agent group is assigned to the Global administrator role in the customer’s Azure AD tenant.
  • The Helpdesk Agent group is assigned to the Helpdesk administrator role in the customer’s Azure AD tenant.

More details: Delegated admin privileges in Azure AD

codeunit 9024 “Azure AD Graph User”: procedure IsUserDelegatedAdmin() and procedure IsUserDelegatedHelpdesk()

Unfortunately, the scope of these two procedures is OnPrem, so we cannot use them in SaaS (Cloud).

2. In page 9807 “User Card”: local procedure IsUserDelegated

This one can be used in SaaS😁. It checks whether the Delegated Admin plan or the Helpdesk plan is assigned to the given user security ID. For example,

Source Code:

pageextension 50111 MyExtension extends "Customer Card"
{
    trigger OnOpenPage()
    begin
        if IsUserDelegated(UserSecurityId()) then
            Error('You are not allowed to open this page.');
    end;

    local procedure IsUserDelegated(UserSecID: Guid): Boolean
    var
        PlanIds: Codeunit "Plan Ids";
        AzureADPlan: Codeunit "Azure AD Plan";
    begin
        exit(AzureADPlan.IsPlanAssignedToUser(PlanIds.GetDelegatedAdminPlanId(), UserSecID) or
                    AzureADPlan.IsPlanAssignedToUser(PlanIds.GetHelpDeskPlanId(), UserSecID));
    end;
}

PS:
Dynamics 365 Business Central: User Security Id (SID) and User Id (Name)
Dynamics 365 Business Central: All service plan identifiers (Plan Ids)

3. In codeunit 9178 “Application Area Mgmt.”: IdentityMgmt.IsUserDelegatedAdmin()

This can also be used. The check is wrapped in codeunit “Identity Management”, so no user security ID needs to be passed.

Source code:

pageextension 50111 MyExtension extends "Customer Card"
{
    trigger OnOpenPage()
    var
        IdentityMgmt: Codeunit "Identity Management";
    begin
        if IdentityMgmt.IsUserDelegatedAdmin() then
            Error('You are not allowed to open this page.');
    end;
}

4. In table 1513 “Notification Schedule”: AzureAdUserManagement.IsUserDelegated(UserSecurityId())

This method is similar to the second method in that it uses the Plan Ids to determine whether the user is a Delegated Admin, but please note that this method additionally includes the D365 Admin Partner Plan Id, so it treats partner admins as delegated users as well.
PS: Dynamics 365 Business Central: All service plan identifiers (Plan Ids)

This can also be used.

Source Code:

pageextension 50111 MyExtension extends "Customer Card"
{
    trigger OnOpenPage()
    var
        AzureAdUserManagement: Codeunit "Azure AD User Management";
    begin
        if AzureAdUserManagement.IsUserDelegated(UserSecurityId()) then
            Error('You are not allowed to open this page.');
    end;
}
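The three SaaS methods above all stop at an Error in OnOpenPage. As an added example, not code from the original post, the following shows how the plan-id check from method 2 can be extended with the D365 Admin Partner plan mentioned under method 4 and moved into a reusable codeunit, so that a page can make a field read-only for delegated users and block modifications even when the page is opened through another route. Object IDs 50112 and 50113, the codeunit and procedure names, and the hypothetical getter GetD365AdminPartnerPlanId() in codeunit "Plan Ids" are assumptions; the "Credit Limit (LCY)" field exists on the standard Customer Card.

```al
codeunit 50112 "Delegated Admin Guard"
{
    // Added example: central place for the "is this a delegated user" decision,
    // so every page or table that needs the restriction asks the same question.

    procedure IsCurrentUserDelegated(): Boolean
    var
        PlanIds: Codeunit "Plan Ids";
        AzureADPlan: Codeunit "Azure AD Plan";
        UserSecID: Guid;
    begin
        UserSecID := UserSecurityId();
        // Delegated Admin and Helpdesk plans (as in method 2) plus the
        // D365 Admin Partner plan (as in method 4).
        // Assumption: GetD365AdminPartnerPlanId() is exposed by codeunit "Plan Ids".
        exit(AzureADPlan.IsPlanAssignedToUser(PlanIds.GetDelegatedAdminPlanId(), UserSecID) or
             AzureADPlan.IsPlanAssignedToUser(PlanIds.GetHelpDeskPlanId(), UserSecID) or
             AzureADPlan.IsPlanAssignedToUser(PlanIds.GetD365AdminPartnerPlanId(), UserSecID));
    end;

    // Raises an error that names the blocked action, so the user knows why.
    procedure CheckNotDelegated(ActionDescription: Text)
    var
        NotAllowedErr: Label 'Delegated administrators cannot %1. Ask a licensed user in the customer tenant to do this.', Comment = '%1 = description of the blocked action';
    begin
        if IsCurrentUserDelegated() then
            Error(NotAllowedErr, ActionDescription);
    end;
}

pageextension 50113 "Customer Card Delegated Guard" extends "Customer Card"
{
    layout
    {
        // Sensitive master-data field becomes read-only for delegated users
        // instead of failing only at save time.
        modify("Credit Limit (LCY)")
        {
            Editable = not DelegatedUser;
        }
    }

    trigger OnOpenPage()
    begin
        // Evaluate once per page instance; the plan lookup is not free.
        DelegatedUser := DelegatedAdminGuard.IsCurrentUserDelegated();
    end;

    trigger OnModifyRecord(): Boolean
    begin
        // Second line of defence: block the write itself, not just the UI.
        DelegatedAdminGuard.CheckNotDelegated('change customer master data');
        exit(true);
    end;

    var
        DelegatedAdminGuard: Codeunit "Delegated Admin Guard";
        DelegatedUser: Boolean;
}
```

Keeping the decision in one codeunit means that when Microsoft changes which plans count as delegated, or when you decide the partner plan should not be included after all, there is a single place to adjust rather than a check copied into every page extension.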

I have briefly listed several methods; choose the one that fits your actual situation. Give it a try!!!😁

PS: How to quickly check if the user has the SUPER permissions set via AL (Best practice)

END

Hope this will help.

Thanks for reading.

ZHU
